Diffstat (limited to 'nixos')
41 files changed, 237 insertions, 98 deletions
diff --git a/nixos/doc/manual/development/running-nixos-tests.section.md b/nixos/doc/manual/development/running-nixos-tests.section.md index d6a456f01883a..1bec023b613aa 100644 --- a/nixos/doc/manual/development/running-nixos-tests.section.md +++ b/nixos/doc/manual/development/running-nixos-tests.section.md @@ -24,8 +24,8 @@ After building/downloading all required dependencies, this will perform a build that starts a QEMU/KVM virtual machine containing a NixOS system. The virtual machine mounts the Nix store of the host; this makes VM creation very fast, as no disk image needs to be created. Afterwards, -you can view a pretty-printed log of the test: +you can view a log of the test: ```ShellSession -$ firefox result/log.html +$ nix-store --read-log result ``` diff --git a/nixos/doc/manual/from_md/development/running-nixos-tests.section.xml b/nixos/doc/manual/from_md/development/running-nixos-tests.section.xml index 7159b95b22b01..da2e5076c956d 100644 --- a/nixos/doc/manual/from_md/development/running-nixos-tests.section.xml +++ b/nixos/doc/manual/from_md/development/running-nixos-tests.section.xml @@ -26,9 +26,9 @@ machine: QEMU running (pid 8841) perform a build that starts a QEMU/KVM virtual machine containing a NixOS system. The virtual machine mounts the Nix store of the host; this makes VM creation very fast, as no disk image needs to be - created. Afterwards, you can view a pretty-printed log of the test: + created. Afterwards, you can view a log of the test: </para> <programlisting> -$ firefox result/log.html +$ nix-store --read-log result </programlisting> </section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index ab37b9f79615a..4824e01cd8acc 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
@@ -238,6 +238,13 @@ <link xlink:href="options.html#opt-services.headscale.enable">services.headscale</link> </para> </listitem> + <listitem> + <para> + <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>, + fast and lightweight DNS proxy as ad-blocker for local network + with many features. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-incompatibilities"> @@ -408,6 +415,15 @@ </listitem> <listitem> <para> + Ntopng (<literal>services.ntopng</literal>) is updated to + 5.2.1 and uses a separate Redis instance if + <literal>system.stateVersion</literal> is at least + <literal>22.05</literal>. Existing setups shouldn’t be + affected. + </para> + </listitem> + <listitem> + <para> The backward compatibility in <literal>services.wordpress</literal> to configure sites with the old interface has been removed. Please use @@ -681,6 +697,12 @@ </listitem> <listitem> <para> + The <literal>vpnc</literal> package has been changed to use + GnuTLS instead of OpenSSL by default for licensing reasons. + </para> + </listitem> + <listitem> + <para> <literal>pkgs.vimPlugins.onedark-nvim</literal> now refers to <link xlink:href="https://github.com/navarasu/onedark.nvim">navarasu/onedark.nvim</link> (formerly refers to @@ -930,6 +952,12 @@ </listitem> <listitem> <para> + The <link xlink:href="https://dino.im">Dino</link> XMPP client + was updated to 0.3, adding support for audio and video calls. + </para> + </listitem> + <listitem> + <para> <literal>services.mattermost.plugins</literal> has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf. diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 61b924f99677d..78240a4f50e2c 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -71,6 +71,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](options.html#opt-services.headscale.enable) +- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> ## Backward Incompatibilities {#sec-release-22.05-incompatibilities} @@ -134,6 +136,8 @@ In addition to numerous new and upgraded packages, this release has the followin - If you previously used `/etc/docker/daemon.json`, you need to incorporate the changes into the new option `virtualisation.docker.daemon.settings`. +- Ntopng (`services.ntopng`) is updated to 5.2.1 and uses a separate Redis instance if `system.stateVersion` is at least `22.05`. Existing setups shouldn't be affected. + - The backward compatibility in `services.wordpress` to configure sites with the old interface has been removed. Please use `services.wordpress.sites` instead. @@ -212,6 +216,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `lib.assertMsg` and `lib.assertOneOf` no longer return `false` if the passed condition is `false`, `throw`ing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for `assert` conditions. +- The `vpnc` package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons. + - `pkgs.vimPlugins.onedark-nvim` now refers to [navarasu/onedark.nvim](https://github.com/navarasu/onedark.nvim) (formerly refers to [olimorris/onedarkpro.nvim](https://github.com/olimorris/onedarkpro.nvim)). 
@@ -310,6 +316,8 @@ In addition to numerous new and upgraded packages, this release has the followin - A new module was added for the [Starship](https://starship.rs/) shell prompt, providing the options `programs.starship.enable` and `programs.starship.settings`. +- The [Dino](https://dino.im) XMPP client was updated to 0.3, adding support for audio and video calls. + - `services.mattermost.plugins` has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf. diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py index b730c4b44d7fc..569a0f3c61e48 100644 --- a/nixos/lib/test-driver/test_driver/machine.py +++ b/nixos/lib/test-driver/test_driver/machine.py @@ -241,9 +241,15 @@ class LegacyStartCommand(StartCommand): cdrom: Optional[str] = None, usb: Optional[str] = None, bios: Optional[str] = None, + qemuBinary: Optional[str] = None, qemuFlags: Optional[str] = None, ): - self._cmd = "qemu-kvm -m 384" + if qemuBinary is not None: + self._cmd = qemuBinary + else: + self._cmd = "qemu-kvm" + + self._cmd += " -m 384" # networking net_backend = "-netdev user,id=net0" @@ -381,6 +387,7 @@ class Machine: cdrom=args.get("cdrom"), usb=args.get("usb"), bios=args.get("bios"), + qemuBinary=args.get("qemuBinary"), qemuFlags=args.get("qemuFlags"), ) diff --git a/nixos/modules/hardware/network/b43.nix b/nixos/modules/hardware/network/b43.nix index e63f2d04d1a6f..eb03bf223ccfe 100644 --- a/nixos/modules/hardware/network/b43.nix +++ b/nixos/modules/hardware/network/b43.nix @@ -24,10 +24,6 @@ let kernelVersion = config.boot.kernelPackages.kernel.version; in ###### implementation config = mkIf config.networking.enableB43Firmware { - assertions = singleton - { assertion = lessThan 0 (builtins.compareVersions kernelVersion "3.2"); - message = "b43 firmware for kernels older than 3.2 not packaged yet!"; - }; hardware.firmware = [ pkgs.b43Firmware_5_1_138 ]; }; 
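Review bot: `qemuBinary` is spliced into the command string `self._cmd` unquoted, so a binary path containing whitespace or shell metacharacters would be split or reinterpreted if `_cmd` is later handed to a shell — which the original `"qemu-kvm -m 384"` string form suggests but this hunk does not show. The value comes from the test derivation's arguments rather than from an untrusted source, so this is robustness rather than an injection concern; `self._cmd = shlex.quote(qemuBinary) if qemuBinary is not None else "qemu-kvm"` (with `import shlex` at the top of the file) keeps it a single argv word and also collapses the four-line if/else. The `LegacyStartCommand.__init__` signature starts before the hunk, and the second hunk in `Machine` that threads `args.get("qemuBinary")` through is fine as is.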
diff --git a/nixos/modules/hardware/video/capture/mwprocapture.nix b/nixos/modules/hardware/video/capture/mwprocapture.nix index 61bab533edaf7..76cb4c6ee9bfe 100644 --- a/nixos/modules/hardware/video/capture/mwprocapture.nix +++ b/nixos/modules/hardware/video/capture/mwprocapture.nix @@ -16,11 +16,6 @@ in config = mkIf cfg.enable { - assertions = singleton { - assertion = versionAtLeast kernelPackages.kernel.version "3.2"; - message = "Magewell Pro Capture family module is not supported for kernels older than 3.2"; - }; - boot.kernelModules = [ "ProCapture" ]; environment.systemPackages = [ kernelPackages.mwprocapture ]; diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 12ad8a4ae0046..303493741f3d0 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -10,10 +10,10 @@ with lib; isoImage.edition = "gnome"; services.xserver.desktopManager.gnome = { - # Add firefox to favorite-apps + # Add Firefox and other tools useful for installation to the launcher favoriteAppsOverride = '' [org.gnome.shell] - favorite-apps=[ 'firefox.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ] + favorite-apps=[ 'firefox.desktop', 'nixos-manual.desktop', 'org.gnome.Terminal.desktop', 'org.gnome.Nautilus.desktop', 'gparted.desktop' ] ''; enable = true; }; diff --git a/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix b/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix index 8aedce2fb49ce..b4a94f62ad939 100644 --- a/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix +++ b/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix 
@@ -25,4 +25,7 @@ pkgs.runCommand "nixos-build-vms" { nativeBuildInputs = [ pkgs.makeWrapper ]; } ln -s ${interactiveDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms wrapProgram $out/bin/nixos-test-driver \ --add-flags "--interactive" + wrapProgram $out/bin/nixos-run-vms \ + --set testScript "${pkgs.writeText "start-all" "start_all(); join_all();"}" \ + --add-flags "--no-interactive" '' diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b6d9bd00629af..ca82ddfb58638 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -718,6 +718,7 @@ ./services/networking/bird.nix ./services/networking/bitlbee.nix ./services/networking/blockbook-frontend.nix + ./services/networking/blocky.nix ./services/networking/charybdis.nix ./services/networking/cjdns.nix ./services/networking/cntlm.nix diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 66a47bcaab6c9..e63f19010de8a 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -92,7 +92,6 @@ let , permissions , ... }: - assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"); '' cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}" echo -n "${source}" > "$wrapperDir/${program}.real" diff --git a/nixos/modules/services/backup/mysql-backup.nix b/nixos/modules/services/backup/mysql-backup.nix index 9fca21002733a..c40a0b5abc40e 100644 --- a/nixos/modules/services/backup/mysql-backup.nix +++ b/nixos/modules/services/backup/mysql-backup.nix @@ -113,9 +113,10 @@ in }; }; services.mysql-backup = { - description = "Mysql backup service"; + description = "MySQL backup service"; enable = true; serviceConfig = { + Type = "oneshot"; User = cfg.user; }; script = backupScript; diff --git a/nixos/modules/services/mail/postfixadmin.nix b/nixos/modules/services/mail/postfixadmin.nix index f5c8efb3076c4..a0846ad529020 100644 
--- a/nixos/modules/services/mail/postfixadmin.nix +++ b/nixos/modules/services/mail/postfixadmin.nix @@ -114,7 +114,7 @@ in location ~* \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${fpm.socket}; - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; } ''; diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix index ac192c56aa604..1dd393da88221 100644 --- a/nixos/modules/services/mail/roundcube.nix +++ b/nixos/modules/services/mail/roundcube.nix @@ -153,7 +153,7 @@ in location ~* \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${fpm.socket}; - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; } ''; diff --git a/nixos/modules/services/matrix/mjolnir.xml b/nixos/modules/services/matrix/mjolnir.xml index d462ddf7b01be..b07abe3397917 100644 --- a/nixos/modules/services/matrix/mjolnir.xml +++ b/nixos/modules/services/matrix/mjolnir.xml @@ -98,7 +98,7 @@ </para> <para> To use the Antispam Module, add <package>matrix-synapse-plugins.matrix-synapse-mjolnir-antispam</package> - to the Synapse plugin list and enable the <literal>mjolnir.AntiSpam</literal> module. + to the Synapse plugin list and enable the <literal>mjolnir.Module</literal> module. </para> <programlisting> { @@ -108,7 +108,7 @@ ]; extraConfig = '' modules: - - module: mjolnir.AntiSpam + - module: mjolnir.Module config: # Prevent servers/users in the ban lists from inviting users on this # server to rooms. Default true. diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 5a5c30a412330..2b9c6d80abbd7 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix 
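Review bot: The `include` for `fastcgi_params` now follows `config.services.nginx.package`, but the very next context line still reads `include ${pkgs.nginx}/conf/fastcgi.conf;`, so a user who overrides the nginx package gets parameter files from two different builds; the roundcube.nix hunk on this line has the same half-switch. Change it to `include ${config.services.nginx.package}/conf/fastcgi.conf;` in both modules. The other modules touched by this commit (sourcehut/git, zoneminder, dokuwiki, jirafeau, restya-board, rss-bridge, gitweb) only include `fastcgi_params`, so they are already consistent.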
@@ -39,9 +39,11 @@ in { default = "127.0.0.1"; description = '' The host name or IP address on which to bind Airsonic. - Only relevant if you have multiple network interfaces and want - to make Airsonic available on only one of them. The default value - will bind Airsonic to all available network interfaces. + The default value is appropriate for first launch, when the + default credentials are easy to guess. It is also appropriate + if you intend to use the virtualhost option in the service + module. In other cases, you may want to change this to a + specific IP or 0.0.0.0 to listen on all interfaces. ''; }; diff --git a/nixos/modules/services/misc/mbpfan.nix b/nixos/modules/services/misc/mbpfan.nix index d2b0f0da2ad92..e0a4d8a13e75f 100644 --- a/nixos/modules/services/misc/mbpfan.nix +++ b/nixos/modules/services/misc/mbpfan.nix @@ -6,7 +6,7 @@ let cfg = config.services.mbpfan; verbose = if cfg.verbose then "v" else ""; settingsFormat = pkgs.formats.ini {}; - settingsFile = settingsFormat.generate "config.conf" cfg.settings; + settingsFile = settingsFormat.generate "mbpfan.ini" cfg.settings; in { options.services.mbpfan = { 
@@ -36,29 +36,35 @@ in { freeformType = settingsFormat.type; options.general.min_fan1_speed = mkOption { - type = types.int; + type = types.nullOr types.int; default = 2000; - description = "The minimum fan speed."; + description = '' + The minimum fan speed. Setting to null enables automatic detection. + Check minimum fan limits with "cat /sys/devices/platform/applesmc.768/fan*_min". + ''; }; options.general.max_fan1_speed = mkOption { - type = types.int; + type = types.nullOr types.int; default = 6199; - description = "The maximum fan speed."; + description = '' + The maximum fan speed. Setting to null enables automatic detection. + Check maximum fan limits with "cat /sys/devices/platform/applesmc.768/fan*_max". + ''; }; options.general.low_temp = mkOption { type = types.int; default = 55; - description = "The low temperature."; + description = "Temperature below which fan speed will be at minimum. Try ranges 55-63."; }; options.general.high_temp = mkOption { type = types.int; default = 58; - description = "The high temperature."; + description = "Fan will increase speed when higher than this temperature. Try ranges 58-66."; }; options.general.max_temp = mkOption { type = types.int; default = 86; - description = "The maximum temperature."; + description = "Fan will run at full speed above this temperature. Do not set it > 90."; }; options.general.polling_interval = mkOption { type = types.int; diff --git a/nixos/modules/services/misc/mediatomb.nix b/nixos/modules/services/misc/mediatomb.nix index 360cdbac2a1e9..ee5c0ef8d277b 100644 --- a/nixos/modules/services/misc/mediatomb.nix +++ b/nixos/modules/services/misc/mediatomb.nix @@ -366,6 +366,7 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${binaryCommand} --port ${toString cfg.port} ${interfaceFlag} ${configFlag} --home ${cfg.dataDir}"; serviceConfig.User = cfg.user; + serviceConfig.Group = cfg.group; }; users.groups = optionalAttrs (cfg.group == "mediatomb") { 
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index a401458c41697..ca59ea2937833 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -762,7 +762,7 @@ in nix.settings = mkMerge [ { trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - substituters = [ "https://cache.nixos.org/" ]; + substituters = mkAfter [ "https://cache.nixos.org/" ]; system-features = mkDefault ( [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ diff --git a/nixos/modules/services/misc/sourcehut/git.nix b/nixos/modules/services/misc/sourcehut/git.nix index 5ce16df8cd87c..ff110905d1841 100644 --- a/nixos/modules/services/misc/sourcehut/git.nix +++ b/nixos/modules/services/misc/sourcehut/git.nix @@ -207,7 +207,7 @@ in fastcgi_param PATH_INFO $uri; fastcgi_param GIT_PROJECT_ROOT $document_root; fastcgi_read_timeout 500s; - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; gzip off; } ''; diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index a894caed1a34a..ff63c41e193c6 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -106,7 +106,7 @@ let certtool = "${pkgs.gnutls.bin}/bin/certtool"; - nixos-taskserver = pkgs.pythonPackages.buildPythonApplication { + nixos-taskserver = with pkgs.python2.pkgs; buildPythonApplication { name = "nixos-taskserver"; src = pkgs.runCommand "nixos-taskserver-src" { preferLocalBuild = true; } '' @@ -129,7 +129,7 @@ let EOF ''; - propagatedBuildInputs = [ pkgs.pythonPackages.click ]; + propagatedBuildInputs = [ click ]; }; in { 
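Review bot: `nixos-taskserver` is now pinned explicitly to `pkgs.python2.pkgs`, an interpreter that reached end of life in 2020 and receives no security fixes, for a helper whose surrounding `certtool` binding suggests it deals with server certificates. The change itself is mechanical (`pkgs.pythonPackages` presumably resolved to the same set), so nothing regresses here, but the explicit pin turns an incidental python2 dependency into a deliberate one; a `# TODO: port nixos-taskserver to python3` next to the `with pkgs.python2.pkgs;` line would at least record that. `click` is available on python3, so the port is presumably small — confirm against the helper's source outside this hunk.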
@@ -138,12 +138,13 @@ in { enable = mkOption { type = types.bool; default = false; - description = '' + description = let + url = "https://nixos.org/manual/nixos/stable/index.html#module-services-taskserver"; + in '' Whether to enable the Taskwarrior server. More instructions about NixOS in conjuction with Taskserver can be - found in the NixOS manual at - <olink targetdoc="manual" targetptr="module-taskserver"/>. + found <link xlink:href="${url}">in the NixOS manual</link>. ''; }; diff --git a/nixos/modules/services/misc/taskserver/doc.xml b/nixos/modules/services/misc/taskserver/doc.xml index 5656bb85b373b..f6ead7c37857a 100644 --- a/nixos/modules/services/misc/taskserver/doc.xml +++ b/nixos/modules/services/misc/taskserver/doc.xml @@ -1,7 +1,7 @@ <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" - xml:id="module-taskserver"> + xml:id="module-services-taskserver"> <title>Taskserver</title> <para> Taskserver is the server component of diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index 407742f72ad5a..a557e742b7cfa 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -254,7 +254,7 @@ in { location /cgi-bin { gzip off; - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; fastcgi_param SCRIPT_FILENAME ${pkg}/libexec/zoneminder/${zms}; fastcgi_param HTTP_PROXY ""; fastcgi_intercept_errors on; @@ -270,7 +270,7 @@ in { try_files $uri =404; fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param HTTP_PROXY ""; diff --git a/nixos/modules/services/networking/blocky.nix b/nixos/modules/services/networking/blocky.nix new file mode 100644 index 0000000000000..7488e05fc0331 --- /dev/null 
+++ b/nixos/modules/services/networking/blocky.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.blocky;
+
+ format = pkgs.formats.yaml { };
+ configFile = format.generate "config.yaml" cfg.settings;
+in
+{
+ options.services.blocky = {
+ enable = mkEnableOption "Fast and lightweight DNS proxy as ad-blocker for local network with many features";
+
+ settings = mkOption {
+ type = format.type;
+ default = { };
+ description = ''
+ Blocky configuration. Refer to
+ <link xlink:href="https://0xerr0r.github.io/blocky/configuration/"/>
+ for details on supported values.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.blocky = {
+ description = "A DNS proxy and ad-blocker for the local network";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = "${pkgs.blocky}/bin/blocky --config ${configFile}";
+
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/networking/eternal-terminal.nix b/nixos/modules/services/networking/eternal-terminal.nix
index 88b4cd90540f4..0dcf3d28f4e0e 100644
--- a/nixos/modules/services/networking/eternal-terminal.nix
+++ b/nixos/modules/services/networking/eternal-terminal.nix
@@ -90,6 +90,6 @@ in
 };
 meta = {
- maintainers = with lib.maintainers; [ pingiun ];
+ maintainers = with lib.maintainers; [ ];
 };
 }
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 7482e29a3fda9..c213a5516a498 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -433,8 +433,6 @@ in
 drop the packet if the source address is not reachable via any interface) or false. Defaults to the value of kernelHasRPFilter.
-
- (needs kernel 3.3+)
 '';
 };
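Review bot: The `serviceConfig` block relies on `DynamicUser = true` alone for sandboxing, so a network-facing resolver still gets every address family, writable kernel tunables, namespace creation and the full syscall-architecture surface. `DynamicUser` already implies `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `NoNewPrivileges` and `RemoveIPC`, so the remaining wins are the directives below; `AF_NETLINK` is listed because Go's interface enumeration uses it — confirm against blocky's actual needs before tightening further. `format.generate` also writes `cfg.settings` into the world-readable Nix store, so the `settings` description should state that any credential-bearing value must not be placed there. Separately, `mkEnableOption` prefixes "Whether to enable", which reads awkwardly with the capitalised product blurb — `mkEnableOption "blocky, a fast and lightweight DNS proxy and ad-blocker"` reads better — and `pkgs.blocky` is hard-coded where a `package` option would be conventional.

```nix
      serviceConfig = {
        # … unchanged: DynamicUser, ExecStart, AmbientCapabilities, CapabilityBoundingSet …

        # Hardening on top of what DynamicUser already implies.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
      };
```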
diff --git a/nixos/modules/services/networking/hylafax/options.nix b/nixos/modules/services/networking/hylafax/options.nix index 8e59c68054d2a..8f621b61002fc 100644 --- a/nixos/modules/services/networking/hylafax/options.nix +++ b/nixos/modules/services/networking/hylafax/options.nix @@ -3,7 +3,7 @@ let inherit (lib.options) literalExpression mkEnableOption mkOption; - inherit (lib.types) bool enum ints lines attrsOf nullOr path str submodule; + inherit (lib.types) bool enum ints lines attrsOf nonEmptyStr nullOr path str submodule; inherit (lib.modules) mkDefault mkIf mkMerge; commonDescr = '' @@ -17,8 +17,6 @@ let configuration to yield an operational system. ''; - str1 = lib.types.addCheck str (s: s!=""); # non-empty string - configAttrType = # Options in HylaFAX configuration files can be # booleans, strings, integers, or list thereof @@ -37,7 +35,7 @@ let modemConfigOptions = { name, config, ... }: { options = { name = mkOption { - type = str1; + type = nonEmptyStr; example = "ttyS1"; description = '' Name of modem device, @@ -45,7 +43,7 @@ let ''; }; type = mkOption { - type = str1; + type = nonEmptyStr; example = "cirrus"; description = '' Name of modem configuration file, @@ -135,14 +133,14 @@ in }; countryCode = mkOption { - type = nullOr str1; + type = nullOr nonEmptyStr; default = null; example = "49"; description = "Country code for server and all modems."; }; areaCode = mkOption { - type = nullOr str1; + type = nullOr nonEmptyStr; default = null; example = "30"; description = "Area code for server and all modems."; @@ -279,7 +277,7 @@ in each time the spooling area is initialized. ''; faxcron.enable.frequency = mkOption { - type = nullOr str1; + type = nullOr nonEmptyStr; default = null; example = "daily"; description = '' @@ -319,7 +317,7 @@ in each time the spooling area is initialized. ''; faxqclean.enable.frequency = mkOption { - type = nullOr str1; + type = nullOr nonEmptyStr; default = null; example = "daily"; description = '' 
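Review bot: `nonEmptyStr` is slightly stricter than the `str1` it replaces: `lib.types.nonEmptyStr` also rejects whitespace-only strings (its check is `builtins.match "[ \t\n]*" s == null`), whereas `str1` only rejected `""`. That is the right behaviour for modem `name`/`type` and for `countryCode`/`areaCode`, but it is a user-visible change for `faxcron.enable.frequency` and `faxqclean.enable.frequency`, so a one-line release-note entry or a mention in the commit message would help anyone whose configuration stops evaluating.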
diff --git a/nixos/modules/services/networking/multipath.nix b/nixos/modules/services/networking/multipath.nix index 1cc2ad1fc849c..1a44184ff6dcc 100644 --- a/nixos/modules/services/networking/multipath.nix +++ b/nixos/modules/services/networking/multipath.nix @@ -242,21 +242,6 @@ in { ''; }; - retain_attached_hw_handler = mkOption { - type = nullOr (enum [ "yes" "no" ]); - default = null; # real default: "yes" - description = '' - (Obsolete for kernels >= 4.3) If set to "yes" and the SCSI layer has - already attached a hardware_handler to the device, multipath will not - force the device to use the hardware_handler specified by mutipath.conf. - If the SCSI layer has not attached a hardware handler, multipath will - continue to use its configured hardware handler. - - Important Note: Linux kernel 4.3 or newer always behaves as if - "retain_attached_hw_handler yes" was set. - ''; - }; - detect_prio = mkOption { type = nullOr (enum [ "yes" "no" ]); default = null; # real default: "yes" diff --git a/nixos/modules/services/networking/ntopng.nix b/nixos/modules/services/networking/ntopng.nix index 77a004e8ab3a5..022fc923edaa3 100644 --- a/nixos/modules/services/networking/ntopng.nix +++ b/nixos/modules/services/networking/ntopng.nix @@ -6,7 +6,13 @@ let cfg = config.services.ntopng; opt = options.services.ntopng; - redisCfg = config.services.redis; + + createRedis = cfg.redis.createInstance != null; + redisService = + if cfg.redis.createInstance == "" then + "redis.service" + else + "redis-${cfg.redis.createInstance}.service"; configFile = if cfg.configText != "" then pkgs.writeText "ntopng.conf" '' @@ -15,8 +21,10 @@ let else pkgs.writeText "ntopng.conf" '' ${concatStringsSep " " (map (e: "--interface=" + e) cfg.interfaces)} - --http-port=${toString cfg.http-port} - --redis=localhost:${toString redisCfg.port} + --http-port=${toString cfg.httpPort} + --redis=${cfg.redis.address} + --data-dir=/var/lib/ntopng + --user=ntopng ${cfg.extraConfig} ''; 
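Review bot: `redisService` interpolates `cfg.redis.createInstance`, which the options hunk below types as `nullOr str`, so `"redis-${null}.service"` would be an evaluation error; it only works because every use goes through `optional createRedis redisService` and Nix never forces it when `createRedis` is false. That invariant is easy to break in a later edit, so either guard it directly, `if cfg.redis.createInstance == null then null else …`, or leave a comment: `# Only forced when createRedis is true; interpolating a null createInstance would fail.`. In the multipath.nix hunk above, dropping `retain_attached_hw_handler` without a `mkRemovedOptionModule` means configurations that still set it fail with a generic undefined-option error — a removal module or a release-note line would soften that.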
@@ -24,6 +32,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "ntopng" "http-port" ] [ "services" "ntopng" "httpPort" ]) + ]; + options = { services.ntopng = { @@ -56,7 +68,7 @@ in ''; }; - http-port = mkOption { + httpPort = mkOption { default = 3000; type = types.int; description = '' @@ -64,6 +76,24 @@ in ''; }; + redis.address = mkOption { + type = types.str; + example = literalExpression "config.services.redis.ntopng.unixSocket"; + description = '' + Redis address - may be a Unix socket or a network host and port. + ''; + }; + + redis.createInstance = mkOption { + type = types.nullOr types.str; + default = if versionAtLeast config.system.stateVersion "22.05" then "ntopng" else ""; + description = '' + Local Redis instance name. Set to <literal>null</literal> to disable + local Redis instance. Defaults to <literal>""</literal> for + <literal>system.stateVersion</literal> older than 22.05. + ''; + }; + configText = mkOption { default = ""; example = '' 
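Review bot: The `redis.address` example `config.services.redis.ntopng.unixSocket` does not match the option path the module itself uses in the config hunk below (`config.services.redis.servers.${cfg.redis.createInstance}.unixSocket`), so copying the example would reference a non-existent option; it should read `literalExpression "config.services.redis.servers.ntopng.unixSocket"`. `redis.address` also has no default, so with `redis.createInstance = null` evaluation fails with a generic "option used but not defined" error rather than telling the user what to set; adding `Required when <literal>redis.createInstance</literal> is null.` to its description would fix that. The `createInstance` default's fallback to the unnamed system-wide instance `""` for `stateVersion` older than 22.05 is covered by the release note on this commit.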
@@ -95,23 +125,36 @@ in config = mkIf cfg.enable { # ntopng uses redis for data storage - services.redis.enable = true; + services.ntopng.redis.address = + mkIf createRedis config.services.redis.servers.${cfg.redis.createInstance}.unixSocket; + + services.redis.servers = mkIf createRedis { + ${cfg.redis.createInstance} = { + enable = true; + user = mkIf (cfg.redis.createInstance == "ntopng") "ntopng"; + }; + }; # nice to have manual page and ntopng command in PATH environment.systemPackages = [ pkgs.ntopng ]; + systemd.tmpfiles.rules = [ "d /var/lib/ntopng 0700 ntopng ntopng -" ]; + systemd.services.ntopng = { description = "Ntopng Network Monitor"; - requires = [ "redis.service" ]; - after = [ "network.target" "redis.service" ]; + requires = optional createRedis redisService; + after = [ "network.target" ] ++ optional createRedis redisService; wantedBy = [ "multi-user.target" ]; - preStart = "mkdir -p /var/lib/ntopng/"; serviceConfig.ExecStart = "${pkgs.ntopng}/bin/ntopng ${configFile}"; unitConfig.Documentation = "man:ntopng(8)"; }; - # ntopng drops priveleges to user "nobody" and that user is already defined - # in users-groups.nix. + users.extraUsers.ntopng = { + group = "ntopng"; + isSystemUser = true; + }; + + users.extraGroups.ntopng = { }; }; } diff --git a/nixos/modules/services/web-apps/dokuwiki.nix b/nixos/modules/services/web-apps/dokuwiki.nix index 30913ced88493..1f8ca742db951 100644 --- a/nixos/modules/services/web-apps/dokuwiki.nix +++ b/nixos/modules/services/web-apps/dokuwiki.nix @@ -376,7 +376,7 @@ in "~ \\.php$" = { extraConfig = '' try_files $uri $uri/ /doku.php; - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REDIRECT_STATUS 200; fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; 
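Review bot: The removed comment about privilege dropping is not replaced, and the new `users.extraUsers.ntopng` makes the unit look as if `User = "ntopng"` was simply forgotten; `--user=ntopng` is written into the generated config in the previous line's hunk, so ntopng presumably starts as root (for capture) and drops privileges itself — confirm against ntopng's behaviour. A comment above `serviceConfig.ExecStart` such as `# No User= here: ntopng starts as root and drops to "ntopng" via --user in the generated config.` would keep the next reader from "fixing" it. Note also that the `configText` branch of `configFile` (its contents are outside the hunk) presumably does not receive `--user`/`--data-dir`, so hand-written configs keep whatever user that file specifies.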
diff --git a/nixos/modules/services/web-apps/jirafeau.nix b/nixos/modules/services/web-apps/jirafeau.nix index a95e2b4f82a91..328c61c8e6462 100644 --- a/nixos/modules/services/web-apps/jirafeau.nix +++ b/nixos/modules/services/web-apps/jirafeau.nix @@ -136,7 +136,7 @@ in ''; locations = { "~ \\.php$".extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; fastcgi_pass unix:${config.services.phpfpm.pools.jirafeau.socket}; diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix index 1e3c7e53c175a..8208c85bfd708 100644 --- a/nixos/modules/services/web-apps/mastodon.nix +++ b/nixos/modules/services/web-apps/mastodon.nix @@ -92,6 +92,7 @@ let mastodonEnv = pkgs.writeShellScriptBin "mastodon-env" '' set -a + export RAILS_ROOT="${cfg.package}" source "${envFile}" source /var/lib/mastodon/.secrets_env eval -- "\$@" diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix index fd97ab76a5f62..4b36cc8754c61 100644 --- a/nixos/modules/services/web-apps/restya-board.nix +++ b/nixos/modules/services/web-apps/restya-board.nix @@ -235,7 +235,7 @@ in locations."~ \\.php$" = { tryFiles = "$uri =404"; extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; fastcgi_pass unix:${fpm.socket}; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; diff --git a/nixos/modules/services/web-apps/rss-bridge.nix b/nixos/modules/services/web-apps/rss-bridge.nix index 456ca00416feb..f2b6d9559823b 100644 --- a/nixos/modules/services/web-apps/rss-bridge.nix +++ b/nixos/modules/services/web-apps/rss-bridge.nix 
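Review bot: `export RAILS_ROOT="${cfg.package}"` sits under `set -a`, which already marks every subsequent assignment for export, so the `export` keyword is redundant; `RAILS_ROOT="${cfg.package}"` matches the style of the sourced env files. It is placed before `source "${envFile}"`, so a `RAILS_ROOT` in that file would silently override it — presumably intended, but a one-line comment would make that explicit.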
@@ -111,7 +111,7 @@ in locations."~ ^/index.php(/|$)" = { extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.socket}; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; diff --git a/nixos/modules/services/web-servers/nginx/gitweb.nix b/nixos/modules/services/web-servers/nginx/gitweb.nix index 11bf2a309ea81..db45577a46d16 100644 --- a/nixos/modules/services/web-servers/nginx/gitweb.nix +++ b/nixos/modules/services/web-servers/nginx/gitweb.nix @@ -79,7 +79,7 @@ in }; locations."${cfg.location}/" = { extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; fastcgi_param GITWEB_CONFIG ${gitwebConfig.gitwebConfigFile}; fastcgi_pass unix:/run/gitweb/gitweb.sock; ''; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 5c91993771e4a..06117ab451d3c 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1325,22 +1325,13 @@ in val = tempaddrValues.${opt}.sysctl; in nameValuePair "net.ipv6.conf.${replaceChars ["."] ["/"] i.name}.use_tempaddr" val)); - # Capabilities won't work unless we have at-least a 4.3 Linux - # kernel because we need the ambient capability - security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then { + security.wrappers = { ping = { owner = "root"; group = "root"; capabilities = "cap_net_raw+p"; source = "${pkgs.iputils.out}/bin/ping"; }; - } else { - ping = { - setuid = true; - owner = "root"; - group = "root"; - source = "${pkgs.iputils.out}/bin/ping"; - }; }; security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' /run/wrappers/bin/ping { 
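Review bot: In the network-interfaces hunk the kernel-version rationale disappears together with the removed comment, leaving `capabilities = "cap_net_raw+p"` unexplained and the setuid fallback gone without a trace of why that is now safe. A short comment would keep the reasoning, e.g. `# ping needs only cap_net_raw, granted via the capability wrapper; the former setuid fallback for kernels before 4.3 (no ambient capabilities) is gone`. Dropping the setuid-root binary is a welcome reduction of privileged executables, but the hunk does not show whether a minimum-kernel assertion exists elsewhere; if none does, the comment is the place to state that assumption. The enclosing attrset continues outside the hunk.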
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 27d6d5fff3ac6..515a3c7208ce4 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -52,6 +52,7 @@ in
 bitcoind = handleTest ./bitcoind.nix {};
 bittorrent = handleTest ./bittorrent.nix {};
 blockbook-frontend = handleTest ./blockbook-frontend.nix {};
+ blocky = handleTest ./blocky.nix {};
 boot = handleTestOn ["x86_64-linux" "aarch64-linux"] ./boot.nix {};
 boot-stage1 = handleTest ./boot-stage1.nix {};
 borgbackup = handleTest ./borgbackup.nix {};
diff --git a/nixos/tests/blocky.nix b/nixos/tests/blocky.nix
new file mode 100644
index 0000000000000..18e7f45e1c738
--- /dev/null
+++ b/nixos/tests/blocky.nix
@@ -0,0 +1,34 @@
+import ./make-test-python.nix {
+ name = "blocky";
+
+ nodes = {
+ server = { pkgs, ... }: {
+ environment.systemPackages = [ pkgs.dnsutils ];
+ services.blocky = {
+ enable = true;
+
+ settings = {
+ customDNS = {
+ mapping = {
+ "printer.lan" = "192.168.178.3,2001:0db8:85a3:08d3:1319:8a2e:0370:7344";
+ };
+ };
+ upstream = {
+ default = [ "8.8.8.8" "1.1.1.1" ];
+ };
+ port = 53;
+ httpPort = 5000;
+ logLevel = "info";
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ with subtest("Service test"):
+ server.wait_for_unit("blocky.service")
+ server.wait_for_open_port(53)
+ server.wait_for_open_port(5000)
+ server.succeed("dig @127.0.0.1 +short -x 192.168.178.3 | grep -qF printer.lan")
+ '';
+}
diff --git a/nixos/tests/doh-proxy-rust.nix b/nixos/tests/doh-proxy-rust.nix
index 23f8616849c3d..11ed87d23bbe6 100644
--- a/nixos/tests/doh-proxy-rust.nix
+++ b/nixos/tests/doh-proxy-rust.nix
@@ -38,6 +38,6 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
 machine.wait_for_unit("doh-proxy-rust.service")
 machine.wait_for_open_port(53)
 machine.wait_for_open_port(3000)
- machine.succeed(f"curl --fail '{url}?dns={query}' | grep -F {bin_ip}")
+ machine.succeed(f"curl --fail -H 'Accept: application/dns-message' '{url}?dns={query}' | grep -F {bin_ip}")
 '';
 })
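Review bot: The blocky test script exercises only the reverse lookup of the `customDNS` mapping, so a regression in forward resolution of the custom entry would pass unnoticed, and `upstream.default` is inert inside the test VM, which has no outside network. The forward direction is one more line after the existing `succeed`: `server.succeed("dig @127.0.0.1 +short printer.lan | grep -qF 192.168.178.3")`. A comment on the `upstream` block such as `# not reachable from the sandboxed VM; only the customDNS mapping is tested` would also stop a reader from assuming external resolution is covered. Whether blocky refuses to start without an upstream is not visible here.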
diff --git a/nixos/tests/gitolite-fcgiwrap.nix b/nixos/tests/gitolite-fcgiwrap.nix index fc9b214b762ee..38f8d5c883fd5 100644 --- a/nixos/tests/gitolite-fcgiwrap.nix +++ b/nixos/tests/gitolite-fcgiwrap.nix @@ -42,7 +42,7 @@ import ./make-test-python.nix ( auth_basic_user_file /etc/gitolite/htpasswd; # common FastCGI parameters are required - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; # strip the CGI program prefix fastcgi_split_path_info ^(/git)(.*)$; diff --git a/nixos/tests/php/fpm.nix b/nixos/tests/php/fpm.nix index 31a79bb4dbe39..718a635a6c7c9 100644 --- a/nixos/tests/php/fpm.nix +++ b/nixos/tests/php/fpm.nix @@ -17,7 +17,7 @@ import ../make-test-python.nix ({ pkgs, lib, php, ... }: { locations."~ \\.php$".extraConfig = '' fastcgi_pass unix:${config.services.phpfpm.pools.foobar.socket}; fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; + include ${config.services.nginx.package}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; ''; locations."/" = { |
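Review bot: In the php/fpm hunk the context line right after the changed one still reads `include ${pkgs.nginx}/conf/fastcgi.conf;`, so the test now takes `fastcgi_params` from `config.services.nginx.package` but `fastcgi.conf` from `pkgs.nginx`; if the configured package differs from `pkgs.nginx` the test mixes config files from two nginx builds. Change it to `include ${config.services.nginx.package}/conf/fastcgi.conf;` to match. The same switch in the dokuwiki, jirafeau, restya-board, rss-bridge, gitweb and gitolite-fcgiwrap hunks is consistent and needs no change.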