diff options
Diffstat (limited to 'nixos')
34 files changed, 867 insertions, 386 deletions
diff --git a/nixos/doc/manual/configuration/adding-custom-packages.section.md b/nixos/doc/manual/configuration/adding-custom-packages.section.md index 89d329550613c..2340723e07c6b 100644 --- a/nixos/doc/manual/configuration/adding-custom-packages.section.md +++ b/nixos/doc/manual/configuration/adding-custom-packages.section.md @@ -44,7 +44,7 @@ environment.systemPackages = name = "hello-2.8"; src = fetchurl { url = "mirror://gnu/hello/${name}.tar.gz"; - sha256 = "0wqd8sjmxfskrflaxywc7gqw7sfawrfvdxd9skxawzfgyy0pzdz6"; + hash = "sha256-5rd/gffPfa761Kn1tl3myunD8TuM+66oy1O7XqVGDXM="; }; }; in @@ -67,7 +67,7 @@ stdenv.mkDerivation rec { name = "hello-2.8"; src = fetchurl { url = "mirror://gnu/hello/${name}.tar.gz"; - sha256 = "0wqd8sjmxfskrflaxywc7gqw7sfawrfvdxd9skxawzfgyy0pzdz6"; + hash = "sha256-5rd/gffPfa761Kn1tl3myunD8TuM+66oy1O7XqVGDXM="; }; } ``` diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 044d7686ae5c0..58d98b0f0ca47 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -16,6 +16,8 @@ - [acme-dns](https://github.com/joohoi/acme-dns), a limited DNS server to handle ACME DNS challenges easily and securely. Available as [services.acme-dns](#opt-services.acme-dns.enable). +- [frp](https://github.com/fatedier/frp), a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. Available as [services.frp](#opt-services.frp.enable). + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> - [river](https://github.com/riverwm/river), A dynamic tiling wayland compositor. Available as [programs.river](#opt-programs.river.enable). @@ -173,7 +175,7 @@ - The Caddy module gained a new option named `services.caddy.enableReload` which is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the [Caddy admin API](https://caddyserver.com/docs/caddyfile/options#admin). If you keep this option enabled, you should consider setting [`grace_period`](https://caddyserver.com/docs/caddyfile/options#grace-period) to a non-infinite value to prevent Caddy from delaying the reload indefinitely. -- mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by `stateVersion`), but the appropriate settings will be generated by `nixos-generate-config` when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you use `stateVersion` correctly or set `boot.swraid.enable` manually. +- mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by `stateVersion`), but the appropriate settings will be generated by `nixos-generate-config` when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you use `stateVersion` correctly or set `boot.swraid.enable` manually. On systems with an updated `stateVersion` we now also emit warnings if `mdadm.conf` does not contain the minimum required configuration necessary to run the dynamically enabled monitoring daemons. - The `go-ethereum` package has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed from `leveldb` to `pebble` but `leveldb` can be forced with the --db.engine=leveldb flag. The `checkpoint-admin` command was [removed along with trusted checkpoints](https://github.com/ethereum/go-ethereum/pull/27147). @@ -198,6 +200,7 @@ - Package `noto-fonts-emoji` was renamed to `noto-fonts-color-emoji`; see [#221181](https://github.com/NixOS/nixpkgs/issues/221181). +- Package `pash` was removed due to being archived upstream. Use `powershell` as an alternative. ## Other Notable Changes {#sec-release-23.11-notable-changes} @@ -239,6 +242,8 @@ Unfortunately all servers supporting new clients (newer version of anki-sync-server, anki's built in sync server and this new rust package) do not support the older sync protocol that was used in the old server, so such old clients will also need updating and in particular the anki package in nixpkgs is also being updated in this release. The module update takes care of the new config syntax and the data itself (user login and cards) are compatible, so users of the module will be able to just log in again after updating both client and server without any extra action. +- `services.matrix-synapse` has new options to configure worker processes for matrix-synapse using [`services.matrix-synapse.workers`](#opt-services.matrix-synapse.workers). It's also now possible to configure a local redis server using [`services.matrix-synapse.configureRedisLocally`](#opt-services.matrix-synapse.configureRedisLocally). + - `services.nginx` gained a `defaultListen` option at server-level with support for PROXY protocol listeners, also `proxyProtocol` is now exposed in `services.nginx.virtualHosts.<name>.listen` option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see [#213510](https://github.com/NixOS/nixpkgs/pull/213510/) for more details. - `services.restic.backups` now adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easly be run from the command line. This behavior can be disabled by setting `createWrapper` to `false`, per backup configuration. diff --git a/nixos/lib/make-btrfs-fs.nix b/nixos/lib/make-btrfs-fs.nix new file mode 100644 index 0000000000000..225666f9a50e8 --- /dev/null +++ b/nixos/lib/make-btrfs-fs.nix @@ -0,0 +1,65 @@ +# Builds an btrfs image containing a populated /nix/store with the closure +# of store paths passed in the storePaths parameter, in addition to the +# contents of a directory that can be populated with commands. The +# generated image is sized to only fit its contents, with the expectation +# that a script resizes the filesystem at boot time. +{ pkgs +, lib +# List of derivations to be included +, storePaths +# Whether or not to compress the resulting image with zstd +, compressImage ? false, zstd +# Shell commands to populate the ./files directory. +# All files in that directory are copied to the root of the FS. +, populateImageCommands ? "" +, volumeLabel +, uuid ? "44444444-4444-4444-8888-888888888888" +, btrfs-progs +}: + +let + sdClosureInfo = pkgs.buildPackages.closureInfo { rootPaths = storePaths; }; +in +pkgs.stdenv.mkDerivation { + name = "btrfs-fs.img${lib.optionalString compressImage ".zst"}"; + + nativeBuildInputs = [ btrfs-progs ] ++ lib.optional compressImage zstd; + + buildCommand = + '' + ${if compressImage then "img=temp.img" else "img=$out"} + + set -x + ( + mkdir -p ./files + ${populateImageCommands} + ) + + mkdir -p ./rootImage/nix/store + + xargs -I % cp -a --reflink=auto % -t ./rootImage/nix/store/ < ${sdClosureInfo}/store-paths + ( + GLOBIGNORE=".:.." + shopt -u dotglob + + for f in ./files/*; do + cp -a --reflink=auto -t ./rootImage/ "$f" + done + ) + + cp ${sdClosureInfo}/registration ./rootImage/nix-path-registration + + touch $img + mkfs.btrfs -L ${volumeLabel} -U ${uuid} -r ./rootImage --shrink $img + + if ! btrfs check $img; then + echo "--- 'btrfs check' failed for BTRFS image ---" + return 1 + fi + + if [ ${builtins.toString compressImage} ]; then + echo "Compressing image" + zstd -v --no-progress ./$img -o $out + fi + ''; +} diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 0b1238dd888a5..a40713ac25c75 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -4,10 +4,9 @@ pkgs, ... }: let - x11Enabled = config.services.xserver.enable - && (lib.elem "nvidia" config.services.xserver.videoDrivers); + nvidiaEnabled = (lib.elem "nvidia" config.services.xserver.videoDrivers); nvidia_x11 = - if x11Enabled || cfg.datacenter.enable + if nvidiaEnabled || cfg.datacenter.enable then cfg.package else null; @@ -256,7 +255,7 @@ in { ({ assertions = [ { - assertion = !