author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-09-21 18:00:53 +0000 |
committer | GitHub <noreply@github.com> | 2023-09-21 18:00:53 +0000 |
commit | 25421963c797b02308d2e08d6e7b58c11d1dd40e (patch) | |
tree | 09a32951a13bdd0aed7041efd6e121298ac7455f /nixos | |
parent | 4c610adf95276c9c810b715121bd24ad453dc77a (diff) | |
parent | e12483116b3b51a185a33a272bf351e357ba9a99 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 1 | ||||
-rw-r--r-- | nixos/modules/hardware/glasgow.nix | 23 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/matrix/synapse.nix | 39 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 42 | ||||
-rw-r--r-- | nixos/modules/services/networking/nftables.nix | 1 |
6 files changed, 65 insertions, 42 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index ca3d96072b7f..13b8dc6e2244 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -222,6 +222,7 @@ order, or relying on `mkBefore` and `mkAfter`, but may impact users calling `mkOrder n` with n ≤ 400.
+- `networking.networkmanager.firewallBackend` was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally.
 ## Other Notable Changes {#sec-release-23.11-notable-changes}
diff --git a/nixos/modules/hardware/glasgow.nix b/nixos/modules/hardware/glasgow.nix
new file mode 100644
index 000000000000..f8ebb772c47b
--- /dev/null
+++ b/nixos/modules/hardware/glasgow.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.hardware.glasgow;
+
+in
+{
+ options.hardware.glasgow = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Enables Glasgow udev rules and ensures 'plugdev' group exists.
+ This is a prerequisite to using Glasgow without being root.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.udev.packages = [ pkgs.glasgow ];
+ users.groups.plugdev = { };
+ };
+}
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 811a46563fb4..e17d430e59b6 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -61,6 +61,7 @@
 ./hardware/flipperzero.nix
 ./hardware/flirc.nix
 ./hardware/gkraken.nix
+ ./hardware/glasgow.nix
 ./hardware/gpgsmartcards.nix
 ./hardware/hackrf.nix
 ./hardware/i2c.nix
diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix
index 554e9ca2ecc3..5cce36f41e50 100644
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
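Review bot: The option description `Enables Glasgow udev rules and ensures 'plugdev' group exists.` does not tell the reader how access is actually granted: the module creates the group (`users.groups.plugdev = { };`) but adds nobody to it, so a user who enables the option still gets a permission error until they are a member. Presumably the udev rules shipped in `pkgs.glasgow` hand the device node to that group (not visible here), so I would extend the description with a sentence such as `Users who should be able to use the device must be added to the plugdev group, e.g. via users.users.<name>.extraGroups.` Keeping the membership explicit also keeps the device-access grant auditable per user rather than implied by enabling a hardware module.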
@@ -15,26 +15,26 @@ let
 usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ]));
 hasWorkers = cfg.workers != { };
+ listenerSupportsResource = resource: listener:
+ lib.any ({ names, ... }: builtins.elem resource names) listener.resources;
+
+ clientListener = findFirst
+ (listenerSupportsResource "client")
+ null
+ (cfg.settings.listeners
+ ++ concatMap ({ worker_listeners, ... }: worker_listeners) (attrValues cfg.workers));
+
 registerNewMatrixUser = let
- isIpv6 = x: lib.length (lib.splitString ":" x) > 1;
- listener =
- lib.findFirst (
- listener: lib.any (
- resource: lib.any (
- name: name == "client"
- ) resource.names
- ) listener.resources
- ) (lib.last cfg.settings.listeners) cfg.settings.listeners;
- # FIXME: Handle cases with missing client listener properly,
- # don't rely on lib.last, this will not work.
+ isIpv6 = hasInfix ":";
 # add a tail, so that without any bind_addresses we still have a useable address
- bindAddress = head (listener.bind_addresses ++ [ "127.0.0.1" ]);
- listenerProtocol = if listener.tls
+ bindAddress = head (clientListener.bind_addresses ++ [ "127.0.0.1" ]);
+ listenerProtocol = if clientListener.tls
 then "https"
 else "http";
 in
+ assert assertMsg (clientListener != null) "No client listener found in synapse or one of its workers";
 pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''
 exec ${cfg.package}/bin/register_new_matrix_user \
 $@ \
@@ -44,7 +44,7 @@ let
 "[${bindAddress}]"
 else
 "${bindAddress}"
- }:${builtins.toString listener.port}/"
+ }:${builtins.toString clientListener.port}/"
 '';
 defaultExtras = [
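Review bot: The same condition is now checked twice: `assert assertMsg (clientListener != null) "No client listener found in synapse or one of its workers";` inside `registerNewMatrixUser`, and the `assertions` entry added in the `@@ -938` hunk; which message a user sees depends on which value the evaluator forces first. Since `assertions` is the module-system convention and carries the more helpful text, the inline `assert` looks redundant and could be dropped, or the wrapper's uses guarded with `lib.optional (clientListener != null)` if it must never be instantiated without a listener. Also, `clientListener.tls` and `clientListener.bind_addresses` are read without a fallback, and `findFirst` can now return a worker listener as well as a main one; this is only safe if both listener submodules declare defaults for those attributes, which is worth confirming, since a worker listener lacking `tls` would fail evaluation with an attribute-missing error rather than a clear message. The `registerNewMatrixUser` binding continues outside this hunk (the rest of the wrapper script and the `@@ -44` port interpolation).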
@@ -938,6 +938,13 @@ in {
 config = mkIf cfg.enable {
 assertions = [
 {
+ assertion = clientListener != null;
+ message = ''
+ At least one listener which serves the `client` resource via HTTP is required
+ by synapse in `services.matrix-synapse.settings.listeners` or in one of the workers!
+ '';
+ }
+ {
 assertion = hasLocalPostgresDB -> config.services.postgresql.enable;
 message = ''
 Cannot deploy matrix-synapse with a configuration for a local postgresql database
@@ -969,13 +976,13 @@ in {
 (
 listener:
 listener.port == main.port
- && (lib.any (resource: builtins.elem "replication" resource.names) listener.resources)
+ && listenerSupportsResource "replication" listener
 && (lib.any (bind: bind == main.host || bind == "0.0.0.0" || bind == "::") listener.bind_addresses)
 )
 null
 cfg.settings.listeners;
 in
- hasWorkers -> (listener != null);
+ hasWorkers -> (cfg.settings.instance_map ? main && listener != null);
 message = ''
 Workers for matrix-synapse require setting `services.matrix-synapse.settings.instance_map.main`
 to any listener configured in `services.matrix-synapse.settings.listeners` with a `"replication"`
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index 6bc46a9a90e4..53c847ee3ca2 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -30,13 +30,11 @@ let
 configFile = pkgs.writeText "NetworkManager.conf" (lib.concatStringsSep "\n" [
 (mkSection "main" {
 plugins = "keyfile";
- dhcp = cfg.dhcp;
- dns = cfg.dns;
+ inherit (cfg) dhcp dns;
 # If resolvconf is disabled that means that resolv.conf is managed by some other module.
 rc-manager = if config.networking.resolvconf.enable then "resolvconf" else "unmanaged";
- firewall-backend = cfg.firewallBackend;
 })
 (mkSection "keyfile" {
 unmanaged-devices =
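Review bot: Removing `firewall-backend = cfg.firewallBackend;` from the `main` section leaves the backend choice to NetworkManager's own default instead of pinning it, while the release-note entry in this same commit states that NetworkManager now uses nftables unconditionally. If NetworkManager selects the backend at runtime from what it finds on the system when the key is unset (I believe it probes for the `nft` binary; confirm against the NetworkManager.conf manual for the packaged version), a host where that probe fails would quietly fall back to iptables, and with nftables enabled the `boot.blacklistedKernelModules = [ "ip_tables" ]` line in nftables.nix would then turn shared-mode masquerading into a hard failure rather than a warning. A single `firewall-backend = "nftables";` in this section makes the documented behaviour explicit and removes the dependence on the probe. The `configFile` binding starts before this hunk and continues after `unmanaged-devices =`.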
@@ -233,15 +231,6 @@ in
 '';
 };
- firewallBackend = mkOption {
- type = types.enum [ "iptables" "nftables" "none" ];
- default = "iptables";
- description = lib.mdDoc ''
- Which firewall backend should be used for configuring masquerading with shared mode.
- If set to none, NetworkManager doesn't manage the configuration at all.
- '';
- };
-
 logLevel = mkOption {
 type = types.enum [ "OFF" "ERR" "WARN" "INFO" "DEBUG" "TRACE" ];
 default = "WARN";
@@ -340,20 +329,20 @@ in
 default = [ ];
 example = literalExpression ''
 [ {
- source = pkgs.writeText "upHook" '''
-
- if [ "$2" != "up" ]; then
- logger "exit: event $2 != up"
- exit
- fi
-
- # coreutils and iproute are in PATH too
- logger "Device $DEVICE_IFACE coming up"
- ''';
- type = "basic";
- } ]'';
+ source = pkgs.writeText "upHook" '''
+ if [ "$2" != "up" ]; then
+ logger "exit: event $2 != up"
+ exit
+ fi
+
+ # coreutils and iproute are in PATH too
+ logger "Device $DEVICE_IFACE coming up"
+ ''';
+ type = "basic";
+ } ]
+ '';
 description = lib.mdDoc ''
- A list of scripts which will be executed in response to network events.
+ A list of scripts which will be executed in response to network events.
 '';
 };
@@ -413,6 +402,9 @@ in
 them via the DNS server in your network, or use environment.etc to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
 '')
+ (mkRemovedOptionModule [ "networking" "networkmanager" "firewallBackend" ] ''
+ This option was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally.
+ '')
 ];
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 47159ade328c..a0afdb452752 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -248,7 +248,6 @@ in
 config = mkIf cfg.enable {
 boot.blacklistedKernelModules = [ "ip_tables" ];
 environment.systemPackages = [ pkgs.nftables ];
- networking.networkmanager.firewallBackend = mkDefault "nftables";
 # versionOlder for backportability, remove afterwards
 networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11" || (cfg.rulesetFile != null || cfg.ruleset != ""));
 systemd.services.nftables = {