Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/hardware/video/nvidia.nix13
-rw-r--r--nixos/modules/image/repart-image.nix4
-rw-r--r--nixos/modules/installer/tools/nix-fallback-paths.nix10
-rw-r--r--nixos/modules/misc/mandoc.nix23
-rw-r--r--nixos/modules/module-list.nix4
-rw-r--r--nixos/modules/programs/dublin-traceroute.nix4
-rw-r--r--nixos/modules/programs/joycond-cemuhook.nix2
-rw-r--r--nixos/modules/programs/mouse-actions.nix2
-rw-r--r--nixos/modules/programs/nix-required-mounts.nix118
-rw-r--r--nixos/modules/programs/screen.nix2
-rw-r--r--nixos/modules/programs/wayland/hyprland.nix5
-rw-r--r--nixos/modules/security/ca.nix6
-rw-r--r--nixos/modules/security/pam.nix2
-rw-r--r--nixos/modules/security/polkit.nix14
-rw-r--r--nixos/modules/security/sudo-rs.nix2
-rw-r--r--nixos/modules/services/admin/pgadmin.nix2
-rw-r--r--nixos/modules/services/cluster/kubernetes/kubelet.nix2
-rw-r--r--nixos/modules/services/continuous-integration/gitlab-runner.nix232
-rw-r--r--nixos/modules/services/databases/memcached.nix2
-rw-r--r--nixos/modules/services/databases/neo4j.nix2
-rw-r--r--nixos/modules/services/desktop-managers/plasma6.nix4
-rw-r--r--nixos/modules/services/desktops/deepin/deepin-anything.nix38
-rw-r--r--nixos/modules/services/desktops/playerctld.nix32
-rw-r--r--nixos/modules/services/games/armagetronad.nix2
-rw-r--r--nixos/modules/services/games/teeworlds.nix2
-rw-r--r--nixos/modules/services/hardware/auto-epp.nix2
-rw-r--r--nixos/modules/services/hardware/openrgb.nix2
-rw-r--r--nixos/modules/services/home-automation/ebusd.nix2
-rw-r--r--nixos/modules/services/home-automation/matter-server.nix2
-rw-r--r--nixos/modules/services/matrix/mautrix-signal.nix2
-rw-r--r--nixos/modules/services/matrix/mautrix-whatsapp.nix2
-rw-r--r--nixos/modules/services/misc/mqtt2influxdb.nix2
-rw-r--r--nixos/modules/services/misc/ollama.nix18
-rw-r--r--nixos/modules/services/misc/paperless.nix2
-rw-r--r--nixos/modules/services/misc/portunus.nix2
-rw-r--r--nixos/modules/services/misc/spice-autorandr.nix2
-rw-r--r--nixos/modules/services/monitoring/nezha-agent.nix15
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters.nix19
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/minio.nix69
-rw-r--r--nixos/modules/services/monitoring/rustdesk-server.nix2
-rw-r--r--nixos/modules/services/monitoring/smartd.nix27
-rw-r--r--nixos/modules/services/monitoring/thanos.nix2
-rw-r--r--nixos/modules/services/monitoring/ups.nix4
-rw-r--r--nixos/modules/services/network-filesystems/openafs/server.nix2
-rw-r--r--nixos/modules/services/network-filesystems/samba-wsdd.nix2
-rw-r--r--nixos/modules/services/networking/gns3-server.nix14
-rw-r--r--nixos/modules/services/networking/haproxy.nix2
-rw-r--r--nixos/modules/services/networking/hylafax/options.nix4
-rw-r--r--nixos/modules/services/networking/netbird/dashboard.nix2
-rw-r--r--nixos/modules/services/networking/netbird/management.nix4
-rw-r--r--nixos/modules/services/networking/netbird/server.nix2
-rw-r--r--nixos/modules/services/networking/netbird/signal.nix2
-rw-r--r--nixos/modules/services/networking/networkd-dispatcher.nix2
-rw-r--r--nixos/modules/services/networking/nncp.nix4
-rw-r--r--nixos/modules/services/networking/oink.nix1
-rw-r--r--nixos/modules/services/networking/scion/scion-control.nix12
-rw-r--r--nixos/modules/services/networking/scion/scion-daemon.nix10
-rw-r--r--nixos/modules/services/networking/scion/scion-dispatcher.nix4
-rw-r--r--nixos/modules/services/networking/scion/scion-router.nix4
-rw-r--r--nixos/modules/services/networking/scion/scion.nix5
-rw-r--r--nixos/modules/services/networking/wg-access-server.nix124
-rw-r--r--nixos/modules/services/networking/xrdp.nix4
-rw-r--r--nixos/modules/services/networking/zerotierone.nix2
-rw-r--r--nixos/modules/services/search/hound.nix84
-rw-r--r--nixos/modules/services/search/quickwit.nix2
-rw-r--r--nixos/modules/services/security/fail2ban.nix2
-rw-r--r--nixos/modules/services/security/haveged.nix2
-rw-r--r--nixos/modules/services/security/vaultwarden/backup.sh18
-rw-r--r--nixos/modules/services/system/localtimed.nix8
-rw-r--r--nixos/modules/services/torrent/rtorrent.nix28
-rw-r--r--nixos/modules/services/ttys/kmscon.nix58
-rw-r--r--nixos/modules/services/web-apps/audiobookshelf.nix2
-rw-r--r--nixos/modules/services/web-apps/code-server.nix2
-rw-r--r--nixos/modules/services/web-apps/healthchecks.nix18
-rw-r--r--nixos/modules/services/web-apps/invidious.nix2
-rw-r--r--nixos/modules/services/web-apps/jitsi-meet.nix2
-rw-r--r--nixos/modules/services/web-apps/keycloak.nix6
-rw-r--r--nixos/modules/services/web-apps/limesurvey.nix78
-rw-r--r--nixos/modules/services/web-apps/nextcloud.nix8
-rw-r--r--nixos/modules/services/web-apps/peering-manager.nix25
-rw-r--r--nixos/modules/services/web-apps/pretalx.nix2
-rw-r--r--nixos/modules/services/web-apps/pretix.nix2
-rw-r--r--nixos/modules/services/web-apps/silverbullet.nix4
-rw-r--r--nixos/modules/services/web-apps/slskd.nix2
-rw-r--r--nixos/modules/services/web-apps/suwayomi-server.nix6
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix6
-rw-r--r--nixos/modules/services/web-servers/tomcat.nix16
-rw-r--r--nixos/modules/services/x11/desktop-managers/cinnamon.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/deepin.nix15
-rw-r--r--nixos/modules/services/x11/desktop-managers/xfce.nix1
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix16
-rw-r--r--nixos/modules/system/boot/initrd-ssh.nix10
-rw-r--r--nixos/modules/system/boot/systemd.nix2
-rw-r--r--nixos/modules/system/etc/etc.nix14
-rw-r--r--nixos/modules/testing/test-instrumentation.nix4
-rw-r--r--nixos/modules/virtualisation/incus.nix2
-rw-r--r--nixos/modules/virtualisation/libvirtd.nix19
-rw-r--r--nixos/modules/virtualisation/multipass.nix4
-rw-r--r--nixos/modules/virtualisation/qemu-vm.nix2
-rw-r--r--nixos/modules/virtualisation/virtualbox-host.nix14
100 files changed, 1013 insertions, 386 deletions
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix
index 0274dfcaa70f9..e38050e637b1c 100644
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@@ -46,8 +46,6 @@ in
           TRUNK_LINK_FAILURE_MODE = 0;
           NVSWITCH_FAILURE_MODE = 0;
           ABORT_CUDA_JOBS_ON_FM_EXIT = 1;
-          TOPOLOGY_FILE_PATH = "${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
-          DATABASE_PATH = "${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
         };
         defaultText = lib.literalExpression ''
           {
@@ -69,8 +67,6 @@ in
             TRUNK_LINK_FAILURE_MODE=0;
             NVSWITCH_FAILURE_MODE=0;
             ABORT_CUDA_JOBS_ON_FM_EXIT=1;
-            TOPOLOGY_FILE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
-            DATABASE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
           }
         '';
         description = ''
@@ -628,7 +624,14 @@ in
                     TimeoutStartSec = 240;
                     ExecStart =
                       let
-                        nv-fab-conf = settingsFormat.generate "fabricmanager.conf" cfg.datacenter.settings;
+                        # Since these rely on the `nvidia_x11.fabricmanager` derivation, they're
+                        # unsuitable to be mentioned in the configuration defaults, but they _can_
+                        # be overridden in `cfg.datacenter.settings` if needed.
+                        fabricManagerConfDefaults = {
+                          TOPOLOGY_FILE_PATH = "${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
+                          DATABASE_PATH = "${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
+                        };
+                        nv-fab-conf = settingsFormat.generate "fabricmanager.conf" (fabricManagerConfDefaults // cfg.datacenter.settings);
                       in
                       "${lib.getExe nvidia_x11.fabricmanager} -c ${nv-fab-conf}";
                     LimitCORE = "infinity";
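Review bot: With `TOPOLOGY_FILE_PATH` and `DATABASE_PATH` removed from `default` and `defaultText` in the two earlier hunks of this file, the rendered option documentation no longer shows that both keys are still set (to the nvswitch directory of the fabricmanager package) unless the user overrides them; the only explanation left is the in-code comment on `fabricManagerConfDefaults`. The `description` block that opens at the end of the second hunk continues outside the hunk; add a sentence there such as "`TOPOLOGY_FILE_PATH` and `DATABASE_PATH` default to the corresponding paths under the fabricmanager package and may be overridden here." The merge `fabricManagerConfDefaults // cfg.datacenter.settings` is correct as written: user-supplied keys take precedence over the package-derived paths.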
diff --git a/nixos/modules/image/repart-image.nix b/nixos/modules/image/repart-image.nix
index e404067299004..de03beeafc0b7 100644
--- a/nixos/modules/image/repart-image.nix
+++ b/nixos/modules/image/repart-image.nix
@@ -90,8 +90,8 @@ let
   }."${compression.algorithm}";
 
   compressionCommand = {
-    "zstd" = "zstd --no-progress --threads=0 -${toString compression.level}";
-    "xz" = "xz --keep --verbose --threads=0 -${toString compression.level}";
+    "zstd" = "zstd --no-progress --threads=$NIX_BUILD_CORES -${toString compression.level}";
+    "xz" = "xz --keep --verbose --threads=$NIX_BUILD_CORES -${toString compression.level}";
   }."${compression.algorithm}";
 in
   stdenvNoCC.mkDerivation (finalAttrs:
diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix
index 9669ec5e37f3c..54d3a107d6276 100644
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@@ -1,7 +1,7 @@
 {
-  x86_64-linux = "/nix/store/yrsmzlw2lgbknzwic1gy1gmv3l2w1ax8-nix-2.18.3";
-  i686-linux = "/nix/store/ds9381l9mlwfaclvqnkzn3jl4qb8m3y1-nix-2.18.3";
-  aarch64-linux = "/nix/store/hw1zny3f8520zyskmp1qaybv1ir5ilxh-nix-2.18.3";
-  x86_64-darwin = "/nix/store/z08yc4sl1fr65q53wz6pw30h67qafaln-nix-2.18.3";
-  aarch64-darwin = "/nix/store/p57m7m0wrz8sqxiwinzpwzqzak82zn75-nix-2.18.3";
+  x86_64-linux = "/nix/store/1w4b47zhp33md29wjhgg549pc281vv02-nix-2.18.4";
+  i686-linux = "/nix/store/hz02kn0ffn3wdi2xs7lndpr88v4v4fp2-nix-2.18.4";
+  aarch64-linux = "/nix/store/90zwqa9z2fgldc7ki1p5gfvglchjh9r6-nix-2.18.4";
+  x86_64-darwin = "/nix/store/bd1ix5mj9lj2yh7bqnmdjc24zlg5jivk-nix-2.18.4";
+  aarch64-darwin = "/nix/store/5hvsmklhqiay5i4q5vdkg60p8qpc69rz-nix-2.18.4";
 }
diff --git a/nixos/modules/misc/mandoc.nix b/nixos/modules/misc/mandoc.nix
index 706e2ac2c2836..166693930b5c7 100644
--- a/nixos/modules/misc/mandoc.nix
+++ b/nixos/modules/misc/mandoc.nix
@@ -96,12 +96,17 @@ in
                 {option}`documentation.man.mandoc.manPath` to an empty list (`[]`).
               '';
             };
-            output.fragment = lib.mkEnableOption ''
-              Omit the <!DOCTYPE> declaration and the <html>, <head>, and <body>
-              elements and only emit the subtree below the <body> element in HTML
-              output of {manpage}`mandoc(1)`. The style argument will be ignored.
-              This is useful when embedding manual content within existing documents.
-            '';
+            output.fragment = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+              example = true;
+              description = ''
+                Whether to omit the <!DOCTYPE> declaration and the <html>, <head>, and <body>
+                elements and only emit the subtree below the <body> element in HTML
+                output of {manpage}`mandoc(1)`. The style argument will be ignored.
+                This is useful when embedding manual content within existing documents.
+              '';
+            };
             output.includes = lib.mkOption {
               type = with lib.types; nullOr str;
               default = null;
@@ -160,9 +165,9 @@ in
               '';
             };
             output.toc = lib.mkEnableOption ''
-              In HTML output of {manpage}`mandoc(1)`, If an input file contains
-              at least two non-standard sections, print a table of contents near
-              the beginning of the output.
+              printing a table of contents near the beginning of the HTML output
+              of {manpage}`mandoc(1)` if an input file contains at least two
+              non-standard sections
             '';
             output.width = lib.mkOption {
               type = with lib.types; nullOr int;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 876e40983c1e5..4d227916c499c 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -243,6 +243,7 @@
   ./programs/nh.nix
   ./programs/nix-index.nix
   ./programs/nix-ld.nix
+  ./programs/nix-required-mounts.nix
   ./programs/nm-applet.nix
   ./programs/nncp.nix
   ./programs/noisetorch.nix
@@ -477,6 +478,7 @@
   ./services/desktops/bamf.nix
   ./services/desktops/blueman.nix
   ./services/desktops/cpupower-gui.nix
+  ./services/desktops/deepin/deepin-anything.nix
   ./services/desktops/deepin/dde-api.nix
   ./services/desktops/deepin/app-services.nix
   ./services/desktops/deepin/dde-daemon.nix
@@ -485,6 +487,7 @@
   ./services/desktops/espanso.nix
   ./services/desktops/flatpak.nix
   ./services/desktops/geoclue2.nix
+  ./services/desktops/playerctld.nix
   ./services/desktops/gnome/at-spi2-core.nix
   ./services/desktops/gnome/evolution-data-server.nix
   ./services/desktops/gnome/glib-networking.nix
@@ -1224,6 +1227,7 @@
   ./services/networking/vsftpd.nix
   ./services/networking/wasabibackend.nix
   ./services/networking/websockify.nix
+  ./services/networking/wg-access-server.nix
   ./services/networking/wg-netmanager.nix
   ./services/networking/webhook.nix
   ./services/networking/wg-quick.nix
diff --git a/nixos/modules/programs/dublin-traceroute.nix b/nixos/modules/programs/dublin-traceroute.nix
index de9446ad7377c..c764352843e78 100644
--- a/nixos/modules/programs/dublin-traceroute.nix
+++ b/nixos/modules/programs/dublin-traceroute.nix
@@ -8,9 +8,7 @@ in {
 
   options = {
     programs.dublin-traceroute = {
-      enable = lib.mkEnableOption ''
-      dublin-traceroute, add it to the global environment and configure a setcap wrapper for it.
-      '';
+      enable = lib.mkEnableOption "dublin-traceroute (including setcap wrapper)";
 
       package = lib.mkPackageOption pkgs "dublin-traceroute" { };
     };
diff --git a/nixos/modules/programs/joycond-cemuhook.nix b/nixos/modules/programs/joycond-cemuhook.nix
index 6cdd198a7df23..c01a00478113a 100644
--- a/nixos/modules/programs/joycond-cemuhook.nix
+++ b/nixos/modules/programs/joycond-cemuhook.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, config, ... }:
 {
   options.programs.joycond-cemuhook = {
-    enable = lib.mkEnableOption "joycond-cemuhook, a program to enable support for cemuhook's UDP protocol for joycond devices.";
+    enable = lib.mkEnableOption "joycond-cemuhook, a program to enable support for cemuhook's UDP protocol for joycond devices";
   };
 
   config = lib.mkIf config.programs.joycond-cemuhook.enable {
diff --git a/nixos/modules/programs/mouse-actions.nix b/nixos/modules/programs/mouse-actions.nix
index fdf39d56d3838..73dc783e3100b 100644
--- a/nixos/modules/programs/mouse-actions.nix
+++ b/nixos/modules/programs/mouse-actions.nix
@@ -6,7 +6,7 @@ in
   {
     options.programs.mouse-actions = {
       enable = lib.mkEnableOption ''
-        mouse-actions udev rules. This is a prerequisite for using mouse-actions without being root.
+        mouse-actions udev rules. This is a prerequisite for using mouse-actions without being root
       '';
     };
     config = lib.mkIf cfg.enable {
diff --git a/nixos/modules/programs/nix-required-mounts.nix b/nixos/modules/programs/nix-required-mounts.nix
new file mode 100644
index 0000000000000..5d25958a7698d
--- /dev/null
+++ b/nixos/modules/programs/nix-required-mounts.nix
@@ -0,0 +1,118 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.programs.nix-required-mounts;
+  package = pkgs.nix-required-mounts;
+
+  Mount =
+    with lib;
+    types.submodule {
+      options.host = mkOption {
+        type = types.str;
+        description = "Host path to mount";
+      };
+      options.guest = mkOption {
+        type = types.str;
+        description = "Location in the sandbox to mount the host path at";
+      };
+    };
+  Pattern =
+    with lib.types;
+    types.submodule (
+      { config, name, ... }:
+      {
+        options.onFeatures = lib.mkOption {
+          type = listOf types.str;
+          description = "Which requiredSystemFeatures should trigger relaxation of the sandbox";
+          default = [ name ];
+        };
+        options.paths = lib.mkOption {
+          type = listOf (oneOf [
+            path
+            Mount
+          ]);
+          description = "A list of glob patterns, indicating which paths to expose to the sandbox";
+        };
+        options.unsafeFollowSymlinks = lib.mkEnableOption ''
+          Instructs the hook to mount the symlink targets as well, when any of
+          the `paths` contain symlinks. This may not work correctly with glob
+          patterns.
+        '';
+      }
+    );
+
+  driverPaths = [
+    pkgs.addOpenGLRunpath.driverLink
+
+    # mesa:
+    config.hardware.opengl.package
+
+    # nvidia_x11, etc:
+  ] ++ config.hardware.opengl.extraPackages; # nvidia_x11
+
+  defaults = {
+    nvidia-gpu.onFeatures = package.allowedPatterns.nvidia-gpu.onFeatures;
+    nvidia-gpu.paths = package.allowedPatterns.nvidia-gpu.paths ++ driverPaths;
+    nvidia-gpu.unsafeFollowSymlinks = false;
+  };
+in
+{
+  meta.maintainers = with lib.maintainers; [ SomeoneSerge ];
+  options.programs.nix-required-mounts = {
+    enable = lib.mkEnableOption "Expose extra paths to the sandbox depending on derivations' requiredSystemFeatures";
+    presets.nvidia-gpu.enable = lib.mkEnableOption ''
+      Declare the support for derivations that require an Nvidia GPU to be
+      available, e.g. derivations with `requiredSystemFeatures = [ "cuda" ]`.
+      This mounts the corresponding userspace drivers and device nodes in the
+      sandbox, but only for derivations that request these special features.
+
+      You may extend or override the exposed paths via the
+      `programs.nix-required-mounts.allowedPatterns.nvidia-gpu.paths` option.
+    '';
+    allowedPatterns =
+      with lib.types;
+      lib.mkOption rec {
+        type = attrsOf Pattern;
+        description = "The hook config, describing which paths to mount for which system features";
+        default = { };
+        defaultText = lib.literalExpression ''
+          {
+            opengl.paths = config.hardware.opengl.extraPackages ++ [
+              config.hardware.opengl.package
+              pkgs.addOpenGLRunpath.driverLink
+              "/dev/dri"
+            ];
+          }
+        '';
+        example.require-ipfs.paths = [ "/ipfs" ];
+        example.require-ipfs.onFeatures = [ "ifps" ];
+      };
+    extraWrapperArgs = lib.mkOption {
+      type = with lib.types; listOf str;
+      default = [ ];
+      description = "List of extra arguments (such as `--add-flags -v`) to pass to the hook's wrapper";
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = package.override { inherit (cfg) allowedPatterns extraWrapperArgs; };
+      description = "The final package with the final config applied";
+      internal = true;
+    };
+  };
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      { nix.settings.pre-build-hook = lib.getExe cfg.package; }
+      (lib.mkIf cfg.presets.nvidia-gpu.enable {
+        nix.settings.system-features = cfg.allowedPatterns.nvidia-gpu.onFeatures;
+        programs.nix-required-mounts.allowedPatterns = {
+          inherit (defaults) nvidia-gpu;
+        };
+      })
+    ]
+  );
+}
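Review bot: The `defaultText` of `allowedPatterns` (`opengl.paths = …`) does not match the actual `default = { }`, so the rendered docs of a module that relaxes the Nix sandbox advertise an `opengl` pattern that is never configured; either drop the `defaultText` or make it describe `{ }` plus the `nvidia-gpu` entry that `presets.nvidia-gpu.enable` merges in. The `example.require-ipfs.onFeatures = [ "ifps" ]` line looks like a typo for `"ipfs"`, which matters because the feature name is exactly what triggers the extra mounts. Both `enable` and `unsafeFollowSymlinks` pass a verb phrase to `lib.mkEnableOption` (`Expose extra paths…`, `Instructs the hook…`), which renders as "Whether to enable Expose…"; the same pattern is fixed elsewhere in this commit, so reword them to noun phrases, e.g. `lib.mkEnableOption "exposing extra paths to the sandbox depending on derivations' requiredSystemFeatures"`. The `driverPaths` list also carries a duplicate `# nvidia_x11` comment on the `++ config.hardware.opengl.extraPackages` line.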
diff --git a/nixos/modules/programs/screen.nix b/nixos/modules/programs/screen.nix
index 4f3cd9fcf9a56..63bfe6576cc02 100644
--- a/nixos/modules/programs/screen.nix
+++ b/nixos/modules/programs/screen.nix
@@ -9,7 +9,7 @@ in
     programs.screen = {
       enable = lib.mkEnableOption "screen, a basic terminal multiplexer";
 
-      package = lib.mkPackageOptionMD pkgs "screen" { };
+      package = lib.mkPackageOption pkgs "screen" { };
 
       screenrc = lib.mkOption {
         type = lib.types.lines;
diff --git a/nixos/modules/programs/wayland/hyprland.nix b/nixos/modules/programs/wayland/hyprland.nix
index 575adc79cf10b..6e69c1730e57b 100644
--- a/nixos/modules/programs/wayland/hyprland.nix
+++ b/nixos/modules/programs/wayland/hyprland.nix
@@ -38,12 +38,13 @@ in
     xwayland.enable = lib.mkEnableOption "XWayland" // { default = true; };
 
     systemd.setPath.enable = lib.mkEnableOption null // {
-      default = true;
+      default = lib.versionOlder cfg.package.version "0.41.2";
+      defaultText = lib.literalExpression ''lib.versionOlder cfg.package.version "0.41.2"'';
       example = false;
       description = ''
         Set environment path of systemd to include the current system's bin directory.
         This is needed in Hyprland setups, where opening links in applications do not work.
-        Enabled by default.
+        Enabled by default for Hyprland versions older than 0.41.2.
       '';
     };
   };
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index af5d91b35f2eb..8aae6eb3f29b0 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -26,13 +26,13 @@ in
 
     security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
 
-      Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
-      which is a OpenSSL specific PEM format.
+      Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
+      which is an OpenSSL specific PEM format.
 
       It is known to be incompatible with certain software stacks.
 
       Nevertheless, enabling this will strip all additional trust rules provided by the
-      certificates themselves, this can have security consequences depending on your usecases.
+      certificates themselves. This can have security consequences depending on your usecases
     '';
 
     security.pki.certificateFiles = mkOption {
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 5d3bed2fb02c8..f77e819d0c83a 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -1055,7 +1055,7 @@ in
           the dp9ik pam module provided by tlsclient.
 
           If set, users can be authenticated against the 9front
-          authentication server given in {option}`security.pam.dp9ik.authserver`.
+          authentication server given in {option}`security.pam.dp9ik.authserver`
         '';
       control = mkOption {
         default = "sufficient";
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index f7ee4f0068dde..76f623096fb76 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -14,6 +14,8 @@ in
 
     security.polkit.enable = mkEnableOption "polkit";
 
+    security.polkit.package = mkPackageOption pkgs "polkit" { };
+
     security.polkit.debug = mkEnableOption "debug logs from polkit. This is required in order to see log messages from rule definitions";
 
     security.polkit.extraConfig = mkOption {
@@ -57,13 +59,13 @@ in
 
   config = mkIf cfg.enable {
 
-    environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ];
+    environment.systemPackages = [ cfg.package.bin cfg.package.out ];
 
-    systemd.packages = [ pkgs.polkit.out ];
+    systemd.packages = [ cfg.package.out ];
 
     systemd.services.polkit.serviceConfig.ExecStart = [
       ""
-      "${pkgs.polkit.out}/lib/polkit-1/polkitd ${optionalString (!cfg.debug) "--no-debug"}"
+      "${cfg.package.out}/lib/polkit-1/polkitd ${optionalString (!cfg.debug) "--no-debug"}"
     ];
 
     systemd.services.polkit.restartTriggers = [ config.system.path ];
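Review bot: `cfg.package.bin` on the new `environment.systemPackages` and `ExecStart` lines (and in the setuid-wrapper hunk further down) assumes the user-supplied package has a separate `bin` output; a `security.polkit.package` override built as a single-output derivation would fail evaluation with a missing-attribute error instead of a clear message. `getBin cfg.package` and `getOutput "out" cfg.package` fall back to the default output when the named one is absent, e.g. `environment.systemPackages = [ (getBin cfg.package) (getOutput "out" cfg.package) ];`, and the same substitution applies to the `ExecStart`, `systemd.packages`, `services.dbus.packages` and wrapper `source` lines. Since the wrapper hunk installs `pkexec` and `polkit-agent-helper-1` setuid-root from whatever `cfg.package` points at, consider `mkPackageOption pkgs "polkit" { extraDescription = "Its pkexec and polkit-agent-helper-1 binaries are installed as setuid-root wrappers."; }` so that reviewers of user configurations see the privilege implication on the option itself.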
@@ -82,7 +84,7 @@ in
         ${cfg.extraConfig}
       ''; #TODO: validation on compilation (at least against typos)
 
-    services.dbus.packages = [ pkgs.polkit.out ];
+    services.dbus.packages = [ cfg.package.out ];
 
     security.pam.services.polkit-1 = {};
 
@@ -91,13 +93,13 @@ in
         { setuid = true;
           owner = "root";
           group = "root";
-          source = "${pkgs.polkit.bin}/bin/pkexec";
+          source = "${cfg.package.bin}/bin/pkexec";
         };
       polkit-agent-helper-1 =
         { setuid = true;
           owner = "root";
           group = "root";
-          source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
+          source = "${cfg.package.out}/lib/polkit-1/polkit-agent-helper-1";
         };
     };
 
diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix
index 6ccf42ed7f087..e63a64d4691c0 100644
--- a/nixos/modules/security/sudo-rs.nix
+++ b/nixos/modules/security/sudo-rs.nix
@@ -41,7 +41,7 @@ in
 
     enable = mkEnableOption ''
       a memory-safe implementation of the {command}`sudo` command,
-      which allows non-root users to execute commands as root.
+      which allows non-root users to execute commands as root
     '';
 
     package = mkPackageOption pkgs "sudo-rs" { };
diff --git a/nixos/modules/services/admin/pgadmin.nix b/nixos/modules/services/admin/pgadmin.nix
index b3dd3c78874c2..9c430bd05e712 100644
--- a/nixos/modules/services/admin/pgadmin.nix
+++ b/nixos/modules/services/admin/pgadmin.nix
@@ -35,7 +35,7 @@ in
       default = 5050;
     };
 
-    package = mkPackageOptionMD pkgs "pgadmin4" { };
+    package = mkPackageOption pkgs "pgadmin4" { };
 
     initialEmail = mkOption {
       description = "Initial email for the pgAdmin account";
diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix
index c841f4e5f1862..f36edeaf64ceb 100644
--- a/nixos/modules/services/cluster/kubernetes/kubelet.nix
+++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix
@@ -356,7 +356,7 @@ in
       boot.kernelModules = ["br_netfilter" "overlay"];
 
       services.kubernetes.kubelet.hostname =
-        mkDefault config.networking.fqdnOrHostName;
+        mkDefault (lib.toLower config.networking.fqdnOrHostName);
 
       services.kubernetes.pki.certs = with top.lib; {
         kubelet = mkCert {
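Review bot: The new `lib.toLower` lowers the node name but nothing in the hunk says why; a short comment such as `# Kubernetes node names must be lowercase RFC 1123 subdomains; fqdnOrHostName may contain uppercase` would keep the next maintainer from reverting it. The file otherwise calls lib functions unqualified (`mkDefault` on the same line), so `toLower` without the `lib.` prefix would match the surrounding style, presuming a `with lib;` is in scope above the hunk. The `pki.certs.kubelet` block that begins at the end of the hunk continues outside it; whatever hostname it puts into the certificate should use the same lowered value so that the certificate SAN and the registered node name stay consistent.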
diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index 62c62c5d2360e..1771ca0b980b9 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -1,7 +1,43 @@
 { config, lib, pkgs, ... }:
-with builtins;
-with lib;
+
 let
+  inherit (builtins)
+    hashString
+    map
+    substring
+    toJSON
+    toString
+    unsafeDiscardStringContext
+    ;
+
+  inherit (lib)
+    any
+    assertMsg
+    attrValues
+    concatStringsSep
+    escapeShellArg
+    filterAttrs
+    hasPrefix
+    isStorePath
+    literalExpression
+    mapAttrs'
+    mapAttrsToList
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkOption
+    mkPackageOption
+    mkRemovedOptionModule
+    mkRenamedOptionModule
+    nameValuePair
+    optional
+    optionalAttrs
+    optionals
+    teams
+    toShellVar
+    types
+    ;
+
   cfg = config.services.gitlab-runner;
   hasDocker = config.virtualisation.docker.enable;
 
@@ -20,17 +56,16 @@ let
   configPath = ''"$HOME"/.gitlab-runner/config.toml'';
   configureScript = pkgs.writeShellApplication {
     name = "gitlab-runner-configure";
-    runtimeInputs = with pkgs; [
+    runtimeInputs = [ cfg.package ] ++ (with pkgs; [
         bash
         gawk
         jq
         moreutils
         remarshal
         util-linux
-        cfg.package
         perl
         python3
-    ];
+    ]);
     text = if (cfg.configFile != null) then ''
       cp ${cfg.configFile} ${configPath}
       # make config file readable by service
@@ -84,15 +119,20 @@ let
         # TODO so here we should mention NEW_SERVICES
         if [ -v 'NEW_SERVICES["${name}"]' ] ; then
           bash -c ${escapeShellArg (concatStringsSep " \\\n " ([
-            "set -a && source ${service.registrationConfigFile} &&"
+            "set -a && source ${
+              if service.registrationConfigFile != null
+              then service.registrationConfigFile
+              else service.authenticationTokenConfigFile} &&"
             "gitlab-runner register"
             "--non-interactive"
             "--name '${name}'"
             "--executor ${service.executor}"
             "--limit ${toString service.limit}"
             "--request-concurrency ${toString service.requestConcurrency}"
+          ]
+            ++ optional (service.authenticationTokenConfigFile == null)
             "--maximum-timeout ${toString service.maximumTimeout}"
-          ] ++ service.registrationFlags
+            ++ service.registrationFlags
             ++ optional (service.buildsDir != null)
             "--builds-dir ${service.buildsDir}"
             ++ optional (service.cloneUrl != null)
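Review bot: When `authenticationTokenConfigFile` is set, `--maximum-timeout` in this hunk and `--tag-list`, `--run-untagged` and `--access-level` in the next one are silently dropped, so a service that sets `tagList`, `runUntagged`, `protected` or `maximumTimeout` together with an authentication token gets none of them applied and no diagnostic; an assertion or `warnings` entry naming the ignored options would make the migration visible, e.g. `assertion = service.authenticationTokenConfigFile == null || (service.tagList == [ ] && !service.runUntagged && !service.protected);` with a message explaining that those settings are managed on the GitLab side for authentication-token runners. The `source ${ if service.registrationConfigFile != null then … else service.authenticationTokenConfigFile }` interpolation now fails evaluation with an unhelpful null-coercion error when both files are null, since `registrationConfigFile` defaults to null after this commit; `assertMsg` is inherited in the first hunk, so presumably a check exists outside the visible hunks — if it does not, add one per service requiring exactly one of the two files. The enclosing `configureScript` text starts before this hunk.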
@@ -103,11 +143,11 @@ let
             "--pre-build-script ${service.preBuildScript}"
             ++ optional (service.postBuildScript != null)
             "--post-build-script ${service.postBuildScript}"
-            ++ optional (service.tagList != [ ])
+            ++ optional (service.authenticationTokenConfigFile == null && service.tagList != [ ])
             "--tag-list ${concatStringsSep "," service.tagList}"
-            ++ optional service.runUntagged
+            ++ optional (service.authenticationTokenConfigFile == null && service.runUntagged)
             "--run-untagged"
-            ++ optional service.protected
+            ++ optional (service.authenticationTokenConfigFile == null && service.protected)
             "--access-level ref_protected"
             ++ optional service.debugTraceDisabled
             "--debug-trace-disabled"
@@ -214,9 +254,14 @@ in {
           # nix store will be readable in runner, might be insecure
           nix = {
             # File should contain at least these two variables:
-            # `CI_SERVER_URL`
-            # `REGISTRATION_TOKEN`
+            # - `CI_SERVER_URL`
+            # - `REGISTRATION_TOKEN`
+            #
+            # NOTE: Support for runner registration tokens will be removed in GitLab 18.0.
+            # Please migrate to runner authentication tokens soon. For reference, the example
+            # runners below this one are configured with authentication tokens instead.
             registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+
             dockerImage = "alpine";
             dockerVolumes = [
               "/nix/store:/nix/store:ro"
@@ -255,8 +300,9 @@ in {
           docker-images = {
             # File should contain at least these two variables:
             # `CI_SERVER_URL`
-            # `REGISTRATION_TOKEN`
-            registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+            # `CI_SERVER_TOKEN`
+            authenticationTokenConfigFile = "/run/secrets/gitlab-runner-docker-images-token-env";
+
             dockerImage = "docker:stable";
             dockerVolumes = [
               "/var/run/docker.sock:/var/run/docker.sock"
@@ -269,8 +315,9 @@ in {
           shell = {
             # File should contain at least these two variables:
             # `CI_SERVER_URL`
-            # `REGISTRATION_TOKEN`
-            registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+            # `CI_SERVER_TOKEN`
+            authenticationTokenConfigFile = "/run/secrets/gitlab-runner-shell-token-env";
+
             executor = "shell";
             tagList = [ "shell" ];
           };
@@ -278,30 +325,67 @@ in {
           default = {
             # File should contain at least these two variables:
             # `CI_SERVER_URL`
-            # `REGISTRATION_TOKEN`
-            registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+            # `CI_SERVER_TOKEN`
+            authenticationTokenConfigFile = "/run/secrets/gitlab-runner-default-token-env";
             dockerImage = "debian:stable";
           };
         }
       '';
       type = types.attrsOf (types.submodule {
         options = {
+          authenticationTokenConfigFile = mkOption {
+            type = with types; nullOr path;
+            default = null;
+            description = ''
+              Absolute path to a file containing environment variables used for
+              gitlab-runner registrations with *runner authentication tokens*.
+              They replace the deprecated *runner registration tokens*, as
+              outlined in the [GitLab documentation].
+
+              A list of all supported environment variables can be found with
+              `gitlab-runner register --help`.
+
+              The ones you probably want to set are:
+              - `CI_SERVER_URL=<CI server URL>`
+              - `CI_SERVER_TOKEN=<runner authentication token secret>`
+
+              ::: {.warning}
+              Make sure to use a quoted absolute path,
+              or it is going to be copied to Nix Store.
+              :::
+
+              [GitLab documentation]: https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes
+            '';
+          };
           registrationConfigFile = mkOption {
-            type = types.path;
+            type = with types; nullOr path;
+            default = null;
             description = ''
               Absolute path to a file with environment variables
-              used for gitlab-runner registration.
+              used for gitlab-runner registration with *runner registration
+              tokens*.
+
               A list of all supported environment variables can be found in
               `gitlab-runner register --help`.
 
-              Ones that you probably want to set is
+              The ones you probably want to set are:
+              - `CI_SERVER_URL=<CI server URL>`
+              - `REGISTRATION_TOKEN=<registration secret>`
 
-              `CI_SERVER_URL=<CI server URL>`
+              Support for *runner registration tokens* is deprecated since
+              GitLab 16.0, has been disabled by default in GitLab 17.0 and
+              will be removed in GitLab 18.0, as outlined in the
+              [GitLab documentation]. Please consider migrating to
+              [runner authentication tokens] and check the documentation on
+              {option}`services.gitlab-runner.services.<name>.authenticationTokenConfigFile`.
 
-              `REGISTRATION_TOKEN=<registration secret>`
-
-              WARNING: make sure to use quoted absolute path,
+              ::: {.warning}
+              Make sure to use a quoted absolute path,
               or it is going to be copied to Nix Store.
+              :::
+
+              [GitLab documentation]: https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes
+              [runner authentication tokens]: https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#the-new-runner-registration-workflow
             '';
           };
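Review bot: Both option descriptions now present the path as optional (default `null`), but neither says how the two relate: the assertion added later in this commit makes them mutually exclusive, and the runner presumably still needs one of the two files to register, so a reader who leaves both unset gets no guidance from the docs. Suggest adding to the `authenticationTokenConfigFile` description the sentence "This option and `services.gitlab-runner.services.<name>.registrationConfigFile` are mutually exclusive; set exactly one of them." and the mirrored sentence in `registrationConfigFile`. The warning paragraph about quoting the path is good; it is the only thing that stops a bare path literal from landing in the world-readable store.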
           registrationFlags = mkOption {
@@ -439,6 +523,9 @@ in {
             default = [ ];
             description = ''
               Tag list.
+
+              This option has no effect for runners registered with an runner
+              authentication tokens and will be ignored.
             '';
           };
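Review bot: The added sentence reads `registered with an runner authentication tokens`, which mixes the article with a plural; the same sentence is repeated in the three following hunks (`runUntagged`, `maximumTimeout`, `protected`). Suggest `This option has no effect for runners registered with a runner authentication token and will be ignored.` in all four places.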
           runUntagged = mkOption {
@@ -447,6 +534,9 @@ in {
             description = ''
               Register to run untagged builds; defaults to
               `true` when {option}`tagList` is empty.
+
+              This option has no effect for runners registered with an runner
+              authentication tokens and will be ignored.
             '';
           };
           limit = mkOption {
@@ -470,6 +560,9 @@ in {
             description = ''
               What is the maximum timeout (in seconds) that will be set for
               job when using this Runner. 0 (default) simply means don't limit.
+
+              This option has no effect for runners registered with an runner
+              authentication tokens and will be ignored.
             '';
           };
           protected = mkOption {
@@ -478,6 +571,9 @@ in {
             description = ''
               When set to true Runner will only run on pipelines
               triggered on protected branches.
+
+              This option has no effect for runners registered with an runner
+              authentication tokens and will be ignored.
             '';
           };
           debugTraceDisabled = mkOption {
@@ -530,9 +626,67 @@ in {
     };
   };
   config = mkIf cfg.enable {
-    warnings = mapAttrsToList
-      (n: v: "services.gitlab-runner.services.${n}.`registrationConfigFile` points to a file in Nix Store. You should use quoted absolute path to prevent this.")
-      (filterAttrs (n: v: isStorePath v.registrationConfigFile) cfg.services);
+    assertions =
+      mapAttrsToList (name: serviceConfig: {
+        assertion = serviceConfig.registrationConfigFile == null || serviceConfig.authenticationTokenConfigFile == null;
+        message = "`services.gitlab-runner.${name}.registrationConfigFile` and `services.gitlab-runner.services.${name}.authenticationTokenConfigFile` are mutually exclusive.";
+      }) cfg.services;
+
+    warnings =
+      mapAttrsToList
+        (name: serviceConfig: "services.gitlab-runner.services.${name}.`registrationConfigFile` points to a file in Nix Store. You should use quoted absolute path to prevent this.")
+        (filterAttrs (name: serviceConfig: isStorePath serviceConfig.registrationConfigFile) cfg.services)
+      ++ mapAttrsToList
+        (name: serviceConfig: "services.gitlab-runner.services.${name}.`authenticationTokenConfigFile` points to a file in Nix Store. You should use quoted absolute path to prevent this.")
+        (filterAttrs (name: serviceConfig: isStorePath serviceConfig.authenticationTokenConfigFile) cfg.services)
+      ++ mapAttrsToList
+        (name: serviceConfig: ''
+          Runner registration tokens have been deprecated and disabled by default in GitLab >= 17.0.
+          Consider migrating to runner authentication tokens by setting `services.gitlab-runner.services.${name}.authenticationTokenConfigFile`.
+          https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html''
+        )
+        (
+          filterAttrs (name: serviceConfig:
+            serviceConfig.authenticationTokenConfigFile == null
+          ) cfg.services
+        )
+      ++ mapAttrsToList
+        (name: serviceConfig: ''
+          `services.gitlab-runner.services.${name}.protected` with runner authentication tokens has no effect and will be ignored. Please remove it from your configuration.''
+        )
+        (
+          filterAttrs (name: serviceConfig:
+            serviceConfig.authenticationTokenConfigFile != null && serviceConfig.protected == true
+          ) cfg.services
+        )
+      ++ mapAttrsToList
+        (name: serviceConfig: ''
+          `services.gitlab-runner.services.${name}.runUntagged` with runner authentication tokens has no effect and will be ignored. Please remove it from your configuration.''
+        )
+        (
+          filterAttrs (name: serviceConfig:
+            serviceConfig.authenticationTokenConfigFile != null && serviceConfig.runUntagged == true
+          ) cfg.services
+        )
+      ++ mapAttrsToList
+        (name: v: ''
+          `services.gitlab-runner.services.${name}.maximumTimeout` with runner authentication tokens has no effect and will be ignored. Please remove it from your configuration.''
+        )
+        (
+          filterAttrs (name: serviceConfig:
+            serviceConfig.authenticationTokenConfigFile != null && serviceConfig.maximumTimeout != 0
+          ) cfg.services
+        )
+      ++ mapAttrsToList
+        (name: v: ''
+          `services.gitlab-runner.services.${name}.tagList` with runner authentication tokens has no effect and will be ignored. Please remove it from your configuration.''
+        )
+        (
+          filterAttrs (serviceName: serviceConfig:
+            serviceConfig.authenticationTokenConfigFile != null && serviceConfig.tagList != [ ]
+          ) cfg.services
+        )
+      ;
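Review bot: The assertion only rejects the case where both files are set; with both left at their new `null` defaults nothing fails at evaluation, and the deprecation warning below (filtered on `authenticationTokenConfigFile == null`) then tells that user they are using registration tokens, which they are not. Suggest `assertion = (serviceConfig.registrationConfigFile == null) != (serviceConfig.authenticationTokenConfigFile == null);` with a message saying exactly one must be set, and `serviceConfig.registrationConfigFile != null` as the filter for the deprecation warning — assuming the registration step needs one of the two files, which the option examples suggest. The assertion message also drops the `services.` segment in its first path (`services.gitlab-runner.${name}.registrationConfigFile`) while the second path has it. As a style point, the lambdas name the second argument `serviceConfig`, `v` and `serviceName`/`serviceConfig` in turn; one name throughout would read better.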
 
     environment.systemPackages = [ cfg.package ];
     systemd.services.gitlab-runner = {
@@ -545,15 +699,19 @@ in {
       environment = config.networking.proxy.envVars // {
         HOME = "/var/lib/gitlab-runner";
       };
-      path = with pkgs; [
-        bash
-        gawk
-        jq
-        moreutils
-        remarshal
-        util-linux
-        cfg.package
-      ] ++ cfg.extraPackages;
+
+      path =
+        (with pkgs; [
+          bash
+          gawk
+          jq
+          moreutils
+          remarshal
+          util-linux
+        ])
+        ++ [ cfg.package ]
+        ++ cfg.extraPackages;
+
       reloadIfChanged = true;
       serviceConfig = {
         # Set `DynamicUser` under `systemd.services.gitlab-runner.serviceConfig`
diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix
index e38931b6b7ea8..7a3afc5efafcf 100644
--- a/nixos/modules/services/databases/memcached.nix
+++ b/nixos/modules/services/databases/memcached.nix
@@ -37,7 +37,7 @@ in
         description = "The port to bind to.";
       };
 
-      enableUnixSocket = mkEnableOption "Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The `listen` and `port` options are ignored.";
+      enableUnixSocket = mkEnableOption "Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The `listen` and `port` options are ignored";
 
       maxMemory = mkOption {
         type = types.ints.unsigned;
diff --git a/nixos/modules/services/databases/neo4j.nix b/nixos/modules/services/databases/neo4j.nix
index 4369ec2007dcf..c3f1872e0822a 100644
--- a/nixos/modules/services/databases/neo4j.nix
+++ b/nixos/modules/services/databases/neo4j.nix
@@ -620,6 +620,6 @@ in {
     };
 
   meta = {
-    maintainers = with lib.maintainers; [ patternspandemic jonringer ];
+    maintainers = with lib.maintainers; [ patternspandemic ];
   };
 }
diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix
index 796e24286f9e4..01a5bfa1dee27 100644
--- a/nixos/modules/services/desktop-managers/plasma6.nix
+++ b/nixos/modules/services/desktop-managers/plasma6.nix
@@ -8,7 +8,7 @@
   cfg = config.services.desktopManager.plasma6;
 
   inherit (pkgs) kdePackages;
-  inherit (lib) literalExpression mkDefault mkIf mkOption mkPackageOptionMD types;
+  inherit (lib) literalExpression mkDefault mkIf mkOption mkPackageOption types;
 
   activationScript = ''
     # will be rebuilt automatically
@@ -29,7 +29,7 @@ in {
         description = "Enable Qt 5 integration (theming, etc). Disable for a pure Qt 6 system.";
       };
 
-      notoPackage = mkPackageOptionMD pkgs "Noto fonts - used for UI by default" {
+      notoPackage = mkPackageOption pkgs "Noto fonts - used for UI by default" {
         default = ["noto-fonts"];
         example = "noto-fonts-lgc-plus";
       };
diff --git a/nixos/modules/services/desktops/deepin/deepin-anything.nix b/nixos/modules/services/desktops/deepin/deepin-anything.nix
new file mode 100644
index 0000000000000..4e88a789551b9
--- /dev/null
+++ b/nixos/modules/services/desktops/deepin/deepin-anything.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  meta = {
+    maintainers = lib.teams.deepin.members;
+  };
+
+  options = {
+
+    services.deepin.deepin-anything = {
+
+      enable = lib.mkEnableOption "deepin anything file search tool";
+
+    };
+
+  };
+
+  config = lib.mkIf config.services.deepin.dde-api.enable {
+    environment.systemPackages = [ pkgs.deepin.deepin-anything ];
+
+    services.dbus.packages = [ pkgs.deepin.deepin-anything ];
+
+    users.groups.deepin-anything = { };
+
+    users.users.deepin-anything = {
+      description = "Deepin Anything Server";
+      home = "/var/lib/deepin-anything";
+      createHome = true;
+      group = "deepin-anything";
+      isSystemUser = true;
+    };
+
+    boot.extraModulePackages = [ config.boot.kernelPackages.deepin-anything-module ];
+    boot.kernelModules = [ "vfs_monitor" ];
+  };
+
+}
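Review bot: The config block is gated on `config.services.deepin.dde-api.enable` rather than on the `enable` option this module defines, so `services.deepin.deepin-anything.enable` has no effect and the package, system user, dbus entry and the `vfs_monitor` kernel module are pulled in whenever dde-api is enabled. Presumably this should be `config = lib.mkIf config.services.deepin.dde-api.enable {` replaced by `config = lib.mkIf config.services.deepin.deepin-anything.enable {`; if dde-api really is a prerequisite, express that with an assertion rather than by reusing its guard.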
diff --git a/nixos/modules/services/desktops/playerctld.nix b/nixos/modules/services/desktops/playerctld.nix
new file mode 100644
index 0000000000000..ef4866d75715d
--- /dev/null
+++ b/nixos/modules/services/desktops/playerctld.nix
@@ -0,0 +1,32 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.playerctld;
+in
+{
+  options.services.playerctld = {
+    enable = lib.mkEnableOption "the playerctld daemon";
+
+    package = lib.mkPackageOption pkgs "playerctl" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    systemd.user.services.playerctld = {
+      description = "Playerctld daemon to track media player activity";
+      wantedBy = [ "default.target" ];
+
+      serviceConfig = {
+        Type = "exec";
+        ExecStart = "${cfg.package}/bin/playerctld";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ aacebedo ];
+}
diff --git a/nixos/modules/services/games/armagetronad.nix b/nixos/modules/services/games/armagetronad.nix
index 71c8528a9f6ea..dfeadb19026f7 100644
--- a/nixos/modules/services/games/armagetronad.nix
+++ b/nixos/modules/services/games/armagetronad.nix
@@ -36,7 +36,7 @@ in
           options = {
             enable = mkEnableOption "armagetronad";
 
-            package = lib.mkPackageOptionMD pkgs "armagetronad-dedicated" {
+            package = lib.mkPackageOption pkgs "armagetronad-dedicated" {
               example = ''
                 pkgs.armagetronad."0.2.9-sty+ct+ap".dedicated
               '';
diff --git a/nixos/modules/services/games/teeworlds.nix b/nixos/modules/services/games/teeworlds.nix
index 1958fd4141788..b9ed49937a7f7 100644
--- a/nixos/modules/services/games/teeworlds.nix
+++ b/nixos/modules/services/games/teeworlds.nix
@@ -95,7 +95,7 @@ in
     services.teeworlds = {
       enable = mkEnableOption "Teeworlds Server";
 
-      package = mkPackageOptionMD pkgs "teeworlds-server" { };
+      package = mkPackageOption pkgs "teeworlds-server" { };
 
       openPorts = mkOption {
         type = types.bool;
diff --git a/nixos/modules/services/hardware/auto-epp.nix b/nixos/modules/services/hardware/auto-epp.nix
index b568dec26f4c9..1d939a98142e0 100644
--- a/nixos/modules/services/hardware/auto-epp.nix
+++ b/nixos/modules/services/hardware/auto-epp.nix
@@ -10,7 +10,7 @@ in {
     services.auto-epp = {
       enable = lib.mkEnableOption "auto-epp for amd active pstate";
 
-      package = lib.mkPackageOptionMD pkgs "auto-epp" {};
+      package = lib.mkPackageOption pkgs "auto-epp" {};
 
       settings = mkOption {
         type = types.submodule {
diff --git a/nixos/modules/services/hardware/openrgb.nix b/nixos/modules/services/hardware/openrgb.nix
index 6ae5b4e587c6c..1f7e4ffb9265a 100644
--- a/nixos/modules/services/hardware/openrgb.nix
+++ b/nixos/modules/services/hardware/openrgb.nix
@@ -51,5 +51,5 @@ in {
     };
   };
 
-  meta.maintainers = with lib.maintainers; [ jonringer ];
+  meta.maintainers = with lib.maintainers; [ ];
 }
diff --git a/nixos/modules/services/home-automation/ebusd.nix b/nixos/modules/services/home-automation/ebusd.nix
index f5c5479e8eaff..97d1e2796adab 100644
--- a/nixos/modules/services/home-automation/ebusd.nix
+++ b/nixos/modules/services/home-automation/ebusd.nix
@@ -11,7 +11,7 @@ in
   options.services.ebusd = {
     enable = mkEnableOption "ebusd, a daemon for communication with eBUS heating systems";
 
-    package = mkPackageOptionMD pkgs "ebusd" { };
+    package = mkPackageOption pkgs "ebusd" { };
 
     device = mkOption {
       type = types.str;
diff --git a/nixos/modules/services/home-automation/matter-server.nix b/nixos/modules/services/home-automation/matter-server.nix
index 7bf1cfe54d17b..08a68db71386e 100644
--- a/nixos/modules/services/home-automation/matter-server.nix
+++ b/nixos/modules/services/home-automation/matter-server.nix
@@ -19,7 +19,7 @@ in
   options.services.matter-server = with types; {
     enable = mkEnableOption "Matter-server";
 
-    package = mkPackageOptionMD pkgs "python-matter-server" { };
+    package = mkPackageOption pkgs "python-matter-server" { };
 
     port = mkOption {
       type = types.port;
diff --git a/nixos/modules/services/matrix/mautrix-signal.nix b/nixos/modules/services/matrix/mautrix-signal.nix
index faca10551abb6..0da95b9c8a7b4 100644
--- a/nixos/modules/services/matrix/mautrix-signal.nix
+++ b/nixos/modules/services/matrix/mautrix-signal.nix
@@ -52,7 +52,7 @@ let
 in
 {
   options.services.mautrix-signal = {
-    enable = lib.mkEnableOption "mautrix-signal, a Matrix-Signal puppeting bridge.";
+    enable = lib.mkEnableOption "mautrix-signal, a Matrix-Signal puppeting bridge";
 
     settings = lib.mkOption {
       apply = lib.recursiveUpdate defaultConfig;
diff --git a/nixos/modules/services/matrix/mautrix-whatsapp.nix b/nixos/modules/services/matrix/mautrix-whatsapp.nix
index 31f64c16d7913..d124edc216dd0 100644
--- a/nixos/modules/services/matrix/mautrix-whatsapp.nix
+++ b/nixos/modules/services/matrix/mautrix-whatsapp.nix
@@ -47,7 +47,7 @@
 
 in {
   options.services.mautrix-whatsapp = {
-    enable = lib.mkEnableOption "mautrix-whatsapp, a puppeting/relaybot bridge between Matrix and WhatsApp.";
+    enable = lib.mkEnableOption "mautrix-whatsapp, a puppeting/relaybot bridge between Matrix and WhatsApp";
 
     settings = lib.mkOption {
       type = settingsFormat.type;
diff --git a/nixos/modules/services/misc/mqtt2influxdb.nix b/nixos/modules/services/misc/mqtt2influxdb.nix
index 925139b449b8e..d07ce1e66ba31 100644
--- a/nixos/modules/services/misc/mqtt2influxdb.nix
+++ b/nixos/modules/services/misc/mqtt2influxdb.nix
@@ -124,7 +124,7 @@ let
 in {
   options = {
     services.mqtt2influxdb = {
-      enable = mkEnableOption "BigClown MQTT to InfluxDB bridge.";
+      enable = mkEnableOption "BigClown MQTT to InfluxDB bridge";
       package = mkPackageOption pkgs ["python3Packages" "mqtt2influxdb"] {};
       environmentFiles = mkOption {
         type = types.listOf types.path;
diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix
index 1467c3f93bc85..c460514783efc 100644
--- a/nixos/modules/services/misc/ollama.nix
+++ b/nixos/modules/services/misc/ollama.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  inherit (lib) types;
+  inherit (lib) types mkBefore;
 
   cfg = config.services.ollama;
   ollamaPackage = cfg.package.override {
@@ -132,6 +132,14 @@ in
           Since `ollama run` is mostly a shell around the ollama server, this is usually sufficient.
         '';
       };
+      loadModels = lib.mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = ''
+          The models to download as soon as the service starts.
+          Search for models of your choice from: https://ollama.com/library
+        '';
+      };
       openFirewall = lib.mkOption {
         type = types.bool;
         default = false;
@@ -161,6 +169,14 @@ in
         DynamicUser = cfg.sandbox;
         ReadWritePaths = cfg.writablePaths;
       };
+      postStart = mkBefore ''
+        set -x
+        export OLLAMA_HOST=${lib.escapeShellArg cfg.host}:${builtins.toString cfg.port}
+        for model in ${lib.escapeShellArgs cfg.loadModels}
+        do
+          ${lib.escapeShellArg (lib.getExe ollamaPackage)} pull "$model"
+        done
+      '';
     };
 
     networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
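Review bot: `set -x` in the new `postStart` echoes every command of the loop to the journal and looks like leftover debugging; it should be dropped. Because `postStart` becomes `ExecStartPost`, any failed `pull` (registry unreachable at boot, a mistyped model name) fails the whole ollama unit instead of skipping that model, and `systemctl start` blocks until every download completes; if that is not intended, run the loop best-effort or move it to a separate oneshot unit ordered after the server. I also cannot tell from the hunk whether the server is already accepting connections when `postStart` runs — that depends on the unit's `Type`, which is outside the hunk — so a readiness wait before the first pull may be needed. A one-line comment above the loop stating that this blocks startup until the models are present would help the next maintainer.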
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index e564fe3b8317b..6d6a49c10bddc 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -225,7 +225,7 @@ in
       effectively never complete due to running into timeouts.
 
       This sets `OMP_NUM_THREADS` to `1` in order to mitigate the issue. See
-      https://github.com/NixOS/nixpkgs/issues/240591 for more information.
+      https://github.com/NixOS/nixpkgs/issues/240591 for more information
     '' // mkOption { default = true; };
   };
 
diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix
index c7abb2cfa2a3e..a9a069b0c0555 100644
--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@@ -70,7 +70,7 @@ in
 
         To activate dex, first a search user must be created in the Portunus web ui
         and then the password must to be set as the `DEX_SEARCH_USER_PASSWORD` environment variable
-        in the [](#opt-services.dex.environmentFile) setting.
+        in the [](#opt-services.dex.environmentFile) setting
       '';
 
       oidcClients = mkOption {
diff --git a/nixos/modules/services/misc/spice-autorandr.nix b/nixos/modules/services/misc/spice-autorandr.nix
index 0d58d28657172..92b8a15e93c5d 100644
--- a/nixos/modules/services/misc/spice-autorandr.nix
+++ b/nixos/modules/services/misc/spice-autorandr.nix
@@ -6,7 +6,7 @@ in
 {
   options = {
     services.spice-autorandr = {
-      enable = lib.mkEnableOption "spice-autorandr service that will automatically resize display to match SPICE client window size.";
+      enable = lib.mkEnableOption "spice-autorandr service that will automatically resize display to match SPICE client window size";
       package = lib.mkPackageOption pkgs "spice-autorandr" { };
     };
   };
diff --git a/nixos/modules/services/monitoring/nezha-agent.nix b/nixos/modules/services/monitoring/nezha-agent.nix
index 8312a425d28fc..7ebbc7f2f3297 100644
--- a/nixos/modules/services/monitoring/nezha-agent.nix
+++ b/nixos/modules/services/monitoring/nezha-agent.nix
@@ -24,6 +24,13 @@ in
           Enable SSL/TLS encryption.
         '';
       };
+      gpu = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = ''
+          Enable GPU monitoring.
+        '';
+      };
       disableCommandExecute = lib.mkOption {
         type = lib.types.bool;
         default = true;
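Review bot: The new `gpu` option defaults to `true`, so the hunk at the end of this section appends `--gpu` to the command line of every existing deployment after an upgrade, not only for users who opted in. If the packaged agent has not always accepted `--gpu`, or if GPU probing has a cost on headless hosts, the safer choice is `default = false;`; otherwise the behaviour change should at least be called out. The description `Enable GPU monitoring.` could also say what the agent reports when it is on, if that is known.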
@@ -46,7 +53,12 @@ in
         '';
       };
       reportDelay = lib.mkOption {
-        type = lib.types.enum [ 1 2 3 4 ];
+        type = lib.types.enum [
+          1
+          2
+          3
+          4
+        ];
         default = 1;
         description = ''
           The interval between system status reportings.
@@ -96,6 +108,7 @@ in
         ++ lib.optional cfg.skipConnection "--skip-conn"
         ++ lib.optional cfg.skipProcess "--skip-procs"
         ++ lib.optional cfg.tls "--tls"
+        ++ lib.optional cfg.gpu "--gpu"
       );
       wantedBy = [ "multi-user.target" ];
     };
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 2dc12a221bf06..dc357f6cc5fb3 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -52,7 +52,6 @@ let
     "lnd"
     "mail"
     "mikrotik"
-    "minio"
     "modemmanager"
     "mongodb"
     "mysqld"
@@ -279,20 +278,16 @@ let
 in
 {
 
-  imports = (lib.forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
-                   "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
-                   "snmpExporter" "unifiExporter" "varnishExporter" ]
-       (opt: lib.mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] ''
-         The prometheus exporters are now configured using `services.prometheus.exporters'.
-         See the 18.03 release notes for more information.
-       '' ));
-
   options.services.prometheus.exporters = mkOption {
     type = types.submodule {
       options = (mkSubModules);
       imports = [
         ../../../misc/assertions.nix
         (lib.mkRenamedOptionModule [ "unifi-poller" ] [ "unpoller" ])
+        (lib.mkRemovedOptionModule [ "minio" ] ''
+          The Minio exporter has been removed, as it was broken and unmaintained.
+          See the 24.11 release notes for more information.
+        '')
       ];
     };
     description = "Prometheus exporter configuration";
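Review bot: Besides moving the minio notice, this hunk deletes the `mkRemovedOptionModule` imports for all ten pre-18.03 option names (`blackboxExporter`, `nodeExporter`, …), so a configuration still using one of them now fails with a generic unknown-option error instead of the pointer to `services.prometheus.exporters`. That may be acceptable after this long, but it is a separate change from the minio removal and deserves to be called out explicitly, or the `imports` list should be kept minus `minioExporter`. The following hunk also leaves a double space in `}]  ++ [(mkIf config.services.prometheus.exporters.rtl_433.enable {`.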
@@ -438,11 +433,7 @@ in
         ''
       )
     ] ++ config.services.prometheus.exporters.warnings;
-  }] ++ [(mkIf config.services.minio.enable {
-    services.prometheus.exporters.minio.minioAddress  = mkDefault "http://localhost:9000";
-    services.prometheus.exporters.minio.minioAccessKey = mkDefault config.services.minio.accessKey;
-    services.prometheus.exporters.minio.minioAccessSecret = mkDefault config.services.minio.secretKey;
-  })] ++ [(mkIf config.services.prometheus.exporters.rtl_433.enable {
+  }]  ++ [(mkIf config.services.prometheus.exporters.rtl_433.enable {
     hardware.rtl-sdr.enable = mkDefault true;
   })] ++ [(mkIf config.services.postfix.enable {
     services.prometheus.exporters.postfix.group = mkDefault config.services.postfix.setgidGroup;
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix
deleted file mode 100644
index 8faff5908b8a9..0000000000000
--- a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix
+++ /dev/null
@@ -1,69 +0,0 @@
-{ config, lib, pkgs, options, ... }:
-
-let
-  cfg = config.services.prometheus.exporters.minio;
-  inherit (lib)
-    mkOption
-    types
-    optionalString
-    concatStringsSep
-    escapeShellArg
-    ;
-in
-{
-  port = 9290;
-  extraOpts = {
-    minioAddress = mkOption {
-      type = types.str;
-      example = "https://10.0.0.1:9000";
-      description = ''
-        The URL of the minio server.
-        Use HTTPS if Minio accepts secure connections only.
-        By default this connects to the local minio server if enabled.
-      '';
-    };
-
-    minioAccessKey = mkOption {
-      type = types.str;
-      example = "yourMinioAccessKey";
-      description = ''
-        The value of the Minio access key.
-        It is required in order to connect to the server.
-        By default this uses the one from the local minio server if enabled
-        and `config.services.minio.accessKey`.
-      '';
-    };
-
-    minioAccessSecret = mkOption {
-      type = types.str;
-      description = ''
-        The value of the Minio access secret.
-        It is required in order to connect to the server.
-        By default this uses the one from the local minio server if enabled
-        and `config.services.minio.secretKey`.
-      '';
-    };
-
-    minioBucketStats = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Collect statistics about the buckets and files in buckets.
-        It requires more computation, use it carefully in case of large buckets..
-      '';
-    };
-  };
-  serviceOpts = {
-    serviceConfig = {
-      ExecStart = ''
-        ${pkgs.prometheus-minio-exporter}/bin/minio-exporter \
-          -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
-          -minio.server ${cfg.minioAddress} \
-          -minio.access-key ${escapeShellArg cfg.minioAccessKey} \
-          -minio.access-secret ${escapeShellArg cfg.minioAccessSecret} \
-          ${optionalString cfg.minioBucketStats "-minio.bucket-stats"} \
-          ${concatStringsSep " \\\n  " cfg.extraFlags}
-      '';
-    };
-  };
-}
diff --git a/nixos/modules/services/monitoring/rustdesk-server.nix b/nixos/modules/services/monitoring/rustdesk-server.nix
index 21e6128c7226a..ea4dd43cbb35b 100644
--- a/nixos/modules/services/monitoring/rustdesk-server.nix
+++ b/nixos/modules/services/monitoring/rustdesk-server.nix
@@ -4,7 +4,7 @@ let
   UDPPorts = [21116];
 in {
   options.services.rustdesk-server = with lib; with types; {
-    enable = mkEnableOption "RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices.";
+    enable = mkEnableOption "RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices";
 
     package = mkPackageOption pkgs "rustdesk-server" {};
 
diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix
index 2c05eaad25ace..6fd3b5707ab67 100644
--- a/nixos/modules/services/monitoring/smartd.nix
+++ b/nixos/modules/services/monitoring/smartd.nix
@@ -10,6 +10,7 @@ let
   opt = options.services.smartd;
 
   nm = cfg.notifications.mail;
+  ns = cfg.notifications.systembus-notify;
   nw = cfg.notifications.wall;
   nx = cfg.notifications.x11;
 
@@ -28,6 +29,12 @@ let
       ${pkgs.smartmontools}/sbin/smartctl -a -d "$SMARTD_DEVICETYPE" "$SMARTD_DEVICE"
       } | ${nm.mailer} -i "${nm.recipient}"
     ''}
+    ${optionalString ns.enable ''
+      ${pkgs.dbus}/bin/dbus-send --system \
+        / net.nuetzlich.SystemNotifications.Notify \
+        "string:Problem detected with disk: $SMARTD_DEVICESTRING" \
+        "string:Warning message from smartd is: $SMARTD_MESSAGE"
+    ''}
     ${optionalString nw.enable ''
       {
       ${pkgs.coreutils}/bin/cat << EOF
@@ -159,6 +166,24 @@ in
           };
         };
 
+        systembus-notify = {
+          enable = mkOption {
+            default = false;
+            type = types.bool;
+            description = ''
+              Whenever to send systembus-notify notifications.
+
+              WARNING: enabling this option (while convenient) should *not* be done on a
+              machine where you do not trust the other users as it allows any other
+              local user to DoS your session by spamming notifications.
+
+              To actually see the notifications in your GUI session, you need to have
+              `systembus-notify` running as your user, which this
+              option handles by enabling {option}`services.systembus-notify`.
+            '';
+          };
+        };
+
         wall = {
           enable = mkOption {
             default = true;
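Review bot: `Whenever to send systembus-notify notifications.` should read `Whether to send systembus-notify notifications.`. The warning paragraph that follows is worth keeping verbatim: it documents why the `dbus-send --system` call added earlier in this file is only appropriate on single-user machines.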
@@ -247,6 +272,8 @@ in
       serviceConfig.ExecStart = "${pkgs.smartmontools}/sbin/smartd ${lib.concatStringsSep " " cfg.extraOptions} --no-fork --configfile=${smartdConf}";
     };
 
+    services.systembus-notify.enable = mkDefault ns.enable;
+
   };
 
 }
diff --git a/nixos/modules/services/monitoring/thanos.nix b/nixos/modules/services/monitoring/thanos.nix
index f4cec0a545cb7..10f4d08f8874e 100644
--- a/nixos/modules/services/monitoring/thanos.nix
+++ b/nixos/modules/services/monitoring/thanos.nix
@@ -696,7 +696,7 @@ in {
     };
 
     store = paramsToOptions params.store // {
-      enable = mkEnableOption "the Thanos store node giving access to blocks in a bucket provider.";
+      enable = mkEnableOption "the Thanos store node giving access to blocks in a bucket provider";
       arguments = mkArgumentsOption "store";
     };
 
diff --git a/nixos/modules/services/monitoring/ups.nix b/nixos/modules/services/monitoring/ups.nix
index 0a0d5eadccd30..35a2d61da1de4 100644
--- a/nixos/modules/services/monitoring/ups.nix
+++ b/nixos/modules/services/monitoring/ups.nix
@@ -385,8 +385,8 @@ in
 
     power.ups = {
       enable = mkEnableOption ''
-        Enables support for Power Devices, such as Uninterruptible Power
-        Supplies, Power Distribution Units and Solar Controllers.
+        support for Power Devices, such as Uninterruptible Power
+        Supplies, Power Distribution Units and Solar Controllers
       '';
 
       mode = mkOption {
diff --git a/nixos/modules/services/network-filesystems/openafs/server.nix b/nixos/modules/services/network-filesystems/openafs/server.nix
index a399aa6c23bca..8186277b47775 100644
--- a/nixos/modules/services/network-filesystems/openafs/server.nix
+++ b/nixos/modules/services/network-filesystems/openafs/server.nix
@@ -183,7 +183,7 @@ in {
 
           enableFabs = mkEnableOption ''
             FABS, the flexible AFS backup system. It stores volumes as dump files, relying on other
-            pre-existing backup solutions for handling them.
+            pre-existing backup solutions for handling them
           '';
 
           buserverArgs = mkOption {
diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix
index 608b48cf0305c..f46bf802511ae 100644
--- a/nixos/modules/services/network-filesystems/samba-wsdd.nix
+++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix
@@ -10,7 +10,7 @@ in {
     services.samba-wsdd = {
       enable = mkEnableOption ''
         Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device,
-        to be found by Web Service Discovery Clients like Windows.
+        to be found by Web Service Discovery Clients like Windows
       '';
       interface = mkOption {
         type = types.nullOr types.str;
diff --git a/nixos/modules/services/networking/gns3-server.nix b/nixos/modules/services/networking/gns3-server.nix
index ba0d6be30f499..ec6a53dddc709 100644
--- a/nixos/modules/services/networking/gns3-server.nix
+++ b/nixos/modules/services/networking/gns3-server.nix
@@ -16,7 +16,7 @@ in {
     services.gns3-server = {
       enable = lib.mkEnableOption "GNS3 Server daemon";
 
-      package = lib.mkPackageOptionMD pkgs "gns3-server" { };
+      package = lib.mkPackageOption pkgs "gns3-server" { };
 
       auth = {
         enable = lib.mkEnableOption "password based HTTP authentication to access the GNS3 Server";
@@ -87,18 +87,18 @@ in {
       };
 
       dynamips = {
-        enable = lib.mkEnableOption ''Whether to enable Dynamips support.'';
-        package = lib.mkPackageOptionMD pkgs "dynamips" { };
+        enable = lib.mkEnableOption ''Dynamips support'';
+        package = lib.mkPackageOption pkgs "dynamips" { };
       };
 
       ubridge = {
-        enable = lib.mkEnableOption ''Whether to enable uBridge support.'';
-        package = lib.mkPackageOptionMD pkgs "ubridge" { };
+        enable = lib.mkEnableOption ''uBridge support'';
+        package = lib.mkPackageOption pkgs "ubridge" { };
       };
 
       vpcs = {
-        enable = lib.mkEnableOption ''Whether to enable VPCS support.'';
-        package = lib.mkPackageOptionMD pkgs "vpcs" { };
+        enable = lib.mkEnableOption ''VPCS support'';
+        package = lib.mkPackageOption pkgs "vpcs" { };
       };
     };
   };
diff --git a/nixos/modules/services/networking/haproxy.nix b/nixos/modules/services/networking/haproxy.nix
index c764b447b0cb9..19b096bf49069 100644
--- a/nixos/modules/services/networking/haproxy.nix
+++ b/nixos/modules/services/networking/haproxy.nix
@@ -17,7 +17,7 @@ with lib;
   options = {
     services.haproxy = {
 
-      enable = mkEnableOption "HAProxy, the reliable, high performance TCP/HTTP load balancer.";
+      enable = mkEnableOption "HAProxy, the reliable, high performance TCP/HTTP load balancer";
 
       package = mkPackageOption pkgs "haproxy" { };
 
diff --git a/nixos/modules/services/networking/hylafax/options.nix b/nixos/modules/services/networking/hylafax/options.nix
index 1880aebe7a6be..973dfa054afcb 100644
--- a/nixos/modules/services/networking/hylafax/options.nix
+++ b/nixos/modules/services/networking/hylafax/options.nix
@@ -312,9 +312,9 @@ in
     };
 
     faxqclean.enable.spoolInit = mkEnableOption ''
-      Purge old files from the spooling area with
+      purging old files from the spooling area with
       {file}`faxqclean`
-      each time the spooling area is initialized.
+      each time the spooling area is initialized
     '';
     faxqclean.enable.frequency = mkOption {
       type = nullOr nonEmptyStr;
diff --git a/nixos/modules/services/networking/netbird/dashboard.nix b/nixos/modules/services/networking/netbird/dashboard.nix
index 6fc3086155900..788b724231be3 100644
--- a/nixos/modules/services/networking/netbird/dashboard.nix
+++ b/nixos/modules/services/networking/netbird/dashboard.nix
@@ -39,7 +39,7 @@ in
 
     package = mkPackageOption pkgs "netbird-dashboard" { };
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy to serve the dashboard.";
+    enableNginx = mkEnableOption "Nginx reverse-proxy to serve the dashboard";
 
     domain = mkOption {
       type = str;
diff --git a/nixos/modules/services/networking/netbird/management.nix b/nixos/modules/services/networking/netbird/management.nix
index 52f033959143c..f4b5bbf643239 100644
--- a/nixos/modules/services/networking/netbird/management.nix
+++ b/nixos/modules/services/networking/netbird/management.nix
@@ -137,7 +137,7 @@ in
 
 {
   options.services.netbird.server.management = {
-    enable = mkEnableOption "Netbird Management Service.";
+    enable = mkEnableOption "Netbird Management Service";
 
     package = mkPackageOption pkgs "netbird" { };
 
@@ -335,7 +335,7 @@ in
       description = "Log level of the netbird services.";
     };
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird management service.";
+    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird management service";
   };
 
   config = mkIf cfg.enable {
diff --git a/nixos/modules/services/networking/netbird/server.nix b/nixos/modules/services/networking/netbird/server.nix
index e3de286a04fa4..1725374d03c6b 100644
--- a/nixos/modules/services/networking/netbird/server.nix
+++ b/nixos/modules/services/networking/netbird/server.nix
@@ -31,7 +31,7 @@ in
   options.services.netbird.server = {
     enable = mkEnableOption "Netbird Server stack, comprising the dashboard, management API and signal service";
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird server services.";
+    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird server services";
 
     domain = mkOption {
       type = str;
diff --git a/nixos/modules/services/networking/netbird/signal.nix b/nixos/modules/services/networking/netbird/signal.nix
index 8408d20e874b5..b53e9d40c2eed 100644
--- a/nixos/modules/services/networking/netbird/signal.nix
+++ b/nixos/modules/services/networking/netbird/signal.nix
@@ -28,7 +28,7 @@ in
 
     package = mkPackageOption pkgs "netbird" { };
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird signal service.";
+    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird signal service";
 
     domain = mkOption {
       type = str;
diff --git a/nixos/modules/services/networking/networkd-dispatcher.nix b/nixos/modules/services/networking/networkd-dispatcher.nix
index 039888e3c0646..427835870e59f 100644
--- a/nixos/modules/services/networking/networkd-dispatcher.nix
+++ b/nixos/modules/services/networking/networkd-dispatcher.nix
@@ -14,7 +14,7 @@ in {
       enable = mkEnableOption ''
         Networkd-dispatcher service for systemd-networkd connection status
         change. See [https://gitlab.com/craftyguy/networkd-dispatcher](upstream instructions)
-        for usage.
+        for usage
       '';
 
       rules = mkOption {
diff --git a/nixos/modules/services/networking/nncp.nix b/nixos/modules/services/networking/nncp.nix
index f4ed7ecc7d4a6..8c5b5a61a181d 100644
--- a/nixos/modules/services/networking/nncp.nix
+++ b/nixos/modules/services/networking/nncp.nix
@@ -34,9 +34,7 @@ in {
           [](#opt-programs.nncp.settings)
         '';
         socketActivation = {
-          enable = mkEnableOption ''
-            Whether to run nncp-daemon persistently or socket-activated.
-          '';
+          enable = mkEnableOption "socket activation for nncp-daemon";
           listenStreams = mkOption {
             type = with types; listOf str;
             description = ''
diff --git a/nixos/modules/services/networking/oink.nix b/nixos/modules/services/networking/oink.nix
index cd0fdf172331d..3497ca9220a80 100644
--- a/nixos/modules/services/networking/oink.nix
+++ b/nixos/modules/services/networking/oink.nix
@@ -77,6 +77,7 @@ in
   config = mkIf cfg.enable {
     systemd.services.oink = {
       description = "Dynamic DNS client for Porkbun";
+      after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       script = "${cfg.package}/bin/oink -c ${oinkConfig}";
     };
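Review bot: `after = [ "network.target" ]` only orders the unit after network configuration has been started, not after a link or route is up, which is what a dynamic DNS client needs on its first update. The target that expresses "connected" is `network-online.target`, and it must be both pulled in and ordered: `wants = [ "network-online.target" ]; after = [ "network-online.target" ];`. Whether the unit has a `Restart` policy to survive an early failure is not visible in this hunk.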
diff --git a/nixos/modules/services/networking/scion/scion-control.nix b/nixos/modules/services/networking/scion/scion-control.nix
index c3a22039aa524..95d78a87ac859 100644
--- a/nixos/modules/services/networking/scion/scion-control.nix
+++ b/nixos/modules/services/networking/scion/scion-control.nix
@@ -12,19 +12,19 @@ let
       reconnect_to_dispatcher = true;
     };
     beacon_db = {
-      connection = "/var/lib/scion-control/control.beacon.db";
+      connection = "/run/scion-control/control.beacon.db";
     };
     path_db = {
-      connection = "/var/lib/scion-control/control.path.db";
+      connection = "/run/scion-control/control.path.db";
     };
     trust_db = {
-      connection = "/var/lib/scion-control/control.trust.db";
+      connection = "/run/scion-control/control.trust.db";
     };
     log.console = {
       level = "info";
     };
   };
-  configFile = toml.generate "scion-control.toml" (defaultConfig // cfg.settings);
+  configFile = toml.generate "scion-control.toml" (recursiveUpdate defaultConfig cfg.settings);
 in
 {
   options.services.scion.scion-control = {
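Review bot: Moving `beacon_db`, `path_db` and `trust_db` from `/var/lib/scion-control` to `/run/scion-control` makes all three databases ephemeral: `/run` is tmpfs and the `RuntimeDirectory` this file switches to later in the diff is removed when the unit stops, so the trust material is rebuilt on every restart and the path/beacon state now lives in RAM. If that is intended — e.g. because trust_db only caches TRCs that are re-read from `config_dir` — say so next to `defaultConfig`, e.g. `# These DBs are rebuilt at startup; keep them in the per-boot runtime dir rather than persistent state`. The scion-daemon hunk (`/run/scion-daemon/sd.path.db`, `sd.trust.db`) has the same question. The switch from `//` to `recursiveUpdate` is a good fix, since a user setting only `path_db.connection` previously dropped every other default.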
@@ -35,7 +35,7 @@ in
       example = literalExpression ''
         {
           path_db = {
-            connection = "/var/lib/scion-control/control.path.db";
+            connection = "/run/scion-control/control.path.db";
           };
           log.console = {
             level = "info";
@@ -62,7 +62,7 @@ in
         DynamicUser = true;
         Restart = "on-failure";
         BindPaths = [ "/dev/shm:/run/shm" ];
-        StateDirectory = "scion-control";
+        RuntimeDirectory = "scion-control";
       };
     };
   };
diff --git a/nixos/modules/services/networking/scion/scion-daemon.nix b/nixos/modules/services/networking/scion/scion-daemon.nix
index 53b56841c3929..8528bec1d52eb 100644
--- a/nixos/modules/services/networking/scion/scion-daemon.nix
+++ b/nixos/modules/services/networking/scion/scion-daemon.nix
@@ -12,16 +12,16 @@ let
       reconnect_to_dispatcher = true;
     };
     path_db = {
-      connection = "/var/lib/scion-daemon/sd.path.db";
+      connection = "/run/scion-daemon/sd.path.db";
     };
     trust_db = {
-      connection = "/var/lib/scion-daemon/sd.trust.db";
+      connection = "/run/scion-daemon/sd.trust.db";
     };
     log.console = {
       level = "info";
     };
   };
-  configFile = toml.generate "scion-daemon.toml" (defaultConfig // cfg.settings);
+  configFile = toml.generate "scion-daemon.toml" (recursiveUpdate defaultConfig cfg.settings);
 in
 {
   options.services.scion.scion-daemon = {
@@ -32,7 +32,7 @@ in
       example = literalExpression ''
         {
           path_db = {
-            connection = "/var/lib/scion-daemon/sd.path.db";
+            connection = "/run/scion-daemon/sd.path.db";
           };
           log.console = {
             level = "info";
@@ -57,7 +57,7 @@ in
         ExecStart = "${pkgs.scion}/bin/scion-daemon --config ${configFile}";
         Restart = "on-failure";
         DynamicUser = true;
-        StateDirectory = "scion-daemon";
+        RuntimeDirectory = "scion-daemon";
       };
     };
   };
diff --git a/nixos/modules/services/networking/scion/scion-dispatcher.nix b/nixos/modules/services/networking/scion/scion-dispatcher.nix
index 05d1fd0782af5..7c9f5e6a385ee 100644
--- a/nixos/modules/services/networking/scion/scion-dispatcher.nix
+++ b/nixos/modules/services/networking/scion/scion-dispatcher.nix
@@ -15,7 +15,7 @@ let
       level = "info";
     };
   };
-  configFile = toml.generate "scion-dispatcher.toml" (defaultConfig // cfg.settings);
+  configFile = toml.generate "scion-dispatcher.toml" (recursiveUpdate defaultConfig cfg.settings);
 in
 {
   options.services.scion.scion-dispatcher = {
@@ -66,7 +66,7 @@ in
         ExecStartPre = "${pkgs.coreutils}/bin/rm -rf /run/shm/dispatcher";
         ExecStart = "${pkgs.scion}/bin/scion-dispatcher --config ${configFile}";
         Restart = "on-failure";
-        StateDirectory = "scion-dispatcher";
+        RuntimeDirectory = "scion-dispatcher";
       };
     };
   };
diff --git a/nixos/modules/services/networking/scion/scion-router.nix b/nixos/modules/services/networking/scion/scion-router.nix
index 488dfd12b3a57..2cac44ab767ef 100644
--- a/nixos/modules/services/networking/scion/scion-router.nix
+++ b/nixos/modules/services/networking/scion/scion-router.nix
@@ -11,7 +11,7 @@ let
       config_dir = "/etc/scion";
     };
   };
-  configFile = toml.generate "scion-router.toml" (defaultConfig // cfg.settings);
+  configFile = toml.generate "scion-router.toml" (recursiveUpdate defaultConfig cfg.settings);
 in
 {
   options.services.scion.scion-router = {
@@ -42,7 +42,7 @@ in
         ExecStart = "${pkgs.scion}/bin/scion-router --config ${configFile}";
         Restart = "on-failure";
         DynamicUser = true;
-        StateDirectory = "scion-router";
+        RuntimeDirectory = "scion-router";
       };
     };
   };
diff --git a/nixos/modules/services/networking/scion/scion.nix b/nixos/modules/services/networking/scion/scion.nix
index 5e3445edbb89a..b8bfef8b93b58 100644
--- a/nixos/modules/services/networking/scion/scion.nix
+++ b/nixos/modules/services/networking/scion/scion.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -17,6 +17,9 @@ in
     };
   };
   config = mkIf cfg.enable {
+    environment.systemPackages = [
+      pkgs.scion
+    ];
     services.scion = {
       scion-dispatcher.enable = true;
       scion-daemon.enable = true;
diff --git a/nixos/modules/services/networking/wg-access-server.nix b/nixos/modules/services/networking/wg-access-server.nix
new file mode 100644
index 0000000000000..5876699924b22
--- /dev/null
+++ b/nixos/modules/services/networking/wg-access-server.nix
@@ -0,0 +1,124 @@
+{ config, pkgs, lib, ... }:
+let
+  inherit (lib) mkEnableOption mkPackageOption mkOption types;
+
+  cfg = config.services.wg-access-server;
+
+  settingsFormat = pkgs.formats.yaml { };
+  configFile = settingsFormat.generate "config.yaml" cfg.settings;
+in
+{
+
+  options.services.wg-access-server = {
+    enable = mkEnableOption "wg-access-server";
+
+    package = mkPackageOption pkgs "wg-access-server" { };
+
+    settings = mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+        options = {
+          dns.enable = mkOption {
+            type = types.bool;
+            default = true;
+            description = ''
+              Enable/disable the embedded DNS proxy server.
+              This is enabled by default and allows VPN clients to avoid DNS leaks by sending all DNS requests to wg-access-server itself.
+            '';
+          };
+          storage = mkOption {
+            type = types.str;
+            default = "sqlite3://db.sqlite";
+            description = "A storage backend connection string. See [storage docs](https://www.freie-netze.org/wg-access-server/3-storage/)";
+          };
+        };
+      };
+      description = "See https://www.freie-netze.org/wg-access-server/2-configuration/ for possible options";
+    };
+
+    secretsFile = mkOption {
+      type = types.path;
+      description = ''
+        yaml file containing all secrets. this needs to be in the same structure as the configuration.
+
+        This must to contain the admin password and wireguard private key.
+        As well as the secrets for your auth backend.
+
+        Example:
+        ```yaml
+        adminPassword: <admin password>
+        wireguard:
+          privateKey: <wireguard private key>
+        auth:
+          oidc:
+            clientSecret: <client secret>
+        ```
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions =
+      map
+        (attrPath:
+          {
+            assertion = !lib.hasAttrByPath attrPath config.services.wg-access-server.settings;
+            message = ''
+              {option}`services.wg-access-server.settings.${lib.concatStringsSep "." attrPath}` must definded
+              in {option}`services.wg-access-server.secretsFile`.
+            '';
+          })
+        [
+          [ "adminPassword" ]
+          [ "wireguard" "privateKey" ]
+          [ "auth" "sessionStore" ]
+          [ "auth" "oidc" "clientSecret" ]
+          [ "auth" "gitlab" "clientSecret" ]
+        ];
+
+    boot.kernel.sysctl = {
+      "net.ipv4.conf.all.forwarding" = "1";
+      "net.ipv6.conf.all.forwarding" = "1";
+    };
+
+    systemd.services.wg-access-server = {
+      description = "WG access server";
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      script = ''
+        # merge secrets into main config
+        yq eval-all "select(fileIndex == 0) * select(fileIndex == 1)" ${configFile} $CREDENTIALS_DIRECTORY/SECRETS_FILE \
+          > "$STATE_DIRECTORY/config.yml"
+
+        ${lib.getExe cfg.package} serve --config "$STATE_DIRECTORY/config.yml"
+      '';
+
+      path = with pkgs; [
+        iptables
+        # needed by startup script
+        yq-go
+      ];
+
+      serviceConfig =
+        let
+          capabilities = [
+            "CAP_NET_ADMIN"
+          ] ++ lib.optional cfg.settings.dns.enabled "CAP_NET_BIND_SERVICE";
+        in
+        {
+          WorkingDirectory = "/var/lib/wg-access-server";
+          StateDirectory = "wg-access-server";
+
+          LoadCredential = [
+            "SECRETS_FILE:${cfg.secretsFile}"
+          ];
+
+          # Hardening
+          DynamicUser = true;
+          AmbientCapabilities = capabilities;
+          CapabilityBoundingSet = capabilities;
+        };
+    };
+  };
+}
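Review bot: `lib.optional cfg.settings.dns.enabled` in the `capabilities` binding reads an attribute this module never declares — the option is defined as `settings.dns.enable` at the top of the file — so with default settings evaluation fails with a missing-attribute error; the two spellings must agree, and the one to keep is whatever key upstream reads from the generated YAML. The merged file the `script` writes to `$STATE_DIRECTORY/config.yml` contains the admin password and the WireGuard private key, but under systemd's default umask (0022) and `StateDirectoryMode` (0755) it is created world-readable; put `umask 077` before the `yq` line or set `StateDirectoryMode = "0700";`, and quote `"$CREDENTIALS_DIRECTORY/SECRETS_FILE"` so the path survives spaces. `requires = [ "network-online.target" ]` is stronger than needed — `wants` is the documented way to pull that target in without making the service fail when the target does. The assertion message also has a typo: `must be defined`.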
diff --git a/nixos/modules/services/networking/xrdp.nix b/nixos/modules/services/networking/xrdp.nix
index 884325d13159b..d571c6e4d88d7 100644
--- a/nixos/modules/services/networking/xrdp.nix
+++ b/nixos/modules/services/networking/xrdp.nix
@@ -51,11 +51,11 @@ in
 
       enable = mkEnableOption "xrdp, the Remote Desktop Protocol server";
 
-      package = mkPackageOptionMD pkgs "xrdp" { };
+      package = mkPackageOption pkgs "xrdp" { };
 
       audio = {
         enable = mkEnableOption "audio support for xrdp sessions. So far it only works with PulseAudio sessions on the server side. No PipeWire support yet";
-        package = mkPackageOptionMD pkgs "pulseaudio-module-xrdp" {};
+        package = mkPackageOption pkgs "pulseaudio-module-xrdp" {};
       };
 
       port = mkOption {
diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix
index 68c04118fdd58..2485327ed44e6 100644
--- a/nixos/modules/services/networking/zerotierone.nix
+++ b/nixos/modules/services/networking/zerotierone.nix
@@ -34,7 +34,7 @@ in
   options.services.zerotierone.package = mkPackageOption pkgs "zerotierone" { };
 
   options.services.zerotierone.localConf = mkOption {
-    default = null;
+    default = {};
     description = ''
       Optional configuration to be written to the Zerotier JSON-based local.conf.
       If set, the configuration will be symlinked to `/var/lib/zerotier-one/local.conf` at build time.
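Review bot: With the default changed from `null` to `{}` the description's "If set, the configuration will be symlinked …" no longer matches: the option is now always set, so if the config section (outside this hunk) tests `!= null`, an empty `local.conf` will be written on every system. Either adjust the wording to `If non-empty, …` and make the config check `!= {}`, or keep `null` as the "not managed" value; the option's `type` is not visible here, so which of the two applies should be confirmed against the rest of the module.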
diff --git a/nixos/modules/services/search/hound.nix b/nixos/modules/services/search/hound.nix
index e3f9c8da3752a..7aca1adc19b08 100644
--- a/nixos/modules/services/search/hound.nix
+++ b/nixos/modules/services/search/hound.nix
@@ -1,71 +1,66 @@
 { config, lib, pkgs, ... }:
-with lib;
 let
   cfg = config.services.hound;
+  settingsFormat = pkgs.formats.json { };
 in {
   imports = [
     (lib.mkRemovedOptionModule [ "services" "hound" "extraGroups" ] "Use users.users.hound.extraGroups instead")
+    (lib.mkChangedOptionModule [ "services" "hound" "config" ] [ "services" "hound" "settings" ] (config: builtins.fromJSON config.services.hound.config))
   ];
 
-  meta.maintainers = with maintainers; [ SuperSandro2000 ];
+  meta.maintainers = with lib.maintainers; [ SuperSandro2000 ];
 
   options = {
     services.hound = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable the hound code search daemon.
-        '';
-      };
+      enable = lib.mkEnableOption "hound";
 
-      package = mkPackageOptionMD pkgs "hound" { };
+      package = lib.mkPackageOption pkgs "hound" { };
 
-      user = mkOption {
+      user = lib.mkOption {
         default = "hound";
-        type = types.str;
+        type = lib.types.str;
         description = ''
           User the hound daemon should execute under.
         '';
       };
 
-      group = mkOption {
+      group = lib.mkOption {
         default = "hound";
-        type = types.str;
+        type = lib.types.str;
         description = ''
           Group the hound daemon should execute under.
         '';
       };
 
-      home = mkOption {
+      home = lib.mkOption {
         default = "/var/lib/hound";
-        type = types.path;
+        type = lib.types.path;
         description = ''
           The path to use as hound's $HOME.
           If the default user "hound" is configured then this is the home of the "hound" user.
         '';
       };
 
-      config = mkOption {
-        type = types.str;
-        description = ''
-          The full configuration of the Hound daemon. Note the dbpath
-          should be an absolute path to a writable location on disk.
-        '';
-        example = literalExpression ''
+      settings = lib.mkOption {
+        type = settingsFormat.type;
+        example = lib.literalExpression ''
           {
-            "max-concurrent-indexers" : 2,
-            "repos" : {
-                "nixpkgs": {
-                  "url" : "https://www.github.com/NixOS/nixpkgs.git"
-                }
-            }
+            max-concurrent-indexers = 2;
+            repos.nixpkgs.url = "https://www.github.com/NixOS/nixpkgs.git";
           }
         '';
+        description = ''
+          The full configuration of the Hound daemon.
+          See the upstream documentation <https://github.com/hound-search/hound/blob/main/docs/config-options.md> for details.
+
+          :::{.note}
+          The `dbpath` should be an absolute path to a writable directory.
+          :::.com/hound-search/hound/blob/main/docs/config-options.md>.
+        '';
       };
 
-      listen = mkOption {
-        type = types.str;
+      listen = lib.mkOption {
+        type = lib.types.str;
         default = "0.0.0.0:6080";
         example = ":6080";
         description = ''
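Review bot: The new `settings` description ends with a stray fragment — the line `:::.com/hound-search/hound/blob/main/docs/config-options.md>.` should be just `:::` to close the note admonition; as written it leaks half a URL into the rendered option docs. Since the config section of this file now fills in `dbpath` from `services.hound.home`, the note could also say that users normally need not set `dbpath` themselves rather than only warning that it must be absolute.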
@@ -75,7 +70,7 @@ in {
     };
   };
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
     users.groups = lib.mkIf (cfg.group == "hound") {
       hound = { };
     };
@@ -89,16 +84,19 @@ in {
       };
     };
 
-    systemd.services.hound = let
-      configFile = pkgs.writeTextFile {
-        name = "hound.json";
-        text = cfg.config;
-        checkPhase = ''
-          # check if the supplied text is valid json
-          ${lib.getExe pkgs.jq} . $target > /dev/null
-        '';
-      };
-    in {
+    environment.etc."hound/config.json".source = pkgs.writeTextFile {
+      name = "hound-config";
+      text = builtins.toJSON cfg.settings;
+      checkPhase = ''
+        ${cfg.package}/bin/houndd -check-conf -conf $out
+      '';
+    };
+
+    services.hound.settings = {
+      dbpath = "${config.services.hound.home}/data";
+    };
+
+    systemd.services.hound = {
       description = "Hound Code Search";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
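Review bot: `services.hound.settings.dbpath = "${config.services.hound.home}/data"` is defined without a priority, so a user who also sets `dbpath` in `settings` gets a conflicting-definition error instead of an override; wrap it as `dbpath = lib.mkDefault "${config.services.hound.home}/data";`. The `checkPhase` passes `$out` to `houndd -check-conf`, whereas the removed code used `$target`; the two are the same only with `writeTextFile`'s default empty `destination`, which holds here, but `$target` states the intent. Moving the config from a store path to `/etc/hound/config.json` also means a changed `settings` no longer changes `ExecStart`, so the unit is restarted only if `environment.etc` changes trigger that elsewhere — worth confirming.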
@@ -107,7 +105,7 @@ in {
         Group = cfg.group;
         WorkingDirectory = cfg.home;
         ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt";
-        ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf ${configFile}";
+        ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf /etc/hound/config.json";
       };
     };
   };
diff --git a/nixos/modules/services/search/quickwit.nix b/nixos/modules/services/search/quickwit.nix
index 6b2db935cf0bf..c4cc0c2427dff 100644
--- a/nixos/modules/services/search/quickwit.nix
+++ b/nixos/modules/services/search/quickwit.nix
@@ -160,7 +160,7 @@ in
         ProtectProc = "invisible";
         ProtectSystem = "strict";
         ReadWritePaths = [
-          "/var/lib/quickwit"
+          cfg.dataDir
         ];
         RestrictAddressFamilies = [
           "AF_NETLINK"
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index c4031b64ba6aa..b6ce42d7318c8 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -263,7 +263,7 @@ in
         '';
         type = with types; attrsOf (either lines (submodule ({ name, ... }: {
           options = {
-            enabled = mkEnableOption "this jail." // {
+            enabled = mkEnableOption "this jail" // {
               default = true;
               readOnly = name == "DEFAULT";
             };
diff --git a/nixos/modules/services/security/haveged.nix b/nixos/modules/services/security/haveged.nix
index 57cef7e44d503..4c686d74268af 100644
--- a/nixos/modules/services/security/haveged.nix
+++ b/nixos/modules/services/security/haveged.nix
@@ -17,7 +17,7 @@ in
 
       enable = mkEnableOption ''
         haveged entropy daemon, which refills /dev/random when low.
-        NOTE: does nothing on kernels newer than 5.6.
+        NOTE: does nothing on kernels newer than 5.6
       '';
       # source for the note https://github.com/jirka-h/haveged/issues/57
 
diff --git a/nixos/modules/services/security/vaultwarden/backup.sh b/nixos/modules/services/security/vaultwarden/backup.sh
index 7668da5bc88f3..0c1cd3aa544f6 100644
--- a/nixos/modules/services/security/vaultwarden/backup.sh
+++ b/nixos/modules/services/security/vaultwarden/backup.sh
@@ -1,17 +1,21 @@
 #!/usr/bin/env bash
 
+# Allow use of !() when copying to not copy certain files
+shopt -s extglob
+
 # Based on: https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
 if [ ! -d "$BACKUP_FOLDER" ]; then
   echo "Backup folder '$BACKUP_FOLDER' does not exist" >&2
   exit 1
 fi
 
-if [[ ! -f "$DATA_FOLDER"/db.sqlite3 ]]; then
-  echo "Could not find SQLite database file '$DATA_FOLDER/db.sqlite3'" >&2
-  exit 1
+if [[ -f "$DATA_FOLDER"/db.sqlite3 ]]; then
+  sqlite3 "$DATA_FOLDER"/db.sqlite3 ".backup '$BACKUP_FOLDER/db.sqlite3'"
+fi
+
+if [ ! -d "$DATA_FOLDER" ]; then
+  echo "No data folder (yet). This will happen on first launch if backup is triggered before vaultwarden has started."
+  exit 0
 fi
 
-sqlite3 "$DATA_FOLDER"/db.sqlite3 ".backup '$BACKUP_FOLDER/db.sqlite3'"
-cp "$DATA_FOLDER"/rsa_key.{der,pem,pub.der} "$BACKUP_FOLDER"
-cp -r "$DATA_FOLDER"/attachments "$BACKUP_FOLDER"
-cp -r "$DATA_FOLDER"/icon_cache "$BACKUP_FOLDER"
+cp -r "$DATA_FOLDER"/!(db.*) "$BACKUP_FOLDER"/
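Review bot: The `-d "$DATA_FOLDER"` guard runs after `sqlite3` has already been pointed at `"$DATA_FOLDER"/db.sqlite3`; it only works because `-f` is false on a missing directory, so move the directory check above the database step so the script reads top-down. `cp -r "$DATA_FOLDER"/!(db.*)` hands the pattern to `cp` literally when nothing matches (bash keeps an unmatched glob unless `nullglob` is set), so an empty data folder makes the script fail with "No such file"; with `shopt -s extglob nullglob` the expansion becomes empty instead, and `files=("$DATA_FOLDER"/!(db.*)); (( ${#files[@]} )) && cp -r "${files[@]}" "$BACKUP_FOLDER"/` copies only when there is something to copy. Excluding `db.*` also skips the `-wal`/`-shm` journal files, which is correct since the `.backup` step already produced a consistent snapshot; a comment saying so would spare the next reader the question.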
diff --git a/nixos/modules/services/system/localtimed.nix b/nixos/modules/services/system/localtimed.nix
index 8af22892a117c..bd83d227aa35c 100644
--- a/nixos/modules/services/system/localtimed.nix
+++ b/nixos/modules/services/system/localtimed.nix
@@ -18,6 +18,8 @@ in {
           geoclue2 to determine the current location.
         '';
       };
+      package = mkPackageOption pkgs "localtime" { };
+      geoclue2Package = mkPackageOption pkgs "geoclue2-with-demo-agent" { };
     };
   };
 
@@ -29,14 +31,14 @@ in {
     };
 
     # Install the polkit rules.
-    environment.systemPackages = [ pkgs.localtime ];
+    environment.systemPackages = [ cfg.package ];
 
     systemd.services.localtimed = {
       wantedBy = [ "multi-user.target" ];
       partOf = [ "localtimed-geoclue-agent.service" ];
       after = [ "localtimed-geoclue-agent.service" ];
       serviceConfig = {
-        ExecStart = "${pkgs.localtime}/bin/localtimed";
+        ExecStart = "${cfg.package}/bin/localtimed";
         Restart = "on-failure";
         Type = "exec";
         User = "localtimed";
@@ -48,7 +50,7 @@ in {
       partOf = [ "geoclue.service" ];
       after = [ "geoclue.service" ];
       serviceConfig = {
-        ExecStart = "${pkgs.geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/agent";
+        ExecStart = "${cfg.geoclue2Package}/libexec/geoclue-2.0/demos/agent";
         Restart = "on-failure";
         Type = "exec";
         User = "localtimed";
diff --git a/nixos/modules/services/torrent/rtorrent.nix b/nixos/modules/services/torrent/rtorrent.nix
index 009c2ffe0a5b0..e0ce33d13462e 100644
--- a/nixos/modules/services/torrent/rtorrent.nix
+++ b/nixos/modules/services/torrent/rtorrent.nix
@@ -8,6 +8,8 @@ let
   opt = options.services.rtorrent;
 
 in {
+  meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
   options.services.rtorrent = {
     enable = mkEnableOption "rtorrent";
 
@@ -202,7 +204,31 @@ in {
             ExecStartPre=''${pkgs.bash}/bin/bash -c "if test -e ${cfg.dataDir}/session/rtorrent.lock && test -z $(${pkgs.procps}/bin/pidof rtorrent); then rm -f ${cfg.dataDir}/session/rtorrent.lock; fi"'';
             ExecStart="${cfg.package}/bin/rtorrent -n -o system.daemon.set=true -o import=${rtorrentConfigFile}";
             RuntimeDirectory = "rtorrent";
-            RuntimeDirectoryMode = 755;
+            RuntimeDirectoryMode = 750;
+
+            CapabilityBoundingSet = [ "" ];
+            LockPersonality = true;
+            NoNewPrivileges = true;
+            PrivateDevices = true;
+            PrivateTmp = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            # If the default user is changed, there is a good chance that they
+            # want to store data in e.g.: $HOME directory
+            # Relax hardening in this case
+            ProtectHome = lib.mkIf (cfg.user == "rtorrent") true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectProc = "invisible";
+            ProtectSystem = "full";
+            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [ "@system-service" "~@privileged" ];
           };
         };
       };
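Review bot: `ProtectSystem = "full"` leaves `/var` and everything outside `/usr`, `/boot`, `/etc` writable, which is looser than the rest of this sandbox; if the reason is that `cfg.dataDir` may point anywhere, `ProtectSystem = "strict"` with `ReadWritePaths = [ cfg.dataDir ]` keeps the same flexibility with a read-only root. Either way the choice deserves a comment next to the `ProtectHome` one, e.g. `# "full" rather than "strict": cfg.dataDir is user-chosen and may live outside /var/lib`. `ProtectProc = "invisible"` also applies to the `ExecStartPre` lock check above, so `pidof rtorrent` will only see processes of the service user; that matches the stale-lock case this check exists for, but is worth stating in the comment so nobody "fixes" it later.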
diff --git a/nixos/modules/services/ttys/kmscon.nix b/nixos/modules/services/ttys/kmscon.nix
index 031c5bbb383e1..b8e9330498c0c 100644
--- a/nixos/modules/services/ttys/kmscon.nix
+++ b/nixos/modules/services/ttys/kmscon.nix
@@ -41,6 +41,12 @@ in {
           }; in nullOr (nonEmptyListOf fontType);
       };
 
+      useXkbConfig = mkOption {
+        description = "Configure keymap from xserver keyboard settings.";
+        type = types.bool;
+        default = false;
+      };
+
       extraConfig = mkOption {
         description = "Extra contents of the kmscon.conf file.";
         type = types.lines;
@@ -67,45 +73,39 @@ in {
   };
 
   config = mkIf cfg.enable {
-    # Largely copied from unit provided with kmscon source
-    systemd.units."kmsconvt@.service".text = ''
-      [Unit]
-      Description=KMS System Console on %I
-      Documentation=man:kmscon(1)
-      After=systemd-user-sessions.service
-      After=plymouth-quit-wait.service
-      After=systemd-logind.service
-      After=systemd-vconsole-setup.service
-      Requires=systemd-logind.service
-      Before=getty.target
-      Conflicts=getty@%i.service
-      OnFailure=getty@%i.service
-      IgnoreOnIsolate=yes
-      ConditionPathExists=/dev/tty0
-
-      [Service]
-      ExecStart=
-      ExecStart=${pkgs.kmscon}/bin/kmscon "--vt=%I" ${cfg.extraOptions} --seats=seat0 --no-switchvt --configdir ${configDir} --login -- ${pkgs.shadow}/bin/login -p ${autologinArg}
-      UtmpIdentifier=%I
-      TTYPath=/dev/%I
-      TTYReset=yes
-      TTYVHangup=yes
-      TTYVTDisallocate=yes
-
-      X-RestartIfChanged=false
-    '';
+    systemd.packages = [ pkgs.kmscon ];
+
+    systemd.services."kmsconvt@" = {
+      after = [ "systemd-logind.service" "systemd-vconsole-setup.service" ];
+      requires = [ "systemd-logind.service" ];
+
+      serviceConfig.ExecStart = [
+        ""
+        ''
+          ${pkgs.kmscon}/bin/kmscon "--vt=%I" ${cfg.extraOptions} --seats=seat0 --no-switchvt --configdir ${configDir} --login -- ${pkgs.shadow}/bin/login -p ${autologinArg}
+        ''
+      ];
+
+      restartIfChanged = false;
+      aliases = [ "autovt@.service" ];
+    };
 
     systemd.suppressedSystemUnits = [ "autovt@.service" ];
-    systemd.units."kmsconvt@.service".aliases = [ "autovt@.service" ];
 
     systemd.services.systemd-vconsole-setup.enable = false;
     systemd.services.reload-systemd-vconsole-setup.enable = false;
 
     services.kmscon.extraConfig =
       let
+        xkb = optionals cfg.useXkbConfig
+          lib.mapAttrsToList (n: v: "xkb-${n}=${v}") (
+            lib.filterAttrs
+              (n: v: builtins.elem n ["layout" "model" "options" "variant"] && v != "")
+              config.services.xserver.xkb
+          );
         render = optionals cfg.hwRender [ "drm" "hwaccel" ];
         fonts = optional (cfg.fonts != null) "font-name=${lib.concatMapStringsSep ", " (f: f.name) cfg.fonts}";
-      in lib.concatStringsSep "\n" (render ++ fonts);
+      in lib.concatStringsSep "\n" (xkb ++ render ++ fonts);
 
     hardware.graphics.enable = mkIf cfg.hwRender true;
 
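Review bot: The `xkb` binding applies `optionals` to four arguments: `optionals cfg.useXkbConfig lib.mapAttrsToList (n: v: ...) (...)` is parsed as `((optionals cfg.useXkbConfig lib.mapAttrsToList) (n: v: ...)) (...)`. With `useXkbConfig = true` this works by accident, because `optionals true f` returns `f` unchanged; with the default `false`, `optionals` returns `[]` and the next application is a call on a list, which should fail evaluation for every configuration that enables kmscon without setting the new option — worth confirming with the option left at its default. The list expression needs parentheses: `xkb = optionals cfg.useXkbConfig (lib.mapAttrsToList (n: v: "xkb-${n}=${v}") (` … `));`.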
diff --git a/nixos/modules/services/web-apps/audiobookshelf.nix b/nixos/modules/services/web-apps/audiobookshelf.nix
index 84dffc5f9d3c5..2f00c852ac8fe 100644
--- a/nixos/modules/services/web-apps/audiobookshelf.nix
+++ b/nixos/modules/services/web-apps/audiobookshelf.nix
@@ -8,7 +8,7 @@ in
 {
   options = {
     services.audiobookshelf = {
-      enable = mkEnableOption "Audiobookshelf, self-hosted audiobook and podcast server.";
+      enable = mkEnableOption "Audiobookshelf, self-hosted audiobook and podcast server";
 
       package = mkPackageOption pkgs "audiobookshelf" { };
 
diff --git a/nixos/modules/services/web-apps/code-server.nix b/nixos/modules/services/web-apps/code-server.nix
index abb5be50d353e..f94a1a8b53fa4 100644
--- a/nixos/modules/services/web-apps/code-server.nix
+++ b/nixos/modules/services/web-apps/code-server.nix
@@ -9,7 +9,7 @@ in {
     services.code-server = {
       enable = lib.mkEnableOption "code-server";
 
-      package = lib.mkPackageOptionMD pkgs "code-server" {
+      package = lib.mkPackageOption pkgs "code-server" {
         example = ''
           pkgs.vscode-with-extensions.override {
             vscode = pkgs.code-server;
diff --git a/nixos/modules/services/web-apps/healthchecks.nix b/nixos/modules/services/web-apps/healthchecks.nix
index 5562b37e502c6..c7db999a62c21 100644
--- a/nixos/modules/services/web-apps/healthchecks.nix
+++ b/nixos/modules/services/web-apps/healthchecks.nix
@@ -11,7 +11,7 @@ let
   environment = {
     PYTHONPATH = pkg.pythonPath;
     STATIC_ROOT = cfg.dataDir + "/static";
-  } // cfg.settings;
+  } // lib.filterAttrs (_: v: !builtins.isNull v) cfg.settings;
 
   environmentFile = pkgs.writeText "healthchecks-environment" (lib.generators.toKeyValue { } environment);
 
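Review bot: `builtins.isNull` is deprecated in the Nix language in favour of a plain comparison, and the negated form reads awkwardly in a filter predicate. The same filter written as `lib.filterAttrs (_: v: v != null) cfg.settings` says directly what is kept.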
@@ -21,6 +21,7 @@ let
       sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env --preserve-env=PYTHONPATH'
     fi
     export $(cat ${environmentFile} | xargs)
+    ${lib.optionalString (cfg.settingsFile != null) "export $(cat ${cfg.settingsFile} | xargs)"}
     $sudo ${pkg}/opt/healthchecks/manage.py "$@"
   '';
 in
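Review bot: The new `export $(cat ${cfg.settingsFile} | xargs)` parses the settings file by shell word-splitting, while the service unit in a later hunk reads the same file through `EnvironmentFile=`, which understands quoting, `#` comments and values containing spaces; a quoted or space-containing value is therefore read differently by the manage script and by the service. Since `settingsFile` is the place for values kept out of the store, it is also the place where such values are most likely to appear. Either document in the option description that the file must consist of plain `KEY=VALUE` lines without quotes or comments, or have both consumers use one parser. Note also that the `cat` runs before the `sudo` switch, so whoever invokes the wrapper must be able to read the file; with a root-owned 0600 secrets file that presumably only works when the wrapper is run as root.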
@@ -89,6 +90,12 @@ in
       '';
     };
 
+    settingsFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = opt.settings.description;
+    };
+
     settings = lib.mkOption {
       description = ''
         Environment variables which are read by healthchecks `(local)_settings.py`.
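Review bot: `settingsFile` reuses `opt.settings.description` (the `opt` binding is outside this hunk, presumably `options.services.healthchecks`), so its option page describes an attribute set although the option takes a file, and says nothing about why one would prefer the file. A dedicated description would help: `Path to a file with additional KEY=VALUE settings, read by systemd via EnvironmentFile. Use it for secrets so they do not end up in the world-readable Nix store; pass an absolute string path, since a path literal is copied into the store.`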
@@ -109,6 +116,8 @@ in
           have support for a `_FILE` variant, run:
           - `nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'`
           - or `nix eval 'nixpkgs#healthchecks.secrets'` if the flake support has been enabled.
+
+        If the same variable is set in both `settings` and `settingsFile` the value from `settingsFile` has priority.
       '';
       type = types.submodule (settings: {
         freeformType = types.attrsOf types.str;
@@ -121,8 +130,9 @@ in
           };
 
           SECRET_KEY_FILE = mkOption {
-            type = types.path;
+            type = types.nullOr types.path;
             description = "Path to a file containing the secret key.";
+            default = null;
           };
 
           DEBUG = mkOption {
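Review bot: Making `SECRET_KEY_FILE` nullable removes the only guarantee that a secret key is configured at all: with both `settings.SECRET_KEY_FILE` and `settingsFile` left at null, the service starts with whatever fallback the application applies when `SECRET_KEY` is absent (the upstream default is not visible from here, but a fixed or empty Django secret key is the failure mode to rule out). An assertion restores the previous guarantee: `{ assertion = cfg.settings.SECRET_KEY_FILE != null || cfg.settingsFile != null; message = "services.healthchecks: set settings.SECRET_KEY_FILE, or provide SECRET_KEY / SECRET_KEY_FILE via settingsFile"; }`. The enclosing `settings` submodule continues outside this hunk.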
@@ -186,7 +196,9 @@ in
           WorkingDirectory = cfg.dataDir;
           User = cfg.user;
           Group = cfg.group;
-          EnvironmentFile = [ environmentFile ];
+          EnvironmentFile = [
+            environmentFile
+          ] ++ lib.optional (cfg.settingsFile != null) cfg.settingsFile;
           StateDirectory = mkIf (cfg.dataDir == "/var/lib/healthchecks") "healthchecks";
           StateDirectoryMode = mkIf (cfg.dataDir == "/var/lib/healthchecks") "0750";
         };
diff --git a/nixos/modules/services/web-apps/invidious.nix b/nixos/modules/services/web-apps/invidious.nix
index f0e860383a62c..7997ea1f36308 100644
--- a/nixos/modules/services/web-apps/invidious.nix
+++ b/nixos/modules/services/web-apps/invidious.nix
@@ -390,7 +390,7 @@ in
         '';
       };
 
-      package = lib.mkPackageOptionMD pkgs "http3-ytproxy" { };
+      package = lib.mkPackageOption pkgs "http3-ytproxy" { };
     };
   };
 
diff --git a/nixos/modules/services/web-apps/jitsi-meet.nix b/nixos/modules/services/web-apps/jitsi-meet.nix
index 76753b89ec9ea..247b65c786636 100644
--- a/nixos/modules/services/web-apps/jitsi-meet.nix
+++ b/nixos/modules/services/web-apps/jitsi-meet.nix
@@ -170,7 +170,7 @@ in
       '';
     };
 
-    caddy.enable = mkEnableOption "Whether to enable caddy reverse proxy to expose jitsi-meet";
+    caddy.enable = mkEnableOption "caddy reverse proxy to expose jitsi-meet";
 
     prosody.enable = mkOption {
       type = bool;
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 36bae2575974e..5d429675bafcf 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -328,7 +328,7 @@ in
             };
 
             hostname = mkOption {
-              type = str;
+              type = nullOr str;
               example = "keycloak.example.com";
               description = ''
                 The hostname part of the public URL used as base for
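Review bot: The `hostname` description (it continues outside this hunk) should now say when `null` is acceptable: the assertion added later in this file only permits it when `hostname-strict` is explicitly `false`, in which case Keycloak resolves its hostname from incoming request headers, and the upstream documentation advises strict mode in production unless a reverse proxy validates the Host header. Suggested addition to the description: `Set to null only together with hostname-strict = false, which makes Keycloak derive the hostname from request headers; keep strict mode in production unless your proxy validates the Host header.`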
@@ -478,6 +478,10 @@ in
             message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";
           }
           {
+            assertion = cfg.settings.hostname != null || ! cfg.settings.hostname-strict or true;
+            message = "Setting the Keycloak hostname is required, see `services.keycloak.settings.hostname`";
+          }
+          {
             assertion = cfg.settings.hostname-url or null == null;
             message = ''
               The option `services.keycloak.settings.hostname-url' has been removed.
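Review bot: The new assertion `cfg.settings.hostname != null || ! cfg.settings.hostname-strict or true` depends on `or` binding tighter than `!`; that is how Nix parses it, so the logic is right, but the expression reads as if `or true` belonged to the whole negation. Parenthesising makes the intent explicit: `assertion = cfg.settings.hostname != null || !(cfg.settings.hostname-strict or true);`. The message could also name the alternative the assertion accepts: `Setting the Keycloak hostname is required unless hostname-strict is set to false, see services.keycloak.settings.hostname`.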
diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix
index cdd60f572b990..dbcd9eae2d29a 100644
--- a/nixos/modules/services/web-apps/limesurvey.nix
+++ b/nixos/modules/services/web-apps/limesurvey.nix
@@ -18,7 +18,15 @@ let
 
   limesurveyConfig = pkgs.writeText "config.php" ''
     <?php
-      return json_decode('${builtins.toJSON cfg.config}', true);
+      return \array_merge(
+        \json_decode('${builtins.toJSON cfg.config}', true),
+        [
+          'config' => [
+            'encryptionnonce' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_nonce')),
+            'encryptionsecretboxkey' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_key')),
+          ]
+        ]
+      );
     ?>
   '';
 
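Review bot: `\file_get_contents` returns `false` when `CREDENTIALS_DIRECTORY` is unset or the file is missing, and `\trim(false)` yields an empty string, so in that case the application receives an empty key and nonce with only a PHP warning instead of a hard failure; anything that loads this config outside the two units that set `CREDENTIALS_DIRECTORY` (a manual `php` invocation, for instance) would hit exactly this path. Read each file into a variable first and throw when the result is `=== false`, e.g. via a small closure used for both entries, so a missing credential stops startup rather than silently degrading encryption.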
@@ -35,8 +43,9 @@ in
     package = mkPackageOption pkgs "limesurvey" { };
 
     encryptionKey = mkOption {
-      type = types.str;
-      default = "E17687FC77CEE247F0E22BB3ECF27FDE8BEC310A892347EC13013ABA11AA7EB5";
+      type = types.nullOr types.str;
+      default = null;
+      visible = false;
       description = ''
         This is a 32-byte key used to encrypt variables in the database.
         You _must_ change this from the default value.
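Review bot: The `encryptionKey` description still says "You _must_ change this from the default value" although the default is now `null` and the option is hidden; it should state the option's new role instead. A value given here is written to the Nix store through the `pkgs.writeText` fallback in the `LoadCredential` entries further down, which makes it world-readable, and that is the reason users should move to `encryptionKeyFile`. Suggested wording: `Deprecated, use encryptionKeyFile instead. A key given here is copied into the world-readable Nix store.`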
@@ -44,14 +53,35 @@ in
     };
 
     encryptionNonce = mkOption {
-      type = types.str;
-      default = "1ACC8555619929DB91310BE848025A427B0F364A884FFA77";
+      type = types.nullOr types.str;
+      default = null;
+      visible = false;
       description = ''
         This is a 24-byte nonce used to encrypt variables in the database.
         You _must_ change this from the default value.
       '';
     };
 
+    encryptionKeyFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = ''
+        32-byte key used to encrypt variables in the database.
+
+        Note: It should be string not a store path in order to prevent the password from being world readable
+      '';
+    };
+
+    encryptionNonceFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = ''
+        24-byte used to encrypt variables in the database.
+
+        Note: It should be string not a store path in order to prevent the password from being world readable
+      '';
+    };
+
     database = {
       type = mkOption {
         type = types.enum [ "mysql" "pgsql" "odbc" "mssql" ];
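Review bot: The two new option descriptions have wording defects: `24-byte used to encrypt` should read `24-byte nonce used to encrypt`, and `It should be string not a store path in order to prevent the password from being world readable` would be clearer as `Pass this as a string, not a path literal: a path literal is copied into the world-readable Nix store.` (the option holds a key or nonce, not a password). It would also help to say what the file must contain, because the assertion messages later in the file speak of uppercase hex strings while these descriptions speak of raw byte lengths, and a user has no single place that states the expected format.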
@@ -183,6 +213,22 @@ in
       { assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
         message = "a password cannot be specified if services.limesurvey.database.createLocally is set to true";
       }
+      { assertion = cfg.encryptionKey != null || cfg.encryptionKeyFile != null;
+        message = ''
+          You must set `services.limesurvey.encryptionKeyFile` to a file containing a 32-character uppercase hex string.
+
+          If this message appears when updating your system, please turn off encryption
+          in the LimeSurvey interface and create backups before filling the key.
+        '';
+      }
+      { assertion = cfg.encryptionNonce != null || cfg.encryptionNonceFile != null;
+        message = ''
+          You must set `services.limesurvey.encryptionNonceFile` to a file containing a 24-character uppercase hex string.
+
+          If this message appears when updating your system, please turn off encryption
+          in the LimeSurvey interface and create backups before filling the nonce.
+        '';
+      }
     ];
 
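Review bot: The assertion messages ask for a "32-character" and a "24-character" uppercase hex string, but the option descriptions call these a 32-byte key and a 24-byte nonce, and the removed defaults in the earlier hunks were 64 and 48 hex characters long; one of the two statements is wrong, and a user who follows the message literally would produce material of half the length the descriptions imply. If the descriptions are right the messages should say `a 64-character uppercase hex string (32 bytes)` and `a 48-character uppercase hex string (24 bytes)`; if the messages are right, the descriptions need the same correction.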
     services.limesurvey.config = mapAttrs (name: mkDefault) {
@@ -204,8 +250,6 @@ in
       config = {
         tempdir = "${stateDir}/tmp";
         uploaddir = "${stateDir}/upload";
-        encryptionnonce = cfg.encryptionNonce;
-        encryptionsecretboxkey = cfg.encryptionKey;
         force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on";
         config.defaultlang = "en";
       };
@@ -229,11 +273,26 @@ in
       phpPackage = pkgs.php81;
       phpEnv.DBENGINE = "${cfg.database.dbEngine}";
       phpEnv.LIMESURVEY_CONFIG = "${limesurveyConfig}";
+      # App code cannot access credentials directly since the service starts
+      # with the root user so we copy the credentials to a place accessible to Limesurvey
+      phpEnv.CREDENTIALS_DIRECTORY = "${stateDir}/credentials";
       settings = {
         "listen.owner" = config.services.httpd.user;
         "listen.group" = config.services.httpd.group;
       } // cfg.poolConfig;
     };
+    systemd.services.phpfpm-limesurvey.serviceConfig = {
+      ExecStartPre = pkgs.writeShellScript "limesurvey-phpfpm-exec-pre" ''
+        cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_key "${stateDir}/credentials/encryption_key"
+        chown ${user}:${group} "${stateDir}/credentials/encryption_key"
+        cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_nonce "${stateDir}/credentials/encryption_nonce"
+        chown ${user}:${group} "${stateDir}/credentials/encryption_nonce"
+      '';
+      LoadCredential = [
+        "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}"
+        "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}"
+      ];
+    };
 
     services.httpd = {
       enable = true;
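Review bot: The `encryption_nonce` credential falls back to `pkgs.writeText "nonce" cfg.encryptionKey`, so a configuration that still uses the legacy `encryptionNonce` option loads the key's value as the nonce; the same copy-paste is in the oneshot unit's `LoadCredential` list later in this file. Both should read `"encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionNonce}"`. Separately, `ExecStartPre` copies the secrets out of systemd's per-service credential directory into persistent state and only `chown`s them; an explicit `chmod 0400` next to each `chown` would make the copy's permissions independent of the mode `cp` happens to inherit from the source.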
@@ -277,6 +336,7 @@ in
       "d ${stateDir}/tmp/assets 0750 ${user} ${group} - -"
       "d ${stateDir}/tmp/runtime 0750 ${user} ${group} - -"
       "d ${stateDir}/tmp/upload 0750 ${user} ${group} - -"
+      "d ${stateDir}/credentials 0700 ${user} ${group} - -"
       "C ${stateDir}/upload 0750 ${user} ${group} - ${cfg.package}/share/limesurvey/upload"
     ];
 
@@ -295,6 +355,10 @@ in
         User = user;
         Group = group;
         Type = "oneshot";
+        LoadCredential = [
+          "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}"
+          "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}"
+        ];
       };
     };
 
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index f4560ed64bb4f..bfb3e73e65102 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -300,7 +300,7 @@ in {
     package = mkOption {
       type = types.package;
       description = "Which package to use for the Nextcloud instance.";
-      relatedPackages = [ "nextcloud26" "nextcloud27" "nextcloud28" ];
+      relatedPackages = [ "nextcloud28" "nextcloud29" ];
     };
     phpPackage = mkPackageOption pkgs "php" {
       example = "php82";
@@ -489,7 +489,7 @@ in {
             implementation into the virtual filesystem.
 
             Further details about this feature can be found in the
-            [upstream documentation](https://docs.nextcloud.com/server/22/admin_manual/configuration_files/primary_storage.html).
+            [upstream documentation](https://docs.nextcloud.com/server/22/admin_manual/configuration_files/primary_storage.html)
           '';
           bucket = mkOption {
             type = types.str;
@@ -591,7 +591,7 @@ in {
         This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF).
         You may want to disable it for increased security. In that case, previews will still be available
         for some images (e.g. JPEG and PNG).
-        See <https://github.com/nextcloud/server/issues/13099>.
+        See <https://github.com/nextcloud/server/issues/13099>
     '' // {
       default = true;
     };
@@ -861,8 +861,6 @@ in {
               nextcloud defined in an overlay, please set `services.nextcloud.package` to
               `pkgs.nextcloud`.
             ''
-          else if versionOlder stateVersion "23.05" then nextcloud25
-          else if versionOlder stateVersion "23.11" then nextcloud26
           else if versionOlder stateVersion "24.05" then nextcloud27
           else nextcloud29
         );
diff --git a/nixos/modules/services/web-apps/peering-manager.nix b/nixos/modules/services/web-apps/peering-manager.nix
index c85cb76e5ea11..acdc393745293 100644
--- a/nixos/modules/services/web-apps/peering-manager.nix
+++ b/nixos/modules/services/web-apps/peering-manager.nix
@@ -16,6 +16,8 @@ let
       ln -s ${configFile} $out/opt/peering-manager/peering_manager/configuration.py
     '' + lib.optionalString cfg.enableLdap ''
       ln -s ${cfg.ldapConfigPath} $out/opt/peering-manager/peering_manager/ldap_config.py
+    '' + lib.optionalString cfg.enableOidc ''
+      ln -s ${cfg.oidcConfigPath} $out/opt/peering-manager/peering_manager/oidc_config.py
     '';
   })).override {
     inherit (cfg) plugins;
@@ -139,6 +141,24 @@ in {
         See the [documentation](https://peering-manager.readthedocs.io/en/stable/setup/6-ldap/#configuration) for possible options.
       '';
     };
+
+    enableOidc = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable OIDC-Authentication for Peering Manager.
+
+        This requires a configuration file being pass through `oidcConfigPath`.
+      '';
+    };
+
+    oidcConfigPath = mkOption {
+      type = types.path;
+      description = ''
+        Path to the Configuration-File for OIDC-Authentication, will be loaded as `oidc_config.py`.
+        See the [documentation](https://peering-manager.readthedocs.io/en/stable/setup/6b-oidc/#configuration) for possible options.
+      '';
+    };
   };
 
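Review bot: The `oidcConfigPath` description should warn about where the file ends up: the option is `types.path`, and a path literal such as `./oidc_config.py` is copied into the world-readable Nix store, which matters because an OIDC configuration for mozilla-django-oidc typically carries the client secret. Suggested addition: `Pass an absolute string path outside the Nix store; a path literal would be copied into the store and become world-readable.` (the same presumably applies to `ldapConfigPath`, whose definition is outside this hunk). Two wording fixes as well: `a configuration file being pass through` → `a configuration file to be passed through`, and `Path to the Configuration-File for OIDC-Authentication` → `Path to the configuration file for OIDC authentication`.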
   config = lib.mkIf cfg.enable {
@@ -173,7 +193,10 @@ in {
           PEERINGDB_API_KEY = file.readline()
       '';
 
-      plugins = lib.mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]);
+      plugins = (ps:
+        (lib.optionals cfg.enableLdap [ ps.django-auth-ldap ]) ++
+        (lib.optionals cfg.enableOidc (with ps; [ mozilla-django-oidc pyopenssl josepy ]))
+      );
     };
 
     system.build.peeringManagerPkg = pkg;
diff --git a/nixos/modules/services/web-apps/pretalx.nix b/nixos/modules/services/web-apps/pretalx.nix
index 1411d11982c87..2280d9165b40b 100644
--- a/nixos/modules/services/web-apps/pretalx.nix
+++ b/nixos/modules/services/web-apps/pretalx.nix
@@ -35,7 +35,7 @@ in
   options.services.pretalx = {
     enable = lib.mkEnableOption "pretalx";
 
-    package = lib.mkPackageOptionMD pkgs "pretalx" {};
+    package = lib.mkPackageOption pkgs "pretalx" {};
 
     group = lib.mkOption {
       type = lib.types.str;
diff --git a/nixos/modules/services/web-apps/pretix.nix b/nixos/modules/services/web-apps/pretix.nix
index 9786b61160260..0fb635964fe65 100644
--- a/nixos/modules/services/web-apps/pretix.nix
+++ b/nixos/modules/services/web-apps/pretix.nix
@@ -63,7 +63,7 @@ in
   };
 
   options.services.pretix = {
-    enable = mkEnableOption "Pretix, a ticket shop application for conferences, festivals, concerts, etc.";
+    enable = mkEnableOption "Pretix, a ticket shop application for conferences, festivals, concerts, etc";
 
     package = mkPackageOption pkgs "pretix" { };
 
diff --git a/nixos/modules/services/web-apps/silverbullet.nix b/nixos/modules/services/web-apps/silverbullet.nix
index c316d074cbaab..a6a830e674b49 100644
--- a/nixos/modules/services/web-apps/silverbullet.nix
+++ b/nixos/modules/services/web-apps/silverbullet.nix
@@ -12,9 +12,9 @@ in
 {
   options = {
     services.silverbullet = {
-      enable = lib.mkEnableOption "Silverbullet, an open-source, self-hosted, offline-capable Personal Knowledge Management (PKM) web application.";
+      enable = lib.mkEnableOption "Silverbullet, an open-source, self-hosted, offline-capable Personal Knowledge Management (PKM) web application";
 
-      package = lib.mkPackageOptionMD pkgs "silverbullet" { };
+      package = lib.mkPackageOption pkgs "silverbullet" { };
 
       openFirewall = lib.mkOption {
         type = lib.types.bool;
diff --git a/nixos/modules/services/web-apps/slskd.nix b/nixos/modules/services/web-apps/slskd.nix
index 6254fe294eeed..7d4bc66c73998 100644
--- a/nixos/modules/services/web-apps/slskd.nix
+++ b/nixos/modules/services/web-apps/slskd.nix
@@ -7,7 +7,7 @@ in {
   options.services.slskd = with lib; with types; {
     enable = mkEnableOption "slskd";
 
-    package = mkPackageOptionMD pkgs "slskd" { };
+    package = mkPackageOption pkgs "slskd" { };
 
     user = mkOption {
       type = types.str;
diff --git a/nixos/modules/services/web-apps/suwayomi-server.nix b/nixos/modules/services/web-apps/suwayomi-server.nix
index 5b61852a534dc..caa091685d2fb 100644
--- a/nixos/modules/services/web-apps/suwayomi-server.nix
+++ b/nixos/modules/services/web-apps/suwayomi-server.nix
@@ -9,9 +9,9 @@ in
 {
   options = {
     services.suwayomi-server = {
-      enable = mkEnableOption "Suwayomi, a free and open source manga reader server that runs extensions built for Tachiyomi.";
+      enable = mkEnableOption "Suwayomi, a free and open source manga reader server that runs extensions built for Tachiyomi";
 
-      package = lib.mkPackageOptionMD pkgs "suwayomi-server" { };
+      package = lib.mkPackageOption pkgs "suwayomi-server" { };
 
       dataDir = mkOption {
         type = types.path;
@@ -72,7 +72,7 @@ in
               };
 
               basicAuthEnabled = mkEnableOption ''
-                Add basic access authentication to Suwayomi-Server.
+                basic access authentication for Suwayomi-Server.
                 Enabling this option is useful when hosting on a public network/the Internet
               '';
 
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index f9720c3629353..b5ff630a4d484 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -1086,9 +1086,9 @@ in
         '';
         description = "Declarative vhost config";
       };
-      validateConfigFile = lib.mkEnableOption ''
-        Validate configuration with pkgs.writeNginxConfig.
-      '' // { default = true; };
+      validateConfigFile = lib.mkEnableOption "validating configuration with pkgs.writeNginxConfig" // {
+        default = true;
+      };
     };
   };
 
diff --git a/nixos/modules/services/web-servers/tomcat.nix b/nixos/modules/services/web-servers/tomcat.nix
index e243778cc747c..1c5a9af5c9245 100644
--- a/nixos/modules/services/web-servers/tomcat.nix
+++ b/nixos/modules/services/web-servers/tomcat.nix
@@ -21,6 +21,14 @@ in
         example = "tomcat10";
       };
 
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 8080;
+        description = ''
+          The TCP port Tomcat should listen on.
+        '';
+      };
+
       purifyOnStart = lib.mkOption {
         type = lib.types.bool;
         default = false;
@@ -244,8 +252,12 @@ in
             hostElementsString = lib.concatMapStringsSep "\n" hostElementForVirtualHost cfg.virtualHosts;
             hostElementsSedString = lib.replaceStrings ["\n"] ["\\\n"] hostElementsString;
           in ''
-            # Create a modified server.xml which also includes all virtual hosts
-            sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\\"${lib.escapeShellArg hostElementsSedString} \
+            # Create a modified server.xml which listens on the given port,
+            # and also includes all virtual hosts.
+            # The host modification must be last here,
+            # else if hostElementsSedString is empty sed gets confused as to what to append
+            sed -e 's/<Connector port="8080"/<Connector port="${toString cfg.port}"/' \
+                -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\\"${lib.escapeShellArg hostElementsSedString} \
                   ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml
           ''
         }
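Review bot: The new `sed` expression only matches the literal `<Connector port="8080"` as it appears in the server.xml shipped with the tomcat package; if upstream changes attribute order or quoting, the substitution silently matches nothing and Tomcat keeps listening on 8080 while the module believes it configured `cfg.port`. A comment stating that dependency, plus a check after the `sed` such as `grep -q 'port="${toString cfg.port}"' ${cfg.baseDir}/conf/server.xml || { echo "tomcat: could not set connector port in server.xml" >&2; exit 1; }`, would turn that silent mismatch into a visible start-up failure. The enclosing preStart script continues outside the hunk.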
diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix
index 2e0eef67c0b3e..fa67441e7ac49 100644
--- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix
+++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix
@@ -229,7 +229,6 @@ in
     })
 
     (mkIf serviceCfg.apps.enable {
-      programs.geary.enable = mkDefault (notExcluded pkgs.gnome.geary);
       programs.gnome-disks.enable = mkDefault (notExcluded pkgs.gnome.gnome-disk-utility);
       programs.gnome-terminal.enable = mkDefault (notExcluded pkgs.gnome.gnome-terminal);
       programs.file-roller.enable = mkDefault (notExcluded pkgs.gnome.file-roller);
@@ -247,7 +246,6 @@ in
         pix
 
         # external apps shipped with linux-mint
-        hexchat
         gnome-calculator
         gnome-calendar
         gnome-screenshot
diff --git a/nixos/modules/services/x11/desktop-managers/deepin.nix b/nixos/modules/services/x11/desktop-managers/deepin.nix
index 30bd14adb4192..1151178a8824e 100644
--- a/nixos/modules/services/x11/desktop-managers/deepin.nix
+++ b/nixos/modules/services/x11/desktop-managers/deepin.nix
@@ -53,6 +53,7 @@ in
       services.deepin.dde-daemon.enable = mkForce true;
       services.deepin.dde-api.enable = mkForce true;
       services.deepin.app-services.enable = mkForce true;
+      services.deepin.deepin-anything.enable = mkDefault true;
 
       services.colord.enable = mkDefault true;
       services.accounts-daemon.enable = mkDefault true;
@@ -98,11 +99,12 @@ in
         "/share/dsg"
         "/share/deepin-themes"
         "/share/deepin"
+        "/share/dde-shell"
       ];
 
       environment.etc = {
         "deepin-installer.conf".text = ''
-          system_info_vendor_name="Copyright (c) 2003-2023 NixOS contributors"
+          system_info_vendor_name="Copyright (c) 2003-2024 NixOS contributors"
         '';
       };
 
@@ -140,8 +142,10 @@ in
             dtkwidget
             dtkdeclarative
             qt5platform-plugins
+            qt6platform-plugins
+            qt5integration
+            qt6integration
             deepin-pw-check
-            deepin-turbo
 
             dde-account-faces
             deepin-icon-theme
@@ -152,7 +156,9 @@ in
             deepin-desktop-base
 
             startdde
+            # TODO: should remove dde-dock, but dde-shell still need it's dconfig
             dde-dock
+            dde-shell
             dde-launchpad
             dde-session-ui
             dde-session-shell
@@ -171,6 +177,7 @@ in
             dde-appearance
             dde-application-manager
             deepin-service-manager
+            dde-grand-search
           ];
           optionalPackages = [
             onboard # dde-dock plugin
@@ -194,7 +201,7 @@ in
         ++ utils.removePackagesByName optionalPackages config.environment.deepin.excludePackages;
 
       services.dbus.packages = with pkgs.deepin; [
-        dde-dock
+        dde-shell
         dde-launchpad
         dde-session-ui
         dde-session-shell
@@ -209,9 +216,11 @@ in
         dde-appearance
         dde-application-manager
         deepin-service-manager
+        dde-grand-search
       ];
 
       systemd.packages = with pkgs.deepin; [
+        dde-shell
         dde-launchpad
         dde-file-manager
         dde-calendar
diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix
index 69a83ecb72065..aee2f5b35db2e 100644
--- a/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -165,6 +165,7 @@ in
     services.tumbler.enable = true;
     services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true));
     services.libinput.enable = mkDefault true; # used in xfce4-settings-manager
+    services.colord.enable = mkDefault true;
 
     # Enable default programs
     programs.dconf.enable = true;
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 107a2f1647925..51ab08e74f864 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -321,6 +321,22 @@ in
         session   include       login
       '';
 
+      login.fprintAuth = mkIf config.services.fprintd.enable false;
+      gdm-fingerprint.text = mkIf config.services.fprintd.enable ''
+        auth       required                    pam_shells.so
+        auth       requisite                   pam_nologin.so
+        auth       requisite                   pam_faillock.so      preauth
+        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
+        auth       optional                    pam_permit.so
+        auth       required                    pam_env.so
+        auth       [success=ok default=1]      ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
+
+        account    include                     login
+
+        password   required                    pam_deny.so
+
+        session    include                     login
+      '';
     };
 
   };
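Review bot: The `gdm-fingerprint` stack has `pam_faillock.so preauth` but no matching `pam_faillock.so authfail` after `pam_fprintd.so` (and no `authsucc`), so failed fingerprint attempts are never recorded and the preauth lockout check is effectively inert for this service. The usual layout is `auth [default=die] pam_faillock.so authfail` directly after the authenticating module, with the tally reset either by `auth sufficient pam_faillock.so authsucc` or by a `pam_faillock.so` entry in the account phase — whether the included `login` account stack provides that is not visible from this hunk. `login.fprintAuth = ... false` would also benefit from a one-line comment, presumably along the lines of `# fingerprint is handled by the gdm-fingerprint service; avoid prompting twice` — confirm the intent.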
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index d1cd601c2d9b1..cbeec4588f593 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -150,9 +150,13 @@ in
         HostKey ${initrdKeyPath path}
       '')}
 
-      KexAlgorithms ${concatStringsSep "," sshdCfg.settings.KexAlgorithms}
-      Ciphers ${concatStringsSep "," sshdCfg.settings.Ciphers}
-      MACs ${concatStringsSep "," sshdCfg.settings.Macs}
+      '' + lib.optionalString (sshdCfg.settings.KexAlgorithms != null) ''
+        KexAlgorithms ${concatStringsSep "," sshdCfg.settings.KexAlgorithms}
+      '' + lib.optionalString (sshdCfg.settings.Ciphers != null) ''
+        Ciphers ${concatStringsSep "," sshdCfg.settings.Ciphers}
+      '' + lib.optionalString (sshdCfg.settings.Macs != null) ''
+        MACs ${concatStringsSep "," sshdCfg.settings.Macs}
+      '' + ''
 
       LogLevel ${sshdCfg.settings.LogLevel}
 
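Review bot: The three new `optionalString` guards change what a `null` setting means for the initrd sshd — the directive is omitted and sshd's compiled-in algorithm defaults apply — and nothing in the file says so; a reader cannot tell whether `null` is "unset" or "inherit from the stage-2 sshd". A comment above the block would settle it: `# A null setting emits no directive; the initrd sshd then uses OpenSSH's built-in defaults for that list.` The surrounding string concatenation starts before this hunk.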
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 14a4ab596b52c..76a6751b05708 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -489,7 +489,7 @@ in
     system.nssModules = [ cfg.package.out ];
     system.nssDatabases = {
       hosts = (mkMerge [
-        (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd)
+        (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is 501)
         (mkOrder 999 ["myhostname"]) # after files (which is 998), but before regular nss modules
       ]);
       passwd = (mkMerge [
diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix
index 80ca69e495e9d..87932075f3679 100644
--- a/nixos/modules/system/etc/etc.nix
+++ b/nixos/modules/system/etc/etc.nix
@@ -64,14 +64,6 @@ let
 
   etcHardlinks = filter (f: f.mode != "symlink" && f.mode != "direct-symlink") etc';
 
-  build-composefs-dump = pkgs.runCommand "build-composefs-dump.py"
-    {
-      buildInputs = [ pkgs.python3 ];
-    } ''
-    install ${./build-composefs-dump.py} $out
-    patchShebangs --host $out
-  '';
-
 in
 
 {
@@ -295,10 +287,12 @@ in
     system.build.etcMetadataImage =
       let
         etcJson = pkgs.writeText "etc-json" (builtins.toJSON etc');
-        etcDump = pkgs.runCommand "etc-dump" { } "${build-composefs-dump} ${etcJson} > $out";
+        etcDump = pkgs.runCommand "etc-dump" { } ''
+          ${lib.getExe pkgs.buildPackages.python3} ${./build-composefs-dump.py} ${etcJson} > $out
+        '';
       in
       pkgs.runCommand "etc-metadata.erofs" {
-        nativeBuildInputs = [ pkgs.composefs pkgs.erofs-utils ];
+        nativeBuildInputs = with pkgs.buildPackages; [ composefs erofs-utils ];
       } ''
         mkcomposefs --from-file ${etcDump} $out
         fsck.erofs $out
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index 2b365bc555855..00b6b28eb6537 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -57,12 +57,12 @@ in
   options.testing = {
 
     initrdBackdoor = lib.mkEnableOption ''
-      enable backdoor.service in initrd. Requires
+      backdoor.service in initrd. Requires
       boot.initrd.systemd.enable to be enabled. Boot will pause in
       stage 1 at initrd.target, and will listen for commands from the
       Machine python interface, just like stage 2 normally does. This
       enables commands to be sent to test and debug stage 1. Use
-      machine.switch_root() to leave stage 1 and proceed to stage 2.
+      machine.switch_root() to leave stage 1 and proceed to stage 2
     '';
 
   };
diff --git a/nixos/modules/virtualisation/incus.nix b/nixos/modules/virtualisation/incus.nix
index 87568390bd3b8..2b69a7a076585 100644
--- a/nixos/modules/virtualisation/incus.nix
+++ b/nixos/modules/virtualisation/incus.nix
@@ -149,7 +149,7 @@ in
 
         Users in the "incus-admin" group can interact with
         the daemon (e.g. to start or stop containers) using the
-        {command}`incus` command line tool, among others.
+        {command}`incus` command line tool, among others
       '';
 
       package = lib.mkPackageOption pkgs "incus-lts" { };
diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix
index 226ece8176708..72c2a2ef5551c 100644
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@@ -332,6 +332,14 @@ in
         libvirt NSS module options.
       '';
     };
+
+    sshProxy = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Weither to configure OpenSSH to use the [SSH Proxy](https://libvirt.org/ssh-proxy.html).
+      '';
+    };
   };
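Review bot: The description of `sshProxy` has a typo (`Weither`) and says neither that the option is on by default nor that, as far as I can tell from the `programs.ssh.extraConfig` use further down, it edits the host-wide ssh client configuration that every user's `ssh` reads. An admin who has not heard of libvirt's SSH proxy has no way to know their global `ssh_config` now includes a snippet from the libvirt package. I'd change the description to `Whether to configure OpenSSH to use the [SSH Proxy](https://libvirt.org/ssh-proxy.html). Enabled by default; this includes libvirt's snippet in the system-wide ssh client configuration for all users.`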
 
 
@@ -382,6 +390,10 @@ in
       source = "${cfg.qemu.package}/libexec/qemu-bridge-helper";
     };
 
+    programs.ssh.extraConfig = mkIf cfg.sshProxy ''
+      Include ${cfg.package}/etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf
+    '';
+
     systemd.packages = [ cfg.package ];
 
     systemd.services.libvirtd-config = {
@@ -533,9 +545,10 @@ in
     };
 
     system.nssModules = optional (cfg.nss.enable or cfg.nss.enableGuest) cfg.package;
-    system.nssDatabases.hosts = builtins.concatLists [
-      (optional cfg.nss.enable "libvirt")
-      (optional cfg.nss.enableGuest "libvirt_guest")
+    system.nssDatabases.hosts = mkMerge [
+      # ensure that the NSS modules come between mymachines (which is 400) and resolve (which is 501)
+      (mkIf cfg.nss.enable (mkOrder 430 [ "libvirt" ]))
+      (mkIf cfg.nss.enableGuest (mkOrder 432 [ "libvirt_guest" ]))
     ];
   };
 }
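Review bot: Moving `libvirt`/`libvirt_guest` to priority 430/432 places them ahead of `files` (998) as well as `resolve` (501), whereas the previous plain list, if I read the default module priority correctly, landed after both; the new comment only mentions the resolve side. As I understand the libvirt NSS modules, they answer from guest lease data, so after this change a name a guest presents to the host (via its DHCP request, in the `libvirt_guest` case) can shadow an `/etc/hosts` entry and DNS on the host. That may be exactly what `nss.enableGuest` users want, but it is a trust-boundary change worth recording: `# 430/432: before resolve (501) and files (998), so names from guest leases win over /etc/hosts and DNS on the host`.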
diff --git a/nixos/modules/virtualisation/multipass.nix b/nixos/modules/virtualisation/multipass.nix
index 7918a716a870b..8a55282c88d8c 100644
--- a/nixos/modules/virtualisation/multipass.nix
+++ b/nixos/modules/virtualisation/multipass.nix
@@ -10,9 +10,7 @@ in
 {
   options = {
     virtualisation.multipass = {
-      enable = lib.mkEnableOption ''
-        Multipass, a simple manager for virtualised Ubuntu instances.
-      '';
+      enable = lib.mkEnableOption "Multipass, a simple manager for virtualised Ubuntu instances";
 
       logLevel = lib.mkOption {
         type = lib.types.enum [ "error" "warning" "info" "debug" "trace" ];
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 3b81cfaf2b8ca..d1dc6404d4f51 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -900,7 +900,7 @@ in
     };
 
     virtualisation.tpm = {
-      enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm.";
+      enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm";
 
       package = mkPackageOption cfg.host.pkgs "swtpm" { };
 
diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix
index a34fe132ba7e1..4808652a542ad 100644
--- a/nixos/modules/virtualisation/virtualbox-host.nix
+++ b/nixos/modules/virtualisation/virtualbox-host.nix
@@ -89,7 +89,7 @@ in
         Enable KVM support for VirtualBox. This increases compatibility with Linux kernel versions, because the VirtualBox kernel modules
         are not required.
 
-        This option is incompatible with `enableHardening` and `addNetworkInterface`.
+        This option is incompatible with `addNetworkInterface`.
 
         Note: This is experimental. Please check https://github.com/cyberus-technology/virtualbox-kvm/issues.
       '';
@@ -136,18 +136,6 @@ in
         assertion = !cfg.addNetworkInterface;
         message = "VirtualBox KVM only supports standard NAT networking for VMs. Please turn off virtualisation.virtualbox.host.addNetworkInterface.";
       }
-
-      {
-        assertion = !cfg.enableHardening;
-        message = "VirtualBox KVM is not compatible with hardening: Please turn off virtualisation.virtualbox.host.enableHardening.";
-      }
-    ];
-
-    warnings = [
-      ''
-        KVM support in VirtualBox is experimental. Not all security features are available yet.
-        See: https://github.com/cyberus-technology/virtualbox-kvm/issues/12
-      ''
     ];
   }) (mkIf (!cfg.enableKvm) {
     boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
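Review bot: Dropping the `!cfg.enableHardening` assertion and the "not all security features are available" warning leaves nothing in this hunk showing that hardening is actually applied when `enableKvm` is set; the hardening-related configuration appears to live in the `mkIf (!cfg.enableKvm)` branch that begins on the last line here and continues outside the hunk. If that branch still owns the setuid wrapper and related checks, `enableKvm = true; enableHardening = true;` now evaluates silently but yields an unhardened install. Either the commit needs a matching change in the KVM branch, or the `enableKvm` description should say what hardening means under KVM, e.g. `enableHardening is honoured with KVM as well` — only if that is true. The removed warning was also the only pointer to the upstream issue tracking this; I'd keep that link in the option description until the item is closed.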