diff options
Diffstat (limited to 'nixos/modules/services')
20 files changed, 504 insertions, 267 deletions
diff --git a/nixos/modules/services/desktops/bamf.nix b/nixos/modules/services/desktops/bamf.nix new file mode 100644 index 000000000000..0928ee81a648 --- /dev/null +++ b/nixos/modules/services/desktops/bamf.nix @@ -0,0 +1,23 @@ +# Bamf + +{ config, lib, pkgs, ... }: + +with lib; + +{ + ###### interface + + options = { + services.bamf = { + enable = mkEnableOption "bamf"; + }; + }; + + ###### implementation + + config = mkIf config.services.bamf.enable { + services.dbus.packages = [ pkgs.bamf ]; + + systemd.packages = [ pkgs.bamf ]; + }; +} diff --git a/nixos/modules/services/desktops/pipewire.nix b/nixos/modules/services/desktops/pipewire.nix index 263a06156f84..13f3d61e84ca 100644 --- a/nixos/modules/services/desktops/pipewire.nix +++ b/nixos/modules/services/desktops/pipewire.nix @@ -3,20 +3,34 @@ with lib; -{ +let + cfg = config.services.pipewire; + packages = with pkgs; [ pipewire ]; + +in { ###### interface options = { services.pipewire = { enable = mkEnableOption "pipewire service"; + + socketActivation = mkOption { + default = true; + type = types.bool; + description = '' + Automatically run pipewire when connections are made to the pipewire socket. + ''; + }; }; }; ###### implementation - config = mkIf config.services.pipewire.enable { - environment.systemPackages = [ pkgs.pipewire ]; + config = mkIf cfg.enable { + environment.systemPackages = packages; + + systemd.packages = packages; - systemd.packages = [ pkgs.pipewire ]; + systemd.user.sockets.pipewire.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ]; }; meta.maintainers = with lib.maintainers; [ jtojnar ]; diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix index ad5dc8e8a49b..ed8703be921c 100644 --- a/nixos/modules/services/hardware/udisks2.nix +++ b/nixos/modules/services/hardware/udisks2.nix @@ -40,15 +40,8 @@ with lib; ''; services.udev.packages = [ pkgs.udisks2 ]; - - systemd.services.udisks2 = { - description = "Udisks2 service"; - serviceConfig = { - Type = "dbus"; - BusName = "org.freedesktop.UDisks2"; - ExecStart = "${pkgs.udisks2}/libexec/udisks2/udisksd --no-debug"; - }; - }; + + systemd.packages = [ pkgs.udisks2 ]; }; } diff --git a/nixos/modules/services/logging/journalwatch.nix b/nixos/modules/services/logging/journalwatch.nix index adabc6459148..2c9bc18c8c3c 100644 --- a/nixos/modules/services/logging/journalwatch.nix +++ b/nixos/modules/services/logging/journalwatch.nix @@ -241,6 +241,6 @@ in { }; meta = { - maintainers = with stdenv.lib.maintainers; [ florianjacob ]; + maintainers = with lib.maintainers; [ florianjacob ]; }; } diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index 3020130ad1f6..4708e16e2a6c 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -12,6 +12,16 @@ in { services.autorandr = { enable = mkEnableOption "handling of hotplug and sleep events by autorandr"; + + defaultTarget = mkOption { + default = "default"; + type = types.str; + description = '' + Fallback if no monitor layout can be detected. See the docs + (https://github.com/phillipberndt/autorandr/blob/v1.0/README.md#how-to-use) + for further reference. + ''; + }; }; }; @@ -22,13 +32,21 @@ in { environment.systemPackages = [ pkgs.autorandr ]; - systemd.packages = [ pkgs.autorandr ]; - systemd.services.autorandr = { wantedBy = [ "sleep.target" ]; + description = "Autorandr execution hook"; + after = [ "sleep.target" ]; + + serviceConfig = { + StartLimitInterval = 5; + StartLimitBurst = 1; + ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}"; + Type = "oneshot"; + RemainAfterExit = false; + }; }; }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ gnidorah ma27 ]; } diff --git a/nixos/modules/services/misc/gpsd.nix b/nixos/modules/services/misc/gpsd.nix index 71de08609073..3bfcb636a3c6 100644 --- a/nixos/modules/services/misc/gpsd.nix +++ b/nixos/modules/services/misc/gpsd.nix @@ -53,6 +53,14 @@ in ''; }; + nowait = mkOption { + type = types.bool; + default = false; + description = '' + don't wait for client connects to poll GPS + ''; + }; + port = mkOption { type = types.int; default = 2947; @@ -99,7 +107,8 @@ in ExecStart = '' ${pkgs.gpsd}/sbin/gpsd -D "${toString cfg.debugLevel}" \ -S "${toString cfg.port}" \ - ${if cfg.readonly then "-b" else ""} \ + ${optionalString cfg.readonly "-b"} \ + ${optionalString cfg.nowait "-n"} \ "${cfg.device}" ''; }; diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index c4bd0e7f9eef..36f1dd8d2479 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -148,38 +148,42 @@ let ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept # Accept connections to the allowed TCP ports. - ${concatMapStrings (port: + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (port: '' - ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept + ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} '' ) cfg.allowedTCPPorts - } + ) cfg.interfaces)} # Accept connections to the allowed TCP port ranges. - ${concatMapStrings (rangeAttr: + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (rangeAttr: let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in '' - ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept + ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} '' ) cfg.allowedTCPPortRanges - } + ) cfg.interfaces)} # Accept packets on the allowed UDP ports. - ${concatMapStrings (port: + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (port: '' - ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept + ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} '' ) cfg.allowedUDPPorts - } + ) cfg.interfaces)} # Accept packets on the allowed UDP port ranges. - ${concatMapStrings (rangeAttr: + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (rangeAttr: let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in '' - ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept + ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} '' ) cfg.allowedUDPPortRanges - } + ) cfg.interfaces)} # Accept IPv4 multicast. Not a big security risk since # probably nobody is listening anyway. @@ -254,106 +258,30 @@ let fi ''; -in - -{ - - ###### interface - - options = { - - networking.firewall.enable = mkOption { - type = types.bool; - default = true; - description = - '' - Whether to enable the firewall. This is a simple stateful - firewall that blocks connection attempts to unauthorised TCP - or UDP ports on this machine. It does not affect packet - forwarding. - ''; - }; - - networking.firewall.logRefusedConnections = mkOption { - type = types.bool; - default = true; - description = - '' - Whether to log rejected or dropped incoming connections. - ''; - }; - - networking.firewall.logRefusedPackets = mkOption { - type = types.bool; - default = false; - description = - '' - Whether to log all rejected or dropped incoming packets. - This tends to give a lot of log messages, so it's mostly - useful for debugging. - ''; - }; - - networking.firewall.logRefusedUnicastsOnly = mkOption { - type = types.bool; - default = true; - description = - '' - If <option>networking.firewall.logRefusedPackets</option> - and this option are enabled, then only log packets - specifically directed at this machine, i.e., not broadcasts - or multicasts. - ''; - }; - - networking.firewall.rejectPackets = mkOption { - type = types.bool; - default = false; - description = - '' - If set, refused packets are rejected rather than dropped - (ignored). This means that an ICMP "port unreachable" error - message is sent back to the client (or a TCP RST packet in - case of an existing connection). Rejecting packets makes - port scanning somewhat easier. - ''; - }; - - networking.firewall.trustedInterfaces = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "enp0s2" ]; - description = - '' - Traffic coming in from these interfaces will be accepted - unconditionally. Traffic from the loopback (lo) interface - will always be accepted. - ''; - }; - - networking.firewall.allowedTCPPorts = mkOption { + commonOptions = { + allowedTCPPorts = mkOption { type = types.listOf types.int; default = [ ]; example = [ 22 80 ]; description = - '' + '' List of TCP ports on which incoming connections are accepted. ''; }; - networking.firewall.allowedTCPPortRanges = mkOption { + allowedTCPPortRanges = mkOption { type = types.listOf (types.attrsOf types.int); default = [ ]; example = [ { from = 8999; to = 9003; } ]; description = - '' + '' A range of TCP ports on which incoming connections are accepted. ''; }; - networking.firewall.allowedUDPPorts = mkOption { + allowedUDPPorts = mkOption { type = types.listOf types.int; default = [ ]; example = [ 53 ]; @@ -363,7 +291,7 @@ in ''; }; - networking.firewall.allowedUDPPortRanges = mkOption { + allowedUDPPortRanges = mkOption { type = types.listOf (types.attrsOf types.int); default = [ ]; example = [ { from = 60000; to = 61000; } ]; @@ -372,133 +300,226 @@ in Range of open UDP ports. ''; }; + }; - networking.firewall.allowPing = mkOption { - type = types.bool; - default = true; - description = - '' - Whether to respond to incoming ICMPv4 echo requests - ("pings"). ICMPv6 pings are always allowed because the - larger address space of IPv6 makes network scanning much - less effective. - ''; - }; +in - networking.firewall.pingLimit = mkOption { - type = types.nullOr (types.separatedString " "); - default = null; - example = "--limit 1/minute --limit-burst 5"; - description = - '' - If pings are allowed, this allows setting rate limits - on them. If non-null, this option should be in the form of - flags like "--limit 1/minute --limit-burst 5" - ''; - }; +{ - networking.firewall.checkReversePath = mkOption { - type = types.either types.bool (types.enum ["strict" "loose"]); - default = kernelHasRPFilter; - example = "loose"; - description = - '' - Performs a reverse path filter test on a packet. If a reply - to the packet would not be sent via the same interface that - the packet arrived on, it is refused. + ###### interface - If using asymmetric routing or other complicated routing, set - this option to loose mode or disable it and setup your own - counter-measures. + options = { - This option can be either true (or "strict"), "loose" (only - drop the packet if the source address is not reachable via any - interface) or false. Defaults to the value of - kernelHasRPFilter. + networking.firewall = { + enable = mkOption { + type = types.bool; + default = true; + description = + '' + Whether to enable the firewall. This is a simple stateful + firewall that blocks connection attempts to unauthorised TCP + or UDP ports on this machine. It does not affect packet + forwarding. + ''; + }; - (needs kernel 3.3+) - ''; - }; + logRefusedConnections = mkOption { + type = types.bool; + default = true; + description = + '' + Whether to log rejected or dropped incoming connections. + ''; + }; - networking.firewall.logReversePathDrops = mkOption { - type = types.bool; - default = false; - description = - '' - Logs dropped packets failing the reverse path filter test if - the option networking.firewall.checkReversePath is enabled. - ''; - }; + logRefusedPackets = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to log all rejected or dropped incoming packets. + This tends to give a lot of log messages, so it's mostly + useful for debugging. + ''; + }; - networking.firewall.connectionTrackingModules = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; - description = - '' - List of connection-tracking helpers that are auto-loaded. - The complete list of possible values is given in the example. - - As helpers can pose as a security risk, it is advised to - set this to an empty list and disable the setting - networking.firewall.autoLoadConntrackHelpers unless you - know what you are doing. Connection tracking is disabled - by default. - - Loading of helpers is recommended to be done through the - CT target. More info: - https://home.regit.org/netfilter-en/secure-use-of-helpers/ - ''; - }; + logRefusedUnicastsOnly = mkOption { + type = types.bool; + default = true; + description = + '' + If <option>networking.firewall.logRefusedPackets</option> + and this option are enabled, then only log packets + specifically directed at this machine, i.e., not broadcasts + or multicasts. + ''; + }; - networking.firewall.autoLoadConntrackHelpers = mkOption { - type = types.bool; - default = false; - description = - '' - Whether to auto-load connection-tracking helpers. - See the description at networking.firewall.connectionTrackingModules + rejectPackets = mkOption { + type = types.bool; + default = false; + description = + '' + If set, refused packets are rejected rather than dropped + (ignored). This means that an ICMP "port unreachable" error + message is sent back to the client (or a TCP RST packet in + case of an existing connection). Rejecting packets makes + port scanning somewhat easier. + ''; + }; - (needs kernel 3.5+) - ''; - }; + trustedInterfaces = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "enp0s2" ]; + description = + '' + Traffic coming in from these interfaces will be accepted + unconditionally. Traffic from the loopback (lo) interface + will always be accepted. + ''; + }; - networking.firewall.extraCommands = mkOption { - type = types.lines; - default = ""; - example = "iptables -A INPUT -p icmp -j ACCEPT"; - description = - '' - Additional shell commands executed as part of the firewall - initialisation script. These are executed just before the - final "reject" firewall rule is added, so they can be used - to allow packets that would otherwise be refused. - ''; - }; + allowPing = mkOption { + type = types.bool; + default = true; + description = + '' + Whether to respond to incoming ICMPv4 echo requests + ("pings"). ICMPv6 pings are always allowed because the + larger address space of IPv6 makes network scanning much + less effective. + ''; + }; - networking.firewall.extraPackages = mkOption { - type = types.listOf types.package; - default = [ ]; - example = literalExample "[ pkgs.ipset ]"; - description = - '' - Additional packages to be included in the environment of the system - as well as the path of networking.firewall.extraCommands. - ''; - }; + pingLimit = mkOption { + type = types.nullOr (types.separatedString " "); + default = null; + example = "--limit 1/minute --limit-burst 5"; + description = + '' + If pings are allowed, this allows setting rate limits + on them. If non-null, this option should be in the form of + flags like "--limit 1/minute --limit-burst 5" + ''; + }; - networking.firewall.extraStopCommands = mkOption { - type = types.lines; - default = ""; - example = "iptables -P INPUT ACCEPT"; - description = - '' - Additional shell commands executed as part of the firewall - shutdown script. These are executed just after the removal - of the NixOS input rule, or if the service enters a failed - state. - ''; - }; + checkReversePath = mkOption { + type = types.either types.bool (types.enum ["strict" "loose"]); + default = kernelHasRPFilter; + example = "loose"; + description = + '' + Performs a reverse path filter test on a packet. If a reply + to the packet would not be sent via the same interface that + the packet arrived on, it is refused. + + If using asymmetric routing or other complicated routing, set + this option to loose mode or disable it and setup your own + counter-measures. + + This option can be either true (or "strict"), "loose" (only + drop the packet if the source address is not reachable via any + interface) or false. Defaults to the value of + kernelHasRPFilter. + + (needs kernel 3.3+) + ''; + }; + + logReversePathDrops = mkOption { + type = types.bool; + default = false; + description = + '' + Logs dropped packets failing the reverse path filter test if + the option networking.firewall.checkReversePath is enabled. + ''; + }; + + connectionTrackingModules = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; + description = + '' + List of connection-tracking helpers that are auto-loaded. + The complete list of possible values is given in the example. + + As helpers can pose as a security risk, it is advised to + set this to an empty list and disable the setting + networking.firewall.autoLoadConntrackHelpers unless you + know what you are doing. Connection tracking is disabled + by default. + + Loading of helpers is recommended to be done through the + CT target. More info: + https://home.regit.org/netfilter-en/secure-use-of-helpers/ + ''; + }; + + autoLoadConntrackHelpers = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to auto-load connection-tracking helpers. + See the description at networking.firewall.connectionTrackingModules + + (needs kernel 3.5+) + ''; + }; + + extraCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -A INPUT -p icmp -j ACCEPT"; + description = + '' + Additional shell commands executed as part of the firewall + initialisation script. These are executed just before the + final "reject" firewall rule is added, so they can be used + to allow packets that would otherwise be refused. + ''; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + default = [ ]; + example = literalExample "[ pkgs.ipset ]"; + description = + '' + Additional packages to be included in the environment of the system + as well as the path of networking.firewall.extraCommands. + ''; + }; + + extraStopCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -P INPUT ACCEPT"; + description = + '' + Additional shell commands executed as part of the firewall + shutdown script. These are executed just after the removal + of the NixOS input rule, or if the service enters a failed + state. + ''; + }; + + interfaces = mkOption { + default = { + default = mapAttrs (name: value: cfg."