diff options
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/doc/manual/configuration/configuration.xml | 1 | ||||
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2003.xml | 51 | ||||
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 10 | ||||
| -rw-r--r-- | nixos/modules/services/misc/matrix-synapse.nix | 46 | ||||
| -rw-r--r-- | nixos/modules/services/misc/matrix-synapse.xml (renamed from nixos/doc/manual/configuration/matrix.xml) | 97 | ||||
| -rw-r--r-- | nixos/modules/services/networking/iodine.nix | 163 | ||||
| -rw-r--r-- | nixos/modules/services/networking/stubby.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/networking/supybot.nix | 109 | ||||
| -rw-r--r-- | nixos/modules/system/boot/kernel.nix | 265 | ||||
| -rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 13 | ||||
| -rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
| -rw-r--r-- | nixos/tests/iodine.nix | 63 | ||||
| -rw-r--r-- | nixos/tests/matrix-synapse.nix | 21 |
13 files changed, 574 insertions, 267 deletions
diff --git a/nixos/doc/manual/configuration/configuration.xml b/nixos/doc/manual/configuration/configuration.xml index 5961209bc13ac..507d28814ead3 100644 --- a/nixos/doc/manual/configuration/configuration.xml +++ b/nixos/doc/manual/configuration/configuration.xml @@ -21,7 +21,6 @@ <xi:include href="xfce.xml" /> <xi:include href="networking.xml" /> <xi:include href="linux-kernel.xml" /> - <xi:include href="matrix.xml" /> <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" /> <xi:include href="profiles.xml" /> <xi:include href="kubernetes.xml" /> diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index bbbd62719b2dd..0996791944f02 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml @@ -235,7 +235,7 @@ services.xserver.displayManager.defaultSession = "xfce+icewm"; <listitem> <para> The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output. - This has led to drastically reduced closed sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output. + This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output. </para> </listitem> <listitem> @@ -719,6 +719,55 @@ auth required pam_succeed_if.so uid >= 1000 quiet For further reference, please read <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> or the corresponding <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse thread</link>. </para> </listitem> + <listitem> + <para> + The <package>matrix-synapse</package>-package has been updated to + <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.11.1">v1.11.1</link>. + Due to <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.10.0rc1">stricter requirements</link> + for database configuration when using <package>postgresql</package>, the automated database setup + of the module has been removed to avoid any further edge-cases. + </para> + <para> + <package>matrix-synapse</package> expects <literal>postgresql</literal>-databases to have the options + <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> set to + <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link> which basically + instructs <literal>postgresql</literal> to ignore any locale-based preferences. + </para> + <para> + Depending on your setup, you need to incorporate one of the following changes in your setup to + upgrade to 20.03: + <itemizedlist> + <listitem><para>If you use <literal>sqlite3</literal> you don't need to do anything.</para></listitem> + <listitem><para>If you use <literal>postgresql</literal> on a different server, you don't need + to change anything as well since this module was never designed to configure remote databases. + </para></listitem> + <listitem><para>If you use <literal>postgresql</literal> and configured your synapse initially on + <literal>19.09</literal> or older, you simply need to enable <package>postgresql</package>-support + explicitly: +<programlisting>{ ... }: { + services.matrix-synapse = { + <link linkend="opt-services.matrix-synapse.enable">enable</link> = true; + /* and all the other config you've defined here */ + }; + <link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true; +}</programlisting> + </para></listitem> + <listitem><para>If you deploy a fresh <package>matrix-synapse</package>, you need to configure + the database yourself (e.g. by using the + <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> + option). An example for this can be found in the + <link linkend="module-services-matrix">documentation