diff options
| author | Alyssa Ross <hi@alyssa.is> | 2020-04-01 15:50:50 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2020-04-01 15:50:50 +0000 |
| commit | 75eafe97f7df0d653bec67f3962214d7c357831f (patch) | |
| tree | 09f2cc901e0e637876cbb78d192dfe2fcfef8156 /nixpkgs/nixos/modules/services/misc | |
| parent | a53b121bf4331497da63df3b1b7f1a7897dad146 (diff) | |
| parent | a2e06fc3423c4be53181b15c28dfbe0bcf67dd73 (diff) | |
| download | nixlib-75eafe97f7df0d653bec67f3962214d7c357831f.tar nixlib-75eafe97f7df0d653bec67f3962214d7c357831f.tar.gz nixlib-75eafe97f7df0d653bec67f3962214d7c357831f.tar.bz2 nixlib-75eafe97f7df0d653bec67f3962214d7c357831f.tar.lz nixlib-75eafe97f7df0d653bec67f3962214d7c357831f.tar.xz nixlib-75eafe97f7df0d653bec67f3962214d7c357831f.tar.zst nixlib-75eafe97f7df0d653bec67f3962214d7c357831f.zip | |
Merge commit 'a2e06fc3423c4be53181b15c28dfbe0bcf67dd73'
Diffstat (limited to 'nixpkgs/nixos/modules/services/misc')
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/ankisyncd.nix | 79 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/autorandr.nix | 2 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/disnix.nix | 5 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/folding-at-home.nix | 67 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/freeswitch.nix | 103 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/home-assistant.nix | 16 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/matrix-synapse.nix | 46 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/matrix-synapse.xml | 224 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/parsoid.nix | 25 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/sssd.nix | 6 | ||||
| -rw-r--r-- | nixpkgs/nixos/modules/services/misc/zoneminder.nix | 4 |
11 files changed, 481 insertions, 96 deletions
diff --git a/nixpkgs/nixos/modules/services/misc/ankisyncd.nix b/nixpkgs/nixos/modules/services/misc/ankisyncd.nix new file mode 100644 index 000000000000..5fc19649d3d9 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/ankisyncd.nix @@ -0,0 +1,79 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ankisyncd; + + name = "ankisyncd"; + + stateDir = "/var/lib/${name}"; + + authDbPath = "${stateDir}/auth.db"; + + sessionDbPath = "${stateDir}/session.db"; + + configFile = pkgs.writeText "ankisyncd.conf" (lib.generators.toINI {} { + sync_app = { + host = cfg.host; + port = cfg.port; + data_root = stateDir; + auth_db_path = authDbPath; + session_db_path = sessionDbPath; + + base_url = "/sync/"; + base_media_url = "/msync/"; + }; + }); +in + { + options.services.ankisyncd = { + enable = mkEnableOption "ankisyncd"; + + package = mkOption { + type = types.package; + default = pkgs.ankisyncd; + defaultText = literalExample "pkgs.ankisyncd"; + description = "The package to use for the ankisyncd command."; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + description = "ankisyncd host"; + }; + + port = mkOption { + type = types.int; + default = 27701; + description = "ankisyncd port"; + }; + + openFirewall = mkOption { + default = false; + type = types.bool; + description = "Whether to open the firewall for the specified port."; + }; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + + environment.etc."ankisyncd/ankisyncd.conf".source = configFile; + + systemd.services.ankisyncd = { + description = "ankisyncd - Anki sync server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ cfg.package ]; + + serviceConfig = { + Type = "simple"; + DynamicUser = true; + StateDirectory = name; + ExecStart = "${cfg.package}/bin/ankisyncd"; + Restart = "always"; + }; + }; + }; + } diff --git a/nixpkgs/nixos/modules/services/misc/autorandr.nix b/nixpkgs/nixos/modules/services/misc/autorandr.nix index 4708e16e2a6c..cf7fb5f78d3d 100644 --- a/nixpkgs/nixos/modules/services/misc/autorandr.nix +++ b/nixpkgs/nixos/modules/services/misc/autorandr.nix @@ -48,5 +48,5 @@ in { }; - meta.maintainers = with maintainers; [ gnidorah ma27 ]; + meta.maintainers = with maintainers; [ gnidorah ]; } diff --git a/nixpkgs/nixos/modules/services/misc/disnix.nix b/nixpkgs/nixos/modules/services/misc/disnix.nix index c21cb2afc3ca..b7b6eb7cd66e 100644 --- a/nixpkgs/nixos/modules/services/misc/disnix.nix +++ b/nixpkgs/nixos/modules/services/misc/disnix.nix @@ -61,10 +61,7 @@ in ++ optional cfg.useWebServiceInterface "${pkgs.dbus_java}/share/java/dbus.jar"; services.tomcat.webapps = optional cfg.useWebServiceInterface pkgs.DisnixWebService; - users.groups = singleton - { name = "disnix"; - gid = config.ids.gids.disnix; - }; + users.groups.disnix.gid = config.ids.gids.disnix; systemd.services = { disnix = mkIf cfg.enableMultiUser { diff --git a/nixpkgs/nixos/modules/services/misc/folding-at-home.nix b/nixpkgs/nixos/modules/services/misc/folding-at-home.nix deleted file mode 100644 index fd2ea3948f64..000000000000 --- a/nixpkgs/nixos/modules/services/misc/folding-at-home.