${name}") commonOptions; + }; + type = with types; attrsOf (submodule [ { options = commonOptions; } ]); + description = + '' + Interface-specific open ports. Setting this value will override + all values of the <literal>networking.firewall.allowed*</literal> + options. + ''; + }; + } // commonOptions; }; diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 5cd26b31533d..fcc813e6898f 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -248,7 +248,7 @@ in systemd.services.murmur = { description = "Murmur Chat Service"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target "]; + after = [ "network-online.target "]; serviceConfig = { Type = "forking"; diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index cdc3a3525904..b0bc1c83d6b7 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -6,6 +6,9 @@ with lib; let cfg = config.networking.networkmanager; + dynamicHostsEnabled = + cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {}; + # /var/lib/misc is for dnsmasq.leases. stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc"; @@ -317,6 +320,52 @@ in { so you don't need to to that yourself. ''; }; + + dynamicHosts = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enabling this option requires the + <option>networking.networkmanager.dns</option> option to be + set to <literal>dnsmasq</literal>. If enabled, the directories + defined by the + <option>networking.networkmanager.dynamicHosts.hostsDirs</option> + option will be set up when the service starts. The dnsmasq instance + managed by NetworkManager will then watch those directories for + hosts files (see the <literal>--hostsdir</literal> option of + dnsmasq). This way a non-privileged user can add or override DNS + entries on the local system (depending on what hosts directories + that are configured).. + ''; + }; + hostsDirs = mkOption { + type = with types; attrsOf (submodule { + options = { + user = mkOption { + type = types.str; + default = "root"; + description = '' + The user that will own the hosts directory. + ''; + }; + group = mkOption { + type = types.str; + default = "root"; + description = '' + The group that will own the hosts directory. + ''; + }; + }; + }); + default = {}; + description = '' + Defines a set of directories (relative to + <literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will + watch for hosts files. + ''; + }; + }; }; }; @@ -325,10 +374,17 @@ in { config = mkIf cfg.enable { - assertions = [{ - assertion = config.networking.wireless.enable == false; - message = "You can not use networking.networkmanager with networking.wireless"; - }]; + assertions = [ + { assertion = config.networking.wireless.enable == false; + message = "You can not use networking.networkmanager with networking.wireless"; + } + { assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq"); + message = '' + To use networking.networkmanager.dynamicHosts you also need to set + networking.networkmanager.dns = "dnsmasq" + ''; + } + ]; environment.etc = with cfg.basePackages; [ { source = configFile; @@ -362,7 +418,13 @@ in { ++ lib.imap1 (i: s: { inherit (s) source; target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; - }) cfg.dispatcherScripts; + }) cfg.dispatcherScripts + ++ optional (dynamicHostsEnabled) + { target = "NetworkManager/dnsmasq.d/dyndns.conf"; + text = concatMapStrings (n: '' + hostsdir=/run/NetworkManager/hostsdirs/${n} + '') (attrNames cfg.dynamicHosts.hostsDirs); + }; environment.systemPackages = cfg.packages; @@ -398,6 +460,21 @@ in { ''; }; + systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled { + wantedBy = [ "network-manager.service" ]; + before = [ "network-manager.service" ]; + partOf = [ "network-manager.service" ]; + script = concatStrings (mapAttrsToList (n: d: '' + mkdir -p "/run/NetworkManager/hostsdirs/${n}" + chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}" + chmod 0775 "/run/NetworkManager/hostsdirs/${n}" + '') cfg.dynamicHosts.hostsDirs); + serviceConfig = { + Type = "oneshot"; + RemainAfterExist = true; + }; + }; + # Turn off NixOS' network management networking = { useDHCP = false; diff --git a/nixos/modules/services/networking/quagga.nix b/nixos/modules/services/networking/quagga.nix index 22204e53203c..5acdd5af8f8f 