diff options
| author | Weijia Wang <9713184+wegank@users.noreply.github.com> | 2024-01-27 04:17:36 +0100 |
|---|---|---|
| committer | Weijia Wang <9713184+wegank@users.noreply.github.com> | 2024-01-27 04:17:36 +0100 |
| commit | 43545381393695f722344b085620937fa3367a8a (patch) | |
| tree | e2b7bdf1f0d5453341a4619f8a63948c6e6b2f76 /nixos | |
| parent | 4757f0e68df99bc7177c68dcc7c523e391d213cf (diff) | |
| parent | 741c01dfc130418b134d48dfbb68f9462f853e32 (diff) | |
| download | nixlib-43545381393695f722344b085620937fa3367a8a.tar nixlib-43545381393695f722344b085620937fa3367a8a.tar.gz nixlib-43545381393695f722344b085620937fa3367a8a.tar.bz2 nixlib-43545381393695f722344b085620937fa3367a8a.tar.lz nixlib-43545381393695f722344b085620937fa3367a8a.tar.xz nixlib-43545381393695f722344b085620937fa3367a8a.tar.zst nixlib-43545381393695f722344b085620937fa3367a8a.zip | |
Merge branch 'staging-next' into staging
Diffstat (limited to 'nixos')
57 files changed, 1138 insertions, 461 deletions
diff --git a/nixos/doc/manual/contributing-to-this-manual.chapter.md b/nixos/doc/manual/contributing-to-this-manual.chapter.md index 6245280e30f0..83e4773e6866 100644 --- a/nixos/doc/manual/contributing-to-this-manual.chapter.md +++ b/nixos/doc/manual/contributing-to-this-manual.chapter.md @@ -1,6 +1,6 @@ # Contributing to this manual {#chap-contributing} -The [DocBook] and CommonMark sources of the NixOS manual are in the [nixos/doc/manual](https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual) subdirectory of the [Nixpkgs](https://github.com/NixOS/nixpkgs) repository. +The sources of the NixOS manual are in the [nixos/doc/manual](https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual) subdirectory of the [Nixpkgs](https://github.com/NixOS/nixpkgs) repository. This manual uses the [Nixpkgs manual syntax](https://nixos.org/manual/nixpkgs/unstable/#sec-contributing-markup). You can quickly check your edits with the following: diff --git a/nixos/doc/manual/development/writing-documentation.chapter.md b/nixos/doc/manual/development/writing-documentation.chapter.md index 3d9bd318cf33..2e9dffd22ba8 100644 --- a/nixos/doc/manual/development/writing-documentation.chapter.md +++ b/nixos/doc/manual/development/writing-documentation.chapter.md @@ -7,7 +7,7 @@ worthy contribution to the project. ## Building the Manual {#sec-writing-docs-building-the-manual} -The DocBook sources of the [](#book-nixos-manual) are in the +The sources of the [](#book-nixos-manual) are in the [`nixos/doc/manual`](https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual) subdirectory of the Nixpkgs repository. @@ -29,65 +29,3 @@ nix-build nixos/release.nix -A manual.x86_64-linux When this command successfully finishes, it will tell you where the manual got generated. The HTML will be accessible through the `result` symlink at `./result/share/doc/nixos/index.html`. - -## Editing DocBook XML {#sec-writing-docs-editing-docbook-xml} - -For general information on how to write in DocBook, see [DocBook 5: The -Definitive Guide](https://tdg.docbook.org/tdg/5.1/). - -Emacs nXML Mode is very helpful for editing DocBook XML because it -validates the document as you write, and precisely locates errors. To -use it, see [](#sec-emacs-docbook-xml). - -[Pandoc](https://pandoc.org/) can generate DocBook XML from a multitude of -formats, which makes a good starting point. Here is an example of Pandoc -invocation to convert GitHub-Flavoured MarkDown to DocBook 5 XML: - -```ShellSession -pandoc -f markdown_github -t docbook5 docs.md -o my-section.md -``` - -Pandoc can also quickly convert a single `section.xml` to HTML, which is -helpful when drafting. - -Sometimes writing valid DocBook is too difficult. In this case, -submit your documentation updates in a [GitHub -Issue](https://github.com/NixOS/nixpkgs/issues/new) and someone will -handle the conversion to XML for you. - -## Creating a Topic {#sec-writing-docs-creating-a-topic} - -You can use an existing topic as a basis for the new topic or create a -topic from scratch. - -Keep the following guidelines in mind when you create and add a topic: - -- The NixOS [`book`](https://tdg.docbook.org/tdg/5.0/book.html) - element is in `nixos/doc/manual/manual.xml`. It includes several - [`parts`](https://tdg.docbook.org/tdg/5.0/book.html) which are in - subdirectories. - -- Store the topic file in the same directory as the `part` to which it - belongs. If your topic is about configuring a NixOS module, then the - XML file can be stored alongside the module definition `nix` file. - -- If you include multiple words in the file name, separate the words - with a dash. For example: `ipv6-config.xml`. - -- Make sure that the `xml:id` value is unique. You can use abbreviations - if the ID is too long. For example: `nixos-config`. - -- Determine whether your topic is a chapter or a section. If you are - unsure, open an existing topic file and check whether the main - element is chapter or section. - -## Adding a Topic to the Book {#sec-writing-docs-adding-a-topic} - -Open the parent CommonMark file and add a line to the list of -chapters with the file name of the topic that you created. If you -created a `section`, you add the file to the `chapter` file. If you created -a `chapter`, you add the file to the `part` file. - -If the topic is about configuring a NixOS module, it can be -automatically included in the manual by using the `meta.doc` attribute. -See [](#sec-meta-attributes) for an explanation. diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 0aaaa2abfc29..01e44b71f1e8 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -54,6 +54,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [ollama](https://ollama.ai), server for running large language models locally. +- [hebbot](https://github.com/haecker-felix/hebbot), a Matrix bot to generate "This Week in X" like blog posts. Available as [services.hebbot](#opt-services.hebbot.enable). + - [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable). The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares. @@ -87,6 +89,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details. +- `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`. + This was done so that secrets aren't stored in the world-readable nix store. + To migrate, you will have create a file with the same exact string, and change + your module options to point to that file. For example, `services.aria2.rpcSecret = + "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"` + where the file `secret_file` contains the string `mysecret`. + - Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857) - `inetutils` now has a lower priority to avoid shadowing the commonly used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`. @@ -142,12 +151,10 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts. -- `multi-user.target` no longer depends on `network-online.target`. - This will potentially break services that assumed this was the case in the past. - This was changed for consistency with other distributions as well as improved boot times. - - We have added a warning for services that are - `after = [ "network-online.target" ]` but do not depend on it (e.g. using `wants`). +- A warning has been added for services that are + `after = [ "network-online.target" ]` but do not depend on it (e.g. using + `wants`), because the dependency that `multi-user.target` has on + `network-online.target` is planned for removal. - `services.archisteamfarm` no longer uses the abbreviation `asf` for its state directory (`/var/lib/asf`), user and group (both `asf`). Instead the long name `archisteamfarm` is used. Configurations with `system.stateVersion` 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory. @@ -200,6 +207,19 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The `-data` path is no longer required to run the package, and will be set to point to a folder in `$TMP` if missing. +- `nomad` has been updated - note that HashiCorp recommends updating one minor version at a time. Please check [their upgrade guide](https://developer.hashicorp.com/nomad/docs/upgrade) for information on safely updating clusters and potential breaking changes. + + - `nomad` is now Nomad 1.7.x. + + - `nomad_1_4` has been removed, as it is now unsupported upstream. + +- The `livebook` package is now built as a `mix release` instead of an `escript`. + This means that configuration now has to be done using [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) instead of command line arguments. + This has the further implication that the `livebook` service configuration has changed: + + - The `erlang_node_short_name`, `erlang_node_name`, `port` and `options` configuration parameters are gone, and have been replaced with an `environment` parameter. + Use the appropriate [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) inside `environment` to configure the service instead. + ## Other Notable Changes {#sec-release-24.05-notable-changes} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -243,11 +263,16 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`. +- New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.). + The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime. + - The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0. +- The netbird module now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.tunnels). + - [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or `globalRedirect` can now have redirect codes other than 301 through `redirectCode`. diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py index da60b669fa27..93411a4a348e 100644 --- a/nixos/lib/test-driver/test_driver/machine.py +++ b/nixos/lib/test-driver/test_driver/machine.py @@ -768,6 +768,32 @@ class Machine: self.booted = False self.connected = False + def wait_for_qmp_event( + self, event_filter: Callable[[dict[str, Any]], bool], timeout: int = 60 * 10 + ) -> dict[str, Any]: + """ + Wait for a QMP event which you can filter with the `event_filter` function. + The function takes as an input a dictionary of the event and if it returns True, we return that event, + if it does not, we wait for the next event and retry. + + It will skip all events received in the meantime, if you want to keep them, + you have to do the bookkeeping yourself and store them somewhere. + + By default, it