of the Matrix module</link>. + </para></listitem> + <listitem><para>If you initially deployed your <package>matrix-synapse</package> on + <literal>nixos-unstable</literal> <emphasis>after</emphasis> the <literal>19.09</literal>-release, + your database is misconfigured due to a regression in NixOS. For now, <package>matrix-synapse</package> will + startup with a warning, but it's recommended to reconfigure the database to set the values + <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> to + <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link>. + </para></listitem> + </itemizedlist> + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 72474e5dbd4a0..2f61ee5ae2edb 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -86,6 +86,16 @@ }</programlisting> </para> </listitem> + <listitem> + <para> + The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal> + as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal> + is 20.09 or higher. It also enables number of + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link> + which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in + <option>systemd.services.supybot.serviceConfig</option>. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 750f4a292fb4a..d02fa13bb99c2 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -111,6 +111,9 @@ app_service_config_files: ${builtins.toJSON cfg.app_service_config_files} ${cfg.extraConfig} ''; + + hasLocalPostgresDB = let args = cfg.database_args; in + usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ])); in { options = { services.matrix-synapse = { @@ -354,13 +357,6 @@ in { The database engine name. Can be sqlite or psycopg2. ''; }; - create_local_database = mkOption { - type = types.bool; - default = true; - description = '' - Whether to create a local database automatically. - ''; - }; database_name = mkOption { type = types.str; default = "matrix-synapse"; @@ -657,6 +653,25 @@ in { }; config = mkIf cfg.enable { + assertions = [ + { assertion = hasLocalPostgresDB -> config.services.postgresql.enable; + message = '' + Cannot deploy matrix-synapse with a configuration for a local postgresql database + and a missing postgresql service. Since 20.03 it's mandatory to manually configure the + database (please read the thread in https://github.com/NixOS/nixpkgs/pull/80447 for + further reference). + + If you + - try to deploy a fresh synapse, you need to configure the database yourself. An example + for this can be found in <nixpkgs/nixos/tests/matrix-synapse.nix> + - update your existing matrix-synapse instance, you simply need to add `services.postgresql.enable = true` + to your configuration. + + For further information about this update, please read the release-notes of 20.03 carefully. + ''; + } + ]; + users.users.matrix-synapse = { group = "matrix-synapse"; home = cfg.dataDir; @@ -669,18 +684,9 @@ in { gid = config.ids.gids.matrix-synapse; }; - services.postgresql = mkIf (usePostgresql && cfg.create_local_database) { - enable = mkDefault true; - ensureDatabases = [ cfg.database_name ]; - ensureUsers = [{ - name = cfg.database_user; - ensurePermissions = { "DATABASE \"${cfg.database_name}\"" = "ALL PRIVILEGES"; }; - }]; - }; - systemd.services.matrix-synapse = { description = "Synapse Matrix homeserver"; - after = [ "network.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service" ; + after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service"; wantedBy = [ "multi-user.target" ]; preStart = '' ${cfg.package}/bin/homeserver \ @@ -709,6 +715,12 @@ in { The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0 as the behavior is now obsolete. '') + (mkRemovedOptionModule [ "services" "matrix-synapse" "create_local_database" ] '' + Database configuration must be done manually. An exemplary setup is demonstrated in + <nixpkgs/nixos/tests/matrix-synapse.nix> + '') ]; + meta.doc = ./matrix-synapse.xml; + } diff --git a/nixos/doc/manual/configuration/matrix.xml b/nixos/modules/services/misc/matrix-synapse.xml index ef8d5cbda8895..053a3b2a563fc 100644 --- a/nixos/doc/manual/configuration/matrix.xml +++ b/nixos/modules/services/misc/matrix-synapse.xml @@ -40,26 +40,35 @@ let in join config.networking.hostName config.networking.domain; in { networking = { - hostName = "myhostname"; - domain = "example.org"; + <link linkend="opt-networking.hostName">hostName</link> = "myhostname"; + <link