Diffstat (limited to 'nixos/modules')
21 files changed, 374 insertions, 65 deletions
diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix
index 2a25f8e564684..26323e14b9017 100644
--- a/nixos/modules/misc/documentation.nix
+++ b/nixos/modules/misc/documentation.nix
@@ -101,6 +101,7 @@ let
 libPath = filter (pkgs.path + "/lib");
 pkgsLibPath = filter (pkgs.path + "/pkgs/pkgs-lib");
 nixosPath = filter (pkgs.path + "/nixos");
+ NIX_ABORT_ON_WARN = warningsAreErrors;
 modules = "[ " + concatMapStringsSep " " (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 29c373788c1fe..511d991e919cd 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1012,6 +1012,7 @@
 ./services/networking/icecream/daemon.nix
 ./services/networking/icecream/scheduler.nix
 ./services/networking/imaginary.nix
+ ./services/networking/inadyn.nix
 ./services/networking/inspircd.nix
 ./services/networking/iodine.nix
 ./services/networking/iperf3.nix
diff --git a/nixos/modules/programs/fcast-receiver.nix b/nixos/modules/programs/fcast-receiver.nix
index 8da07a66e2223..2e4e6bf8b242a 100644
--- a/nixos/modules/programs/fcast-receiver.nix
+++ b/nixos/modules/programs/fcast-receiver.nix
@@ -11,11 +11,11 @@ in
 };
 options.programs.fcast-receiver = {
- enable = mkEnableOption (lib.mdDoc "FCast Receiver");
+ enable = mkEnableOption "FCast Receiver";
 openFirewall = mkOption {
 type = types.bool;
 default = false;
- description = lib.mdDoc ''
+ description = ''
 Open ports needed for the functionality of the program.
 '';
 };
diff --git a/nixos/modules/programs/fzf.nix b/nixos/modules/programs/fzf.nix
index 0e7e519f0436d..66ad7d418de68 100644
--- a/nixos/modules/programs/fzf.nix
+++ b/nixos/modules/programs/fzf.nix
@@ -15,11 +15,12 @@ in
 environment.systemPackages = lib.mkIf (cfg.keybindings || cfg.fuzzyCompletion) [ pkgs.fzf ];
 programs = {
- bash.interactiveShellInit = lib.optionalString cfg.fuzzyCompletion ''
+ # load after programs.bash.enableCompletion
+ bash.promptPluginInit = lib.mkAfter (lib.optionalString cfg.fuzzyCompletion ''
 source ${pkgs.fzf}/share/fzf/completion.bash
 '' + lib.optionalString cfg.keybindings ''
 source ${pkgs.fzf}/share/fzf/key-bindings.bash
- '';
+ '');
 zsh = {
 interactiveShellInit = lib.optionalString (!config.programs.zsh.ohMyZsh.enable)
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index 7fb75f42db1f8..e755b5f0ee534 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -200,7 +200,8 @@ in
 unitConfig.DefaultDependencies = false;
 script = ''
 if test -f "${cfg.secretKeyFile}"; then
- mkdir -m 0755 -p /etc/duo
+ mkdir -p /etc/duo
+ chmod 0755 /etc/duo
 umask 0077
 conf="$(mktemp)"
@@ -222,7 +223,8 @@ in
 unitConfig.DefaultDependencies = false;
 script = ''
 if test -f "${cfg.secretKeyFile}"; then
- mkdir -m 0755 -p /etc/duo
+ mkdir -p /etc/duo
+ chmod 0755 /etc/duo
 umask 0077
 conf="$(mktemp)"
diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index 4499532ace897..dfbdff7fb0113 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -7,7 +7,7 @@ let
 fpm = config.services.phpfpm.pools.roundcube;
 localDB = cfg.database.host == "localhost";
 user = cfg.database.username;
- phpWithPspell = pkgs.php81.withExtensions ({ enabled, all }: [ all.pspell ] ++ enabled);
+ phpWithPspell = pkgs.php83.withExtensions ({ enabled, all }: [ all.pspell ] ++ enabled);
 in
 {
 options.services.roundcube = {
diff --git a/nixos/modules/services/misc/greenclip.nix b/nixos/modules/services/misc/greenclip.nix
index 9d1483a5a047a..d92cd1854877f 100644
--- a/nixos/modules/services/misc/greenclip.nix
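Review bot: The `mkdir -p /etc/duo` / `chmod 0755 /etc/duo` prologue now appears twice, here and in the second hunk at line 222, in two scripts that are character-for-character identical in the visible context; lift the shared part into a `let`-bound string (or a small function of the config file name) so the two services cannot drift apart on the next fix of this kind. `chmod 0755` also runs unconditionally on every start, which is what repairs an already-existing directory that `mkdir -m` would have left alone; a one-line comment above it, `# mkdir -m only applies on creation; fix the mode of a pre-existing directory too`, would keep a later reader from reverting to the shorter form. Both scripts continue outside the hunks.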
+++ b/nixos/modules/services/misc/greenclip.nix
@@ -18,7 +18,10 @@ in {
 description = "greenclip daemon";
 wantedBy = [ "graphical-session.target" ];
 after = [ "graphical-session.target" ];
- serviceConfig.ExecStart = "${cfg.package}/bin/greenclip daemon";
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/greenclip daemon";
+ Restart = "always";
+ };
 };
 environment.systemPackages = [ cfg.package ];
diff --git a/nixos/modules/services/networking/firewall-nftables.nix b/nixos/modules/services/networking/firewall-nftables.nix
index de336113843ef..a5ee7efc3c324 100644
--- a/nixos/modules/services/networking/firewall-nftables.nix
+++ b/nixos/modules/services/networking/firewall-nftables.nix
@@ -45,6 +45,18 @@ in
 This option only works with the nftables based firewall.
 '';
 };
+
+ extraReversePathFilterRules = mkOption {
+ type = types.lines;
+ default = "";
+ example = "fib daddr . mark . iif type local accept";
+ description = ''
+ Additional nftables rules to be appended to the rpfilter-allow
+ chain.
+
+ This option only works with the nftables based firewall.
+ '';
+ };
 };
 };
@@ -79,6 +91,8 @@ in
 meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
 fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept
+ jump rpfilter-allow
+
 ${optionalString cfg.logReversePathDrops ''
 log level info prefix "rpfilter drop: "
 ''}
@@ -86,6 +100,10 @@ in
 }
 ''}
+ chain rpfilter-allow {
+ ${cfg.extraReversePathFilterRules}
+ }
+
 chain input {
 type filter hook input priority filter; policy drop;
diff --git a/nixos/modules/services/networking/inadyn.nix b/nixos/modules/services/networking/inadyn.nix
new file mode 100644
index 0000000000000..baa4302096c2c
--- /dev/null
+++ b/nixos/modules/services/networking/inadyn.nix
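Review bot: `Restart = "always";` is added without a `RestartSec`, so a greenclip that exits immediately (for example while the graphical session has no usable display yet) is restarted at systemd's default 100 ms interval and quickly trips the start-rate limit, after which the unit stays failed until someone restarts it by hand. Add a back-off alongside it, `RestartSec = 5;`, and consider `Restart = "on-failure";` if a clean exit by the user should be respected. The enclosing service definition starts outside the hunk.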
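Review bot: The `extraReversePathFilterRules` description does not say what the second and third hunks make true: `jump rpfilter-allow` is placed before the rpfilter `log`/drop, so any rule in this chain that `accept`s a packet exempts it from the reverse-path check entirely, a deliberate weakening of anti-spoofing that the option text should spell out, e.g. `Rules placed here run before the reverse-path drop; a rule that accepts a packet exempts it from the check.`. The chain itself is emitted after the `''}` that closes the rpfilter block, so it always exists, but it is only jumped to from inside that block, which appears to be wrapped in an `optionalString`; if so, the option is silently a no-op unless reverse-path checking is enabled, and the description (or an assertion) should say that too. "Appended to the rpfilter-allow chain" is also slightly off, since the chain contains nothing else; "placed in" describes it better.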
@@ -0,0 +1,250 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.inadyn;
+
+ # check if a value of an attrset is not null or an empty collection
+ nonEmptyValue = _: v: v != null && v != [ ] && v != { };
+
+ renderOption = k: v:
+ if builtins.elem k [ "provider" "custom" ] then
+ lib.concatStringsSep "\n"
+ (mapAttrsToList
+ (name: config: ''
+ ${k} ${name} {
+ ${lib.concatStringsSep "\n " (mapAttrsToList renderOption (filterAttrs nonEmptyValue config))}
+ }'')
+ v)
+ else if k == "include" then
+ "${k}(\"${v}\")"
+ else if k == "hostname" && builtins.isList v then
+ "${k} = { ${builtins.concatStringsSep ", " (map (s: "\"${s}\"") v)} }"
+ else if builtins.isBool v then
+ "${k} = ${boolToString v}"
+ else if builtins.isString v then
+ "${k} = \"${v}\""
+ else
+ "${k} = ${toString v}";
+
+ configFile' = pkgs.writeText "inadyn.conf"
+ ''
+ # This file was generated by nix
+ # do not edit
+
+ ${(lib.concatStringsSep "\n" (mapAttrsToList renderOption (filterAttrs nonEmptyValue cfg.settings)))}
+ '';
+
+ configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
+in
+{
+ options.services.inadyn = with types;
+ let
+ providerOptions =
+ {
+ include = mkOption {
+ default = null;
+ description = "File to include additional settings for this provider from.";
+ type = nullOr path;
+ };
+ ssl = mkOption {
+ default = true;
+ description = "Whether to use HTTPS for this DDNS provider.";
+ type = bool;
+ };
+ username = mkOption {
+ default = null;
+ description = "Username for this DDNS provider.";
+ type = nullOr str;
+ };
+ password = mkOption {
+ default = null;
+ description = ''
+ Password for this DDNS provider.
+
+ WARNING: This will be world-readable in the nix store.
+ To store credentials securely, use the `include` or `configFile` options.
+ '';
+ type = nullOr str;
+ };
+ hostname = mkOption {
+ default = "*";
+ example = "your.cool-domain.com";
+ description = "Hostname alias(es).";
+ type = either str (listOf str);
+ };
+ };
+ in
+ {
+ enable = mkEnableOption (''
+ synchronise your machine's IP address with a dynamic DNS provider using inadyn
+ '');
+ user = mkOption {
+ default = "inadyn";
+ type = types.str;
+ description = ''
+ User account under which inadyn runs.
+
+ ::: {.note}
+ If left as the default value this user will automatically be created
+ on system activation, otherwise you are responsible for
+ ensuring the user exists before the inadyn service starts.
+ :::
+ '';
+ };
+ group = mkOption {
+ default = "inadyn";
+ type = types.str;
+ description = ''
+ Group account under which inadyn runs.
+
+ ::: {.note}
+ If left as the default value this user will automatically be created
+ on system activation, otherwise you are responsible for
+ ensuring the user exists before the inadyn service starts.
+ :::
+ '';
+ };
+ interval = mkOption {
+ default = "*-*-* *:*:00";
+ description = ''
+ How often to check the current IP.
+ Uses the format described in {manpage}`systemd.time(7)`";
+ '';
+ type = str;
+ };
+ logLevel = lib.mkOption {
+ type = lib.types.enum [ "none" "err" "warning" "info" "notice" "debug" ];
+ default = "notice";
+ description = "Set inadyn's log level.";
+ };
+ settings = mkOption {
+ default = { };
+ description = "See `inadyn.conf (5)`";
+ type = submodule {
+ freeformType = attrs;
+ options = {
+ allow-ipv6 = mkOption {
+ default = config.networking.enableIPv6;
+ defaultText = "`config.networking.enableIPv6`";
+ description = "Whether to get IPv6 addresses from interfaces.";
+ type = bool;
+ };
+ forced-update = mkOption {
+ default = 2592000;
+ description = "Duration (in seconds) after which an update is forced.";
+ type = ints.positive;
+ };
+ provider = mkOption {
+ default = { };
+ description = ''
+ Settings for DDNS providers built-in to inadyn.
+
+ For a list of built-in providers, see `inadyn.conf (5)`.
+ '';
+ type = attrsOf (submodule {
+ freeformType = attrs;
+ options = providerOptions;
+ });
+ };
+ custom = mkOption {
+ default = { };
+ description = ''
+ Settings for custom DNS providers.
+ '';
+ type = attrsOf (submodule {
+ freeformType = attrs;
+ options = providerOptions // {
+ ddns-server = mkOption {
+ description = "DDNS server name.";
+ type = str;
+ };
+ ddns-path = mkOption {
+ description = ''
+ DDNS server path.
+
+ See `inadnyn.conf (5)` for a list for format specifiers that can be used.
+ '';
+ example = "/update?user=%u&password=%p&domain=%h&myip=%i";
+ type = str;
+ };
+ };
+ });
+ };
+ };
+ };
+ };
+ configFile = mkOption {
+ default = null;
+ description = ''
+ Configuration file for inadyn.
+
+ Setting this will override all other configuration options.
+
+ Passed to the inadyn service using LoadCredential.
+ '';
+ type = nullOr path;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd = {
+ services.inadyn = {
+ description = "Update nameservers using inadyn";
+ documentation = [
+ "man:inadyn"
+ "man:inadyn.conf"
+ "file:${pkgs.inadyn}/share/doc/inadyn/README.md"
+ ];
+ requires = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ startAt = cfg.interval;
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = ''${lib.getExe pkgs.inadyn} -f ${configFile} --cache-dir ''${CACHE_DIRECTORY}/inadyn -1 --foreground -l ${cfg.logLevel}'';
+ LoadCredential = "config:${configFile}";
+ CacheDirectory = "inadyn";
+
+ User = cfg.user;
+ Group = cfg.group;
+ UMask = "0177";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = "@system-service";
+ CapabilityBoundingSet = "";
+ };
+ };
+
+ timers.inadyn.timerConfig.Persistent = true;
+ };
+
+ users.users.inadyn = mkIf (cfg.user == "inadyn") {
+ group = cfg.group;
+ isSystemUser = true;
+ };
+
+ users.groups = mkIf (cfg.group == "inadyn") {
+ inadyn = { };
+ };
+ };
+}
diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix
index c9dd1d1b0f01f..435cd530c18d4 100644
--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@@ -124,11 +124,20 @@ let
 fi
 ''}
+ # ensure wpa_supplicant.conf exists, or the daemon will fail to start
+ ${optionalString cfg.allowAuxiliaryImperativeNetworks ''
+ touch /etc/wpa_supplicant.conf
+ ''}
+
 # substitute environment variables
 if [ -f "${configFile}" ]; then
 ${pkgs.gawk}/bin/awk '{
- for(varname in ENVIRON)
- gsub("@"varname"@", ENVIRON[varname])
+ for(varname in ENVIRON) {
+ find = "@"varname"@"
+ repl = ENVIRON[varname]
+ if (i = index($0, find))
+ $0 = substr($0, 1, i-1) repl substr($0, i+length(find))
+ }
 print
 }' "${configFile}" > "${finalConfig}"
 else
diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix
index abf1ce9ba0200..d2992a196bf87 100644
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
@@ -47,6 +47,7 @@ let
 reverse-proxy = reverseProxy;
 proxy-prefix = proxyPrefix;
 profile-url = profileURL;
+ oidc-issuer-url = oidcIssuerUrl;
 redeem-url = redeemURL;
 redirect-url = redirectURL;
 request-logging = requestLogging;
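Review bot: `LoadCredential = "config:${configFile}";` loads the configuration as a systemd credential, but `ExecStart` still passes `-f ${configFile}`, so inadyn opens the original path itself as `cfg.user` under `ProtectSystem = "strict"`, `ProtectHome` and `PrivateUsers`, the credential copy is never read, and a `configFile` outside the store that only root can read is likely to fail to open even though the option text promises LoadCredential. Point the flag at the loaded copy instead: `ExecStart = ''${lib.getExe pkgs.inadyn} -f ''${CREDENTIALS_DIRECTORY}/config --cache-dir ''${CACHE_DIRECTORY}/inadyn -1 --foreground -l ${cfg.logLevel}'';`. `requires = [ "network-online.target" ];` has no matching `after`, so nothing orders the first run after the network is up; add `after = [ "network-online.target" ];`. `renderOption` emits string values as `"${k} = \"${v}\""` without escaping embedded quotes or backslashes, so a password containing `"` yields an unparseable file; escape or reject such values. Two documentation slips: the `interval` description ends its manpage reference with a stray `"`, and `ddns-path` spells the manual `inadnyn.conf`.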
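Review bot: The new awk loop replaces only the first occurrence of each `@VAR@` on a line: `index` runs once and `substr` splices a single match, so a second reference to the same variable on one line is left as a literal placeholder in the generated config. Scan forward past each inserted value instead of stopping after the first hit (sketch below); this keeps what the change presumably set out to gain over `gsub`, that `&` and backslashes in a value are no longer interpreted. Separately, the added `touch /etc/wpa_supplicant.conf` creates the file with the script's umask, typically 0644, and this is the file imperatively added networks, PSKs included, are saved into; whether the daemon later rewrites it with a different mode is not visible here, so create it restrictively, `[ -e /etc/wpa_supplicant.conf ] || install -m 0600 /dev/null /etc/wpa_supplicant.conf`. The preStart script continues outside the hunk.
```nix
for(varname in ENVIRON) {
  find = "@"varname"@"
  repl = ENVIRON[varname]
  out = ""
  while (i = index($0, find)) {
    out = out substr($0, 1, i-1) repl
    $0 = substr($0, i+length(find))
  }
  $0 = out $0
}
```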
@@ -131,6 +132,15 @@ in
 example = "123456.apps.googleusercontent.com";
 };
+ oidcIssuerUrl = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ The OAuth issuer URL.
+ '';
+ example = "https://login.microsoftonline.com/{TENANT_ID}/v2.0";
+ };
+
 clientSecret = mkOption {
 type = types.nullOr types.str;
 description = ''
diff --git a/nixos/modules/services/system/earlyoom.nix b/nixos/modules/services/system/earlyoom.nix
index bcdf7d6512d5a..7e012dee02cbf 100644
--- a/nixos/modules/services/system/earlyoom.nix
+++ b/nixos/modules/services/system/earlyoom.nix
@@ -4,15 +4,29 @@ let
 cfg = config.services.earlyoom;
 inherit (lib)
- mkDefault mkEnableOption mkIf mkOption types
- mkRemovedOptionModule literalExpression
- escapeShellArg concatStringsSep optional optionalString;
-
+ concatStringsSep
+ escapeShellArg
+ literalExpression
+ mkDefault
+ mkEnableOption
+ mkIf
+ mkOption
+ mkPackageOption
+ mkRemovedOptionModule
+ optionalString
+ optionals
+ types;
 in
 {
+ meta = {
+ maintainers = with lib.maintainers; [ AndersonTorres ];
+ };
+
 options.services.earlyoom = {
 enable = mkEnableOption "early out of memory killing";
+ package = mkPackageOption pkgs "earlyoom" { };
+
 freeMemThreshold = mkOption {
 type = types.ints.between 1 100;
 default = 10;
@@ -138,22 +152,21 @@ in
 systemd.services.earlyoom = {
 description = "Early OOM Daemon for Linux";
 wantedBy = [ "multi-user.target" ];
- path = optional cfg.enableNotifications pkgs.dbus;
+ path = optionals cfg.enableNotifications [ pkgs.dbus ];
 serviceConfig = {
 StandardError = "journal";
 ExecStart = concatStringsSep " " ([
- "${pkgs.earlyoom}/bin/earlyoom"
+ "${lib.getExe cfg.package}"
 ("-m ${toString cfg.freeMemThreshold}"
- + optionalString (cfg.freeMemKillThreshold != null) ",${toString cfg.freeMemKillThreshold}")
+ + optionalString (cfg.freeMemKillThreshold != null) ",${toString cfg.freeMemKillThreshold}")
 ("-s ${toString cfg.freeSwapThreshold}"
- + optionalString (cfg.freeSwapKillThreshold != null) ",${toString cfg.freeSwapKillThreshold}")
+ + optionalString (cfg.freeSwapKillThreshold != null) ",${toString cfg.freeSwapKillThreshold}")
 "-r ${toString cfg.reportInterval}"
 ]
- ++ optional cfg.enableDebugInfo "-d"
- ++ optional cfg.enableNotifications "-n"
- ++ optional (cfg.killHook != null) "-N ${escapeShellArg cfg.killHook}"
- ++ cfg.extraArgs
- );
+ ++ optionals cfg.enableDebugInfo [ "-d" ]
+ ++ optionals cfg.enableNotifications [ "-n" ]
+ ++ optionals (cfg.killHook != null) [ "-N ${escapeShellArg cfg.killHook}" ]
+ ++ cfg.extraArgs);
 };
 };
 };
diff --git a/nixos/modules/services/web-apps/coder.nix b/nixos/modules/services/web-apps/coder.nix
index 318a7c8fc1357..d4a5b7b2b89cd 100644
--- a/nixos/modules/services/web-apps/coder.nix
+++ b/nixos/modules/services/web-apps/coder.nix
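Review bot: `"${lib.getExe cfg.package}"` reaches into `lib.` directly while the first hunk of this file rewrites the `inherit (lib)` list precisely so that every helper is named once at the top; add `getExe` to that list and write `"${getExe cfg.package}"` so the file keeps a single convention. `literalExpression` is kept in the new inherit list; if nothing else in the file still uses it, drop it there as well. The `ExecStart` list is otherwise a mechanical `optional` to `optionals` rewrite and reads fine.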
@@ -169,7 +169,7 @@ in {
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
- environment = config.environment.extra // {
+ environment = cfg.environment.extra // {
 CODER_ACCESS_URL = cfg.accessUrl;
 CODER_WILDCARD_ACCESS_URL = cfg.wildcardAccessUrl;
 CODER_PG_CONNECTION_URL = "user=${cfg.database.username} ${optionalString (cfg.database.password != null) "password=${cfg.database.password}"} database=${cfg.database.database} host=${cfg.database.host} ${optionalString (cfg.database.sslmode != null) "sslmode=${cfg.database.sslmode}"}";
diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix
index 0d0361584c3a0..cdd60f572b990 100644
--- a/nixos/modules/services/web-apps/limesurvey.nix
+++ b/nixos/modules/services/web-apps/limesurvey.nix
@@ -2,7 +2,7 @@
 let
- inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption;
+ inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption mkPackageOption;
 inherit (lib) literalExpression mapAttrs optional optionalString types;
 cfg = config.services.limesurvey;
@@ -12,8 +12,6 @@ let
 group = config.services.httpd.group;
 stateDir = "/var/lib/limesurvey";
- pkg = pkgs.limesurvey;
-
 configType = with types; oneOf [ (attrsOf configType) str int bool ] // {
 description = "limesurvey config type (str, int, bool or attribute set thereof)";
 };
@@ -34,6 +32,8 @@ in
 options.services.limesurvey = {
 enable = mkEnableOption "Limesurvey web application";
+ package = mkPackageOption pkgs "limesurvey" { };
+
 encryptionKey = mkOption {
 type = types.str;
 default = "E17687FC77CEE247F0E22BB3ECF27FDE8BEC310A892347EC13013ABA11AA7EB5";
@@ -240,7 +240,7 @@ in
 adminAddr = mkDefault cfg.virtualHost.adminAddr;
 extraModules = [ "proxy_fcgi" ];
 virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost {
- documentRoot = mkForce "${pkg}/share/limesurvey";
+ documentRoot = mkForce "${cfg.package}/share/limesurvey";
 extraConfig = ''
 Alias "/tmp" "${stateDir}/tmp"
 <Directory "${stateDir}">
@@ -256,7 +256,7 @@ in
 Options -Indexes
 </Directory>
- <Directory "${pkg}/share/limesurvey">
+ <Directory "${cfg.package}/share/limesurvey">
 <FilesMatch "\.php$">
 <If "-f %{REQUEST_FILENAME}">
 SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
@@ -277,7 +277,7 @@ in
 "d ${stateDir}/tmp/assets 0750 ${user} ${group} - -"
 "d ${stateDir}/tmp/runtime 0750 ${user} ${group} - -"
 "d ${stateDir}/tmp/upload 0750 ${user} ${group} - -"
- "C ${stateDir}/upload 0750 ${user} ${group} - ${pkg}/share/limesurvey/upload"
+ "C ${stateDir}/upload 0750 ${user} ${group} - ${cfg.package}/share/limesurvey/upload"
 ];
 systemd.services.limesurvey-init = {
@@ -288,8 +288,8 @@ in
 environment.LIMESURVEY_CONFIG = limesurveyConfig;
 script = ''
 # update or install the database as required
- ${pkgs.php81}/bin/php ${pkg}/share/limesurvey/application/commands/console.php updatedb || \
- ${pkgs.php81}/bin/php ${pkg}/share/limesurvey/application/commands/console.php install admin password admin admin@example.com verbose
+ ${pkgs.php81}/bin/php ${cfg.package}/share/limesurvey/application/commands/console.php updatedb || \
+ ${pkgs.php81}/bin/php ${cfg.package}/share/limesurvey/application/commands/console.php install admin password admin admin@example.com verbose
 '';
 serviceConfig = {
 User = user;
diff --git a/nixos/modules/services/web-apps/mediawiki.nix b/nixos/modules/services/web-apps/mediawiki.nix
index 7246fd93a2314..b11626ec2dc3b 100644
--- a/nixos/modules/services/web-apps/mediawiki.nix
+++ b/nixos/modules/services/web-apps/mediawiki.nix
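Review bot: `${pkgs.php81}/bin/php` stays hard-coded in the `limesurvey-init` script (last hunk) while the application tree now comes from `cfg.package`; a user who points `package` at a LimeSurvey built against a different PHP gets the database migration run by one interpreter and extension set and the pages served by another. Derive the interpreter from the package where it exposes the PHP it was built with, or at least state in the new `package` option's description that the package is expected to be built with PHP 8.1 so the mismatch is a documented limit rather than a surprise. The init service definition continues outside the hunk.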
@@ -246,7 +246,9 @@ in
 passwordFile = mkOption {
 type = types.path;
- description = "A file containing the initial password for the admin user.";
+ description = ''
+ A file containing the initial password for the administrator account "admin".
+ '';
 example = "/run/keys/mediawiki-password";
 };
diff --git a/nixos/modules/services/web-apps/pretalx.nix b/nixos/modules/services/web-apps/pretalx.nix
index e80eedf9f8590..b062a8b7eeeac 100644
--- a/nixos/modules/services/web-apps/pretalx.nix
+++ b/nixos/modules/services/web-apps/pretalx.nix
@@ -286,16 +286,16 @@ in
 virtualHosts.${cfg.nginx.domain} = {
 # https://docs.pretalx.org/administrator/installation.html#step-7-ssl
 extraConfig = ''
- more_set_headers Referrer-Policy same-origin;
- more_set_headers X-Content-Type-Options nosniff;
+ more_set_headers "Referrer-Policy: same-origin";
+ more_set_headers "X-Content-Type-Options: nosniff";
 '';
 locations = {
 "/".proxyPass = "http://pretalx";
 "/media/" = {
- alias = "${cfg.settings.filesystem.data}/data/media/";
+ alias = "${cfg.settings.filesystem.data}/media/";
 extraConfig = ''
 access_log off;
- more_set_headers Content-Disposition 'attachment; filename="$1"';
+ more_set_headers 'Content-Disposition: attachment; filename="$1"';
 expires 7d;
 '';
 };
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 40470f535bf61..337d53e869efe 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
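Review bot: `more_set_headers 'Content-Disposition: attachment; filename="$1"';` relies on `$1`, but `"/media/"` is a prefix location, not a regex, so unless a capture group is bound somewhere outside the hunk `$1` expands to nothing and every download is served as `filename=""`. Either drop the `filename=` parameter, letting the browser derive the name from the URL, or make sure a regex location that actually binds `$1` is in scope and say so in a comment. The `locations` attribute set continues outside the hunk.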
@@ -829,7 +829,7 @@ in
 sslCiphers = mkOption {
 type = types.nullOr types.str;
 # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
- default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
 description = "Ciphers to choose from when negotiating TLS handshakes.";
 };
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index aea6855f91c50..c82924763d5e8 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -595,18 +595,17 @@ in
 };
 systemd.units =
- mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit n v)) cfg.paths
- // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
- // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit n v)) cfg.slices
- // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.sockets
- // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit n v)) cfg.targets
- // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit n v)) cfg.timers
- // listToAttrs (map
- (v: let n = escapeSystemdPath v.where;
- in nameValuePair "${n}.mount" (mountToUnit n v)) cfg.mounts)
- // listToAttrs (map
- (v: let n = escapeSystemdPath v.where;
- in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts);
+ let
+ withName = cfgToUnit: cfg: lib.nameValuePair cfg.name (cfgToUnit cfg);
+ in
+ mapAttrs' (_: withName pathToUnit) cfg.paths
+ // mapAttrs' (_: withName serviceToUnit) cfg.services
+ // mapAttrs' (_: withName sliceToUnit) cfg.slices
+ // mapAttrs' (_: withName socketToUnit) cfg.sockets
+ // mapAttrs' (_: withName targetToUnit) cfg.targets
+ // mapAttrs' (_: withName timerToUnit) cfg.timers
+ // listToAttrs (map (withName mountToUnit) cfg.mounts)
+ // listToAttrs (map (withName automountToUnit) cfg.automounts);
 # Environment of PID 1
 systemd.managerEnvironment = {
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 00441b693d670..cc32b2a15e7ce 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
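Review bot: `withName = cfgToUnit: cfg: lib.nameValuePair cfg.name (cfgToUnit cfg);` names its parameter `cfg`, shadowing the module-level `cfg` that the very next lines read (`cfg.paths`, `cfg.services`, …); it only works because the lambda body never touches the outer binding, and the next reader has to check that. Rename it, `withName = toUnit: unit: lib.nameValuePair unit.name (toUnit unit);`. The helper also depends on every unit config carrying a `name` that already includes its type suffix, which is defined outside this hunk; a one-line comment above `withName` saying so, `# unit.name already carries the ".service"/".mount" suffix`, would make the simplification self-explanatory. The initrd.nix and user.nix hunks keep building names as `"${n}.service"` by hand while only dropping the `n` argument; reusing the same helper there would leave one way of deriving a unit name instead of two.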
@@ -490,18 +490,18 @@ in {
 targets.initrd.aliases = ["default.target"];
 units =
- mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit n v)) cfg.paths
- // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
- // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit n v)) cfg.slices
- // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.sockets
- // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit n v)) cfg.targets
- // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit n v)) cfg.timers
+ mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit v)) cfg.paths
+ // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit v)) cfg.services
+ // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit v)) cfg.slices
+ // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit v)) cfg.sockets
+ // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit v)) cfg.targets
+ // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit v)) cfg.timers
 // listToAttrs (map
 (v: let n = escapeSystemdPath v.where;
- in nameValuePair "${n}.mount" (mountToUnit n v)) cfg.mounts)
+ in nameValuePair "${n}.mount" (mountToUnit v)) cfg.mounts)
 // listToAttrs (map
 (v: let n = escapeSystemdPath v.where;
- in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts);
+ in nameValuePair "${n}.automount" (automountToUnit v)) cfg.automounts);
 # make sure all the /dev nodes are set up
 services.systemd-tmpfiles-setup-dev.wantedBy = ["sysinit.target"];
diff --git a/nixos/modules/system/boot/systemd/user.nix b/nixos/modules/system/boot/systemd/user.nix
index 4c7b51ee22b74..2685cf7e283a2 100644
--- a/nixos/modules/system/boot/systemd/user.nix
+++ b/nixos/modules/system/boot/systemd/user.nix
@@ -175,12 +175,12 @@ in {
 };
 systemd.user.units =
- mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit n v)) cfg.paths
- // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
- // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit n v)) cfg.slices
- // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.sockets
- // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit n v)) cfg.targets
- // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit n v)) cfg.timers;
+ mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit v)) cfg.paths
+ // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit v)) cfg.services
+ // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit v)) cfg.slices
+ // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit v)) cfg.sockets
+ // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit v)) cfg.targets
+ // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit v)) cfg.timers;
 # Generate timer units for all services that have a ‘startAt’ value.
 systemd.user.timers =
diff --git a/nixos/modules/virtualisation/digital-ocean-config.nix b/nixos/modules/virtualisation/digital-ocean-config.nix
index 2d5bc0661d48d..4ef2b85551c66 100644
--- a/nixos/modules/virtualisation/digital-ocean-config.nix
+++ b/nixos/modules/virtualisation/digital-ocean-config.nix
@@ -41,7 +41,7 @@ with lib;
 kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
 initrd.kernelModules = [ "virtio_scsi" ];
 kernelModules = [ "virtio_pci" "virtio_net" ];
- loader.grub.devices = lib.mkDefault ["/dev/vda"];
+ loader.grub.devices = ["/dev/vda"];
 };
 services.openssh = {
 enable = mkDefault true; |
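Review bot: Dropping `lib.mkDefault` turns `loader.grub.devices = ["/dev/vda"];` into an ordinary definition, so any other module or user configuration that also sets `boot.loader.grub.devices` now produces a conflicting-definitions error instead of overriding the image default; if the aim is only to win over other profiles' `mkDefault` values, keep an explicit priority between them and a plain definition, `loader.grub.devices = lib.mkOverride 900 ["/dev/vda"];`. If the value really must be pinned for this image, a comment on the line saying why (and that `mkForce` is the escape hatch) would stop the next contributor from putting `mkDefault` back. The `services.openssh` block continues outside the hunk.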