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ config, lib, pkgs, ... }: -with lib; -let - stateDir = "/var/lib/foldingathome"; - cfg = config.services.foldingAtHome; - fahUser = "foldingathome"; -in { - - ###### interface - - options = { - - services.foldingAtHome = { - - enable = mkOption { - default = false; - description = '' - Whether to enable the Folding@Home to use idle CPU time. - ''; - }; - - nickname = mkOption { - default = "Anonymous"; - description = '' - A unique handle for statistics. - ''; - }; - - config = mkOption { - default = ""; - description = '' - Extra configuration. Contents will be added verbatim to the - configuration file. - ''; - }; - - }; - - }; - - ###### implementation - - config = mkIf cfg.enable { - - users.users.${fahUser} = - { uid = config.ids.uids.foldingathome; - description = "Folding@Home user"; - home = stateDir; - }; - - systemd.services.foldingathome = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -m 0755 -p ${stateDir} - chown ${fahUser} ${stateDir} - cp -f ${pkgs.writeText "client.cfg" cfg.config} ${stateDir}/client.cfg - ''; - script = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${fahUser} -c 'cd ${stateDir}; ${pkgs.foldingathome}/bin/fah6'"; - }; - - services.foldingAtHome.config = '' - [settings] - username=${cfg.nickname} - ''; - }; -} diff --git a/nixpkgs/nixos/modules/services/misc/freeswitch.nix b/nixpkgs/nixos/modules/services/misc/freeswitch.nix new file mode 100644 index 000000000000..0de5ba428110 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/freeswitch.nix @@ -0,0 +1,103 @@ +{ config, lib, pkgs, ...}: +with lib; +let + cfg = config.services.freeswitch; + pkg = cfg.package; + configDirectory = pkgs.runCommand "freeswitch-config-d" { } '' + mkdir -p $out + cp -rT ${cfg.configTemplate} $out + chmod -R +w $out + ${concatStringsSep "\n" (mapAttrsToList (fileName: filePath: '' + mkdir -p $out/$(dirname ${fileName}) + cp ${filePath} $out/${fileName} + '') cfg.configDir)} + ''; + configPath = if cfg.enableReload + then "/etc/freeswitch" + else configDirectory; +in { + options = { + services.freeswitch = { + enable = mkEnableOption "FreeSWITCH"; + enableReload = mkOption { + default = false; + type = types.bool; + description = '' + Issue the <literal>reloadxml</literal> command to FreeSWITCH when configuration directory changes (instead of restart). + See <link xlink:href="https://freeswitch.org/confluence/display/FREESWITCH/Reloading">FreeSWITCH documentation</link> for more info. + The configuration directory is exposed at <filename>/etc/freeswitch</filename>. + See also <literal>systemd.services.*.restartIfChanged</literal>. + ''; + }; + configTemplate = mkOption { + type = types.path; + default = "${config.services.freeswitch.package}/share/freeswitch/conf/vanilla"; + defaultText = literalExample "\${config.services.freeswitch.package}/share/freeswitch/conf/vanilla"; + example = literalExample "\${config.services.freeswitch.package}/share/freeswitch/conf/minimal"; + description = '' + Configuration template to use. + See available templates in <link xlink:href="https://github.com/signalwire/freeswitch/tree/master/conf">FreeSWITCH repository</link>. + You can also set your own configuration directory. + ''; + }; + configDir = mkOption { + type = with types; attrsOf path; + default = { }; + example = literalExample '' + { + "freeswitch.xml" = ./freeswitch.xml; + "dialplan/default.xml" = pkgs.writeText "dialplan-default.xml" ''' + [xml lines] + '''; + } + ''; + description = '' + Override file in FreeSWITCH config template directory. + Each top-level attribute denotes a file path in the configuration