linkend="opt-networking.domain">domain</link> = "example.org"; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ]; + + <link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true; + <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; services.nginx = { - enable = true; + <link linkend="opt-services.nginx.enable">enable</link> = true; # only recommendedProxySettings and recommendedGzipSettings are strictly required, # but the rest make sense as well - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; + <link linkend="opt-services.nginx.recommendedTlsSettings">recommendedTlsSettings</link> = true; + <link linkend="opt-services.nginx.recommendedOptimisation">recommendedOptimisation</link> = true; + <link linkend="opt-services.nginx.recommendedGzipSettings">recommendedGzipSettings</link> = true; + <link linkend="opt-services.nginx.recommendedProxySettings">recommendedProxySettings</link> = true; - virtualHosts = { + <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = { # This host section can be placed on a different host than the rest, # i.e. to delegate from the host being accessible as ${config.networking.domain} # to another host actually running the Matrix homeserver. "${config.networking.domain}" = { - locations."= /.well-known/matrix/server".extraConfig = + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> = let # use 443 instead of the default 8448 port to unite # the client-server and server-server port for simplicity @@ -68,7 +77,7 @@ in { add_header Content-Type application/json; return 200 '${builtins.toJSON server}'; ''; - locations."= /.well-known/matrix/client".extraConfig = + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/client".extraConfig</link> = let client = { "m.homeserver" = { "base_url" = "https://${fqdn}"; }; @@ -84,34 +93,37 @@ in { # Reverse proxy for Matrix client-server and server-server communication ${fqdn} = { - enableACME = true; - forceSSL = true; + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; # Or do a redirect instead of the 404, or whatever is appropriate for you. # But do not put a Matrix Web client here! See the Riot Web section below. - locations."/".extraConfig = '' + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."/".extraConfig</link> = '' return 404; ''; # forward all Matrix API calls to the synapse Matrix homeserver locations."/_matrix" = { - proxyPass = "http://[::1]:8008"; # without a trailing / + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">proxyPass</link> = "http://[::1]:8008"; # without a trailing / }; }; }; }; services.matrix-synapse = { - enable = true; - server_name = config.networking.domain; - listeners = [ + <link linkend="opt-services.matrix-synapse.enable">enable</link> = true; + <link linkend="opt-services.matrix-synapse.server_name">server_name</link> = config.networking.domain; + <link linkend="opt-services.matrix-synapse.listeners">listeners</link> = [ { - port = 8008; - bind_address = "::1"; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { names = [ "client" "federation" ]; compress = false; } + <link linkend="opt-services.matrix-synapse.listeners._.port">port</link> = 8008; + <link linkend="opt-services.matrix-synapse.listeners._.bind_address">bind_address</link> = "::1"; + <link linkend="opt-services.matrix-synapse.listeners._.type">type</link> = "http"; + <link linkend="opt-services.matrix-synapse.listeners._.tls">tls</link> = false; + <link linkend="opt-services.matrix-synapse.listeners._.x_forwarded">x_forwarded</link> = true; + <link linkend="opt-services.matrix-synapse.listeners._.resources">resources</link> = [ + { + <link linkend="opt-services.matrix-synapse.listeners._.resources._.names">names</link> = [ "client" "federation" ]; + <link linkend="opt-services.matrix-synapse.listeners._.resources._.compress">compress</link> = false; + } ]; } ]; @@ -135,10 +147,10 @@ in { <para> If you want to run a server with public registration by anybody, you can - then enable <option>services.matrix-synapse.enable_registration = - true;</option>. Otherwise, or you can generate a registration secret with + then enable <literal><link linkend="opt-services.matrix-synapse.enable_registration">services.matrix-synapse.enable_registration</link> = + true;</literal>. Otherwise, or you can generate a registration secret with <command>pwgen -s 64 1</command> and set it with - <option>services.matrix-synapse.registration_shared_secret</option>. To + <option><link