100644 --- a/nixos/modules/services/networking/quagga.nix +++ b/nixos/modules/services/networking/quagga.nix @@ -95,26 +95,25 @@ in { ###### interface - - options.services.quagga = + imports = [ { - - zebra = (serviceOptions "zebra") // { - - enable = mkOption { - type = types.bool; - default = any isEnabled services; - description = '' - Whether to enable the Zebra routing manager. - - The Zebra routing manager is automatically enabled - if any routing protocols are configured. - ''; + options.services.quagga = { + zebra = (serviceOptions "zebra") // { + enable = mkOption { + type = types.bool; + default = any isEnabled services; + description = '' + Whether to enable the Zebra routing manager. + + The Zebra routing manager is automatically enabled + if any routing protocols are configured. + ''; + }; }; - }; - - } // (genAttrs services serviceOptions); + } + { options.services.quagga = (genAttrs services serviceOptions); } + ]; ###### implementation diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 8b04fac089ef..7b2d1920f0f1 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -198,6 +198,10 @@ in [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; + example = + [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; openSSHFormat = true; } + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; comment = "key comment"; } + ]; description = '' NixOS can automatically generate SSH host keys. This option specifies the path, type and size of each key. See @@ -358,7 +362,14 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' if ! [ -f "${k.path}" ]; then - ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N "" + ssh-keygen \ + -t "${k.type}" \ + ${if k ? bits then "-b ${toString k.bits}" else ""} \ + ${if k ? rounds then "-a ${toString k.rounds}" else ""} \ + ${if k ? comment then "-C '${k.comment}'" else ""} \ + ${if k ? openSSHFormat && k.openSSHFormat then "-o" else ""} \ + -f "${k.path}" \ + -N "" fi '')} ''; @@ -404,6 +415,9 @@ in unixAuth = cfg.passwordAuthentication; }; + # These values are merged with the ones defined externally, see: + # https://github.com/NixOS/nixpkgs/pull/10155 + # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index dc90a4bcc620..3c4321ab9e9d 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -183,7 +183,7 @@ in example = literalExample '' { "wlan0 wlan1" = { - configFile = "/etc/wpa_supplicant"; + configFile.path = "/etc/wpa_supplicant.conf"; userControlled.group = "network"; extraConf = ''' ap_scan=1 diff --git a/nixos/modules/services/networking/znc.nix b/nixos/modules/services/networking/znc.nix index 76e4899c85ee..6f477e3b1460 100644 --- a/nixos/modules/services/networking/znc.nix +++ b/nixos/modules/services/networking/znc.nix @@ -36,6 +36,7 @@ let IPv4 = true IPv6 = true SSL = ${boolToString confOpts.useSSL} + ${lib.optionalString (confOpts.uriPrefix != null) "URIPrefix = ${confOpts.uriPrefix}"} </Listener> <User ${confOpts.userName}> @@ -310,6 +311,16 @@ in ''; }; + uriPrefix = mkOption { + type = types.nullOr types.str; + default = null; + example = "/znc/"; + description = '' + An optional URI prefix for the ZNC web interface. Can be + used to make ZNC available behind a reverse proxy. + ''; + }; + extraZncConf = mkOption { default = ""; type = types.lines; diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix new file mode 100644 index 000000000000..2aa2c57fd22c --- /dev/null +++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix @@ -0,0 +1,64 @@ +{ pkgs, config, lib, ... }: +with lib; +let + cfg = config.services.oauth2_proxy.nginx; +in +{ + options.services.oauth2_proxy.nginx = { + proxy = mkOption { + type = types.string; + default = config.services.oauth2_proxy.httpAddress; + description = '' + The address of the reverse proxy endpoint for oauth2_proxy + ''; + }; + virtualHosts = mkOption { + type = types.listOf types.string; + default = []; + description = '' + A list of nginx virtual hosts to put behind the oauth2 proxy + ''; + }; + }; + config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) { + enable = true; + }; + config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) { + recommendedProxySettings = true; # needed because duplicate headers + }) ++ (map (vhost: { + virtualHosts.${vhost} = { + locations."/oauth2/" = { + proxyPass = cfg.proxy; + extraConfig = '' + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Auth-Request-Redirect $request_uri; + ''; + }; + locations."