author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-11-24 12:01:44 +0000 |
committer | GitHub <noreply@github.com> | 2023-11-24 12:01:44 +0000 |
commit | f4335ece6ea78697906331710a8334381250e8f8 (patch) | |
tree | 514d66528a8562794d5b1ebd3930add5e35f6ad0 /nixos | |
parent | bae0615f2662966e838b2b55c75b55ac8cf38281 (diff) | |
parent | 18ffb605d570fc496cceb8793d83f3b530d0bf34 (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/security/clamav.nix | 90 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/invoiceplane.nix | 48 | ||||
-rw-r--r-- | nixos/modules/services/x11/xscreensaver.nix | 40 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/xscreensaver.nix | 64 |
7 files changed, 240 insertions, 6 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index 4f9e49793f54..5867f70d35c2 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -184,6 +184,8 @@
 - `services.knot` now supports `.settings` from RFC42. The previous `.extraConfig` still works the same, but it displays a warning now.
+- `services.invoiceplane` now supports .settings from RFC42. The previous .extraConfig still works the same, but it displays a warning now.
+
 - `mu` now does not install `mu4e` files by default. Users should get `mu4e` from Emacs lisp package set `emacs.pkgs.mu4e`.
 - `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index cafde7f9efdf..2e2b94e5a97b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1406,6 +1406,7 @@
 ./services/x11/xautolock.nix
 ./services/x11/xbanish.nix
 ./services/x11/xfs.nix
+ ./services/x11/xscreensaver.nix
 ./services/x11/xserver.nix
 ./system/activation/activatable-system.nix
 ./system/activation/activation-script.nix
diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix
index a43435f2cdbb..c3893f4b09b2 100644
--- a/nixos/modules/services/security/clamav.nix
+++ b/nixos/modules/services/security/clamav.nix
@@ -15,6 +15,9 @@ let
 clamdConfigFile = pkgs.writeText "clamd.conf" (toKeyValue cfg.daemon.settings);
 freshclamConfigFile = pkgs.writeText "freshclam.conf" (toKeyValue cfg.updater.settings);
+ fangfrischConfigFile = pkgs.writeText "fangfrisch.conf" ''
+ ${lib.generators.toINI {} cfg.fangfrisch.settings}
+ '';
 in
 {
 imports = [
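Review bot: fangfrischConfigFile is produced with pkgs.writeText, so every value in services.clamav.fangfrisch.settings is copied into the world-readable Nix store, and the options hunk that follows (@@ -66,6 +69,36 @@) even uses `customer_id = "your customer_id"` as its example, which looks like a per-customer access credential for that feed. The settings description should make this explicit, e.g. `Note that the generated configuration is stored in the Nix store and is world-readable; do not place credentials such as a customer_id here.`, and a later change could add a file-based mechanism (for instance an EnvironmentFile or a runtime-merged secrets file) for such values. The `let` block this binding belongs to starts before the hunk.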
@@ -66,6 +69,36 @@ in
 '';
 };
 };
+ fangfrisch = {
+ enable = mkEnableOption (lib.mdDoc "ClamAV fangfrisch updater");
+
+ interval = mkOption {
+ type = types.str;
+ default = "hourly";
+ description = lib.mdDoc ''
+ How often freshclam is invoked. See systemd.time(7) for more
+ information about the format.
+ '';
+ };
+
+ settings = mkOption {
+ type = lib.types.submodule {
+ freeformType = with types; attrsOf (attrsOf (oneOf [ str int bool ]));
+ };
+ default = { };
+ example = {
+ securiteinfo = {
+ enabled = "yes";
+ customer_id = "your customer_id";
+ };
+ };
+ description = lib.mdDoc ''
+ fangfrisch configuration. Refer to <https://rseichter.github.io/fangfrisch/#_configuration>,
+ for details on supported values.
+ Note that by default urlhaus and sanesecurity are enabled.
+ '';
+ };
+ };
 };
 };
@@ -98,6 +131,15 @@ in
 DatabaseMirror = [ "database.clamav.net" ];
 };
+ services.clamav.fangfrisch.settings = {
+ DEFAULT.db_url = mkDefault "sqlite:////var/lib/clamav/fangfrisch_db.sqlite";
+ DEFAULT.local_directory = mkDefault stateDir;
+ DEFAULT.log_level = mkDefault "INFO";
+ urlhaus.enabled = mkDefault "yes";
+ urlhaus.max_size = mkDefault "2MB";
+ sanesecurity.enabled = mkDefault "yes";
+ };
+
 environment.etc."clamav/freshclam.conf".source = freshclamConfigFile;
 environment.etc."clamav/clamd.conf".source = clamdConfigFile;
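Review bot: The `interval` option's description says `How often freshclam is invoked.`, but the option feeds the clamav-fangfrisch timer (OnCalendar = cfg.fangfrisch.interval in the services hunk), so as written it suggests it changes the freshclam schedule; change the first line to `How often fangfrisch is invoked. See systemd.time(7) for more`. The `settings` description could also state that the attrset is rendered with lib.generators.toINI, so readers know the outer attribute names become INI section names and `DEFAULT` is the section the defaults go into.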
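Review bot: In the defaults hunk (@@ -98,6 +131,15 @@) `DEFAULT.db_url` hard-codes /var/lib/clamav while `DEFAULT.local_directory` on the next line derives the same directory from `stateDir`; if stateDir ever changes, the two defaults diverge and the init service's file test would look in a different place from where fangfrisch writes. Assuming stateDir is an absolute path (the units use StateDirectory = "clamav", which suggests /var/lib/clamav), use `DEFAULT.db_url = mkDefault "sqlite:///${stateDir}/fangfrisch_db.sqlite";` so there is a single source of truth.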
@@ -146,5 +188,53 @@ in
 PrivateDevices = "yes";
 };
 };
+
+ systemd.services.clamav-fangfrisch-init = mkIf cfg.fangfrisch.enable {
+ wantedBy = [ "multi-user.target" ];
+ # if the sqlite file can be found assume the database has already been initialised
+ script = ''
+ db_url="${cfg.fangfrisch.settings.DEFAULT.db_url}"
+ db_path="''${db_url#sqlite:///}"
+
+ if [ ! -f "$db_path" ]; then
+ ${pkgs.fangfrisch}/bin/fangfrisch --conf ${fangfrischConfigFile} initdb
+ fi
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ StateDirectory = "clamav";
+ RuntimeDirectory = "clamav";
+ User = clamavUser;
+ Group = clamavGroup;
+ PrivateTmp = "yes";
+ PrivateDevices = "yes";
+ };
+ };
+
+ systemd.timers.clamav-fangfrisch = mkIf cfg.fangfrisch.enable {
+ description = "Timer for ClamAV virus database updater (fangfrisch)";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = cfg.fangfrisch.interval;
+ Unit = "clamav-fangfrisch.service";
+ };
+ };
+
+ systemd.services.clamav-fangfrisch = mkIf cfg.fangfrisch.enable {
+ description = "ClamAV virus database updater (fangfrisch)";
+ restartTriggers = [ fangfrischConfigFile ];
+ after = [ "network-online.target" "clamav-fangfrisch-init.service" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.fangfrisch}/bin/fangfrisch --conf ${fangfrischConfigFile} refresh";
+ StateDirectory = "clamav";
+ RuntimeDirectory = "clamav";
+ User = clamavUser;
+ Group = clamavGroup;
+ PrivateTmp = "yes";
+ PrivateDevices = "yes";
+ };
+ };
 };
 }
diff --git a/nixos/modules/services/web-apps/invoiceplane.nix b/nixos/modules/services/web-apps/invoiceplane.nix
index f419b75cf70f..429520470a0d 100644
--- a/nixos/modules/services/web-apps/invoiceplane.nix
+++ b/nixos/modules/services/web-apps/invoiceplane.nix
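Review bot: clamav-fangfrisch lists network-online.target and clamav-fangfrisch-init.service only in `after`, which orders the unit but does not pull either dependency in, so unless something else wants them the refresh can run before the network is up or before the database has been initialised; add `wants = [ "network-online.target" ];` and `requires = [ "clamav-fangfrisch-init.service" ];` next to the `after` line. Separately, the init script derives db_path by stripping the sqlite:/// prefix, so for any db_url that is not a sqlite URL the variable still holds the URL, the `-f` test never succeeds and initdb is re-run on every boot; either state in the db_url documentation that only sqlite URLs are supported by this module or skip the file test when the prefix is absent. The enclosing config attrset starts before this hunk.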
@@ -28,7 +28,19 @@ let
 REMOVE_INDEXPHP=true
 '';
- extraConfig = hostName: cfg: pkgs.writeText "extraConfig.php" ''
+ mkPhpValue = v:
+ if isString v then escapeShellArg v
+ # NOTE: If any value contains a , (comma) this will not get escaped
+ else if isList v && any lib.strings.isCoercibleToString v then escapeShellArg (concatMapStringsSep "," toString v)
+ else if isInt v then toString v
+ else if isBool v then boolToString v
+ else abort "The Invoiceplane config value ${lib.generators.toPretty {} v} can not be encoded."
+ ;
+
+ extraConfig = hostName: cfg: let
+ settings = mapAttrsToList (k: v: "${k}=${mkPhpValue v}") cfg.settings;
+ in pkgs.writeText "extraConfig.php" ''
+ ${concatStringsSep "\n" settings}
 ${toString cfg.extraConfig}
 '';
@@ -182,11 +194,31 @@ let
 InvoicePlane configuration. Refer to <https://github.com/InvoicePlane/InvoicePlane/blob/master/ipconfig.php.example>
 for details on supported values.
+
+ **Note**: Please pass structured settings via
+ `services.invoiceplane.sites.${name}.settings` instead, this option
+ will get deprecated in the future.
 '';
 };
- cron = {
+ settings = mkOption {
+ type = types.attrsOf types.anything;
+ default = {};
+ description = lib.mdDoc ''
+ Structural InvoicePlane configuration. Refer to
+ <https://github.com/InvoicePlane/InvoicePlane/blob/master/ipconfig.php.example>
+ for details and supported values.
+ '';
+ example = literalExpression ''
+ {
+ SETUP_COMPLETED = true;
+ DISABLE_SETUP = true;
+ IP_URL = "https://invoice.example.com";
+ }
+ '';
+ };
+ cron = {
 enable = mkOption {
 type = types.bool;
 default = false;
@@ -197,12 +229,10 @@ let
 on how to configure it.
 '';
 };
-
 key = mkOption {
 type = types.str;
 description = lib.mdDoc "Cron key taken from the administration page.";
 };
-
 };
 };
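Review bot: The list branch of mkPhpValue guards with `any lib.strings.isCoercibleToString v`, so a list in which only some elements are coercible passes the guard and then fails inside `concatMapStringsSep "," toString v` with a raw evaluation error instead of reaching the descriptive `abort`; the intended check is `else if isList v && all lib.strings.isCoercibleToString v then escapeShellArg (concatMapStringsSep "," toString v)`. It is also worth a comment that escapeShellArg is being used to produce single-quoted values for a KEY=value file rather than for a shell, because its `'\''` encoding of embedded single quotes is only correct if the file's parser understands that sequence — I cannot confirm from this hunk how InvoicePlane reads the file. The `let` block starts before the hunk.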
@@ -239,8 +269,14 @@ in
 # implementation
 config = mkIf (eachSite != {}) (mkMerge [{
- assertions = flatten (mapAttrsToList (hostName: cfg:
- [{ assertion = cfg.database.createLocally -> cfg.database.user == user;
+ warnings = flatten (mapAttrsToList (hostName: cfg: [
+ (optional (cfg.extraConfig != null) ''
+ services.invoiceplane.sites."${hostName}".extraConfig will be deprecated in future releases, please use the settings option now.
+ '')
+ ]) eachSite);
+
+ assertions = flatten (mapAttrsToList (hostName: cfg: [
+ { assertion = cfg.database.createLocally -> cfg.database.user == user;
 message = ''services.invoiceplane.sites."${hostName}".database.user must be ${user} if the database is to be automatically provisioned'';
 }
 { assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
diff --git a/nixos/modules/services/x11/xscreensaver.nix b/nixos/modules/services/x11/xscreensaver.nix
new file mode 100644
index 000000000000..dc269b892ebc
--- /dev/null
+++ b/nixos/modules/services/x11/xscreensaver.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.xscreensaver;
+in
+{
+ options.services.xscreensaver = {
+ enable = lib.mkEnableOption "xscreensaver user service";
+
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.xscreensaver;
+ defaultText = lib.literalExpression "pkgs.xscreensaver";
+ description = "Which xscreensaver package to use.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Make xscreensaver-auth setuid root so that it can (try to) prevent the OOM
+ # killer from unlocking the screen.
+ security.wrappers.xscreensaver-auth = {
+ setuid = true;
+ owner = "root";
+ group = "root";
+ source = "${pkgs.xscreensaver}/libexec/xscreensaver/xscreensaver-auth";
+ };
+
+ systemd.user.services.xscreensaver = {
+ enable = true;
+ description = "XScreenSaver";
+ after = [ "graphical-session-pre.target" ];
+ partOf = [ "graphical-session.target" ];
+ wantedBy = [ "graphical-session.target" ];
+ path = [ cfg.package ];
+ serviceConfig.ExecStart = "${cfg.package}/bin/xscreensaver -no-splash";
+ };
+ };
+
+ meta.maintainers = with lib.maintainers; [ vancluever AndersonTorres ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 3b0871e36a77..f8894df631ef 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -927,6 +927,7 @@ in {
 xmonad-xdg-autostart = handleTest ./xmonad-xdg-autostart.nix {};
 xpadneo = handleTest ./xpadneo.nix {};
 xrdp = handleTest ./xrdp.nix {};
+ xscreensaver = handleTest ./xscreensaver.nix {};
 xss-lock = handleTest ./xss-lock.nix {};
 xterm = handleTest ./xterm.nix {};
 xxh = handleTest ./xxh.nix {};
diff --git a/nixos/tests/xscreensaver.nix b/nixos/tests/xscreensaver.nix
new file mode 100644
index 000000000000..820ddbb0e962
--- /dev/null
+++ b/nixos/tests/xscreensaver.nix
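Review bot: The setuid-root wrapper's `source` is built from `pkgs.xscreensaver`, while the user service's ExecStart and path use `cfg.package`; anyone who sets services.xscreensaver.package therefore runs a daemon from one build with a privileged xscreensaver-auth from another, and the override is silently ignored for the privileged half. Use `source = "${cfg.package}/libexec/xscreensaver/xscreensaver-auth";` so the daemon and its root-setuid helper always come from the same package. The `package` option description could add that the setuid wrapper is also built from it.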
@@ -0,0 +1,64 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+ name = "pass-secret-service";
+ meta.maintainers = with lib.maintainers; [ vancluever AndersonTorres ];
+
+ nodes = {
+ ok = { nodes, pkgs, ... }:
+ {
+ imports = [ ./common/x11.nix ./common/user-account.nix ];
+ test-support.displayManager.auto.user = "alice";
+ services.xscreensaver.enable = true;
+ };
+
+ empty_wrapperPrefix = { nodes, pkgs, ... }:
+ {
+ imports = [ ./common/x11.nix ./common/user-account.nix ];
+ test-support.displayManager.auto.user = "alice";
+ services.xscreensaver.enable = true;
+ nixpkgs.overlays = [
+ (self: super: {
+ xscreensaver = super.xscreensaver.override {
+ wrapperPrefix = "";
+ };
+ })
+ ];
+ };
+
+ bad_wrapperPrefix = { nodes, pkgs, ... }:
+ {
+ imports = [ ./common/x11.nix ./common/user-account.nix ];
+ test-support.displayManager.auto.user = "alice";
+ services.xscreensaver.enable = true;
+ nixpkgs.overlays = [
+ (self: super: {
+ xscreensaver = super.xscreensaver.override {
+ wrapperPrefix = "/a/bad/path";
+ };
+ })
+ ];
+ };
+ };
+
+ testScript = ''
+ ok.wait_for_x()
+ ok.wait_for_unit("xscreensaver", "alice")
+ _, output_ok = ok.systemctl("status xscreensaver", "alice")
+ assert 'To prevent the kernel from randomly unlocking' not in output_ok
+ assert 'your screen via the out-of-memory killer' not in output_ok
+ assert '"xscreensaver-auth" must be setuid root' not in output_ok
+
+ empty_wrapperPrefix.wait_for_x()
+ empty_wrapperPrefix.wait_for_unit("xscreensaver", "alice")
+ _, output_empty_wrapperPrefix = empty_wrapperPrefix.systemctl("status xscreensaver", "alice")
+ assert 'To prevent the kernel from randomly unlocking' in output_empty_wrapperPrefix
+ assert 'your screen via the out-of-memory killer' in output_empty_wrapperPrefix
+ assert '"xscreensaver-auth" must be setuid root' in output_empty_wrapperPrefix
+
+ bad_wrapperPrefix.wait_for_x()
+ bad_wrapperPrefix.wait_for_unit("xscreensaver", "alice")
+ _, output_bad_wrapperPrefix = bad_wrapperPrefix.systemctl("status xscreensaver", "alice")
+ assert 'To prevent the kernel from randomly unlocking' in output_bad_wrapperPrefix
+ assert 'your screen via the out-of-memory killer' in output_bad_wrapperPrefix
+ assert '"xscreensaver-auth" must be setuid root' in output_bad_wrapperPrefix
+ '';
+}) |
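Review bot: The new test is registered as xscreensaver in all-tests.nix but declares `name = "pass-secret-service";`, which looks copied from another test and will label the VM test, its log output and its derivation under the wrong name; change it to `name = "xscreensaver";`. A short comment above `nodes` saying that the two wrapperPrefix nodes exercise the setuid-wrapper lookup failing (empty prefix and a bogus path) and that the assertions check for xscreensaver's own warning text in the unit status would make the intent of the three near-identical nodes clear without reading the overlays.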