linkend="opt-services.matrix-synapse.registration_shared_secret">services.matrix-synapse.registration_shared_secret</link></option>. To create a new user or admin, run the following after you have set the secret and have rebuilt NixOS: <screen> @@ -154,8 +166,8 @@ Success! <literal>@your-username:example.org</literal>. Note that the registration secret ends up in the nix store and therefore is world-readable by any user on your machine, so it makes sense to only temporarily activate the - <option>registration_shared_secret</option> option until a better solution - for NixOS is in place. + <link linkend="opt-services.matrix-synapse.registration_shared_secret">registration_shared_secret</link> + option until a better solution for NixOS is in place. </para> </section> <section xml:id="module-services-matrix-riot-web"> @@ -177,15 +189,24 @@ Success! Matrix Now!</link> for a list of existing clients and their supported featureset. <programlisting> -services.nginx.virtualHosts."riot.${fqdn}" = { - enableACME = true; - forceSSL = true; - serverAliases = [ - "riot.${config.networking.domain}" - ]; +{ + services.nginx.virtualHosts."riot.${fqdn}" = { + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ + "riot.${config.networking.domain}" + ]; - root = pkgs.riot-web; -}; + <link linkend="opt-services.nginx.virtualHosts._name_.root">root</link> = pkgs.riot-web.override { + conf = { + default_server_config."m.homeserver" = { + "base_url" = "${config.networking.domain}"; + "server_name" = "${fqdn}"; + }; + }; + }; + }; +} </programlisting> </para> diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix index f9ca26c279609..46051d7044b5e 100644 --- a/nixos/modules/services/networking/iodine.nix +++ b/nixos/modules/services/networking/iodine.nix @@ -9,6 +9,8 @@ let iodinedUser = "iodined"; + /* is this path made unreadable by ProtectHome = true ? */ + isProtected = x: hasPrefix "/root" x || hasPrefix "/home" x; in { imports = [ @@ -35,45 +37,48 @@ in corresponding attribute name. ''; example = literalExample '' - { - foo = { - server = "tunnel.mdomain.com"; - relay = "8.8.8.8"; - extraConfig = "-v"; + { + foo = { + server = "tunnel.mdomain.com"; + relay = "8.8.8.8"; + extraConfig = "-v"; + } } - } ''; - type = types.attrsOf (types.submodule ( - { - options = { - server = mkOption { - type = types.str; - default = ""; - description = "Domain or Subdomain of server running iodined"; - example = "tunnel.mydomain.com"; - }; - - relay = mkOption { - type = types.str; - default = ""; - description = "DNS server to use as a intermediate relay to the iodined server"; - example = "8.8.8.8"; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = "Additional command line parameters"; - example = "-l 192.168.1.10 -p 23"; - }; - - passwordFile = mkOption { - type = types.str; - default = ""; - description = "File that contains password"; - }; - }; - })); + type = types.attrsOf ( + types.submodule ( + { + options = { + server = mkOption { + type = types.str; + default = ""; + description = "Hostname of server running iodined"; + example = "tunnel.mydomain.com"; + }; + + relay = mkOption { + type = types.str; + default = ""; + description = "DNS server to use as an intermediate relay to the iodined server"; + example = "8.8.8.8"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Additional command line parameters"; + example = "-l 192.168.1.10 -p 23"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "Path to a file containing the password."; + }; + }; + } + ) + ); }; server = { @@ -121,31 +126,67 @@ in boot.kernelModules = [ "tun" ]; systemd.services = - let - createIodineClientService = name: cfg: - { - description = "iodine client - ${name}"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - script = "exec ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "< \"${cfg.passwordFile}\""} ${cfg.relay} ${cfg.server}"; - serviceConfig = { - RestartSec = "30s"; - Restart = "always"; + let + createIodineClientService = name: cfg: + { + description = "iodine client - ${name}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "exec ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "< \"${builtins.toString cfg.passwordFile}\""} ${cfg.relay} ${cfg.server}"; + serviceConfig = { + RestartSec = "30s"; + Restart = "always"; + + # hardening : + # Filesystem access + ProtectSystem = "strict"; + ProtectHome = if isProtected cfg.passwordFile then "read-only" else "true" ; + PrivateTmp = true; + ReadWritePaths = "/dev/net/tun"; + PrivateDevices = false; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + # Caps + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + MemoryDenyWriteExecute = true; + }; + }; + in + listToAttrs ( + mapAttrsToList + (name: value: nameValuePair "iodine-${name}" (createIodineClientService name value)) + cfg.clients + ) // { + iodined = mkIf (cfg.server.enable) { + description = "iodine, ip over dns server daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${builtins.toString cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}"; + serviceConfig = { + # Filesystem access + ProtectSystem = "strict"; + ProtectHome = if isProtected cfg.server.passwordFile then "read-only" else "true" ; + PrivateTmp = true; + ReadWritePaths = "/dev/net/tun"; + PrivateDevices = false; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + # Caps + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + MemoryDenyWriteExecute = true; + }; + }; }; - }; - in - listToAttrs ( - mapAttrsToList - (name: value: nameValuePair "iodine-${name}" (createIodineClientService name value)) - cfg.clients - ) // { - iodined = mkIf (cfg.server.enable) { - description = "iodine, ip over dns server daemon"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}"; - }; - }; users.users.${iodinedUser} = { uid = config.ids.uids.iodined; diff --git a/nixos/modules/services/networking/stubby.nix b/nixos/modules/services/networking/stubby.nix index 849d266576d54..c5e0f929a1267 100644 --- a/nixos/modules/services/networking/stubby.nix +++ b/nixos/modules/services/networking/stubby.nix @@ -205,6 +205,7 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig = { + Type = "notify"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}"; diff --git a/nixos/modules/services/networking/supybot.nix b/nixos/modules/services/networking/supybot.nix index d5b9a97a1c1a6..dc9fb31ffd0bf 100644 --- a/nixos/modules/services/networking/supybot.nix +++ b/nixos/modules/services/networking/supybot.nix @@ -3,32 +3,35 @@ with lib; let - cfg = config.services.supybot; - + isStateDirHome = hasPrefix "/home/" cfg.stateDir; + isStateDirVar = cfg.stateDir == "/var/lib/supybot"; + pyEnv = pkgs.python3.withPackages (p: [ p.limnoria ] ++ (cfg.extraPackages p)); in - { - options = { services.supybot = { enable = mkOption { + type = types.bool; default = false; - description = "Enable Supybot, an IRC bot"; + description = "Enable Supybot, an IRC bot (also known as Limnoria)."; }; stateDir = mkOption { - # Setting this to /var/lib/supybot caused useradd to fail - default = "/home/supybot"; + type = types.path; + default = if versionAtLeast config.system.stateVersion "20.09" + then "/var/lib/supybot" + else "/home/supybot"; + defaultText = "/var/lib/supybot"; description = "The root directory, logs and plugins are stored here"; }; configFile = mkOption { type = types.path; description = '' - Path to a supybot config file. This can be generated by + Path to initial supybot config file. This can be generated by running supybot-wizard. Note: all paths should include the full path to the stateDir @@ -36,21 +39,54 @@ in ''; }; + plugins = mkOption { + type = types.attrsOf types.path; + default = {}; + description = '' + Attribute set of additional plugins that will be symlinked to the + <filename>plugin</filename> subdirectory. + + Please note that you still need to add the plugins to the config + file (or with <literal>!load</literal>) using their attribute name. + ''; + example = literalExample '' + let + plugins = pkgs.fetchzip { + url = "https://github.com/ProgVal/Supybot-plugins/archive/57c2450c.zip"; + sha256 = "077snf84ibnva3sbpzdfpfma6hcdw7dflwnhg6pw7mgnf0nd84qd"; + }; + in + { + Wikipedia = "''${plugins}/Wikipedia"; + Decide = ./supy-decide; + } + ''; + }; + + extraPackages = mkOption { + default = p: []; + description = '' + Extra Python packages available to supybot plugins. The + value must be a function which receives the attrset defined + in <varname>python3Packages</varname> as the sole argument. + ''; + example = literalExample ''p: [ p.lxml p.requests ]''; + }; + }; }; - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.pythonPackages.limnoria ]; + environment.systemPackages = [ pkgs.python3Packages.limnoria ]; users.users.supybot = { uid = config.ids.uids.supybot; group = "supybot"; description = "Supybot IRC bot user"; home = cfg.stateDir; - createHome = true; + isSystemUser = true; }; users.groups.supybot = { @@ -59,19 +95,16 @@ in systemd.services.supybot = { description = "Supybot, an IRC bot"; + documentation = [ "https://limnoria.readthedocs.io/" ]; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.pythonPackages.limnoria ]; preStart = '' - cd ${cfg.stateDir} - mkdir -p backup conf data plugins logs/plugins tmp web - ln -sf ${cfg.configFile} supybot.cfg # This needs to be created afresh every time - rm -f supybot.cfg.bak + rm -f '${cfg.stateDir}/supybot.cfg.bak' ''; serviceConfig = { - ExecStart = "${pkgs.pythonPackages.limnoria}/bin/supybot ${cfg.stateDir}/supybot.cfg"; + ExecStart = "${pyEnv}/bin/supybot ${cfg.stateDir}/supybot.cfg"; PIDFile = "/run/supybot.pid"; User = "supybot"; Group = "supybot"; @@ -79,8 +112,50 @@ in Restart = "on-abort"; StartLimitInterval = "5m"; StartLimitBurst = "1"; + + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + RestrictNamespaces = true; + RestrictRealtime = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RemoveIPC = true; + ProtectHostname = true; + CapabilityBoundingSet = ""; + ProtectSystem = "full"; + } + // optionalAttrs isStateDirVar { + StateDirectory = "supybot"; + ProtectSystem = "strict"; + } + // optionalAttrs (!isStateDirHome) { + ProtectHome = true; }; }; + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0700 supybot supybot - -" + "d '${cfg.stateDir}/backup' 0750 supybot supybot - -" + "d '${cfg.stateDir}/conf' 0750 supybot supybot - -" + "d '${cfg.stateDir}/data' 0750 supybot supybot - -" + "d '${cfg.stateDir}/plugins' 0750 supybot supybot - -" + "d '${cfg.stateDir}/logs' 0750 supybot supybot - -" + "d '${cfg.stateDir}/logs/plugins' 0750 supybot supybot - -" + "d '${cfg.stateDir}/tmp' 0750 supybot supybot - -" + "d '${cfg.stateDir}/web' 0750 supybot supybot - -" + "L '${cfg.stateDir}/supybot.cfg' - - - - ${cfg.configFile}" + ] + ++ (flip mapAttrsToList cfg.plugins (name: dest: + "L+ '${cfg.stateDir}/plugins/${name}' - - - - ${dest}" + )); + }; } diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index c247f334c23d9..43871f439f7f3 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -192,139 +192,144 @@ in ###### implementation - config = mkIf (!config.boot.isContainer) { - - system.build = { inherit kernel; }; - - system.modulesTree = [ kernel ] ++ config.boot.extraModulePackages; - - # Implement consoleLogLevel both in early boot and using sysctl - # (so you don't need to reboot to have changes take effect). - boot.kernelParams = - [ "loglevel=${toString config.boot.consoleLogLevel}" ] ++ - optionals config.boot.vesa [ "vga=0x317" "nomodeset" ]; - - boot.kernel.sysctl."kernel.printk" = mkDefault config.boot.consoleLogLevel; - - boot.kernelModules = [ "loop" "atkbd" ]; - - boot.initrd.availableKernelModules = - [ # Note: most of these (especially the SATA/PATA modules) - # shouldn't be included by default since nixos-generate-config - # detects them, but I'm keeping them for now for backwards - # compatibility. - - # Some SATA/PATA stuff. - "ahci" - "sata_nv" - "sata_via" - "sata_sis" - "sata_uli" - "ata_piix" - "pata_marvell" - - # Standard SCSI stuff. - "sd_mod" - "sr_mod" - - # SD cards and internal eMMC drives. - "mmc_block" - - # Support USB keyboards, in case the boot fails and we only have - # a USB keyboard, or for LUKS passphrase prompt. - "uhci_hcd" - "ehci_hcd" - "ehci_pci" - "ohci_hcd" - "ohci_pci" - "xhci_hcd" - "xhci_pci" - "usbhid" - "hid_generic" "hid_lenovo" "hid_apple" "hid_roccat" - "hid_logitech_hidpp" "hid_logitech_dj" - - ] ++ optionals (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ - # Misc. x86 keyboard stuff. - "pcips2" "atkbd" "i8042" - - # x86 RTC needed by the stage 2 init script. - "rtc_cmos" - ]; - - boot.initrd.kernelModules = - [ # For LVM. - "dm_mod" - ]; - - # The Linux kernel >= 2.6.27 provides firmware. - hardware.firmware = [ kernel ]; - - # Create /etc/modules-load.d/nixos.conf, which is read by - # systemd-modules-load.service to load required kernel modules. - environment.etc = - { "modules-load.d/nixos.conf".source = kernelModulesConf; - }; - - systemd.services.systemd-modules-load = - { wantedBy = [ "multi-user.target" ]; - restartTriggers = [ kernelModulesConf ]; - serviceConfig = - { # Ignore failed module loads. Typically some of the - # modules in ‘boot.kernelModules’ are "nice to have but - # not required" (e.g. acpi-cpufreq), so we don't want to - # barf on those. - SuccessExitStatus = "0 1"; + config = mkMerge + [ (mkIf