(x11Enabled && cfg.datacenter.enable); + assertion = !(nvidiaEnabled && cfg.datacenter.enable); message = "You cannot configure both X11 and Data Center drivers at the same time."; } ]; @@ -289,7 +288,7 @@ in { ]; }) # X11 - (lib.mkIf x11Enabled { + (lib.mkIf nvidiaEnabled { assertions = [ { assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == ""; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2eb5f8f157bf0..811a46563fb47 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -280,6 +280,7 @@ ./programs/xwayland.nix ./programs/yabar.nix ./programs/yazi.nix + ./programs/yubikey-touch-detector.nix ./programs/zmap.nix ./programs/zsh/oh-my-zsh.nix ./programs/zsh/zsh-autoenv.nix @@ -898,6 +899,7 @@ ./services/networking/flannel.nix ./services/networking/freenet.nix ./services/networking/freeradius.nix + ./services/networking/frp.nix ./services/networking/frr.nix ./services/networking/gateone.nix ./services/networking/gdomap.nix @@ -1068,7 +1070,6 @@ ./services/networking/tayga.nix ./services/networking/tcpcrypt.nix ./services/networking/teamspeak3.nix - ./services/networking/tedicross.nix ./services/networking/teleport.nix ./services/networking/tetrd.nix ./services/networking/tftpd.nix diff --git a/nixos/modules/programs/environment.nix b/nixos/modules/programs/environment.nix index 3fbda153e0b44..6dad0cc524540 100644 --- a/nixos/modules/programs/environment.nix +++ b/nixos/modules/programs/environment.nix @@ -43,7 +43,6 @@ in GTK_PATH = [ "/lib/gtk-2.0" "/lib/gtk-3.0" "/lib/gtk-4.0" ]; XDG_CONFIG_DIRS = [ "/etc/xdg" ]; XDG_DATA_DIRS = [ "/share" ]; - MOZ_PLUGIN_PATH = [ "/lib/mozilla/plugins" ]; LIBEXEC_PATH = [ "/lib/libexec" ]; }; diff --git a/nixos/modules/programs/hyprland.nix b/nixos/modules/programs/hyprland.nix index e0ee5b6bd2a45..638dfb98e8ab0 100644 --- a/nixos/modules/programs/hyprland.nix +++ b/nixos/modules/programs/hyprland.nix @@ -7,9 +7,7 @@ with lib; let cfg = config.programs.hyprland; finalPortalPackage = cfg.portalPackage.override { - hyprland-share-picker = pkgs.hyprland-share-picker.override { - hyprland = cfg.finalPackage; - }; + hyprland = cfg.finalPackage; }; in { diff --git a/nixos/modules/programs/yubikey-touch-detector.nix b/nixos/modules/programs/yubikey-touch-detector.nix new file mode 100644 index 0000000000000..9a0d107f73c98 --- /dev/null +++ b/nixos/modules/programs/yubikey-touch-detector.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: +let cfg = config.programs.yubikey-touch-detector; +in { + options = { + programs.yubikey-touch-detector = { + enable = lib.mkEnableOption "yubikey-touch-detector"; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.packages = [ pkgs.yubikey-touch-detector ]; + + systemd.user.services.yubikey-touch-detector = { + path = [ pkgs.gnupg ]; + wantedBy = [ "graphical-session.target" ]; + }; + systemd.user.sockets.yubikey-touch-detector = { + wantedBy = [ "sockets.target" ]; + }; + }; +} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 45014ed3c68ee..408c515044c80 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -124,6 +124,9 @@ in See https://www.isc.org/blogs/isc-dhcp-eol/ for details. Please switch to a different implementation like kea or dnsmasq. '') + (mkRemovedOptionModule [ "services" "tedicross" ] '' + The corresponding package was broken and removed from nixpkgs. + '') # Do NOT add any option renames here, see top of the file ]; diff --git a/nixos/modules/services/hardware/auto-cpufreq.nix b/nixos/modules/services/hardware/auto-cpufreq.nix index cf27bdd8b6eb7..9c69ba8920f35 100644 --- a/nixos/modules/services/hardware/auto-cpufreq.nix +++ b/nixos/modules/services/hardware/auto-cpufreq.nix @@ -44,5 +44,8 @@ in { }; # uses attributes of the linked package - meta.buildDocsInSandbox = false; + meta = { + buildDocsInSandbox = false; + maintainers = with lib.maintainers; [ nicoo ]; + }; } diff --git a/nixos/modules/services/matrix/synapse-log_config.yaml b/nixos/modules/services/matrix/synapse-log_config.yaml deleted file mode 100644 index d85bdd1208f9a..0000000000000 --- a/nixos/modules/services/matrix/synapse-log_config.yaml +++ /dev/null @@ -1,25 +0,0 @@ -version: 1 - -# In systemd's journal, loglevel is implicitly stored, so let's omit it -# from the message text. -formatters: - journal_fmt: - format: '%(name)s: [%(request)s] %(message)s' - -filters: - context: - (): synapse.util.logcontext.LoggingContextFilter - request: "" - -handlers: - journal: - class: systemd.journal.JournalHandler - formatter: journal_fmt - filters: [context] - SYSLOG_IDENTIFIER: synapse - -root: - level: INFO - handlers: [journal] - -disable_existing_loggers: False diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix index ef69a8adebb01..554e9ca2ecc35 100644 --- a/nixos/modules/services/matrix/synapse.nix +++ b/nixos/modules/services/matrix/synapse.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.matrix-synapse; - format = pkgs.formats.yaml {}; + format = pkgs.formats.yaml { }; # remove null values from the final configuration finalSettings = lib.filterAttrsRecursive (_: v: v != null) cfg.settings; @@ -13,6 +13,7 @@ let usePostgresql = cfg.settings.database.name == "psycopg2"; hasLocalPostgresDB = let args = cfg.settings.database.args; in usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ])); + hasWorkers = cfg.workers != { }; registerNewMatrixUser = let @@ -68,6 +69,48 @@ let extras = wantedExtras; inherit (cfg) plugins; }; + + logConfig = logName: { + version = 1; + formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s"; + handlers.journal = { + class = "systemd.journal.JournalHandler"; + formatter = "journal_fmt"; + SYSLOG_IDENTIFIER = logName; + }; + root = { + level = "INFO"; + handlers = [ "journal" ]; + }; + disable_existing_loggers = false; + }; + logConfigText = logName: + let + expr = '' + { + version = 1; + formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s"; + handlers.journal = { + class = "systemd.journal.JournalHandler"; + formatter = "journal_fmt"; + SYSLOG_IDENTIFIER = "${logName}"; + }; + root = { + level = "INFO"; + handlers = [ "journal" ]; + }; + disable_existing_loggers = false; + }; + ''; + in + lib.literalMD '' + Path to a yaml file