Diffstat (limited to 'nixos/modules')
48 files changed, 846 insertions, 630 deletions
diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index a606ebd767598..53aea5d847129 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -275,7 +275,6 @@ in chattr +C "$DEVICE" 2>/dev/null || true dd if=/dev/zero of="$DEVICE" bs=1M count=${toString sw.size} - chmod 0600 ${sw.device} ${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"} fi ''} @@ -292,9 +291,12 @@ in unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ]; unitConfig.DefaultDependencies = false; # needed to prevent a cycle - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = sw.randomEncryption.enable; - serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = sw.randomEncryption.enable; + UMask = "0177"; + ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}"; + }; restartIfChanged = false; }; diff --git a/nixos/modules/hardware/graphics.nix b/nixos/modules/hardware/graphics.nix new file mode 100644 index 0000000000000..99c122f75c2a1 --- /dev/null +++ b/nixos/modules/hardware/graphics.nix 
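Review bot: `UMask = "0177"` only governs files this service creates, so it does not fully replace the removed `chmod 0600 ${sw.device}`: when `dd if=/dev/zero of="$DEVICE"` rewrites a swap file that already exists (an earlier generation, or one created by hand, possibly 0644), the file keeps its old mode, and the `chattr +C` on the preceding line suggests the file can indeed exist before dd runs. A world-readable swap file exposes whatever was paged out, so I would keep an explicit `chmod 0600 "$DEVICE"` right after the dd line in addition to the UMask. If the script always recreates the file from scratch earlier on (outside this hunk), a comment next to `UMask` saying so would justify dropping the chmod. Both the script and the `serviceConfig` attrset start outside the hunk.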
@@ -0,0 +1,126 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.hardware.graphics; + + driversEnv = pkgs.buildEnv { + name = "graphics-drivers"; + paths = [ cfg.package ] ++ cfg.extraPackages; + }; + + driversEnv32 = pkgs.buildEnv { + name = "graphics-drivers-32bit"; + paths = [ cfg.package32 ] ++ cfg.extraPackages32; + }; +in +{ + imports = [ + (lib.mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) + (lib.mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] "S3TC support is now always enabled in Mesa.") + (lib.mkRemovedOptionModule [ "hardware" "opengl" "driSupport"] "The setting can be removed.") + + (lib.mkRenamedOptionModule [ "hardware" "opengl" "enable"] [ "hardware" "graphics" "enable" ]) + (lib.mkRenamedOptionModule [ "hardware" "opengl" "driSupport32Bit"] [ "hardware" "graphics" "enable32Bit" ]) + (lib.mkRenamedOptionModule [ "hardware" "opengl" "package"] [ "hardware" "graphics" "package" ]) + (lib.mkRenamedOptionModule [ "hardware" "opengl" "package32"] [ "hardware" "graphics" "package32" ]) + (lib.mkRenamedOptionModule [ "hardware" "opengl" "extraPackages"] [ "hardware" "graphics" "extraPackages" ]) + (lib.mkRenamedOptionModule [ "hardware" "opengl" "extraPackages32"] [ "hardware" "graphics" "extraPackages32" ]) + ]; + + options.hardware.graphics = { + enable = lib.mkOption { + description = '' + Whether to enable hardware accelerated graphics drivers. + + This is required to allow most graphical applications and + environments to use hardware rendering, video encode/decode + acceleration, etc. + + This option should be enabled by default by the corresponding modules, + so you do not usually have to set it yourself. + ''; + type = lib.types.bool; + default = false; + }; + + enable32Bit = lib.mkOption { + description = '' + On 64-bit systems, whether to also install 32-bit drivers for + 32-bit applications (such as Wine). 
+ ''; + type = lib.types.bool; + default = false; + }; + + package = lib.mkOption { + description = '' + The package that provides the default driver set. + ''; + type = lib.types.package; + internal = true; + }; + + package32 = lib.mkOption { + description = '' + The package that provides the 32-bit driver set. Used when {option}`enable32Bit` is enabled. + set. + ''; + type = lib.types.package; + internal = true; + }; + + extraPackages = lib.mkOption { + description = '' + Additional packages to add to the default graphics driver lookup path. + This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc. + + ::: {.note} + intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver. + ::: + ''; + type = lib.types.listOf lib.types.package; + default = []; + example = lib.literalExpression "with pkgs; [ intel-media-driver intel-ocl intel-vaapi-driver ]"; + }; + + extraPackages32 = lib.mkOption { + description = '' + Additional packages to add to 32-bit graphics driver lookup path on 64-bit systems. + Used when {option}`enable32Bit` is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc. + + ::: {.note} + intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver. 
+ ::: + ''; + type = lib.types.listOf lib.types.package; + default = []; + example = lib.literalExpression "with pkgs.pkgsi686Linux; [ intel-media-driver intel-vaapi-driver ]"; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = cfg.enable32Bit -> pkgs.stdenv.isx86_64; + message = "`hardware.graphics.enable32Bit` only makes sense on a 64-bit system."; + } + { + assertion = cfg.enable32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false); + message = "`hardware.graphics.enable32Bit` requires a kernel that supports 32-bit emulation"; + } + ]; + + systemd.tmpfiles.settings.graphics-driver = { + "/run/opengl-driver"."L+".argument = toString driversEnv; + "/run/opengl-driver-32" = + if pkgs.stdenv.isi686 then + { "L+".argument = "opengl-driver"; } + else if cfg.enable32Bit then + { "L+".argument = toString driversEnv32; } + else + { "r" = {}; }; + }; + + hardware.graphics.package = lib.mkDefault pkgs.mesa.drivers; + hardware.graphics.package32 = lib.mkDefault pkgs.pkgsi686Linux.mesa.drivers; + }; +} diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix deleted file mode 100644 index 3ca9deec8961d..0000000000000 --- a/nixos/modules/hardware/opengl.nix +++ /dev/null 
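Review bot: The `services.xserver.vaapiDrivers` rename still points at `[ "hardware" "opengl" "extraPackages" ]`, which the same import list turns into a deprecated alias, so users of the old option get a deprecation warning naming another deprecated option; target the live one directly: `(lib.mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "graphics" "extraPackages" ])`. The `package32` description carries a leftover fragment, `Used when {option}`enable32Bit` is enabled. set.` — drop the trailing `set.`. The `driSupport` removal message `The setting can be removed.` tells users nothing about why; something like `DRI is now always enabled; the setting can simply be removed.` would be more helpful, assuming that is the intent (I am inferring it from the S3TC message beside it).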
@@ -1,158 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - - cfg = config.hardware.opengl; - - kernelPackages = config.boot.kernelPackages; - - videoDrivers = config.services.xserver.videoDrivers; - - package = pkgs.buildEnv { - name = "opengl-drivers"; - paths = [ cfg.package ] ++ cfg.extraPackages; - }; - - package32 = pkgs.buildEnv { - name = "opengl-drivers-32bit"; - paths = [ cfg.package32 ] ++ cfg.extraPackages32; - }; - -in - -{ - - imports = [ - (lib.mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ]) - (lib.mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] "S3TC support is now always enabled in Mesa.") - ]; - - options = { - - hardware.opengl = { - enable = lib.mkOption { - description = '' - Whether to enable OpenGL drivers. This is needed to enable - OpenGL support in X11 systems, as well as for Wayland compositors - like sway and Weston. It is enabled by default - by the corresponding modules, so you do not usually have to - set it yourself, only if there is no module for your wayland - compositor of choice. See services.xserver.enable and - programs.sway.enable. - ''; - type = lib.types.bool; - default = false; - }; - - driSupport = lib.mkOption { - type = lib.types.bool; - default = true; - description = '' - Whether to enable accelerated OpenGL rendering through the - Direct Rendering Interface (DRI). - ''; - }; - - driSupport32Bit = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - On 64-bit systems, whether to support Direct Rendering for - 32-bit applications (such as Wine). This is currently only - supported for the `nvidia` as well as - `Mesa`. - ''; - }; - - package = lib.mkOption { - type = lib.types.package; - internal = true; - description = '' - The package that provides the OpenGL implementation. 
- ''; - }; - - package32 = lib.mkOption { - type = lib.types.package; - internal = true; - description = '' - The package that provides the 32-bit OpenGL implementation on - 64-bit systems. Used when {option}`driSupport32Bit` is - set. - ''; - }; - - extraPackages = lib.mkOption { - type = lib.types.listOf lib.types.package; - default = []; - example = lib.literalExpression "with pkgs; [ intel-media-driver intel-ocl intel-vaapi-driver ]"; - description = '' - Additional packages to add to OpenGL drivers. - This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. - - ::: {.note} - intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver. - ::: - ''; - }; - - extraPackages32 =lib. mkOption { - type = lib.types.listOf lib.types.package; - default = []; - example = lib.literalExpression "with pkgs.pkgsi686Linux; [ intel-media-driver intel-vaapi-driver ]"; - description = '' - Additional packages to add to 32-bit OpenGL drivers on 64-bit systems. - Used when {option}`driSupport32Bit` is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. - - ::: {.note} - intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver. - ::: - ''; - }; - - setLdLibraryPath = lib.mkOption { - type = lib.types.bool; - internal = true; - default = false; - description = '' - Whether the `LD_LIBRARY_PATH` environment variable - should be set to the locations of driver libraries. Drivers which - rely on overriding libraries should set this to true. Drivers which - support `libglvnd` and other dispatch libraries - instead of overriding libraries should not set this. 
- ''; - }; - }; - - }; - - config = lib.mkIf cfg.enable { - assertions = [ - { assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64; - message = "Option driSupport32Bit only makes sense on a 64-bit system."; - } - { assertion = cfg.driSupport32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false); - message = "Option driSupport32Bit requires a kernel that supports 32bit emulation"; - } - ]; - - systemd.tmpfiles.settings.opengl = { - "/run/opengl-driver"."L+".argument = toString package; - "/run/opengl-driver-32" = - if pkgs.stdenv.isi686 then - { "L+".argument = "opengl-driver"; } - else if cfg.driSupport32Bit then - { "L+".argument = toString package32; } - else - { "r" = {}; }; - }; - - environment.sessionVariables.LD_LIBRARY_PATH = lib.mkIf cfg.setLdLibraryPath - ([ "/run/opengl-driver/lib" ] ++ lib.optional cfg.driSupport32Bit "/run/opengl-driver-32/lib"); - - hardware.opengl.package = lib.mkDefault pkgs.mesa.drivers; - hardware.opengl.package32 = lib.mkDefault pkgs.pkgsi686Linux.mesa.drivers; - - boot.extraModulePackages = lib.optional (lib.elem "virtualbox" videoDrivers) kernelPackages.virtualboxGuestAdditions; - }; -} diff --git a/nixos/modules/hardware/video/amdgpu-pro.nix b/nixos/modules/hardware/video/amdgpu-pro.nix deleted file mode 100644 index 2a86280eec8cb..0000000000000 --- a/nixos/modules/hardware/video/amdgpu-pro.nix +++ /dev/null 
@@ -1,69 +0,0 @@ -# This module provides the proprietary AMDGPU-PRO drivers. - -{ config, lib, pkgs, ... }: - -with lib; - -let - - drivers = config.services.xserver.videoDrivers; - - enabled = elem "amdgpu-pro" drivers; - - package = config.boot.kernelPackages.amdgpu-pro; - package32 = pkgs.pkgsi686Linux.linuxPackages.amdgpu-pro.override { kernel = null; }; - - opengl = config.hardware.opengl; - -in - -{ - - config = mkIf enabled { - services.xserver.drivers = singleton - { name = "amdgpu"; modules = [ package ]; display = true; }; - - hardware.opengl.package = package; - hardware.opengl.package32 = package32; - hardware.opengl.setLdLibraryPath = true; - - boot.extraModulePackages = [ package.kmod ]; - - boot.kernelPackages = pkgs.linuxKernel.packagesFor - (pkgs.linuxKernel.kernels.linux_5_10.override { - structuredExtraConfig = { - DEVICE_PRIVATE = kernel.yes; - KALLSYMS_ALL = kernel.yes; - }; - }); - - hardware.firmware = [ package.fw ]; - - systemd.tmpfiles.settings.amdgpu-pro = { - "/run/amdgpu"."L+".argument = "${package}/opt/amdgpu"; - "/run/amdgpu-pro"."L+".argument = "${package}/opt/amdgpu-pro"; - }; - - system.requiredKernelConfig = with config.lib.kernelConfig; [ - (isYes "DEVICE_PRIVATE") - (isYes "KALLSYMS_ALL") - ]; - - boot.initrd.extraUdevRulesCommands = mkIf (!config.boot.initrd.systemd.enable) '' - cp -v ${package}/etc/udev/rules.d/*.rules $out/ - ''; - boot.initrd.services.udev.packages = [ package ]; - - environment.systemPackages = - [ package.vulkan ] ++ - # this isn't really DRI, but we'll reuse this option for now - optional config.hardware.opengl.driSupport32Bit package32.vulkan; - - environment.etc = { - "modprobe.d/blacklist-radeon.conf".source = package + "/etc/modprobe.d/blacklist-radeon.conf"; - amd.source = package + "/etc/amd"; - }; - - }; - -} diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index ae5c2aa7a034a..0274dfcaa70f9 100644 --- a/nixos/modules/hardware/video/nvidia.nix 
+++ b/nixos/modules/hardware/video/nvidia.nix @@ -297,7 +297,7 @@ in KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 1'" ''; - hardware.opengl = { + hardware.graphics = { extraPackages = [ nvidia_x11.out ]; extraPackages32 = [ nvidia_x11.lib32 ]; }; @@ -467,7 +467,7 @@ in "egl/egl_external_platform.d".source = "/run/opengl-driver/share/egl/egl_external_platform.d/"; }; - hardware.opengl = { + hardware.graphics = { extraPackages = [ pkgs.nvidia-vaapi-driver ]; extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ]; }; diff --git a/nixos/modules/hardware/video/virtualbox.nix b/nixos/modules/hardware/video/virtualbox.nix new file mode 100644 index 0000000000000..31ed92b7d148e --- /dev/null +++ b/nixos/modules/hardware/video/virtualbox.nix @@ -0,0 +1,7 @@ +{ lib, config, ... }: +let + inherit (config.boot) kernelPackages; + inherit (config.services.xserver) videoDrivers; +in { + boot.extraModulePackages = lib.mkIf (lib.elem "virtualbox" videoDrivers) [ kernelPackages.virtualboxGuestAdditions ]; +} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index a008c3c5bdeae..d412e414f68b5 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -67,6 +67,7 @@ ./hardware/gkraken.nix ./hardware/glasgow.nix ./hardware/gpgsmartcards.nix + ./hardware/graphics.nix ./hardware/hackrf.nix ./hardware/i2c.nix ./hardware/infiniband.nix @@ -84,7 +85,6 @@ ./hardware/new-lg4ff.nix ./hardware/nitrokey.nix ./hardware/onlykey/default.nix - ./hardware/opengl.nix ./hardware/openrazer.nix ./hardware/opentabletdriver.nix ./hardware/pcmcia.nix 
@@ -103,7 +103,6 @@ ./hardware/uni-sync.nix ./hardware/usb-modeswitch.nix ./hardware/usb-storage.nix - ./hardware/video/amdgpu-pro.nix ./hardware/video/bumblebee.nix ./hardware/video/capture/mwprocapture.nix ./hardware/video/displaylink.nix @@ -111,6 +110,7 @@ ./hardware/video/nvidia.nix ./hardware/video/switcheroo-control.nix ./hardware/video/uvcvideo/default.nix + ./hardware/video/virtualbox.nix ./hardware/video/webcam/facetimehd.nix ./hardware/video/webcam/ipu6.nix ./hardware/wooting.nix @@ -549,6 +549,7 @@ ./services/games/xonotic.nix ./services/hardware/acpid.nix ./services/hardware/actkbd.nix + ./services/hardware/amdgpu.nix ./services/hardware/amdvlk.nix ./services/hardware/argonone.nix ./services/hardware/asusd.nix diff --git a/nixos/modules/programs/miriway.nix b/nixos/modules/programs/miriway.nix index 00c1356ab0836..418bb3dc4f2dd 100644 --- a/nixos/modules/programs/miriway.nix +++ b/nixos/modules/programs/miriway.nix @@ -65,7 +65,7 @@ in { }; }; - hardware.opengl.enable = lib.mkDefault true; + hardware.graphics.enable = lib.mkDefault true; fonts.enableDefaultPackages = lib.mkDefault true; programs.dconf.enable = lib.mkDefault true; programs.xwayland.enable = lib.mkDefault true; diff --git a/nixos/modules/programs/steam.nix b/nixos/modules/programs/steam.nix index 5138588dbd3e5..2ee464dc22d37 100644 --- a/nixos/modules/programs/steam.nix +++ b/nixos/modules/programs/steam.nix @@ -50,7 +50,7 @@ in { }) // (prev.extraEnv or {}); extraLibraries = pkgs: let prevLibs = if prev ? extraLibraries then prev.extraLibraries pkgs else [ ]; - additionalLibs = with config.hardware.opengl; + additionalLibs = with config.hardware.graphics; if pkgs.stdenv.hostPlatform.is64bit then [ package ] ++ extraPackages else [ package32 ] ++ extraPackages32; 
@@ -176,10 +176,9 @@ in { }; config = lib.mkIf cfg.enable { - hardware.opengl = { # this fixes the "glXChooseVisual failed" bug, context: https://github.com/NixOS/nixpkgs/issues/47932 + hardware.graphics = { # this fixes the "glXChooseVisual failed" bug, context: https://github.com/NixOS/nixpkgs/issues/47932 enable = true; - driSupport = true; - driSupport32Bit = true; + enable32Bit = true; }; security.wrappers = lib.mkIf (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) { diff --git a/nixos/modules/programs/turbovnc.nix b/nixos/modules/programs/turbovnc.nix index c28b7f7d79910..c7ab18a2e2886 100644 --- a/nixos/modules/programs/turbovnc.nix +++ b/nixos/modules/programs/turbovnc.nix @@ -17,7 +17,7 @@ in Whether to set up NixOS such that TurboVNC's built-in software OpenGL implementation works. - This will enable {option}`hardware.opengl.enable` so that OpenGL + This will enable {option}`hardware.graphics.enable` so that OpenGL programs can find Mesa's llvmpipe drivers. Setting this option to `false` does not mean that software @@ -46,7 +46,7 @@ in # can find the llvmpipe `swrast.so` software rendering DRI lib via `libglvnd`. # This comment exists to explain why `hardware.` is involved, # even though 100% software rendering is used. - hardware.opengl.enable = true; + hardware.graphics.enable = true; }; } diff --git a/nixos/modules/programs/wayland/wayland-session.nix b/nixos/modules/programs/wayland/wayland-session.nix index 877b106684700..09fb2a5f14b2e 100644 --- a/nixos/modules/programs/wayland/wayland-session.nix +++ b/nixos/modules/programs/wayland/wayland-session.nix @@ -11,7 +11,7 @@ pam.services.swaylock = {}; }; - hardware.opengl.enable = lib.mkDefault true; + hardware.graphics.enable = lib.mkDefault true; fonts.enableDefaultPackages = lib.mkDefault true; programs = { diff --git a/nixos/modules/programs/xonsh.nix b/nixos/modules/programs/xonsh.nix index eed5152ba69a5..6bf18d4ebd89c 100644 --- a/nixos/modules/programs/xonsh.nix 
+++ b/nixos/modules/programs/xonsh.nix @@ -23,7 +23,7 @@ in }; package = lib.mkPackageOption pkgs "xonsh" { - example = "xonsh.override { extraPackages = ps: [ ps.requests ]; }"; + example = "xonsh.wrapper.override { extraPackages = ps: [ ps.requests ]; }"; }; config = lib.mkOption { @@ -61,17 +61,14 @@ in aliases['ls'] = _ls_alias del _ls_alias - ${cfg.config} ''; environment.systemPackages = [ cfg.package ]; - environment.shells = - [ "/run/current-system/sw/bin/xonsh" - "${cfg.package}/bin/xonsh" - ]; - + environment.shells = [ + "/run/current-system/sw/bin/xonsh" + "${lib.getExe cfg.package}" + ]; }; - } diff --git a/nixos/modules/security/ipa.nix b/nixos/modules/security/ipa.nix index 543b1abfa672c..e746ca75724a1 100644 --- a/nixos/modules/security/ipa.nix +++ b/nixos/modules/security/ipa.nix @@ -85,6 +85,18 @@ in { description = "Whether to cache credentials."; }; + ipaHostname = mkOption { + type = types.str; + example = "myworkstation.example.com"; + default = if config.networking.domain != null then config.networking.fqdn + else "${config.networking.hostName}.${cfg.domain}"; + defaultText = literalExpression '' + if config.networking.domain != null then config.networking.fqdn + else "''${networking.hostName}.''${security.ipa.domain}" + ''; + description = "Fully-qualified hostname used to identify this host in the IPA domain."; + }; + ifpAllowedUids = mkOption { type = types.listOf types.str; default = ["root"]; @@ -218,7 +230,7 @@ in { ipa_domain = ${cfg.domain} ipa_server = _srv_, ${cfg.server} - ipa_hostname = ${config.networking.hostName}.${cfg.domain} + ipa_hostname = ${cfg.ipaHostname} cache_credentials = ${pyBool cfg.cacheCredentials} krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords} @@ -232,7 +244,6 @@ in { ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock [sssd] - debug_level = 65510 services = nss, sudo, pam, ssh, ifp domains = ${cfg.domain} 
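Review bot: `${cfg.config}` is dropped from the generated rc in the `@@ -61,17 +61,14 @@` hunk with no replacement visible here, so unless the option is now rendered by the wrapper elsewhere in the module (plausible given the new `xonsh.wrapper.override` example), user-supplied `programs.xonsh.config` is silently ignored; either restore the line or, if it moved, add `# cfg.config is rendered by the xonsh wrapper package, not by this rc file` where it used to be. `"${lib.getExe cfg.package}"` is a needless interpolation — `(lib.getExe cfg.package)` reads cleaner. Since `environment.shells` feeds `/etc/shells` (and hence `chsh` and login-shell checks), the path getExe resolves must be the one actually recorded in users' shell fields, and getExe relies on `meta.mainProgram` being set on whatever package a user substitutes.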
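Review bot: The new `ipaHostname` is interpolated verbatim as `ipa_hostname = ${cfg.ipaHostname}` with only `types.str` to constrain it, so a value containing whitespace or a newline would corrupt the generated sssd.conf; `type = types.strMatching "[A-Za-z0-9.-]+";` would reject that at evaluation time. The description could also note that this name presumably must match the host principal the machine was enrolled with, since sssd uses it to select its keytab identity — I am inferring that from the option's role, so confirm before documenting it. Removing the two `debug_level = 65510` lines is a worthwhile change in itself: that level writes a great deal of per-lookup detail to the journal on every host.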
@@ -244,7 +255,6 @@ in { pam_verbosity = 3 [sudo] - debug_level = 65510 [autofs] diff --git a/nixos/modules/services/admin/docuum.nix b/nixos/modules/services/admin/docuum.nix index 6f6cd4e027337..51a21740b276a 100644 --- a/nixos/modules/services/admin/docuum.nix +++ b/nixos/modules/services/admin/docuum.nix @@ -2,7 +2,7 @@ let cfg = config.services.docuum; - inherit (lib) mkIf mkEnableOption mkOption getExe types; + inherit (lib) mkIf mkEnableOption mkOption getExe types optionals concatMap; in { options.services.docuum = { @@ -14,6 +14,27 @@ in default = "10 GB"; example = "50%"; }; + + minAge = mkOption { + description = "Sets the minimum age of images to be considered for deletion."; + type = types.nullOr types.str; + default = null; + example = "1d"; + }; + + keep = mkOption { + description = "Prevents deletion of images for which repository:tag matches the specified regex."; + type = types.listOf types.str; + default = []; + example = [ "^my-image" ]; + }; + + deletionChunkSize = mkOption { + description = "Removes specified quantity of images at a time."; + type = types.int; + default = 1; + example = 10; + }; }; config = mkIf cfg.enable { @@ -35,10 +56,13 @@ in DynamicUser = true; StateDirectory = "docuum"; SupplementaryGroups = [ "docker" ]; - ExecStart = utils.escapeSystemdExecArgs [ + ExecStart = utils.escapeSystemdExecArgs ([ (getExe pkgs.docuum) "--threshold" cfg.threshold - ]; + "--deletion-chunk-size" cfg.deletionChunkSize + ] ++ (concatMap (keep: [ "--keep" keep ]) cfg.keep) + ++ (optionals (cfg.minAge != null) [ "--min-age" cfg.minAge ]) + ); }; }; }; diff --git a/nixos/modules/services/admin/meshcentral.nix b/nixos/modules/services/admin/meshcentral.nix index 25779e01123ec..6e0801e1c0894 100644 --- a/nixos/modules/services/admin/meshcentral.nix +++ b/nixos/modules/services/admin/meshcentral.nix @@ -42,5 +42,5 @@ in with lib; { }; }; }; - meta.maintainers = [ maintainers.lheckemann ]; + meta.maintainers = [ ]; } 
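Review bot: `deletionChunkSize` is declared as `types.int`, so `0` or a negative value passes evaluation and is handed straight to `--deletion-chunk-size`, where it can only fail at runtime; `type = types.ints.positive;` expresses the real constraint. The `keep` entries are user regexes routed through `escapeSystemdExecArgs`, which correctly avoids shell interpretation; a short comment on the option, `# each entry becomes one --keep argument; the regex dialect is docuum's`, would help readers. The enclosing `systemd.services.docuum` definition starts outside the hunk.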
diff --git a/nixos/modules/services/desktop-managers/lomiri.nix b/nixos/modules/services/desktop-managers/lomiri.nix index eec33597dc711..0b871aa38183e 100644 --- a/nixos/modules/services/desktop-managers/lomiri.nix +++ b/nixos/modules/services/desktop-managers/lomiri.nix @@ -63,7 +63,7 @@ in { ]; # Copy-pasted basic stuff - hardware.opengl.enable = lib.mkDefault true; + hardware.graphics.enable = lib.mkDefault true; fonts.enableDefaultPackages = lib.mkDefault true; programs.dconf.enable = lib.mkDefault true; diff --git a/nixos/modules/services/desktops/gnome/gnome-keyring.nix b/nixos/modules/services/desktops/gnome/gnome-keyring.nix index 79bce0ade2fc5..02b198fd81cb9 100644 --- a/nixos/modules/services/desktops/gnome/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome/gnome-keyring.nix 
@@ -1,45 +1,52 @@ # GNOME Keyring daemon. -{ config, pkgs, lib, ... }: - +{ + config, + pkgs, + lib, + ... +}: +let + cfg = config.services.gnome.gnome-keyring; +in { meta = { maintainers = lib.teams.gnome.members; }; - ###### interface - options = { - services.gnome.gnome-keyring = { - - enable = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - Whether to enable GNOME Keyring daemon, a service designed to - take care of the user's security credentials, - such as user names and passwords. - ''; - }; - + enable = lib.mkEnableOption '' + GNOME Keyring daemon, a service designed to + take care of the user's security credentials, + such as user names and passwords + ''; }; - }; - - ###### implementation - - config = lib.mkIf config.services.gnome.gnome-keyring.enable { - + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.gnome.gnome-keyring ]; - services.dbus.packages = [ pkgs.gnome.gnome-keyring pkgs.gcr ]; + services.dbus.packages = [ + pkgs.gnome.gnome-keyring + pkgs.gcr + ]; xdg.portal.extraPortals = [ pkgs.gnome.gnome-keyring ]; - security.pam.services.login.enableGnomeKeyring = true; + security.pam.services = lib.mkMerge [ + { + login.enableGnomeKeyring = true; + } + (lib.mkIf config.services.xserver.displayManager.gdm.enable { + gdm-password.enableGnomeKeyring = true; + gdm-autologin.enableGnomeKeyring = true; + }) + (lib.mkIf (config.services.xserver.displayManager.gdm.enable && config.services.fprintd.enable) { + gdm-fingerprint.enableGnomeKeyring = true; + }) + ]; security.wrappers.gnome-keyring-daemon = { owner = "root"; @@ -47,7 +54,5 @@ capabilities = "cap_ipc_lock=ep"; source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon"; }; - }; - } diff --git a/nixos/modules/services/display-managers/default.nix b/nixos/modules/services/display-managers/default.nix index feba4b163ccd2..9a7bd6c84b15b 100644 --- a/nixos/modules/services/display-managers/default.nix 
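Review bot: Enabling `enableGnomeKeyring` on `gdm-autologin` and `gdm-fingerprint` wires `pam_gnome_keyring` into sessions where no password is ever supplied, so the daemon is started but the login keyring presumably cannot be unlocked and the user is prompted later — I am inferring this from how the PAM module obtains its secret, so confirm it, then record the intent above those two lines with `# autologin/fingerprint sessions only start the daemon; the login keyring stays locked until the user unlocks it`. Gating `gdm-fingerprint` on `config.services.fprintd.enable` is the right guard, but `config.services.xserver.displayManager.gdm.enable` is repeated in both `mkIf` conditions; binding it once in the `let` (`gdmEnabled = config.services.xserver.displayManager.gdm.enable;`) keeps the mkMerge readable.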
+++ b/nixos/modules/services/display-managers/default.nix @@ -212,9 +212,7 @@ in after = [ "acpid.service" "systemd-logind.service" "systemd-user-sessions.service" ]; restartIfChanged = false; - environment = lib.optionalAttrs config.hardware.opengl.setLdLibraryPath { - LD_LIBRARY_PATH = lib.makeLibraryPath [ pkgs.addOpenGLRunpath.driverLink ]; - } // cfg.environment; + environment = cfg.environment; preStart = cfg.preStart; script = lib.mkIf (config.systemd.services.display-manager.enable == true) cfg.execCmd; diff --git a/nixos/modules/services/hardware/amdgpu.nix b/nixos/modules/services/hardware/amdgpu.nix new file mode 100644 index 0000000000000..1952be08a17cf --- /dev/null +++ b/nixos/modules/services/hardware/amdgpu.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.hardware.amdgpu; +in { + options.hardware.amdgpu = { + legacySupport.enable = lib.mkEnableOption '' + using `amdgpu` kernel driver instead of `radeon` for Southern Islands + (Radeon HD 7000) series and Sea Islands (Radeon HD 8000) + series cards. Note: this removes support for analog video outputs, + which is only available in the `radeon` driver + ''; + initrd.enable = lib.mkEnableOption '' + loading `amdgpu` kernelModule in stage 1. + Can fix lower resolution in boot screen during initramfs phase + ''; + opencl.enable = lib.mkEnableOption ''OpenCL support using ROCM runtime library''; + # cfg.amdvlk option is defined in ./amdvlk.nix module + }; + + config = { + boot.kernelParams = lib.optionals cfg.legacySupport.enable [ + "amdgpu.si_support=1" + "amdgpu.cik_support=1" + "radeon.si_support=0" + "radeon.cik_support=0" + ]; + + boot.initrd.kernelModules = lib.optionals cfg.initrd.enable [ "amdgpu" ]; + + hardware.graphics = lib.mkIf cfg.opencl.enable { + enable = lib.mkDefault true; + extraPackages = [ + pkgs.rocmPackages.clr + pkgs.rocmPackages.clr.icd + ]; + }; + }; + + meta = { + maintainers = with lib.maintainers; [ johnrtitor ]; + }; +} 
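Review bot: The `mkEnableOption` texts read awkwardly once the helper prepends its fixed prefix — `legacySupport.enable` renders as "Whether to enable using `amdgpu` kernel driver instead of …" and `initrd.enable` as "Whether to enable loading `amdgpu` kernelModule in stage 1"; phrase them as nouns, e.g. `the amdgpu kernel driver (instead of radeon) for Southern Islands (Radeon HD 7000) and Sea Islands (Radeon HD 8000) cards` and `loading the amdgpu kernel module in stage 1 (initrd)`. The OpenCL path only populates `extraPackages`, so 32-bit clients would not see the ROCm ICD even with `hardware.graphics.enable32Bit` on; if that is deliberate (ROCm may simply have no 32-bit build here — not verified), say so in a comment on the `extraPackages` line. Since the options live under `hardware.amdgpu` while the file sits in `services/hardware/`, the existing `# cfg.amdvlk option is defined in ./amdvlk.nix module` comment could also point readers at `hardware.graphics` for the plain Mesa setup.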
diff --git a/nixos/modules/services/hardware/amdvlk.nix b/nixos/modules/services/hardware/amdvlk.nix index 20879f2f21b43..32d6fb3be21dc 100644 --- a/nixos/modules/services/hardware/amdvlk.nix +++ b/nixos/modules/services/hardware/amdvlk.nix @@ -31,11 +31,9 @@ in { }; config = lib.mkIf cfg.enable { - hardware.opengl = { + hardware.graphics = { enable = true; - driSupport = true; extraPackages = [ cfg.package ]; - driSupport32Bit = cfg.support32Bit.enable; extraPackages32 = [ cfg.support32Bit.package ]; }; diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index 180c9800d7345..ab10206fea42e 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -646,7 +646,7 @@ in { }; meta = { - maintainers = with lib.maintainers; [ lheckemann qyliss ]; + maintainers = with lib.maintainers; [ qyliss ]; doc = ./mailman.md; }; diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix index bc88fb53012b7..6d2e6201d66d3 100644 --- a/nixos/modules/services/matrix/synapse.nix +++ b/nixos/modules/services/matrix/synapse.nix @@ -1121,7 +1121,7 @@ in { The client listener on matrix-synapse is configured to use UNIX domain sockets. This configuration is incompatible with the `register_new_matrix_user` script. - Disable `services.mastrix-synapse.enableRegistrationScript` to continue. + Disable `services.matrix-synapse.enableRegistrationScript` to continue. ''; } ] diff --git a/nixos/modules/services/misc/graphical-desktop.nix b/nixos/modules/services/misc/graphical-desktop.nix index a88c02e610bf4..c8fe0d921c6ad 100644 --- a/nixos/modules/services/misc/graphical-desktop.nix +++ b/nixos/modules/services/misc/graphical-desktop.nix 
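Review bot: The removed `driSupport32Bit = cfg.support32Bit.enable;` has no counterpart on the new side — `extraPackages32` is still filled from `cfg.support32Bit.package`, but nothing here sets `hardware.graphics.enable32Bit`, and the graphics module on this page removes `/run/opengl-driver-32` (`{ "r" = {}; }`) unless that flag is on, so the 32-bit AMDVLK ICD would be built into an environment that is never linked. Unless `enable32Bit` is set elsewhere in this module (the rest of the `config` block is outside the hunk), add `enable32Bit = cfg.support32Bit.enable;` next to `extraPackages32`. Guarding the package itself with `lib.optional cfg.support32Bit.enable cfg.support32Bit.package` is optional tidying, not part of the fix, since the old code did not guard it either.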
@@ -38,7 +38,7 @@ in fonts.enableDefaultPackages = lib.mkDefault true; - hardware.opengl.enable = lib.mkDefault true; + hardware.graphics.enable = lib.mkDefault true; programs.gnupg.agent.pinentryPackage = lib.mkOverride 1100 pkgs.pinentry-gnome3; diff --git a/nixos/modules/services/misc/snapper.nix b/nixos/modules/services/misc/snapper.nix index a42fca5b60289..1b16ef7958ad2 100644 --- a/nixos/modules/services/misc/snapper.nix +++ b/nixos/modules/services/misc/snapper.nix @@ -1,16 +1,32 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; let cfg = config.services.snapper; - mkValue = v: - if isList v then "\"${concatMapStringsSep " " (escape [ "\\" " " ]) v}\"" - else if v == true then "yes" - else if v == false then "no" - else if isString v then "\"${v}\"" - else builtins.toJSON v; + mkValue = + v: + if isList v then + "\"${ + concatMapStringsSep " " (escape [ + "\\" + " " + ]) v + }\"" + else if v == true then + "yes" + else if v == false then + "no" + else if isString v then + "\"${v}\"" + else + builtins.toJSON v; mkKeyValue = k: v: "${k}=${mkValue v}"; @@ -43,7 +59,7 @@ let ALLOW_GROUPS = mkOption { type = types.listOf safeStr; - default = []; + default = [ ]; description = '' List of groups allowed to operate with the config. @@ -53,7 +69,7 @@ let ALLOW_USERS = mkOption { type = types.listOf safeStr; - default = []; + default = [ ]; example = [ "alice" ]; description = '' List of users allowed to operate with the config. "root" is always 
@@ -78,6 +94,54 @@ let Defines whether hourly snapshots should be created. ''; }; + + TIMELINE_LIMIT_HOURLY = mkOption { + type = types.str; + default = "10"; + description = '' + Limits for timeline cleanup. + ''; + }; + + TIMELINE_LIMIT_DAILY = mkOption { + type = types.str; + default = "10"; + description = '' + Limits for timeline cleanup. + ''; + }; + + TIMELINE_LIMIT_WEEKLY = mkOption { + type = types.str; + default = "0"; + description = '' + Limits for timeline cleanup. + ''; + }; + + TIMELINE_LIMIT_MONTHLY = mkOption { + type = types.str; + default = "10"; + description = '' + Limits for timeline cleanup. + ''; + }; + + TIMELINE_LIMIT_QUARTERLY = mkOption { + type = types.str; + default = "0"; + description = '' + Limits for timeline cleanup. + ''; + }; + + TIMELINE_LIMIT_YEARLY = mkOption { + type = types.str; + default = "10"; + description = '' + Limits for timeline cleanup. + ''; + }; }; in 
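Review bot: The six new `TIMELINE_LIMIT_*` options share the description `Limits for timeline cleanup.`, which says nothing about what each one bounds; describe them individually, e.g. for `TIMELINE_LIMIT_HOURLY`: `Maximum number of hourly timeline snapshots to keep; older ones are removed by the timeline cleanup algorithm.`, and likewise for daily/weekly/monthly/quarterly/yearly. Because the generated file is filtered with `filterAttrs (k: v: v != defaultOf k)` further down, a value equal to the NixOS default is omitted from `/etc/snapper/configs/<name>` and snapper's own built-in default applies instead, so these defaults must mirror snapper's (`10/10/0/10/0/10` matches my recollection of `config-templates/default`, but verify) — a comment on the first option stating that invariant would prevent silent drift. They are `types.str` rather than an integer type so that `mkValue` emits them quoted (`TIMELINE_LIMIT_HOURLY="10"`); a one-line comment saying so would stop a future reader from "fixing" them to `types.int`.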
@@ -152,112 +216,129 @@ in is valid here, even if NixOS doesn't document it. ''; - type = types.attrsOf (types.submodule { - freeformType = types.attrsOf (types.oneOf [ (types.listOf safeStr) types.bool safeStr types.number ]); - - options = configOptions; - }); + type = types.attrsOf ( + types.submodule { + freeformType = types.attrsOf ( + types.oneOf [ + (types.listOf safeStr) + types.bool + safeStr + types.number + ] + ); + + options = configOptions; + } + ); }; }; - config = mkIf (cfg.configs != {}) (let - documentation = [ "man:snapper(8)" "man:snapper-configs(5)" ]; - in { - - environment = { - - systemPackages = [ pkgs.snapper ]; - - # Note: snapper/config-templates/default is only needed for create-config - # which is not the NixOS way to configure. - etc = { - - "sysconfig/snapper".text = '' - SNAPPER_CONFIGS="${lib.concatStringsSep " " (builtins.attrNames cfg.configs)}" - ''; - - } - // (mapAttrs' (name: subvolume: nameValuePair "snapper/configs/${name}" ({ - text = lib.generators.toKeyValue { inherit mkKeyValue; } (filterAttrs (k: v: v != defaultOf k) subvolume); - })) cfg.configs) - // (lib.optionalAttrs (cfg.filters != null) { - "snapper/filters/default.txt".text = cfg.filters; - }); - - }; + config = mkIf (cfg.configs != { }) ( + let + documentation = [ + "man:snapper(8)" + "man:snapper-configs(5)" + ]; + in + { + environment = { + + systemPackages = [ pkgs.snapper ]; + + # Note: snapper/config-templates/default is only needed for create-config + # which is not the NixOS way to configure. 
+ etc = + { + + "sysconfig/snapper".text = '' + SNAPPER_CONFIGS="${lib.concatStringsSep " " (builtins.attrNames cfg.configs)}" + ''; + } + // (mapAttrs' ( + name: subvolume: + nameValuePair "snapper/configs/${name}" ({ + text = lib.generators.toKeyValue { inherit mkKeyValue; } ( + filterAttrs (k: v: v != defaultOf k) subvolume + ); + }) + ) cfg.configs) + // (lib.optionalAttrs (cfg.filters != null) { "snapper/filters/default.txt".text = cfg.filters; }); + }; - services.dbus.packages = [ pkgs.snapper ]; - - systemd.services.snapperd = { - description = "DBus interface for snapper"; - inherit documentation; - serviceConfig = { - Type = "dbus"; - BusName = "org.opensuse.Snapper"; - ExecStart = "${pkgs.snapper}/bin/snapperd"; - CapabilityBoundingSet = "CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE"; - LockPersonality = true; - NoNewPrivileges = false; - PrivateNetwork = true; - ProtectHostname = true; - RestrictAddressFamilies = "AF_UNIX"; - RestrictRealtime = true; + services.dbus.packages = [ pkgs.snapper ]; + + systemd.services.snapperd = { + description = "DBus interface for snapper"; + inherit documentation; + serviceConfig = { + Type = "dbus"; + BusName = "org.opensuse.Snapper"; + ExecStart = "${pkgs.snapper}/bin/snapperd"; + CapabilityBoundingSet = "CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE"; + LockPersonality = true; + NoNewPrivileges = false; + PrivateNetwork = true; + ProtectHostname = true; + RestrictAddressFamilies = "AF_UNIX"; + RestrictRealtime = true; + }; }; - }; - systemd.services.snapper-timeline = { - description = "Timeline of Snapper Snapshots"; - inherit documentation; - requires = [ "local-fs.target" ]; - serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --timeline"; - }; + systemd.services.snapper-timeline = { + description = "Timeline of Snapper Snapshots"; + inherit documentation; + 
requires = [ "local-fs.target" ]; + serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --timeline"; + }; - systemd.timers.snapper-timeline = { - wantedBy = [ "timers.target" ]; - timerConfig = { - Persistent = cfg.persistentTimer; - OnCalendar = cfg.snapshotInterval; + systemd.timers.snapper-timeline = { + wantedBy = [ "timers.target" ]; + timerConfig = { + Persistent = cfg.persistentTimer; + OnCalendar = cfg.snapshotInterval; + }; }; - }; - systemd.services.snapper-cleanup = { - description = "Cleanup of Snapper Snapshots"; - inherit documentation; - serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --cleanup"; - }; + systemd.services.snapper-cleanup = { + description = "Cleanup of Snapper Snapshots"; + inherit documentation; + serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --cleanup"; + }; - systemd.timers.snapper-cleanup = { - description = "Cleanup of Snapper Snapshots"; - inherit documentation; - wantedBy = [ "timers.target" ]; - requires = [ "local-fs.target" ]; - timerConfig.OnBootSec = "10m"; - timerConfig.OnUnitActiveSec = cfg.cleanupInterval; - }; + systemd.timers.snapper-cleanup = { + description = "Cleanup of Snapper Snapshots"; + inherit documentation; + wantedBy = [ "timers.target" ]; + requires = [ "local-fs.target" ]; + timerConfig.OnBootSec = "10m"; + timerConfig.OnUnitActiveSec = cfg.cleanupInterval; + }; - systemd.services.snapper-boot = lib.optionalAttrs cfg.snapshotRootOnBoot { - description = "Take snapper snapshot of root on boot"; - inherit documentation; - serviceConfig.ExecStart = "${pkgs.snapper}/bin/snapper --config root create --cleanup-algorithm number --description boot"; - serviceConfig.Type = "oneshot"; - requires = [ "local-fs.target" ]; - wantedBy = [ "multi-user.target" ]; - unitConfig.ConditionPathExists = "/etc/snapper/configs/root"; - }; + systemd.services.snapper-boot = lib.mkIf cfg.snapshotRootOnBoot { + description = "Take snapper snapshot of root on boot"; + 
inherit documentation; + serviceConfig.ExecStart = "${pkgs.snapper}/bin/snapper --config root create --cleanup-algorithm number --description boot"; + serviceConfig.Type = "oneshot"; + requires = [ "local-fs.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig.ConditionPathExists = "/etc/snapper/configs/root"; + }; - assertions = - concatMap - (name: - let - sub = cfg.configs.${name}; - in - [ { assertion = !(sub ? extraConfig); - message = '' - The option definition `services.snapper.configs.${name}.extraConfig' no longer has any effect; please remove it. - The contents of this option should be migrated to attributes on `services.snapper.configs.${name}'. - ''; - } - ] ++ + assertions = concatMap ( + name: + let + sub = cfg.configs.${name}; + in + [ + { + assertion = !(sub ? extraConfig); + message = '' + The option definition `services.snapper.configs.${name}.extraConfig' no longer has any effect; please remove it. + The contents of this option should be migrated to attributes on `services.snapper.configs.${name}'. + ''; + } + ] + ++ map (attr: { assertion = !(hasAttr attr sub); @@ -265,8 +346,11 @@ in The option definition `services.snapper.configs.${name}.${attr}' has been renamed to `services.snapper.configs.${name}.${toUpper attr}'. ''; }) - [ "fstype" "subvolume" ] - ) - (attrNames cfg.configs); - }); + [ + "fstype" + "subvolume" + ] + ) (attrNames cfg.configs); + } + ); } diff --git a/nixos/modules/services/monitoring/grafana-reporter.nix b/nixos/modules/services/monitoring/grafana-reporter.nix index 340ab7abd19b7..528041cab37af 100644 --- a/nixos/modules/services/monitoring/grafana-reporter.nix +++ b/nixos/modules/services/monitoring/grafana-reporter.nix @@ -60,7 +60,7 @@ in { "-templates ${cfg.templateDir}" ]; in { - ExecStart = "${pkgs.grafana_reporter}/bin/grafana-reporter ${args}"; + ExecStart = "${pkgs.grafana-reporter}/bin/grafana-reporter ${args}"; }; }; }; 
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 90e00e91deed2..8f89408bdea59 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -13,6 +13,9 @@ let ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin ln -s /run/wrappers/bin/systemd-journal.plugin $out/libexec/netdata/plugins.d/systemd-journal.plugin + ln -s /run/wrappers/bin/logs-management.plugin $out/libexec/netdata/plugins.d/logs-management.plugin + ln -s /run/wrappers/bin/network-viewer.plugin $out/libexec/netdata/plugins.d/network-viewer.plugin + ln -s /run/wrappers/bin/debugfs.plugin $out/libexec/netdata/plugins.d/debugfs.plugin ''; plugins = [ @@ -47,6 +50,7 @@ let defaultUser = "netdata"; + isThereAnyWireGuardTunnels = config.networking.wireguard.enable || lib.any (c: lib.hasAttrByPath [ "netdevConfig" "Kind" ] c && c.netdevConfig.Kind == "wireguard") (builtins.attrValues config.systemd.network.netdevs); in { options = { services.netdata = { @@ -86,6 +90,14 @@ in { Whether to enable python-based plugins ''; }; + recommendedPythonPackages = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable a set of recommended Python plugins + by installing extra Python packages. + ''; + }; extraPackages = mkOption { type = types.functionTo (types.listOf types.package); default = ps: []; 
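Review bot: The `network-viewer.plugin` symlink added here is unconditional, but the wrapper it points at is only created under `optionalAttrs (cfg.package.withNetworkViewer)` in the `@@ -348,6 +397,14 @@` hunk, so for a package built without the network viewer the plugins.d entry is a dangling link that netdata will presumably try to execute and then log errors for. Guard it the same way the wrapper is guarded, e.g. `${lib.optionalString cfg.package.withNetworkViewer "ln -s /run/wrappers/bin/network-viewer.plugin $out/libexec/netdata/plugins.d/network-viewer.plugin"}`. The derivation builder this sits in starts outside the hunk.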
@@ -198,13 +210,26 @@ in { } ]; + # Includes a set of recommended Python plugins in exchange of imperfect disk consumption. + services.netdata.python.extraPackages = lib.mkIf cfg.python.recommendedPythonPackages (ps: [ + ps.requests + ps.pandas + ps.numpy + ps.psycopg2 + ps.python-ldap + ps.netdata-pandas + ps.changefinder + ]); + services.netdata.configDir.".opt-out-from-anonymous-statistics" = mkIf (!cfg.enableAnalyticsReporting) (pkgs.writeText ".opt-out-from-anonymous-statistics" ""); environment.etc."netdata/netdata.conf".source = configFile; environment.etc."netdata/conf.d".source = configDirectory; systemd.services.netdata = { description = "Real time performance monitoring"; - after = [ "network.target" ]; + after = [ "network.target" "suid-sgid-wrappers.service" ]; + # No wrapper means no "useful" netdata. + requires = [ "suid-sgid-wrappers.service" ]; wantedBy = [ "multi-user.target" ]; path = (with pkgs; [ curl @@ -213,10 +238,16 @@ in { which procps bash + nvme-cli # for go.d + iw # for charts.d + apcupsd # for charts.d + # TODO: firehol # for FireQoS -- this requires more NixOS module support. util-linux # provides logger command; required for syslog health alarms ]) ++ lib.optional cfg.python.enable (pkgs.python3.withPackages cfg.python.extraPackages) - ++ lib.optional config.virtualisation.libvirtd.enable (config.virtualisation.libvirtd.package); + ++ lib.optional config.virtualisation.libvirtd.enable config.virtualisation.libvirtd.package + ++ lib.optional config.virtualisation.docker.enable config.virtualisation.docker.package + ++ lib.optionals config.virtualisation.podman.enable [ pkgs.jq config.virtualisation.podman.package ]; environment = { PYTHONPATH = "${cfg.package}/libexec/netdata/python.d/python_modules"; NETDATA_PIPENAME = "/run/netdata/ipc"; 
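Review bot: The comment `# Includes a set of recommended Python plugins in exchange of imperfect disk consumption.` is hard to parse and does not say that the list is opt-in or what it costs. Suggest `# Opt-in via python.recommendedPythonPackages: libraries used by common python.d collectors, at the cost of a larger closure.` The new hard dependency `requires = [ "suid-sgid-wrappers.service" ]` would also benefit from stating the actual reason next to it — the plugins.d entries are symlinks into /run/wrappers/bin and cannot work before that unit has created the wrappers — since `# No wrapper means no "useful" netdata.` only hints at it. The `systemd.services.netdata` block continues past the end of this hunk.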
@@ -256,6 +287,8 @@ in { # Configuration directory and mode ConfigurationDirectory = "netdata"; ConfigurationDirectoryMode = "0755"; + # AmbientCapabilities + AmbientCapabilities = lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN"; # Capabilities CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins @@ -269,7 +302,7 @@ in { "CAP_SYS_CHROOT" # is required for cgroups plugin "CAP_SETUID" # is required for cgroups and cgroups-network plugins "CAP_SYSLOG" # is required for systemd-journal plugin - ]; + ] ++ lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN"; # Sandboxing ProtectSystem = "full"; ProtectHome = "read-only"; @@ -308,6 +341,14 @@ in { permissions = "u+rx,g+x,o-rwx"; }; + "debugfs.plugin" = { + source = "${cfg.package}/libexec/netdata/plugins.d/debugfs.plugin.org"; + capabilities = "cap_dac_read_search+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+x,o-rwx"; + }; + "cgroup-network" = { source = "${cfg.package}/libexec/netdata/plugins.d/cgroup-network.org"; capabilities = "cap_setuid+ep"; @@ -332,6 +373,14 @@ in { permissions = "u+rx,g+x,o-rwx"; }; + "logs-management.plugin" = { + source = "${cfg.package}/libexec/netdata/plugins.d/logs-management.plugin.org"; + capabilities = "cap_dac_read_search,cap_syslog+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+x,o-rwx"; + }; + "slabinfo.plugin" = { source = "${cfg.package}/libexec/netdata/plugins.d/slabinfo.plugin.org"; capabilities = "cap_dac_override+ep"; @@ -348,6 +397,14 @@ in { group = cfg.group; permissions = "u+rx,g+x,o-rwx"; }; + } // optionalAttrs (cfg.package.withNetworkViewer) { + "network-viewer.plugin" = { + source = "${cfg.package}/libexec/netdata/plugins.d/network-viewer.plugin.org"; + capabilities = "cap_sys_admin,cap_dac_read_search,cap_sys_ptrace+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+x,o-rwx"; + }; }; security.pam.loginLimits = [ 
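Review bot: The new comment `# AmbientCapabilities` above `AmbientCapabilities = lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN";` merely repeats the key, whereas the neighbouring CapabilityBoundingSet entries each say why a capability is granted. Replace it with the reason, e.g. `# CAP_NET_ADMIN: presumably needed by the wireguard collector to query interface/peer state over netlink — confirm against the collector's requirements`, and the same applies to the `++ lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN"` appended in the `@@ -269,7 +302,7 @@` hunk. It is worth spelling out that an ambient capability is inherited by the main netdata process and by every plugin it spawns, not just the wireguard collector, so the reader sees the scope of the grant.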
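Review bot: The new wrappers `debugfs.plugin` (here), `logs-management.plugin` (`@@ -332,6 +373,14 @@`) and `network-viewer.plugin` (`@@ -348,6 +397,14 @@`) attach file capabilities — up to `cap_sys_admin,cap_dac_read_search,cap_sys_ptrace+ep` for the network viewer — without a word on why each one is needed, unlike the `# is required for ...` comments kept in CapabilityBoundingSet. File capabilities are masked by the service's bounding set at exec time, so unless CAP_DAC_READ_SEARCH, CAP_SYS_ADMIN and CAP_SYS_PTRACE also appear in `CapabilityBoundingSet` (only part of that list is visible in this diff) the wrappers will run without them and fail quietly; please confirm and keep the two lists in step with one comment per capability. A binary carrying CAP_SYS_ADMIN and CAP_SYS_PTRACE that the netdata user may execute is effectively root-equivalent for that account, which deserves a one-line comment at the `network-viewer.plugin` wrapper so the trade-off is visible.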
@@ -359,6 +416,8 @@ in { ${defaultUser} = { group = defaultUser; isSystemUser = true; + extraGroups = lib.optional config.virtualisation.docker.enable "docker" + ++ lib.optional config.virtualisation.podman.enable "podman"; }; }; diff --git a/nixos/modules/services/network-filesystems/davfs2.nix b/nixos/modules/services/network-filesystems/davfs2.nix index 9a7d0daa6421f..49a363476c975 100644 --- a/nixos/modules/services/network-filesystems/davfs2.nix +++ b/nixos/modules/services/network-filesystems/davfs2.nix @@ -4,7 +4,7 @@ let inherit (lib.attrsets) optionalAttrs; inherit (lib.generators) toINIWithGlobalSection; inherit (lib.lists) optional; - inherit (lib.modules) mkIf; + inherit (lib.modules) mkIf mkRemovedOptionModule; inherit (lib.options) literalExpression mkEnableOption mkOption; inherit (lib.strings) escape; inherit (lib.types) attrsOf bool int lines oneOf str submodule; @@ -27,6 +27,13 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "davfs2" "extraConfig" ] '' + The option extraConfig got removed, please migrate to + services.davfs2.settings instead. + '') + ]; + options.services.davfs2 = { enable = mkEnableOption "davfs2"; diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 66ef3f14ed700..c70d0cf7beac3 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -201,14 +201,10 @@ in message = "If samba.nsswins is enabled, then samba.enableWinbindd must also be enabled"; } ]; - # Always provide a smb.conf to shut up programs like smbclient and smbspool. - environment.etc."samba/smb.conf".source = mkOptionDefault ( - if cfg.enable then configFile - else pkgs.writeText "smb-dummy.conf" "# Samba is disabled." - ); } (mkIf cfg.enable { + environment.etc."samba/smb.conf".source = configFile; system.nssModules = optional cfg.nsswins samba; system.nssDatabases.hosts = optional cfg.nsswins "wins"; 
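Review bot: Adding the netdata user to `docker` whenever `virtualisation.docker.enable` is set hands a network-facing monitoring daemon access to the Docker socket, which is equivalent to root on the host, and the `podman` group is comparable wherever a podman socket is exposed. This happens implicitly with no way to opt out, so at minimum document it in place, e.g. `# Group membership lets the container collectors talk to the runtime; note that docker-socket access is root-equivalent`, and consider gating it behind an explicit opt-in option rather than on the mere presence of the runtime. The `users.users` block this sits in starts outside the hunk.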
diff --git a/nixos/modules/services/networking/netbird.nix b/nixos/modules/services/networking/netbird.nix index 7add377896cab..e68c39946fe3b 100644 --- a/nixos/modules/services/networking/netbird.nix +++ b/nixos/modules/services/networking/netbird.nix @@ -37,7 +37,6 @@ in { meta.maintainers = with maintainers; [ misuzu - thubrecht ]; meta.doc = ./netbird.md; diff --git a/nixos/modules/services/networking/netbird/server.nix b/nixos/modules/services/networking/netbird/server.nix index 2b6ad696646e9..e3de286a04fa4 100644 --- a/nixos/modules/services/networking/netbird/server.nix +++ b/nixos/modules/services/networking/netbird/server.nix @@ -16,7 +16,7 @@ in { meta = { - maintainers = with lib.maintainers; [thubrecht patrickdag]; + maintainers = with lib.maintainers; [patrickdag]; doc = ./server.md; }; diff --git a/nixos/modules/services/networking/wstunnel.nix b/nixos/modules/services/networking/wstunnel.nix index 1b169567624c0..bd7536351955a 100644 --- a/nixos/modules/services/networking/wstunnel.nix +++ b/nixos/modules/services/networking/wstunnel.nix 
@@ -1,83 +1,94 @@ -{ config, lib, options, pkgs, utils, ... }: -with lib; +{ config +, lib +, pkgs +, ... +}: + let cfg = config.services.wstunnel; - attrsToArgs = attrs: utils.escapeSystemdExecArgs ( - mapAttrsToList - (name: value: if value == true then "--${name}" else "--${name}=${value}") - attrs - ); - hostPortToString = { host, port }: "${host}:${builtins.toString port}"; + hostPortToString = { host, port }: "${host}:${toString port}"; hostPortSubmodule = { options = { - host = mkOption { + host = lib.mkOption { description = "The hostname."; - type = types.str; + type = lib.types.str; }; - port = mkOption { + port = lib.mkOption { description = "The port."; - type = types.port; + type = lib.types.port; }; }; }; commonOptions = { - enable = mkOption { - description = "Whether to enable this `wstunnel` instance."; - type = types.bool; + enable = lib.mkEnableOption "this `wstunnel` instance." // { default = true; }; - package = mkPackageOption pkgs "wstunnel" {}; + package = lib.mkPackageOption pkgs "wstunnel" { }; - autoStart = mkOption { - description = "Whether this tunnel server should be started automatically."; - type = types.bool; - default = true; - }; + autoStart = + lib.mkEnableOption "starting this wstunnel instance automatically." // { + default = true; + }; - extraArgs = mkOption { - description = "Extra command line arguments to pass to `wstunnel`. Attributes of the form `argName = true;` will be translated to `--argName`, and `argName = \"value\"` to `--argName=value`."; - type = with types; attrsOf (either str bool); - default = {}; + extraArgs = lib.mkOption { + description = '' + Extra command line arguments to pass to `wstunnel`. + Attributes of the form `argName = true;` will be translated to `--argName`, + and `argName = \"value\"` to `--argName value`. 
+ ''; + type = with lib.types; attrsOf (either str bool); + default = { }; example = { "someNewOption" = true; "someNewOptionWithValue" = "someValue"; }; }; - loggingLevel = mkOption { + loggingLevel = lib.mkOption { description = '' Passed to --log-lvl Control the log verbosity. i.e: TRACE, DEBUG, INFO, WARN, ERROR, OFF For more details, checkout [EnvFilter](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#example-syntax) ''; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; example = "INFO"; default = null; }; - environmentFile = mkOption { - description = "Environment file to be passed to the systemd service. Useful for passing secrets to the service to prevent them from being world-readable in the Nix store. Note however that the secrets are passed to `wstunnel` through the command line, which makes them locally readable for all users of the system at runtime."; - type = types.nullOr types.path; + environmentFile = lib.mkOption { + description = '' + Environment file to be passed to the systemd service. + Useful for passing secrets to the service to prevent them from being + world-readable in the Nix store. + Note however that the secrets are passed to `wstunnel` through + the command line, which makes them locally readable for all users of + the system at runtime. + ''; + type = lib.types.nullOr lib.types.path; default = null; example = "/var/lib/secrets/wstunnelSecrets"; }; }; - serverSubmodule = { config, ...}: { + serverSubmodule = { config, ... }: { options = commonOptions // { - listen = mkOption { - description = "Address and port to listen on. Setting the port to a value below 1024 will also give the process the required `CAP_NET_BIND_SERVICE` capability."; - type = types.submodule hostPortSubmodule; + listen = lib.mkOption { + description = '' + Address and port to listen on. 
+ Setting the port to a value below 1024 will also give the process + the required `CAP_NET_BIND_SERVICE` capability. + ''; + type = lib.types.submodule hostPortSubmodule; default = { host = "0.0.0.0"; port = if config.enableHTTPS then 443 else 80; }; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' { host = "0.0.0.0"; port = if enableHTTPS then 443 else 80; 
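Review bot: Moving the `extraArgs` description into an indented `''` string turns `\"value\"` into literal backslashes — Nix indented strings do not process `\` escapes — so the rendered documentation now reads `argName = \"value\"`; write `and `argName = "value"` to `--argName value`.` instead. The two `lib.mkEnableOption` calls for `enable` and `autoStart` pass text ending in a period, and mkEnableOption appends its own, so both rendered descriptions end in `..`; drop the trailing period from `"this `wstunnel` instance."` and `"starting this wstunnel instance automatically."`.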
@@ -85,39 +96,50 @@ let ''; }; - restrictTo = mkOption { - description = "Accepted traffic will be forwarded only to this service. Set to `null` to allow forwarding to arbitrary addresses."; - type = types.listOf (types.submodule hostPortSubmodule); - default = []; + restrictTo = lib.mkOption { + description = '' + Accepted traffic will be forwarded only to this service. + ''; + type = lib.types.listOf (lib.types.submodule hostPortSubmodule); + default = [ ]; example = [{ host = "127.0.0.1"; port = 51820; }]; }; - enableHTTPS = mkOption { + enableHTTPS = lib.mkOption { description = "Use HTTPS for the tunnel server."; - type = types.bool; + type = lib.types.bool; default = true; }; - tlsCertificate = mkOption { - description = "TLS certificate to use instead of the hardcoded one in case of HTTPS connections. Use together with `tlsKey`."; - type = types.nullOr types.path; + tlsCertificate = lib.mkOption { + description = '' + TLS certificate to use instead of the hardcoded one in case of HTTPS connections. + Use together with `tlsKey`. + ''; + type = lib.types.nullOr lib.types.path; default = null; example = "/var/lib/secrets/cert.pem"; }; - tlsKey = mkOption { - description = "TLS key to use instead of the hardcoded on in case of HTTPS connections. Use together with `tlsCertificate`."; - type = types.nullOr types.path; + tlsKey = lib.mkOption { + description = '' + TLS key to use instead of the hardcoded on in case of HTTPS connections. + Use together with `tlsCertificate`. + ''; + type = lib.types.nullOr lib.types.path; default = null; example = "/var/lib/secrets/key.pem"; }; - useACMEHost = mkOption { - description = "Use a certificate generated by the NixOS ACME module for the given host. Note that this will not generate a new certificate - you will need to do so with `security.acme.certs`."; - type = types.nullOr types.str; + useACMEHost = lib.mkOption { + description = '' + Use a certificate generated by the NixOS ACME module for the given host. 
+ Note that this will not generate a new certificate - you will need to do so with `security.acme.certs`. + ''; + type = lib.types.nullOr lib.types.str; default = null; example = "example.com"; }; 
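Review bot: The shortened `restrictTo` description drops the sentence about what happens when nothing is listed, and with `default = [ ]` a reader can no longer tell that the server forwards to arbitrary destinations until this list is populated (which, as far as I know, is wstunnel's behaviour without any `--restrict-to`). Since an unrestricted server is an open relay for anyone who can reach the websocket endpoint, say so explicitly, e.g. `Accepted traffic will be forwarded only to these services. An empty list (the default) does not restrict the destinations at all.`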
@@ -126,95 +148,113 @@ let clientSubmodule = { config, ... }: { options = commonOptions // { - connectTo = mkOption { + connectTo = lib.mkOption { description = "Server address and port to connect to."; - type = types.str; + type = lib.types.str; example = "https://wstunnel.server.com:8443"; }; - localToRemote = mkOption { + localToRemote = lib.mkOption { description = ''Listen on local and forwards traffic from remote.''; - type = types.listOf (types.str); - default = []; + type = lib.types.listOf (lib.types.str); + default = [ ]; example = [ "tcp://1212:google.com:443" "unix:///tmp/wstunnel.sock:g.com:443" ]; }; - remoteToLocal = mkOption { + remoteToLocal = lib.mkOption { description = "Listen on remote and forwards traffic from local. Only tcp is supported"; - type = types.listOf (types.str); - default = []; + type = lib.types.listOf lib.types.str; + default = [ ]; example = [ "tcp://1212:google.com:443" "unix://wstunnel.sock:g.com:443" ]; }; - addNetBind = mkEnableOption "Whether add CAP_NET_BIND_SERVICE to the tunnel service, this should be enabled if you want to bind port < 1024"; + addNetBind = lib.mkEnableOption "Whether add CAP_NET_BIND_SERVICE to the tunnel service, this should be enabled if you want to bind port < 1024"; - httpProxy = mkOption { + httpProxy = lib.mkOption { description = '' Proxy to use to connect to the wstunnel server (`USER:PASS@HOST:PORT`). ::: {.warning} - Passwords specified here will be world-readable in the Nix store! To pass a password to the service, point the `environmentFile` option to a file containing `PROXY_PASSWORD=<your-password-here>` and set this option to `<user>:$PROXY_PASSWORD@<host>:<port>`. Note however that this will also locally leak the passwords at runtime via e.g. /proc/<pid>/cmdline. - + Passwords specified here will be world-readable in the Nix store! 
+ To pass a password to the service, point the `environmentFile` option + to a file containing `PROXY_PASSWORD=<your-password-here>` and set + this option to `<user>:$PROXY_PASSWORD@<host>:<port>`. + Note however that this will also locally leak the passwords at + runtime via e.g. /proc/<pid>/cmdline. ::: ''; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; default = null; }; - soMark = mkOption { - description = "Mark network packets with the SO_MARK sockoption with the specified value. Setting this option will also enable the required `CAP_NET_ADMIN` capability for the systemd service."; - type = types.nullOr types.int; + soMark = lib.mkOption { + description = '' + Mark network packets with the SO_MARK sockoption with the specified value. + Setting this option will also enable the required `CAP_NET_ADMIN` capability + for the systemd service. + ''; + type = lib.types.nullOr lib.types.ints.unsigned; default = null; }; - upgradePathPrefix = mkOption { - description = "Use a specific HTTP path prefix that will show up in the upgrade request to the `wstunnel` server. Useful when running `wstunnel` behind a reverse proxy."; - type = types.nullOr types.str; + upgradePathPrefix = lib.mkOption { + description = '' + Use a specific HTTP path prefix that will show up in the upgrade + request to the `wstunnel` server. + Useful when running `wstunnel` behind a reverse proxy. + ''; + type = lib.types.nullOr lib.types.str; default = null; example = "wstunnel"; }; - tlsSNI = mkOption { + tlsSNI = lib.mkOption { description = "Use this as the SNI while connecting via TLS. Useful for circumventing hostname-based firewalls."; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; default = null; }; - tlsVerifyCertificate = mkOption { + tlsVerifyCertificate = lib.mkOption { description = "Whether to verify the TLS certificate of the server. 
It might be useful to set this to `false` when working with the `tlsSNI` option."; - type = types.bool; + type = lib.types.bool; default = true; }; # The original argument name `websocketPingFrequency` is a misnomer, as the frequency is the inverse of the interval. - websocketPingInterval = mkOption { + websocketPingInterval = lib.mkOption { description = "Frequency at which the client will send websocket ping to the server."; - type = types.nullOr types.ints.unsigned; + type = lib.types.nullOr lib.types.ints.unsigned; default = null; }; - upgradeCredentials = mkOption { + upgradeCredentials = lib.mkOption { description = '' - Use these credentials to authenticate during the HTTP upgrade request (Basic authorization type, `USER:[PASS]`). + Use these credentials to authenticate during the HTTP upgrade request + (Basic authorization type, `USER:[PASS]`). ::: {.warning} - Passwords specified here will be world-readable in the Nix store! To pass a password to the service, point the `environmentFile` option to a file containing `HTTP_PASSWORD=<your-password-here>` and set this option to `<user>:$HTTP_PASSWORD`. Note however that this will also locally leak the passwords at runtime via e.g. /proc/<pid>/cmdline. + Passwords specified here will be world-readable in the Nix store! + To pass a password to the service, point the `environmentFile` option + to a file containing `HTTP_PASSWORD=<your-password-here>` and set this + option to `<user>:$HTTP_PASSWORD`. + Note however that this will also locally leak the passwords at runtime + via e.g. /proc/<pid>/cmdline. ::: ''; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; default = null; }; - customHeaders = mkOption { + customHeaders = lib.mkOption { description = "Custom HTTP headers to send during the upgrade request."; - type = types.attrsOf types.str; - default = {}; + type = lib.types.attrsOf lib.types.str; + default = { }; example = { "X-Some-Header" = "some-value"; }; 
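Review bot: `addNetBind = lib.mkEnableOption "Whether add CAP_NET_BIND_SERVICE to the tunnel service, ..."` renders as `Whether to enable Whether add CAP_NET_BIND_SERVICE ...`, because mkEnableOption prepends `Whether to enable` itself; pass only the noun phrase, e.g. `lib.mkEnableOption "adding CAP_NET_BIND_SERVICE to the tunnel service, needed to bind ports below 1024"`. Separately, the client script in a later hunk now emits custom headers as `NAME:VALUE` (the old ExecStart used `NAME: VALUE`); if wstunnel is not known to accept both spellings, the `customHeaders` description here should state the exact format users can expect on the wire.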
@@ -224,49 +264,63 @@ let generateServerUnit = name: serverCfg: { name = "wstunnel-server-${name}"; - value = { - description = "wstunnel server - ${name}"; - requires = [ "network.target" "network-online.target" ]; - after = [ "network.target" "network-online.target" ]; - wantedBy = optional serverCfg.autoStart "multi-user.target"; - - serviceConfig = let - certConfig = config.security.acme.certs."${serverCfg.useACMEHost}"; - in { - Type = "simple"; - ExecStart = with serverCfg; let - resolvedTlsCertificate = if useACMEHost != null - then "${certConfig.directory}/fullchain.pem" - else tlsCertificate; - resolvedTlsKey = if useACMEHost != null - then "${certConfig.directory}/key.pem" - else tlsKey; - in '' - ${package}/bin/wstunnel \ + value = + let + certConfig = config.security.acme.certs.${serverCfg.useACMEHost}; + in + { + description = "wstunnel server - ${name}"; + requires = [ "network.target" "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + wantedBy = lib.optional serverCfg.autoStart "multi-user.target"; + + environment.RUST_LOG = serverCfg.loggingLevel; + + serviceConfig = { + Type = "exec"; + EnvironmentFile = + lib.optional (serverCfg.environmentFile != null) serverCfg.environmentFile; + DynamicUser = true; + SupplementaryGroups = + lib.optional (serverCfg.useACMEHost != null) certConfig.group; + PrivateTmp = true; + AmbientCapabilities = + lib.optionals (serverCfg.listen.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; + NoNewPrivileges = true; + RestrictNamespaces = "uts ipc pid user cgroup"; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + PrivateDevices = true; + RestrictSUIDSGID = true; + + Restart = "on-failure"; + RestartSec = 2; + RestartSteps = 20; + RestartMaxDelaySec = "5min"; + }; + + script = with serverCfg; '' + ${lib.getExe package} \ server \ - ${concatStringsSep " " (builtins.map (hostPair: "--restrict-to 
${utils.escapeSystemdExecArg (hostPortToString hostPair)}") restrictTo)} \ - ${optionalString (resolvedTlsCertificate != null) "--tls-certificate ${utils.escapeSystemdExecArg resolvedTlsCertificate}"} \ - ${optionalString (resolvedTlsKey != null) "--tls-private-key ${utils.escapeSystemdExecArg resolvedTlsKey}"} \ - ${optionalString (loggingLevel != null) "--log-lvl ${loggingLevel}"} \ - ${attrsToArgs extraArgs} \ - ${utils.escapeSystemdExecArg "${if enableHTTPS then "wss" else "ws"}://${hostPortToString listen}"} + ${lib.cli.toGNUCommandLineShell { } ( + lib.recursiveUpdate + { + restrict-to = map hostPortToString restrictTo; + tls-certificate = if useACMEHost != null + then "${certConfig.directory}/fullchain.pem" + else "${tlsCertificate}"; + tls-private-key = if useACMEHost != null + then "${certConfig.directory}/key.pem" + else "${tlsKey}"; + } + extraArgs + )} \ + ${lib.escapeShellArg "${if enableHTTPS then "wss" else "ws"}://${hostPortToString listen}"} ''; - EnvironmentFile = optional (serverCfg.environmentFile != null) serverCfg.environmentFile; - DynamicUser = true; - SupplementaryGroups = optional (serverCfg.useACMEHost != null) certConfig.group; - PrivateTmp = true; - AmbientCapabilities = optionals (serverCfg.listen.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; - NoNewPrivileges = true; - RestrictNamespaces = "uts ipc pid user cgroup"; - ProtectSystem = "strict"; - ProtectHome = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectControlGroups = true; - PrivateDevices = true; - RestrictSUIDSGID = true; }; - }; }; generateClientUnit = name: clientCfg: { 
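Review bot: In the new `script`, `else "${tlsCertificate}"` and `else "${tlsKey}"` interpolate option values that default to `null`, so a server with `useACMEHost = null` and no custom certificate — the default configuration — fails at evaluation with a null-to-string coercion error; the old `optionalString (... != null)` guards that handled this are gone. Interpolating a `types.path` value that the user supplied as a Nix path literal also copies the file into the world-readable Nix store, which for `tlsKey` would expose the private key. Pass the values through unwrapped, `else tlsCertificate;` and `else tlsKey;`, since `lib.cli.toGNUCommandLineShell` omits null attributes and, as far as I can tell, stringifies paths without copying them.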
@@ -275,30 +329,19 @@ let
 description = "wstunnel client - ${name}";
 requires = [ "network.target" "network-online.target" ];
 after = [ "network.target" "network-online.target" ];
- wantedBy = optional clientCfg.autoStart "multi-user.target";
+ wantedBy = lib.optional clientCfg.autoStart "multi-user.target";
+
+ environment.RUST_LOG = clientCfg.loggingLevel;
 serviceConfig = {
- Type = "simple";
- ExecStart = with clientCfg; ''
- ${package}/bin/wstunnel client \
- ${concatStringsSep " " (builtins.map (x: "--local-to-remote ${x}") localToRemote)} \
- ${concatStringsSep " " (builtins.map (x: "--remote-to-local ${x}") remoteToLocal)} \
- ${concatStringsSep " " (mapAttrsToList (n: v: "--http-headers \"${n}: ${v}\"") customHeaders)} \
- ${optionalString (httpProxy != null) "--http-proxy ${httpProxy}"} \
- ${optionalString (soMark != null) "--socket-so-mark=${toString soMark}"} \
- ${optionalString (upgradePathPrefix != null) "--http-upgrade-path-prefix ${upgradePathPrefix}"} \
- ${optionalString (tlsSNI != null) "--tls-sni-override ${tlsSNI}"} \
- ${optionalString tlsVerifyCertificate "--tls-verify-certificate"} \
- ${optionalString (websocketPingInterval != null) "--websocket-ping-frequency-sec ${toString websocketPingInterval}"} \
- ${optionalString (upgradeCredentials != null) "--http-upgrade-credentials ${upgradeCredentials}"} \
- ${optionalString (loggingLevel != null) "--log-lvl ${loggingLevel}"} \
- ${attrsToArgs extraArgs} \
- ${utils.escapeSystemdExecArg connectTo}
- '';
- EnvironmentFile = optional (clientCfg.environmentFile != null) clientCfg.environmentFile;
+ Type = "exec";
+ EnvironmentFile =
+ lib.optional (clientCfg.environmentFile != null) clientCfg.environmentFile;
 DynamicUser = true;
 PrivateTmp = true;
- AmbientCapabilities = (optionals (clientCfg.soMark != null) [ "CAP_NET_ADMIN" ]) ++ (optionals (clientCfg.addNetBind) [ "CAP_NET_BIND_SERVICE" ]);
+ AmbientCapabilities =
+ (lib.optionals clientCfg.addNetBind [ "CAP_NET_BIND_SERVICE" ]) ++ 
(lib.optionals (clientCfg.soMark != null) [ "CAP_NET_ADMIN" ]);
 NoNewPrivileges = true;
 RestrictNamespaces = "uts ipc pid user cgroup";
 ProtectSystem = "strict";
@@ -308,17 +351,45 @@ let
 ProtectControlGroups = true;
 PrivateDevices = true;
 RestrictSUIDSGID = true;
+
+ Restart = "on-failure";
+ RestartSec = 2;
+ RestartSteps = 20;
+ RestartMaxDelaySec = "5min";
 };
+
+ script = with clientCfg; ''
+ ${lib.getExe package} \
+ client \
+ ${lib.cli.toGNUCommandLineShell { } (
+ lib.recursiveUpdate
+ {
+ local-to-remote = localToRemote;
+ remote-to-local = remoteToLocal;
+ http-headers = lib.mapAttrsToList (n: v: "${n}:${v}") customHeaders;
+ http-proxy = httpProxy;
+ socket-so-mark = soMark;
+ http-upgrade-path-prefix = upgradePathPrefix;
+ tls-sni-override = tlsSNI;
+ tls-verify-certificate = tlsVerifyCertificate;
+ websocket-ping-frequency-sec = websocketPingInterval;
+ http-upgrade-credentials = upgradeCredentials;
+ }
+ extraArgs
+ )} \
+ ${lib.escapeShellArg connectTo}
+ '';
 };
 };
-in {
+in
+{
 options.services.wstunnel = {
- enable = mkEnableOption "wstunnel";
+ enable = lib.mkEnableOption "wstunnel";
- servers = mkOption {
+ servers = lib.mkOption {
 description = "`wstunnel` servers to set up.";
- type = types.attrsOf (types.submodule serverSubmodule);
- default = {};
+ type = lib.types.attrsOf (lib.types.submodule serverSubmodule);
+ default = { };
 example = {
 "wg-tunnel" = {
 listen = {
@@ -336,13 +407,13 @@ in {
 };
 };
- clients = mkOption {
+ clients = lib.mkOption {
 description = "`wstunnel` clients to set up.";
- type = types.attrsOf (types.submodule clientSubmodule);
- default = {};
+ type = lib.types.attrsOf (lib.types.submodule clientSubmodule);
+ default = { };
 example = {
 "wg-tunnel" = {
- connectTo = "https://wstunnel.server.com:8443";
+ connectTo = "wss://wstunnel.server.com:8443";
 localToRemote = [
 "tcp://1212:google.com:443"
 "tcp://2:n.lan:4?proxy_protocol"
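Review bot: `http-headers = lib.mapAttrsToList (n: v: "${n}:${v}") customHeaders` loses the space after the colon that the removed `"--http-headers \"${n}: ${v}\""` emitted; if wstunnel splits on the first `:` and trims, nothing changes, but it is a wire-visible difference worth checking against its header parser before merging. Separately, every value now goes through `lib.cli.toGNUCommandLineShell` and `lib.escapeShellArg`, which single-quote it, so a `$VAR` placeholder in `upgradeCredentials` that relied on the unescaped `ExecStart` being expanded by systemd from `EnvironmentFile` would now reach wstunnel literally; if that was ever a supported way to keep credentials out of the store, the option description should say it no longer works, and otherwise it should say that the value ends up in the world-readable script in the store. The client's `serviceConfig` attrset opens in the previous hunk.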
@@ -356,28 +427,42 @@ in {
 };
 };
- config = mkIf cfg.enable {
- systemd.services = (mapAttrs' generateServerUnit (filterAttrs (n: v: v.enable) cfg.servers)) // (mapAttrs' generateClientUnit (filterAttrs (n: v: v.enable) cfg.clients));
-
- assertions = (mapAttrsToList (name: serverCfg: {
- assertion = !(serverCfg.useACMEHost != null && (serverCfg.tlsCertificate != null || serverCfg.tlsKey != null));
- message = ''
- Options services.wstunnel.servers."${name}".useACMEHost and services.wstunnel.servers."${name}".{tlsCertificate, tlsKey} are mutually exclusive.
- '';
- }) cfg.servers) ++
- (mapAttrsToList (name: serverCfg: {
- assertion = !((serverCfg.tlsCertificate != null || serverCfg.tlsKey != null) && !(serverCfg.tlsCertificate != null && serverCfg.tlsKey != null));
- message = ''
- services.wstunnel.servers."${name}".tlsCertificate and services.wstunnel.servers."${name}".tlsKey need to be set together.
- '';
- }) cfg.servers) ++
- (mapAttrsToList (name: clientCfg: {
- assertion = !(clientCfg.localToRemote == [] && clientCfg.remoteToLocal == []);
- message = ''
- Either one of services.wstunnel.clients."${name}".localToRemote or services.wstunnel.clients."${name}".remoteToLocal must be set.
- '';
- }) cfg.clients);
+ config = lib.mkIf cfg.enable {
+ systemd.services =
+ (lib.mapAttrs' generateServerUnit (lib.filterAttrs (n: v: v.enable) cfg.servers)) //
+ (lib.mapAttrs' generateClientUnit (lib.filterAttrs (n: v: v.enable) cfg.clients));
+
+ assertions =
+ (lib.mapAttrsToList
+ (name: serverCfg: {
+ assertion =
+ !(serverCfg.useACMEHost != null && serverCfg.tlsCertificate != null);
+ message = ''
+ Options services.wstunnel.servers."${name}".useACMEHost and services.wstunnel.servers."${name}".{tlsCertificate, tlsKey} are mutually exclusive.
+ '';
+ })
+ cfg.servers) ++
+
+ (lib.mapAttrsToList
+ (name: serverCfg: {
+ assertion =
+ (serverCfg.tlsCertificate == null && serverCfg.tlsKey == null) ||
+ (serverCfg.tlsCertificate != null && serverCfg.tlsKey != null);
+ message = ''
+ services.wstunnel.servers."${name}".tlsCertificate and services.wstunnel.servers."${name}".tlsKey need to be set together.
+ '';
+ })
+ cfg.servers) ++
+
+ (lib.mapAttrsToList
+ (name: clientCfg: {
+ assertion = !(clientCfg.localToRemote == [ ] && clientCfg.remoteToLocal == [ ]);
+ message = ''
+ Either one of services.wstunnel.clients."${name}".localToRemote or services.wstunnel.clients."${name}".remoteToLocal must be set.
+ '';
+ })
+ cfg.clients);
 };
- meta.maintainers = with maintainers; [ alyaeanyx neverbehave ];
+ meta.maintainers = with lib.maintainers; [ alyaeanyx rvdp neverbehave ];
 }
diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix
index 86c1efc629a98..68c04118fdd58 100644
--- a/nixos/modules/services/networking/zerotierone.nix
+++ b/nixos/modules/services/networking/zerotierone.nix
@@ -4,7 +4,9 @@ with lib;
 let
 cfg = config.services.zerotierone;
- localConfFile = pkgs.writeText "zt-local.conf" (builtins.toJSON cfg.localConf);
+
+ settingsFormat = pkgs.formats.json {};
+ localConfFile = settingsFormat.generate "zt-local.conf" cfg.localConf;
 localConfFilePath = "/var/lib/zerotier-one/local.conf";
 in
 {
@@ -41,7 +43,7 @@ in
 example = {
 settings.allowTcpFallbackRelay = false;
 };
- type = types.nullOr types.attrs;
+ type = settingsFormat.type;
 };
 config = mkIf cfg.enable {
@@ -60,7 +62,7 @@ in
 chown -R root:root /var/lib/zerotier-one
 '' + (concatMapStrings (netId: ''
 touch "/var/lib/zerotier-one/networks.d/${netId}.conf"
- '') cfg.joinNetworks) + optionalString (cfg.localConf != null) ''
+ '') cfg.joinNetworks) + optionalString (cfg.localConf != {}) ''
 if [ -L "${localConfFilePath}" ]
 then
 rm ${localConfFilePath}
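Review bot: The first assertion now checks only `serverCfg.tlsCertificate != null` next to `useACMEHost`, while its message still names `{tlsCertificate, tlsKey}`; a configuration with `useACMEHost` plus only `tlsKey` is still rejected, but by the second assertion's "need to be set together" text, which points the user at the wrong problem. Either restore `!(serverCfg.useACMEHost != null && (serverCfg.tlsCertificate != null || serverCfg.tlsKey != null))` or narrow the message to `tlsCertificate`.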
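Review bot: `optionalString (cfg.localConf != {})` and `type = settingsFormat.type` assume the `localConf` option's default is now `{}`, but the `@@ -41,7 +43,7 @@` hunk shows only the `type` line; if `default = null` is still declared just above it, `settingsFormat.type` rejects the default and every configuration that leaves `localConf` unset fails to evaluate. Please confirm the declaration reads `default = { };` and that the option's description no longer mentions `null`.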
diff --git a/nixos/modules/services/security/sslmate-agent.nix b/nixos/modules/services/security/sslmate-agent.nix
index c850eb22a0311..57cb955a39dd9 100644
--- a/nixos/modules/services/security/sslmate-agent.nix
+++ b/nixos/modules/services/security/sslmate-agent.nix
@@ -6,7 +6,7 @@ let
 cfg = config.services.sslmate-agent;
 in {
- meta.maintainers = with maintainers; [ wolfangaukang ];
+ meta.maintainers = [ ];
 options = {
 services.sslmate-agent = {
diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix
index e9195fbd51608..43bc402e7818b 100644
--- a/nixos/modules/services/security/step-ca.nix
+++ b/nixos/modules/services/security/step-ca.nix
@@ -4,7 +4,7 @@ let
 settingsFormat = (pkgs.formats.json { });
 in {
- meta.maintainers = with lib.maintainers; [ mohe2015 ];
+ meta.maintainers = with lib.maintainers; [ ];
 options = {
 services.step-ca = {
diff --git a/nixos/modules/services/ttys/kmscon.nix b/nixos/modules/services/ttys/kmscon.nix
index 74314e1e76e40..031c5bbb383e1 100644
--- a/nixos/modules/services/ttys/kmscon.nix
+++ b/nixos/modules/services/ttys/kmscon.nix
@@ -107,7 +107,7 @@ in {
 fonts = optional (cfg.fonts != null) "font-name=${lib.concatMapStringsSep ", " (f: f.name) cfg.fonts}";
 in lib.concatStringsSep "\n" (render ++ fonts);
- hardware.opengl.enable = mkIf cfg.hwRender true;
+ hardware.graphics.enable = mkIf cfg.hwRender true;
 fonts = mkIf (cfg.fonts != null) {
 fontconfig.enable = true;
diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix
index 91949f197cfed..870ae58f8646e 100644
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
@@ -101,7 +101,7 @@ in {
 session required ${config.systemd.package}/lib/security/pam_systemd.so
 '';
- hardware.opengl.enable = mkDefault true;
+ hardware.graphics.enable = mkDefault true;
 systemd.targets.graphical.wants = [ "cage-tty1.service" ];
diff --git a/nixos/modules/services/web-apps/firefly-iii.nix b/nixos/modules/services/web-apps/firefly-iii.nix
index 3e51bd226b02e..338f049093202 100644
--- a/nixos/modules/services/web-apps/firefly-iii.nix
+++ b/nixos/modules/services/web-apps/firefly-iii.nix
@@ -33,10 +33,10 @@ let
 ${optionalString (cfg.settings.DB_CONNECTION == "sqlite") "touch ${cfg.dataDir}/storage/database/database.sqlite"}
+ ${artisan} cache:clear
 ${artisan} package:discover
 ${artisan} firefly-iii:upgrade-database
 ${artisan} firefly-iii:laravel-passport-keys
- ${artisan} cache:clear
 ${artisan} view:cache
 ${artisan} route:cache
 ${artisan} config:cache
@@ -283,8 +283,6 @@ in {
 before = [ "phpfpm-firefly-iii.service" ];
 serviceConfig = {
 ExecStart = firefly-iii-maintenance;
- RuntimeDirectory = "phpfpm";
- RuntimeDirectoryPreserve = true;
 RemainAfterExit = true;
 } // commonServiceConfig;
 unitConfig.JoinsNamespaceOf = "phpfpm-firefly-iii.service";
diff --git a/nixos/modules/services/web-apps/keycloak.md b/nixos/modules/services/web-apps/keycloak.md
index 020bee4003489..4036885ce151c 100644
--- a/nixos/modules/services/web-apps/keycloak.md
+++ b/nixos/modules/services/web-apps/keycloak.md
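Review bot: Removing `RuntimeDirectory = "phpfpm"` and `RuntimeDirectoryPreserve` from the maintenance unit presumably leaves `/run/phpfpm` to `phpfpm-firefly-iii.service`, whose unit definition this hunk does not show; the maintenance unit is ordered `before` that service and `JoinsNamespaceOf` it, so if the maintenance script touches `/run/phpfpm` it now depends on that directory already existing when it runs. A comment next to `ExecStart`, e.g. `# /run/phpfpm is managed by phpfpm-firefly-iii.service; declaring RuntimeDirectory here too would race its cleanup`, would record the intent so the next reader does not reintroduce the setting. The service definition starts before the hunk.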
@@ -68,13 +68,11 @@ to `/auth`. See the option description for more details.
 :::
-[](#opt-services.keycloak.settings.hostname-strict-backchannel)
-determines whether Keycloak should force all requests to go
-through the frontend URL. By default,
-Keycloak allows backend requests to
-instead use its local hostname or IP address and may also
-advertise it to clients through its OpenID Connect Discovery
-endpoint.
+[](#opt-services.keycloak.settings.hostname-backchannel-dynamic)
+Keycloak has the capability to offer a separate URL for backchannel requests,
+enabling internal communication while maintaining the use of a public URL
+for frontchannel requests. Moreover, the backchannel is dynamically
+resolved based on incoming headers endpoint.
 For more information on hostname configuration, see the [Hostname section of the Keycloak Server Installation and Configuration
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 6d472cf48cd01..36bae2575974e 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -328,8 +328,7 @@ in
 };
 hostname = mkOption {
- type = nullOr str;
- default = null;
+ type = str;
 example = "keycloak.example.com";
 description = ''
 The hostname part of the public URL used as base for
@@ -340,16 +339,13 @@ in
 '';
 };
- hostname-strict-backchannel = mkOption {
+ hostname-backchannel-dynamic = mkOption {
 type = bool;
 default = false;
 example = true;
 description = ''
- Whether Keycloak should force all requests to go
- through the frontend URL. By default, Keycloak allows
- backend requests to instead use its local hostname or
- IP address and may also advertise it to clients
- through its OpenID Connect Discovery endpoint.
+ Enables dynamic resolving of backchannel URLs,
+ including hostname, scheme, port and context path.
 See <https://www.keycloak.org/server/hostname> for
 more information about hostname configuration.
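Review bot: Turning `hostname` from `nullOr str` with `default = null` into a bare `str` makes the option mandatory, so a configuration that still only sets the removed `hostname-url` may fail with the generic "option ... is used but not defined" error before the new assertion in the `@@ -482,12 +478,20 @@` hunk gets to print its migration message, depending on which thunk is forced first. Keeping `default = null` here and adding `cfg.settings.hostname != null` with the same migration text to the assertion list would guarantee users see the helpful message. The option's `description` continues past the end of the hunk.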
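Review bot: The new `hostname-backchannel-dynamic` description does not say what enabling it requires of `hostname`; as far as I recall Keycloak's hostname v2 documentation, dynamic backchannel resolution requires `hostname` to be a full URL rather than the bare host that the `hostname` option's description asks for, so following both descriptions literally yields a configuration Keycloak rejects at startup. A sentence along the lines of `When enabled, {option}`services.keycloak.settings.hostname` must be a full URL including the scheme.` (please verify against the linked docs) would prevent that, and an assertion could enforce it.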
@@ -482,12 +478,20 @@ in
 message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";
 }
 {
- assertion = cfg.settings.hostname != null || cfg.settings.hostname-url or null != null;
- message = "Setting the Keycloak hostname is required, see `services.keycloak.settings.hostname`";
+ assertion = cfg.settings.hostname-url or null == null;
+ message = ''
+ The option `services.keycloak.settings.hostname-url' has been removed.
+ Set `services.keycloak.settings.hostname' instead.
+ See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details.
+ '';
 }
 {
- assertion = !(cfg.settings.hostname != null && cfg.settings.hostname-url or null != null);
- message = "`services.keycloak.settings.hostname` and `services.keycloak.settings.hostname-url` are mutually exclusive";
+ assertion = cfg.settings.hostname-strict-backchannel or null == null;
+ message = ''
+ The option `services.keycloak.settings.hostname-strict-backchannel' has been removed.
+ Set `services.keycloak.settings.hostname-backchannel-dynamic' instead.
+ See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details.
+ '';
 }
 ];
diff --git a/nixos/modules/services/web-apps/mealie.nix b/nixos/modules/services/web-apps/mealie.nix
index 0d41cffd3d9dd..2484b2489c0d0 100644
--- a/nixos/modules/services/web-apps/mealie.nix
+++ b/nixos/modules/services/web-apps/mealie.nix
@@ -59,7 +59,7 @@ in
 PRODUCTION = "true";
 ALEMBIC_CONFIG_FILE="${pkg}/config/alembic.ini";
 API_PORT = toString cfg.port;
- BASE_URL = "http://localhost:${cfg.port}";
+ BASE_URL = "http://localhost:${toString cfg.port}";
 DATA_DIR = "/var/lib/mealie";
 CRF_MODEL_PATH = "/var/lib/mealie/model.crfmodel";
 } // (builtins.mapAttrs (_: val: toString val) cfg.settings);
diff --git a/nixos/modules/services/web-apps/zitadel.nix b/nixos/modules/services/web-apps/zitadel.nix
index 99b0a0bc56f67..ed7fae8d9dda0 100644
--- a/nixos/modules/services/web-apps/zitadel.nix
+++ b/nixos/modules/services/web-apps/zitadel.nix
@@ -219,5 +219,5 @@ in
 users.groups.zitadel = lib.mkIf (cfg.group == "zitadel") { };
 };
- meta.maintainers = with lib.maintainers; [ Sorixelle ];
+ meta.maintainers = [ ];
 }
diff --git a/nixos/modules/services/web-servers/bluemap.nix b/nixos/modules/services/web-servers/bluemap.nix
index 28eaad3db313e..731468fd9a0ec 100644
--- a/nixos/modules/services/web-servers/bluemap.nix
+++ b/nixos/modules/services/web-servers/bluemap.nix
@@ -71,9 +71,7 @@ in {
 host = mkOption {
 type = lib.types.str;
- default = "bluemap.${config.networking.domain}";
- defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
- description = "Domain to configure nginx for";
+ description = "Domain on which nginx will serve the bluemap webapp";
 };
 onCalendar = mkOption {
diff --git a/nixos/modules/services/x11/desktop-managers/phosh.nix b/nixos/modules/services/x11/desktop-managers/phosh.nix
index e8494b2c017c9..12b39f927c012 100644
--- a/nixos/modules/services/x11/desktop-managers/phosh.nix
+++ b/nixos/modules/services/x11/desktop-managers/phosh.nix
@@ -216,7 +216,7 @@ in
 security.pam.services.phosh = {};
- hardware.opengl.enable = mkDefault true;
+ hardware.graphics.enable = mkDefault true;
 services.gnome.core-shell.enable = true;
 services.gnome.core-os-services.enable = true;
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index 5a86d055c2719..57e83399eded6 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -302,7 +302,7 @@ in
 default = [ "modesetting" "fbdev" ];
 example = [
 "nvidia"
- "amdgpu-pro"
+ "amdgpu"
 ];
 # TODO(@oxij): think how to easily add the rest, like those nvidia things
 relatedPackages = concatLists
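Review bot: Dropping `default` and `defaultText` makes `host` a required option, so anyone who relied on `bluemap.${config.networking.domain}` gets "option ... is used but not defined" on their next rebuild, and the diff carries no release-notes entry for it. If the motivation is that `networking.domain` is `null` by default, which would make the old default fail to evaluate, that reasoning deserves a short comment above `host = mkOption {`; either way a release-notes line is needed so the breakage is expected rather than discovered.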
@@ -716,10 +716,7 @@ in
 restartIfChanged = false;
- environment =
- optionalAttrs config.hardware.opengl.setLdLibraryPath
- { LD_LIBRARY_PATH = lib.makeLibraryPath [ pkgs.addOpenGLRunpath.driverLink ]; }
- // config.services.displayManager.environment;
+ environment = config.services.displayManager.environment;
 preStart = ''
diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix
index bcc649dcbec0a..8a0894ed85c3d 100644
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -244,8 +244,8 @@ in
 };
 assertions = [
- { assertion = cfg.enableNvidia && pkgs.stdenv.isx86_64 -> config.hardware.opengl.driSupport32Bit or false;
- message = "Option enableNvidia on x86_64 requires 32bit support libraries";
+ { assertion = cfg.enableNvidia && pkgs.stdenv.isx86_64 -> config.hardware.graphics.enable32Bit or false;
+ message = "Option enableNvidia on x86_64 requires 32-bit support libraries";
 }];
 virtualisation.docker.daemon.settings = {
diff --git a/nixos/modules/virtualisation/oci-image.nix b/nixos/modules/virtualisation/oci-image.nix
index d4af5016dd71c..1e2b90bfd46e2 100644
--- a/nixos/modules/virtualisation/oci-image.nix
+++ b/nixos/modules/virtualisation/oci-image.nix
@@ -9,10 +9,10 @@ in
 config = {
 system.build.OCIImage = import ../../lib/make-disk-image.nix {
 inherit config lib pkgs;
+ inherit (cfg) diskSize;
 name = "oci-image";
 configFile = ./oci-config-user.nix;
 format = "qcow2";
- diskSize = 8192;
 partitionTableType = if cfg.efi then "efi" else "legacy";
 };
diff --git a/nixos/modules/virtualisation/oci-options.nix b/nixos/modules/virtualisation/oci-options.nix
index 0dfedc6a530c8..76f3475a42817 100644
--- a/nixos/modules/virtualisation/oci-options.nix
+++ b/nixos/modules/virtualisation/oci-options.nix
@@ -9,6 +9,12 @@
 Whether the OCI instance is using EFI.
 '';
 };
+ diskSize = lib.mkOption {
+ type = lib.types.int;
+ default = 8192;
+ description = "Size of the disk image created in MB.";
+ example = "diskSize = 12 * 1024; # 12GiB";
+ };
 };
 };
 }
diff --git a/nixos/modules/virtualisation/spice-usb-redirection.nix b/nixos/modules/virtualisation/spice-usb-redirection.nix
index 255327f2622c9..1631a91ccf863 100644
--- a/nixos/modules/virtualisation/spice-usb-redirection.nix
+++ b/nixos/modules/virtualisation/spice-usb-redirection.nix
@@ -22,5 +22,5 @@
 };
 };
- meta.maintainers = [ lib.maintainers.lheckemann ];
+ meta.maintainers = [ ];
 } |
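Review bot: `example = "diskSize = 12 * 1024; # 12GiB";` is a string value on an option whose `type` is `lib.types.int`, so the rendered manual shows a quoted string that cannot be used as a value; write `example = 12 * 1024;` or `example = lib.literalExpression "12 * 1024";`. The `description` says the size is in MB while the example comment says "12GiB"; whichever unit `make-disk-image.nix` actually applies to `diskSize`, description and example should agree, and MiB is the likely correct spelling given the `1024` multiplier.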