authorJan Tojnar <jtojnar@gmail.com>2021-04-25 02:50:48 +0200
committerJan Tojnar <jtojnar@gmail.com>2021-04-25 02:50:48 +0200
commit0f1c4558d362a34cddea207acafff4596058af0b (patch)
tree1d6d8c4f8a53de539d6d2f284fdbe6cea053f8fe /nixos
parent8fce6f76254543f8faf7900590a998d95cbc917f (diff)
parent9839cda8dc0eae5fd2af4ffc970c95ebaa59b92c (diff)
Merge branch 'master' into staging-next
Choose binwalk 2.3.1; 27 is the legacy version for Python 2.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/flexoptix-app.nix25
-rw-r--r--nixos/modules/services/monitoring/nagios.nix2
-rw-r--r--nixos/modules/services/web-apps/mastodon.nix13
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix1
-rw-r--r--nixos/tests/prometheus-exporters.nix6
6 files changed, 45 insertions, 3 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 0cd0659d1dad..811eae020d56 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -133,6 +133,7 @@
   ./programs/file-roller.nix
   ./programs/firejail.nix
   ./programs/fish.nix
+  ./programs/flexoptix-app.nix
   ./programs/freetds.nix
   ./programs/fuse.nix
   ./programs/geary.nix
diff --git a/nixos/modules/programs/flexoptix-app.nix b/nixos/modules/programs/flexoptix-app.nix
new file mode 100644
index 000000000000..93dcdfeb5147
--- /dev/null
+++ b/nixos/modules/programs/flexoptix-app.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.flexoptix-app;
+in {
+  options = {
+    programs.flexoptix-app = {
+      enable = mkEnableOption "FLEXOPTIX app + udev rules";
+
+      package = mkOption {
+        description = "FLEXOPTIX app package to use";
+        type = types.package;
+        default = pkgs.flexoptix-app;
+        defaultText = "\${pkgs.flexoptix-app}";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    services.udev.packages = [ cfg.package ];
+  };
+}
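Review bot: The udev side effect on the last lines, `services.udev.packages = [ cfg.package ];`, installs whatever rules the package ships system-wide, but the only hint to the user is the `enable` option text "FLEXOPTIX app + udev rules"; the description should say what those rules grant, e.g. `enable = mkEnableOption "the FLEXOPTIX app, including its udev rules for accessing FLEXOPTIX programmer devices";` — the exact device access the rules confer is not visible here, so confirm it against the package before wording it. Separately, `defaultText = "\${pkgs.flexoptix-app}"` evaluates to the literal string `${pkgs.flexoptix-app}` in the rendered manual; other NixOS modules write `defaultText = "pkgs.flexoptix-app";`. The `with lib;` at the top is the usual nixpkgs pattern but makes it harder to see that `mkEnableOption`, `mkOption`, `types` and `mkIf` come from `lib`.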
diff --git a/nixos/modules/services/monitoring/nagios.nix b/nixos/modules/services/monitoring/nagios.nix
index 9ac6869068f2..61214508a9c6 100644
--- a/nixos/modules/services/monitoring/nagios.nix
+++ b/nixos/modules/services/monitoring/nagios.nix
@@ -192,6 +192,7 @@ in
       path     = [ pkgs.nagios ] ++ cfg.plugins;
       wantedBy = [ "multi-user.target" ];
       after    = [ "network.target" ];
+      restartTriggers = [ nagiosCfgFile ];
 
       serviceConfig = {
         User = "nagios";
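Review bot: Adding `restartTriggers = [ nagiosCfgFile ];` while dropping `X-ReloadIfChanged = nagiosCfgFile;` (second hunk, ending at the `};` after `ExecStart`) makes every change to the generated config a full restart of nagios rather than a reload, so monitoring pauses on each rebuild. The removed key sat in `serviceConfig` with a path as its value, where NixOS's switch logic presumably never honoured it, so the practical change may be from "no trigger at all" to "restart"; if a reload was the intent, `reloadIfChanged = true;` next to the new `restartTriggers` line keeps the trigger but reloads instead — provided the unit has a working reload action, which is not visible in this hunk. The enclosing `systemd.services.nagios` definition starts before the hunk.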
@@ -201,7 +202,6 @@ in
         LogsDirectory = "nagios";
         StateDirectory = "nagios";
         ExecStart = "${pkgs.nagios}/bin/nagios /etc/nagios.cfg";
-        X-ReloadIfChanged = nagiosCfgFile;
       };
     };
 
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 16e8ae2ec0b2..661320b5d00a 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -31,6 +31,8 @@ let
   // (if cfg.smtp.authenticate then { SMTP_LOGIN  = cfg.smtp.user; } else {})
   // cfg.extraConfig;
 
+  systemCallsList = [ "@clock" "@cpu-emulation" "@debug" "@keyring" "@module" "@mount" "@obsolete" "@raw-io" "@reboot" "@resources" "@setuid" "@swap" ];
+
   cfgService = {
     # User and group
     User = cfg.user;
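Review bot: `systemCallsList` is introduced without a comment saying it is a deny-list (each unit prefixes it with `~`) and that the filter now has to be set per unit, because the second hunk removes `SystemCallFilter` from the shared `cfgService`; the later hunks (ending at the `path = with pkgs; [ file imagemagick ffmpeg ];` lines) each merge `{ SystemCallFilter = …; } // cfgService`, so any future unit that merges `cfgService` without its own `SystemCallFilter` line would run with no syscall filter at all. I would add above the list `# Syscall groups denied ("~") in every mastodon unit; each unit sets SystemCallFilter itself, and the long-running units additionally deny @privileged.` and, where `SystemCallFilter` used to be in `cfgService`, `# SystemCallFilter is set per unit (oneshot init units cannot deny @privileged).` Note also that `@raw-io` is new relative to the removed string on the `-` line of the second hunk, and that the two oneshot init units do not get `@privileged` — presumably because they need it for initialisation, but a comment should say so. The enclosing `let` block starts before the hunk.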
@@ -68,7 +70,6 @@ let
     PrivateMounts = true;
     # System Call Filtering
     SystemCallArchitectures = "native";
-    SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @reboot @resources @setuid @swap";
   };
 
   envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") (
@@ -432,6 +433,8 @@ in {
       serviceConfig = {
         Type = "oneshot";
         WorkingDirectory = cfg.package;
+        # System Call Filtering
+        SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
       } // cfgService;
 
       after = [ "network.target" ];
@@ -457,6 +460,8 @@ in {
         Type = "oneshot";
         EnvironmentFile = "/var/lib/mastodon/.secrets_env";
         WorkingDirectory = cfg.package;
+        # System Call Filtering
+        SystemCallFilter = "~" + lib.concatStringsSep " " systemCallsList;
       } // cfgService;
       after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
       wantedBy = [ "multi-user.target" ];
@@ -481,6 +486,8 @@ in {
         # Runtime directory and mode
         RuntimeDirectory = "mastodon-streaming";
         RuntimeDirectoryMode = "0750";
+        # System Call Filtering
+        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
       } // cfgService;
     };
 
@@ -503,6 +510,8 @@ in {
         # Runtime directory and mode
         RuntimeDirectory = "mastodon-web";
         RuntimeDirectoryMode = "0750";
+        # System Call Filtering
+        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
       } // cfgService;
       path = with pkgs; [ file imagemagick ffmpeg ];
     };
@@ -522,6 +531,8 @@ in {
         RestartSec = 20;
         EnvironmentFile = "/var/lib/mastodon/.secrets_env";
         WorkingDirectory = cfg.package;
+        # System Call Filtering
+        SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@privileged" ]);
       } // cfgService;
       path = with pkgs; [ file imagemagick ffmpeg ];
     };
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 51c2f3febdc7..18e1263fef5e 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -887,6 +887,7 @@ in
     users.users = optionalAttrs (cfg.user == "nginx") {
       nginx = {
         group = cfg.group;
+        isSystemUser = true;
         uid = config.ids.uids.nginx;
       };
     };
diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix
index 62c0080dd516..9aa430c25a4f 100644
--- a/nixos/tests/prometheus-exporters.nix
+++ b/nixos/tests/prometheus-exporters.nix
@@ -118,6 +118,8 @@ let
       metricProvider = {
         services.bird2.enable = true;
         services.bird2.config = ''
+          router id 127.0.0.1;
+
           protocol kernel MyObviousTestString {
             ipv4 {
               import all;
@@ -132,7 +134,9 @@ let
       exporterTest = ''
         wait_for_unit("prometheus-bird-exporter.service")
         wait_for_open_port(9324)
-        succeed("curl -sSf http://localhost:9324/metrics | grep -q 'MyObviousTestString'")
+        wait_until_succeeds(
+            "curl -sSf http://localhost:9324/metrics | grep -q 'MyObviousTestString'"
+        )
       '';
     };