diff options
Diffstat (limited to 'nixos')
33 files changed, 558 insertions, 136 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 0fd44f0673315..29cac1dc45be0 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -50,7 +50,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi - `virtualisation.docker.enableNvidia` and `virtualisation.podman.enableNvidia` options are deprecated. `virtualisation.containers.cdi.dynamic.nvidia.enable` should be used instead. This option will expose GPUs on containers with the `--device` CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature. -- A new option `system.etc.overlay.enable` was added. If enabled, `/etc` is +- `system.etc.overlay.enable` option was added. If enabled, `/etc` is mounted via an overlayfs instead of being created by a custom perl script. - NixOS AMIs are now uploaded regularly to a new AWS Account. @@ -155,6 +155,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [microsocks](https://github.com/rofl0r/microsocks), a tiny, portable SOCKS5 server with very moderate resource usage. Available as [services.microsocks]($opt-services-microsocks.enable). +- [inadyn](https://github.com/troglobit/inadyn), a Dynamic DNS client with built-in support for multiple providers. Available as [services.inadyn](#opt-services.inadyn.enable). + - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable). - [fritz-exporter](https://github.com/pdreker/fritz_exporter), a Prometheus exporter for extracting metrics from [FRITZ!](https://avm.de/produkte/) devices. Available as [services.prometheus.exporters.fritz](#opt-services.prometheus.exporters.fritz.enable). @@ -235,7 +237,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `nvtop` family of packages was reorganized into nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are now named as `nvtopPackages.{amd,nvidia,intel,msm}` -- `neo4j` has been updated to 5, you may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/) +- `neo4j` has been updated to version 5, you may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/) - `services.neo4j.allowUpgrade` was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades. @@ -249,37 +251,37 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`. This was done so that secrets aren't stored in the world-readable nix store. - To migrate, you will have create a file with the same exact string, and change + To migrate, you will have to create a file with the same exact string, and change your module options to point to that file. For example, `services.aria2.rpcSecret = "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"` where the file `secret_file` contains the string `mysecret`. - `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading - to another signature algorithm. It is however possible, for the time being, to restore the DSA keys support using `override` to set `dsaKeysSupport = true`. + to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`. -- `buildGoModule` now throws error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias. +- `buildGoModule` now throws an error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias. -- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857) +- `services.invidious.settings.db.user`, the default database username, has changed from `kemal` to `invidious`. Setups involving an externally-provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857) - `writeReferencesToFile` is deprecated in favour of the new trivial build helper `writeClosure`. The latter accepts a list of paths and has an unambiguous name and cleaner implementation. - `inetutils` now has a lower priority to avoid shadowing the commonly used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`. -- `paperless`' `services.paperless.extraConfig` setting has been removed and converted to the freeform type and option named `services.paperless.settings`. +- `paperless`' `services.paperless.extraConfig` setting has been removed and converted to the free-form type and option named `services.paperless.settings`. -- `davfs2`' `services.davfs2.extraConfig` setting has been deprecated and converted to the freeform type option named `services.davfs2.settings` according to RFC42. +- `davfs2`' `services.davfs2.extraConfig` setting has been deprecated and converted to the free-form type option named `services.davfs2.settings` according to RFC42. -- `services.homepage-dashboard` now takes it's configuration using native Nix expressions, rather than dumping templated configurations into `/var/lib/homepage-dashboard` where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix. +- `services.homepage-dashboard` now takes its configuration using native Nix expressions, rather than dumping templated configurations into `/var/lib/homepage-dashboard` where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix. - `hare` may now be cross-compiled. For that to work, however, `haredoc` needed to stop being built together with it. Thus, the latter is now its own package with the name of `haredoc`. -- The legacy and long deprecated systemd target `network-interfaces.target` has been removed. Use `network.target` instead. +- `network-interfaces.target` system target was removed as it has been deprecated for a long time. Use `network.target` instead. - `azure-cli` now has extension support. For example, to install the `aks-preview` extension, use ```nix environment.systemPackages = [ - (azure-cli.withExtensions [ azure-cli.extensions.aks-preview ]); + (azure-cli.withExtensions [ azure-cli.extensions.aks-preview ]) ]; ``` To make the `azure-cli` immutable and prevent clashes in case `azure-cli` is also installed via other package managers, some configuration files were moved into the derivation. @@ -349,6 +351,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - Ada packages (libraries and tools) have been moved into the `gnatPackages` scope. `gnatPackages` uses the default GNAT compiler, `gnat12Packages` and `gnat13Packages` use the respective matching compiler version. +- Paths provided as `restartTriggers` and `reloadTriggers` for systemd units will now be copied into the nix store to make the behavior consistent. + Previously, `restartTriggers = [ ./config.txt ]`, if defined in a flake, would trigger a restart when any part of the flake changed; and if not defined in a flake, would never trigger a restart even if the contents of `config.txt` changed. + - `spark2014` has been renamed to `gnatprove`. A version of `gnatprove` matching different GNAT versions is available from the different `gnatPackages` sets. - `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead. @@ -396,7 +401,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically. -- The