directory, its value is the file path. + See <link xlink:href="https://freeswitch.org/confluence/display/FREESWITCH/Default+Configuration">FreeSWITCH documentation</link> for more info. + Also check available templates in <link xlink:href="https://github.com/signalwire/freeswitch/tree/master/conf">FreeSWITCH repository</link>. + ''; + }; + package = mkOption { + type = types.package; + default = pkgs.freeswitch; + defaultText = literalExample "pkgs.freeswitch"; + example = literalExample "pkgs.freeswitch"; + description = '' + FreeSWITCH package. + ''; + }; + }; + }; + config = mkIf cfg.enable { + environment.etc.freeswitch = mkIf cfg.enableReload { + source = configDirectory; + }; + systemd.services.freeswitch-config-reload = mkIf cfg.enableReload { + before = [ "freeswitch.service" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configDirectory ]; + serviceConfig = { + ExecStart = "${pkgs.systemd}/bin/systemctl try-reload-or-restart freeswitch.service"; + RemainAfterExit = true; + Type = "oneshot"; + }; + }; + systemd.services.freeswitch = { + description = "Free and open-source application server for real-time communication"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + StateDirectory = "freeswitch"; + ExecStart = "${pkg}/bin/freeswitch -nf \\ + -mod ${pkg}/lib/freeswitch/mod \\ + -conf ${configPath} \\ + -base /var/lib/freeswitch"; + ExecReload = "${pkg}/bin/fs_cli -x reloadxml"; + Restart = "always"; + RestartSec = "5s"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/misc/home-assistant.nix b/nixpkgs/nixos/modules/services/misc/home-assistant.nix index cc113ca2d0c1..86033d02bf3f 100644 --- a/nixpkgs/nixos/modules/services/misc/home-assistant.nix +++ b/nixpkgs/nixos/modules/services/misc/home-assistant.nix @@ -96,7 +96,20 @@ in { config = mkOption { default = null; - type = with types; nullOr attrs; + # Migrate to new option types later: https://github.com/NixOS/nixpkgs/pull/75584 + type = with lib.types; let + valueType = nullOr (oneOf [ + bool + int + float + str + (lazyAttrsOf valueType) + (listOf valueType) + ]) // { + description = "Yaml value"; + emptyValue.value = {}; + }; + in valueType; example = literalExample '' { homeassistant = { @@ -251,6 +264,7 @@ in { home = cfg.configDir; createHome = true; group = "hass"; + extraGroups = [ "dialout" ]; uid = config.ids.uids.hass; }; diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix index 750f4a292fb4..d02fa13bb99c 100644 --- a/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.nix @@ -111,6 +111,9 @@ app_service_config_files: ${builtins.toJSON cfg.app_service_config_files} ${cfg.extraConfig} ''; + + hasLocalPostgresDB = let args = cfg.database_args; in + usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ])); in { options = { services.matrix-synapse = { @@ -354,13 +357,6 @@ in { The database engine name. Can be sqlite or psycopg2. ''; }; - create_local_database = mkOption { - type = types.bool; - default = true; - description = '' - Whether to create a local database automatically. - ''; - }; database_name = mkOption { type = types.str; default = "matrix-synapse"; @@ -657,6 +653,25 @@ in { }; config = mkIf cfg.enable { + assertions = [ + { assertion = hasLocalPostgresDB -> config.services.postgresql.enable; + message = '' + Cannot deploy matrix-synapse with a configuration for a local postgresql database + and a missing postgresql service. Since 20.03 it's mandatory to manually configure the + database (please read the thread in https://github.com/NixOS/nixpkgs/pull/80447 for + further reference). + + If you + - try to deploy a fresh synapse, you need to configure the database yourself. An example + for this can be found in <nixpkgs/nixos/tests/matrix-synapse.nix> + - update your existing matrix-synapse instance, you simply need to add `services.postgresql.enable = true` + to your configuration. + + For further information about this update, please read the release-notes of 20.03 carefully. + ''; + } + ]; + users.users.matrix-synapse = { group = "matrix-synapse"; home = cfg.dataDir; @@ -669,18 +684,9 @@ in { gid = config.ids.gids.matrix-synapse; }; - services.postgresql = mkIf (usePostgresql && cfg.create_local_database) { - enable = mkDefault true; - ensureDatabases = [ cfg.database_name ]; - ensureUsers = [{ - name = cfg.database_user; - ensurePermissions = { "DATABASE \"${cfg.database_name}\"" = "ALL PRIVILEGES"; }; - }]; - }; - systemd.services.matrix-synapse = { description = "Synapse Matrix homeserver"; - after = [ "network.