generated from this Nix expression: + + ``` + ${expr} + ``` + ''; + genLogConfigFile = logName: format.generate "synapse-log-${logName}.yaml" (logConfig logName); in { imports = [ @@ -154,7 +197,108 @@ in { ]; - options = { + options = let + listenerType = workerContext: types.submodule { + options = { + port = mkOption { + type = types.port; + example = 8448; + description = lib.mdDoc '' + The port to listen for HTTP(S) requests on. + ''; + }; + + bind_addresses = mkOption { + type = types.listOf types.str; + default = [ + "::1" + "127.0.0.1" + ]; + example = literalExpression '' + [ + "::" + "0.0.0.0" + ] + ''; + description = lib.mdDoc '' + IP addresses to bind the listener to. + ''; + }; + + type = mkOption { + type = types.enum [ + "http" + "manhole" + "metrics" + "replication" + ]; + default = "http"; + example = "metrics"; + description = lib.mdDoc '' + The type of the listener, usually http. + ''; + }; + + tls = mkOption { + type = types.bool; + default = !workerContext; + example = false; + description = lib.mdDoc '' + Whether to enable TLS on the listener socket. + ''; + }; + + x_forwarded = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + Use the X-Forwarded-For (XFF) header as the client IP and not the + actual client IP. + ''; + }; + + resources = mkOption { + type = types.listOf (types.submodule { + options = { + names = mkOption { + type = types.listOf (types.enum [ + "client" + "consent" + "federation" + "health" + "keys" + "media" + "metrics" + "openid" + "replication" + "static" + ]); + description = lib.mdDoc '' + List of resources to host on this listener. + ''; + example = [ + "client" + ]; + }; + compress = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Whether synapse should compress HTTP responses to clients that support it. + This should be disabled if running synapse behind a load balancer + that can do automatic compression. + ''; + }; + }; + }); + description = lib.mdDoc '' + List of HTTP resources to serve on this listener. + ''; + }; + }; + }; + in { services.matrix-synapse = { enable = mkEnableOption (lib.mdDoc "matrix.org synapse"); @@ -251,7 +395,7 @@ in { }; settings = mkOption { - default = {}; + default = { }; description = mdDoc '' The primary synapse configuration. See the [sample configuration](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_config.yaml) @@ -346,8 +490,8 @@ in { log_config = mkOption { type = types.path; - default = ./synapse-log_config.yaml; - defaultText = lib.literalExpression "nixos/modules/services/matrix/synapse-log_config.yaml"; + default = genLogConfigFile "synapse"; + defaultText = logConfigText "synapse"; description = lib.mdDoc '' The file that holds the logging configuration. ''; @@ -409,120 +553,37 @@ in { }; listeners = mkOption { - type = types.listOf (types.submodule { - options = { - port = mkOption { - type = types.port; - example = 8448; - description = lib.mdDoc '' - The port to listen for HTTP(S) requests on. - ''; - }; - - bind_addresses = mkOption { - type = types.listOf types.str; - default = [ - "::1" - "127.0.0.1" - ]; - example = literalExpression '' - [ - "::" - "0.0.0.0" - ] - ''; - description = lib.mdDoc '' - IP addresses to bind the listener to. - ''; - }; - - type = mkOption { - type = types.enum [ - "http" - "manhole" - "metrics" - "replication" - ]; - default = "http"; - example = "metrics"; - description = lib.mdDoc '' - The type of the listener, usually http. - ''; - }; - - tls = mkOption { - type = types.bool; - default = true; - example = false; - description = lib.mdDoc '' - Whether to enable TLS on the listener socket. - ''; - }; - - x_forwarded = mkOption { - type = types.bool; - default = false; - example = true; - description = lib.mdDoc '' - Use the X-Forwarded-For (XFF) header as the client IP and not the - actual client IP. - ''; - }; - - resources = mkOption { - type = types.listOf (types.submodule { - options = { - names = mkOption { - type = types.listOf (types.enum [ - "client" - "consent" - "federation" - "keys" - "media" - "metrics" - "openid" - "replication" - "static" - ]); - description = lib.mdDoc '' - List of resources to host on this listener. - ''; - example = [ - "client" - ]; - }; - compress = mkOption { - type = types.bool; - description = lib.mdDoc '' - Should synapse compress HTTP responses to clients that support it? - This should be disabled if running synapse behind a load balancer - that can do automatic compression. - ''; - }; - }; - }); - description = lib.mdDoc '' - List of HTTP resources to serve on this listener. - ''; - }; - }; - }); - default = [ { + type = types.listOf (listenerType false); + default = [{ port = 8008; bind_addresses = [ "127.0.0.1" ]; type = "http"; tls = false; x_forwarded = true; - resources = [ { + resources = [{ names = [ "client" ]; compress = true; } { names = [ "federation" ]; compress = false; - } ]; - } ]; + }]; + }] ++ lib.optional hasWorkers { + port = 9093; + bind_addresses = [ "127.0.0.1" ]; + type = "http"; + tls = false; + x_forwarded = false; + resources = [{ + names = [ "replication" ]; + compress = false; + }]; + }; description = lib.mdDoc '' List of ports that Synapse should listen on, their purpose and their configuration. + + By default, synapse will be configured for client and federation traffic on port 8008, and + for worker replication traffic on port 9093. See [`services.matrix-synapse.workers`](#opt-services.matrix-synapse.workers) + for more details. ''; }; @@ -534,7 +595,7 @@ in { default = if versionAtLeast config.system.stateVersion "18.03" then "psycopg2" else "sqlite3"; - defaultText = literalExpression '' + defaultText = literalExpression '' if versionAtLeast config.system.stateVersion "18.03" then "psycopg2" else "sqlite3" @@ -551,10 +612,10 @@ in { psycopg2 = "matrix-synapse"; }.${cfg.settings.database.name}; defaultText = literalExpression '' - { - sqlite3 = "''${${options.services.matrix-synapse.dataDir}}/homeserver.db"; - psycopg2 = "matrix-synapse"; - }.''${${options.services.matrix-synapse.settings}.database.name}; + { + sqlite3 = "''${${options.services.matrix-synapse.dataDir}}/homeserver.db"; + psycopg2 = "matrix-synapse"; + }.''