diff options
Diffstat (limited to 'nixos/modules/services')
| -rw-r--r-- | nixos/modules/services/backup/bacula.nix | 222 | ||||
| -rw-r--r-- | nixos/modules/services/databases/lldap.nix | 17 | ||||
| -rw-r--r-- | nixos/modules/services/desktop-managers/plasma6.nix (renamed from nixos/modules/services/x11/desktop-managers/plasma6.nix) | 15 | ||||
| -rw-r--r-- | nixos/modules/services/development/hoogle.nix | 15 | ||||
| -rw-r--r-- | nixos/modules/services/monitoring/scrutiny.nix | 9 | ||||
| -rw-r--r-- | nixos/modules/services/networking/murmur.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/networking/unbound.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/services/security/esdm.nix | 101 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/gotosocial.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/x11/desktop-managers/default.nix | 2 |
11 files changed, 262 insertions, 131 deletions
diff --git a/nixos/modules/services/backup/bacula.nix b/nixos/modules/services/backup/bacula.nix index 5a75a46e5259..39975adf5909 100644 --- a/nixos/modules/services/backup/bacula.nix +++ b/nixos/modules/services/backup/bacula.nix @@ -4,11 +4,36 @@ # TODO: test configuration when building nixexpr (use -t parameter) # TODO: support sqlite3 (it's deprecate?) and mysql -with lib; let + inherit (lib) + concatStringsSep + literalExpression + mapAttrsToList + mdDoc + mkIf + mkOption + optional + optionalString + types + ; libDir = "/var/lib/bacula"; + yes_no = bool: if bool then "yes" else "no"; + tls_conf = tls_cfg: optionalString tls_cfg.enable ( + concatStringsSep + "\n" + ( + ["TLS Enable = yes;"] + ++ optional (tls_cfg.require != null) "TLS Require = ${yes_no tls_cfg.require};" + ++ optional (tls_cfg.certificate != null) ''TLS Certificate = "${tls_cfg.certificate}";'' + ++ [''TLS Key = "${tls_cfg.key}";''] + ++ optional (tls_cfg.verifyPeer != null) "TLS Verify Peer = ${yes_no tls_cfg.verifyPeer};" + ++ optional (tls_cfg.allowedCN != [ ]) "TLS Allowed CN = ${concatStringsSep " " (tls_cfg.allowedCN)};" + ++ optional (tls_cfg.caCertificateFile != null) ''TLS CA Certificate File = "${tls_cfg.caCertificateFile}";'' + ) + ); + fd_cfg = config.services.bacula-fd; fd_conf = pkgs.writeText "bacula-fd.conf" '' @@ -18,6 +43,7 @@ let WorkingDirectory = ${libDir}; Pid Directory = /run; ${fd_cfg.extraClientConfig} + ${tls_conf fd_cfg.tls} } ${concatStringsSep "\n" (mapAttrsToList (name: value: '' @@ -25,6 +51,7 @@ let Name = "${name}"; Password = ${value.password}; Monitor = ${value.monitor}; + ${tls_conf value.tls} } '') fd_cfg.director)} @@ -44,6 +71,7 @@ let WorkingDirectory = ${libDir}; Pid Directory = /run; ${sd_cfg.extraStorageConfig} + ${tls_conf sd_cfg.tls} } ${concatStringsSep "\n" (mapAttrsToList (name: value: '' @@ -70,6 +98,7 @@ let Name = "${name}"; Password = ${value.password}; Monitor = ${value.monitor}; + ${tls_conf value.tls} } '') sd_cfg.director)} @@ -90,6 +119,7 @@ let Working Directory = ${libDir}; Pid Directory = /run/; QueryFile = ${pkgs.bacula}/etc/query.sql; + ${tls_conf dir_cfg.tls} ${dir_cfg.extraDirectorConfig} } @@ -108,13 +138,99 @@ let ${dir_cfg.extraConfig} ''; - directorOptions = {...}: + linkOption = name: destination: "[${name}](#opt-${builtins.replaceStrings [ "<" ">"] ["_" "_"] destination})"; + tlsLink = destination: submodulePath: linkOption "${submodulePath}.${destination}" "${submodulePath}.${destination}"; + + tlsOptions = submodulePath: {...