Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2405.section.md | 21 | ||||
-rw-r--r-- | nixos/modules/config/terminfo.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/desktop-managers/plasma6.nix | 9 | ||||
-rw-r--r-- | nixos/modules/services/networking/jotta-cli.md | 4 | ||||
-rw-r--r-- | nixos/modules/services/networking/jotta-cli.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/networking/sunshine.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/system/dbus.nix | 12 | ||||
-rwxr-xr-x | nixos/modules/system/activation/switch-to-configuration.pl | 3 | ||||
-rw-r--r-- | nixos/tests/jotta-cli.nix | 2 |
10 files changed, 62 insertions, 14 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 70473f4a9b417..93a9da175b1e9 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -133,7 +133,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [mautrix-meta](https://github.com/mautrix/meta), a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge. Available as services.mautrix-meta -- [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/1436834-jottacloud-command-line-tool), a CLI for the [Jottacloud](https://jottacloud.com/) cloud storage provider. Available as [user.services.jotta-cli](#opt-user.services.jotta-cli.enable). +- [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/1436834-jottacloud-command-line-tool), a CLI for the [Jottacloud](https://jottacloud.com/) cloud storage provider. Available as [services.jotta-cli](#opt-services.jotta-cli.enable). - [transfer-sh](https://github.com/dutchcoders/transfer.sh), a tool that supports easy and fast file sharing from the command-line. Available as [services.transfer-sh](#opt-services.transfer-sh.enable). 
@@ -321,9 +321,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - Proxies are now defined with a new option `settings.proxies` which takes a list of proxies. - Consult the [upstream documentation](https://github.com/fatedier/frp#example-usage) for more details on the changes. -- `mkosi` was updated to v20. Parts of the user interface have changed. Consult the - release notes of [v19](https://github.com/systemd/mkosi/releases/tag/v19) and - [v20](https://github.com/systemd/mkosi/releases/tag/v20) for a list of changes. +- `mkosi` was updated to v22. Parts of the user interface have changed. Consult the + release notes of [v19](https://github.com/systemd/mkosi/releases/tag/v19), + [v20](https://github.com/systemd/mkosi/releases/tag/v20), + [v21](https://github.com/systemd/mkosi/releases/tag/v21) and + [v22](https://github.com/systemd/mkosi/releases/tag/v22) for a list of changes. - `gonic` has been updated to v0.16.4. Config now requires `playlists-path` to be set. See the rest of the [v0.16.0 release notes](https://github.com/sentriz/gonic/releases/tag/v0.16.0) for more details. 
@@ -534,6 +536,17 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list. For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``; +- `services.openssh` now has an option `authorizedKeysInHomedir`, controlling whether `~/.ssh/authorizedKeys` is + added to `authorizedKeysFiles`. + ::: {.note} + This option currently defaults to `true` for NixOS 24.05, preserving the previous behaviour. + This is expected to change in NixOS 24.11. + ::: + ::: {.warning} + Users should check that their SSH keys are in `users.users.*.openssh`, or that they have another way to access + and administer the system, before setting this option to `false`. + ::: + - [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. diff --git a/nixos/modules/config/terminfo.nix b/nixos/modules/config/terminfo.nix index 4b58605aa7f1a..b538d749ffcbf 100644 --- a/nixos/modules/config/terminfo.nix +++ b/nixos/modules/config/terminfo.nix @@ -31,7 +31,7 @@ with lib; # attrNames (filterAttrs # (_: drv: (builtins.tryEval (isDerivation drv && drv ? terminfo)).value) # pkgs) - environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs; [ + environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs.pkgsBuildBuild; [ alacritty contour foot 
diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix index 08507b4d370a7..842b0716b928d 100644 --- a/nixos/modules/services/desktop-managers/plasma6.nix +++ b/nixos/modules/services/desktop-managers/plasma6.nix @@ -286,6 +286,15 @@ in { kde-smartcard = lib.mkIf config.security.pam.p11.enable { p11Auth = true; }; }; + security.wrappers = { + kwin_wayland = { + owner = "root"; + group = "root"; + capabilities = "cap_sys_nice+ep"; + source = "${lib.getBin pkgs.kdePackages.kwin}/bin/kwin_wayland"; + }; + }; + programs.dconf.enable = true; programs.firefox.nativeMessagingHosts.packages = [kdePackages.plasma-browser-integration]; diff --git a/nixos/modules/services/networking/jotta-cli.md b/nixos/modules/services/networking/jotta-cli.md index fee002a4e6046..335e5c8e38563 100644 --- a/nixos/modules/services/networking/jotta-cli.md +++ b/nixos/modules/services/networking/jotta-cli.md @@ -6,7 +6,7 @@ The [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/14368 ```nix { - user.services.jotta-cli.enable = true; + services.jotta-cli.enable = true; } ``` @@ -15,7 +15,7 @@ This adds `jotta-cli` to `environment.systemPackages` and starts a user service ## Example Configuration {#module-services-jotta-cli-example-configuration} ```nix -user.services.jotta-cli = { +services.jotta-cli = { enable = true; options = [ "slow" ]; package = pkgs.jotta-cli; diff --git a/nixos/modules/services/networking/jotta-cli.nix b/nixos/modules/services/networking/jotta-cli.nix index c7e6dad5453ca..e0fa1ef332fe6 100644 --- a/nixos/modules/services/networking/jotta-cli.nix +++ b/nixos/modules/services/networking/jotta-cli.nix @@ -2,10 +2,10 @@ with lib; -let cfg = config.user.services.jotta-cli; +let cfg = config.services.jotta-cli; in { options = { - user.services.jotta-cli = { + services.jotta-cli = { enable = mkEnableOption "Jottacloud Command-line Tool"; 
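Review bot: The new `security.wrappers.kwin_wayland` entry grants `cap_sys_nice+ep` with no comment explaining why and no `permissions` restriction, so with the wrapper defaults every local user can presumably execute a compositor binary carrying that capability. A comment such as `# CAP_SYS_NICE lets kwin_wayland request realtime scheduling for the compositor` would record the intent, once that reason is confirmed. It is also worth confirming that kwin drops the capability before it starts child processes, because nothing in this hunk shows that, and a capability that leaks into session processes would widen the grant. The enclosing attribute set starts and ends outside the hunk.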
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index c62bccd462d33..0fdb708bf052f 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -296,6 +296,17 @@ in ''; }; + authorizedKeysInHomedir = mkOption { + type = types.bool; + default = true; + description = '' + Enables the use of the `~/.ssh/authorized_keys` file. + + Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`, + *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys). + ''; + }; + authorizedKeysCommand = mkOption { type = types.str; default = "none"; @@ -635,7 +646,7 @@ in # https://github.com/NixOS/nixpkgs/pull/10155 # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = - [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ]; + lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ]; services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u"; diff --git a/nixos/modules/services/networking/sunshine.nix b/nixos/modules/services/networking/sunshine.nix index 0749eaee95d8a..ec78db1f3f8e9 100644 --- a/nixos/modules/services/networking/sunshine.nix +++ b/nixos/modules/services/networking/sunshine.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, utils, ... }: let - inherit (lib) mkEnableOption mkPackageOption mkOption mkIf mkDefault types optionals getExe; + inherit (lib) mkEnableOption mkPackageOption mkOption literalExpression mkIf mkDefault types optionals getExe; inherit (utils) escapeSystemdExecArgs; cfg = config.services.sunshine; @@ -46,7 +46,7 @@ in See https://docs.lizardbyte.dev/projects/sunshine/en/latest/about/advanced_usage.html#configuration for syntax. ''; - example = '' + example = literalExpression '' { sunshine_name = "nixos"; } 
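Review bot: The description of `authorizedKeysInHomedir` omits the lockout risk that the release note warns about, and its claim that "the only files trusted by default" are those in `/etc/ssh/authorized_keys.d` holds only while `authorizedKeysFiles` and `authorizedKeysCommand` keep their defaults. I would add a sentence such as `Before setting this to false, make sure every account that needs SSH access has its keys declared in users.users.<name>.openssh.authorizedKeys, otherwise key-based login for that account stops working.` A second sentence should state that paths added through `authorizedKeysFiles` remain trusted regardless of this option. It is also worth saying why an operator would disable it: with `false`, a key written into a home directory is no longer honoured, which removes a common persistence path after an account compromise.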
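Review bot: In the `services.openssh.authorizedKeysFiles` definition, the single-line `lib.optional … ++ [ … ]` parses as intended, because function application binds tighter than `++`, but it is easy to misread. Putting `lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys"` on one line and `++ [ "/etc/ssh/authorized_keys.d/%u" ]` on the next would make the precedence obvious. The diffstat shows no sshd test change, so the `false` path is not exercised. A test node that sets the option to `false` and asserts that a key placed only in `~/.ssh/authorized_keys` is rejected would guard this setting when the default flips. The surrounding config block starts and ends outside the hunk.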
@@ -67,7 +67,7 @@ in description = '' Configuration for applications to be exposed to Moonlight. If this is set, no configuration is possible from the web UI, and must be by the `settings` option. ''; - example = '' + example = literalExpression '' { env = { PATH = "$(PATH):$(HOME)/.local/bin"; diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index 8dba0aca64337..26f4eba707f92 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix @@ -147,6 +147,10 @@ in }; systemd.services.dbus = { + aliases = [ + # hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus + "dbus-broker.service" + ]; # Don't restart dbus-daemon. Bad things tend to happen if we do. reloadIfChanged = true; restartTriggers = [ @@ -158,6 +162,10 @@ in }; systemd.user.services.dbus = { + aliases = [ + # hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus + "dbus-broker.service" + ]; # Don't restart dbus-daemon. Bad things tend to happen if we do. reloadIfChanged = true; restartTriggers = [ @@ -184,6 +192,8 @@ in # https://github.com/NixOS/nixpkgs/issues/108643 systemd.services.dbus-broker = { aliases = [ + # allow other services to just depend on dbus, + # but also a hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus "dbus.service" ]; unitConfig = { @@ -203,6 +213,8 @@ in systemd.user.services.dbus-broker = { aliases = [ + # allow other services to just depend on dbus, + # but also a hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus "dbus.service" ]; # Don't restart dbus. Bad things tend to happen if we do. diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl index ba45231465fb4..cabc1dcc2d65a 100755 --- a/nixos/modules/system/activation/switch-to-configuration.pl 
+++ b/nixos/modules/system/activation/switch-to-configuration.pl @@ -472,6 +472,9 @@ sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutin $units_to_reload->{$unit} = 1; record_unit($reload_list_file, $unit); } + elsif ($unit eq "dbus.service" || $unit eq "dbus-broker.service") { + # dbus service should only ever be reloaded, not started/stoped/restarted as that would break the system. + } elsif (!parse_systemd_bool(\%new_unit_info, "Service", "X-RestartIfChanged", 1) || parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStop", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0)) { $units_to_skip->{$unit} = 1; } else { diff --git a/nixos/tests/jotta-cli.nix b/nixos/tests/jotta-cli.nix index 5eefe65c1d385..0df23ee2cba5c 100644 --- a/nixos/tests/jotta-cli.nix +++ b/nixos/tests/jotta-cli.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { meta.maintainers = with pkgs.lib.maintainers; [ evenbrenden ]; nodes.machine = { pkgs, ... }: { - user.services.jotta-cli.enable = true; + services.jotta-cli.enable = true; imports = [ ./common/user-account.nix ]; }; |
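Review bot: The new `elsif` branch for `dbus.service` / `dbus-broker.service` has an empty body, so a changed dbus unit that reaches it is dropped silently; unlike the branch right below, it is not recorded in `$units_to_skip`. That matters operationally when the change is a security update to the daemon, since the old process keeps running until reboot and, as far as this hunk shows, nothing tells the administrator. I would put `$units_to_skip->{$unit} = 1;` inside the branch so the unit is tracked the same way as the other not-restarted units. The comment should also fix the typo `stoped` and say that a reboot is needed to pick up the new daemon. `handle_modified_unit` starts and ends outside the hunk, so the condition of the preceding reload branch is not visible here.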