author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-09-24 18:00:54 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-24 18:00:54 +0000 |
commit | 03a82ba5d495090ac4e4a73ba67e6c60538349fc (patch) | |
tree | 3adfc077af243c67d01abd14f450aa9c69a714a6 /nixos | |
parent | b6d5fc29bcdc28e8685141815a20ca95ea6189d8 (diff) | |
parent | 05698bba1eba1497c045b8463ec6ef4630582343 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/mtr-exporter.nix | 111 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 21 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/garage.nix | 9 | ||||
-rw-r--r-- | nixos/tests/openssh.nix | 33 |
5 files changed, 141 insertions, 35 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index efb0f17873ea..c128f004ee81 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -229,6 +229,8 @@ - `rome` was removed because it is no longer maintained and is succeeded by `biome`. +- The `services.mtr-exporter.target` has been removed in favor of `services.mtr-exporter.jobs` which allows specifying multiple targets. + ## Other Notable Changes {#sec-release-23.11-notable-changes} - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration. diff --git a/nixos/modules/services/networking/mtr-exporter.nix b/nixos/modules/services/networking/mtr-exporter.nix index 43ebbbe96d05..af694c3e736b 100644 --- a/nixos/modules/services/networking/mtr-exporter.nix +++ b/nixos/modules/services/networking/mtr-exporter.nix 
@@ -2,63 +2,114 @@ let inherit (lib) - maintainers types mkEnableOption mkOption mkIf - literalExpression escapeShellArg escapeShellArgs; + maintainers types literalExpression + escapeShellArg escapeShellArgs + mkEnableOption mkOption mkRemovedOptionModule mkIf mdDoc + optionalString concatMapStrings concatStringsSep; + cfg = config.services.mtr-exporter; + + jobsConfig = pkgs.writeText "mtr-exporter.conf" (concatMapStrings (job: '' + ${job.name} -- ${job.schedule} -- ${concatStringsSep " " job.flags} ${job.address} + '') cfg.jobs); in { + imports = [ + (mkRemovedOptionModule [ "services" "mtr-exporter" "target" ] "Use services.mtr-exporter.jobs instead.") + (mkRemovedOptionModule [ "services" "mtr-exporter" "mtrFlags" ] "Use services.mtr-exporter.jobs.<job>.flags instead.") + ]; + options = { services = { mtr-exporter = { - enable = mkEnableOption (lib.mdDoc "a Prometheus exporter for MTR"); + enable = mkEnableOption (mdDoc "a Prometheus exporter for MTR"); - target = mkOption { + address = mkOption { type = types.str; - example = "example.org"; - description = lib.mdDoc "Target to check using MTR."; - }; - - interval = mkOption { - type = types.int; - default = 60; - description = lib.mdDoc "Interval between MTR checks in seconds."; + default = "127.0.0.1"; + description = lib.mdDoc "Listen address for MTR exporter."; }; port = mkOption { type = types.port; default = 8080; - description = lib.mdDoc "Listen port for MTR exporter."; + description = mdDoc "Listen port for MTR exporter."; }; - address = mkOption { - type = types.str; - default = "127.0.0.1"; - description = lib.mdDoc "Listen address for MTR exporter."; + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + example = ["-flag.deprecatedMetrics"]; + description = mdDoc '' + Extra command line options to pass to MTR exporter. 
+ ''; }; - mtrFlags = mkOption { - type = with types; listOf str; - default = []; - example = ["-G1"]; - description = lib.mdDoc "Additional flags to pass to MTR."; + package = mkOption { + type = types.package; + default = pkgs.mtr-exporter; + defaultText = literalExpression "pkgs.mtr-exporter"; + description = mdDoc "The MTR exporter package to use."; + }; + + mtrPackage = mkOption { + type = types.package; + default = pkgs.mtr; + defaultText = literalExpression "pkgs.mtr"; + description = mdDoc "The MTR package to use."; + }; + + jobs = mkOption { + description = mdDoc "List of MTR jobs. Will be added to /etc/mtr-exporter.conf"; + type = types.nonEmptyListOf (types.submodule { + options = { + name = mkOption { + type = types.str; + description = mdDoc "Name of ICMP pinging job."; + }; + + address = mkOption { + type = types.str; + example = "host.example.org:1234"; + description = mdDoc "Target address for MTR client."; + }; + + schedule = mkOption { + type = types.str; + default = "@every 60s"; + example = "@hourly"; + description = mdDoc "Schedule of MTR checks. 
Also accepts Cron format."; + }; + + flags = mkOption { + type = with types; listOf str; + default = []; + example = ["-G1"]; + description = mdDoc "Additional flags to pass to MTR."; + }; + }; + }); }; }; }; }; config = mkIf cfg.enable { + environment.etc."mtr-exporter.conf" = { + source = jobsConfig; + }; + systemd.services.mtr-exporter = { - script = '' - exec ${pkgs.mtr-exporter}/bin/mtr-exporter \ - -mtr ${pkgs.mtr}/bin/mtr \ - -schedule '@every ${toString cfg.interval}s' \ - -bind ${escapeShellArg cfg.address}:${toString cfg.port} \ - -- \ - ${escapeShellArgs (cfg.mtrFlags ++ [ cfg.target ])} - ''; wantedBy = [ "multi-user.target" ]; requires = [ "network.target" ]; after = [ "network.target" ]; serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/mtr-exporter \ + -mtr '${cfg.mtrPackage}/bin/mtr' \ + -bind ${escapeShellArg "${cfg.address}:${toString cfg.port}"} \ + -jobs '${jobsConfig}' \ + ${escapeShellArgs cfg.extraFlags} + ''; Restart = "on-failure"; # Hardening CapabilityBoundingSet = [ "" ]; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 702423ef09cd..bf2f5230c738 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -27,13 +27,11 @@ let mkValueString = mkValueStringSshd; } " ";}); - configFile = settingsFormat.generate "config" cfg.settings; - sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } '' + configFile = settingsFormat.generate "sshd.conf-settings" cfg.settings; + sshconf = pkgs.runCommand "sshd.conf-final" { } '' cat ${configFile} - >$out <<EOL ${cfg.extraConfig} EOL - - sshd -G -f $out ''; cfg = config.services.openssh; 
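Review bot: The service never reads /etc/mtr-exporter.conf: `ExecStart` passes `-jobs '${jobsConfig}'`, the store path, so the new `environment.etc."mtr-exporter.conf"` entry and the `jobs` description ("Will be added to /etc/mtr-exporter.conf") present a file an operator could edit with no effect. Either point the daemon at it, `-jobs /etc/mtr-exporter.conf` plus `restartTriggers = [ jobsConfig ];`, or drop the etc entry and reword the description to say the jobs file lives in the store. The config lines in `jobsConfig` are built by plain interpolation of `job.name`, `job.schedule` and `job.flags` around the ` -- ` separators, so a value containing ` -- ` or a newline would presumably be read as extra fields or extra jobs; a cheap assertion rejecting those characters would make the failure mode explicit. Also `-mtr '${cfg.mtrPackage}/bin/mtr'` points at the unprivileged store binary while the unit keeps `CapabilityBoundingSet = [ "" ]`; unless the serviceConfig lines beyond this hunk grant CAP_NET_RAW or mtr is expected to find a setcap mtr-packet wrapper, the probes will fail, and the new `mtrPackage` option invites users to substitute builds that never had a wrapper — worth confirming and documenting in the option description. The serviceConfig block continues past the end of this hunk.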
@@ -576,6 +574,21 @@ in '')} ''; + system.checks = [ + (pkgs.runCommand "check-sshd-config" + { + nativeBuildInputs = [ validationPackage ]; + } '' + ${concatMapStringsSep "\n" + (lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null") + cfg.ports} + ${concatMapStringsSep "\n" + (la: "sshd -G -T -C laddr=${la.addr},lport=${toString la.port} -f ${sshconf} > /dev/null") + cfg.listenAddresses} + touch $out + '') + ]; + assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true; message = "cannot enable X11 forwarding without setting xauth location";} (let diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix index 8b5734b5a2ce..80fb24fe2c5e 100644 --- a/nixos/modules/services/web-servers/garage.nix +++ b/nixos/modules/services/web-servers/garage.nix @@ -23,6 +23,12 @@ in example = { RUST_BACKTRACE="yes"; }; }; + environmentFile = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc "File containing environment variables to be passed to the Garage server."; + default = null; + }; + logLevel = mkOption { type = types.enum (["info" "debug" "trace"]); default = "info"; @@ -80,7 +86,7 @@ in after = [ "network.target" "network-online.target" ]; wants = [ "network.target" "network-online.target" ]; wantedBy = [ "multi-user.target" ]; - restartTriggers = [ configFile ]; + restartTriggers = [ configFile ] ++ (lib.optional (cfg.environmentFile != null) cfg.environmentFile); serviceConfig = { ExecStart = "${cfg.package}/bin/garage server"; @@ -88,6 +94,7 @@ in DynamicUser = lib.mkDefault true; ProtectHome = true; NoNewPrivileges = true; + EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile; }; environment = { RUST_LOG = lib.mkDefault "garage=${cfg.logLevel}"; diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 4083f5906d79..d771ffd3e0f7 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix 
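Review bot: `la.addr` (a `types.str`) is interpolated unquoted into the shell command `sshd -G -T -C laddr=${la.addr},lport=… -f ${sshconf}`, so an address containing whitespace or shell metacharacters would be split or interpreted inside the check derivation; quote the spec, e.g. `sshd -G -T -C ${escapeShellArg "laddr=${la.addr},lport=${toString la.port}"} -f ${sshconf} > /dev/null` (same for the `lport=` form), with `escapeShellArg` from lib if the file does not already have it in scope. Separately, when both `cfg.ports` and `cfg.listenAddresses` are empty the check runs no `sshd` at all and just touches `$out`, whereas the removed `sshd -G -f` in the `sshconf` derivation always validated; an unconditional `sshd -G -T -f ${sshconf} > /dev/null` before the two loops would close that edge case (in test mode a Match predicate whose attribute is not supplied simply does not match, as far as I know). A one-line comment above the check would also help readers, e.g. `# Validate the final config once per listener so Match LocalAddress/LocalPort blocks are exercised`.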
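Review bot: The new `environmentFile` option is typed `types.nullOr types.path`, so a Nix path literal such as `./garage.env` is copied into the world-readable Nix store together with whatever secrets it holds, and nothing in the description warns about that. Suggest `File containing environment variables (typically secrets) passed to the Garage server. Must not be a Nix path literal, which would copy the file into the world-readable store; use an absolute string such as "/run/secrets/garage.env".` As far as I know systemd reads `EnvironmentFile=` before dropping privileges, so the file can stay root-only even with `DynamicUser`; if that holds for this unit it is worth stating in the description as well.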
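Review bot: Adding `cfg.environmentFile` to `restartTriggers` only restarts garage when the path string changes, not when the file's contents change, because a non-store path contributes just its literal value to the trigger hash; the only case where contents are tracked is a store path, which is exactly what a secrets file should avoid. Either drop the trigger or keep it with a comment that sets expectations, e.g. `# environmentFile normally lives outside the store, so this only reacts to the path changing, not to edits`, and mention in the option description that the unit must be restarted manually after editing the file.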
@@ -52,6 +52,36 @@ in { }; }; + server_match_rule = + { ... }: + + { + services.openssh = { + enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ]; + extraConfig = '' + # Combined test for two (predictable) Match criterias + Match LocalAddress 127.0.0.1 LocalPort 22 + PermitRootLogin yes + + # Separate tests for Match criterias + Match User root + PermitRootLogin yes + Match Group root + PermitRootLogin yes + Match Host nohost.example + PermitRootLogin yes + Match LocalAddress 127.0.0.1 + PermitRootLogin yes + Match LocalPort 22 + PermitRootLogin yes + Match RDomain nohost.example + PermitRootLogin yes + Match Address 127.0.0.1 + PermitRootLogin yes + ''; + }; + }; + client = { ... }: { }; @@ -114,5 +144,8 @@ in { with subtest("localhost-only"): server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'") server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'") + + with subtest("match-rules"): + server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'") ''; }) |
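Review bot: The two comments inside `extraConfig` read `Match criterias`; the plural of criterion is criteria, so `# Combined test for two (predictable) Match criteria` and `# Separate tests for Match criteria`. A short comment on why this fixture exists would help the next reader, since `PermitRootLogin yes` under every rule looks alarming out of context; presumably each criterion type must survive the build-time `sshd -G -T -C …` validation and the setting is only a visible marker in a test VM, e.g. `# Fixture only: every Match criterion must parse under the build-time config check; PermitRootLogin is just a visible marker.`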
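Review bot: The new `match-rules` subtest only asserts that sshd listens on 127.0.0.1:22, which is the same check the `localhost-only` subtest already makes; it never verifies that any Match block took effect, so a regression that silently ignored the rules would still pass. Add a check of the effective configuration, e.g. `server_match_rule.succeed("sshd -G -C laddr=127.0.0.1,lport=22 -f /etc/ssh/sshd_config | grep -iq 'permitrootlogin yes'")` (assuming the module installs the generated config at /etc/ssh/sshd_config, which is outside this diff), and ideally a contrasting spec that matches no rule and reports the default. The enclosing testScript starts before this hunk.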