${${options.services.matrix-synapse.settings}.database.name}; ''; description = lib.mdDoc '' Name of the database when using the psycopg2 backend, @@ -622,7 +683,7 @@ in { url_preview_ip_range_whitelist = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = lib.mdDoc '' List of IP address CIDR ranges that the URL preview spider is allowed to access even if they are specified in url_preview_ip_range_blacklist. @@ -630,8 +691,27 @@ in { }; url_preview_url_blacklist = mkOption { - type = types.listOf types.str; - default = []; + # FIXME revert to just `listOf (attrsOf str)` after some time(tm). + type = types.listOf ( + types.coercedTo + types.str + (const (throw '' + Setting `config.services.matrix-synapse.settings.url_preview_url_blacklist` + to a list of strings has never worked. Due to a bug, this was the type accepted + by the module, but in practice it broke on runtime and as a result, no URL + preview worked anywhere if this was set. + + See https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_url_blacklist + on how to configure it properly. + '')) + (types.attrsOf types.str)); + default = [ ]; + example = literalExpression '' + [ + { scheme = "http"; } # no http previews + { netloc = "www.acme.com"; path = "/foo"; } # block http(s)://www.acme.com/foo + ] + ''; description = lib.mdDoc '' Optional list of URL matches that the URL preview spider is denied from accessing. @@ -671,7 +751,7 @@ in { turn_uris = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; example = [ "turn:turn.example.com:3487?transport=udp" "turn:turn.example.com:3487?transport=tcp" @@ -708,12 +788,12 @@ in { }; }; }); - default = [ { + default = [{ server_name = "matrix.org"; verify_keys = { "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; }; - } ]; + }]; description = lib.mdDoc '' The trusted servers to download signing keys from. ''; @@ -727,13 +807,114 @@ in { ''; }; + redis = lib.mkOption { + type = types.submodule { + freeformType = format.type; + options = { + enabled = lib.mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to use redis support + ''; + }; + }; + }; + default = { }; + description = lib.mdDoc '' + Redis configuration for synapse. + + See the + [upstream documentation](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/usage/configuration/config_documentation.md#redis) + for available options. + ''; + }; }; }; }; + workers = lib.mkOption { + default = { }; + description = lib.mdDoc '' + Options for configuring workers. Worker support will be enabled if at least one worker is configured here. + + See the [worker documention](https://matrix-org.github.io/synapse/latest/workers.html#worker-configuration) + for possible options for each worker. Worker-specific options overriding the shared homeserver configuration can be + specified here for each worker. + + ::: {.note} + Worker support will add a replication listener on port 9093 to the main synapse process using the default + value of [`services.matrix-synapse.settings.listeners`](#opt-services.matrix-synapse.settings.listeners) and configure that + listener as `services.matrix-synapse.settings.instance_map.main`. + If you set either of those options, make sure to configure a replication listener yourself. + + A redis server is required for running workers. A local one can be enabled + using [`services.matrix-synapse.configureRedisLocally`](#opt-services.matrix-synapse.configureRedisLocally). + + Workers also require a proper reverse proxy setup to direct incoming requests to the appropriate process. See + the [reverse proxy documentation](https://matrix-org.github.io/synapse/latest/reverse_proxy.html) for a + general reverse proxying setup and + the [worker documentation](https://matrix-org.github.io/synapse/latest/workers.html#available-worker-applications) + for the available endpoints per worker application. + ::: + ''; + type = types.attrsOf (types.submodule ({name, ...}: { + freeformType = format.type; + options = { + worker_app = lib.mkOption { + type = types.enum [ + "synapse.app.generic_worker" + "synapse.app.media_repository" + ]; + description = "Type of this worker"; + default = "synapse.app.generic_worker"; + }; + worker_listeners = lib.mkOption { + default = [ ]; + type = types.listOf (listenerType true); + description = lib.mdDoc '' + List of ports that this worker should listen on, their purpose and their configuration. + ''; + }; + worker_log_config = lib.mkOption { + type = types.path; + default = genLogConfigFile "synapse-${name}"; + defaultText = logConfigText "synapse-${name}"; + description = lib.mdDoc '' + The file for log configuration. + + See the [python documentation](https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema) + for the schema and the [upstream repository](https://github.com/matrix-org/synapse/blob/v${pkgs.matrix-synapse-unwrapped.version}/docs/sample_log_config.yaml) + for an example. + ''; + }; + }; + })); + default = { }; + example = lib.literalExpression '' + { + "federation_sender" = { }; + "federation_receiver" = { + worker_listeners = [ + { + type = "http"; + port = 8009; + bind_addresses = [ "127.0.0.1" ]; + tls = false; + x_forwarded = true; + resources = [{ + names = [ "federation" ]; + }]; + } + ]; + }; + } + ''; + }; + extraConfigFiles = mkOption { type = types.listOf types.path; - default = []; + default = [ ]; description = lib.mdDoc '' Extra config files to include. @@ -743,12 +924,21 @@ in { NixOps is in use. ''; }; + + configureRedisLocally = lib.mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to automatically configure a local redis server for matrix-synapse. + ''; + }; }; }; config = mkIf cfg.enable { assertions = [ - { assertion = hasLocalPostgresDB -> config.services.postgresql.enable; + { + assertion = hasLocalPostgresDB -> config.services.postgresql.enable; message = '' Cannot deploy matrix-synapse with a configuration for a local postgresql database and a missing postgresql service. Since 20.03 it's mandatory to manually configure the @@ -764,8 +954,47 @@ in { For further information about this update, please read the release-notes of 20.03 carefully. ''; } + { + assertion = hasWorkers -> cfg.settings.redis.enabled; + message = '' + Workers for matrix-synapse require configuring a redis instance. This can be done + automatically by setting `services.matrix-synapse.configureRedisLocally = true`. + ''; + } + { + assertion = + let + main = cfg.settings.instance_map.main; + listener = lib.findFirst + ( + listener: + listener.port == main.port + && (lib.any (resource: builtins.elem "replication" resource.names) listener.resources) + && (lib.any (bind: bind == main.host || bind == "0.0.0.0" || bind == "::") listener.bind_addresses) + ) + null + cfg.settings.listeners; + in + hasWorkers -> (listener != null); + message = '' + Workers for matrix-synapse require setting `services.matrix-synapse.settings.instance_map.main` + to any listener configured in `services.matrix-synapse.settings.listeners` with a `"replication"` + resource. + + This is done by default unless you manually configure either of those settings. + ''; + } ]; + services.matrix-synapse.settings.redis = lib.mkIf cfg.configureRedisLocally { + enabled = true; + path = config.services.redis.servers.matrix-synapse.unixSocket; + }; + services.matrix-synapse.settings.instance_map.main = lib.mkIf hasWorkers (lib.mkDefault { + host = "127.0.0.1"; + port = 9093; + }); + services.matrix-synapse.configFile = configFile; services.matrix-synapse.package = wrapped; @@ -784,64 +1013,124 @@ in { gid = config.ids.gids.matrix-synapse; }; - systemd.services.matrix-synapse = { - description = "Synapse Matrix homeserver"; + systemd.targets.matrix-synapse = lib.mkIf hasWorkers { + description = "Synapse Matrix parent target"; after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service"; wantedBy = [ "multi-user.target" ]; - preStart = '' - ${cfg.package}/bin/synapse_homeserver \ - --config-path ${configFile} \ - --keys-directory ${cfg.dataDir} \ - --generate-keys - ''; - environment = optionalAttrs (cfg.withJemalloc) { - LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so"; - }; - serviceConfig = { - Type = "notify"; - User = "matrix-synapse"; - Group = "matrix-synapse"; - WorkingDirectory = cfg.dataDir; - ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" '' - chown matrix-synapse:matrix-synapse ${cfg.settings.signing_key_path} - chmod 0600 ${cfg.settings.signing_key_path} - '')) ]; - ExecStart = '' - ${cfg.package}/bin/synapse_homeserver \ - ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) } - --keys-directory ${cfg.dataDir} - ''; - ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; - Restart = "on-failure"; - UMask = "0077"; - - # Security Hardening - # Refer to systemd.exec(5) for option descriptions. - CapabilityBoundingSet = [ "" ]; - LockPersonality = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProcSubset = "pid"; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - ReadWritePaths = [ cfg.dataDir ]; - RemoveIPC = true; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; - }; + }; + + systemd.services = + let + targetConfig = + if hasWorkers + then { + partOf = [ "matrix-synapse.target" ]; + wantedBy = [ "matrix-synapse.target" ]; + unitConfig.ReloadPropagatedFrom = "matrix-synapse.target"; + } + else { + after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service"; + wantedBy = [ "multi-user.target" ]; + }; + baseServiceConfig = { + environment = optionalAttrs (cfg.withJemalloc) { + LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so"; + }; + serviceConfig = { + Type = "notify"; + User = "matrix-synapse"; + Group = "matrix-synapse"; + WorkingDirectory = cfg.dataDir; + ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; + Restart = "on-failure"; + UMask = "0077"; + + # Security Hardening + # Refer to systemd.exec(5) for option descriptions. + CapabilityBoundingSet = [ "" ]; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ cfg.dataDir ]; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; + }; + } + // targetConfig; + genWorkerService = name: workerCfg: + let + finalWorkerCfg = workerCfg // { worker_name = name; }; + workerConfigFile = format.generate "worker-${name}.yaml" finalWorkerCfg; + in + { + name = "matrix-synapse-worker-${name}"; + value = lib.mkMerge [ + baseServiceConfig + { + description = "Synapse Matrix worker ${name}"; + # make sure the main process starts first for potential database migrations + after = [ "matrix-synapse.service" ]; + requires = [ "matrix-synapse.service" ]; + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/synapse_worker \ + ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile workerConfigFile ] ++ cfg.extraConfigFiles) } + --keys-directory ${cfg.dataDir} + ''; + }; + } + ]; + }; + in + { + matrix-synapse = lib.mkMerge [ + baseServiceConfig + { + description = "Synapse Matrix homeserver"; + preStart = '' + ${cfg.package}/bin/synapse_homeserver \ + --config-path ${configFile} \ + --keys-directory ${cfg.dataDir} \ + --generate-keys + ''; + serviceConfig = { + ExecStartPre = [ + ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" '' + chown matrix-synapse:matrix-synapse ${cfg.settings.signing_key_path} + chmod 0600 ${cfg.settings.signing_key_path} + '')) + ]; + ExecStart = '' + ${cfg.package}/bin/synapse_homeserver \ + ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) } + --keys-directory ${cfg.dataDir} + ''; + }; + } + ]; + } + // (lib.mapAttrs' genWorkerService cfg.workers); + + services.redis.servers.matrix-synapse = lib.mkIf cfg.configureRedisLocally { + enable = true; + user = "matrix-synapse"; }; environment.systemPackages = [ registerNewMatrixUser ]; diff --git a/nixos/modules/services/misc/cfdyndns.nix b/nixos/modules/services/misc/cfdyndns.nix index 5a02de2aad213..dba8ac2001514 100644 --- a/nixos/modules/services/misc/cfdyndns.nix +++ b/nixos/modules/services/misc/cfdyndns.nix @@ -60,8 +60,8 @@ in startAt = "*:0/5"; serviceConfig = { Type = "simple"; - User = config.ids.uids.cfdyndns; - Group = config.ids.gids.cfdyndns; + LoadCredential = lib.optional (cfg.apiTokenFile != null) "CLOUDFLARE_APITOKEN_FILE:${cfg.apiTokenFile}"; + DynamicUser = true; }; environment = { CLOUDFLARE_RECORDS="${concatStringsSep "," cfg.records}"; @@ -72,23 +72,10 @@ in export CLOUDFLARE_EMAIL="${cfg.email}" ''} ${optionalString (cfg.apiTokenFile != null) '' - export CLOUDFLARE_APITOKEN="$(cat ${escapeShellArg cfg.apiTokenFile})" + export CLOUDFLARE_APITOKEN=$(${pkgs.systemd}/bin/systemd-creds cat CLOUDFLARE_APITOKEN_FILE) ''} ${pkgs.cfdyndns}/bin/cfdyndns ''; }; - - users.users = { - cfdyndns = { - group = "cfdyndns"; - uid = config.ids.uids.cfdyndns; - }; - }; - - users.groups = { - cfdyndns = { - gid = config.ids.gids.cfdyndns; - }; - }; }; } diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 2a4483199d7dd..43fdc09f45592 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -46,7 +46,8 @@ in config = mkIf cfg.enable { systemd.services.jellyfin = { description = "Jellyfin Media Server"; - after = [ "network.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; # This is mostly follows: https://github.com/jellyfin/jellyfin/blob/master/fedora/jellyfin.service diff --git a/nixos/modules/services/monitoring/below.nix b/nixos/modules/services/monitoring/below.nix index 92ee3882cac87..4a7135162ac44 100644 --- a/nixos/modules/services/monitoring/below.nix +++ b/nixos/modules/services/monitoring/below.nix @@ -103,4 +103,6 @@ in { }; }; }; + + meta.maintainers = with lib.maintainers; [ nicoo ]; } diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 571b9a3aeebd1..e90a0e9d16db6 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -88,26 +88,6 @@ let # Get a submodule without any embedded metadata: _filter = x: filterAttrs (k: v: k != "_module") x; - # FIXME(@Ma27) remove before 23.05. This is just a helper-type - # because `mkRenamedOptionModule` doesn't work if `foo.bar` is renamed - # to `foo.bar.baz`. - submodule' = module: types.coercedTo - (mkOptionType { - name = "grafana-provision-submodule"; - description = "Wrapper-type for backwards compat of Grafana's declarative provisioning"; - check = x: - if builtins.isList x then - throw '' - Provisioning dashboards and datasources declaratively by - setting `dashboards` or `datasources` to a list is not supported - anymore. Use `services.grafana.provision.datasources.settings.datasources` - (or `services.grafana.provision.dashboards.settings.providers`) instead. - '' - else isAttrs x || isFunction x; - }) - id - (types.submodule module); - # http://docs.grafana.org/administration/provisioning/#datasources grafanaTypes.datasourceConfig = types.submodule { freeformType = provisioningSettingsFormat.type; @@ -1160,7 +1140,7 @@ in Declaratively provision Grafana's datasources. ''; default = { }; - type = submodule' { + type = types.submodule { options.settings = mkOption { description = lib.mdDoc '' Grafana datasource configuration in Nix. Can't be used with @@ -1235,7 +1215,7 @@ in Declaratively provision Grafana's dashboards. ''; default = { }; - type = submodule' { + type = types.submodule { options.settings = mkOption { description = lib.mdDoc '' Grafana dashboard configuration in Nix. Can't be used with diff --git a/nixos/modules/services/networking/frp.nix b/nixos/modules/services/networking/frp.nix new file mode 100644 index 0000000000000..09d2b77363024 --- /dev/null +++ b/nixos/modules/services/networking/frp.nix @@ -0,0 +1,93 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.frp; + settingsFormat = pkgs.formats.ini { }; + configFile = settingsFormat.generate "frp.ini" cfg.settings; + isClient = (cfg.role == "client"); + isServer = (cfg.role == "server"); +in +{ + options = { + services.frp = { + enable = mkEnableOption (mdDoc "frp"); + + package = mkPackageOptionMD pkgs "frp" { }; + + role = mkOption { + type = types.enum [ "server" "client" ]; + description = mdDoc '' + The frp consists of `client` and `server`. The server is usually + deployed on the machine with a public IP address, and + the client is usually deployed on the machine + where the Intranet service to be penetrated resides. + ''; + }; + + settings = mkOption { + type = settingsFormat.type; + default = { }; + description = mdDoc '' + Frp configuration, for configuration options + see the example of [client](https://github.com/fatedier/frp/blob/dev/conf/frpc_full.ini) + or [server](https://github.com/fatedier/frp/blob/dev/conf/frps_full.ini) on github. + ''; + example = literalExpression '' + { + common = { + server_addr = "x.x.x.x"; + server_port = 7000; + }; + } + ''; + }; + }; + }; + + config = + let + serviceCapability = optionals isServer [ "CAP_NET_BIND_SERVICE" ]; + executableFile = if isClient then "frpc" else "frps"; + in + mkIf cfg.enable { + systemd.services = { + frp = { + wants = optionals isClient [ "network-online.target" ]; + after = if isClient then [ "network-online.target" ] else [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + description = "A fast reverse proxy frp ${cfg.role}"; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + RestartSec = 15; + ExecStart = "${cfg.package}/bin/${executableFile} -c ${configFile}"; + StateDirectoryMode = optionalString isServer "0700"; + DynamicUser = true; + # Hardening + UMask = optionalString isServer "0007"; + CapabilityBoundingSet = serviceCapability; + AmbientCapabilities = serviceCapability; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ] ++ optionals isClient [ "AF_UNIX" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" ]; + }; + }; + }; + }; + + meta.maintainers = with maintainers; [ zaldnoay ]; +} diff --git a/nixos/modules/services/networking/frr.nix b/nixos/modules/services/networking/frr.nix index d350fe3548ae1..8488a4e4ef481 100644 --- a/nixos/modules/services/networking/frr.nix +++ b/nixos/modules/services/networking/frr.nix @@ -23,6 +23,7 @@ let "pbr" "bfd" "fabric" + "mgmt" ]; allServices = services ++ [ "zebra" ]; diff --git a/nixos/modules/services/networking/tedicross.nix b/nixos/modules/services/networking/tedicross.nix deleted file mode 100644 index cee7e11f4fb15..0000000000000 --- a/nixos/modules/services/networking/tedicross.nix +++ /dev/null @@ -1,100 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - dataDir = "/var/lib/tedicross"; - cfg = config.services.tedicross; - configJSON = pkgs.writeText "tedicross-settings.json" (builtins.toJSON cfg.config); - configYAML = pkgs.runCommand "tedicross-settings.yaml" { preferLocalBuild = true; } '' - ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out - ''; - -in { - options = { - services.tedicross = { - enable = mkEnableOption (lib.mdDoc "the TediCross Telegram-Discord bridge service"); - - config = mkOption { - type = types.attrs; - # from https://github.com/TediCross/TediCross/blob/master/example.settings.yaml - example = literalExpression '' - { - telegram = { - useFirstNameInsteadOfUsername = false; - colonAfterSenderName = false; - skipOldMessages = true; - sendEmojiWithStickers = true; - }; - discord = { - useNickname = false; - skipOldMessages = true; - displayTelegramReplies = "embed"; - replyLength = 100; - }; - bridges = [ - { - name = "Default bridge"; - direction = "both"; - telegram = { - chatId = -123456789; - relayJoinMessages = true; - relayLeaveMessages = true; - sendUsernames = true; - ignoreCommands = true; - }; - discord = { - serverId = "DISCORD_SERVER_ID"; - channelId = "DISCORD_CHANNEL_ID"; - relayJoinMessages = true; - relayLeaveMessages = true; - sendUsernames = true; - crossDeleteOnTelegram = true; - }; - } - ]; - - debug = false; - } - ''; - description = lib.mdDoc '' - {file}`settings.yaml` configuration as a Nix attribute set. - Secret tokens should be specified using {option}`environmentFile` - instead of this world-readable file. - ''; - }; - - environmentFile = mkOption { - type = types.nullOr types.path; - default = null; - description = lib.mdDoc '' - File containing environment variables to be passed to the TediCross service, - in which secret tokens can be specified securely using the - `TELEGRAM_BOT_TOKEN` and `DISCORD_BOT_TOKEN` - keys. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - # from https://github.com/TediCross/TediCross/blob/master/guides/autostart/Linux.md - systemd.services.tedicross = { - description = "TediCross Telegram-Discord bridge service"; - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.nodePackages.tedicross}/bin/tedicross --config='${configYAML}' --data-dir='${dataDir}'"; - Restart = "always"; - DynamicUser = true; - StateDirectory = baseNameOf dataDir; - EnvironmentFile = cfg.environmentFile; - }; - }; - }; - - meta.maintainers = with maintainers; [ pacien ]; -} - diff --git a/nixos/modules/services/web-apps/mobilizon.nix b/nixos/modules/services/web-apps/mobilizon.nix index 4e796e2bc80cf..e9264a38f0e61 100644 --- a/nixos/modules/services/web-apps/mobilizon.nix +++ b/nixos/modules/services/web-apps/mobilizon.nix @@ -60,13 +60,13 @@ in options = { services.mobilizon = { enable = mkEnableOption - "Mobilizon federated organization and mobilization platform"; + (lib.mdDoc "Mobilizon federated organization and