executable file names for `firefox-devedition`, `firefox-beta`, `firefox-esr` now matches their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher. +- `firefox-devedition`, `firefox-beta`, `firefox-esr` executable file names for now match their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher. - switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which @@ -467,14 +472,14 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `addDriverRunpath` has been added to facilitate the deprecation of the old `addOpenGLRunpath` setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration. -- Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions. +- (TODO awaiting feedback on code-casing package names) Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions. -- MATE has been updated to 1.28. +- (TODO awaiting feedback on code-casing package names) MATE has been updated to 1.28. - To properly support panel plugins built with Wayland (in-process) support, we are introducing `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets. - Similarly, please use `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions. - To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM for display manager. -- The Budgie module installs gnome-terminal by default (instead of mate-terminal). +- The (TODO awaiting feedback on code-casing package names) Budgie module installs gnome-terminal by default (instead of mate-terminal). - New `boot.loader.systemd-boot.xbootldrMountPoint` allows setting up a separate [XBOOTLDR partition](https://uapi-group.org/specifications/specs/boot_loader_specification/) to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned. @@ -486,7 +491,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The Matrix homeserver [Synapse](https://element-hq.github.io/synapse/) module now supports configuring UNIX domain socket [listeners](#opt-services.matrix-synapse.settings.listeners) through the `path` option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. -- The initrd ssh daemon module got a new option to add authorized keys via a list of files using `boot.initrd.network.ssh.authorizedKeyFiles`. +- `boot.initrd.network.ssh.authorizedKeyFiles` is a new option in the initrd ssh daemon module, for adding authorized keys via list of files. - Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles. The `nimPackages` and `nim2Packages` sets have been removed. @@ -504,9 +509,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc. -- [Lilypond](https://lilypond.org/index.html) and [Denemo](https://www.denemo.org) are now compiled with Guile 3.0. +- (TODO awaiting feedback on code-casing package names) [Lilypond](https://lilypond.org/index.html) and [Denemo](https://www.denemo.org) are now compiled with Guile 3.0. -- Garage has been updated to v1.x.x. Users should read the [upstream release notes](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.0) and follow the documentation when changing over their `services.garage.package` and performing this manual upgrade. +- (TODO awaiting feedback on code-casing package names) Garage has been updated to v1.x.x. Users should read the [upstream release notes](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.0) and follow the documentation when changing over their `services.garage.package` and performing this manual upgrade. - The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default. @@ -541,7 +546,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.). The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime. -- With a bump to `sonarr` v4, existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089). +- `sonarr` bumped to v4. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089). - The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an @@ -551,15 +556,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The netbird module now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.tunnels). - [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or - `globalRedirect` can now have redirect codes other than 301 through + `globalRedirect` can now have redirect codes other than 301 through `redirectCode`. - `bacula` now allows to configure `TLS` for encrypted communication. - `redirectCode`. - - `libjxl` 0.9.0 [dropped support for the butteraugli API](https://github.com/libjxl/libjxl/pull/2576). You will no longer be able to set `enableButteraugli` on `libaom`. -- The source of the `mockgen` package has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock). +- `mockgen` package source has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock). - `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles` option was added, to control which `authorized_keys` files are trusted. It defaults to the previous behaviour, @@ -576,7 +579,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `nextcloud-setup.service` no longer changes the group of each file & directory inside `/var/lib/nextcloud/{config,data,store-apps}` if one of these directories has the wrong owner group. This was part of transitioning the group used for `/var/lib/nextcloud`, but isn't necessary anymore. -- `services.kavita` now uses the freeform option `services.kavita.settings` for the application settings file. +- `services.kavita` now uses the free-form option `services.kavita.settings` for the application settings file. The options `services.kavita.ipAdresses` and `services.kavita.port` now exist at `services.kavita.settings.IpAddresses` and `services.kavita.settings.IpAddresses`. The file at `services.kavita.tokenKeyFile` now needs to contain a secret with 512+ bits instead of 128+ bits. @@ -587,7 +590,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `services.soju` now has a wrapper for the `sojuctl` command, pointed at the service config file. It also has the new option `adminSocket.enable`, which creates a unix admin socket at `/run/soju/admin`. -- Gitea 1.21 upgrade has several breaking changes, including: +- `gitea` upgrade to 1.21 has several breaking changes, including: - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*` - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command. @@ -599,10 +602,10 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The `services.networkmanager.extraConfig` was renamed to `services.networkmanager.settings` and was changed to use the ini type instead of using a multiline string. -- The module `services.github-runner` has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration. +- `services.github-runner` module has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration. - The `services.slskd` has been refactored to include more configuation options in - the freeform `services.slskd.settings` option, and some defaults (including listen ports) + the free-form `services.slskd.settings` option, and some defaults (including listen ports) have been changed to match the upstream defaults. Additionally, disk logging is now disabled by default, and the log rotation timer has been removed. The nginx virtualhost option is now of the `vhost-options` type. diff --git a/nixos/lib/systemd-lib.nix b/nixos/lib/systemd-lib.nix index 198a710f052dd..eef49f8c4ef38 100644 --- a/nixos/lib/systemd-lib.nix +++ b/nixos/lib/systemd-lib.