will wait up to 10 minutes, `timeout` is in seconds. + """ + if self.qmp_client is None: + raise RuntimeError("QMP API is not ready yet, is the VM ready?") + + start = time.time() + while True: + evt = self.qmp_client.wait_for_event(timeout=timeout) + if event_filter(evt): + return evt + + elapsed = time.time() - start + if elapsed >= timeout: + raise TimeoutError + def get_tty_text(self, tty: str) -> str: status, output = self.execute( f"fold -w$(stty -F /dev/tty{tty} size | " diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index fa9ca2225530..8d0233065560 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -214,6 +214,7 @@ ./programs/minipro.nix ./programs/miriway.nix ./programs/mosh.nix + ./programs/mouse-actions.nix ./programs/msmtp.nix ./programs/mtr.nix ./programs/nano.nix @@ -634,6 +635,7 @@ ./services/matrix/appservice-irc.nix ./services/matrix/conduit.nix ./services/matrix/dendrite.nix + ./services/matrix/hebbot.nix ./services/matrix/maubot.nix ./services/matrix/mautrix-facebook.nix ./services/matrix/mautrix-telegram.nix diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 58f07b050b5c..0b10c0414147 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -39,6 +39,9 @@ with lib; # Allow the user to log in as root without a password. users.users.root.initialHashedPassword = ""; + # Don't require sudo/root to `reboot` or `poweroff`. + security.polkit.enable = true; + # Allow passwordless sudo from nixos user security.sudo = { enable = mkDefault true; diff --git a/nixos/modules/programs/gamemode.nix b/nixos/modules/programs/gamemode.nix index 344f392852e2..2bb92ed8e0ef 100644 --- a/nixos/modules/programs/gamemode.nix +++ b/nixos/modules/programs/gamemode.nix @@ -90,6 +90,8 @@ in ]; }; }; + + users.groups.gamemode = { }; }; meta = { diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix index 57cc925be465..1cdf22a7699d 100644 --- a/nixos/modules/programs/light.nix +++ b/nixos/modules/programs/light.nix @@ -9,6 +9,7 @@ in { options = { programs.light = { + enable = mkOption { default = false; type = types.bool; @@ -17,11 +18,60 @@ in and udev rules granting access to members of the "video" group. ''; }; + + brightnessKeys = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable brightness control with keyboard keys. + + This is mainly useful for minimalistic (desktop) environments. You + may want to leave this disabled if you run a feature-rich desktop + environment such as KDE, GNOME or Xfce as those handle the + brightness keys themselves. However, enabling brightness control + with this setting makes the control independent of X, so the keys + work in non-graphical ttys, so you might want to consider using this + instead of the default offered by the desktop environment. + + Enabling this will turn on {option}`services.actkbd`. + ''; + }; + + step = mkOption { + type = types.int; + default = 10; + description = '' + The percentage value by which to increase/decrease brightness. + ''; + }; + + }; + }; }; config = mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; services.udev.packages = [ pkgs.light ]; + services.actkbd = mkIf cfg.brightnessKeys.enable { + enable = true; + bindings = let + light = "${pkgs.light}/bin/light"; + step = toString cfg.brightnessKeys.step; + in [ + { + keys = [ 224 ]; + events = [ "key" ]; + # Use minimum brightness 0.1 so the display won't go totally black. + command = "${light} -N 0.1 && ${light} -U ${step}"; + } + { + keys = [ 225 ]; + events = [ "key" ]; + command = "${light} -A ${step}"; + } + ]; + }; }; } diff --git a/nixos/modules/programs/mouse-actions.nix b/nixos/modules/programs/mouse-actions.nix new file mode 100644 index 000000000000..fdf39d56d383 --- /dev/null +++ b/nixos/modules/programs/mouse-actions.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.programs.mouse-actions; +in + { + options.programs.mouse-actions = { + enable = lib.mkEnableOption '' + mouse-actions udev rules. This is a prerequisite for using mouse-actions without being root. + ''; + }; + config = lib.mkIf cfg.enable { + services.udev.packages = [ pkgs.mouse-actions ]; + }; + } diff --git a/nixos/modules/programs/regreet.nix b/nixos/modules/programs/regreet.nix index 0c44d717044e..55d0c11781ab 100644 --- a/nixos/modules/programs/regreet.nix +++ b/nixos/modules/programs/regreet.nix @@ -78,11 +78,15 @@ in else settingsFormat.generate "regreet.toml" cfg.settings; }; - systemd.tmpfiles.rules = let - group = config.users.users.${config.services.greetd.settings.default_session.user}.group; - in [ - "d /var/log/regreet 0755 greeter ${group} - -" - "d /var/cache/regreet 0755 greeter ${group} - -" - ]; + systemd.tmpfiles.settings."10-regreet" = let + defaultConfig = { + user = "greeter"; + group = config.users.users.${config.services.greetd.settings.default_session.user}.group; + mode = "0755"; + }; + in { + "/var/log/regreet".d = defaultConfig; + "/var/cache/regreet".d = defaultConfig; + }; }; } diff --git a/nixos/modules/services/audio/mopidy.nix b/nixos/modules/services/audio/mopidy.nix index 9d8e67b0ea47..8eebf0f9d1e1 100644 --- a/nixos/modules/services/audio/mopidy.nix +++ b/nixos/modules/services/audio/mopidy.nix @@ -70,9 +70,10 @@ in { config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - mopidy mopidy - -" - ]; + systemd.tmpfiles.settings."10-mopidy".${cfg.dataDir}.d = { + user = "mopidy"; + group = "mopidy"; + }; systemd.services.mopidy = { wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/development/livebook.md b/nixos/modules/services/development/livebook.md index 5012e977a4f7..5315f2c2755a 100644 --- a/nixos/modules/services/development/livebook.md +++ b/nixos/modules/services/development/livebook.md @@ -15,11 +15,12 @@ which runs the server. { services.livebook = { enableUserService = true; - port = 20123; + environment = { + LIVEBOOK_PORT = 20123; + LIVEBOOK_PASSWORD = "mypassword"; + }; # See note below about security - environmentFile = pkgs.writeText "livebook.env" '' - LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - ''; + environmentFile = "/var/lib/livebook.env"; }; } ``` @@ -30,14 +31,19 @@ The Livebook server has the ability to run any command as the user it is running under, so securing access to it with a password is highly recommended. -Putting the password in the Nix configuration like above is an easy -way to get started but it is not recommended in the real world because -the `livebook.env` file will be added to the world-readable Nix store. -A better approach would be to put the password in some secure -user-readable location and set `environmentFile = /home/user/secure/livebook.env`. +Putting the password in the Nix configuration like above is an easy way to get +started but it is not recommended in the real world because the resulting +environment variables can be read by unprivileged users. A better approach +would be to put the password in some secure user-readable location and set +`environmentFile = /home/user/secure/livebook.env`. ::: +The [Livebook +documentation](https://hexdocs.pm/livebook/readme.html#environment-variables) +lists all the applicable environment variables. It is recommended to at least +set `LIVEBOOK_PASSWORD` or `LIVEBOOK_TOKEN_ENABLED=false`. + ### Extra dependencies {#module-services-livebook-extra-dependencies} By default, the Livebook service is run with minimum dependencies, but diff --git a/nixos/modules/services/development/livebook.nix b/nixos/modules/services/development/livebook.nix index 75729ff28efa..df0e6e01e97c 100644 --- a/nixos/modules/services/development/livebook.nix +++ b/nixos/modules/services/development/livebook.nix @@ -14,58 +14,64 @@ in package = mkPackageOption pkgs "livebook" { }; - environmentFile = mkOption { - type = types.path; + environment = mkOption { + type = with types; attrsOf (nullOr (oneOf [ bool int str ])); + default = { }; description = lib.mdDoc '' - Environment file as defined in {manpage}`systemd.exec(5)` passed to the service. + Environment variables to set. - This must contain at least `LIVEBOOK_PASSWORD` or - `LIVEBOOK_TOKEN_ENABLED=false`. See `livebook server --help` - for other options.''; - }; + Livebook is configured through the use of environment variables. The + available configuration options can be found in the [Livebook + documentation](https://hexdocs.pm/livebook/readme.html#environment-variables). - erlang_node_short_name = mkOption { - type = with types; nullOr str; - default = null; - example = "livebook"; - description = "A short name for the distributed node."; - }; + Note that all environment variables set through this configuration + parameter will be readable by anyone with access to the host + machine. Therefore, sensitive information like {env}`LIVEBOOK_PASSWORD` + or {env}`LIVEBOOK_COOKIE` should never be set using this configuration + option, but should instead use + [](#opt-services.livebook.environmentFile). See the documentation for + that option for more information. - erlang_node_name = mkOption { - type = with types; nullOr str; - default = null; - example = "livebook@127.0.0.1"; - description = "The name for the app distributed node."; - }; - - port = mkOption { - type = types.port; - default = 8080; - description = "The port to start the web application on."; - }; - - address = mkOption { - type = types.str; - default = "127.0.0.1"; - description = lib.mdDoc '' - The address to start the web application on. Must be a valid IPv4 or - IPv6 address. + Any environment variables specified in the + [](#opt-services.livebook.environmentFile) will supersede environment + variables specified in this option. ''; - }; - options = mkOption { - type = with types; attrsOf str; - default = { }; - description = lib.mdDoc '' - Additional options to pass as command-line arguments to the server. - ''; example = literalExpression '' { - cookie = "a value shared by all nodes in this cluster"; + LIVEBOOK_PORT = 8080; } ''; }; + environmentFile = mkOption { + type = with types; nullOr types.path; + default = null; + description = lib.mdDoc '' + Additional dnvironment file as defined in {manpage}`systemd.exec(5)`. + + Secrets like {env}`LIVEBOOK_PASSWORD` (which is used to specify the + password needed to access the livebook site) or {env}`LIVEBOOK_COOKIE` + (which is used to specify the + [cookie](https://www.erlang.org/doc/reference_manual/distributed.html#security) + used to connect to