Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/image/repart-image.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/networking/scion/scion-control.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/networking/scion/scion-daemon.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/networking/scion/scion-dispatcher.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/scion/scion-router.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/search/hound.nix | 84 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/healthchecks.nix | 18 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/limesurvey.nix | 78 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/peering-manager.nix | 25 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/xfce.nix | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/libvirtd.nix | 7 | ||||
-rw-r--r-- | nixos/tests/limesurvey.nix | 6 |
13 files changed, 174 insertions, 73 deletions
diff --git a/nixos/modules/image/repart-image.nix b/nixos/modules/image/repart-image.nix index e404067299004..de03beeafc0b7 100644 --- a/nixos/modules/image/repart-image.nix +++ b/nixos/modules/image/repart-image.nix @@ -90,8 +90,8 @@ let }."${compression.algorithm}"; compressionCommand = { - "zstd" = "zstd --no-progress --threads=0 -${toString compression.level}"; - "xz" = "xz --keep --verbose --threads=0 -${toString compression.level}"; + "zstd" = "zstd --no-progress --threads=$NIX_BUILD_CORES -${toString compression.level}"; + "xz" = "xz --keep --verbose --threads=$NIX_BUILD_CORES -${toString compression.level}"; }."${compression.algorithm}"; in stdenvNoCC.mkDerivation (finalAttrs: diff --git a/nixos/modules/services/networking/scion/scion-control.nix b/nixos/modules/services/networking/scion/scion-control.nix index b86f1ef26b358..95d78a87ac859 100644 --- a/nixos/modules/services/networking/scion/scion-control.nix +++ b/nixos/modules/services/networking/scion/scion-control.nix @@ -12,13 +12,13 @@ let reconnect_to_dispatcher = true; }; beacon_db = { - connection = "/var/lib/scion-control/control.beacon.db"; + connection = "/run/scion-control/control.beacon.db"; }; path_db = { - connection = "/var/lib/scion-control/control.path.db"; + connection = "/run/scion-control/control.path.db"; }; trust_db = { - connection = "/var/lib/scion-control/control.trust.db"; + connection = "/run/scion-control/control.trust.db"; }; log.console = { level = "info"; @@ -35,7 +35,7 @@ in example = literalExpression '' { path_db = { - connection = "/var/lib/scion-control/control.path.db"; + connection = "/run/scion-control/control.path.db"; }; log.console = { level = "info"; @@ -62,7 +62,7 @@ in DynamicUser = true; Restart = "on-failure"; BindPaths = [ "/dev/shm:/run/shm" ]; - StateDirectory = "scion-control"; + RuntimeDirectory = "scion-control"; }; }; }; 
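Review bot: Moving beacon_db, path_db and trust_db from StateDirectory to RuntimeDirectory (the three `connection` lines in the first hunk and `RuntimeDirectory = "scion-control";` in the last) puts the databases under /run, which systemd removes when the unit stops unless `RuntimeDirectoryPreserve` is set, so every restart begins with empty beacon, path and trust databases. If these are regenerable caches that is acceptable, but a comment on the `RuntimeDirectory` line saying so would save the next reader the question; if the trust database is meant to survive restarts it should stay in StateDirectory. The same switch is made for scion-daemon, scion-dispatcher and scion-router in the following hunks.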
diff --git a/nixos/modules/services/networking/scion/scion-daemon.nix b/nixos/modules/services/networking/scion/scion-daemon.nix index a9c0c80f101f8..8528bec1d52eb 100644 --- a/nixos/modules/services/networking/scion/scion-daemon.nix +++ b/nixos/modules/services/networking/scion/scion-daemon.nix @@ -12,10 +12,10 @@ let reconnect_to_dispatcher = true; }; path_db = { - connection = "/var/lib/scion-daemon/sd.path.db"; + connection = "/run/scion-daemon/sd.path.db"; }; trust_db = { - connection = "/var/lib/scion-daemon/sd.trust.db"; + connection = "/run/scion-daemon/sd.trust.db"; }; log.console = { level = "info"; @@ -32,7 +32,7 @@ in example = literalExpression '' { path_db = { - connection = "/var/lib/scion-daemon/sd.path.db"; + connection = "/run/scion-daemon/sd.path.db"; }; log.console = { level = "info"; @@ -57,7 +57,7 @@ in ExecStart = "${pkgs.scion}/bin/scion-daemon --config ${configFile}"; Restart = "on-failure"; DynamicUser = true; - StateDirectory = "scion-daemon"; + RuntimeDirectory = "scion-daemon"; }; }; }; diff --git a/nixos/modules/services/networking/scion/scion-dispatcher.nix b/nixos/modules/services/networking/scion/scion-dispatcher.nix index 9118ebefa18f3..7c9f5e6a385ee 100644 --- a/nixos/modules/services/networking/scion/scion-dispatcher.nix +++ b/nixos/modules/services/networking/scion/scion-dispatcher.nix @@ -66,7 +66,7 @@ in ExecStartPre = "${pkgs.coreutils}/bin/rm -rf /run/shm/dispatcher"; ExecStart = "${pkgs.scion}/bin/scion-dispatcher --config ${configFile}"; Restart = "on-failure"; - StateDirectory = "scion-dispatcher"; + RuntimeDirectory = "scion-dispatcher"; }; }; }; diff --git a/nixos/modules/services/networking/scion/scion-router.nix b/nixos/modules/services/networking/scion/scion-router.nix index 3579005a429ed..2cac44ab767ef 100644 --- a/nixos/modules/services/networking/scion/scion-router.nix +++ b/nixos/modules/services/networking/scion/scion-router.nix 
@@ -42,7 +42,7 @@ in ExecStart = "${pkgs.scion}/bin/scion-router --config ${configFile}"; Restart = "on-failure"; DynamicUser = true; - StateDirectory = "scion-router"; + RuntimeDirectory = "scion-router"; }; }; }; diff --git a/nixos/modules/services/search/hound.nix b/nixos/modules/services/search/hound.nix index 059f514234ebf..7aca1adc19b08 100644 --- a/nixos/modules/services/search/hound.nix +++ b/nixos/modules/services/search/hound.nix 
@@ -1,71 +1,66 @@ { config, lib, pkgs, ... }: -with lib; let cfg = config.services.hound; + settingsFormat = pkgs.formats.json { }; in { imports = [ (lib.mkRemovedOptionModule [ "services" "hound" "extraGroups" ] "Use users.users.hound.extraGroups instead") + (lib.mkChangedOptionModule [ "services" "hound" "config" ] [ "services" "hound" "settings" ] (config: builtins.fromJSON config.services.hound.config)) ]; - meta.maintainers = with maintainers; [ SuperSandro2000 ]; + meta.maintainers = with lib.maintainers; [ SuperSandro2000 ]; options = { services.hound = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable the hound code search daemon. - ''; - }; + enable = lib.mkEnableOption "hound"; - package = mkPackageOption pkgs "hound" { }; + package = lib.mkPackageOption pkgs "hound" { }; - user = mkOption { + user = lib.mkOption { default = "hound"; - type = types.str; + type = lib.types.str; description = '' User the hound daemon should execute under. ''; }; - group = mkOption { + group = lib.mkOption { default = "hound"; - type = types.str; + type = lib.types.str; description = '' Group the hound daemon should execute under. ''; }; - home = mkOption { + home = lib.mkOption { default = "/var/lib/hound"; - type = types.path; + type = lib.types.path; description = '' The path to use as hound's $HOME. If the default user "hound" is configured then this is the home of the "hound" user. ''; }; - config = mkOption { - type = types.str; - description = '' - The full configuration of the Hound daemon. Note the dbpath - should be an absolute path to a writable location on disk. 
- ''; - example = literalExpression '' + settings = lib.mkOption { + type = settingsFormat.type; + example = lib.literalExpression '' { - "max-concurrent-indexers" : 2, - "repos" : { - "nixpkgs": { - "url" : "https://www.github.com/NixOS/nixpkgs.git" - } - } + max-concurrent-indexers = 2; + repos.nixpkgs.url = "https://www.github.com/NixOS/nixpkgs.git"; } ''; + description = '' + The full configuration of the Hound daemon. + See the upstream documentation <https://github.com/hound-search/hound/blob/main/docs/config-options.md> for details. + + :::{.note} + The `dbpath` should be an absolute path to a writable directory. + :::.com/hound-search/hound/blob/main/docs/config-options.md>. + ''; }; - listen = mkOption { - type = types.str; + listen = lib.mkOption { + type = lib.types.str; default = "0.0.0.0:6080"; example = ":6080"; description = '' @@ -75,7 +70,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { users.groups = lib.mkIf (cfg.group == "hound") { hound = { }; }; @@ -89,16 +84,19 @@ in { }; }; - systemd.services.hound = let - configFile = pkgs.writeTextFile { - name = "hound.json"; - text = cfg.config; - checkPhase = '' - # check if the supplied text is valid json - ${lib.getExe pkgs.jq} . $target > /dev/null - ''; - }; - in { + environment.etc."hound/config.json".source = pkgs.writeTextFile { + name = "hound-config"; + text = builtins.toJSON cfg.settings; + checkPhase = '' + ${cfg.package}/bin/houndd -check-conf -conf $out + ''; + }; + + services.hound.settings = { + dbpath = "${config.services.hound.home}/data"; + }; + + systemd.services.hound = { description = "Hound Code Search"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; 
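Review bot: The new `settings` description carries a stray fragment: after the note block the added text reads `:::.com/hound-search/hound/blob/main/docs/config-options.md>.`, which looks like the tail of the old URL left behind by the edit, so the closing line should be just `:::`. The upstream link already appears in the preceding sentence, so nothing is lost by dropping the fragment. The `options` attrset opened in this hunk continues past its end.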
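Review bot: `services.hound.settings.dbpath = "${config.services.hound.home}/data";` is set without a priority, so a user who sets `settings.dbpath` themselves gets a conflicting-definition error at evaluation instead of an override; write it as `dbpath = lib.mkDefault "${cfg.home}/data";` (cfg is already bound to config.services.hound at the top of the file). The checkPhase now uses `$out` where the replaced code used `$target`; the two coincide only because no `destination` is given to writeTextFile, which is worth a one-line comment so a later `destination` does not silently break the check. The `systemd.services.hound` attrset this hunk opens continues outside it.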
@@ -107,7 +105,7 @@ in { Group = cfg.group; WorkingDirectory = cfg.home; ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt"; - ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf ${configFile}"; + ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf /etc/hound/config.json"; }; }; }; diff --git a/nixos/modules/services/web-apps/healthchecks.nix b/nixos/modules/services/web-apps/healthchecks.nix index 5562b37e502c6..c7db999a62c21 100644 --- a/nixos/modules/services/web-apps/healthchecks.nix +++ b/nixos/modules/services/web-apps/healthchecks.nix @@ -11,7 +11,7 @@ let environment = { PYTHONPATH = pkg.pythonPath; STATIC_ROOT = cfg.dataDir + "/static"; - } // cfg.settings; + } // lib.filterAttrs (_: v: !builtins.isNull v) cfg.settings; environmentFile = pkgs.writeText "healthchecks-environment" (lib.generators.toKeyValue { } environment); @@ -21,6 +21,7 @@ let sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env --preserve-env=PYTHONPATH' fi export $(cat ${environmentFile} | xargs) + ${lib.optionalString (cfg.settingsFile != null) "export $(cat ${cfg.settingsFile} | xargs)"} $sudo ${pkg}/opt/healthchecks/manage.py "$@" ''; in @@ -89,6 +90,12 @@ in ''; }; + settingsFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = opt.settings.description; + }; + settings = lib.mkOption { description = '' Environment variables which are read by healthchecks `(local)_settings.py`. @@ -109,6 +116,8 @@ in have support for a `_FILE` variant, run: - `nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'` - or `nix eval 'nixpkgs#healthchecks.secrets'` if the flake support has been enabled. + + If the same variable is set in both `settings` and `settingsFile` the value from `settingsFile` has priority. ''; type = types.submodule (settings: { freeformType = types.attrsOf types.str; 
@@ -121,8 +130,9 @@ in }; SECRET_KEY_FILE = mkOption { - type = types.path; + type = types.nullOr types.path; description = "Path to a file containing the secret key."; + default = null; }; DEBUG = mkOption { @@ -186,7 +196,9 @@ in WorkingDirectory = cfg.dataDir; User = cfg.user; Group = cfg.group; - EnvironmentFile = [ environmentFile ]; + EnvironmentFile = [ + environmentFile + ] ++ lib.optional (cfg.settingsFile != null) cfg.settingsFile; StateDirectory = mkIf (cfg.dataDir == "/var/lib/healthchecks") "healthchecks"; StateDirectoryMode = mkIf (cfg.dataDir == "/var/lib/healthchecks") "0750"; }; diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index cdd60f572b990..dbcd9eae2d29a 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix @@ -18,7 +18,15 @@ let limesurveyConfig = pkgs.writeText "config.php" '' <?php - return json_decode('${builtins.toJSON cfg.config}', true); + return \array_merge( + \json_decode('${builtins.toJSON cfg.config}', true), + [ + 'config' => [ + 'encryptionnonce' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_nonce')), + 'encryptionsecretboxkey' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_key')), + ] + ] + ); ?> ''; @@ -35,8 +43,9 @@ in package = mkPackageOption pkgs "limesurvey" { }; encryptionKey = mkOption { - type = types.str; - default = "E17687FC77CEE247F0E22BB3ECF27FDE8BEC310A892347EC13013ABA11AA7EB5"; + type = types.nullOr types.str; + default = null; + visible = false; description = '' This is a 32-byte key used to encrypt variables in the database. You _must_ change this from the default value. 
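Review bot: `SECRET_KEY_FILE` becomes `types.nullOr types.path` with `default = null`, so a configuration that provides neither `SECRET_KEY`, `SECRET_KEY_FILE` nor a `settingsFile` now evaluates cleanly and the Django secret key is whatever the application falls back to; unless an assertion outside this diff covers it, add one requiring at least one of the three, or state in the new `settingsFile` paragraph that the key is expected to come from that file. The priority sentence added to the `settings` description matches the `EnvironmentFile` order in the last hunk (systemd lets later files win), which deserves a comment there: `# settingsFile is listed last so its values override settings`. The settings submodule continues outside the hunk.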
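Review bot: In the generated config.php, `\file_get_contents()` returns `false` when a credential file is missing or unreadable and `\trim(false)` turns that into an empty string, so a broken credential setup degrades silently into an empty `encryptionsecretboxkey`/`encryptionnonce` instead of failing at startup. Reading each file into a variable and throwing when it is `false` (a few PHP lines in place of the two inline `\trim(\file_get_contents(...))` expressions) would make the failure visible; the later hunks stage the files, but this is the last check before the values reach LimeSurvey. The `limesurveyConfig` string starts and ends within the hunk.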
@@ -44,14 +53,35 @@ in }; encryptionNonce = mkOption { - type = types.str; - default = "1ACC8555619929DB91310BE848025A427B0F364A884FFA77"; + type = types.nullOr types.str; + default = null; + visible = false; description = '' This is a 24-byte nonce used to encrypt variables in the database. You _must_ change this from the default value. ''; }; + encryptionKeyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + 32-byte key used to encrypt variables in the database. + + Note: It should be string not a store path in order to prevent the password from being world readable + ''; + }; + + encryptionNonceFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + 24-byte used to encrypt variables in the database. + + Note: It should be string not a store path in order to prevent the password from being world readable + ''; + }; + database = { type = mkOption { type = types.enum [ "mysql" "pgsql" "odbc" "mssql" ]; 
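Review bot: The `encryptionKey` and `encryptionNonce` descriptions still say `You _must_ change this from the default value.` although the default is now `null` and both options are hidden with `visible = false`, and the new `encryptionNonceFile` description reads `24-byte used to encrypt…` with the word "nonce" missing. The `Note:` sentence on the two `*File` options is also hard to parse; suggested wording for both: `Note: pass a string path, not a store path, otherwise the secret ends up world-readable in the Nix store.` The `encryptionKey` option itself opens in the previous hunk.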
@@ -183,6 +213,22 @@ in { assertion = cfg.database.createLocally -> cfg.database.passwordFile == null; message = "a password cannot be specified if services.limesurvey.database.createLocally is set to true"; } + { assertion = cfg.encryptionKey != null || cfg.encryptionKeyFile != null; + message = '' + You must set `services.limesurvey.encryptionKeyFile` to a file containing a 32-character uppercase hex string. + + If this message appears when updating your system, please turn off encryption + in the LimeSurvey interface and create backups before filling the key. + ''; + } + { assertion = cfg.encryptionNonce != null || cfg.encryptionNonceFile != null; + message = '' + You must set `services.limesurvey.encryptionNonceFile` to a file containing a 24-character uppercase hex string. + + If this message appears when updating your system, please turn off encryption + in the LimeSurvey interface and create backups before filling the nonce. + ''; + } ]; services.limesurvey.config = mapAttrs (name: mkDefault) { @@ -204,8 +250,6 @@ in config = { tempdir = "${stateDir}/tmp"; uploaddir = "${stateDir}/upload"; - encryptionnonce = cfg.encryptionNonce; - encryptionsecretboxkey = cfg.encryptionKey; force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on"; config.defaultlang = "en"; }; 
@@ -229,11 +273,26 @@ in phpPackage = pkgs.php81; phpEnv.DBENGINE = "${cfg.database.dbEngine}"; phpEnv.LIMESURVEY_CONFIG = "${limesurveyConfig}"; + # App code cannot access credentials directly since the service starts + # with the root user so we copy the credentials to a place accessible to Limesurvey + phpEnv.CREDENTIALS_DIRECTORY = "${stateDir}/credentials"; settings = { "listen.owner" = config.services.httpd.user; "listen.group" = config.services.httpd.group; } // cfg.poolConfig; }; + systemd.services.phpfpm-limesurvey.serviceConfig = { + ExecStartPre = pkgs.writeShellScript "limesurvey-phpfpm-exec-pre" '' + cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_key "${stateDir}/credentials/encryption_key" + chown ${user}:${group} "${stateDir}/credentials/encryption_key" + cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_nonce "${stateDir}/credentials/encryption_nonce" + chown ${user}:${group} "${stateDir}/credentials/encryption_nonce" + ''; + LoadCredential = [ + "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}" + "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}" + ]; + }; services.httpd = { enable = true; @@ -277,6 +336,7 @@ in "d ${stateDir}/tmp/assets 0750 ${user} ${group} - -" "d ${stateDir}/tmp/runtime 0750 ${user} ${group} - -" "d ${stateDir}/tmp/upload 0750 ${user} ${group} - -" + "d ${stateDir}/credentials 0700 ${user} ${group} - -" "C ${stateDir}/upload 0750 ${user} ${group} - ${cfg.package}/share/limesurvey/upload" ]; @@ -295,6 +355,10 @@ in User = user; Group = group; Type = "oneshot"; + LoadCredential = [ + "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}" + "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}" + ]; }; }; 
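Review bot: Both `LoadCredential` lists (the phpfpm-limesurvey hunk and the `@@ -295` hunk) build the nonce fallback from the wrong option: `pkgs.writeText "nonce" cfg.encryptionKey` should be `pkgs.writeText "nonce" cfg.encryptionNonce`, otherwise a user still on the hidden `encryptionNonce` option gets the 32-byte key handed to LimeSurvey as its 24-byte nonce. The test in nixos/tests/limesurvey.nix sets only the `*File` variants, so it does not exercise this path. The `writeText` fallback also places the secret in the world-readable Nix store, which the `*File` descriptions warn against; a comment such as `# writeText fallback exists only for the hidden inline options; it exposes the value in the store` on each list would make the trade-off explicit.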
diff --git a/nixos/modules/services/web-apps/peering-manager.nix b/nixos/modules/services/web-apps/peering-manager.nix index c85cb76e5ea11..acdc393745293 100644 --- a/nixos/modules/services/web-apps/peering-manager.nix +++ b/nixos/modules/services/web-apps/peering-manager.nix @@ -16,6 +16,8 @@ let ln -s ${configFile} $out/opt/peering-manager/peering_manager/configuration.py '' + lib.optionalString cfg.enableLdap '' ln -s ${cfg.ldapConfigPath} $out/opt/peering-manager/peering_manager/ldap_config.py + '' + lib.optionalString cfg.enableOidc '' + ln -s ${cfg.oidcConfigPath} $out/opt/peering-manager/peering_manager/oidc_config.py ''; })).override { inherit (cfg) plugins; @@ -139,6 +141,24 @@ in { See the [documentation](https://peering-manager.readthedocs.io/en/stable/setup/6-ldap/#configuration) for possible options. ''; }; + + enableOidc = mkOption { + type = types.bool; + default = false; + description = '' + Enable OIDC-Authentication for Peering Manager. + + This requires a configuration file being pass through `oidcConfigPath`. + ''; + }; + + oidcConfigPath = mkOption { + type = types.path; + description = '' + Path to the Configuration-File for OIDC-Authentication, will be loaded as `oidc_config.py`. + See the [documentation](https://peering-manager.readthedocs.io/en/stable/setup/6b-oidc/#configuration) for possible options. + ''; + }; }; config = lib.mkIf cfg.enable { @@ -173,7 +193,10 @@ in { PEERINGDB_API_KEY = file.readline() ''; - plugins = lib.mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]); + plugins = (ps: + (lib.optionals cfg.enableLdap [ ps.django-auth-ldap ]) ++ + (lib.optionals cfg.enableOidc (with ps; [ mozilla-django-oidc pyopenssl josepy ])) + ); }; system.build.peeringManagerPkg = pkg; diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index 69a83ecb72065..aee2f5b35db2e 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix 
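Review bot: `oidcConfigPath` is typed `types.path` and interpolated into a build script (`ln -s ${cfg.oidcConfigPath} …` in the first hunk), so a value given as a path literal is copied into the world-readable Nix store, and an OIDC configuration normally holds the client secret; the description should say so, e.g. `A path literal is copied into the Nix store; keep the client secret out of it or pass a string path that is read at runtime.` — assuming ldapConfigPath, which is outside this diff, is not already documented that way. The wording also needs a touch-up: `This requires a configuration file being pass through` → `This requires a configuration file passed via`, and `OIDC-Authentication`/`Configuration-File` should drop the hyphens. The `options` attrset continues outside the hunk.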
+++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -165,6 +165,7 @@ in services.tumbler.enable = true; services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.libinput.enable = mkDefault true; # used in xfce4-settings-manager + services.colord.enable = mkDefault true; # Enable default programs programs.dconf.enable = true; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 14a4ab596b52c..76a6751b05708 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -489,7 +489,7 @@ in system.nssModules = [ cfg.package.out ]; system.nssDatabases = { hosts = (mkMerge [ - (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd) + (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is 501) (mkOrder 999 ["myhostname"]) # after files (which is 998), but before regular nss modules ]); passwd = (mkMerge [ diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index 9fbb126738a93..72c2a2ef5551c 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -545,9 +545,10 @@ in }; system.nssModules = optional (cfg.nss.enable or cfg.nss.enableGuest) cfg.package; - system.nssDatabases.hosts = builtins.concatLists [ - (optional cfg.nss.enable "libvirt") - (optional cfg.nss.enableGuest "libvirt_guest") + system.nssDatabases.hosts = mkMerge [ + # ensure that the NSS modules come between mymachines (which is 400) and resolve (which is 501) + (mkIf cfg.nss.enable (mkOrder 430 [ "libvirt" ])) + (mkIf cfg.nss.enableGuest (mkOrder 432 [ "libvirt_guest" ])) ]; }; } diff --git a/nixos/tests/limesurvey.nix b/nixos/tests/limesurvey.nix index 9a3193991f352..87e9fe1cdc149 100644 --- a/nixos/tests/limesurvey.nix +++ b/nixos/tests/limesurvey.nix 
@@ -1,6 +1,6 @@ -import ./make-test-python.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "limesurvey"; - meta.maintainers = [ pkgs.lib.maintainers.aanderse ]; + meta.maintainers = [ lib.maintainers.aanderse ]; nodes.machine = { ... }: { services.limesurvey = { @@ -9,6 +9,8 @@ import ./make-test-python.nix ({ pkgs, ... }: { hostName = "example.local"; adminAddr = "root@example.local"; }; + encryptionKeyFile = pkgs.writeText "key" (lib.strings.replicate 32 "0"); + encryptionNonceFile = pkgs.writeText "nonce" (lib.strings.replicate 24 "0"); }; # limesurvey won't work without a dot in the hostname |