config.boot.initrd.enable { + boot.initrd.availableKernelModules = + [ # Note: most of these (especially the SATA/PATA modules) + # shouldn't be included by default since nixos-generate-config + # detects them, but I'm keeping them for now for backwards + # compatibility. + + # Some SATA/PATA stuff. + "ahci" + "sata_nv" + "sata_via" + "sata_sis" + "sata_uli" + "ata_piix" + "pata_marvell" + + # Standard SCSI stuff. + "sd_mod" + "sr_mod" + + # SD cards and internal eMMC drives. + "mmc_block" + + # Support USB keyboards, in case the boot fails and we only have + # a USB keyboard, or for LUKS passphrase prompt. + "uhci_hcd" + "ehci_hcd" + "ehci_pci" + "ohci_hcd" + "ohci_pci" + "xhci_hcd" + "xhci_pci" + "usbhid" + "hid_generic" "hid_lenovo" "hid_apple" "hid_roccat" + "hid_logitech_hidpp" "hid_logitech_dj" + + ] ++ optionals (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ + # Misc. x86 keyboard stuff. + "pcips2" "atkbd" "i8042" + + # x86 RTC needed by the stage 2 init script. + "rtc_cmos" + ]; + + boot.initrd.kernelModules = + [ # For LVM. + "dm_mod" + ]; + }) + + (mkIf (!config.boot.isContainer) { + system.build = { inherit kernel; }; + + system.modulesTree = [ kernel ] ++ config.boot.extraModulePackages; + + # Implement consoleLogLevel both in early boot and using sysctl + # (so you don't need to reboot to have changes take effect). + boot.kernelParams = + [ "loglevel=${toString config.boot.consoleLogLevel}" ] ++ + optionals config.boot.vesa [ "vga=0x317" "nomodeset" ]; + + boot.kernel.sysctl."kernel.printk" = mkDefault config.boot.consoleLogLevel; + + boot.kernelModules = [ "loop" "atkbd" ]; + + # The Linux kernel >= 2.6.27 provides firmware. + hardware.firmware = [ kernel ]; + + # Create /etc/modules-load.d/nixos.conf, which is read by + # systemd-modules-load.service to load required kernel modules. + environment.etc = + { "modules-load.d/nixos.conf".source = kernelModulesConf; }; - }; - - lib.kernelConfig = { - isYes = option: { - assertion = config: config.isYes option; - message = "CONFIG_${option} is not yes!"; - configLine = "CONFIG_${option}=y"; - }; - - isNo = option: { - assertion = config: config.isNo option; - message = "CONFIG_${option} is not no!"; - configLine = "CONFIG_${option}=n"; - }; - - isModule = option: { - assertion = config: config.isModule option; - message = "CONFIG_${option} is not built as a module!"; - configLine = "CONFIG_${option}=m"; - }; - - ### Usually you will just want to use these two - # True if yes or module - isEnabled = option: { - assertion = config: config.isEnabled option; - message = "CONFIG_${option} is not enabled!"; - configLine = "CONFIG_${option}=y"; - }; - - # True if no or omitted - isDisabled = option: { - assertion = config: config.isDisabled option; - message = "CONFIG_${option} is not disabled!"; - configLine = "CONFIG_${option}=n"; - }; - }; - # The config options that all modules can depend upon - system.requiredKernelConfig = with config.lib.kernelConfig; [ - # !!! Should this really be needed? - (isYes "MODULES") - (isYes "BINFMT_ELF") - ] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT")); + systemd.services.systemd-modules-load = + { wantedBy = [ "multi-user.target" ]; + restartTriggers = [ kernelModulesConf ]; + serviceConfig = + { # Ignore failed module loads. Typically some of the + # modules in ‘boot.kernelModules’ are "nice to have but + # not required" (e.g. acpi-cpufreq), so we don't want to + # barf on those. + SuccessExitStatus = "0 1"; + }; + }; - # nixpkgs kernels are assumed to have all required features - assertions = if config.boot.kernelPackages.kernel ? features then [] else - let cfg = config.boot.kernelPackages.kernel.config; in map (attrs: - { assertion = attrs.assertion cfg; inherit (attrs) message; } - ) config.system.requiredKernelConfig; + lib.kernelConfig = { + isYes = option: { + assertion = config: config.isYes option; + message = "CONFIG_${option} is not yes!"; + configLine = "CONFIG_${option}=y"; + }; - }; + isNo = option: { + assertion = config: config.isNo option; + message = "CONFIG_${option} is not no!"; + configLine = "CONFIG_${option}=n"; + }; + + isModule = option: { + assertion = config: config.isModule option; + message = "CONFIG_${option} is not built as a module!"; + configLine = "CONFIG_${option}=m"; + }; + + ### Usually you will just want to use these two + # True if yes or module + isEnabled = option: { + assertion = config: config.isEnabled