the running Elixir system) may be passed to the + service without making them readable to everyone with access to + systemctl by using this configuration parameter. + + Note that this file needs to be available on the host on which + `livebook` is running. + + For security purposes, this file should contain at least + {env}`LIVEBOOK_PASSWORD` or {env}`LIVEBOOK_TOKEN_ENABLED=false`. + + See the [Livebook + documentation](https://hexdocs.pm/livebook/readme.html#environment-variables) + and the [](#opt-services.livebook.environment) configuration parameter + for further options. + ''; + example = "/var/lib/livebook.env"; + }; + extraPackages = mkOption { type = with types; listOf package; default = [ ]; @@ -81,17 +87,12 @@ in serviceConfig = { Restart = "always"; EnvironmentFile = cfg.environmentFile; - ExecStart = - let - args = lib.cli.toGNUCommandLineShell { } ({ - inherit (cfg) port; - ip = cfg.address; - name = cfg.erlang_node_name; - sname = cfg.erlang_node_short_name; - } // cfg.options); - in - "${cfg.package}/bin/livebook server ${args}"; + ExecStart = "${cfg.package}/bin/livebook start"; + KillMode = "mixed"; }; + environment = mapAttrs (name: value: + if isBool value then boolToString value else toString value) + cfg.environment; path = [ pkgs.bash ] ++ cfg.extraPackages; wantedBy = [ "default.target" ]; }; diff --git a/nixos/modules/services/home-automation/esphome.nix b/nixos/modules/services/home-automation/esphome.nix index 4fc007a97683..3c0fd8aed08a 100644 --- a/nixos/modules/services/home-automation/esphome.nix +++ b/nixos/modules/services/home-automation/esphome.nix @@ -63,6 +63,12 @@ in ''; type = types.listOf types.str; }; + + usePing = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc "Use ping to check online status of devices instead of mDNS"; + }; }; config = mkIf cfg.enable { @@ -74,8 +80,10 @@ in wantedBy = ["multi-user.target"]; path = [cfg.package]; - # platformio fails to determine the home directory when using DynamicUser - environment.PLATFORMIO_CORE_DIR = "${stateDir}/.platformio"; + environment = { + # platformio fails to determine the home directory when using DynamicUser + PLATFORMIO_CORE_DIR = "${stateDir}/.platformio"; + } // lib.optionalAttrs cfg.usePing { ESPHOME_DASHBOARD_USE_PING = "true"; }; serviceConfig = { ExecStart = "${cfg.package}/bin/esphome dashboard ${esphomeParams} ${stateDir}"; diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 25c7017a1d25..8d298de6945b 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -4,7 +4,9 @@ let inherit (lib) any attrValues concatMapStringsSep concatStrings concatStringsSep flatten imap1 isList literalExpression mapAttrsToList mkEnableOption mkIf mkOption mkRemovedOptionModule optional optionalAttrs - optionalString singleton types; + optionalString singleton types mkRenamedOptionModule nameValuePair + mapAttrs' listToAttrs filter; + inherit (lib.strings) match; cfg = config.services.dovecot2; dovecotPkg = pkgs.dovecot; @@ -12,6 +14,58 @@ let baseDir = "/run/dovecot2"; stateDir = "/var/lib/dovecot"; + sieveScriptSettings = mapAttrs' (to: from: nameValuePair "sieve_${to}" "${stateDir}/sieve/${from}") cfg.sieve.scripts; + imapSieveMailboxSettings = listToAttrs (flatten (imap1 (idx: el: + singleton { + name = "imapsieve_mailbox${toString idx}_name"; + value = el.name; + } ++ optional (el.from != null) { + name = "imapsieve_mailbox${toString idx}_from"; + value = el.from; + } ++ optional (el.causes != []) { + name = "imapsieve_mailbox${toString idx}_causes"; + value = concatStringsSep "," el.causes; + } ++ optional (el.before != null) { + name = "imapsieve_mailbox${toString idx}_before"; + value = "file:${stateDir}/imapsieve/before/${baseNameOf el.before}"; + } ++ optional (el.after != null) { + name = "imapsieve_mailbox${toString idx}_after"; + value = "file:${stateDir}/imapsieve/after/${baseNameOf el.after}"; + } + ) cfg.imapsieve.mailbox)); + + mkExtraConfigCollisionWarning = term: '' + You referred to ${term} in `services.dovecot2.extraConfig`. + + Due to gradual transition to structured configuration for plugin configuration, it is possible + this will cause your plugin configuration to be ignored. + + Consider setting `services.dovecot2.pluginSettings.${term}` instead. + ''; + + # Those settings are automatically set based on other parts + # of this module. + automaticallySetPluginSettings = [ + "sieve_plugins" + "sieve_extensions" + "sieve_global_extensions" + "sieve_pipe_bin_dir" + ] + ++ (builtins.attrNames sieveScriptSettings) + ++ (builtins.attrNames imapSieveMailboxSettings); + + # The idea is to match everything that looks like `$term =` + # but not `# $term something something` + # or `# $term = some value` because those are comments. + configContainsSetting = lines: term: (match "^[^#]*\b${term}\b.*=" lines) != null; + + warnAboutExtraConfigCollisions = map mkExtraConfigCollisionWarning (filter (configContainsSetting cfg.extraConfig) automaticallySetPluginSettings); + + sievePipeBinScriptDirectory = pkgs.linkFarm "sieve-pipe-bins" (map (el: { + name = builtins.unsafeDiscardStringContext (baseNameOf el); + path = el; + }) cfg.sieve.pipeBins); + dovecotConf = concatStrings [ '' base_dir = ${baseDir} @@ -78,14 +132,6 @@ let ) ( - optionalString (cfg.sieveScripts != {}) '' - plugin { - ${concatStringsSep "\n" (mapAttrsToList (to: from: "sieve_${to} = ${stateDir}/sieve/${to}") cfg.sieveScripts)} - } - '' - ) - - ( optionalString (cfg.mailboxes != {}) '' namespace inbox { inbox=yes @@ -116,33 +162,12 @@ let '' ) + # General plugin settings: + # - sieve is mostly generated here, refer to `pluginSettings` to follow + # the control flow. '' plugin { - sieve_plugins = ${concatStringsSep " " cfg.sieve.plugins} - sieve_extensions = ${concatStringsSep " " (map (el: "+${el}") cfg.sieve.extensions)} - sieve_global_extensions = ${concatStringsSep " " (map (el: "+${el}") cfg.sieve.globalExtensions)} - '' - (optionalString (cfg.imapsieve.mailbox != []) '' - ${ - concatStringsSep "\n" (flatten (imap1 ( - idx: el: - singleton "imapsieve_mailbox${toString idx}_name = ${el.name}" - ++ optional (el.from != null) "imapsieve_mailbox${toString idx}_from = ${el.from}" - ++ optional (el.causes != null) "imapsieve_mailbox${toString idx}_causes = ${el.causes}" - ++ optional (el.before != null) "imapsieve_mailbox${toString idx}_before = file:${stateDir}/imapsieve/before/${baseNameOf el.before}" - ++ optional (el.after != null) "imapsieve_mailbox${toString idx}_after = file:${stateDir}/imapsieve/after/${baseNameOf el.after}" - ) - cfg.imapsieve.mailbox)) - } - '') - (optionalString (cfg.sieve.pipeBins != []) '' - sieve_pipe_bin_dir = ${pkgs.linkFarm "sieve-pipe-bins" (map (el: { - name = builtins.unsafeDiscardStringContext (baseNameOf el); - path = el; - }) - cfg.sieve.pipeBins)} - '') - '' + ${concatStringsSep "\n" (mapAttrsToList (key: value: " ${key} = ${value}") cfg.pluginSettings)} } '' @@ -199,6 +224,7 @@ in { imports = [ (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") + (mkRenamedOptionModule [ "services" "dovecot2" "sieveScripts" ] [ "services" "dovecot2" "sieve" "scripts" ]) ]; options.services.dovecot2 = { @@ -337,12 +363,6 @@ in enableDHE = mkEnableOption (lib.mdDoc "ssl_dh and generation of primes for the key exchange") // { default = true; }; - sieveScripts = mkOption { - type = types.attrsOf types.path; - default = {}; - description = lib.mdDoc "Sieve scripts to be executed. Key is a sequence, e.g. 'before2', 'after' etc."; - }; - showPAMFailure = mkEnableOption (lib.mdDoc "showing the PAM failure message on authentication error (useful for OTPW)"); mailboxes = mkOption { @@ -376,6 +396,26 @@ in description = lib.mdDoc "Quota limit for the user in bytes. Supports suffixes b, k, M, G, T and %."; }; + + pluginSettings = mkOption { + # types.str does not coerce from packages, like `sievePipeBinScriptDirectory`. + type = types.attrsOf (types.oneOf [ types.str types.package ]); + default = {}; + example = literalExpression '' + { + sieve = "file:~/sieve;active=~/.dovecot.sieve"; + } + ''; + description = '' + Plugin settings for dovecot in general, e.g. `sieve`, `sieve_default`, etc. + + Some of the other knobs of this module will influence by default the plugin settings, but you + can still override any plugin settings. + + If you override a plugin setting, its value is cleared and you have to copy over the defaults. + ''; + }; + imapsieve.mailbox = mkOption { default = []; description = "Configure Sieve filtering rules on IMAP actions"; @@ -405,14 +445,14 @@ in }; causes = mkOption { - default = null; + default = [ ]; description = '' Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot2.imapsieve.mailbox.<name>.name when one of the listed IMAPSIEVE causes apply. This has no effect on the user script, which is always executed no matter the cause. ''; - example = "COPY"; - type = types.nullOr (types.enum [ "APPEND" "COPY" "FLAG" ]); + example = [ "COPY" "APPEND" ]; + type = types.listOf (types.enum [ "APPEND" "COPY" "FLAG" ]); }; before = mkOption { @@ -462,6 +502,12 @@ in type = types.listOf types.str; }; + scripts = mkOption { + type = types.attrsOf types.path; + default = {}; + description = lib.mdDoc "Sieve scripts to be executed. Key is a sequence, e.g. 