}: + { + options = { + enable = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Specifies if TLS should be enabled. + If this set to `false` TLS will be completely disabled, even if ${tlsLink "tls.require" submodulePath} is true. + ''; + }; + require = mkOption { + type = types.nullOr types.bool; + default = null; + description = mdDoc '' + Require TLS or TLS-PSK encryption. + This directive is ignored unless one of ${tlsLink "tls.enable" submodulePath} is true or TLS PSK Enable is set to `yes`. + If TLS is not required while TLS or TLS-PSK are enabled, then the Bacula component + will connect with other components either with or without TLS or TLS-PSK + + If ${tlsLink "tls.enable" submodulePath} or TLS-PSK is enabled and TLS is required, then the Bacula + component will refuse any connection request that does not use TLS. + ''; + }; + certificate = mkOption { + type = types.nullOr types.path; + default = null; + description = mdDoc '' + The full path to the PEM encoded TLS certificate. + It will be used as either a client or server certificate, + depending on the connection direction. + This directive is required in a server context, but it may + not be specified in a client context if ${tlsLink "tls.verifyPeer" submodulePath} is + `false` in the corresponding server context. + ''; + }; + key = mkOption { + type = types.path; + description = mdDoc '' + The path of a PEM encoded TLS private key. + It must correspond to the TLS certificate. + ''; + }; + verifyPeer = mkOption { + type = types.nullOr types.bool; + default = null; + description = mdDoc '' + Verify peer certificate. + Instructs server to request and verify the client's X.509 certificate. + Any client certificate signed by a known-CA will be accepted. + Additionally, the client's X509 certificate Common Name must meet the value of the Address directive. + If ${tlsLink "tls.allowedCN" submodulePath} is used, + the client's x509 certificate Common Name must also correspond to + one of the CN specified in the ${tlsLink "tls.allowedCN" submodulePath} directive. + This directive is valid only for a server and not in client context. + + Standard from Bacula is `true`. + ''; + }; + allowedCN = mkOption { + type = types.listOf types.str; + default = [ ]; + description = mdDoc '' + Common name attribute of allowed peer certificates. + This directive is valid for a server and in a client context. + If this directive is specified, the peer certificate will be verified against this list. + In the case this directive is configured on a server side, the allowed + CN list will not be checked if ${tlsLink "tls.verifyPeer" submodulePath} is false. + ''; + }; + caCertificateFile = mkOption { + type = types.nullOr types.path; + default = null; + description = mdDoc '' + The path specifying a PEM encoded TLS CA certificate(s). + Multiple certificates are permitted in the file. + One of TLS CA Certificate File or TLS CA Certificate Dir are required in a server context, unless + ${tlsLink "tls.verifyPeer" submodulePath} is false, and are always required in a client context. + ''; + }; + }; + }; + + directorOptions = submodulePath:{...}: { options = { password = mkOption { type = types.str; # TODO: required? - description = lib.mdDoc '' + description = mdDoc '' Specifies the password that must be supplied for the default Bacula Console to be authorized. The same password must appear in the Director resource of the Console configuration file. For added @@ -135,7 +251,7 @@ let type = types.enum [ "no" "yes" ]; default = "no"; example = "yes"; - description = lib.mdDoc '' + description = mdDoc '' If Monitor is set to `no`, this director will have full access to this Storage daemon. If Monitor is set to `yes`, this director will only be able to fetch the @@ -146,6 +262,13 @@ let security problems. ''; }; + + tls = mkOption { + type = types.submodule (tlsOptions "${submodulePath}.director.