From 327b0cff7aedc20a148d245b1182f43800acc1f5 Mon Sep 17 00:00:00 2001 
From: Felix Buehler Date: Sun, 19 Mar 2023 21:44:31 +0100 Subject: treewide: use more lib.optionalString --- nixos/modules/i18n/input-method/ibus.nix | 5 +---- nixos/modules/installer/cd-dvd/iso-image.nix | 4 ++-- nixos/modules/programs/less.nix | 2 +- nixos/modules/programs/tmux.nix | 16 ++++++++-------- nixos/modules/security/acme/default.nix | 4 ++-- nixos/modules/services/audio/snapserver.nix | 4 ++-- nixos/modules/services/backup/mysql-backup.nix | 2 +- nixos/modules/services/backup/restic.nix | 2 +- nixos/modules/services/blockchain/ethereum/geth.nix | 4 ++-- .../continuous-integration/jenkins/job-builder.nix | 2 +- nixos/modules/services/games/minetest-server.nix | 2 +- nixos/modules/services/logging/logrotate.nix | 5 ++--- nixos/modules/services/logging/syslogd.nix | 2 +- nixos/modules/services/mail/postfix.nix | 2 +- nixos/modules/services/misc/gammu-smsd.nix | 10 +++++----- nixos/modules/services/misc/gitlab.nix | 2 +- nixos/modules/services/misc/mbpfan.nix | 2 +- nixos/modules/services/misc/redmine.nix | 14 +++++++------- nixos/modules/services/misc/siproxd.nix | 2 +- .../monitoring/prometheus/exporters/collectd.nix | 4 ++-- .../modules/services/network-filesystems/openafs/lib.nix | 4 ++-- nixos/modules/services/networking/ndppd.nix | 2 +- nixos/modules/services/networking/ntopng.nix | 2 +- nixos/modules/services/networking/ssh/lshd.nix | 4 ++-- nixos/modules/services/networking/ssh/sshd.nix | 10 +++++----- nixos/modules/services/networking/strongswan.nix | 6 +++--- nixos/modules/services/networking/stunnel.nix | 4 ++-- nixos/modules/services/networking/xinetd.nix | 2 +- nixos/modules/services/security/oauth2_proxy.nix | 5 ++--- nixos/modules/services/system/cachix-agent/default.nix | 2 +- nixos/modules/services/web-apps/discourse.nix | 4 ++-- nixos/modules/services/web-servers/fcgiwrap.nix | 2 +- nixos/modules/services/web-servers/lighttpd/default.nix | 10 +++++----- nixos/modules/services/web-servers/nginx/default.nix | 4 ++-- 
nixos/modules/services/web-servers/tomcat.nix | 6 +++--- nixos/modules/system/boot/loader/grub/grub.nix | 4 ++-- .../system/boot/loader/systemd-boot/systemd-boot.nix | 6 +++--- nixos/modules/system/boot/luksroot.nix | 3 +-- nixos/modules/tasks/filesystems.nix | 2 +- nixos/modules/virtualisation/nixos-containers.nix | 8 ++++---- nixos/modules/virtualisation/qemu-vm.nix | 4 ++-- 41 files changed, 89 insertions(+), 95 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix index 520db128acd9f..2a35afad2ac76 100644 --- a/nixos/modules/i18n/input-method/ibus.nix +++ b/nixos/modules/i18n/input-method/ibus.nix @@ -10,10 +10,7 @@ let check = x: (lib.types.package.check x) && (attrByPath ["meta" "isIbusEngine"] false x); }; - impanel = - if cfg.panel != null - then "--panel=${cfg.panel}" - else ""; + impanel = optionalString (cfg.panel != null) "--panel=${cfg.panel}"; ibusAutostart = pkgs.writeTextFile { name = "autostart-ibus-daemon"; diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 8fa070b03db31..ea17e2a705ede 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -22,8 +22,8 @@ let (option: '' menuentry '${defaults.name} ${ # Name appended to menuentry defaults to params if no specific name given. - option.name or (if option ? params then "(${option.params})" else "") - }' ${if option ? class then " --class ${option.class}" else ""} { + option.name or (optionalString (option ? params) "(${option.params})") + }' ${optionalString (option ? class) " --class ${option.class}"} { linux ${defaults.image} \''${isoboot} ${defaults.params} ${ option.params or "" } diff --git a/nixos/modules/programs/less.nix b/nixos/modules/programs/less.nix index a1134e774364a..81c68307aee14 100644 --- a/nixos/modules/programs/less.nix +++ b/nixos/modules/programs/less.nix 
@@ -11,7 +11,7 @@ let ${concatStringsSep "\n" (mapAttrsToList (command: action: "${command} ${action}") cfg.commands) } - ${if cfg.clearDefaultCommands then "#stop" else ""} + ${optionalString cfg.clearDefaultCommands "#stop"} #line-edit ${concatStringsSep "\n" diff --git a/nixos/modules/programs/tmux.nix b/nixos/modules/programs/tmux.nix index 4fb9175fb8d21..2e5c8c30e0f88 100644 --- a/nixos/modules/programs/tmux.nix +++ b/nixos/modules/programs/tmux.nix @@ -1,7 +1,7 @@ { config, pkgs, lib, ... }: let - inherit (lib) mkOption mkIf types; + inherit (lib) mkOption mkIf types optionalString; cfg = config.programs.tmux; @@ -17,17 +17,17 @@ let set -g base-index ${toString cfg.baseIndex} setw -g pane-base-index ${toString cfg.baseIndex} - ${if cfg.newSession then "new-session" else ""} + ${optionalString cfg.newSession "new-session"} - ${if cfg.reverseSplit then '' + ${optionalString cfg.reverseSplit '' bind v split-window -h bind s split-window -v - '' else ""} + ''} set -g status-keys ${cfg.keyMode} set -g mode-keys ${cfg.keyMode} - ${if cfg.keyMode == "vi" && cfg.customPaneNavigationAndResize then '' + ${optionalString (cfg.keyMode == "vi" && cfg.customPaneNavigationAndResize) '' bind h select-pane -L bind j select-pane -D bind k select-pane -U @@ -37,15 +37,15 @@ let bind -r J resize-pane -D ${toString cfg.resizeAmount} bind -r K resize-pane -U ${toString cfg.resizeAmount} bind -r L resize-pane -R ${toString cfg.resizeAmount} - '' else ""} + ''} - ${if (cfg.shortcut != defaultShortcut) then '' + ${optionalString (cfg.shortcut != defaultShortcut) '' # rebind main key: C-${cfg.shortcut} unbind C-${defaultShortcut} set -g prefix C-${cfg.shortcut} bind ${cfg.shortcut} send-prefix bind C-${cfg.shortcut} last-window - '' else ""} + ''} setw -g aggressive-resize ${boolToStr cfg.aggressiveResize} setw -g clock-mode-style ${if cfg.clock24 then "24" else "12"} 
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix index ef0636258994c..66d1d2c5d9c5b 100644 --- a/nixos/modules/security/acme/default.nix +++ b/nixos/modules/security/acme/default.nix @@ -781,11 +781,11 @@ in { # FIXME Most of these custom warnings and filters for security.acme.certs.* are required # because using mkRemovedOptionModule/mkChangedOptionModule with attrsets isn't possible. - warnings = filter (w: w != "") (mapAttrsToList (cert: data: if data.extraDomains != "_mkMergedOptionModule" then '' + warnings = filter (w: w != "") (mapAttrsToList (cert: data: optionalString (data.extraDomains != "_mkMergedOptionModule") '' The option definition `security.acme.certs.${cert}.extraDomains` has changed to `security.acme.certs.${cert}.extraDomainNames` and is now a list of strings. Setting a custom webroot for extra domains is not possible, instead use separate certs. - '' else "") cfg.certs); + '') cfg.certs); assertions = let certs = attrValues cfg.certs; diff --git a/nixos/modules/services/audio/snapserver.nix b/nixos/modules/services/audio/snapserver.nix index 2af42eeb3705b..dbab741bf6fc7 100644 --- a/nixos/modules/services/audio/snapserver.nix +++ b/nixos/modules/services/audio/snapserver.nix @@ -275,9 +275,9 @@ in { warnings = # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85 - filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then '' + filter (w: w != "") (mapAttrsToList (k: v: optionalString (v.type == "spotify") '' services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead. - '' else "") cfg.streams); + '') cfg.streams); systemd.services.snapserver = { after = [ "network.target" ]; diff --git a/nixos/modules/services/backup/mysql-backup.nix b/nixos/modules/services/backup/mysql-backup.nix index 289291c6bd2f9..9fbc599cd41af 100644 
--- a/nixos/modules/services/backup/mysql-backup.nix +++ b/nixos/modules/services/backup/mysql-backup.nix @@ -20,7 +20,7 @@ let ''; backupDatabaseScript = db: '' dest="${cfg.location}/${db}.gz" - if ${mariadb}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > $dest.tmp; then + if ${mariadb}/bin/mysqldump ${optionalString cfg.singleTransaction "--single-transaction"} ${db} | ${gzip}/bin/gzip -c > $dest.tmp; then mv $dest.tmp $dest echo "Backed up to $dest" else diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index ca796cf7797e6..d19b98a3e4bbb 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -300,7 +300,7 @@ in filesFromTmpFile = "/run/restic-backups-${name}/includes"; backupPaths = if (backup.dynamicFilesFrom == null) - then if (backup.paths != null) then concatStringsSep " " backup.paths else "" + then optionalString (backup.paths != null) (concatStringsSep " " backup.paths) else "--files-from ${filesFromTmpFile}"; pruneCmd = optionals (builtins.length backup.pruneOpts > 0) [ (resticCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts)) diff --git a/nixos/modules/services/blockchain/ethereum/geth.nix b/nixos/modules/services/blockchain/ethereum/geth.nix index eca308dc366d1..d12516ca2f249 100644 --- a/nixos/modules/services/blockchain/ethereum/geth.nix +++ b/nixos/modules/services/blockchain/ethereum/geth.nix 
@@ -196,9 +196,9 @@ in --gcmode ${cfg.gcmode} \ --port ${toString cfg.port} \ --maxpeers ${toString cfg.maxpeers} \ - ${if cfg.http.enable then ''--http --http.addr ${cfg.http.address} --http.port ${toString cfg.http.port}'' else ""} \ + ${optionalString cfg.http.enable ''--http --http.addr ${cfg.http.address} --http.port ${toString cfg.http.port}''} \ ${optionalString (cfg.http.apis != null) ''--http.api ${lib.concatStringsSep "," cfg.http.apis}''} \ - ${if cfg.websocket.enable then ''--ws --ws.addr ${cfg.websocket.address} --ws.port ${toString cfg.websocket.port}'' else ""} \ + ${optionalString cfg.websocket.enable ''--ws --ws.addr ${cfg.websocket.address} --ws.port ${toString cfg.websocket.port}''} \ ${optionalString (cfg.websocket.apis != null) ''--ws.api ${lib.concatStringsSep "," cfg.websocket.apis}''} \ ${optionalString cfg.metrics.enable ''--metrics --metrics.addr ${cfg.metrics.address} --metrics.port ${toString cfg.metrics.port}''} \ --authrpc.addr ${cfg.authrpc.address} --authrpc.port ${toString cfg.authrpc.port} --authrpc.vhosts ${lib.concatStringsSep "," cfg.authrpc.vhosts} \ diff --git a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix index 3a1c6c1a371df..d6a8c2a3f7cce 100644 --- a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix +++ b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix @@ -242,7 +242,7 @@ in { jobdir="${jenkinsCfg.home}/$jenkinsjobname" rm -rf "$jobdir" done - '' + (if cfg.accessUser != "" then reloadScript else ""); + '' + (optionalString (cfg.accessUser != "") reloadScript); serviceConfig = { Type = "oneshot"; User = jenkinsCfg.user; diff --git a/nixos/modules/services/games/minetest-server.nix b/nixos/modules/services/games/minetest-server.nix index e8c96881673b5..578364ec542bb 100644 --- a/nixos/modules/services/games/minetest-server.nix +++ b/nixos/modules/services/games/minetest-server.nix 
@@ -4,7 +4,7 @@ with lib; let cfg = config.services.minetest-server; - flag = val: name: if val != null then "--${name} ${toString val} " else ""; + flag = val: name: optionalString (val != null) "--${name} ${toString val} "; flags = [ (flag cfg.gameId "gameid") (flag cfg.world "world") diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix index b056f96c3630b..342ac5ec6e049 100644 --- a/nixos/modules/services/logging/logrotate.nix +++ b/nixos/modules/services/logging/logrotate.nix @@ -83,9 +83,8 @@ let }; mailOption = - if foldr (n: a: a || (n.mail or false) != false) false (attrValues cfg.settings) - then "--mail=${pkgs.mailutils}/bin/mail" - else ""; + optionalString (foldr (n: a: a || (n.mail or false) != false) false (attrValues cfg.settings)) + "--mail=${pkgs.mailutils}/bin/mail"; in { imports = [ diff --git a/nixos/modules/services/logging/syslogd.nix b/nixos/modules/services/logging/syslogd.nix index 43969402588db..553973e255f7e 100644 --- a/nixos/modules/services/logging/syslogd.nix +++ b/nixos/modules/services/logging/syslogd.nix @@ -7,7 +7,7 @@ let cfg = config.services.syslogd; syslogConf = pkgs.writeText "syslog.conf" '' - ${if (cfg.tty != "") then "kern.warning;*.err;authpriv.none /dev/${cfg.tty}" else ""} + ${optionalString (cfg.tty != "") "kern.warning;*.err;authpriv.none /dev/${cfg.tty}"} ${cfg.defaultConfig} ${cfg.extraConfig} ''; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 852340c05aa7a..23c47aaca7e23 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix 
@@ -234,7 +234,7 @@ let headerChecks = concatStringsSep "\n" (map (x: "${x.pattern} ${x.action}") cfg.headerChecks) + cfg.extraHeaderChecks; - aliases = let separator = if cfg.aliasMapType == "hash" then ":" else ""; in + aliases = let separator = optionalString (cfg.aliasMapType == "hash") ":"; in optionalString (cfg.postmasterAlias != "") '' postmaster${separator} ${cfg.postmasterAlias} '' diff --git a/nixos/modules/services/misc/gammu-smsd.nix b/nixos/modules/services/misc/gammu-smsd.nix index 83f4efe695a27..eff725f5a8685 100644 --- a/nixos/modules/services/misc/gammu-smsd.nix +++ b/nixos/modules/services/misc/gammu-smsd.nix @@ -10,7 +10,7 @@ let Connection = ${cfg.device.connection} SynchronizeTime = ${if cfg.device.synchronizeTime then "yes" else "no"} LogFormat = ${cfg.log.format} - ${if (cfg.device.pin != null) then "PIN = ${cfg.device.pin}" else ""} + ${optionalString (cfg.device.pin != null) "PIN = ${cfg.device.pin}"} ${cfg.extraConfig.gammu} @@ -33,10 +33,10 @@ let ${optionalString (cfg.backend.service == "sql" && cfg.backend.sql.driver == "native_pgsql") ( with cfg.backend; '' Driver = ${sql.driver} - ${if (sql.database!= null) then "Database = ${sql.database}" else ""} - ${if (sql.host != null) then "Host = ${sql.host}" else ""} - ${if (sql.user != null) then "User = ${sql.user}" else ""} - ${if (sql.password != null) then "Password = ${sql.password}" else ""} + ${optionalString (sql.database!= null) "Database = ${sql.database}"} + ${optionalString (sql.host != null) "Host = ${sql.host}"} + ${optionalString (sql.user != null) "User = ${sql.user}"} + ${optionalString (sql.password != null) "Password = ${sql.password}"} '')} ${cfg.extraConfig.smsd} diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index d278b571a6410..12c67c5f5a1e7 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix 
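Review bot: `Password = ${sql.password}` in the @@ -33 hunk interpolates the database password into the generated configuration text; if that text is produced with `pkgs.writeText` (the `let` binding it belongs to starts outside the hunk), the password ends up in the world-readable Nix store. The refactor preserves this exactly, so it is not a regression, but the hunk is a natural place to document it. A one-line marker such as `# NOTE: sql.password is embedded in a store-resident config; a file read at service start would keep it out of the store` next to the option would warn the next maintainer.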
@@ -1215,7 +1215,7 @@ in { enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly extraConfig = { auth.token = { - realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth"; + realm = "http${optionalString (cfg.https == true) "s"}://${cfg.host}/jwt/auth"; service = cfg.registry.serviceName; issuer = cfg.registry.issuer; rootcertbundle = cfg.registry.certFile; diff --git a/nixos/modules/services/misc/mbpfan.nix b/nixos/modules/services/misc/mbpfan.nix index 1a6b54854d1cd..e75c352541438 100644 --- a/nixos/modules/services/misc/mbpfan.nix +++ b/nixos/modules/services/misc/mbpfan.nix @@ -3,7 +3,7 @@ with lib; let cfg = config.services.mbpfan; - verbose = if cfg.verbose then "v" else ""; + verbose = optionalString cfg.verbose "v"; settingsFormat = pkgs.formats.ini {}; settingsFile = settingsFormat.generate "mbpfan.ini" cfg.settings; diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix index 58a595b5c76f5..d881ea913695c 100644 --- a/nixos/modules/services/misc/redmine.nix +++ b/nixos/modules/services/misc/redmine.nix 
@@ -283,13 +283,13 @@ in services.redmine.settings = { production = { - scm_subversion_command = if cfg.components.subversion then "${pkgs.subversion}/bin/svn" else ""; - scm_mercurial_command = if cfg.components.mercurial then "${pkgs.mercurial}/bin/hg" else ""; - scm_git_command = if cfg.components.git then "${pkgs.git}/bin/git" else ""; - scm_cvs_command = if cfg.components.cvs then "${pkgs.cvs}/bin/cvs" else ""; - scm_bazaar_command = if cfg.components.breezy then "${pkgs.breezy}/bin/bzr" else ""; - imagemagick_convert_command = if cfg.components.imagemagick then "${pkgs.imagemagick}/bin/convert" else ""; - gs_command = if cfg.components.ghostscript then "${pkgs.ghostscript}/bin/gs" else ""; + scm_subversion_command = optionalString cfg.components.subversion "${pkgs.subversion}/bin/svn"; + scm_mercurial_command = optionalString cfg.components.mercurial "${pkgs.mercurial}/bin/hg"; + scm_git_command = optionalString cfg.components.git "${pkgs.git}/bin/git"; + scm_cvs_command = optionalString cfg.components.cvs "${pkgs.cvs}/bin/cvs"; + scm_bazaar_command = optionalString cfg.components.breezy "${pkgs.breezy}/bin/bzr"; + imagemagick_convert_command = optionalString cfg.components.imagemagick "${pkgs.imagemagick}/bin/convert"; + gs_command = optionalString cfg.components.ghostscript "${pkgs.ghostscript}/bin/gs"; minimagick_font_path = "${cfg.components.minimagick_font_path}"; }; }; diff --git a/nixos/modules/services/misc/siproxd.nix b/nixos/modules/services/misc/siproxd.nix index f1a1ed4d29b38..99b25bdb8e9ed 100644 --- a/nixos/modules/services/misc/siproxd.nix +++ b/nixos/modules/services/misc/siproxd.nix 
@@ -20,7 +20,7 @@ let ${optionalString (cfg.hostsAllowReg != []) "hosts_allow_reg = ${concatStringsSep "," cfg.hostsAllowReg}"} ${optionalString (cfg.hostsAllowSip != []) "hosts_allow_sip = ${concatStringsSep "," cfg.hostsAllowSip}"} ${optionalString (cfg.hostsDenySip != []) "hosts_deny_sip = ${concatStringsSep "," cfg.hostsDenySip}"} - ${if (cfg.passwordFile != "") then "proxy_auth_pwfile = ${cfg.passwordFile}" else ""} + ${optionalString (cfg.passwordFile != "") "proxy_auth_pwfile = ${cfg.passwordFile}"} ${cfg.extraConfig} ''; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix index 0c2de683ecf72..f67596f05a3a1 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix @@ -58,10 +58,10 @@ in }; }; serviceOpts = let - collectSettingsArgs = if (cfg.collectdBinary.enable) then '' + collectSettingsArgs = optionalString (cfg.collectdBinary.enable) '' --collectd.listen-address ${cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \ --collectd.security-level ${cfg.collectdBinary.securityLevel} \ - '' else ""; + ''; in { serviceConfig = { ExecStart = '' diff --git a/nixos/modules/services/network-filesystems/openafs/lib.nix b/nixos/modules/services/network-filesystems/openafs/lib.nix index 80628f4dfaf29..e5e147a8dc338 100644 --- a/nixos/modules/services/network-filesystems/openafs/lib.nix +++ b/nixos/modules/services/network-filesystems/openafs/lib.nix 
@@ -1,13 +1,13 @@ { config, lib, ...}: let - inherit (lib) concatStringsSep mkOption types; + inherit (lib) concatStringsSep mkOption types optionalString; in { mkCellServDB = cellName: db: '' >${cellName} - '' + (concatStringsSep "\n" (map (dbm: if (dbm.ip != "" && dbm.dnsname != "") then dbm.ip + " #" + dbm.dnsname else "") + '' + (concatStringsSep "\n" (map (dbm: optionalString (dbm.ip != "" && dbm.dnsname != "") "${dbm.ip} #${dbm.dnsname}") db)) + "\n"; diff --git a/nixos/modules/services/networking/ndppd.nix b/nixos/modules/services/networking/ndppd.nix index 98c58d2d5db1b..d221c95ae6200 100644 --- a/nixos/modules/services/networking/ndppd.nix +++ b/nixos/modules/services/networking/ndppd.nix @@ -17,7 +17,7 @@ let ttl ${toString proxy.ttl} ${render proxy.rules (ruleNetworkName: rule: '' rule ${prefer rule.network ruleNetworkName} { - ${rule.method}${if rule.method == "iface" then " ${rule.interface}" else ""} + ${rule.method}${optionalString (rule.method == "iface") " ${rule.interface}"} }'')} }'')} ''); diff --git a/nixos/modules/services/networking/ntopng.nix b/nixos/modules/services/networking/ntopng.nix index e6344d7ff3b34..bf7ec19f02a68 100644 --- a/nixos/modules/services/networking/ntopng.nix +++ b/nixos/modules/services/networking/ntopng.nix @@ -86,7 +86,7 @@ in redis.createInstance = mkOption { type = types.nullOr types.str; - default = if versionAtLeast config.system.stateVersion "22.05" then "ntopng" else ""; + default = optionalString (versionAtLeast config.system.stateVersion "22.05") "ntopng"; description = lib.mdDoc '' Local Redis instance name. Set to `null` to disable local Redis instance. Defaults to `""` for diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix index 7932bac9ca3a1..af64969c2fcd4 100644 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ b/nixos/modules/services/networking/ssh/lshd.nix 
@@ -169,11 +169,11 @@ in else (concatStrings (map (i: "--interface=\"${i}\"") interfaces))} \ -h "${hostKey}" \ - ${if !syslog then "--no-syslog" else ""} \ + ${optionalString (!syslog) "--no-syslog" } \ ${if passwordAuthentication then "--password" else "--no-password" } \ ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ ${if rootLogin then "--root-login" else "--no-root-login" } \ - ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ + ${optionalString (loginShell != null) "--login-shell=\"${loginShell}\"" } \ ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 5f225682b7779..9982da304a489 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -474,10 +474,10 @@ in mkdir -m 0755 -p "$(dirname '${k.path}')" ssh-keygen \ -t "${k.type}" \ - ${if k ? bits then "-b ${toString k.bits}" else ""} \ - ${if k ? rounds then "-a ${toString k.rounds}" else ""} \ - ${if k ? comment then "-C '${k.comment}'" else ""} \ - ${if k ? openSSHFormat && k.openSSHFormat then "-o" else ""} \ + ${optionalString (k ? bits) "-b ${toString k.bits}"} \ + ${optionalString (k ? rounds) "-a ${toString k.rounds}"} \ + ${optionalString (k ? comment) "-C '${k.comment}'"} \ + ${optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \ -f "${k.path}" \ -N "" fi @@ -550,7 +550,7 @@ in '') cfg.ports} ${concatMapStrings ({ port, addr, ... }: '' - ListenAddress ${addr}${if port != null then ":" + toString port else ""} + ListenAddress ${addr}${optionalString (port != null) (":" + toString port)} '') cfg.listenAddresses} ${optionalString cfgc.setXAuthLocation '' 
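Review bot: `-C '${k.comment}'` in the @@ -474 hunk still wraps an interpolated value in literal single quotes inside the preStart shell script, so a comment containing `'` breaks the ssh-keygen command line; the commit keeps that quoting unchanged. Since the command runs through a shell, `${optionalString (k ? comment) "-C ${lib.escapeShellArg k.comment}"}` handles any comment text without manual quoting. The enclosing script starts and ends outside the hunk.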
diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 8b1398bfd47d4..e58526814d1ad 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -4,7 +4,7 @@ let inherit (builtins) toFile; inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList - mkIf mkEnableOption mkOption types literalExpression; + mkIf mkEnableOption mkOption types literalExpression optionalString; cfg = config.services.strongswan; @@ -34,8 +34,8 @@ let strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' charon { - ${if managePlugins then "load_modular = no" else ""} - ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""} + ${optionalString managePlugins "load_modular = no"} + ${optionalString managePlugins ("load = " + (concatStringsSep " " enabledPlugins))} plugins { stroke { secrets_file = ${secretsFile} diff --git a/nixos/modules/services/networking/stunnel.nix b/nixos/modules/services/networking/stunnel.nix index 4f592fb312d33..996e9b2253921 100644 --- a/nixos/modules/services/networking/stunnel.nix +++ b/nixos/modules/services/networking/stunnel.nix @@ -154,8 +154,8 @@ in environment.systemPackages = [ pkgs.stunnel ]; environment.etc."stunnel.cfg".text = '' - ${ if cfg.user != null then "setuid = ${cfg.user}" else "" } - ${ if cfg.group != null then "setgid = ${cfg.group}" else "" } + ${ optionalString (cfg.user != null) "setuid = ${cfg.user}" } + ${ optionalString (cfg.group != null) "setgid = ${cfg.group}" } debug = ${cfg.logLevel} diff --git a/nixos/modules/services/networking/xinetd.nix b/nixos/modules/services/networking/xinetd.nix index b9120f37ba247..fb3de7077e31e 100644 --- a/nixos/modules/services/networking/xinetd.nix +++ b/nixos/modules/services/networking/xinetd.nix 
@@ -27,7 +27,7 @@ let ${optionalString srv.unlisted "type = UNLISTED"} ${optionalString (srv.flags != "") "flags = ${srv.flags}"} socket_type = ${if srv.protocol == "udp" then "dgram" else "stream"} - ${if srv.port != 0 then "port = ${toString srv.port}" else ""} + ${optionalString (srv.port != 0) "port = ${toString srv.port}"} wait = ${if srv.protocol == "udp" then "yes" else "no"} user = ${srv.user} server = ${srv.server} diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index e3f8e75ca2476..12547acabfe05 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -72,15 +72,14 @@ let } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig; mapConfig = key: attr: - if attr != null && attr != [] then ( + optionalString (attr != null && attr != []) ( if isDerivation attr then mapConfig key (toString attr) else if (builtins.typeOf attr) == "set" then concatStringsSep " " (mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else if (builtins.typeOf attr) == "list" then concatMapStringsSep " " (mapConfig key) attr else if (builtins.typeOf attr) == "bool" then "--${key}=${boolToString attr}" else if (builtins.typeOf attr) == "string" then "--${key}='${attr}'" else - "--${key}=${toString attr}") - else ""; + "--${key}=${toString attr}"); configString = concatStringsSep " " (mapAttrsToList mapConfig allConfig); in diff --git a/nixos/modules/services/system/cachix-agent/default.nix b/nixos/modules/services/system/cachix-agent/default.nix index 11769d4e3095f..06494ddb631af 100644 --- a/nixos/modules/services/system/cachix-agent/default.nix +++ b/nixos/modules/services/system/cachix-agent/default.nix 
@@ -72,7 +72,7 @@ in { EnvironmentFile = cfg.credentialsFile; ExecStart = '' ${cfg.package}/bin/cachix ${lib.optionalString cfg.verbose "--verbose"} ${lib.optionalString (cfg.host != null) "--host ${cfg.host}"} \ - deploy agent ${cfg.name} ${if cfg.profile != null then cfg.profile else ""} + deploy agent ${cfg.name} ${optionalString (cfg.profile != null) cfg.profile} ''; }; }; diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix index 151fb812ddea6..5b2bd5aeeb09c 100644 --- a/nixos/modules/services/web-apps/discourse.nix +++ b/nixos/modules/services/web-apps/discourse.nix @@ -1025,8 +1025,8 @@ in services.postfix = lib.mkIf cfg.mail.incoming.enable { enable = true; - sslCert = if cfg.sslCertificate != null then cfg.sslCertificate else ""; - sslKey = if cfg.sslCertificateKey != null then cfg.sslCertificateKey else ""; + sslCert = lib.optionalString (cfg.sslCertificate != null) cfg.sslCertificate; + sslKey = lib.optionalString (cfg.sslCertificateKey != null) cfg.sslCertificateKey; origin = cfg.hostname; relayDomains = [ cfg.hostname ]; diff --git a/nixos/modules/services/web-servers/fcgiwrap.nix b/nixos/modules/services/web-servers/fcgiwrap.nix index f9c91fb35db23..3a57ef383065b 100644 --- a/nixos/modules/services/web-servers/fcgiwrap.nix +++ b/nixos/modules/services/web-servers/fcgiwrap.nix @@ -54,7 +54,7 @@ in { serviceConfig = { ExecStart = "${pkgs.fcgiwrap}/sbin/fcgiwrap -c ${builtins.toString cfg.preforkProcesses} ${ - if (cfg.socketType != "unix") then "-s ${cfg.socketType}:${cfg.socketAddress}" else "" + optionalString (cfg.socketType != "unix") "-s ${cfg.socketType}:${cfg.socketAddress}" }"; } // (if cfg.user != null && cfg.group != null then { User = cfg.user; diff --git a/nixos/modules/services/web-servers/lighttpd/default.nix b/nixos/modules/services/web-servers/lighttpd/default.nix index 811afe8e0af66..0438e12e7da82 100644 --- a/nixos/modules/services/web-servers/lighttpd/default.nix 
+++ b/nixos/modules/services/web-servers/lighttpd/default.nix @@ -64,7 +64,7 @@ let ]; maybeModuleString = moduleName: - if elem moduleName cfg.enableModules then ''"${moduleName}"'' else ""; + optionalString (elem moduleName cfg.enableModules) ''"${moduleName}"''; modulesIncludeString = concatStringsSep ",\n" (filter (x: x != "") (map maybeModuleString allKnownModules)); @@ -106,15 +106,15 @@ let static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" ) index-file.names = ( "index.html" ) - ${if cfg.mod_userdir then '' + ${optionalString cfg.mod_userdir '' userdir.path = "public_html" - '' else ""} + ''} - ${if cfg.mod_status then '' + ${optionalString cfg.mod_status '' status.status-url = "/server-status" status.statistics-url = "/server-statistics" status.config-url = "/server-config" - '' else ""} + ''} ${cfg.extraConfig} ''; diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 02b173b1e957a..7811876369b38 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -318,7 +318,7 @@ let listenString = { addr, port, ssl, extraParameters ? [], ... }: # UDP listener for QUIC transport protocol. - (if ssl && vhost.quic then " + (optionalString (ssl && vhost.quic) " listen ${addr}:${toString port} quic " + optionalString vhost.default "default_server " + optionalString vhost.reuseport "reuseport " @@ -326,7 +326,7 @@ let let inCompatibleParameters = [ "ssl" "proxy_protocol" "http2" ]; isCompatibleParameter = param: !(any (p: p == param) inCompatibleParameters); in filter isCompatibleParameter extraParameters)) - + ";" else "") + + ";") + " listen ${addr}:${toString port} " diff --git a/nixos/modules/services/web-servers/tomcat.nix b/nixos/modules/services/web-servers/tomcat.nix index d8bfee547c79a..4d2c36287be69 100644 --- a/nixos/modules/services/web-servers/tomcat.nix 
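Review bot: In the nginx @@ -318 hunk the new `(optionalString (ssl && vhost.quic) "` guards only the first string literal: function application binds tighter than `+`, so `optionalString vhost.default "default_server "`, the reuseport and extraParameters fragments, and the `+ ";"` changed in the @@ -326 hunk are now concatenated unconditionally, whereas the removed `if … then … else ""` wrapped the whole expression. For every SSL virtual host without quic the result starts with a stray `default_server `, `reuseport ` or bare `;` before the regular `listen` line, which nginx rejects at config check. Wrap the entire QUIC fragment in parentheses: `(optionalString (ssl && vhost.quic) ("` in the first hunk and `+ ";"))` in the second. `listenString` continues outside both hunks.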
+++ b/nixos/modules/services/web-servers/tomcat.nix @@ -234,11 +234,11 @@ in ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` done - ${if cfg.extraConfigFiles != [] then '' + ${optionalString (cfg.extraConfigFiles != []) '' for i in ${toString cfg.extraConfigFiles}; do ln -sfn $i ${cfg.baseDir}/conf/`basename $i` done - '' else ""} + ''} # Create a modified catalina.properties file # Change all references from CATALINA_HOME to CATALINA_BASE and add support for shared libraries @@ -345,7 +345,7 @@ in # Symlink all the given web applications files or paths into the webapps/ directory # of this virtual host - for i in "${if virtualHost ? webapps then toString virtualHost.webapps else ""}"; do + for i in "${optionalString (virtualHost ? webapps) (toString virtualHost.webapps)}"; do if [ -f $i ]; then # If the given web application is a file, symlink it into the webapps/ directory ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i` diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 121d7e88e74de..5c0a07fb51272 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -33,7 +33,7 @@ let then realGrub.override { efiSupport = cfg.efiSupport; } else null; - f = x: if x == null then "" else "" + x; + f = x: optionalString (x != null) ("" + x); grubConfig = args: let @@ -52,7 +52,7 @@ let fullName = lib.getName realGrub; fullVersion = lib.getVersion realGrub; grubEfi = f grubEfi; - grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else ""; + grubTargetEfi = optionalString (cfg.efiSupport && (cfg.version == 2)) (f (grubEfi.grubTarget or "")); bootPath = args.path; storePath = config.boot.loader.grub.storePath; bootloaderId = if args.efiBootloaderId == null then "${config.system.nixos.distroName}${efiSysMountPoint'}" else args.efiBootloaderId; 
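Review bot: In the tomcat @@ -345 hunk `for i in "${optionalString (virtualHost ? webapps) (toString virtualHost.webapps)}"; do` keeps double quotes around the whole expansion, so if `webapps` holds more than one path, `toString` joins them with spaces and the loop body sees a single space-separated word; `[ -f $i ]` then fails for all of them. If the option is a list of store paths (which cannot contain whitespace), dropping the quotes — `for i in ${optionalString (virtualHost ? webapps) (toString virtualHost.webapps)}; do` — lets the shell split them and also skips the loop entirely when the string is empty. The loop body continues outside the hunk.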
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index 757dc080d4b61..8a3e89e5888bc 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -20,7 +20,7 @@ let nix = config.nix.package.out; - timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else ""; + timeout = optionalString (config.boot.loader.timeout != null) config.boot.loader.timeout; editor = if cfg.editor then "True" else "False"; @@ -32,9 +32,9 @@ let inherit (config.system.nixos) distroName; - memtest86 = if cfg.memtest86.enable then pkgs.memtest86-efi else ""; + memtest86 = optionalString cfg.memtest86.enable pkgs.memtest86-efi; - netbootxyz = if cfg.netbootxyz.enable then pkgs.netbootxyz-efi else ""; + netbootxyz = optionalString cfg.netbootxyz.enable pkgs.netbootxyz-efi; copyExtraFiles = pkgs.writeShellScript "copy-extra-files" '' empty_file=$(${pkgs.coreutils}/bin/mktemp) diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 8954c90812f92..b8f36538e70fe 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -1024,13 +1024,12 @@ in copy_bin_and_libs ${pkgs.gnupg}/libexec/scdaemon ${concatMapStringsSep "\n" (x: - if x.gpgCard != null then + optionalString (x.gpgCard != null) '' mkdir -p $out/secrets/gpg-keys/${x.device} cp -a ${x.gpgCard.encryptedPass} $out/secrets/gpg-keys/${x.device}/cryptkey.gpg cp -a ${x.gpgCard.publicKey} $out/secrets/gpg-keys/${x.device}/pubkey.asc '' - else "" ) (attrValues luks.devices) } ''} diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix index 822f1593474eb..326862f836a5c 100644 --- a/nixos/modules/tasks/filesystems.nix +++ b/nixos/modules/tasks/filesystems.nix 
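Review bot: In the systemd-boot @@ -20 and @@ -32 hunks `optionalString` is applied to non-string values: `config.boot.loader.timeout` is an integer and `pkgs.memtest86-efi` / `pkgs.netbootxyz-efi` are derivations. This only works because `lib.optionalString` returns its second argument unchanged rather than coercing it, an implementation detail a reader will not expect from a helper with that name. If these bindings feed a `substituteAll`-style template (defined outside the hunks), `optionalString cond (toString value)` — or keeping the explicit `if … then … else ""` for these three — makes the string conversion intentional and readable.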
@@ -319,7 +319,7 @@ in message = let fs = head (filter notAutoResizable fileSystems); in - "Mountpoint '${fs.mountPoint}': 'autoResize = true' is not supported for 'fsType = \"${fs.fsType}\"':${if fs.fsType == "auto" then " fsType has to be explicitly set and" else ""} only the ext filesystems and f2fs support it."; + "Mountpoint '${fs.mountPoint}': 'autoResize = true' is not supported for 'fsType = \"${fs.fsType}\"':${optionalString (fs.fsType == "auto") " fsType has to be explicitly set and"} only the ext filesystems and f2fs support it."; } ]; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index 669981da59740..d54e2ed3f3ae1 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -170,11 +170,11 @@ let --setenv HOST_PORT="$HOST_PORT" \ --setenv PATH="$PATH" \ ${optionalString cfg.ephemeral "--ephemeral"} \ - ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then - ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' else "" + ${optionalString (cfg.additionalCapabilities != null && cfg.additionalCapabilities != []) + ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"'' } \ - ${if cfg.tmpfs != null && cfg.tmpfs != [] then - ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else "" + ${optionalString (cfg.tmpfs != null && cfg.tmpfs != []) + ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' } \ ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init" ''; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index a55a21a46a538..154fdd2e01bea 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix 
@@ -214,11 +214,11 @@ let mkdir $out diskImage=$out/disk.img ${qemu}/bin/qemu-img create -f qcow2 $diskImage "120M" - ${if cfg.useEFIBoot then '' + ${lib.optionalString cfg.useEFIBoot '' efiVars=$out/efi-vars.fd cp ${cfg.efi.variables} $efiVars chmod 0644 $efiVars - '' else ""} + ''} ''; buildInputs = [ pkgs.util-linux ]; QEMU_OPTS = "-nographic -serial stdio -monitor none" -- cgit 1.4.1 From f8d5d6cd02fb4ba53d1aaef097d89ab13028b400 Mon Sep 17 00:00:00 2001 From: ThinkChaos Date: Tue, 13 Dec 2022 12:08:47 -0500 Subject: nixos/gitea: disable `createDatabase` assert when using sqlite Assert doesn't make sense in that case since `database.user` isn't used. --- nixos/modules/services/misc/gitea.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index e019e431a1890..c2fc680d367fc 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -359,7 +359,7 @@ in config = mkIf cfg.enable { assertions = [ - { assertion = cfg.database.createDatabase -> cfg.database.user == cfg.user; + { assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user; message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned"; } ]; -- cgit 1.4.1 From 184131f50dc568f971174b8a5d5033c363115c45 Mon Sep 17 00:00:00 2001 From: ThinkChaos Date: Tue, 13 Dec 2022 12:11:37 -0500 Subject: nixos/gitea: make service group configurable --- nixos/modules/services/misc/gitea.nix | 60 ++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 26 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index c2fc680d367fc..86a9b21b008e0 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix 
@@ -66,6 +66,12 @@ in description = lib.mdDoc "User account under which gitea runs."; }; + group = mkOption { + type = types.str; + default = "gitea"; + description = lib.mdDoc "Group under which gitea runs."; + }; + database = { type = mkOption { type = types.enum [ "sqlite3" "mysql" "postgres" ]; 
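Review bot: The new `group` option accepts any name, but the `users.groups = mkIf (cfg.group == "gitea") { gitea = {}; }` change in the `@@ -614,12 +620,14` hunk of this commit means a non-default group is never created by the module, while the service `Group`, the user account's `group` and every tmpfiles `d`/`z`/`Z` rule reference it. Nothing in the option text says so; I would extend it to `description = lib.mdDoc "Group under which gitea runs. When set to something other than the default, the group must be created elsewhere in the configuration.";`.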
@@ -457,29 +463,29 @@ in }; systemd.tmpfiles.rules = [ - "d '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -" - "z '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -" - "Z '${cfg.dump.backupDir}' - ${cfg.user} gitea - -" - "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -" - "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -" - "Z '${cfg.lfs.contentDir}' - ${cfg.user} gitea - -" - "d '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -" - "z '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -" - "Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -" - "d '${cfg.stateDir}' 0750 ${cfg.user} gitea - -" - "d '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -" - "d '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -" - "d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -" - "d '${cfg.stateDir}/data' 0750 ${cfg.user} gitea - -" - "d '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -" - "z '${cfg.stateDir}' 0750 ${cfg.user} gitea - -" - "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} gitea - -" - "z '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -" - "z '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -" - "z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -" - "z '${cfg.stateDir}/data' 0750 ${cfg.user} gitea - -" - "z '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -" - "Z '${cfg.stateDir}' - ${cfg.user} gitea - -" + "d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" + "Z '${cfg.dump.backupDir}' - ${cfg.user} ${cfg.group} - -" + "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" + "Z '${cfg.lfs.contentDir}' - ${cfg.user} ${cfg.group} - -" + "d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" + "Z '${cfg.repositoryRoot}' - ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}/conf' 0750 
${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}/custom' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} ${cfg.group} - -" + "z '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.stateDir}/custom' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" + "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" # If we have a folder or symlink with gitea locales, remove it # And symlink the current gitea locales in place @@ -565,7 +571,7 @@ in serviceConfig = { Type = "simple"; User = cfg.user; - Group = "gitea"; + Group = cfg.group; WorkingDirectory = cfg.stateDir; ExecStart = "${exe} web --pid /run/gitea/gitea.pid"; Restart = "always"; @@ -614,12 +620,14 @@ in description = "Gitea Service"; home = cfg.stateDir; useDefaultShell = true; - group = "gitea"; + group = cfg.group; isSystemUser = true; }; }; - users.groups.gitea = {}; + users.groups = mkIf (cfg.group == "gitea") { + gitea = {}; + }; warnings = optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++ -- cgit 1.4.1 From f7b9a1c561e9c03bad210b9d98dc576a47d1e029 Mon Sep 17 00:00:00 2001 From: ThinkChaos Date: Mon, 27 Feb 2023 12:58:29 -0500 Subject: nixos/gitea: disable LFS related code when it is not configured --- nixos/modules/services/misc/gitea.nix | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'nixos') 
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 86a9b21b008e0..3679faf9ab914 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -399,7 +399,6 @@ in { DOMAIN = cfg.domain; STATIC_ROOT_PATH = toString cfg.staticRootPath; - LFS_JWT_SECRET = "#lfsjwtsecret#"; ROOT_URL = cfg.rootUrl; } (mkIf cfg.enableUnixSocket { @@ -412,8 +411,8 @@ in }) (mkIf cfg.lfs.enable { LFS_START_SERVER = true; + LFS_JWT_SECRET = "#lfsjwtsecret#"; }) - ]; session = { @@ -434,7 +433,7 @@ in JWT_SECRET = "#oauth2jwtsecret#"; }; - lfs = mkIf (cfg.lfs.enable) { + lfs = mkIf cfg.lfs.enable { PATH = cfg.lfs.contentDir; }; }; @@ -466,9 +465,6 @@ in "d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" "Z '${cfg.dump.backupDir}' - ${cfg.user} ${cfg.group} - -" - "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" - "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" - "Z '${cfg.lfs.contentDir}' - ${cfg.user} ${cfg.group} - -" "d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" "Z '${cfg.repositoryRoot}' - ${cfg.user} ${cfg.group} - -" @@ -490,6 +486,11 @@ in # If we have a folder or symlink with gitea locales, remove it # And symlink the current gitea locales in place "L+ '${cfg.stateDir}/conf/locale' - - - - ${cfg.package.out}/locale" + + ] ++ lib.optionals cfg.lfs.enable [ + "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" + "Z '${cfg.lfs.contentDir}' - ${cfg.user} ${cfg.group} - -" ]; systemd.services.gitea = { 
@@ -532,9 +533,11 @@ in ${exe} generate secret JWT_SECRET > ${oauth2JwtSecret} fi + ${lib.optionalString cfg.lfs.enable '' if [ ! -s ${lfsJwtSecret} ]; then ${exe} generate secret LFS_JWT_SECRET > ${lfsJwtSecret} fi + ''} if [ ! -s ${internalToken} ]; then ${exe} generate secret INTERNAL_TOKEN > ${internalToken} @@ -544,9 +547,12 @@ in ${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}' ${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}' ${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}' - ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}' ${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}' + ${lib.optionalString cfg.lfs.enable '' + ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'" + ''} + ${lib.optionalString (cfg.mailerPasswordFile != null) '' ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}' ''} -- cgit 1.4.1 From eba0db3c1cee4a04e6e39711f42a0788f90c5e75 Mon Sep 17 00:00:00 2001 From: ThinkChaos Date: Tue, 13 Dec 2022 12:53:31 -0500 Subject: nixos/gitea: add `customDir` option Use case is storing secrets in a non persistent directory as I manage them separately from this module. --- nixos/modules/services/misc/gitea.nix | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 3679faf9ab914..086096631a40a 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix 
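Review bot: The added line in the second hunk, `${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'"`, ends with a stray double quote that is not part of the Nix string delimiter, so with `cfg.lfs.enable = true` the generated preStart script contains an unbalanced `"`, which either folds the following commands (the mailer-password replacement at least) into a quoted string or fails the script with an unterminated-quote error. The line should read `${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'`. Because the line sits inside `lib.optionalString cfg.lfs.enable`, the default LFS-disabled configuration never exercises it, so a test that enables LFS would have caught this. The body of gitea_setup starts and ends outside the hunk.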
@@ -57,7 +57,14 @@ in stateDir = mkOption { default = "/var/lib/gitea"; type = types.str; - description = lib.mdDoc "gitea data directory."; + description = lib.mdDoc "Gitea data directory."; + }; + + customDir = mkOption { + default = "${cfg.stateDir}/custom"; + defaultText = literalExpression ''"''${config.${opt.stateDir}}/custom"''; + type = types.str; + description = lib.mdDoc "Gitea custom directory. Used for config, custom templates and other options."; }; user = mkOption { @@ -470,15 +477,15 @@ in "Z '${cfg.repositoryRoot}' - ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" - "d '${cfg.stateDir}/custom' 0750 ${cfg.user} ${cfg.group} - -" - "d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" - "z '${cfg.stateDir}/custom' 0750 ${cfg.user} ${cfg.group} - -" - "z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -" + "z '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" 
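Review bot: The `customDir` description in the first hunk does not say that this directory now receives the generated secrets, although the next hunk of this commit moves `secret_key`, both JWT secret files and `internal_token` to `${cfg.customDir}/conf`, and the commit message explicitly targets a non-persistent directory. I would state that in the option text, e.g. `description = lib.mdDoc "Gitea custom directory. Used for config, custom templates and other options. Generated secrets (secret_key, the JWT secrets and internal_token) are stored under `<customDir>/conf`; if the directory is not persistent they are regenerated on every start, which invalidates tokens signed with the previous values.";`. Whether anything else keyed on `secret_key` survives a regeneration is not visible here and worth confirming before recommending a volatile directory.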
@@ -507,12 +514,12 @@ in # lfs_jwt_secret. # We have to consider this to stay compatible with older installations. preStart = let - runConfig = "${cfg.stateDir}/custom/conf/app.ini"; - secretKey = "${cfg.stateDir}/custom/conf/secret_key"; - oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret"; - oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET - lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET - internalToken = "${cfg.stateDir}/custom/conf/internal_token"; + runConfig = "${cfg.customDir}/conf/app.ini"; + secretKey = "${cfg.customDir}/conf/secret_key"; + oauth2JwtSecret = "${cfg.customDir}/conf/oauth2_jwt_secret"; + oldLfsJwtSecret = "${cfg.customDir}/conf/jwt_secret"; # old file for LFS_JWT_SECRET + lfsJwtSecret = "${cfg.customDir}/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET + internalToken = "${cfg.customDir}/conf/internal_token"; replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; in '' # copy custom configuration and generate a random secret key if needed @@ -585,7 +592,7 @@ in RuntimeDirectory = "gitea"; RuntimeDirectoryMode = "0755"; # Access write directories - ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ]; + ReadWritePaths = [ cfg.customDir cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ]; UMask = "0027"; # Capabilities CapabilityBoundingSet = ""; @@ -618,6 +625,7 @@ in USER = cfg.user; HOME = cfg.stateDir; GITEA_WORK_DIR = cfg.stateDir; + GITEA_CUSTOM = cfg.customDir; }; }; -- cgit 1.4.1 From 2901c2f94e3b0688209000862a925162cb77b070 Mon Sep 17 00:00:00 2001 From: ThinkChaos Date: Tue, 13 Dec 2022 12:56:04 -0500 Subject: nixos/gitea: quote paths in preStart script --- nixos/modules/services/misc/gitea.nix | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'nixos') 
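Review bot: `ReadWritePaths` in the second hunk keeps `cfg.lfs.contentDir` unconditionally, while the earlier LFS commit in this series gates the tmpfiles rules for that directory on `cfg.lfs.enable`; with LFS disabled the service is still granted write access to a directory it does not use. Since the line is being edited anyway, `ReadWritePaths = [ cfg.customDir cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ] ++ lib.optional cfg.lfs.enable cfg.lfs.contentDir;` keeps the sandbox to what is needed. Whether `cfg.lfs.contentDir` defaults to a path under `cfg.stateDir` (which would make the extra entry redundant rather than harmful) is not visible here.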
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 086096631a40a..fea264e0f97b2 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -525,29 +525,29 @@ in # copy custom configuration and generate a random secret key if needed ${optionalString (!cfg.useWizard) '' function gitea_setup { - cp -f ${configFile} ${runConfig} + cp -f '${configFile}' '${runConfig}' - if [ ! -s ${secretKey} ]; then - ${exe} generate secret SECRET_KEY > ${secretKey} + if [ ! -s '${secretKey}' ]; then + ${exe} generate secret SECRET_KEY > '${secretKey}' fi # Migrate LFS_JWT_SECRET filename - if [[ -s ${oldLfsJwtSecret} && ! -s ${lfsJwtSecret} ]]; then - mv ${oldLfsJwtSecret} ${lfsJwtSecret} + if [[ -s '${oldLfsJwtSecret}' && ! -s '${lfsJwtSecret}' ]]; then + mv '${oldLfsJwtSecret}' '${lfsJwtSecret}' fi - if [ ! -s ${oauth2JwtSecret} ]; then - ${exe} generate secret JWT_SECRET > ${oauth2JwtSecret} + if [ ! -s '${oauth2JwtSecret}' ]; then + ${exe} generate secret JWT_SECRET > '${oauth2JwtSecret}' fi ${lib.optionalString cfg.lfs.enable '' - if [ ! -s ${lfsJwtSecret} ]; then - ${exe} generate secret LFS_JWT_SECRET > ${lfsJwtSecret} + if [ ! -s '${lfsJwtSecret}' ]; then + ${exe} generate secret LFS_JWT_SECRET > '${lfsJwtSecret}' fi ''} - if [ ! -s ${internalToken} ]; then - ${exe} generate secret INTERNAL_TOKEN > ${internalToken} + if [ ! -s '${internalToken}' ]; then + ${exe} generate secret INTERNAL_TOKEN > '${internalToken}' fi chmod u+w '${runConfig}' -- cgit 1.4.1 From 70cf02924e65c8c9c9faa55a240ef40b66ecf7ef Mon Sep 17 00:00:00 2001 
From: ThinkChaos Date: Tue, 13 Dec 2022 12:58:10 -0500 Subject: nixos/gitea: convert more simple settings to freeform Also update `settings.server.PROTOCOL` to use non deprecated values. --- nixos/doc/manual/release-notes/rl-2305.section.md | 2 + nixos/modules/services/misc/gitea.nix | 114 +++++++++++----------- 2 files changed, 57 insertions(+), 59 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 73690ee3bb69f..c5c818049d5d6 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -419,6 +419,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `k3s` can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store. +- `gitea` module options have been changed to be RFC042 conforming (i.e. some options were moved to be located under `services.gitea.settings`) + - `boot.initrd.luks.device.` has a new `tryEmptyPassphrase` option, this is useful for OEM's who need to install an encrypted disk with a future settable passphrase - Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release. diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index fea264e0f97b2..a5d7a73dd06aa 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix 
@@ -26,9 +26,18 @@ in imports = [ (mkRenamedOptionModule [ "services" "gitea" "cookieSecure" ] [ "services" "gitea" "settings" "session" "COOKIE_SECURE" ]) (mkRenamedOptionModule [ "services" "gitea" "disableRegistration" ] [ "services" "gitea" "settings" "service" "DISABLE_REGISTRATION" ]) + (mkRenamedOptionModule [ "services" "gitea" "domain" ] [ "services" "gitea" "settings" "server" "DOMAIN" ]) + (mkRenamedOptionModule [ "services" "gitea" "httpAddress" ] [ "services" "gitea" "settings" "server" "HTTP_ADDR" ]) + (mkRenamedOptionModule [ "services" "gitea" "httpPort" ] [ "services" "gitea" "settings" "server" "HTTP_PORT" ]) (mkRenamedOptionModule [ "services" "gitea" "log" "level" ] [ "services" "gitea" "settings" "log" "LEVEL" ]) (mkRenamedOptionModule [ "services" "gitea" "log" "rootPath" ] [ "services" "gitea" "settings" "log" "ROOT_PATH" ]) + (mkRenamedOptionModule [ "services" "gitea" "rootUrl" ] [ "services" "gitea" "settings" "server" "ROOT_URL" ]) (mkRenamedOptionModule [ "services" "gitea" "ssh" "clonePort" ] [ "services" "gitea" "settings" "server" "SSH_PORT" ]) + (mkRenamedOptionModule [ "services" "gitea" "staticRootPath" ] [ "services" "gitea" "settings" "server" "STATIC_ROOT_PATH" ]) + + (mkChangedOptionModule [ "services" "gitea" "enableUnixSocket" ] [ "services" "gitea" "settings" "server" "PROTOCOL" ] ( + config: if config.services.gitea.enableUnixSocket then "http+unix" else "http" + )) (mkRemovedOptionModule [ "services" "gitea" "ssh" "enable" ] "services.gitea.ssh.enable has been migrated into freeform setting services.gitea.settings.server.DISABLE_SSH. Keep in mind that the setting is inverted") ]; 
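Review bot: Renaming `httpAddress` to `settings.server.HTTP_ADDR` together with the `enableUnixSocket` → `PROTOCOL` conversion changes precedence for configurations that set both: the removed `mkIf cfg.enableUnixSocket { PROTOCOL = "http+unix"; HTTP_ADDR = "/run/gitea/gitea.sock"; }` block in the `@@ -402,25 +413,10` hunk used to override `httpAddress`, whereas after migration the user's `HTTP_ADDR` value wins over the `+unix`-aware default in the `@@ -316,6 +287,46` hunk, leaving Gitea with a `+unix` protocol and an IP address. An assertion such as `{ assertion = lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL -> lib.hasPrefix "/" (toString cfg.settings.server.HTTP_ADDR); message = "services.gitea.settings.server.HTTP_ADDR must be a socket path when PROTOCOL ends in +unix"; }` would turn that into an evaluation-time error, and the release note could mention the changed precedence.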
@@ -229,44 +238,6 @@ in description = lib.mdDoc "Path to the git repositories."; }; - domain = mkOption { - type = types.str; - default = "localhost"; - description = lib.mdDoc "Domain name of your server."; - }; - - rootUrl = mkOption { - type = types.str; - default = "http://localhost:3000/"; - description = lib.mdDoc "Full public URL of gitea server."; - }; - - httpAddress = mkOption { - type = types.str; - default = "0.0.0.0"; - description = lib.mdDoc "HTTP listen address."; - }; - - httpPort = mkOption { - type = types.port; - default = 3000; - description = lib.mdDoc "HTTP listen port."; - }; - - enableUnixSocket = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Configure Gitea to listen on a unix socket instead of the default TCP port."; - }; - - staticRootPath = mkOption { - type = types.either types.str types.path; - default = cfg.package.data; - defaultText = literalExpression "package.data"; - example = "/var/lib/gitea/data"; - description = lib.mdDoc "Upper level of template and static files path."; - }; - mailerPasswordFile = mkOption { type = types.nullOr types.str; default = null; @@ -298,7 +269,7 @@ in }; } ''; - type = with types; submodule { + type = types.submodule { freeformType = format.type; options = { log = { 
@@ -316,6 +287,46 @@ in }; server = { + PROTOCOL = mkOption { + type = types.enum [ "http" "https" "fcgi" "http+unix" "fcgi+unix" ]; + default = "http"; + description = lib.mdDoc ''Listen protocol. `+unix` means "over unix", not "in addition to."''; + }; + + HTTP_ADDR = mkOption { + type = types.either types.str types.path; + default = if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"; + defaultText = literalExpression ''if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"''; + description = lib.mdDoc "Listen address. Must be a path when using a unix socket."; + }; + + HTTP_PORT = mkOption { + type = types.port; + default = 3000; + description = lib.mdDoc "Listen port. Ignored when using a unix socket."; + }; + + DOMAIN = mkOption { + type = types.str; + default = "localhost"; + description = lib.mdDoc "Domain name of your server."; + }; + + ROOT_URL = mkOption { + type = types.str; + default = "http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}/"; + defaultText = literalExpression ''"http://''${config.services.gitea.settings.server.DOMAIN}:''${toString config.services.gitea.settings.server.HTTP_PORT}/"''; + description = lib.mdDoc "Full public URL of gitea server."; + }; + + STATIC_ROOT_PATH = mkOption { + type = types.either types.str types.path; + default = cfg.package.data; + defaultText = literalExpression "config.${opt.package}.data"; + example = "/var/lib/gitea/data"; + description = lib.mdDoc "Upper level of template and static files path."; + }; + DISABLE_SSH = mkOption { type = types.bool; default = false; 
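Review bot: The `ROOT_URL` default hard-codes the scheme and port, `default = "http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}/";`, although `PROTOCOL` in the same hunk admits `https` and the `+unix` variants for which `HTTP_PORT` is documented as ignored, so a deployment with `PROTOCOL = "https"` advertises plain-http links unless it also sets `ROOT_URL`. Deriving the scheme, `default = "${if cfg.settings.server.PROTOCOL == "https" then "https" else "http"}://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}/";` with `defaultText` updated to match, or at least a sentence in the description saying the default assumes plain HTTP on `HTTP_PORT`, would make the behaviour explicit.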
@@ -402,25 +413,10 @@ in ROOT = cfg.repositoryRoot; }; - server = mkMerge [ - { - DOMAIN = cfg.domain; - STATIC_ROOT_PATH = toString cfg.staticRootPath; - ROOT_URL = cfg.rootUrl; - } - (mkIf cfg.enableUnixSocket { - PROTOCOL = "http+unix"; - HTTP_ADDR = "/run/gitea/gitea.sock"; - }) - (mkIf (!cfg.enableUnixSocket) { - HTTP_ADDR = cfg.httpAddress; - HTTP_PORT = cfg.httpPort; - }) - (mkIf cfg.lfs.enable { - LFS_START_SERVER = true; - LFS_JWT_SECRET = "#lfsjwtsecret#"; - }) - ]; + server = mkIf cfg.lfs.enable { + LFS_START_SERVER = true; + LFS_JWT_SECRET = "#lfsjwtsecret#"; + }; session = { COOKIE_NAME = lib.mkDefault "session"; @@ -522,7 +518,7 @@ in internalToken = "${cfg.customDir}/conf/internal_token"; replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; in '' - # copy custom configuration and generate a random secret key if needed + # copy custom configuration and generate random secrets if needed ${optionalString (!cfg.useWizard) '' function gitea_setup { cp -f '${configFile}' '${runConfig}' -- cgit 1.4.1 From 066166cf496e5d5b2b4ea681d2d43246c995b7ef Mon Sep 17 00:00:00 2001 From: datafoo <34766150+datafoo@users.noreply.github.com> Date: Wed, 19 Apr 2023 14:11:40 +0200 Subject: nixos/fail2ban: add extraSettings option --- nixos/modules/services/security/fail2ban.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index 1962d3f59c9f5..93962d40ce4b4 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix 
@@ -209,6 +209,20 @@ in ''; }; + extraSettings = mkOption { + type = with types; attrsOf (oneOf [ bool ints.positive str ]); + default = {}; + description = lib.mdDoc '' + Extra default configuration for all jails (i.e. `[DEFAULT]`). See + for an overview. + ''; + example = literalExpression '' + { + findtime = "15m"; + } + ''; + }; + jails = mkOption { default = { }; example = literalExpression '' @@ -335,6 +349,10 @@ in # Actions banaction = ${cfg.banaction} banaction_allports = ${cfg.banaction-allports} + ${optionalString (cfg.extraSettings != {}) '' + # Extra settings + ${generators.toKeyValue {} cfg.extraSettings} + ''} ''; # Block SSH if there are too many failing connection attempts. # Benefits from verbose sshd logging to observe failed login attempts, -- cgit 1.4.1
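Review bot: The `[DEFAULT]` block in the second hunk appends `extraSettings` after the keys the module already writes (`banaction`, `banaction_allports` and presumably the ones above the hunk), so a key given both through its dedicated option and through `extraSettings` appears twice in the section; whether fail2ban's parser rejects the duplicate or lets the later value win is not visible here, and either outcome is surprising. A sentence in the option description stating that precedence, or an assertion that `cfg.extraSettings` contains none of the module-managed keys, would make it explicit. Separately, the description reads `See` followed by `for an overview.` with nothing in between; the reference that belongs there appears to have been lost (possibly in rendering) and is worth confirming in the source.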