'before2', 'after' etc."; + }; + pipeBins = mkOption { default = []; example = literalExpression '' @@ -476,7 +522,6 @@ in }; }; - config = mkIf cfg.enable { security.pam.services.dovecot2 = mkIf cfg.enablePAM {}; @@ -501,6 +546,13 @@ in ++ optional (cfg.sieve.pipeBins != []) "sieve_extprograms"; sieve.globalExtensions = optional (cfg.sieve.pipeBins != []) "vnd.dovecot.pipe"; + + pluginSettings = lib.mapAttrs (n: lib.mkDefault) ({ + sieve_plugins = concatStringsSep " " cfg.sieve.plugins; + sieve_extensions = concatStringsSep " " (map (el: "+${el}") cfg.sieve.extensions); + sieve_global_extensions = concatStringsSep " " (map (el: "+${el}") cfg.sieve.globalExtensions); + sieve_pipe_bin_dir = sievePipeBinScriptDirectory; + } // sieveScriptSettings // imapSieveMailboxSettings); }; users.users = { @@ -556,7 +608,7 @@ in # the source file and Dovecot won't try to compile it. preStart = '' rm -rf ${stateDir}/sieve ${stateDir}/imapsieve - '' + optionalString (cfg.sieveScripts != {}) '' + '' + optionalString (cfg.sieve.scripts != {}) '' mkdir -p ${stateDir}/sieve ${concatStringsSep "\n" ( mapAttrsToList ( @@ -569,7 +621,7 @@ in fi ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}' '' - ) cfg.sieveScripts + ) cfg.sieve.scripts )} chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/sieve' '' @@ -600,9 +652,7 @@ in environment.systemPackages = [ dovecotPkg ]; - warnings = mkIf (any isList options.services.dovecot2.mailboxes.definitions) [ - "Declaring `services.dovecot2.mailboxes' as a list is deprecated and will break eval in 21.05! See the release notes for more info for migration." - ]; + warnings = warnAboutExtraConfigCollisions; assertions = [ { @@ -615,8 +665,8 @@ in message = "dovecot is configured with showPAMFailure while enablePAM is disabled"; } { - assertion = cfg.sieveScripts != {} -> (cfg.mailUser != null && cfg.mailGroup != null); - message = "dovecot requires mailUser and mailGroup to be set when sieveScripts is set"; + assertion = cfg.sieve.scripts != {} -> (cfg.mailUser != null && cfg.mailGroup != null); + message = "dovecot requires mailUser and mailGroup to be set when `sieve.scripts` is set"; } ]; diff --git a/nixos/modules/services/mail/mlmmj.nix b/nixos/modules/services/mail/mlmmj.nix index 3f07fabcf177..66106a14499b 100644 --- a/nixos/modules/services/mail/mlmmj.nix +++ b/nixos/modules/services/mail/mlmmj.nix @@ -143,11 +143,13 @@ in environment.systemPackages = [ pkgs.mlmmj ]; - systemd.tmpfiles.rules = [ - ''d "${stateDir}" -'' - ''d "${spoolDir}/${cfg.listDomain}" -'' - ''Z "${spoolDir}" - "${cfg.user}" "${cfg.group}" -'' - ]; + systemd.tmpfiles.settings."10-mlmmj" = { + ${stateDir}.d = { }; + "${spoolDir}/${cfg.listDomain}".d = { }; + ${spoolDir}.Z = { + inherit (cfg) user group; + }; + }; systemd.services.mlmmj-maintd = { description = "mlmmj maintenance daemon"; diff --git a/nixos/modules/services/mail/postfixadmin.nix b/nixos/modules/services/mail/postfixadmin.nix index b86428770cb2..e7ebb6fbd648 100644 --- a/nixos/modules/services/mail/postfixadmin.nix +++ b/nixos/modules/services/mail/postfixadmin.nix @@ -99,7 +99,11 @@ in ${cfg.extraConfig} ''; - systemd.tmpfiles.rules = [ "d /var/cache/postfixadmin/templates_c 700 ${user} ${user}" ]; + systemd.tmpfiles.settings."10-postfixadmin"."/var/cache/postfixadmin/templates_c".d = { + inherit user; + group = user; + mode = "700"; + }; services.nginx = { enable = true; diff --git a/nixos/modules/services/mail/rss2email.nix b/nixos/modules/services/mail/rss2email.nix index 54404c5b5f4c..4939f979cafb 100644 --- a/nixos/modules/services/mail/rss2email.nix +++ b/nixos/modules/services/mail/rss2email.nix @@ -95,9 +95,11 @@ in { services.rss2email.config.to = cfg.to; - systemd.tmpfiles.rules = [ - "d /var/rss2email 0700 rss2email rss2email - -" - ]; + systemd.tmpfiles.settings."10-rss2email"."/var/rss2email".d = { + user = "rss2email"; + group = "rss2email"; + mode = "0700"; + }; systemd.services.rss2email = let conf = pkgs.writeText "rss2email.cfg" (lib.generators.toINI {} ({ diff --git a/nixos/modules/services/mail/zeyple.nix b/nixos/modules/services/mail/zeyple.nix index e7f9ddd92dc2..9d4bc7f712d6 100644 --- a/nixos/modules/services/mail/zeyple.nix +++ b/nixos/modules/services/mail/zeyple.nix @@ -93,7 +93,11 @@ in { environment.etc."zeyple.conf".source = ini.generate "zeyple.conf" cfg.settings; - systemd.tmpfiles.rules = [ "f '${cfg.settings.zeyple.log_file}' 0600 ${cfg.user} ${cfg.group} - -" ]; + systemd.tmpfiles.settings."10-zeyple".${cfg.settings.zeyple.log_file}.f = { + inherit (cfg) user group; + mode = "0600"; + }; + services.logrotate = mkIf cfg.rotateLogs { enable = true; settings.zeyple = { diff --git a/nixos/modules/services/matrix/hebbot.nix b/nixos/modules/services/matrix/hebbot.nix new file mode 100644 index 000000000000..ebf175464ddd --- /dev/null +++ b/nixos/modules/services/matrix/hebbot.nix @@ -0,0 +1,78 @@ +{ lib +, config +, pkgs +, ... +}: + +let + inherit (lib) mkEnableOption mkOption mkIf types; + format = pkgs.formats.toml { }; + cfg = config.services.hebbot; + settingsFile = format.generate "config.toml" cfg.settings; + mkTemplateOption = templateName: mkOption { + type = types.path; + description = lib.mdDoc '' + A path to the Markdown file for the ${templateName}. + ''; + }; +in + { + meta.maintainers = [ lib.maintainers.raitobezarius ]; + options.services.hebbot = { + enable = mkEnableOption "hebbot"; + botPasswordFile = mkOption { + type = types.path; + description = lib.mdDoc '' + A path to the password file for your bot. + + Consider using a path that does not end up in your Nix store + as it would be world readable. + ''; + }; + templates = { + project = mkTemplateOption "project template"; + report = mkTemplateOption "report template"; + section = mkTemplateOption "section template"; + }; + settings = mkOption { + type = format.type; + default = { }; + description = lib.mdDoc '' + Configuration for Hebbot, see, for examples: + + - <https://github.com/matrix-org/twim-config/blob/master/config.toml> + - <https://gitlab.gnome.org/Teams/Websites/thisweek.gnome.org/-/blob/main/hebbot/config.toml> + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.hebbot = { + description = "hebbot - a TWIM-style Matrix bot written in Rust"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + ln -sf ${cfg.templates.project} ./project_template.md + ln -sf ${cfg.templates.report} ./report_template.md + ln -sf ${cfg.templates.section} ./section_template.md + ln -sf ${settingsFile} ./config.toml + ''; + + script = '' + export BOT_PASSWORD="$(cat $CREDENTIALS_DIRECTORY/bot-password-file)" + ${lib.getExe pkgs.hebbot} + ''; + + serviceConfig = { + DynamicUser = true; + Restart = "on-failure"; + LoadCredential = "bot-password-file:${cfg.botPasswordFile}"; + RestartSec = "10s"; + StateDirectory = "hebbot"; + WorkingDirectory = "hebbot"; + }; + }; + }; +} + diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix index 73bdeb3b0afd..ee6a56db31d3 100644 --- a/nixos/modules/services/misc/etcd.nix +++ b/nixos/modules/services/misc/etcd.nix @@ -152,9 +152,10 @@ in { }; config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 etcd - - -" - ]; + systemd.tmpfiles.settings."10-etcd".${cfg.dataDir}.d = { + user = "etcd"; + mode = "0700"; + }; systemd.services.etcd = { description = "etcd key-value store"; diff --git a/nixos/modules/services/misc/lidarr.nix b/nixos/modules/services/misc/lidarr.nix index 4dc0fc63863b..8ceb567e8801 100644 --- a/nixos/modules/services/misc/lidarr.nix +++ b/nixos/modules/services/misc/lidarr.nix @@ -45,9 +45,10 @@ in }; config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" - ]; + systemd.tmpfiles.settings."10-lidarr".${cfg.dataDir}.d = { + inherit (cfg) user group; + mode = "0700"; + }; systemd.services.lidarr = { description = "Lidarr"; diff --git a/nixos/modules/services/misc/radarr.nix b/nixos/modules/services/misc/radarr.nix index 618341cf614f..a5f264331ed3 100644 --- a/nixos/modules/services/misc/radarr.nix +++ b/nixos/modules/services/misc/radarr.nix @@ -40,9 +40,10 @@ in }; config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" - ]; + systemd.tmpfiles.settings."10-radarr".${cfg.dataDir}.d = { + inherit (cfg) user group; + mode = "0700"; + }; systemd.services.radarr = { description = "Radarr"; diff --git a/nixos/modules/services/misc/readarr.nix b/nixos/modules/services/misc/readarr.nix index 3c84b13485a4..73868b4baa95 100644 --- a/nixos/modules/services/misc/readarr.nix +++ b/nixos/modules/services/misc/readarr.nix @@ -45,9 +45,10 @@ in }; config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" - ]; + systemd.tmpfiles.settings."10-readarr".${cfg.dataDir}.d = { + inherit (cfg) user group; + mode = "0700"; + }; systemd.services.readarr = { description = "Readarr"; diff --git a/nixos/modules/services/monitoring/alerta.nix b/nixos/modules/services/monitoring/alerta.nix index 6c7ebec4191c..0b0ab177e5e1 100644 --- a/nixos/modules/services/monitoring/alerta.nix +++ b/nixos/modules/services/monitoring/alerta.nix @@ -79,9 +79,10 @@ in }; config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '${cfg.logDir}' - alerta alerta - -" - ]; + systemd.tmpfiles.settings."10-alerta".${cfg.logDir}.d = { + user = "alerta"; + group = "alerta"; + }; systemd.services.alerta = { description = "Alerta Monitoring System"; diff --git a/nixos/modules/services/monitoring/kapacitor.nix b/nixos/modules/services/monitoring/kapacitor.nix index 727b694047b4..c90878656899 100644 --- a/nixos/modules/services/monitoring/kapacitor.nix +++ b/nixos/modules/services/monitoring/kapacitor.nix @@ -160,9 +160,9 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kapacitor ]; - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" - ]; + systemd.tmpfiles.settings."10-kapacitor".${cfg.dataDir}.d = { + inherit (cfg) user group; + }; systemd.services.kapacitor = { description = "Kapacitor Real-Time Stream Processing Engine"; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index 5ed7cac48ae7..456a14169b95 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -374,7 +374,11 @@ in }; # munin_stats plugin breaks as of 2.0.33 when this doesn't exist - systemd.tmpfiles.rules = [ "d /run/munin 0755 munin munin -" ]; + systemd.tmpfiles.settings."10-munin"."/run/munin".d = { + mode = "0755"; + user = "munin"; + group = "munin"; + }; }) (mkIf cronCfg.enable { @@ -399,11 +403,17 @@ in }; }; - systemd.tmpfiles.rules = [ - "d /run/munin 0755 munin munin -" - "d /var/log/munin 0755 munin munin -" - "d /var/www/munin 0755 munin munin -" - "d /var/lib/munin 0755 munin munin -" - ]; + systemd.tmpfiles.settings."20-munin" = let + defaultConfig = { + mode = "0755"; + user = "munin"; + group = "munin"; + }; + in { + "/run/munin".d = defaultConfig; + "/var/log/munin".d = defaultConfig; + "/var/www/munin".d = defaultConfig; + "/var/lib/munin".d = defaultConfig; + }; })]; } diff --git a/nixos/modules/services/monitoring/osquery.nix b/nixos/modules/services/monitoring/osquery.nix index 4f6c2557a641..86ef3fc73213 100644 --- a/nixos/modules/services/monitoring/osquery.nix +++ b/nixos/modules/services/monitoring/osquery.nix @@ -90,8 +90,10 @@ in }; wantedBy = [ "multi-user.target" ]; }; - systemd.tmpfiles.rules = [ - "d ${dirname (cfg.flags.pidfile)} 0755 root root -" - ]; + systemd.tmpfiles.settings."10-osquery".${dirname (cfg.flags.pidfile)}.d = { + user = "root"; + group = "root"; + mode = "0755"; + }; }; } diff --git a/nixos/modules/services/monitoring/prometheus/exporters/pve.nix b/nixos/modules/services/monitoring/prometheus/exporters/pve.nix index 20ee2e4b3238..83e740320df2 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/pve.