mobilization platform"); nginx.enable = lib.mkOption { type = lib.types.bool; default = true; - description = '' - Whether an <literal>nginx</literal> virtual host should be + description = lib.mdDoc '' + Whether an Nginx virtual host should be set up to serve Mobilizon. ''; }; @@ -87,10 +87,10 @@ in "Mobilizon.Web.Endpoint" = { url.host = mkOption { type = elixirTypes.str; - defaultText = literalExpression '' + defaultText = lib.literalMD '' ''${settings.":mobilizon".":instance".hostname} ''; - description = '' + description = lib.mdDoc '' Your instance's hostname for generating URLs throughout the app ''; }; @@ -99,14 +99,14 @@ in port = mkOption { type = elixirTypes.port; default = 4000; - description = '' + description = lib.mdDoc '' The port to run the server ''; }; ip = mkOption { type = elixirTypes.tuple; default = settingsFormat.lib.mkTuple [ 0 0 0 0 0 0 0 1 ]; - description = '' + description = lib.mdDoc '' The IP address to listen on. Defaults to [::1] notated as a byte tuple. ''; }; @@ -115,7 +115,7 @@ in has_reverse_proxy = mkOption { type = elixirTypes.bool; default = true; - description = '' + description = lib.mdDoc '' Whether you use a reverse proxy ''; }; @@ -124,14 +124,14 @@ in ":instance" = { name = mkOption { type = elixirTypes.str; - description = '' + description = lib.mdDoc '' The fallback instance name if not configured into the admin UI ''; }; hostname = mkOption { type = elixirTypes.str; - description = '' + description = lib.mdDoc '' Your instance's hostname ''; }; @@ -141,7 +141,7 @@ in defaultText = literalExpression '' noreply@''${settings.":mobilizon".":instance".hostname} ''; - description = '' + description = lib.mdDoc '' The email for the From: header in emails ''; }; @@ -151,7 +151,7 @@ in defaultText = literalExpression '' ''${email_from} ''; - description = '' + description = lib.mdDoc '' The email for the Reply-To: header in emails ''; }; @@ -161,7 +161,7 @@ in socket_dir = mkOption { type = types.nullOr elixirTypes.str; default = postgresqlSocketDir; - description = '' + description = lib.mdDoc '' Path to the postgres socket directory. Set this to null if you want to connect to a remote database. @@ -171,14 +171,14 @@ in If connecting to a remote database, please follow the instructions on how to setup your database: - <link xlink:href="https://docs.joinmobilizon.org/administration/install/release/#database-setup"/> + <https://docs.joinmobilizon.org/administration/install/release/#database-setup> ''; }; username = mkOption { type = types.nullOr elixirTypes.str; default = user; - description = '' + description = lib.mdDoc '' User used to connect to the database ''; }; @@ -186,7 +186,7 @@ in database = mkOption { type = types.nullOr elixirTypes.str; default = "mobilizon_prod"; - description = '' + description = lib.mdDoc '' Name of the database ''; }; @@ -196,9 +196,9 @@ in }; default = { }; - description = '' + description = lib.mdDoc '' Mobilizon Elixir documentation, see - <link xlink:href="https://docs.joinmobilizon.org/administration/configure/reference/"/> + <https://docs.joinmobilizon.org/administration/configure/reference/> for supported values. ''; }; diff --git a/nixos/modules/services/web-servers/caddy/default.nix b/nixos/modules/services/web-servers/caddy/default.nix index cec0b379f67ae..ce74e243a1818 100644 --- a/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixos/modules/services/web-servers/caddy/default.nix @@ -36,6 +36,7 @@ let ${cfg.globalConfig} } ${cfg.extraConfig} + ${concatMapStringsSep "\n" mkVHostConf virtualHosts} ''; Caddyfile-formatted = pkgs.runCommand "Caddyfile-formatted" { nativeBuildInputs = [ cfg.package ]; } '' @@ -340,7 +341,6 @@ in groups = config.users.groups; }) acmeHosts; - services.caddy.extraConfig = concatMapStringsSep "\n" mkVHostConf virtualHosts; services.caddy.globalConfig = '' ${optionalString (cfg.email != null) "email ${cfg.email}"} ${optionalString (cfg.acmeCA != null) "acme_ca ${cfg.acmeCA}"} diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index dc3fe163116e1..06c329e006b84 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -351,6 +351,12 @@ let new_response="$(ykchalresp -${toString dev.yubikey.slot} -x $new_challenge 2>/dev/null)" + if [ -z "$new_response" ]; then + echo "Warning: Unable to generate new challenge response, current challenge persists!" + umount /crypt-storage + return + fi + if [ ! -z "$k_user" ]; then new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $new_iterations $new_response | rbtohex)" else diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 4e7201833db6b..b898a63179624 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -66,7 +66,7 @@ in }; services.resolved.dnssec = mkOption { - default = "allow-downgrade"; + default = "false"; example = "true"; type = types.enum [ "true" "allow-downgrade" "false" ]; description = lib.mdDoc '' @@ -85,6 +85,12 @@ in synthesizing a DNS response that suggests DNSSEC was not supported. - `"false"`: DNS lookups are not DNSSEC validated. + + At the time of September 2023, systemd upstream advise + to disable DNSSEC by default as the current code + is not robust enough to deal with "in the wild" non-compliant + servers, which will usually give you a broken bad experience + in addition of insecure. ''; }; diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 7aaa3f85bfe0e..a3551f68dbe89 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -123,7 +123,7 @@ let # ZFS properties such as `setuid=off` and `exec=off` (unless manually # duplicated in `fileSystems.*.options`, defeating "zfsutil"'s purpose). copy_bin_and_libs ${lib.getOutput "mount" pkgs.util-linux}/bin/mount - copy_bin_and_libs ${pkgs.zfs}/bin/mount.zfs + copy_bin_and_libs ${config.boot.zfs.package}/bin/mount.zfs ''} # Copy some util-linux stuff. diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 21d604bee6e3f..5cf863c87f27c 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -662,6 +662,11 @@ in ]; }; + # ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when I nix build something. + services.udev.extraRules = '' + ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none" + ''; + environment.etc = genAttrs (map (file: "zfs/zed.d/${file}") diff --git a/nixos/modules/tasks/swraid.nix b/nixos/modules/tasks/swraid.nix index 1174187062d74..61b3682e0f68e 100644 --- a/nixos/modules/tasks/swraid.nix +++ b/nixos/modules/tasks/swraid.nix @@ -4,6 +4,11 @@ mdadm_conf = config.environment.etc."mdadm.conf"; + enable_implicitly_for_old_state_versions = lib.versionOlder config.system.stateVersion "23.11"; + + minimum_config_is_set = config_text: + (builtins.match ".*(MAILADDR|PROGRAM).