option; + message = "CONFIG_${option} is not enabled!"; + configLine = "CONFIG_${option}=y"; + }; + + # True if no or omitted + isDisabled = option: { + assertion = config: config.isDisabled option; + message = "CONFIG_${option} is not disabled!"; + configLine = "CONFIG_${option}=n"; + }; + }; + + # The config options that all modules can depend upon + system.requiredKernelConfig = with config.lib.kernelConfig; + [ + # !!! Should this really be needed? + (isYes "MODULES") + (isYes "BINFMT_ELF") + ] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT")); + + # nixpkgs kernels are assumed to have all required features + assertions = if config.boot.kernelPackages.kernel ? features then [] else + let cfg = config.boot.kernelPackages.kernel.config; in map (attrs: + { assertion = attrs.assertion cfg; inherit (attrs) message; } + ) config.system.requiredKernelConfig; + + }) + + ]; } diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 26117cffeda25..93cd801ef8039 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -390,6 +390,17 @@ in ''; }; + boot.initrd.enable = mkOption { + type = types.bool; + default = !config.boot.isContainer; + defaultText = "!config.boot.isContainer"; + description = '' + Whether to enable the NixOS initial RAM disk (initrd). This may be + needed to perform some initialisation tasks (like mounting + network/encrypted file systems) before continuing the boot process. + ''; + }; + boot.initrd.prepend = mkOption { default = [ ]; type = types.listOf types.str; @@ -555,7 +566,7 @@ in }; - config = mkIf (!config.boot.isContainer) { + config = mkIf config.boot.initrd.enable { assertions = [ { assertion = any (fs: fs.mountPoint == "/") fileSystems; message = "The ‘fileSystems’ option does not specify your root file system."; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 7dd0f23df6588..51b463747b0e7 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -135,6 +135,7 @@ in initrd-network-ssh = handleTest ./initrd-network-ssh {}; initrdNetwork = handleTest ./initrd-network.nix {}; installer = handleTest ./installer.nix {}; + iodine = handleTest ./iodine.nix {}; ipv6 = handleTest ./ipv6.nix {}; jackett = handleTest ./jackett.nix {}; jellyfin = handleTest ./jellyfin.nix {}; diff --git a/nixos/tests/iodine.nix b/nixos/tests/iodine.nix new file mode 100644 index 0000000000000..8bd9603a6d6c8 --- /dev/null +++ b/nixos/tests/iodine.nix @@ -0,0 +1,63 @@ +import ./make-test-python.nix ( + { pkgs, ... }: let + domain = "whatever.example.com"; + in + { + name = "iodine"; + nodes = { + server = + { ... }: + + { + networking.firewall = { + allowedUDPPorts = [ 53 ]; + trustedInterfaces = [ "dns0" ]; + }; + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.ip_forward" = 1; + }; + + services.iodine.server = { + enable = true; + ip = "10.53.53.1/24"; + passwordFile = "${builtins.toFile "password" "foo"}"; + inherit domain; + }; + + # test resource: accessible only via tunnel + services.openssh = { + enable = true; + openFirewall = false; + }; + }; + + client = + { ... }: { + services.iodine.clients.testClient = { + # test that ProtectHome is "read-only" + passwordFile = "/root/pw"; + relay = "server"; + server = domain; + }; + systemd.tmpfiles.rules = [ + "f /root/pw 0666 root root - foo" + ]; + environment.systemPackages = [ + pkgs.nagiosPluginsOfficial + ]; + }; + + }; + + testScript = '' + start_all() + + server.wait_for_unit("sshd") + server.wait_for_unit("iodined") + client.wait_for_unit("iodine-testClient") + + client.succeed("check_ssh -H 10.53.53.1") + ''; + } +) diff --git a/nixos/tests/matrix-synapse.nix b/nixos/tests/matrix-synapse.nix index fca53009083a4..f3623aa3c094d 100644 --- a/nixos/tests/matrix-synapse.nix +++ b/nixos/tests/matrix-synapse.nix @@ -35,12 +35,31 @@ in { nodes = { # Since 0.33.0, matrix-synapse doesn't allow underscores in server names - serverpostgres = args: { + serverpostgres = { pkgs, ... }: { services.matrix-synapse = { enable = true; database_type = "psycopg2"; tls_certificate_path = "${cert}"; tls_private_key_path = "${key}"; + database_args = { + password = "synapse"; + }; + }; + services.postgresql = { + enable = true; + + # The database name and user are configured by the following options: + # - services.matrix-synapse.database_name + # - services.matrix-synapse.database_user + # + # The values used here represent the default values of the module. + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; }; }; |