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service" ; + after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service"; wantedBy = [ "multi-user.target" ]; preStart = '' ${cfg.package}/bin/homeserver \ @@ -709,6 +715,12 @@ in { The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0 as the behavior is now obsolete. '') + (mkRemovedOptionModule [ "services" "matrix-synapse" "create_local_database" ] '' + Database configuration must be done manually. An exemplary setup is demonstrated in + <nixpkgs/nixos/tests/matrix-synapse.nix> + '') ]; + meta.doc = ./matrix-synapse.xml; + } diff --git a/nixpkgs/nixos/modules/services/misc/matrix-synapse.xml b/nixpkgs/nixos/modules/services/misc/matrix-synapse.xml new file mode 100644 index 000000000000..053a3b2a563f --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/matrix-synapse.xml @@ -0,0 +1,224 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-matrix"> + <title>Matrix</title> + <para> + <link xlink:href="https://matrix.org/">Matrix</link> is an open standard for + interoperable, decentralised, real-time communication over IP. It can be used + to power Instant Messaging, VoIP/WebRTC signalling, Internet of Things + communication - or anywhere you need a standard HTTP API for publishing and + subscribing to data whilst tracking the conversation history. + </para> + <para> + This chapter will show you how to set up your own, self-hosted Matrix + homeserver using the Synapse reference homeserver, and how to serve your own + copy of the Riot web client. See the + <link xlink:href="https://matrix.org/docs/projects/try-matrix-now.html">Try + Matrix Now!</link> overview page for links to Riot Apps for Android and iOS, + desktop clients, as well as bridges to other networks and other projects + around Matrix. + </para> + <section xml:id="module-services-matrix-synapse"> + <title>Synapse Homeserver</title> + + <para> + <link xlink:href="https://github.com/matrix-org/synapse">Synapse</link> is + the reference homeserver implementation of Matrix from the core development + team at matrix.org. The following configuration example will set up a + synapse server for the <literal>example.org</literal> domain, served from + the host <literal>myhostname.example.org</literal>. For more information, + please refer to the + <link xlink:href="https://github.com/matrix-org/synapse#synapse-installation"> + installation instructions of Synapse </link>. +<programlisting> +let + fqdn = + let + join = hostName: domain: hostName + optionalString (domain != null) ".${domain}"; + in join config.networking.hostName config.networking.domain; +in { + networking = { + <link linkend="opt-networking.hostName">hostName</link> = "myhostname"; + <link linkend="opt-networking.domain">domain</link> = "example.org"; + }; + <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ]; + + <link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true; + <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + + services.nginx = { + <link linkend="opt-services.nginx.enable">enable</link> = true; + # only recommendedProxySettings and recommendedGzipSettings are strictly required, + # but the rest make sense as well + <link linkend="opt-services.nginx.recommendedTlsSettings">recommendedTlsSettings</link> = true; + <link linkend="opt-services.nginx.recommendedOptimisation">recommendedOptimisation</link> = true; + <link linkend="opt-services.nginx.recommendedGzipSettings">recommendedGzipSettings</link> = true; + <link linkend="opt-services.nginx.recommendedProxySettings">recommendedProxySettings</link> = true; + + <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = { + # This host section can be placed on a different host than the rest, + # i.e. to delegate from the host being accessible as ${config.networking.domain} + # to another host actually running the Matrix homeserver. + "${config.networking.domain}" = { + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> = + let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "${fqdn}:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/client".extraConfig</link> = + let + client = { + "m.homeserver" = { "base_url" = "https://${fqdn}"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + # ACAO required to allow riot-web on any URL to request this json file + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + }; + + # Reverse proxy for Matrix client-server and server-server communication + ${fqdn} = { + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + + # Or do a redirect instead of the 404, or whatever is appropriate for you. + # But do not put a Matrix Web client here! See the Riot Web section below. + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."/".extraConfig</link> = '' + return 404; + ''; + + # forward all Matrix API calls to the synapse Matrix homeserver + locations."/_matrix" = { + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">proxyPass</link> = "http://[::1]:8008"; # without a trailing / + }; + }; + }; + }; + services.matrix-synapse = { + <link linkend="opt-services.matrix-synapse.enable">enable</link> = true; + <link linkend="opt-services.matrix-synapse.server_name">server_name</link> = config.networking.domain; + <link linkend="opt-services.matrix-synapse.listeners">listeners</link> = [ + { + <link linkend="opt-services.matrix-synapse.listeners._.port">port</link> = 8008; + <link linkend="opt-services.matrix-synapse.listeners._.bind_address">bind_address</link> = "::1"; + <link linkend="opt-services.matrix-synapse.listeners._.type">type</link> = "http"; + <link linkend="opt-services.matrix-synapse.listeners._.tls">tls</link> = false; + <link linkend="opt-services.matrix-synapse.listeners._.x_forwarded">x_forwarded</link> = true; + <link linkend="opt-services.matrix-synapse.listeners._.resources">resources</link> = [ + { + <link linkend="opt-services.matrix-synapse.listeners._.resources._.names">names</link> = [ "client" "federation" ]; + <link linkend="opt-services.matrix-synapse.listeners._.resources._.compress">compress</link> = false; + } + ]; + } + ]; + }; +}; +</programlisting> + </para> + + <para> + If the <code>A</code> and <code>AAAA</code> DNS records on + <literal>example.org</literal> do not point on the same host as the records + for <code>myhostname.example.org</code>, you can easily move the + <code>/.well-known</code> virtualHost section of the code to the host that + is serving <literal>example.org</literal>, while the rest stays on + <literal>myhostname.example.org</literal> with no other changes required. + This pattern also allows to seamlessly move the homeserver from + <literal>myhostname.example.org</literal> to + <literal>myotherhost.example.org</literal> by only changing the + <code>/.well-known</code> redirection target. + </para> + + <para> + If you want to run a server with public registration by anybody, you can + then enable <literal><link linkend="opt-services.matrix-synapse.enable_registration">services.matrix-synapse.enable_registration</link> = + true;</literal>. Otherwise, or you can generate a registration secret with + <command>pwgen -s 64 1</command> and set it with + <option><link linkend="opt-services.matrix-synapse.registration_shared_secret">services.matrix-synapse.registration_shared_secret</link></option>. To + create a new user or admin, run the following after you have set the secret + and have rebuilt NixOS: +<screen> +<prompt>$ </prompt>nix run nixpkgs.matrix-synapse +<prompt>$ </prompt>register_new_matrix_user -k <replaceable>your-registration-shared-secret</replaceable> http://localhost:8008 +<prompt>New user localpart: </prompt><replaceable>your-username</replaceable> +<prompt>Password:</prompt> +<prompt>Confirm password:</prompt> +<prompt>Make admin [no]:</prompt> +Success! +</screen> + In the example, this would create a user with the Matrix Identifier + <literal>@your-username:example.org</literal>. Note that the registration + secret ends up in the nix store and therefore is world-readable by any user + on your machine, so it makes sense to only temporarily activate the + <link linkend="opt-services.matrix-synapse.registration_shared_secret">registration_shared_secret</link> + option until a better solution for NixOS is in place. + </para> + </section> + <section xml:id="module-services-matrix-riot-web"> + <title>Riot Web