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/pve.nix @@ -21,7 +21,7 @@ in type = with types; nullOr path; default = null; example = "/etc/prometheus-pve-exporter/pve.env"; - description = lib.mdDoc '' + description = '' Path to the service's environment file. This path can either be a computed path in /nix/store or a path in the local filesystem. The environment file should NOT be stored in /nix/store as it contains passwords and/or keys in plain text. @@ -34,7 +34,7 @@ in type = with types; nullOr path; default = null; example = "/etc/prometheus-pve-exporter/pve.yml"; - description = lib.mdDoc '' + description = '' Path to the service's config file. This path can either be a computed path in /nix/store or a path in the local filesystem. The config file should NOT be stored in /nix/store as it will contain passwords and/or keys in plain text. @@ -45,46 +45,66 @@ in ''; }; + server = { + keyFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/var/lib/prometheus-pve-exporter/privkey.key"; + description = '' + Path to a SSL private key file for the server + ''; + }; + + certFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/var/lib/prometheus-pve-exporter/full-chain.pem"; + description = '' + Path to a SSL certificate file for the server + ''; + }; + }; + collectors = { status = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Collect Node/VM/CT status ''; }; version = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Collect PVE version info ''; }; node = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Collect PVE node info ''; }; cluster = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Collect PVE cluster info ''; }; resources = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Collect PVE resources info ''; }; config = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Collect PVE onboot status ''; }; @@ -102,8 +122,10 @@ in --${optionalString (!cfg.collectors.cluster) "no-"}collector.cluster \ --${optionalString (!cfg.collectors.resources) "no-"}collector.resources \ --${optionalString (!cfg.collectors.config) "no-"}collector.config \ - %d/configFile \ - ${toString cfg.port} ${cfg.listenAddress} + ${optionalString (cfg.server.keyFile != null) "--server.keyfile ${cfg.server.keyFile}"} \ + ${optionalString (cfg.server.certFile != null) "--server.certfile ${cfg.server.certFile}"} \ + --config.file %d/configFile \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} ''; } // optionalAttrs (cfg.environmentFile != null) { EnvironmentFile = cfg.environmentFile; diff --git a/nixos/modules/services/monitoring/riemann-dash.nix b/nixos/modules/services/monitoring/riemann-dash.nix index 1ca8af14e777..1622d7a9b920 100644 --- a/nixos/modules/services/monitoring/riemann-dash.nix +++ b/nixos/modules/services/monitoring/riemann-dash.nix @@ -59,9 +59,10 @@ in { group = "riemanndash"; }; - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - riemanndash riemanndash - -" - ]; + systemd.tmpfiles.settings."10-riemanndash".${cfg.dataDir}.d = { + user = "riemanndash"; + group = "riemanndash"; + }; systemd.services.riemann-dash = { wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/network-filesystems/cachefilesd.nix b/nixos/modules/services/network-filesystems/cachefilesd.nix index da5a79a062c7..3fb6a19c6fa3 100644 --- a/nixos/modules/services/network-filesystems/cachefilesd.nix +++ b/nixos/modules/services/network-filesystems/cachefilesd.nix @@ -56,8 +56,10 @@ in }; }; - systemd.tmpfiles.rules = [ - "d ${cfg.cacheDir} 0700 root root - -" - ]; + systemd.tmpfiles.settings."10-cachefilesd".${cfg.cacheDir}.d = { + user = "root"; + group = "root"; + mode = "0700"; + }; }; } diff --git a/nixos/modules/services/network-filesystems/ceph.nix b/nixos/modules/services/network-filesystems/ceph.nix index 222905223b59..df9a2f802bb9 100644 --- a/nixos/modules/services/network-filesystems/ceph.nix +++ b/nixos/modules/services/network-filesystems/ceph.nix @@ -398,12 +398,18 @@ in in mkMerge targets; - systemd.tmpfiles.rules = [ - "d /etc/ceph - ceph ceph - -" - "d /run/ceph 0770 ceph ceph -" - "d /var/lib/ceph - ceph ceph - -"] - ++ optionals cfg.mgr.enable [ "d /var/lib/ceph/mgr - ceph ceph - -"] - ++ optionals cfg.mon.enable [ "d /var/lib/ceph/mon - ceph ceph - -"] - ++ optionals cfg.osd.enable [ "d /var/lib/ceph/osd - ceph ceph - -"]; + systemd.tmpfiles.settings."10-ceph" = let + defaultConfig = { + user = "ceph"; + group = "ceph"; + }; + in { + "/etc/ceph".d = defaultConfig; + "/run/ceph".d = defaultConfig // { mode = "0770"; }; + "/var/lib/ceph".d = defaultConfig; + "/var/lib/ceph/mgr".d = mkIf (cfg.mgr.enable) defaultConfig; + "/var/lib/ceph/mon".d = mkIf (cfg.mon.enable) defaultConfig; + "/var/lib/ceph/osd".d = mkIf (cfg.osd.enable) defaultConfig; + }; }; } diff --git a/nixos/modules/services/network-filesystems/kbfs.nix b/nixos/modules/services/network-filesystems/kbfs.nix index 33ff283d5e81..578675e75dc3 100644 --- a/nixos/modules/services/network-filesystems/kbfs.nix +++ b/nixos/modules/services/network-filesystems/kbfs.nix @@ -92,7 +92,12 @@ in { (mkIf cfg.enableRedirector { security.wrappers."keybase-redirector".source = "${pkgs.kbfs}/bin/redirector"; - systemd.tmpfiles.rules = [ "d /keybase 0755 root root 0" ]; + systemd.tmpfiles.settings."10-kbfs"."/keybase".d = { + user = "root"; + group = "root"; + mode = "0755"; + age = "0"; + }; # Upstream: https://github.com/keybase/client/blob/master/packaging/linux/systemd/keybase-redirector.service systemd.user.services.keybase-redirector = { diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix index 10162c1633e7..9a05a28550d3 100644 --- a/nixos/modules/services/network-filesystems/kubo.nix +++ b/nixos/modules/services/network-filesystems/kubo.nix @@ -312,12 +312,13 @@ in ipfs.gid = config.ids.gids.ipfs; }; - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" - ] ++ optionals cfg.autoMount [ - "d '${cfg.settings.Mounts.IPFS}' - ${cfg.user} ${cfg.group} - -" - "d '${cfg.settings.Mounts.IPNS}' - ${cfg.user} ${cfg.group} - -" - ]; + systemd.tmpfiles.settings."10-kubo" = let + defaultConfig = { inherit (cfg) user group; }; + in { + ${cfg.dataDir}.d = defaultConfig; + ${cfg.settings.Mounts.IPFS}.d = mkIf (cfg.autoMount) defaultConfig; + ${cfg.settings.Mounts.IPNS}.d = mkIf (cfg.autoMount) defaultConfig; + }; # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself systemd.packages = if cfg.autoMount diff --git a/nixos/modules/services/networking/aria2.nix b/nixos/modules/services/networking/aria2.nix index e848869cc0ac..1fb55b836798 100644 --- a/nixos/modules/services/networking/aria2.nix +++ b/nixos/modules/services/networking/aria2.nix @@ -18,11 +18,14 @@ let dir=${cfg.downloadDir} listen-port=${concatStringsSep "," (rangesToStringList cfg.listenPortRange)} rpc-listen-port=${toString cfg.rpcListenPort} - rpc-secret=${cfg.rpcSecret} ''; in { + imports = [ + (mkRemovedOptionModule [ "services" "aria2" "rpcSecret" ] "Use services.aria2.rpcSecretFile instead") + ]; + options = { services.aria2 = { enable = mkOption { @@ -65,11 +68,11 @@ in default = 6800; description = lib.mdDoc "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535"; }; - rpcSecret = mkOption { - type = types.str; - default = "aria2rpc"; + rpcSecretFile = mkOption { + type = types.path; + example = "/run/secrets/aria2-rpc-token.txt"; description = lib.mdDoc '' - Set RPC secret authorization token. + A file containing the RPC secret authorization token. Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used. ''; }; @@ -117,6 +120,7 @@ in touch "${sessionFile}" fi cp -f "${settingsFile}" "${settingsDir}/aria2.conf" + echo "rpc-secret=$(cat "$CREDENTIALS_DIRECTORY/rpcSecretFile")" >> "${settingsDir}/aria2.conf" ''; serviceConfig = { @@ -125,6 +129,7 @@ in ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "aria2"; Group = "aria2"; + LoadCredential="rpcSecretFile:${cfg.rpcSecretFile}"; }; }; }; diff --git a/nixos/modules/services/networking/charybdis.nix b/nixos/modules/services/networking/charybdis.nix index 168da243dba1..6eacdde7bb93 100644 --- a/nixos/modules/services/networking/charybdis.nix +++ b/nixos/modules/services/networking/charybdis.nix @@ -81,9 +81,9 @@ in gid = config.ids.gids.ircd; }; - systemd.tmpfiles.rules = [ - "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -" - ]; + systemd.tmpfiles.settings."10-charybdis".${cfg.statedir}.d = { + inherit (cfg) user group; + }; environment.etc."charybdis/ircd.conf".source = configFile; diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix index 483300111df9..792185c9fbea 100644 --- a/nixos/modules/services/networking/dnsdist.nix +++ b/nixos/modules/services/networking/dnsdist.nix @@ -4,10 +4,79 @@ with lib; let cfg = config.services.dnsdist; + + toLua = lib.generators.toLua {}; + + mkBind = cfg: toLua "${cfg.listenAddress}:${toString cfg.listenPort}"; + configFile = pkgs.writeText "dnsdist.conf" '' - setLocal('${cfg.listenAddress}:${toString cfg.listenPort}') + setLocal(${mkBind cfg}) + ${lib.optionalString cfg.dnscrypt.enable dnscryptSetup} ${cfg.extraConfig} ''; + + dnscryptSetup = '' + last_rotation = 0 + cert_serial = 0 + provider_key = ${toLua cfg.dnscrypt.providerKey} + cert_lifetime = ${toLua cfg.dnscrypt.certLifetime} * 60 + + function file_exists(name) + local f = io.open(name, "r") + return f ~= nil and io.close(f) + end + + function dnscrypt_setup() + -- generate provider keys on first run + if provider_key == nil then + provider_key = "/var/lib/dnsdist/private.key" + if not file_exists(provider_key) then + generateDNSCryptProviderKeys("/var/lib/dnsdist/public.key", + "/var/lib/dnsdist/private.key") + print("DNSCrypt: generated provider keypair") + end + end + + -- generate resolver certificate + local now = os.time() + generateDNSCryptCertificate( + provider_key, "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", + cert_serial, now - 60, now + cert_lifetime) + addDNSCryptBind( + ${mkBind cfg.dnscrypt}, ${toLua cfg.dnscrypt.providerName}, + "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key") + end + + function maintenance() + -- certificate rotation + local now = os.time() + local dnscrypt = getDNSCryptBind(0) + + if ((now - last_rotation) > 0.9 * cert_lifetime) then + -- generate and start using a new certificate + dnscrypt:generateAndLoadInMemoryCertificate( + provider_key, cert_serial + 1, + now - 60, now + cert_lifetime) + + -- stop advertising the last certificate + dnscrypt:markInactive(cert_serial) + + -- remove the second to last certificate + if (cert_serial > 1) then + dnscrypt:removeInactiveCertificate(cert_serial - 1) + end + + print("DNSCrypt: rotated certificate") + + -- increment serial number + cert_serial = cert_serial + 1 + last_rotation = now + end + end + + dnscrypt_setup() + ''; + in { options = { services.dnsdist = { @@ -15,15 +84,69 @@ in { listenAddress = mkOption { type = types.str; - description = lib.mdDoc "Listen IP Address"; + description = lib.mdDoc "Listen IP address"; default = "0.0.0.0"; }; listenPort = mkOption { - type = types.int; + type = types.port; description = lib.mdDoc "Listen port"; default = 53; }; + dnscrypt = { + enable = mkEnableOption (lib.mdDoc "a DNSCrypt endpoint to dnsdist"); + + listenAddress = mkOption { + type = types.str; + description = lib.mdDoc "Listen IP address of the endpoint"; + default = "0.0.0.0"; + }; + + listenPort = mkOption { + type = types.port; + description = lib.mdDoc "Listen port of the endpoint"; + default = 443; + }; + + providerName = mkOption { + type = types.str; + default = "2.dnscrypt-cert.