/oauth2/auth" = { + proxyPass = cfg.proxy; + extraConfig = '' + proxy_set_header X-Scheme $scheme; + # nginx auth_request includes headers but not body + proxy_set_header Content-Length ""; + proxy_pass_request_body off; + ''; + }; + locations."/".extraConfig = '' + auth_request /oauth2/auth; + error_page 401 = /oauth2/sign_in; + + # pass information via X-User and X-Email headers to backend, + # requires running with --set-xauthrequest flag + auth_request_set $user $upstream_http_x_auth_request_user; + auth_request_set $email $upstream_http_x_auth_request_email; + proxy_set_header X-User $user; + proxy_set_header X-Email $email; + + # if you enabled --cookie-refresh, this is needed for it to work with auth_request + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + ''; + + }; + }) cfg.virtualHosts)); +} diff --git a/nixos/modules/services/system/kerberos.nix b/nixos/modules/services/system/kerberos.nix index 4f2e2fdf662b..d85dee089827 100644 --- a/nixos/modules/services/system/kerberos.nix +++ b/nixos/modules/services/system/kerberos.nix @@ -41,8 +41,8 @@ in flags = "REUSE NAMEINARGS"; protocol = "tcp"; user = "root"; - server = "${pkgs.tcp_wrappers}/sbin/tcpd"; - serverArgs = "${pkgs.heimdalFull}/sbin/kadmind"; + server = "${pkgs.tcp_wrappers}/bin/tcpd"; + serverArgs = "${pkgs.heimdalFull}/bin/kadmind"; }; systemd.services.kdc = { @@ -51,13 +51,13 @@ in preStart = '' mkdir -m 0755 -p ${stateDir} ''; - script = "${heimdalFull}/sbin/kdc"; + script = "${heimdalFull}/bin/kdc"; }; systemd.services.kpasswdd = { description = "Kerberos Password Changing daemon"; wantedBy = [ "multi-user.target" ]; - script = "${heimdalFull}/sbin/kpasswdd"; + script = "${heimdalFull}/bin/kpasswdd"; }; }; diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index ed38eb9ce1e9..42affb06b51f 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix @@ -241,6 +241,6 @@ in { meta = { doc = ./matomo-doc.xml; - maintainers = with stdenv.lib.maintainers; [ florianjacob ]; + maintainers = with lib.maintainers; [ florianjacob ]; }; } diff --git a/nixos/modules/services/web-apps/nexus.nix b/nixos/modules/services/web-apps/nexus.nix index 30876889cf25..050f8757fa5f 100644 --- a/nixos/modules/services/web-apps/nexus.nix +++ b/nixos/modules/services/web-apps/nexus.nix @@ -130,5 +130,5 @@ in }; }; - meta.maintainers = with stdenv.lib.maintainers; [ ironpinguin ]; + meta.maintainers = with lib.maintainers; [ ironpinguin ]; } diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix index b71ff0531cc8..eb8ee9b5cf46 100644 --- a/nixos/modules/services/web-servers/apache-httpd/default.nix +++ b/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -656,7 +656,7 @@ in message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } ]; - warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port}";}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts); + warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts); users.users = optionalAttrs (mainCfg.user == "wwwrun") (singleton { name = "wwwrun"; diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index 7dcc600d2664..ae155470419d 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -43,12 +43,6 @@ in default = true; description = "Enable the XFWM (default) window manager."; }; - - screenLock = mkOption { - type = types.enum [ "xscreensaver" "xlockmore" "slock" ]; - default = "xlockmore"; - description = "Application used by XFCE to lock the screen."; - }; }; }; @@ -92,7 +86,7 @@ in thunar-volman # TODO: drop ] ++ (if config.hardware.pulseaudio.enable then [ xfce4-mixer-pulse xfce4-volumed-pulse ] - else [ xfce4-mixer xfce4-volumed ]) + else [ xfce4-mixer xfce4-volumed ]) # TODO: NetworkManager doesn't belong here ++ optionals config.networking.networkmanager.enable [ networkmanagerapplet ] ++ optionals config.powerManagement.enable [ xfce4-power-manager ] diff --git a/nixos/modules/services/x11/hardware/libinput.nix b/nixos/modules/services/x11/hardware/libinput.nix index d0a87f183b6f..072004d5dd91 100644 --- a/nixos/modules/services/x11/hardware/libinput.nix +++ b/nixos/modules/services/x11/hardware/libinput.nix @@ -116,7 +116,7 @@ in { }; scrollMethod = mkOption { - type = types.enum [ "twofinger" "edge" "none" ]; + type = types.enum [ "twofinger" "edge" "button" "none" ]; default = "twofinger"; example = "edge"; description = |