<name>"); + description = mdDoc '' + TLS Options for the Director in this Configuration. + ''; + }; }; }; @@ -154,7 +277,7 @@ let options = { changerDevice = mkOption { type = types.str; - description = lib.mdDoc '' + description = mdDoc '' The specified name-string must be the generic SCSI device name of the autochanger that corresponds to the normal read/write Archive Device specified in the Device resource. This generic SCSI device name @@ -173,7 +296,7 @@ let changerCommand = mkOption { type = types.str; - description = lib.mdDoc '' + description = mdDoc '' The name-string specifies an external program to be called that will automatically change volumes as required by Bacula. Normally, this directive will be specified only in the AutoChanger resource, which @@ -195,14 +318,14 @@ let }; devices = mkOption { - description = lib.mdDoc ""; + description = mdDoc ""; type = types.listOf types.str; }; extraAutochangerConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration to be passed in Autochanger directive. ''; example = '' @@ -219,7 +342,7 @@ let archiveDevice = mkOption { # TODO: required? type = types.str; - description = lib.mdDoc '' + description = mdDoc '' The specified name-string gives the system file name of the storage device managed by this storage daemon. This will usually be the device file name of a removable storage device (tape drive), for @@ -236,7 +359,7 @@ let mediaType = mkOption { # TODO: required? type = types.str; - description = lib.mdDoc '' + description = mdDoc '' The specified name-string names the type of media supported by this device, for example, `DLT7000`. Media type names are arbitrary in that you set them to anything you want, but they must be @@ -274,7 +397,7 @@ let extraDeviceConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration to be passed in Device directive. ''; example = '' @@ -295,7 +418,7 @@ in { enable = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = mdDoc '' Whether to enable the Bacula File Daemon. ''; }; @@ -304,7 +427,7 @@ in { default = "${config.networking.hostName}-fd"; defaultText = literalExpression ''"''${config.networking.hostName}-fd"''; type = types.str; - description = lib.mdDoc '' + description = mdDoc '' The client name that must be used by the Director when connecting. Generally, it is a good idea to use a name related to the machine so that error messages can be easily identified if you have multiple @@ -315,7 +438,7 @@ in { port = mkOption { default = 9102; type = types.port; - description = lib.mdDoc '' + description = mdDoc '' This specifies the port number on which the Client listens for Director connections. It must agree with the FDPort specified in the Client resource of the Director's configuration file. @@ -324,16 +447,26 @@ in { director = mkOption { default = {}; - description = lib.mdDoc '' + description = mdDoc '' This option defines director resources in Bacula File Daemon. ''; - type = with types; attrsOf (submodule directorOptions); + type = types.attrsOf (types.submodule (directorOptions "services.bacula-fd")); }; + + tls = mkOption { + type = types.submodule (tlsOptions "services.bacula-fd"); + default = { }; + description = mdDoc '' + TLS Options for the File Daemon. + Important notice: The backup won't be encrypted. + ''; + }; + extraClientConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration to be passed in Client directive. ''; example = '' @@ -345,7 +478,7 @@ in { extraMessagesConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration to be passed in Messages directive. ''; example = '' @@ -358,7 +491,7 @@ in { enable = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = mdDoc '' Whether to enable Bacula Storage Daemon. ''; }; @@ -367,7 +500,7 @@ in { default = "${config.networking.hostName}-sd"; defaultText = literalExpression ''"''${config.networking.hostName}-sd"''; type = types.str; - description = lib.mdDoc '' + description = mdDoc '' Specifies the Name of the Storage daemon. ''; }; @@ -375,7 +508,7 @@ in { port = mkOption { default = 9103; type = types.port; - description = lib.mdDoc '' + description = mdDoc '' Specifies port number on which the Storage daemon listens for Director connections. ''; @@ -383,32 +516,32 @@ in { director = mkOption { default = {}; - description = lib.mdDoc '' + description = mdDoc '' This option defines Director resources in Bacula