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs }: +{ config, lib, pkgs, utils }: let inherit (lib) @@ -14,10 +14,12 @@ let elem filter filterAttrs + flatten flip head isInt isList + isPath length makeBinPath makeSearchPathOutput @@ -28,6 +30,7 @@ let optional optionalAttrs optionalString + pipe range replaceStrings reverseList @@ -366,9 +369,17 @@ in rec { // optionalAttrs (config.requisite != []) { Requisite = toString config.requisite; } // optionalAttrs (config ? restartTriggers && config.restartTriggers != []) - { X-Restart-Triggers = "${pkgs.writeText "X-Restart-Triggers-${name}" (toString config.restartTriggers)}"; } + { X-Restart-Triggers = "${pkgs.writeText "X-Restart-Triggers-${name}" (pipe config.restartTriggers [ + flatten + (map (x: if isPath x then "${x}" else x)) + toString + ])}"; } // optionalAttrs (config ? reloadTriggers && config.reloadTriggers != []) - { X-Reload-Triggers = "${pkgs.writeText "X-Reload-Triggers-${name}" (toString config.reloadTriggers)}"; } + { X-Reload-Triggers = "${pkgs.writeText "X-Reload-Triggers-${name}" (pipe config.reloadTriggers [ + flatten + (map (x: if isPath x then "${x}" else x)) + toString + ])}"; } // optionalAttrs (config.description != "") { Description = config.description; } // optionalAttrs (config.documentation != []) { @@ -385,8 +396,41 @@ in rec { }; }; - serviceConfig = { config, ... }: { - config.environment.PATH = mkIf (config.path != []) "${makeBinPath config.path}:${makeSearchPathOutput "bin" "sbin" config.path}"; + serviceConfig = { name, config, ... }: { + config = { + name = "${name}.service"; + environment.PATH = mkIf (config.path != []) "${makeBinPath config.path}:${makeSearchPathOutput "bin" "sbin" config.path}"; + }; + }; + + pathConfig = { name, config, ... }: { + config = { + name = "${name}.path"; + }; + }; + + socketConfig = { name, config, ... }: { + config = { + name = "${name}.socket"; + }; + }; + + sliceConfig = { name, config, ... }: { + config = { + name = "${name}.slice"; + }; + }; + + targetConfig = { name, config, ... }: { + config = { + name = "${name}.target"; + }; + }; + + timerConfig = { name, config, ... }: { + config = { + name = "${name}.timer"; + }; }; stage2ServiceConfig = { @@ -405,6 +449,7 @@ in rec { mountConfig = { config, ... }: { config = { + name = "${utils.escapeSystemdPath config.where}.mount"; mountConfig = { What = config.what; Where = config.where; @@ -418,6 +463,7 @@ in rec { automountConfig = { config, ... }: { config = { + name = "${utils.escapeSystemdPath config.where}.automount"; automountConfig = { Where = config.where; }; @@ -433,8 +479,8 @@ in rec { WantedBy=${concatStringsSep " " def.wantedBy} ''; - targetToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy; + targetToUnit = def: + { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy; text = '' [Unit] @@ -442,8 +488,8 @@ in rec { ''; }; - serviceToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy; + serviceToUnit = def: + { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy; text = commonUnitText def ('' [Service] '' + (let env = cfg.globalEnvironment // def.environment; @@ -452,7 +498,7 @@ in rec { "Environment=${toJSON "${n}=${env.${n}}"}\n"; # systemd max line length is now 1MiB # https://github.com/systemd/systemd/commit/e6dde451a51dc5aaa7f4d98d39b8fe735f73d2af - in if stringLength s >= 1048576 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${name}.service’ is too long." else s) (attrNames env)) + in if stringLength s >= 1048576 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${def.name}.service’ is too long." else s) (attrNames env)) + (if def ? reloadIfChanged && def.reloadIfChanged then '' X-ReloadIfChanged=true '' else if (def ? restartIfChanged && !def.restartIfChanged) then '' @@ -463,8 +509,8 @@ in rec { '' + attrsToSection def.serviceConfig); }; - socketToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy; + socketToUnit = def: + { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy; text = commonUnitText def '' [Socket] ${attrsToSection def.socketConfig} @@ -473,40 +519,40 @@ in rec { ''; }; - timerToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy; + timerToUnit = def: + { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy; text = commonUnitText def '' [Timer] ${attrsToSection def.timerConfig} ''; }; - pathToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy; + pathToUnit = def: + { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy; text = commonUnitText def '' [Path] ${attrsToSection def.pathConfig} ''; }; - mountToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy; + mountToUnit = def: + { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy; text = commonUnitText def '' [Mount] ${attrsToSection def.mountConfig} ''; }; - automountToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy; + automountToUnit = def: + { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy; text = commonUnitText def '' [Automount] ${attrsToSection def.automountConfig} ''; }; - sliceToUnit = name: def: - { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy; + sliceToUnit = def: + { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy; text = commonUnitText def '' [Slice] ${attrsToSection def.sliceConfig} diff --git a/nixos/lib/systemd-types.nix b/nixos/lib/systemd-types.nix index c4c5771cff822..f3bc8e06d9cb9 100644 --- a/nixos/lib/systemd-types.nix +++ b/nixos/lib/systemd-types.nix @@ -5,8 +5,13 @@ let automountConfig makeUnit mountConfig + pathConfig + sliceConfig + socketConfig stage1ServiceConfig stage2ServiceConfig + targetConfig + timerConfig unitConfig ; @@ -48,29 +53,32 @@ let ; in -rec { +{ units = attrsOf (submodule ({ name, config, ... }: { options = concreteUnitOptions; - config = { unit = mkDefault (makeUnit name config); }; + config = { + name = mkDefault name; + unit = mkDefault (makeUnit name config); + }; })); services = attrsOf (submodule [ stage2ServiceOptions unitConfig stage2ServiceConfig ]); initrdServices = attrsOf (submodule [ stage1ServiceOptions unitConfig stage1ServiceConfig ]); - targets = attrsOf (submodule [ stage2CommonUnitOptions unitConfig ]); - initrdTargets = attrsOf (submodule [ stage1CommonUnitOptions unitConfig ]); + targets = attrsOf (submodule [ stage2CommonUnitOptions unitConfig targetConfig ]); + initrdTargets = attrsOf (submodule [ stage1CommonUnitOptions unitConfig targetConfig ]); - sockets = attrsOf (submodule [ stage2SocketOptions unitConfig ]); - initrdSockets = attrsOf (submodule [ stage1SocketOptions unitConfig ]); + sockets = attrsOf (submodule [ stage2SocketOptions unitConfig socketConfig]); + initrdSockets = attrsOf (submodule [ stage1SocketOptions unitConfig socketConfig ]); - timers = attrsOf (submodule [ stage2TimerOptions unitConfig ]); - initrdTimers = attrsOf (submodule [ stage1TimerOptions unitConfig ]); + timers = attrsOf (submodule [ stage2TimerOptions unitConfig timerConfig ]); + initrdTimers = attrsOf (submodule [ stage1TimerOptions unitConfig timerConfig ]); - paths = attrsOf (submodule [ stage2PathOptions unitConfig ]); - initrdPaths = attrsOf (submodule [ stage1PathOptions unitConfig ]); + paths = attrsOf (submodule [ stage2PathOptions unitConfig pathConfig ]); + initrdPaths = attrsOf (submodule [ stage1PathOptions unitConfig pathConfig ]); - slices = attrsOf (submodule [ stage2SliceOptions unitConfig ]); - initrdSlices = attrsOf (submodule [ stage1SliceOptions unitConfig ]); + slices = attrsOf (submodule [ stage2SliceOptions unitConfig sliceConfig ]); + initrdSlices = attrsOf (submodule [ stage1SliceOptions unitConfig sliceConfig ]); mounts = listOf (submodule [ stage2MountOptions unitConfig mountConfig ]); initrdMounts = listOf (submodule [ stage1MountOptions unitConfig mountConfig ]); diff --git a/nixos/lib/systemd-unit-options.nix b/nixos/lib/systemd-unit-options.nix index fc990a87f0c20..160f2bf9483ae 100644 --- a/nixos/lib/systemd-unit-options.nix +++ b/nixos/lib/systemd-unit-options.nix @@ -65,6 +65,14 @@ in rec { ''; }; + name = lib.mkOption { + type = lib.types.str; + description = '' + The name of this systemd unit, including its extension. + This can be used to refer to this unit from other systemd units. + ''; + }; + overrideStrategy = mkOption { default = "asDropinIfExists"; type = types.enum [ "asDropinIfExists" "asDropin" ]; diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix index 4992113bdbd25..c1c1828a2c12c 100644 --- a/nixos/lib/utils.nix +++ b/nixos/lib/utils.nix @@ -35,7 +35,8 @@ let inherit (lib.strings) toJSON normalizePath escapeC; in -rec { +let +utils = rec { # Copy configuration files to avoid having the entire sources in the system closure copyFile = filePath: pkgs.runCommand (builtins.unsafeDiscardStringContext (baseNameOf filePath)) {} '' @@ -262,11 +263,12 @@ rec { filter (x: !(elem (getName x) namesToRemove)) packages; systemdUtils = { - lib = import ./systemd-lib.nix { inherit lib config pkgs; }; + lib = import ./systemd-lib.nix { inherit lib config pkgs utils; }; unitOptions = import ./systemd-unit-options.nix { inherit lib systemdUtils; }; types = import ./systemd-types.nix { inherit lib systemdUtils pkgs; }; network = { units = import ./systemd-network-units.nix { inherit lib systemdUtils; }; }; }; -} +}; +in utils diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix index 2a25f8e564684..26323e14b9017 100644 --- a/nixos/modules/misc/documentation.nix +++ b/nixos/modules/misc/documentation.nix @@ -101,6 +101,7 @@ let libPath = filter (pkgs.path + "/lib"); pkgsLibPath = filter (pkgs.path + "/pkgs/pkgs-lib"); nixosPath = filter (pkgs.path + "/nixos"); + NIX_ABORT_ON_WARN = warningsAreErrors; modules = "[ " + concatMapStringsSep " " (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 29c373788c1fe..511d991e919cd 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1012,6 +1012,7 @@ ./services/networking/icecream/daemon.nix ./services/networking/icecream/scheduler.nix ./services/networking/imaginary.nix + ./services/networking/inadyn.nix ./services/networking/inspircd.nix ./services/networking/iodine.nix ./services/networking/iperf3.nix diff --git a/nixos/modules/programs/fcast-receiver.nix b/nixos/modules/programs/fcast-receiver.nix index 8da07a66e2223..2e4e6bf8b242a 100644 --- a/nixos/modules/programs/fcast-receiver.nix +++ b/nixos/modules/programs/fcast-receiver.nix @@ -11,11 +11,11 @@ in }; options.programs.fcast-receiver = { - enable = mkEnableOption (lib.mdDoc "FCast Receiver"); + enable = mkEnableOption "FCast Receiver"; openFirewall = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Open ports needed for the functionality of the program. ''; }; diff --git a/nixos/modules/programs/fzf.nix b/nixos/modules/programs/fzf.nix index 0e7e519f0436d..66ad7d418de68 100644 --- a/nixos/modules/programs/fzf.nix +++ b/nixos/modules/programs/fzf.nix @@ -15,11 +15,12 @@ in environment.systemPackages = lib.mkIf (cfg.keybindings || cfg.fuzzyCompletion) [ pkgs.fzf ]; programs = { - bash.interactiveShellInit = lib.optionalString cfg.fuzzyCompletion '' + # load after programs.bash.enableCompletion + bash.promptPluginInit = lib.mkAfter (lib.optionalString cfg.fuzzyCompletion '' source ${pkgs.fzf}/share/fzf/completion.bash '' + lib.optionalString cfg.keybindings '' source ${pkgs.fzf}/share/fzf/key-bindings.bash - ''; + ''); zsh = { interactiveShellInit = lib.optionalString (!config.programs.zsh.ohMyZsh.enable) diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 7fb75f42db1f8..e755b5f0ee534 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -200,7 +200,8 @@ in unitConfig.DefaultDependencies = false; script = '' if test -f "${cfg.secretKeyFile}"; then - mkdir -m 0755 -p /etc/duo + mkdir -p /etc/duo + chmod 0755 /etc/duo umask 0077 conf="$(mktemp)" @@ -222,7 +223,8 @@ in unitConfig.DefaultDependencies = false; script = '' if test -f "${cfg.secretKeyFile}"; then - mkdir -m 0755 -p /etc/duo + mkdir -p /etc/duo + chmod 0755 /etc/duo umask 0077 conf="$(mktemp)" diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix index 4499532ace897..dfbdff7fb0113 100644 --- a/nixos/modules/services/mail/roundcube.nix +++ b/nixos/modules/services/mail/roundcube.nix @@ -7,7 +7,7 @@ let fpm = config.services.phpfpm.pools.roundcube; localDB = cfg.database.host == "localhost"; user = cfg.database.username; - phpWithPspell = pkgs.php81.withExtensions ({ enabled, all }: [ all.pspell ] ++ enabled); + phpWithPspell = pkgs.php83.withExtensions ({ enabled, all }: [ all.pspell ] ++ enabled); in { options.services.roundcube = { diff --git a/nixos/modules/services/misc/greenclip.nix b/nixos/modules/services/misc/greenclip.nix index 9d1483a5a047a..d92cd1854877f 100644 --- a/nixos/modules/services/misc/greenclip.nix +++ b/nixos/modules/services/misc/greenclip.nix @@ -18,7 +18,10 @@ in { description = "greenclip daemon"; wantedBy = [ "graphical-session.target" ]; after = [ "graphical-session.target" ]; - serviceConfig.ExecStart = "${cfg.package}/bin/greenclip daemon"; + serviceConfig = { + ExecStart = "${cfg.package}/bin/greenclip daemon"; + Restart = "always"; + }; }; environment.systemPackages = [ cfg.package ]; diff --git a/nixos/modules/services/networking/firewall-nftables.nix b/nixos/modules/services/networking/firewall-nftables.nix index de336113843ef..a5ee7efc3c324 100644 --- a/nixos/modules/services/networking/firewall-nftables.nix +++ b/nixos/modules/services/networking/firewall-nftables.nix @@ -45,6 +45,18 @@ in This option only works with the nftables based firewall. ''; }; + + extraReversePathFilterRules = mkOption { + type = types.lines; + default = ""; + example = "fib daddr . mark . iif type local accept"; + description = '' + Additional nftables rules to be appended to the rpfilter-allow + chain. + + This option only works with the nftables based firewall. + ''; + }; }; }; @@ -79,6 +91,8 @@ in meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server" fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept + jump rpfilter-allow + ${optionalString cfg.logReversePathDrops '' log level info prefix "rpfilter drop: " ''} @@ -86,6 +100,10 @@ in } ''} + chain rpfilter-allow { + ${cfg.extraReversePathFilterRules} + } + chain input { type filter hook input priority filter; policy drop; diff --git a/nixos/modules/services/networking/inadyn.nix b/nixos/modules/services/networking/inadyn.nix new file mode 100644 index 0000000000000..baa4302096c2c --- /dev/null +++ b/nixos/modules/services/networking/inadyn.nix @@ -0,0 +1,250 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.inadyn; + + # check if a value of an attrset is not null or an empty collection + nonEmptyValue = _: v: v != null && v != [ ] && v != { }; + + renderOption = k: v: + if builtins.elem k [ "provider" "custom" ] then + lib.concatStringsSep "\n" + (mapAttrsToList + (name: config: '' + ${k} ${name} { + ${lib.concatStringsSep "\n " (mapAttrsToList renderOption (filterAttrs nonEmptyValue config))} + }'') + v) + else if k == "include" then + "${k}(\"${v}\")" + else if k == "hostname" && builtins.isList v then + "${k} = { ${builtins.concatStringsSep ", " (map (s: "\"${s}\"") v)} }" + else if builtins.isBool v then + "${k} = ${boolToString v}" + else if builtins.isString v then + "${k} = \"${v}\"" + else + "${k} = ${toString v}"; + + configFile' = pkgs.writeText "inadyn.conf" + '' + # This file was generated by nix + # do not edit + + ${(lib.concatStringsSep "\n" (mapAttrsToList renderOption (filterAttrs nonEmptyValue cfg.settings)))} + ''; + + configFile = if (cfg.configFile != null) then cfg.configFile else configFile'; +in +{ + options.services.inadyn = with types; + let + providerOptions = + { + include = mkOption { + default = null; + description = "File to include additional settings for this provider from."; + type = nullOr path; + }; + ssl = mkOption { + default = true; + description = "Whether to use HTTPS for this DDNS provider."; + type = bool; + }; + username = mkOption { + default = null; + description = "Username for this DDNS provider."; + type = nullOr str; + }; + password = mkOption { + default = null; + description = '' + Password for this DDNS provider. + + WARNING: This will be world-readable in the nix store. + To store credentials securely, use the `include` or `configFile` options. + ''; + type = nullOr str; + }; + hostname = mkOption { + default = "*"; + example = "your.cool-domain.com"; + description = "Hostname alias(es)."; + type = either str (listOf str); + }; + }; + in + { + enable = mkEnableOption ('' + synchronise your machine's IP address with a dynamic DNS provider using inadyn + ''); + user = mkOption { + default = "inadyn"; + type = types.str; + description = '' + User account under which inadyn runs. + + ::: {.note} + If left as the default value this user will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the inadyn service starts. + ::: + ''; + }; + group = mkOption { + default = "inadyn"; + type = types.str; + description = '' + Group account under which inadyn runs. + + ::: {.note} + If left as the default value this user will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the inadyn service starts. + ::: + ''; + }; + interval = mkOption { + default = "*-*-* *:*:00"; + description = '' + How often to check the current IP. + Uses the format described in {manpage}`systemd.time(7)`"; + ''; + type = str; + }; + logLevel = lib.mkOption { + type = lib.types.enum [ "none" "err" "warning" "info" "notice" "debug" ]; + default = "notice"; + description = "Set inadyn's log level."; + }; + settings = mkOption { + default = { }; + description = "See `inadyn.conf (5)`"; + type = submodule { + freeformType = attrs; + options = { + allow-ipv6 = mkOption { + default = config.networking.enableIPv6; + defaultText = "`config.networking.enableIPv6`"; + description = "Whether to get IPv6 addresses from interfaces."; + type = bool; + }; + forced-update = mkOption { + default = 2592000; + description = "Duration (in seconds) after which an update is forced."; + type = ints.positive; + }; + provider = mkOption { + default = { }; + description = '' + Settings for DDNS providers built-in to inadyn. + + For a list of built-in providers, see `inadyn.conf (5)`. + ''; + type = attrsOf (submodule { + freeformType = attrs; + options = providerOptions; + }); + }; + custom = mkOption { + default = { }; + description = '' + Settings for custom DNS providers. + ''; + type = attrsOf (submodule { + freeformType = attrs; + options = providerOptions // { + ddns-server = mkOption { + description = "DDNS server name."; + type = str; + }; + ddns-path = mkOption { + description = '' + DDNS server path. + + See `inadnyn.conf (5)` for a list for format specifiers that can be used. + ''; + example = "/update?user=%u&password=%p&domain=%h&myip=%i"; + type = str; + }; + }; + }); + }; + }; + }; + }; + configFile = mkOption { + default = null; + description = '' + Configuration file for inadyn. + + Setting this will override all other configuration options. + + Passed to the inadyn service using LoadCredential. + ''; + type = nullOr path; + }; + }; + + config = lib.mkIf cfg.enable { + systemd = { + services.inadyn = { + description = "Update nameservers using inadyn"; + documentation = [ + "man:inadyn" + "man:inadyn.conf" + "file:${pkgs.inadyn}/share/doc/inadyn/README.md" + ]; + requires = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + startAt = cfg.interval; + serviceConfig = { + Type = "oneshot"; + ExecStart = ''${lib.getExe pkgs.inadyn} -f ${configFile} --cache-dir ''${CACHE_DIRECTORY}/inadyn -1 --foreground -l ${cfg.logLevel}''; + LoadCredential = "config:${configFile}"; + CacheDirectory = "inadyn"; + + User = cfg.user; + Group = cfg.group; + UMask = "0177"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK"; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectSystem = "strict"; + ProtectProc = "invisible"; + ProtectHome = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = "@system-service"; + CapabilityBoundingSet = ""; + }; + }; + + timers.inadyn.timerConfig.Persistent = true; + }; + + users.users.inadyn = mkIf (cfg.user == "inadyn") { + group = cfg.group; + isSystemUser = true; + }; + + users.groups = mkIf (cfg.group == "inadyn") { + inadyn = { }; + }; + }; +} diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index c9dd1d1b0f01f..435cd530c18d4 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -124,11 +124,20 @@ let fi ''} + # ensure wpa_supplicant.conf exists, or the daemon will fail to start + ${optionalString cfg.allowAuxiliaryImperativeNetworks '' + touch /etc/wpa_supplicant.conf + ''} + # substitute environment variables if [ -f "${configFile}" ]; then ${pkgs.gawk}/bin/awk '{ - for(varname in ENVIRON) - gsub("@"varname"@", ENVIRON[varname]) + for(varname in ENVIRON) { + find = "@"varname"@" + repl = ENVIRON[varname] + if (i = index($0, find)) + $0 = substr($0, 1, i-1) repl substr($0, i+length(find)) + } print }' "${configFile}" > "${finalConfig}" else diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index abf1ce9ba0200..d2992a196bf87 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -47,6 +47,7 @@ let reverse-proxy = reverseProxy; proxy-prefix = proxyPrefix; profile-url = profileURL; + oidc-issuer-url = oidcIssuerUrl; redeem-url = redeemURL; redirect-url = redirectURL; request-logging = requestLogging; @@ -131,6 +132,15 @@ in example = "123456.apps.googleusercontent.com"; }; + oidcIssuerUrl = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The OAuth issuer URL. + ''; + example = "https://login.microsoftonline.com/{TENANT_ID}/v2.0"; + }; + clientSecret = mkOption { type = types.nullOr types.str; description = '' diff --git a/nixos/modules/services/system/earlyoom.nix b/nixos/modules/services/system/earlyoom.nix index bcdf7d6512d5a..7e012dee02cbf 100644 --- a/nixos/modules/services/system/earlyoom.nix +++ b/nixos/modules/services/system/earlyoom.nix @@ -4,15 +4,29 @@ let cfg = config.services.earlyoom; inherit (lib) - mkDefault mkEnableOption mkIf mkOption types - mkRemovedOptionModule literalExpression - escapeShellArg concatStringsSep optional optionalString; - + concatStringsSep + escapeShellArg + literalExpression + mkDefault + mkEnableOption + mkIf + mkOption + mkPackageOption + mkRemovedOptionModule + optionalString + optionals + types; in { + meta = { + maintainers = with lib.maintainers; [ AndersonTorres ]; + }; + options.services.earlyoom = { enable = mkEnableOption "early out of memory killing"; + package = mkPackageOption pkgs "earlyoom" { }; + freeMemThreshold = mkOption { type = types.ints.between 1 100; default = 10; @@ -138,22 +152,21 @@ in systemd.services.earlyoom = { description = "Early OOM Daemon for Linux"; wantedBy = [ "multi-user.target" ]; - path = optional cfg.enableNotifications pkgs.dbus; + path = optionals cfg.enableNotifications [ pkgs.dbus ]; serviceConfig = { StandardError = "journal"; ExecStart = concatStringsSep " " ([ - "${pkgs.earlyoom}/bin/earlyoom" + "${lib.getExe cfg.package}" ("-m ${toString cfg.freeMemThreshold}" - + optionalString (cfg.freeMemKillThreshold != null) ",${toString cfg.freeMemKillThreshold}") + + optionalString (cfg.freeMemKillThreshold != null) ",${toString cfg.freeMemKillThreshold}") ("-s ${toString cfg.freeSwapThreshold}" - + optionalString (cfg.freeSwapKillThreshold != null) ",${toString cfg.freeSwapKillThreshold}") + + optionalString (cfg.freeSwapKillThreshold != null) ",${toString cfg.freeSwapKillThreshold}") "-r ${toString cfg.reportInterval}" ] - ++ optional cfg.enableDebugInfo "-d" - ++ optional cfg.enableNotifications "-n" - ++ optional (cfg.killHook != null) "-N ${escapeShellArg cfg.killHook}" - ++ cfg.extraArgs - ); + ++ optionals cfg.enableDebugInfo [ "-d" ] + ++ optionals cfg.enableNotifications [ "-n" ] + ++ optionals (cfg.killHook != null) [ "-N ${escapeShellArg cfg.killHook}" ] + ++ cfg.extraArgs); }; }; }; diff --git a/nixos/modules/services/web-apps/coder.nix b/nixos/modules/services/web-apps/coder.nix index 318a7c8fc1357..d4a5b7b2b89cd 100644 --- a/nixos/modules/services/web-apps/coder.nix +++ b/nixos/modules/services/web-apps/coder.nix @@ -169,7 +169,7 @@ in { after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - environment = config.environment.extra // { + environment = cfg.environment.extra // { CODER_ACCESS_URL = cfg.accessUrl; CODER_WILDCARD_ACCESS_URL = cfg.wildcardAccessUrl; CODER_PG_CONNECTION_URL = "user=${cfg.database.username} ${optionalString (cfg.database.password != null) "password=${cfg.database.password}"} database=${cfg.database.database} host=${cfg.database.host} ${optionalString (cfg.database.sslmode != null) "sslmode=${cfg.database.sslmode}"}"; diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index 0d0361584c3a0..cdd60f572b990 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix @@ -2,7 +2,7 @@ let - inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption; + inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption mkPackageOption; inherit (lib) literalExpression mapAttrs optional optionalString types; cfg = config.services.limesurvey; @@ -12,8 +12,6 @@ let group = config.services.httpd.group; stateDir = "/var/lib/limesurvey"; - pkg = pkgs.limesurvey; - configType = with types; oneOf [ (attrsOf configType) str int bool ] // { description = "limesurvey config type (str, int, bool or attribute set thereof)"; }; @@ -34,6 +32,8 @@ in options.services.limesurvey = { enable = mkEnableOption "Limesurvey web application"; + package = mkPackageOption pkgs "limesurvey" { }; + encryptionKey = mkOption { type = types.str; default = "E17687FC77CEE247F0E22BB3ECF27FDE8BEC310A892347EC13013ABA11AA7EB5"; @@ -240,7 +240,7 @@ in adminAddr = mkDefault cfg.virtualHost.adminAddr; extraModules = [ "proxy_fcgi" ]; virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { - documentRoot = mkForce "${pkg}/share/limesurvey"; + documentRoot = mkForce "${cfg.package}/share/limesurvey"; extraConfig = '' Alias "/tmp" "${stateDir}/tmp" <Directory "${stateDir}"> @@ -256,7 +256,7 @@ in Options -Indexes </Directory> - <Directory "${pkg}/share/limesurvey"> + <Directory "${cfg.package}/share/limesurvey"> <FilesMatch "\.php$"> <If "-f %{REQUEST_FILENAME}"> SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" @@ -277,7 +277,7 @@ in "d ${stateDir}/tmp/assets 0750 ${user} ${group} - -" "d ${stateDir}/tmp/runtime 0750 ${user} ${group} - -" "d ${stateDir}/tmp/upload 