${config.networking.hostName}"; + defaultText = literalExpression "2.dnscrypt-cert.\${config.networking.hostName}"; + example = "2.dnscrypt-cert.myresolver"; + description = lib.mdDoc '' + The name that will be given to this DNSCrypt resolver. + + ::: {.note} + The provider name must start with `2.dnscrypt-cert.`. + ::: + ''; + }; + + providerKey = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + The filepath to the provider secret key. + If not given a new provider key pair will be generated in + /var/lib/dnsdist on the first run. + + ::: {.note} + The file must be readable by the dnsdist user/group. + ::: + ''; + }; + + certLifetime = mkOption { + type = types.ints.positive; + default = 15; + description = lib.mdDoc '' + The lifetime (in minutes) of the resolver certificate. + This will be automatically rotated before expiration. + ''; + }; + + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -35,6 +158,14 @@ in { }; config = mkIf cfg.enable { + users.users.dnsdist = { + description = "dnsdist daemons user"; + isSystemUser = true; + group = "dnsdist"; + }; + + users.groups.dnsdist = {}; + systemd.packages = [ pkgs.dnsdist ]; systemd.services.dnsdist = { @@ -42,8 +173,10 @@ in { startLimitIntervalSec = 0; serviceConfig = { - DynamicUser = true; - + User = "dnsdist"; + Group = "dnsdist"; + RuntimeDirectory = "dnsdist"; + StateDirectory = "dnsdist"; # upstream overrides for better nixos compatibility ExecStartPre = [ "" "${pkgs.dnsdist}/bin/dnsdist --check-config --config ${configFile}" ]; ExecStart = [ "" "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}" ]; diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix index 95b5fcf6ebde..0159da37de87 100644 --- a/nixos/modules/services/networking/headscale.nix +++ b/nixos/modules/services/networking/headscale.nix @@ -444,10 +444,14 @@ in { tls_letsencrypt_cache_dir = "${dataDir}/.cache"; }; - # Setup the headscale configuration in a known path in /etc to - # allow both the Server and the Client use it to find the socket - # for communication. - environment.etc."headscale/config.yaml".source = configFile; + environment = { + # Setup the headscale configuration in a known path in /etc to + # allow both the Server and the Client use it to find the socket + # for communication. + etc."headscale/config.yaml".source = configFile; + + systemPackages = [ cfg.package ]; + }; users.groups.headscale = mkIf (cfg.group == "headscale") {}; diff --git a/nixos/modules/services/networking/jibri/default.nix b/nixos/modules/services/networking/jibri/default.nix index a931831fc281..73d11bdbee5a 100644 --- a/nixos/modules/services/networking/jibri/default.nix +++ b/nixos/modules/services/networking/jibri/default.nix @@ -395,11 +395,11 @@ in }; }; - systemd.tmpfiles.rules = [ - "d /var/log/jitsi/jibri 755 jibri jibri" - ]; - - + systemd.tmpfiles.settings."10-jibri"."/var/log/jitsi/jibri".d = { + user = "jibri"; + group = "jibri"; + mode = "755"; + }; # Configure Chromium to not show the "Chrome is being controlled by automatic test software" message. environment.etc."chromium/policies/managed/managed_policies.json".text = builtins.toJSON { CommandLineFlagSecurityWarningsEnabled = false; }; diff --git a/nixos/modules/services/networking/netbird.md b/nixos/modules/services/networking/netbird.md new file mode 100644 index 000000000000..a326207becc8 --- /dev/null +++ b/nixos/modules/services/networking/netbird.md @@ -0,0 +1,56 @@ +# Netbird {#module-services-netbird} + +## Quickstart {#module-services-netbird-quickstart} + +The absolute minimal configuration for the netbird daemon looks like this: + +```nix +services.netbird.enable = true; +``` + +This will set up a netbird service listening on the port `51820` associated to the +`wt0` interface. + +It is strictly equivalent to setting: + +```nix +services.netbird.tunnels.wt0.stateDir = "netbird"; +``` + +The `enable` option is mainly kept for backward compatibility, as defining netbird +tunnels through the `tunnels` option is more expressive. + +## Multiple connections setup {#module-services-netbird-multiple-connections} + +Using the `services.netbird.tunnels` option, it is also possible to define more than +one netbird service running at the same time. + +The following configuration will start a netbird daemon using the interface `wt1` and +the port 51830. Its configuration file will then be located at `/var/lib/netbird-wt1/config.json`. + +```nix +services.netbird.tunnels = { + wt1 = { + port = 51830; + }; +}; +``` + +To interact with it, you will need to specify the correct daemon address: + +```bash +netbird --daemon-addr unix:///var/run/netbird-wt1/sock ... +``` + +The address will by default be `unix:///var/run/netbird-<name>`. + +It is also possible to overwrite default options passed to the service, for +example: + +```nix +services.netbird.tunnels.wt1.environment = { + NB_DAEMON_ADDR = "unix:///var/run/toto.sock" +}; +``` + +This will set the socket to interact with the netbird service to `/var/run/toto.sock`. diff --git a/nixos/modules/services/networking/netbird.nix b/nixos/modules/services/networking/netbird.nix index 4b0bd63e9dbc..6a1511d4d084 100644 --- a/nixos/modules/services/networking/netbird.nix +++ b/nixos/modules/services/networking/netbird.nix @@ -1,60 +1,171 @@ -{ config, lib, pkgs, ... }: - -with lib; +{ + config, + lib, + pkgs, + ... +}: let - cfg = config.services.netbird; + inherit (lib) + attrNames + getExe + literalExpression + maintainers + mapAttrs' + mkDefault + mkEnableOption + mkIf + mkMerge + mkOption + mkPackageOption + nameValuePair + optional + versionOlder + ; + + inherit (lib.types) + attrsOf + port + str + submodule + ; + kernel = config.boot.kernelPackages; - interfaceName = "wt0"; -in { - meta.maintainers = with maintainers; [ misuzu ]; + + cfg = config.services.netbird; +in +{ + meta.maintainers = with maintainers; [ + misuzu + thubrecht + ]; + meta.doc = ./netbird.md; options.services.netbird = { enable = mkEnableOption (lib.mdDoc "Netbird daemon"); package = mkPackageOption pkgs "netbird" { }; - }; - - config = mkIf cfg.enable { - boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard; - environment.systemPackages = [ cfg.package ]; + tunnels = mkOption { + type = attrsOf ( + submodule ( + { name, config, ... }: + { + options = { + port = mkOption { + type = port; + default = 51820; + description = '' + Port for the ${name} netbird interface. + ''; + }; - networking.dhcpcd.denyInterfaces = [ interfaceName ]; + environment = mkOption { + type = attrsOf str; + defaultText = literalExpression '' + { + NB_CONFIG = "/var/lib/''${stateDir}/config.json"; + NB_LOG_FILE = "console"; + NB_WIREGUARD_PORT = builtins.toString port; + NB_INTERFACE_NAME = name; + NB_DAMEON_ADDR = "/var/run/''${stateDir}" + } + ''; + description = '' + Environment for the netbird service, used to pass configuration options. + ''; + }; - systemd.network.networks."50-netbird" = mkIf config.networking.useNetworkd { - matchConfig = { - Name = interfaceName; - }; - linkConfig = { - Unmanaged = true; - ActivationPolicy = "manual"; - }; - }; + stateDir = mkOption { + type = str; + default = "netbird-${name}"; + description = '' + Directory storing the netbird configuration. + ''; + }; + }; - systemd.services.netbird = { - description = "A WireGuard-based mesh network that connects your devices into a single private network"; - documentation = [ "https://netbird.io/docs/" ]; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ - openresolv - ]; - serviceConfig = { - Environment = [ - "NB_CONFIG=/var/lib/netbird/config.json" - "NB_LOG_FILE=console" - ]; - ExecStart = "${cfg.package}/bin/netbird service run"; - Restart = "always"; - RuntimeDirectory = "netbird"; - StateDirectory = "netbird"; - WorkingDirectory = "/var/lib/netbird"; - }; - unitConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; - }; - stopIfChanged = false; + config.environment = builtins.mapAttrs (_: mkDefault) { + NB_CONFIG = "/var/lib/${config.stateDir}/config.json"; + NB_LOG_FILE = "console"; + NB_WIREGUARD_PORT = builtins.toString config.port; + NB_INTERFACE_NAME = name; + NB_DAEMON_ADDR = "unix:///var/run/${config.stateDir}/sock"; + }; + } + ) + ); + default = { }; + description = '' + Attribute set of Netbird tunnels, each one will spawn a daemon listening on ... + ''; }; }; + + config = mkMerge [ + (mkIf cfg.enable { + # For backwards compatibility + services.netbird.tunnels.wt0.stateDir = "netbird"; + }) + + (mkIf (cfg.tunnels != { }) { + boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard; + + environment.systemPackages = [ cfg.package ]; + + networking.dhcpcd.denyInterfaces = attrNames cfg.tunnels; + + systemd.network.networks = mkIf config.networking.useNetworkd ( + mapAttrs' + ( + name: _: + nameValuePair "50-netbird-${name}" { + matchConfig = { + Name = name; + }; + linkConfig = { + Unmanaged = true; + ActivationPolicy = "manual"; + }; + } + ) + cfg.tunnels + ); + + systemd.services = + mapAttrs' + ( + name: + { environment, stateDir, ... }: + nameValuePair "netbird-${name}" { + description = "A WireGuard-based mesh network that connects your devices into a single private network"; + + documentation = [ "https://netbird.io/docs/" ]; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + path = with pkgs; [ openresolv ]; + + inherit environment; + + serviceConfig = { + ExecStart = "${getExe cfg.package} service run"; + Restart = "always"; + RuntimeDirectory = stateDir; + StateDirectory = stateDir; + StateDirectoryMode = "0700"; + WorkingDirectory = "/var/lib/${stateDir}"; + }; + + unitConfig = { + StartLimitInterval = 5; + StartLimitBurst = 10; + }; + + stopIfChanged = false; + } + ) + cfg.tunnels; + }) + ]; } diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 1070e4e25296..f11fe57d6ce5 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -74,11 +74,10 @@ in { systemd.services.tailscaled = { wantedBy = [ "multi-user.target" ]; path = [ - config.networking.resolvconf.package # for configuring DNS in some configs pkgs.procps # for collecting running services (opt-in feature) pkgs.getent # for `getent` to look up user shells pkgs.kmod # required to pass tailscale's v6nat check - ]; + ] ++ lib.optional config.networking.resolvconf.enable config.networking.resolvconf.package; serviceConfig.Environment = [ "PORT=${toString cfg.port}" ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"'' diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix index 4802e3e1c63a..632d8aa98aa2 100644 --- a/nixos/modules/services/torrent/deluge.nix +++ b/nixos/modules/services/torrent/deluge.nix @@ -191,17 +191,25 @@ in { # Provide a default set of `extraPackages`. services.deluge.extraPackages = with pkgs; [ unzip gnutar xz bzip2 ]; - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group}" - "d '${cfg.dataDir}/.config' 0770 ${cfg.user} ${cfg.group}" - "d '${cfg.dataDir}/.config/deluge' 0770 ${cfg.user} ${cfg.group}" - ] - ++ optional (cfg.config ? download_location) - "d '${cfg.config.download_location}' 0770 ${cfg.user} ${cfg.group}" - ++ optional (cfg.config ? torrentfiles_location) - "d '${cfg.config.torrentfiles_location}' 0770 ${cfg.user} ${cfg.group}" - ++ optional (cfg.config ? move_completed_path) - "d '${cfg.config.move_completed_path}' 0770 ${cfg.user} ${cfg.group}"; + systemd.tmpfiles.settings."10-deluged" = let + defaultConfig = { + inherit (cfg) user group; + mode = "0770"; + }; + in { + "${cfg.dataDir}".d = defaultConfig; + "${cfg.dataDir}/.config".d = defaultConfig; + "${cfg.dataDir}/.config/deluge".d = defaultConfig; + } + // optionalAttrs (cfg.config ? download_location) { + ${cfg.config.download_location}.d = defaultConfig; + } + // optionalAttrs (cfg.config ? torrentfiles_location) { + ${cfg.config.torrentfiles_location}.d = defaultConfig; + } + // optionalAttrs (cfg.config ? move_completed_path) { + ${cfg.config.move_completed_path}.d = defaultConfig; + }; systemd.services.deluged = { after = [ "network.target" ]; diff --git a/nixos/modules/services/video/epgstation/default.nix b/nixos/modules/services/video/epgstation/default.nix index a7468e7cc2b6..1b3258c3df8e 100644 --- a/nixos/modules/services/video/epgstation/default.nix +++ b/nixos/modules/services/video/epgstation/default.nix @@ -309,17 +309,25 @@ in (lib.mkIf cfg.usePreconfiguredStreaming streamingConfig) ]; - systemd.tmpfiles.rules = [ - "d '/var/lib/epgstation/key' - ${username} ${groupname} - -" - "d '/var/lib/epgstation/streamfiles' - ${username} ${groupname} - -" - "d '/var/lib/epgstation/drop' - ${username} ${groupname} - -" - "d '/var/lib/epgstation/recorded' - ${username} ${groupname} - -" - "d '/var/lib/epgstation/thumbnail' - ${username} ${groupname} - -" - "d '/var/lib/epgstation/db/subscribers' - ${username} ${groupname} - -" - "d '/var/lib/epgstation/db/migrations/mysql' - ${username} ${groupname} - -" - "d '/var/lib/epgstation/db/migrations/postgres' - ${username} ${groupname} - -" - "d '/var/lib/epgstation/db/migrations/sqlite' - ${username} ${groupname} - -" - ]; + systemd.tmpfiles.settings."10-epgstation" = + lib.listToAttrs + (map (dir: lib.nameValuePair dir { + d = { + user = username; + group = groupname; + }; + }) + [ + "/var/lib/epgstation/key" + "/var/lib/epgstation/streamfiles" + "/var/lib/epgstation/drop" + "/var/lib/epgstation/recorded" + "/var/lib/epgstation/thumbnail" + "/var/lib/epgstation/db/subscribers" + "/var/lib/epgstation/db/migrations/mysql" + "/var/lib/epgstation/db/migrations/postgres" + "/var/lib/epgstation/db/migrations/sqlite" + ]); systemd.services.epgstation = { inherit description; diff --git a/nixos/modules/services/video/mirakurun.nix b/nixos/modules/services/video/mirakurun.nix index 31f90650ba9a..208b34ab353a 100644 --- a/nixos/modules/services/video/mirakurun.nix +++ b/nixos/modules/services/video/mirakurun.nix @@ -165,9 +165,10 @@ in port = mkIf (cfg.port != null) cfg.port; }; - systemd.tmpfiles.rules = [ - "d '/etc/mirakurun' - ${username} ${groupname} - -" - ]; + systemd.tmpfiles.settings."10-mirakurun"."/etc/mirakurun".d = { + user = username; + group = groupname; + }; systemd.services.mirakurun = { description = mirakurun.meta.description; diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index d846c98577c8..4999eceb2b60 100644 --- a/nixos/modules/services/web-apps/bookstack.nix +++ b/nixos/modules/services/web-apps/bookstack.nix @@ -412,20 +412,25 @@ in { ''; }; - systemd.tmpfiles.rules = [ - "d ${cfg.dataDir} 0710 ${user} ${group} - -" - "d ${cfg.dataDir}/public 0750 ${user} ${group} - -" - "d ${cfg.dataDir}/public/uploads 0750 ${user} ${group} - -" - "d ${cfg.dataDir}/storage 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/app 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/fonts 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/framework 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/framework/cache 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/framework/sessions 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/framework/views 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/logs 0700 ${user} ${group} - -" - "d ${cfg.dataDir}/storage/uploads 0700 ${user} ${group} - -" - ]; + systemd.tmpfiles.settings."10-bookstack" = let + defaultConfig = { + inherit user group; + mode = "0700"; + }; + in { + "${cfg.dataDir}".d = defaultConfig // { mode = "0710"; }; + "${cfg.dataDir}/public".d = defaultConfig // { mode = "0750"; }; + "${cfg.dataDir}/public/uploads".d = defaultConfig // { mode = "0750"; }; + "${cfg.dataDir}/storage".d = defaultConfig; + "${cfg.dataDir}/storage/app".d = defaultConfig; + "${cfg.dataDir}/storage/fonts".d = defaultConfig; + "${cfg.dataDir}/storage/framework".d = defaultConfig; + "${cfg.dataDir}/storage/framework/cache".d = defaultConfig; + "${cfg.dataDir}/storage/framework/sessions".d = defaultConfig; + "${cfg.dataDir}/storage/framework/views".d = defaultConfig; + "${cfg.dataDir}/storage/logs".d = defaultConfig; + "${cfg.dataDir}/storage/uploads".d = defaultConfig; + }; users = { users = mkIf (user == "bookstack") { diff --git a/nixos/modules/services/web-apps/freshrss.nix b/nixos/modules/services/web-apps/freshrss.nix index c8399143c37b..edec9d547a30 100644 --- a/nixos/modules/services/web-apps/freshrss.nix +++ b/nixos/modules/services/web-apps/freshrss.nix @@ -228,9 +228,10 @@ in }; users.groups."${cfg.user}" = { }; - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ]; + systemd.tmpfiles.settings."10-freshrss".${cfg.dataDir}.d = { + inherit (cfg) user; + group = config.users.users.${cfg.user}.group; + }; systemd.services.freshrss-config = let diff --git a/nixos/modules/services/web-apps/mattermost.nix b/nixos/modules/services/web-apps/mattermost.nix index 503559432374..3d03c96d1c19 100644 --- a/nixos/modules/services/web-apps/mattermost.nix +++ b/nixos/modules/services/web-apps/mattermost.nix @@ -277,9 +277,7 @@ in # The systemd service will fail to execute the preStart hook # if the WorkingDirectory does not exist - systemd.tmpfiles.rules = [ - ''d "${cfg.statePath}" -'' - ]; + systemd.tmpfiles.settings."10-mattermost".${cfg.statePath}.d = { }; systemd.services.mattermost = { description = "Mattermost chat service"; diff --git a/nixos/modules/services/web-apps/moodle.nix b/nixos/modules/services/web-apps/moodle.nix index ce6a80054725..496a0e32436f 100644 --- a/nixos/modules/services/web-apps/moodle.nix +++ b/nixos/modules/services/web-apps/moodle.nix @@ -255,9 +255,10 @@ in } ]; }; - systemd.tmpfiles.rules = [ - "d '${stateDir}' 0750 ${user} ${group} - -" - ]; + systemd.tmpfiles.settings."10-moodle".${stateDir}.d = { + inherit user group; + mode = "0750"; + }; systemd.services.moodle-init = { wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/web-apps/nifi.nix b/nixos/modules/services/web-apps/nifi.nix index 5ce561077836..c0fc443f0df7 100644 --- a/nixos/modules/services/web-apps/nifi.nix +++ b/nixos/modules/services/web-apps/nifi.nix @@ -163,10 +163,15 @@ in { Please do not disable HTTPS mode in production. In this mode, access to the nifi is opened without authentication. ''; - systemd.tmpfiles.rules = [ - "d '/var/lib/nifi/conf' 0750 ${cfg.user} ${cfg.group}" - "L+ '/var/lib/nifi/lib' - - - - ${cfg.package}/lib" - ]; + systemd.tmpfiles.settings."10-nifi" = { + "/var/lib/nifi/conf".d = { + inherit (cfg) user group; + mode = "0750"; + }; + "/var/lib/nifi/lib"."L+" = { + argument = "${cfg.package}/lib"; + }; + }; systemd.services.nifi = { diff --git a/nixos/modules/services/web-apps/writefreely.nix b/nixos/modules/services/web-apps/writefreely.nix index f92afa9276e3..2e9a34897909 100644 --- a/nixos/modules/services/web-apps/writefreely.nix +++ b/nixos/modules/services/web-apps/writefreely.nix @@ -334,8 +334,10 @@ in { optionalAttrs (cfg.group == "writefreely") { writefreely = { }; }; }; - systemd.tmpfiles.rules = - [ "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" ]; + systemd.tmpfiles.settings."10-writefreely".