Client</title> + + <para> + <link xlink:href="https://github.com/vector-im/riot-web/">Riot Web</link> is + the reference web client for Matrix and developed by the core team at + matrix.org. The following snippet can be optionally added to the code before + to complete the synapse installation with a web client served at + <code>https://riot.myhostname.example.org</code> and + <code>https://riot.example.org</code>. Alternatively, you can use the hosted + copy at <link xlink:href="https://riot.im/app">https://riot.im/app</link>, + or use other web clients or native client applications. Due to the + <literal>/.well-known</literal> urls set up done above, many clients should + fill in the required connection details automatically when you enter your + Matrix Identifier. See + <link xlink:href="https://matrix.org/docs/projects/try-matrix-now.html">Try + Matrix Now!</link> for a list of existing clients and their supported + featureset. +<programlisting> +{ + services.nginx.virtualHosts."riot.${fqdn}" = { + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ + "riot.${config.networking.domain}" + ]; + + <link linkend="opt-services.nginx.virtualHosts._name_.root">root</link> = pkgs.riot-web.override { + conf = { + default_server_config."m.homeserver" = { + "base_url" = "${config.networking.domain}"; + "server_name" = "${fqdn}"; + }; + }; + }; + }; +} +</programlisting> + </para> + + <para> + Note that the Riot developers do not recommend running Riot and your Matrix + homeserver on the same fully-qualified domain name for security reasons. In + the example, this means that you should not reuse the + <literal>myhostname.example.org</literal> virtualHost to also serve Riot, + but instead serve it on a different subdomain, like + <literal>riot.example.org</literal> in the example. See the + <link xlink:href="https://github.com/vector-im/riot-web#important-security-note">Riot + Important Security Notes</link> for more information on this subject. + </para> + </section> +</chapter> diff --git a/nixpkgs/nixos/modules/services/misc/parsoid.nix b/nixpkgs/nixos/modules/services/misc/parsoid.nix index 61626e78f8b3..09b7f977bfbf 100644 --- a/nixpkgs/nixos/modules/services/misc/parsoid.nix +++ b/nixpkgs/nixos/modules/services/misc/parsoid.nix @@ -6,7 +6,7 @@ let cfg = config.services.parsoid; - parsoid = pkgs.nodePackages."parsoid-git://github.com/abbradar/parsoid#stable"; + parsoid = pkgs.nodePackages.parsoid; confTree = { worker_heartbeat_timeout = 300000; @@ -98,8 +98,29 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - User = "nobody"; ExecStart = "${parsoid}/lib/node_modules/parsoid/bin/server.js -c ${confFile} -n ${toString cfg.workers}"; + + DynamicUser = true; + User = "parsoid"; + Group = "parsoid"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + #MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/sssd.nix b/nixpkgs/nixos/modules/services/misc/sssd.nix index 6b64045dde88..36008d257410 100644 --- a/nixpkgs/nixos/modules/services/misc/sssd.nix +++ b/nixpkgs/nixos/modules/services/misc/sssd.nix @@ -88,9 +88,7 @@ in { exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@" ''; }; - services.openssh.extraConfig = '' - AuthorizedKeysCommand /etc/ssh/authorized_keys_command - AuthorizedKeysCommandUser nobody - ''; + services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command"; + services.openssh.authorizedKeysCommandUser = "nobody"; })]; } diff --git a/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/nixpkgs/nixos/modules/services/misc/zoneminder.nix index d7f7324580c0..d5b3537068d3 100644 --- a/nixpkgs/nixos/modules/services/misc/zoneminder.nix +++ b/nixpkgs/nixos/modules/services/misc/zoneminder.nix @@ -77,6 +77,8 @@ in { `config.services.zoneminder.database.createLocally` to true. Otherwise, when set to `false` (the default), you will have to create the database and database user as well as populate the database yourself. + Additionally, you will need to run `zmupdate.pl` yourself when + upgrading to a newer version. ''; webserver = mkOption { @@ -330,6 +332,8 @@ in { ${config.services.mysql.package}/bin/mysql < ${pkg}/share/zoneminder/db/zm_create.sql touch "/var/lib/${dirName}/db-created" fi + + ${zoneminder}/bin/zmupdate.pl -nointeractive ''; serviceConfig = { User = user; |