0750 ${user} ${group} - -" - "C ${stateDir}/upload 0750 ${user} ${group} - ${pkg}/share/limesurvey/upload" + "C ${stateDir}/upload 0750 ${user} ${group} - ${cfg.package}/share/limesurvey/upload" ]; systemd.services.limesurvey-init = { @@ -288,8 +288,8 @@ in environment.LIMESURVEY_CONFIG = limesurveyConfig; script = '' # update or install the database as required - ${pkgs.php81}/bin/php ${pkg}/share/limesurvey/application/commands/console.php updatedb || \ - ${pkgs.php81}/bin/php ${pkg}/share/limesurvey/application/commands/console.php install admin password admin admin@example.com verbose + ${pkgs.php81}/bin/php ${cfg.package}/share/limesurvey/application/commands/console.php updatedb || \ + ${pkgs.php81}/bin/php ${cfg.package}/share/limesurvey/application/commands/console.php install admin password admin admin@example.com verbose ''; serviceConfig = { User = user; diff --git a/nixos/modules/services/web-apps/mediawiki.nix b/nixos/modules/services/web-apps/mediawiki.nix index 7246fd93a2314..b11626ec2dc3b 100644 --- a/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixos/modules/services/web-apps/mediawiki.nix @@ -246,7 +246,9 @@ in passwordFile = mkOption { type = types.path; - description = "A file containing the initial password for the admin user."; + description = '' + A file containing the initial password for the administrator account "admin". + ''; example = "/run/keys/mediawiki-password"; }; diff --git a/nixos/modules/services/web-apps/pretalx.nix b/nixos/modules/services/web-apps/pretalx.nix index e80eedf9f8590..b062a8b7eeeac 100644 --- a/nixos/modules/services/web-apps/pretalx.nix +++ b/nixos/modules/services/web-apps/pretalx.nix @@ -286,16 +286,16 @@ in virtualHosts.${cfg.nginx.domain} = { # https://docs.pretalx.org/administrator/installation.html#step-7-ssl extraConfig = '' - more_set_headers Referrer-Policy same-origin; - more_set_headers X-Content-Type-Options nosniff; + more_set_headers "Referrer-Policy: same-origin"; + more_set_headers "X-Content-Type-Options: nosniff"; ''; locations = { "/".proxyPass = "http://pretalx"; "/media/" = { - alias = "${cfg.settings.filesystem.data}/data/media/"; + alias = "${cfg.settings.filesystem.data}/media/"; extraConfig = '' access_log off; - more_set_headers Content-Disposition 'attachment; filename="$1"'; + more_set_headers 'Content-Disposition: attachment; filename="$1"'; expires 7d; ''; }; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 40470f535bf61..337d53e869efe 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -829,7 +829,7 @@ in sslCiphers = mkOption { type = types.nullOr types.str; # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate - default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; + default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"; description = "Ciphers to choose from when negotiating TLS handshakes."; }; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index aea6855f91c50..c82924763d5e8 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -595,18 +595,17 @@ in }; systemd.units = - mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit n v)) cfg.paths - // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services - // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit n v)) cfg.slices - // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.sockets - // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit n v)) cfg.targets - // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit n v)) cfg.timers - // listToAttrs (map - (v: let n = escapeSystemdPath v.where; - in nameValuePair "${n}.mount" (mountToUnit n v)) cfg.mounts) - // listToAttrs (map - (v: let n = escapeSystemdPath v.where; - in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts); + let + withName = cfgToUnit: cfg: lib.nameValuePair cfg.name (cfgToUnit cfg); + in + mapAttrs' (_: withName pathToUnit) cfg.paths + // mapAttrs' (_: withName serviceToUnit) cfg.services + // mapAttrs' (_: withName sliceToUnit) cfg.slices + // mapAttrs' (_: withName socketToUnit) cfg.sockets + // mapAttrs' (_: withName targetToUnit) cfg.targets + // mapAttrs' (_: withName timerToUnit) cfg.timers + // listToAttrs (map (withName mountToUnit) cfg.mounts) + // listToAttrs (map (withName automountToUnit) cfg.automounts); # Environment of PID 1 systemd.managerEnvironment = { diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 00441b693d670..cc32b2a15e7ce 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -490,18 +490,18 @@ in { targets.initrd.aliases = ["default.target"]; units = - mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit n v)) cfg.paths - // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services - // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit n v)) cfg.slices - // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.sockets - // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit n v)) cfg.targets - // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit n v)) cfg.timers + mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit v)) cfg.paths + // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit v)) cfg.services + // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit v)) cfg.slices + // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit v)) cfg.sockets + // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit v)) cfg.targets + // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit v)) cfg.timers // listToAttrs (map (v: let n = escapeSystemdPath v.where; - in nameValuePair "${n}.mount" (mountToUnit n v)) cfg.mounts) + in nameValuePair "${n}.mount" (mountToUnit v)) cfg.mounts) // listToAttrs (map (v: let n = escapeSystemdPath v.where; - in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts); + in nameValuePair "${n}.automount" (automountToUnit v)) cfg.automounts); # make sure all the /dev nodes are set up services.systemd-tmpfiles-setup-dev.wantedBy = ["sysinit.target"]; diff --git a/nixos/modules/system/boot/systemd/user.nix b/nixos/modules/system/boot/systemd/user.nix index 4c7b51ee22b74..2685cf7e283a2 100644 --- a/nixos/modules/system/boot/systemd/user.nix +++ b/nixos/modules/system/boot/systemd/user.nix @@ -175,12 +175,12 @@ in { }; systemd.user.units = - mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit n v)) cfg.paths - // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services - // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit n v)) cfg.slices - // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.sockets - // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit n v)) cfg.targets - // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit n v)) cfg.timers; + mapAttrs' (n: v: nameValuePair "${n}.path" (pathToUnit v)) cfg.paths + // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit v)) cfg.services + // mapAttrs' (n: v: nameValuePair "${n}.slice" (sliceToUnit v)) cfg.slices + // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit v)) cfg.sockets + // mapAttrs' (n: v: nameValuePair "${n}.target" (targetToUnit v)) cfg.targets + // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit v)) cfg.timers; # Generate timer units for all services that have a ‘startAt’ value. systemd.user.timers = diff --git a/nixos/modules/virtualisation/digital-ocean-config.nix b/nixos/modules/virtualisation/digital-ocean-config.nix index 2d5bc0661d48d..4ef2b85551c66 100644 --- a/nixos/modules/virtualisation/digital-ocean-config.nix +++ b/nixos/modules/virtualisation/digital-ocean-config.nix @@ -41,7 +41,7 @@ with lib; kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ]; initrd.kernelModules = [ "virtio_scsi" ]; kernelModules = [ "virtio_pci" "virtio_net" ]; - loader.grub.devices = lib.mkDefault ["/dev/vda"]; + loader.grub.devices = ["/dev/vda"]; }; services.openssh = { enable = mkDefault true; diff --git a/nixos/release-small.nix b/nixos/release-small.nix index d4de2fd8df4fb..091c2b1f305be 100644 --- a/nixos/release-small.nix +++ b/nixos/release-small.nix @@ -81,6 +81,7 @@ in rec { php postgresql python + release-checks rsyslog stdenv subversion diff --git a/nixos/tests/caddy.nix b/nixos/tests/caddy.nix index 41d8e57de4686..0efe8f94e39dd 100644 --- a/nixos/tests/caddy.nix +++ b/nixos/tests/caddy.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "caddy"; meta = with pkgs.lib.maintainers; { - maintainers = [ xfix Br1ght0ne ]; + maintainers = [ Br1ght0ne ]; }; nodes = { diff --git a/nixos/tests/earlyoom.nix b/nixos/tests/earlyoom.nix index 75bdf56899b30..b7850ddeaaab3 100644 --- a/nixos/tests/earlyoom.nix +++ b/nixos/tests/earlyoom.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ lib, ... }: { name = "earlyoom"; meta = { - maintainers = with lib.maintainers; [ ncfavier ]; + maintainers = with lib.maintainers; [ ncfavier AndersonTorres ]; }; machine = { diff --git a/nixos/tests/phosh.nix b/nixos/tests/phosh.nix index 78d6da31beee1..d505f0ffc5245 100644 --- a/nixos/tests/phosh.nix +++ b/nixos/tests/phosh.nix @@ -25,6 +25,10 @@ in { }; }; + environment.systemPackages = [ + pkgs.phosh-mobile-settings + ]; + systemd.services.phosh = { environment = { # Accelerated graphics fail on phoc 0.20 (wlroots 0.15) @@ -63,8 +67,13 @@ in { phone.screenshot("03launcher") with subtest("Check the on-screen keyboard shows"): - phone.send_chars("setting", delay=0.2) + phone.send_chars("mobile setting", delay=0.2) phone.wait_for_text("123") # A button on the OSK phone.screenshot("04osk") + + with subtest("Check mobile-phosh-settings starts"): + phone.send_chars("\n") + phone.wait_for_text("Tweak advanced mobile settings"); + phone.screenshot("05settings") ''; }) diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix index 66650dce4a008..868b28085a675 100644 --- a/nixos/tests/radicale.nix +++ b/nixos/tests/radicale.nix @@ -6,7 +6,7 @@ let port = "5232"; filesystem_folder = "/data/radicale"; - cli = "${pkgs.calendar-cli}/bin/calendar-cli --caldav-user ${user} --caldav-pass ${password}"; + cli = "${lib.getExe pkgs.calendar-cli} --caldav-user ${user} --caldav-pass ${password}"; in { name = "radicale3"; meta.maintainers = with lib.maintainers; [ dotlambda ]; diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index 1a39cc73c8868..4b087d403f37d 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "systemd"; - nodes.machine = { lib, ... }: { + nodes.machine = { config, lib, ... }: { imports = [ common/user-account.nix common/x11.nix ]; virtualisation.emptyDiskImages = [ 512 512 ]; @@ -38,9 +38,18 @@ import ./make-test-python.nix ({ pkgs, ... }: { script = "true"; }; + systemd.services.testDependency1 = { + description = "Test Dependency 1"; + wantedBy = [ config.systemd.services."testservice1".name ]; + serviceConfig.Type = "oneshot"; + script = '' + true + ''; + }; + systemd.services.testservice1 = { description = "Test Service 1"; - wantedBy = [ "multi-user.target" ]; + wantedBy = [ config.systemd.targets.multi-user.name ]; serviceConfig.Type = "oneshot"; script = '' if [ "$XXX_SYSTEM" = foo ]; then diff --git a/nixos/tests/wpa_supplicant.nix b/nixos/tests/wpa_supplicant.nix index 8c701ca7d5f71..5e3b39f27ecf3 100644 --- a/nixos/tests/wpa_supplicant.nix +++ b/nixos/tests/wpa_supplicant.nix @@ -102,17 +102,34 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: test2.psk = "@PSK_SPECIAL@"; # should be replaced test3.psk = "@PSK_MISSING@"; # should not be replaced test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced + test5.psk = "@PSK_AWK_REGEX@"; # should be replaced }; # secrets environmentFile = pkgs.writeText "wpa-secrets" '' PSK_VALID="S0m3BadP4ssw0rd"; # taken from https://github.com/minimaxir/big-list-of-naughty-strings - PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~"; + PSK_SPECIAL=",./;'[]\/\-= <>?:\"{}|_+ !@#$%^&*()`~"; + PSK_AWK_REGEX="PassowrdWith&symbol"; ''; }; }; + imperative = { ... }: { + imports = [ ../modules/profiles/minimal.nix ]; + + # add a virtual wlan interface + boot.kernelModules = [ "mac80211_hwsim" ]; + + # wireless client + networking.wireless = { + enable = lib.mkOverride 0 true; + userControlled.enable = true; + allowAuxiliaryImperativeNetworks = true; + interfaces = [ "wlan1" ]; + }; + }; + # Test connecting to the SAE-only hotspot using SAE machineSae = machineWithHostapd { networking.wireless = { @@ -171,6 +188,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}") basic.succeed(f"grep -q @PSK_MISSING@ {config_file}") basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}") + basic.succeed(f"grep -q 'PassowrdWith&symbol' {config_file}") with subtest("WPA2 fallbacks have been generated"): assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1 @@ -185,6 +203,15 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: assert "Failed to connect" not in status, \ "Failed to connect to the daemon" + with subtest("Daemon can be configured imperatively"): + imperative.wait_for_unit("wpa_supplicant-wlan1.service") + imperative.wait_until_succeeds("wpa_cli -i wlan1 status") + imperative.succeed("wpa_cli -i wlan1 add_network") + imperative.succeed("wpa_cli -i wlan1 set_network 0 ssid '\"nixos-test\"'") + imperative.succeed("wpa_cli -i wlan1 set_network 0 psk '\"reproducibility\"'") + imperative.succeed("wpa_cli -i wlan1 save_config") + imperative.succeed("grep -q nixos-test /etc/wpa_supplicant.conf") + machineSae.wait_for_unit("hostapd.service") machineSae.copy_from_vm("/run/hostapd/wlan0.hostapd.conf") with subtest("Daemon can connect to the SAE access point using SAE"): |