${cfg.stateDir}.d = { + inherit (cfg) user group; + mode = "0750"; + }; systemd.services.writefreely = { after = [ "network.target" ] diff --git a/nixos/modules/system/boot/clevis.md b/nixos/modules/system/boot/clevis.md index 91eb728a919e..dcbf55de60a8 100644 --- a/nixos/modules/system/boot/clevis.md +++ b/nixos/modules/system/boot/clevis.md @@ -14,20 +14,20 @@ JWE files have to be created through the clevis command line. 3 types of policie Secrets are pinned against the presence of a TPM2 device, for example: ``` -echo hi | clevis encrypt tpm2 '{}' > hi.jwe +echo -n hi | clevis encrypt tpm2 '{}' > hi.jwe ``` 2) Tang policies Secrets are pinned against the presence of a Tang server, for example: ``` -echo hi | clevis encrypt tang '{"url": "http://tang.local"}' > hi.jwe +echo -n hi | clevis encrypt tang '{"url": "http://tang.local"}' > hi.jwe ``` 3) Shamir Secret Sharing Using Shamir's Secret Sharing ([sss](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing)), secrets are pinned using a combination of the two preceding policies. For example: ``` -echo hi | clevis encrypt sss \ +echo -n hi | clevis encrypt sss \ '{"t": 2, "pins": {"tpm2": {"pcr_ids": "0"}, "tang": {"url": "http://tang.local"}}}' \ > hi.jwe ``` diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 331ca5103ba6..e29fa49ea23b 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -428,7 +428,13 @@ in config = { - warnings = concatLists ( + warnings = let + mkOneNetOnlineWarn = typeStr: name: def: lib.optional + (lib.elem "network-online.target" def.after && !(lib.elem "network-online.target" (def.wants ++ def.requires ++ def.bindsTo))) + "${name}.${typeStr} is ordered after 'network-online.target' but doesn't depend on it"; + mkNetOnlineWarns = typeStr: defs: lib.concatLists (lib.mapAttrsToList (mkOneNetOnlineWarn typeStr) defs); + mkMountNetOnlineWarns = typeStr: defs: lib.concatLists (map (m: mkOneNetOnlineWarn typeStr m.what m) defs); + in concatLists ( mapAttrsToList (name: service: let @@ -449,40 +455,31 @@ in ] ) cfg.services + ) + ++ (mkNetOnlineWarns "target" cfg.targets) + ++ (mkNetOnlineWarns "service" cfg.services) + ++ (mkNetOnlineWarns "socket" cfg.sockets) + ++ (mkNetOnlineWarns "timer" cfg.timers) + ++ (mkNetOnlineWarns "path" cfg.paths) + ++ (mkMountNetOnlineWarns "mount" cfg.mounts) + ++ (mkMountNetOnlineWarns "automount" cfg.automounts) + ++ (mkNetOnlineWarns "slice" cfg.slices); + + assertions = concatLists ( + mapAttrsToList + (name: service: + map (message: { + assertion = false; + inherit message; + }) (concatLists [ + (optional ((builtins.elem "network-interfaces.target" service.after) || (builtins.elem "network-interfaces.target" service.wants)) + "Service '${name}.service' is using the deprecated target network-interfaces.target, which no longer exists. Using network.target is recommended instead." + ) + ]) + ) + cfg.services ); - assertions = let - mkOneAssert = typeStr: name: def: { - assertion = lib.elem "network-online.target" def.after -> lib.elem "network-online.target" (def.wants ++ def.requires ++ def.bindsTo); - message = "${name}.${typeStr} is ordered after 'network-online.target' but doesn't depend on it"; - }; - mkAsserts = typeStr: lib.mapAttrsToList (mkOneAssert typeStr); - mkMountAsserts = typeStr: map (m: mkOneAssert typeStr m.what m); - in mkMerge [ - (concatLists ( - mapAttrsToList - (name: service: - map (message: { - assertion = false; - inherit message; - }) (concatLists [ - (optional ((builtins.elem "network-interfaces.target" service.after) || (builtins.elem "network-interfaces.target" service.wants)) - "Service '${name}.service' is using the deprecated target network-interfaces.target, which no longer exists. Using network.target is recommended instead." - ) - ]) - ) - cfg.services - )) - (mkAsserts "target" cfg.targets) - (mkAsserts "service" cfg.services) - (mkAsserts "socket" cfg.sockets) - (mkAsserts "timer" cfg.timers) - (mkAsserts "path" cfg.paths) - (mkMountAsserts "mount" cfg.mounts) - (mkMountAsserts "automount" cfg.automounts) - (mkAsserts "slice" cfg.slices) - ]; - system.build.units = cfg.units; system.nssModules = [ cfg.package.out ]; @@ -658,6 +655,7 @@ in systemd.services.systemd-udev-settle.restartIfChanged = false; # Causes long delays in nixos-rebuild systemd.targets.local-fs.unitConfig.X-StopOnReconfiguration = true; systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true; + systemd.targets.network-online.wantedBy = [ "multi-user.target" ]; systemd.services.systemd-importd.environment = proxy_env; systemd.services.systemd-pstore.wantedBy = [ "sysinit.target" ]; # see #81138 diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index a9730913604b..3f9dd173d3bf 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -242,7 +242,7 @@ in { discourse = handleTest ./discourse.nix {}; dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {}; dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper; - dnsdist = handleTest ./dnsdist.nix {}; + dnsdist = import ./dnsdist.nix { inherit pkgs runTest; }; doas = handleTest ./doas.nix {}; docker = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker.nix {}; docker-rootless = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker-rootless.nix {}; diff --git a/nixos/tests/cinnamon-wayland.nix b/nixos/tests/cinnamon-wayland.nix index 824a606004cc..1629ead16f41 100644 --- a/nixos/tests/cinnamon-wayland.nix +++ b/nixos/tests/cinnamon-wayland.nix @@ -64,7 +64,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { # This is not supported at the moment. # https://trello.com/b/HHs01Pab/cinnamon-wayland machine.execute("${su "cinnamon-screensaver-command -l >&2 &"}") - machine.wait_until_succeeds("journalctl -b --grep 'Cinnamon Screensaver is unavailable on Wayland'") + machine.wait_until_succeeds("journalctl -b --grep 'cinnamon-screensaver is disabled in wayland sessions'") with subtest("Open GNOME Terminal"): machine.succeed("${su "dbus-launch gnome-terminal"}") diff --git a/nixos/tests/dnsdist.nix b/nixos/tests/dnsdist.nix index e72fa05ff282..9921be419a75 100644 --- a/nixos/tests/dnsdist.nix +++ b/nixos/tests/dnsdist.nix @@ -1,48 +1,113 @@ -import ./make-test-python.nix ( - { pkgs, ... }: { - name = "dnsdist"; - meta = with pkgs.lib; { - maintainers = with maintainers; [ jojosch ]; - }; +{ pkgs, runTest }: - nodes.machine = { pkgs, lib, ... }: { - services.bind = { - enable = true; - extraOptions = "empty-zones-enable no;"; - zones = lib.singleton { - name = "."; - master = true; - file = pkgs.writeText "root.zone" '' - $TTL 3600 - . IN SOA ns.example.org. admin.example.org. ( 1 3h 1h 1w 1d ) - . IN NS ns.example.org. - - ns.example.org. IN A 192.168.0.1 - ns.example.org. IN AAAA abcd::1 - - 1.0.168.192.in-addr.arpa IN PTR ns.example.org. - ''; - }; - }; - services.dnsdist = { - enable = true; - listenPort = 5353; - extraConfig = '' - newServer({address="127.0.0.1:53", name="local-bind"}) +let + + inherit (pkgs) lib; + + baseConfig = { + networking.nameservers = [ "::1" ]; + services.bind = { + enable = true; + extraOptions = "empty-zones-enable no;"; + zones = lib.singleton { + name = "."; + master = true; + file = pkgs.writeText "root.zone" '' + $TTL 3600 + . IN SOA ns.example.org. admin.example.org. ( 1 3h 1h 1w 1d ) + . IN NS ns.example.org. + + ns.example.org. IN A 192.168.0.1 + ns.example.org. IN AAAA abcd::1 + + 1.0.168.192.in-addr.arpa IN PTR ns.example.org. ''; }; - - environment.systemPackages = with pkgs; [ dig ]; }; + services.dnsdist = { + enable = true; + listenPort = 5353; + extraConfig = '' + newServer({address="127.0.0.1:53", name="local-bind"}) + ''; + }; + }; + +in + +{ + + base = runTest { + name = "dnsdist-base"; + meta.maintainers = with lib.maintainers; [ jojosch ]; + + nodes.machine = baseConfig; testScript = '' machine.wait_for_unit("bind.service") machine.wait_for_open_port(53) - machine.succeed("dig @127.0.0.1 +short -x 192.168.0.1 | grep -qF ns.example.org") + machine.succeed("host -p 53 192.168.0.1 | grep -qF ns.example.org") machine.wait_for_unit("dnsdist.service") machine.wait_for_open_port(5353) - machine.succeed("dig @127.0.0.1 -p 5353 +short -x 192.168.0.1 | grep -qF ns.example.org") + machine.succeed("host -p 5353 192.168.0.1 | grep -qF ns.example.org") + ''; + }; + + dnscrypt = runTest { + name = "dnsdist-dnscrypt"; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + + nodes.server = lib.mkMerge [ + baseConfig + { + networking.firewall.allowedTCPPorts = [ 443 ]; + networking.firewall.allowedUDPPorts = [ 443 ]; + services.dnsdist.dnscrypt.enable = true; + services.dnsdist.dnscrypt.providerKey = "${./dnscrypt-wrapper/secret.key}"; + } + ]; + + nodes.client = { + services.dnscrypt-proxy2.enable = true; + services.dnscrypt-proxy2.upstreamDefaults = false; + services.dnscrypt-proxy2.settings = + { server_names = [ "server" ]; + listen_addresses = [ "[::1]:53" ]; + cache = false; + # Computed using https://dnscrypt.info/stamps/ + static.server.stamp = + "sdns://AQAAAAAAAAAADzE5Mi4xNjguMS4yOjQ0MyAUQdg6_RIIpK6pHkINhrv7nxwIG5c7b_m5NJVT3A1AXRYyLmRuc2NyeXB0LWNlcnQuc2VydmVy"; + }; + networking.nameservers = [ "::1" ]; + }; + + testScript = '' + with subtest("The DNSCrypt server is accepting connections"): + server.wait_for_unit("bind.service") + server.wait_for_unit("dnsdist.service") + server.wait_for_open_port(443) + almost_expiration = server.succeed("date --date '14min'").strip() + + with subtest("The DNSCrypt client can connect to the server"): + client.wait_until_succeeds("journalctl -u dnscrypt-proxy2 --grep '\[server\] OK'") + + with subtest("DNS queries over UDP are working"): + client.wait_for_open_port(53) + client.succeed("host -U 192.168.0.1 | grep -qF ns.example.org") + + with subtest("DNS queries over TCP are working"): + client.wait_for_open_port(53) + client.succeed("host -T 192.168.0.1 | grep -qF ns.example.org") + + with subtest("The server rotates the ephemeral keys"): + server.succeed(f"date -s '{almost_expiration}'") + client.succeed(f"date -s '{almost_expiration}'") + server.wait_until_succeeds("journalctl -u dnsdist --grep 'rotated certificate'") + + with subtest("The client can still connect to the server"): + client.wait_until_succeeds("host -T 192.168.0.1") + client.wait_until_succeeds("host -U 192.168.0.1") ''; - } -) + }; +} diff --git a/nixos/tests/livebook-service.nix b/nixos/tests/livebook-service.nix index 56b4eb932f34..f428412e1644 100644 --- a/nixos/tests/livebook-service.nix +++ b/nixos/tests/livebook-service.nix @@ -9,13 +9,15 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { services.livebook = { enableUserService = true; - port = 20123; + environment = { + LIVEBOOK_PORT = 20123; + LIVEBOOK_COOKIE = "chocolate chip"; + LIVEBOOK_TOKEN_ENABLED = true; + + }; environmentFile = pkgs.writeText "livebook.env" '' LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ''; - options = { - cookie = "chocolate chip"; - }; }; }; }; |