*" mdadm_conf.text) != null; + in { imports = [ (lib.mkRenamedOptionModule [ "boot" "initrd" "services" "swraid" "enable" ] [ "boot" "swraid" "enable" ]) @@ -26,7 +31,7 @@ in { should detect it correctly in the standard installation procedure. ''; - default = lib.versionOlder config.system.stateVersion "23.11"; + default = enable_implicitly_for_old_state_versions; defaultText = lib.mdDoc "`true` if stateVersion is older than 23.11"; }; @@ -39,7 +44,7 @@ in { config = lib.mkIf cfg.enable { warnings = lib.mkIf - ((builtins.match ".*(MAILADDR|PROGRAM).*" mdadm_conf.text) == null) + ( !enable_implicitly_for_old_state_versions && !minimum_config_is_set mdadm_conf) [ "mdadm: Neither MAILADDR nor PROGRAM has been set. This will cause the `mdmon` service to crash." ]; environment.systemPackages = [ pkgs.mdadm ]; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index d0a5ddd87ccf6..74c3e1ecd03f2 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -647,7 +647,7 @@ in import pkgs.path { system = "x86_64-darwin"; } ''; description = lib.mdDoc '' - pkgs set to use for the host-specific packages of the vm runner. + Package set to use for the host-specific packages of the VM runner. Changing this to e.g. a Darwin package set allows running NixOS VMs on Darwin. ''; }; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 30ea7c70026f4..0574c1db87544 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -290,6 +290,7 @@ in { freshrss-sqlite = handleTest ./freshrss-sqlite.nix {}; freshrss-pgsql = handleTest ./freshrss-pgsql.nix {}; frigate = handleTest ./frigate.nix {}; + frp = handleTest ./frp.nix {}; frr = handleTest ./frr.nix {}; fsck = handleTest ./fsck.nix {}; fsck-systemd-stage-1 = handleTest ./fsck.nix { systemdStage1 = true; }; @@ -467,6 +468,7 @@ in { matrix-appservice-irc = handleTest ./matrix/appservice-irc.nix {}; matrix-conduit = handleTest ./matrix/conduit.nix {}; matrix-synapse = handleTest ./matrix/synapse.nix {}; + matrix-synapse-workers = handleTest ./matrix/synapse-workers.nix {}; mattermost = handleTest ./mattermost.nix {}; mediamtx = handleTest ./mediamtx.nix {}; mediatomb = handleTest ./mediatomb.nix {}; diff --git a/nixos/tests/anbox.nix b/nixos/tests/anbox.nix index d78f63ec761fc..dfd6c13d93181 100644 --- a/nixos/tests/anbox.nix +++ b/nixos/tests/anbox.nix @@ -16,10 +16,6 @@ virtualisation.anbox.enable = true; boot.kernelPackages = pkgs.linuxPackages_5_15; - - # The AArch64 anbox image will not start. - # Meanwhile the postmarketOS images work just fine. - virtualisation.anbox.image = pkgs.anbox.postmarketos-image; virtualisation.memorySize = 2500; }; diff --git a/nixos/tests/discourse.nix b/nixos/tests/discourse.nix index c79ba41c2eb9c..3e69a314905cc 100644 --- a/nixos/tests/discourse.nix +++ b/nixos/tests/discourse.nix @@ -166,7 +166,7 @@ import ./make-test-python.nix ( request = builtins.toJSON { title = "Private message"; raw = "This is a test message."; - target_usernames = admin.username; + target_recipients = admin.username; archetype = "private_message"; }; in '' diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 44b583ebcea55..fcdfa586fd55d 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -55,7 +55,7 @@ in { nodes = { docker = { ... }: { virtualisation = { - diskSize = 2048; + diskSize = 3072; docker.enable = true; }; }; diff --git a/nixos/tests/frp.nix b/nixos/tests/frp.nix new file mode 100644 index 0000000000000..2f5c0f8ec933b --- /dev/null +++ b/nixos/tests/frp.nix @@ -0,0 +1,86 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "frp"; + meta.maintainers = with lib.maintainers; [ zaldnoay janik ]; + nodes = { + frps = { + networking = { + useNetworkd = true; + useDHCP = false; + firewall.enable = false; + }; + + systemd.network.networks."01-eth1" = { + name = "eth1"; + networkConfig.Address = "10.0.0.1/24"; + }; + + services.frp = { + enable = true; + role = "server"; + settings = { + common = { + bind_port = 7000; + vhost_http_port = 80; + }; + }; + }; + }; + + + frpc = { + networking = { + useNetworkd = true; + useDHCP = false; + }; + + systemd.network.networks."01-eth1" = { + name = "eth1"; + networkConfig.Address = "10.0.0.2/24"; + }; + + services.httpd = { + enable = true; + adminAddr = "admin@example.com"; + virtualHosts."test-appication" = + let + testdir = pkgs.writeTextDir "web/index.php" "<?php phpinfo();"; + in + { + documentRoot = "${testdir}/web"; + locations."/" = { + index = "index.php index.html"; + }; + }; + phpPackage = pkgs.php81; + enablePHP = true; + }; + + services.frp = { + enable = true; + role = "client"; + settings = { + common = { + server_addr = "10.0.0.1"; + server_port = 7000; + }; + web = { + type = "http"; + local_port = 80; + custom_domains = "10.0.0.1"; + }; + }; + }; + }; + }; + + testScript = '' + start_all() + frps.wait_for_unit("frp.service") + frps.wait_for_open_port(80) + frpc.wait_for_unit("frp.service") + response = frpc.succeed("curl -fvvv -s http://127.0.0.1/") + assert "PHP Version ${pkgs.php81.version}" in response, "PHP version not detected" + response = frpc.succeed("curl -fvvv -s http://10.0.0.1/") + assert "PHP Version ${pkgs.php81.version}" in response, "PHP version not detected" + ''; +}) diff --git a/nixos/tests/matrix/synapse-workers.nix b/nixos/tests/matrix/synapse-workers.nix new file mode 100644 index 0000000000000..e90301aeae9e4 --- /dev/null +++ b/nixos/tests/matrix/synapse-workers.nix @@ -0,0 +1,50 @@ +import ../make-test-python.nix ({ pkgs, ... }: { + name = "matrix-synapse-workers"; + meta = with pkgs.lib; { + maintainers = teams.matrix.members; + }; + + nodes = { + homeserver = + { pkgs + , nodes + , ... + }: { + services.postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + + services.matrix-synapse = { + enable = true; + settings = { + database = { + name = "psycopg2"; + args.password = "synapse"; + }; + enable_registration = true; + enable_registration_without_verification = true; + + federation_sender_instances = [ "federation_sender" ]; + }; + configureRedisLocally = true; + workers = { + "federation_sender" = { }; + }; + }; + }; + }; + + testScript = '' + start_all() + + homeserver.wait_for_unit("matrix-synapse.service"); + homeserver.wait_for_unit("matrix-synapse-worker-federation_sender.service"); + ''; +}) diff --git a/nixos/tests/zfs.nix b/nixos/tests/zfs.nix index 8e52e00657456..800f5e43cd15c 100644 --- a/nixos/tests/zfs.nix +++ b/nixos/tests/zfs.nix @@ -113,6 +113,8 @@ let }; testScript = '' + # TODO: Remove this when upgrading stable to zfs 2.2.0 + unstable = ${if enableUnstable then "True" else "False"}; machine.wait_for_unit("multi-user.target") machine.succeed( "zpool status", @@ -133,9 +135,10 @@ let ) machine.crash() machine.wait_for_unit("multi-user.target") + machine.succeed("zfs set sharesmb=on rpool/shared_smb") + if not unstable: + machine.succeed("zfs share rpool/shared_smb") machine.succeed( - "zfs set sharesmb=on rpool/shared_smb", - "zfs share rpool/shared_smb", "smbclient -gNL localhost | grep rpool_shared_smb", "umount /tmp/mnt", "zpool destroy rpool", |