Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/config/no-x-libs.nix2
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/kubeswitch.nix18
-rw-r--r--nixos/modules/services/databases/postgresql.md21
-rw-r--r--nixos/modules/services/desktop-managers/plasma6.nix1
-rw-r--r--nixos/modules/services/games/archisteamfarm.nix2
-rw-r--r--nixos/modules/services/mail/postsrsd.nix9
-rw-r--r--nixos/modules/services/misc/amazon-ssm-agent.nix8
-rw-r--r--nixos/modules/services/misc/anki-sync-server.md2
-rw-r--r--nixos/modules/services/search/qdrant.nix1
-rw-r--r--nixos/modules/services/security/oauth2-proxy-nginx.nix1
-rw-r--r--nixos/modules/services/security/oauth2-proxy.nix4
-rw-r--r--nixos/modules/services/security/vaultwarden/default.nix47
-rw-r--r--nixos/modules/services/torrent/flood.nix85
-rw-r--r--nixos/modules/services/web-apps/akkoma.nix2
-rw-r--r--nixos/modules/services/web-apps/firefly-iii.nix3
-rw-r--r--nixos/modules/services/web-apps/freshrss.nix4
-rw-r--r--nixos/modules/services/web-apps/invoiceplane.nix4
-rw-r--r--nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix2
-rw-r--r--nixos/modules/services/web-apps/pretix.nix4
-rw-r--r--nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix6
21 files changed, 177 insertions, 50 deletions
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
index 87b6fea92ba4a..930e57dbde5bb 100644
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@@ -39,7 +39,7 @@ with lib;
       # dep of graphviz, libXpm is optional for Xpm support
       gd = super.gd.override { withXorg = false; };
       ghostscript = super.ghostscript.override { cupsSupport = false; x11Support = false; };
-      gjs = super.gjs.overrideAttrs { doCheck = false; installTests = false; }; # avoid test dependency on gtk3
+      gjs = (super.gjs.override { installTests = false; }).overrideAttrs { doCheck = false; }; # avoid test dependency on gtk3
       gobject-introspection = super.gobject-introspection.override { x11Support = false; };
       gpg-tui = super.gpg-tui.override { x11Support = false; };
       gpsd = super.gpsd.override { guiSupport = false; };
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b20e98a9f229b..a008c3c5bdeae 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1316,6 +1316,7 @@
   ./services/system/zram-generator.nix
   ./services/torrent/deluge.nix
   ./services/torrent/flexget.nix
+  ./services/torrent/flood.nix
   ./services/torrent/magnetico.nix
   ./services/torrent/opentracker.nix
   ./services/torrent/peerflix.nix
diff --git a/nixos/modules/programs/kubeswitch.nix b/nixos/modules/programs/kubeswitch.nix
index 304df48e3c11a..9348540022f23 100644
--- a/nixos/modules/programs/kubeswitch.nix
+++ b/nixos/modules/programs/kubeswitch.nix
@@ -29,17 +29,13 @@ in
 
   config =
     let
-      shell_files = pkgs.stdenv.mkDerivation rec {
-        name = "kubeswitch-shell-files";
-        phases = [ "installPhase" ];
-        installPhase = ''
-          mkdir -p $out/share
-          for shell in bash zsh; do
-            ${cfg.package}/bin/switcher init $shell | sed 's/switch(/${cfg.commandName}(/' > $out/share/${cfg.commandName}_init.$shell
-            ${cfg.package}/bin/switcher --cmd ${cfg.commandName} completion $shell > $out/share/${cfg.commandName}_completion.$shell
-          done
-        '';
-      };
+      shell_files = pkgs.runCommand "kubeswitch-shell-files" {} ''
+        mkdir -p $out/share
+        for shell in bash zsh; do
+          ${cfg.package}/bin/switcher init $shell | sed 's/switch(/${cfg.commandName}(/' > $out/share/${cfg.commandName}_init.$shell
+          ${cfg.package}/bin/switcher --cmd ${cfg.commandName} completion $shell > $out/share/${cfg.commandName}_completion.$shell
+        done
+      '';
     in
     lib.mkIf cfg.enable {
       environment.systemPackages = [ cfg.package ];
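Review bot: `cfg.commandName` is interpolated unescaped into both the sed replacement and the shell command line of the new runCommand script, so a name containing `/`, `&` or shell metacharacters breaks the build or the generated init file (this was already true of the removed mkDerivation, but the rewrite is the place to fix it). The simplest fix is at the option: `type = lib.types.strMatching "[A-Za-z_][A-Za-z0-9_]*";` rejects anything that is not a plain identifier and covers the output file names too; failing that, pass `--cmd ${lib.escapeShellArg cfg.commandName}` and escape the sed pattern separately. The `config` let-binding continues past the hunk.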
diff --git a/nixos/modules/services/databases/postgresql.md b/nixos/modules/services/databases/postgresql.md
index 8a587832cd8c0..e76f127335c7b 100644
--- a/nixos/modules/services/databases/postgresql.md
+++ b/nixos/modules/services/databases/postgresql.md
@@ -244,6 +244,27 @@ The upgrade process is:
      $ ./delete_old_cluster.sh
      ```
 
+## Versioning and End-of-Life {#module-services-postgres-versioning}
+
+PostgreSQL's versioning policy is described [here](https://www.postgresql.org/support/versioning/). TLDR:
+
+- Each major version is supported for 5 years.
+- Every three months there will be a new minor release, containing bug and security fixes.
+- For criticial/security fixes there could be more minor releases inbetween. This happens *very* infrequently.
+- After five years, a final minor version is released. This usually happens in early November.
+- After that a version is considered end-of-life (EOL).
+- Around February each year is the first time an EOL-release will not have received regular updates anymore.
+
+Technically, we'd not want to have EOL'ed packages in a stable NixOS release, which is to be supported until one month after the previous release. Thus, with NixOS' release schedule in May and November, the oldest PostgreSQL version in nixpkgs would have to be supported until December. It could be argued that a soon-to-be-EOL-ed version should thus be removed in May for the .05 release already. But since new security vulnerabilities are first disclosed in Februrary of the following year, we agreed on keeping the oldest PostgreSQL major version around one more cycle in [#310580](https://github.com/NixOS/nixpkgs/pull/310580#discussion_r1597284693).
+
+Thus:
+- In September/October the new major version will be released and added to nixos-unstable.
+- In November the last minor version for the oldest major will be released.
+- Both the current stable .05 release and nixos-unstable should be updated to the latest minor.
+- In November, before branch-off for the .11 release, the EOL-ed major will be removed from nixos-unstable.
+
+This leaves a small gap of a couple of weeks after the latest minor release and the end of our support window for the .05 release, in which there could be an emergency release to other major versions of PostgreSQL - but not the oldest major we have in that branch. In that case: If we can't trivially patch the issue, we will mark the package/version as insecure **immediately**.
+
 ## Options {#module-services-postgres-options}
 
 A complete list of options for the PostgreSQL module may be found [here](#opt-services.postgresql.enable).
diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix
index 5bae328accde6..d4f961254f028 100644
--- a/nixos/modules/services/desktop-managers/plasma6.nix
+++ b/nixos/modules/services/desktop-managers/plasma6.nix
@@ -146,6 +146,7 @@ in {
         dolphin-plugins
         spectacle
         ffmpegthumbs
+        krdp
       ];
     in
       requiredPackages
diff --git a/nixos/modules/services/games/archisteamfarm.nix b/nixos/modules/services/games/archisteamfarm.nix
index c9c41d6f4eb5e..7062332db34ab 100644
--- a/nixos/modules/services/games/archisteamfarm.nix
+++ b/nixos/modules/services/games/archisteamfarm.nix
@@ -196,7 +196,7 @@ in
             Group = "archisteamfarm";
             WorkingDirectory = cfg.dataDir;
             Type = "simple";
-            ExecStart = "${lib.getExe cfg.package} --no-restart --process-required --service --system-required --path ${cfg.dataDir}";
+            ExecStart = "${lib.getExe cfg.package} --no-restart --service --system-required --path ${cfg.dataDir}";
             Restart = "always";
 
             # copied from the default systemd service at
diff --git a/nixos/modules/services/mail/postsrsd.nix b/nixos/modules/services/mail/postsrsd.nix
index 2ebc675ab10af..92f01dd4101e8 100644
--- a/nixos/modules/services/mail/postsrsd.nix
+++ b/nixos/modules/services/mail/postsrsd.nix
@@ -120,14 +120,9 @@ in {
         if [ ! -e "${cfg.secretsFile}" ]; then
           echo "WARNING: secrets file not found, autogenerating!"
           DIR="$(dirname "${cfg.secretsFile}")"
-          if [ ! -d "$DIR" ]; then
-            mkdir -p -m750 "$DIR"
-            chown "${cfg.user}:${cfg.group}" "$DIR"
-          fi
-          dd if=/dev/random bs=18 count=1 | base64 > "${cfg.secretsFile}"
-          chmod 600 "${cfg.secretsFile}"
+          install -m 750 -o ${cfg.user} -g ${cfg.group} -d "$DIR"
+          install -m 600 -o ${cfg.user} -g ${cfg.group} <(dd if=/dev/random bs=18 count=1 | base64) "${cfg.secretsFile}"
         fi
-        chown "${cfg.user}:${cfg.group}" "${cfg.secretsFile}"
       '';
     };
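Review bot: The new `install … <(dd if=/dev/random bs=18 count=1 | base64)` line can silently produce a short or empty secret: `dd` with `count=1` and no `iflag=fullblock` copies whatever a single read returns, and a failure inside the process substitution is not propagated to `install`, which installs the truncated stream as the secrets file. Read a fixed byte count and verify the result, e.g. `<(head -c 18 /dev/random | base64)` followed by `test -s "${cfg.secretsFile}"`, so a bad secret aborts the script instead of being used for SRS signing. `${cfg.user}` and `${cfg.group}` are also unquoted on both install lines; `lib.escapeShellArg` keeps them consistent with the quoted paths on the same lines.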
 
diff --git a/nixos/modules/services/misc/amazon-ssm-agent.nix b/nixos/modules/services/misc/amazon-ssm-agent.nix
index 9ab4a7f96d087..0da10621d0a09 100644
--- a/nixos/modules/services/misc/amazon-ssm-agent.nix
+++ b/nixos/modules/services/misc/amazon-ssm-agent.nix
@@ -28,13 +28,7 @@ in {
 
   options.services.amazon-ssm-agent = {
     enable = mkEnableOption "Amazon SSM agent";
-
-    package = mkOption {
-      type = types.path;
-      description = "The Amazon SSM agent package to use";
-      default = pkgs.amazon-ssm-agent.override { overrideEtc = false; };
-      defaultText = literalExpression "pkgs.amazon-ssm-agent.override { overrideEtc = false; }";
-    };
+    package = mkPackageOption pkgs "amazon-ssm-agent" {};
   };
 
   config = mkIf cfg.enable {
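Review bot: The replaced default carried `override { overrideEtc = false; }` while the new `mkPackageOption pkgs "amazon-ssm-agent" {}` default is the unmodified package, so unless the package's own default changed in the same series this silently changes what the module deploys. If the override is no longer needed, a one-line comment at the option (`# overrideEtc is no longer required: <reason>`) and a release-note entry would make that explicit; if it is still needed, the old `mkOption` with `type = types.package` and the override as default should stay. The option's `defaultText` changes accordingly, which existing configs referencing `types.path` values should tolerate but is worth checking.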
diff --git a/nixos/modules/services/misc/anki-sync-server.md b/nixos/modules/services/misc/anki-sync-server.md
index f58d3d8ad0dab..5482a4aa0e5ff 100644
--- a/nixos/modules/services/misc/anki-sync-server.md
+++ b/nixos/modules/services/misc/anki-sync-server.md
@@ -52,7 +52,7 @@ following options:
 
 ```nix
 {
-  services.anki-sync-server.host = "0.0.0.0";
+  services.anki-sync-server.address = "0.0.0.0";
   services.anki-sync-server.openFirewall = true;
 }
 ```
diff --git a/nixos/modules/services/search/qdrant.nix b/nixos/modules/services/search/qdrant.nix
index f28178a5f1751..41a4e9b41f6d9 100644
--- a/nixos/modules/services/search/qdrant.nix
+++ b/nixos/modules/services/search/qdrant.nix
@@ -60,6 +60,7 @@ in {
 
   config = mkIf cfg.enable {
     services.qdrant.settings = {
+      service.static_content_dir = mkDefault pkgs.qdrant-web-ui;
       storage.storage_path = mkDefault "/var/lib/qdrant/storage";
       storage.snapshots_path = mkDefault "/var/lib/qdrant/snapshots";
       # The following default values are the same as in the default config,
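Review bot: `service.static_content_dir = mkDefault pkgs.qdrant-web-ui` makes qdrant serve the web UI by default to anyone who can reach its listener, a new exposed surface the module did not have before and that the hunk does not document. A comment above the line, e.g. `# Serve the bundled web UI on the HTTP listener by default; override this setting to disable it`, plus a release-note entry would let operators of non-local deployments decide knowingly. Whether the UI is subject to the same API-key protection as the REST endpoints is not visible here and should be confirmed before this ships as a default.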
diff --git a/nixos/modules/services/security/oauth2-proxy-nginx.nix b/nixos/modules/services/security/oauth2-proxy-nginx.nix
index 44bf56233e95e..2dffeb993803f 100644
--- a/nixos/modules/services/security/oauth2-proxy-nginx.nix
+++ b/nixos/modules/services/security/oauth2-proxy-nginx.nix
@@ -73,6 +73,7 @@ in
       virtualHosts.${cfg.domain}.locations."/oauth2/" = {
         proxyPass = cfg.proxy;
         extraConfig = ''
+          auth_request off;
           proxy_set_header X-Scheme                $scheme;
           proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
         '';
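Review bot: `auth_request off;` in the `/oauth2/` location is presumably there so nginx never sends oauth2-proxy's own endpoints (start, callback, auth) through the auth subrequest the module configures elsewhere, but nothing in the hunk says so and a later reader may drop it as redundant. A comment on the line, `# oauth2-proxy's own endpoints must never be gated by auth_request, or login loops`, captures the intent. The surrounding virtualHosts definition continues outside the hunk.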
diff --git a/nixos/modules/services/security/oauth2-proxy.nix b/nixos/modules/services/security/oauth2-proxy.nix
index 3079a1d030c52..a897f04ea6333 100644
--- a/nixos/modules/services/security/oauth2-proxy.nix
+++ b/nixos/modules/services/security/oauth2-proxy.nix
@@ -586,11 +586,11 @@ in
         wantedBy = [ "multi-user.target" ];
         wants = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ];
         after = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ];
-
+        restartTriggers = [ cfg.keyFile ];
         serviceConfig = {
           User = "oauth2-proxy";
           Restart = "always";
-          ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
+          ExecStart = "${lib.getExe cfg.package} ${configString}";
           EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile;
         };
       };
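Review bot: `restartTriggers = [ cfg.keyFile ];` keys the restart on the option's string value, so for a non-store path such as a secrets directory the service restarts only when the path changes, not when the file's contents rotate; if content-based restarts were the intent, this does not provide them. When `cfg.keyFile` is null the trigger degenerates to an empty string, so mirror the guard already used on the `EnvironmentFile` line: `restartTriggers = lib.optional (cfg.keyFile != null) cfg.keyFile;`.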
diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix
index 33957be437b30..41f7de5d80fab 100644
--- a/nixos/modules/services/security/vaultwarden/default.nix
+++ b/nixos/modules/services/security/vaultwarden/default.nix
@@ -5,6 +5,8 @@ let
   user = config.users.users.vaultwarden.name;
   group = config.users.groups.vaultwarden.name;
 
+  StateDirectory = if lib.versionOlder config.system.stateVersion "24.11" then "bitwarden_rs" else "vaultwarden";
+
   # Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
   nameToEnvVar = name:
     let
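Review bot: The new `StateDirectory` let-binding switches the directory name on `system.stateVersion` without saying why, and the reason (installs created before 24.11 keep the legacy `bitwarden_rs` directory that the old hard-coded `StateDirectory = "bitwarden_rs"` used, newer ones get `vaultwarden`) is exactly what a future maintainer needs before touching it. A comment above it such as `# Keep pre-24.11 installs on /var/lib/bitwarden_rs so existing data is not orphaned; new installs use /var/lib/vaultwarden.` is enough, ideally with a pointer to how a user who wants to migrate should do it. The `let` block starts before the hunk.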
@@ -23,7 +25,7 @@ let
       configEnv = lib.concatMapAttrs (name: value: lib.optionalAttrs (value != null) {
         ${nameToEnvVar name} = if lib.isBool value then lib.boolToString value else toString value;
       }) cfg.config;
-    in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
+    in { DATA_FOLDER = "/var/lib/${StateDirectory}"; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
       WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
     } // configEnv;
 
@@ -176,16 +178,45 @@ in {
         User = user;
         Group = group;
         EnvironmentFile = [ configFile ] ++ lib.optional (cfg.environmentFile != null) cfg.environmentFile;
-        ExecStart = "${vaultwarden}/bin/vaultwarden";
+        ExecStart = lib.getExe vaultwarden;
         LimitNOFILE = "1048576";
-        PrivateTmp = "true";
-        PrivateDevices = "true";
-        ProtectHome = "true";
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "" ];
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "noaccess";
         ProtectSystem = "strict";
-        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-        StateDirectory = "bitwarden_rs";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        inherit StateDirectory;
         StateDirectoryMode = "0700";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
         Restart = "always";
+        UMask = "0077";
       };
       wantedBy = [ "multi-user.target" ];
     };
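Review bot: Dropping `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` while adding `CapabilityBoundingSet = [ "" ]` and `PrivateUsers = true` means vaultwarden can no longer bind a port below 1024, so any deployment that configured it to listen directly on 80 or 443 will fail to start after this change. That is the right default for a service expected to sit behind a reverse proxy, but it deserves an assertion on the configured port or at least a release-note entry, since the failure only shows up at runtime. The rest of the hardening set is consistent with the new flood.nix in the same commit, which is good; a short comment that `RestrictAddressFamilies` deliberately omits AF_NETLINK would pre-empt the usual question.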
@@ -193,7 +224,7 @@ in {
     systemd.services.backup-vaultwarden = lib.mkIf (cfg.backupDir != null) {
       description = "Backup vaultwarden";
       environment = {
-        DATA_FOLDER = "/var/lib/bitwarden_rs";
+        DATA_FOLDER = "/var/lib/${StateDirectory}";
         BACKUP_FOLDER = cfg.backupDir;
       };
       path = with pkgs; [ sqlite ];
diff --git a/nixos/modules/services/torrent/flood.nix b/nixos/modules/services/torrent/flood.nix
new file mode 100644
index 0000000000000..213f4ef046483
--- /dev/null
+++ b/nixos/modules/services/torrent/flood.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, utils, ... }:
+
+let
+  cfg = config.services.flood;
+in
+{
+  meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
+  options.services.flood = {
+    enable = lib.mkEnableOption "flood";
+    package = lib.mkPackageOption pkgs "flood" { };
+    openFirewall = lib.mkEnableOption "" // {
+      description = "Whether to open the firewall for the port in {option}`services.flood.port`.";
+    };
+    port = lib.mkOption {
+      type = lib.types.int;
+      description = "Port to bind webserver.";
+      default = 3000;
+      example = 3001;
+    };
+    host = lib.mkOption {
+      type = lib.types.str;
+      description = "Host to bind webserver.";
+      default = "localhost";
+      example = "::";
+    };
+    extraArgs = lib.mkOption {
+      type = with lib.types; listOf str;
+      description = "Extra arguments passed to `flood`.";
+      default = [ ];
+      example = [ "--baseuri=/" ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.flood = {
+      description = "A modern web UI for various torrent clients.";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      unitConfig = {
+        Documentation = "https://github.com/jesec/flood/wiki";
+      };
+      serviceConfig = {
+        Restart = "on-failure";
+        RestartSec = "3s";
+        ExecStart = utils.escapeSystemdExecArgs ([
+          (lib.getExe cfg.package)
+          "--host"
+          cfg.host
+          "--port"
+          (toString cfg.port)
+          "--rundir=/var/lib/flood"
+        ] ++ cfg.extraArgs);
+
+        CapabilityBoundingSet = [ "" ];
+        DynamicUser = true;
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        StateDirectory = "flood";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "@pkey" "~@privileged" ];
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
+      cfg.port
+    ];
+  };
+}
+
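Review bot: `port` is declared as `lib.types.int`, so a negative or greater-than-65535 value is accepted at evaluation time and only fails when flood starts, and the same unchecked value is appended to `networking.firewall.allowedTCPPorts` when `openFirewall` is set; `type = lib.types.port;` gives the range check for free and covers both uses. The sandboxing block and `utils.escapeSystemdExecArgs` are well done; a comment noting that `--rundir=/var/lib/flood` must match `StateDirectory = "flood"` would keep the two from drifting apart.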
diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix
index 338e7c7383380..8ba3c7eaa1e6a 100644
--- a/nixos/modules/services/web-apps/akkoma.nix
+++ b/nixos/modules/services/web-apps/akkoma.nix
@@ -1136,6 +1136,6 @@ in {
     };
   };
 
-  meta.maintainers = with maintainers; [ mvs tcmal ];
+  meta.maintainers = with maintainers; [ mvs ];
   meta.doc = ./akkoma.md;
 }
diff --git a/nixos/modules/services/web-apps/firefly-iii.nix b/nixos/modules/services/web-apps/firefly-iii.nix
index 6b383139c8911..3e51bd226b02e 100644
--- a/nixos/modules/services/web-apps/firefly-iii.nix
+++ b/nixos/modules/services/web-apps/firefly-iii.nix
@@ -46,7 +46,8 @@ let
     Type = "oneshot";
     User = user;
     Group = group;
-    StateDirectory = "${removePrefix "/var/lib/" cfg.dataDir}";
+    StateDirectory = "firefly-iii";
+    ReadWritePaths = [cfg.dataDir];
     WorkingDirectory = cfg.package;
     PrivateTmp = true;
     PrivateDevices = true;
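Review bot: `ReadWritePaths = [cfg.dataDir];` only punches a hole in the sandbox; with `StateDirectory` now fixed at `firefly-iii`, nothing in this hunk creates or chowns `cfg.dataDir` when it is not `/var/lib/firefly-iii`, so the oneshot would fail on a missing or root-owned directory. Either add a tmpfiles rule creating `cfg.dataDir` for `user`/`group`, or assert that it lies under `/var/lib/firefly-iii`. Whether the module already creates the directory elsewhere is outside the hunk, and the enclosing serviceConfig attrset starts before it.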
diff --git a/nixos/modules/services/web-apps/freshrss.nix b/nixos/modules/services/web-apps/freshrss.nix
index 1035c961c02c9..021101fecaa48 100644
--- a/nixos/modules/services/web-apps/freshrss.nix
+++ b/nixos/modules/services/web-apps/freshrss.nix
@@ -10,7 +10,7 @@ in
   meta.maintainers = with maintainers; [ etu stunkymonkey mattchrist ];
 
   options.services.freshrss = {
-    enable = mkEnableOption "FreshRSS feed reader";
+    enable = mkEnableOption "FreshRSS RSS aggregator and reader with php-fpm backend.";
 
     package = mkPackageOption pkgs "freshrss" { };
 
@@ -108,7 +108,7 @@ in
       type = types.str;
       default = poolName;
       description = ''
-        Name of the phpfpm pool to use and setup. If not specified, a pool will be created
+        Name of the php-fpm pool to use and setup. If not specified, a pool will be created
         with default values.
       '';
     };
diff --git a/nixos/modules/services/web-apps/invoiceplane.nix b/nixos/modules/services/web-apps/invoiceplane.nix
index c3dbb88619b33..9a9f180b21021 100644
--- a/nixos/modules/services/web-apps/invoiceplane.nix
+++ b/nixos/modules/services/web-apps/invoiceplane.nix
@@ -46,10 +46,10 @@ let
     version = src.version;
     src = pkgs.invoiceplane;
 
-    postPhase = ''
+    postPatch = ''
       # Patch index.php file to load additional config file
       substituteInPlace index.php \
-        --replace "require('vendor/autoload.php');" "require('vendor/autoload.php'); \$dotenv = Dotenv\Dotenv::createImmutable(__DIR__, 'extraConfig.php'); \$dotenv->load();";
+        --replace-fail "require('vendor/autoload.php');" "require('vendor/autoload.php'); \$dotenv = Dotenv\Dotenv::createImmutable(__DIR__, 'extraConfig.php'); \$dotenv->load();";
     '';
 
     installPhase = ''
diff --git a/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix b/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix
index d58210c8d9610..9bd2cf310c0af 100644
--- a/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix
+++ b/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix
@@ -7,7 +7,7 @@
 let
   cfg = config.services.nextjs-ollama-llm-ui;
   # we have to override the URL to a Ollama service here, because it gets baked into the web app.
-  nextjs-ollama-llm-ui = cfg.package.override { ollamaUrl = "https://ollama.lambdablob.com"; };
+  nextjs-ollama-llm-ui = cfg.package.override { inherit (cfg) ollamaUrl; };
 in
 {
   options = {
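Review bot: `inherit (cfg) ollamaUrl` feeds the URL into a package override, and the comment above says it is baked into the web app at build time, which has two consequences the option's description (outside the hunk) should state: every change rebuilds the package, and the value is presumably the URL the browser must reach rather than a server-side address, so a loopback value only works for users on the same machine. If the ollama endpoint is reachable by the browser without authentication, it is also reachable by every visitor of the UI, which is worth a sentence in the option docs.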
diff --git a/nixos/modules/services/web-apps/pretix.nix b/nixos/modules/services/web-apps/pretix.nix
index 498face7456db..9786b61160260 100644
--- a/nixos/modules/services/web-apps/pretix.nix
+++ b/nixos/modules/services/web-apps/pretix.nix
@@ -310,7 +310,7 @@ in
               type = types.str;
               default = "redis+socket://${config.services.redis.servers.pretix.unixSocket}?virtual_host=1";
               defaultText = literalExpression ''
-                optionalString config.services.pretix.celery.enable "redis+socket://''${config.services.redis.servers.pretix.unixSocket}?virtual_host=1"
+                redis+socket://''${config.services.redis.servers.pretix.unixSocket}?virtual_host=1
               '';
               description = ''
                 URI to the celery backend used for the asynchronous job queue.
@@ -321,7 +321,7 @@ in
               type = types.str;
               default = "redis+socket://${config.services.redis.servers.pretix.unixSocket}?virtual_host=2";
               defaultText = literalExpression ''
-                optionalString config.services.pretix.celery.enable "redis+socket://''${config.services.redis.servers.pretix.unixSocket}?virtual_host=2"
+                redis+socket://''${config.services.redis.servers.pretix.unixSocket}?virtual_host=2
               '';
               description = ''
                 URI to the celery broker used for the asynchronous job queue.
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
index cee8663f0040e..e73048dc2ecbe 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@@ -323,15 +323,15 @@ in {
     assertions = [
       {
         assertion = (hasPrefix "/" efi.efiSysMountPoint);
-        message = "The ESP mount point '${efi.efiSysMountPoint}' must be an absolute path";
+        message = "The ESP mount point '${toString efi.efiSysMountPoint}' must be an absolute path";
       }
       {
         assertion = cfg.xbootldrMountPoint == null || (hasPrefix "/" cfg.xbootldrMountPoint);
-        message = "The XBOOTLDR mount point '${cfg.xbootldrMountPoint}' must be an absolute path";
+        message = "The XBOOTLDR mount point '${toString cfg.xbootldrMountPoint}' must be an absolute path";
       }
       {
         assertion = cfg.xbootldrMountPoint != efi.efiSysMountPoint;
-        message = "The XBOOTLDR mount point '${cfg.xbootldrMountPoint}' cannot be the same as the ESP mount point '${efi.efiSysMountPoint}'";
+        message = "The XBOOTLDR mount point '${toString cfg.xbootldrMountPoint}' cannot be the same as the ESP mount point '${toString efi.efiSysMountPoint}'";
       }
       {
         assertion = (config.boot.kernelPackages.kernel.features or { efiBootStub = true; }) ? efiBootStub;
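Review bot: `toString` in the three assertion messages renders a `null` mount point as an empty string, so a failing assertion prints `''` and gives no clue whether the option was unset or set to the empty string. `builtins.toJSON` shows `null` explicitly and quotes strings itself, e.g. `message = "The XBOOTLDR mount point ${builtins.toJSON cfg.xbootldrMountPoint} must be an absolute path";`. The `assertions` list continues past the hunk.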