Storage Daemon. ''; - type = with types; attrsOf (submodule directorOptions); + type = types.attrsOf (types.submodule (directorOptions "services.bacula-sd")); }; device = mkOption { default = {}; - description = lib.mdDoc '' + description = mdDoc '' This option defines Device resources in Bacula Storage Daemon. ''; - type = with types; attrsOf (submodule deviceOptions); + type = types.attrsOf (types.submodule deviceOptions); }; autochanger = mkOption { default = {}; - description = lib.mdDoc '' + description = mdDoc '' This option defines Autochanger resources in Bacula Storage Daemon. ''; - type = with types; attrsOf (submodule autochangerOptions); + type = types.attrsOf (types.submodule autochangerOptions); }; extraStorageConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration to be passed in Storage directive. ''; example = '' @@ -420,13 +553,21 @@ in { extraMessagesConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration to be passed in Messages directive. ''; example = '' console = all ''; }; + tls = mkOption { + type = types.submodule (tlsOptions "services.bacula-sd"); + default = { }; + description = mdDoc '' + TLS Options for the Storage Daemon. + Important notice: The backup won't be encrypted. + ''; + }; }; @@ -434,7 +575,7 @@ in { enable = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = mdDoc '' Whether to enable Bacula Director Daemon. ''; }; @@ -443,7 +584,7 @@ in { default = "${config.networking.hostName}-dir"; defaultText = literalExpression ''"''${config.networking.hostName}-dir"''; type = types.str; - description = lib.mdDoc '' + description = mdDoc '' The director name used by the system administrator. This directive is required. ''; @@ -452,7 +593,7 @@ in { port = mkOption { default = 9101; type = types.port; - description = lib.mdDoc '' + description = mdDoc '' Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number must be specified in the Director resource of the Console @@ -465,7 +606,7 @@ in { password = mkOption { # TODO: required? type = types.str; - description = lib.mdDoc '' + description = mdDoc '' Specifies the password that must be supplied for a Director. ''; }; @@ -473,7 +614,7 @@ in { extraMessagesConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration to be passed in Messages directive. ''; example = '' @@ -484,7 +625,7 @@ in { extraDirectorConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration to be passed in Director directive. ''; example = '' @@ -496,13 +637,22 @@ in { extraConfig = mkOption { default = ""; type = types.lines; - description = lib.mdDoc '' + description = mdDoc '' Extra configuration for Bacula Director Daemon. ''; example = '' TODO ''; }; + + tls = mkOption { + type = types.submodule (tlsOptions "services.bacula-dir"); + default = { }; + description = mdDoc '' + TLS Options for the Director. + Important notice: The backup won't be encrypted. + ''; + }; }; }; diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix index e821da8e58aa..033de7af886f 100644 --- a/nixos/modules/services/databases/lldap.nix +++ b/nixos/modules/services/databases/lldap.nix @@ -107,10 +107,25 @@ in wants = [ "network-online.target" ]; after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; + # lldap defaults to a hardcoded `jwt_secret` value if none is provided, which is bad, because + # an attacker could create a valid admin jwt access token fairly trivially. + # Because there are 3 different ways `jwt_secret` can be provided, we check if any one of them is present, + # and if not, bootstrap a secret in `/var/lib/lldap/jwt_secret_file` and give that to lldap. + script = lib.optionalString (!cfg.settings ? jwt_secret) '' + if [[ -z "$LLDAP_JWT_SECRET_FILE" ]] && [[ -z "$LLDAP_JWT_SECRET" ]]; then + if [[ ! -e "./jwt_secret_file" ]]; then + ${lib.getExe pkgs.openssl} rand -base64 -out ./jwt_secret_file 32 + fi + export LLDAP_JWT_SECRET_FILE="./jwt_secret_file" + fi + '' + '' + ${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings} + ''; serviceConfig = { - ExecStart = "${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}"; StateDirectory = "lldap"; + StateDirectoryMode = "0750"; WorkingDirectory = "%S/lldap"; + UMask = "0027"; User = "lldap"; Group = "lldap"; DynamicUser = true; diff --git a/nixos/modules/services/x11/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix index a471a48c9002..1710d28954d6 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma6.nix +++ b/nixos/modules/services/desktop-managers/plasma6.nix @@ -5,8 +5,7 @@ utils, ... }: let - xcfg = config.services.xserver; - cfg = xcfg.desktopManager.plasma6; + cfg = config.services.desktopManager.plasma6; inherit (pkgs) kdePackages; inherit (lib) literalExpression mkDefault mkIf mkOption mkPackageOptionMD types; @@ -17,7 +16,7 @@ ''; in { options = { - services.xserver.desktopManager.plasma6 = { + services.desktopManager.plasma6 = { enable = mkOption { type = types.bool; default = false; @@ -44,6 +43,12 @@ in { }; }; + imports = [ + (lib.mkRenamedOptionModule [ "services" "xserver" "desktopManager" "plasma6" "enable" ] [ "services" "desktopManager" "plasma6" "enable" ]) + (lib.mkRenamedOptionModule [ "services" "xserver" "desktopManager" "plasma6" "enableQt5Integration" ] [ "services" "desktopManager" "plasma6" "enableQt5Integration" ]) + (lib.mkRenamedOptionModule [ "services" "xserver" "desktopManager" "plasma6" "notoPackage" ] [ "services" "desktopManager" "plasma6" "notoPackage" ]) + ]; + config = mkIf cfg.enable { assertions = [ { @@ -161,7 +166,7 @@ in { in requiredPackages ++ utils.removePackagesByName optionalPackages config.environment.plasma6.excludePackages - ++ lib.optionals config.services.xserver.desktopManager.plasma6.enableQt5Integration [ + ++ lib.optionals config.services.desktopManager.plasma6.enableQt5Integration [ breeze.qt5 plasma-integration.qt5 pkgs.plasma5Packages.kwayland-integration @@ -185,7 +190,7 @@ in { "/libexec" # for drkonqi ]; - environment.etc."X11/xkb".source = xcfg.xkb.dir; + environment.etc."X11/xkb".source = config.services.xserver.xkb.dir; # Add ~/.config/kdedefaults to XDG_CONFIG_DIRS for shells, since Plasma sets that. # FIXME: maybe we should append to XDG_CONFIG_DIRS in /etc/set-environment instead? diff --git a/nixos/modules/services/development/hoogle.nix b/nixos/modules/services/development/hoogle.nix index 88dd01fd8aab..c90bb7f01902 100644 --- a/nixos/modules/services/development/hoogle.nix +++ b/nixos/modules/services/development/hoogle.nix @@ -56,6 +56,16 @@ in { description = lib.mdDoc "Set the host to bind on."; default = "127.0.0.1"; }; + + extraOptions = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--no-security-headers" ]; + description = lib.mdDoc '' + Additional command-line arguments to pass to + {command}`hoogle server` + ''; + }; }; config = mkIf cfg.enable { @@ -66,7 +76,10 @@ in { serviceConfig = { Restart = "always"; - ExecStart = ''${hoogleEnv}/bin/hoogle server --local --port ${toString cfg.port} --home ${cfg.home} --host ${cfg.host}''; + ExecStart = '' + ${hoogleEnv}/bin/hoogle server --local --port ${toString cfg.port} --home ${cfg.home} --host ${cfg.host} \ + ${concatStringsSep " " cfg.extraOptions} + ''; DynamicUser = true; diff --git a/nixos/modules/services/monitoring/scrutiny.nix b/nixos/modules/services/monitoring/scrutiny.nix index aef924ef840c..2862cdd80128 100644 --- a/nixos/modules/services/monitoring/scrutiny.nix +++ b/nixos/modules/services/monitoring/scrutiny.nix @@ -201,17 +201,12 @@ in Type = "oneshot"; ExecStart = "${getExe cfg.collector.package} run --config ${settingsFormat.generate "scrutiny-collector.yaml" cfg.collector.settings}"; }; + startAt = cfg.collector.schedule; }; }; timers = mkIf cfg.collector.enable { - scrutiny-collector = { - timerConfig = { - OnCalendar = cfg.collector.schedule; - Persistent = true; - Unit = "scrutiny-collector.service"; - }; - }; + scrutiny-collector.timerConfig.Persistent = true; }; }; }; diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 5805f332a66f..1fb5063e5ad8 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -33,7 +33,7 @@ let sendversion=${boolToString cfg.sendVersion} ${optionalString (cfg.registerName != "") "registerName=${cfg.registerName}"} - ${optionalString (cfg.registerPassword == "") "registerPassword=${cfg.registerPassword}"} + ${optionalString (cfg.registerPassword != "") "registerPassword=${cfg.registerPassword}"} ${optionalString (cfg.registerUrl != "") "registerUrl=${cfg.registerUrl}"} ${optionalString (cfg.registerHostname != "") "registerHostname=${cfg.registerHostname}"} diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 607ae05fc52c..63804a3b1c54 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -436,6 +436,7 @@ in And if you edit a declarative profile NetworkManager will move it to the persistent storage and treat it like a ad-hoc one, but there will be two profiles as soon as the systemd unit from this option runs again which can be confusing since NetworkManager tools will start displaying two profiles with the same name and probably a bit different settings depending on what you edited. A profile won't be deleted even if it's removed from the config until the system reboots because that's when NetworkManager clears it's temp directory. + If `networking.resolvconf.enable` is true, attributes affecting the name resolution (such as `ignore-auto-dns`) may not end up changing `/etc/resolv.conf` as expected when other name services (for example `networking.dhcpcd`) are enabled. Run `resolvconf -l` in the terminal to see what each service produces. ''; }; environmentFiles = mkOption { diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 8438e472e11e..17c6789827b9 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -76,12 +76,13 @@ in { checkconf = mkOption { type = types.bool; - default = !cfg.settings ? include; - defaultText = "!config.services.unbound.settings ? include"; + default = !cfg.settings ? include && !cfg.settings ? remote-control; + defaultText = "!services.unbound.settings ? include && !services.unbound.settings ? remote-control"; description = lib.mdDoc '' Wether to check the resulting config file with unbound checkconf for syntax errors. - If settings.include is used, then this options is disabled, as the import can likely not be resolved at build time. + If settings.include is used, this options is disabled, as the import can likely not be accessed at build time. + If settings.remote-control is used, this option is disabled, too as the control-key-file, server-cert-file and server-key-file cannot be accessed at build time. ''; }; diff --git a/nixos/modules/services/security/esdm.nix b/nixos/modules/services/security/esdm.nix index 134b4be1a94c..c34fba1b3c75 100644 --- a/nixos/modules/services/security/esdm.nix +++ b/nixos/modules/services/security/esdm.nix @@ -4,49 +4,33 @@ let cfg = config.services.esdm; in { + imports = [ + # removed option 'services.esdm.cuseRandomEnable' + (lib.mkRemovedOptionModule [ "services" "esdm" "cuseRandomEnable" ] '' + Use services.esdm.enableLinuxCompatServices instead. + '') + # removed option 'services.esdm.cuseUrandomEnable' + (lib.mkRemovedOptionModule [ "services" "esdm" "cuseUrandomEnable" ] '' + Use services.esdm.enableLinuxCompatServices instead. + '') + # removed option 'services.esdm.procEnable' + (lib.mkRemovedOptionModule [ "services" "esdm" "procEnable" ] '' + Use services.esdm.enableLinuxCompatServices instead. + '') + # removed option 'services.esdm.verbose' + (lib.mkRemovedOptionModule [ "services" "esdm" "verbose" ] '' + There is no replacement. + '') + ]; + options.services.esdm = { enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration"); package = lib.mkPackageOption pkgs "esdm" { }; - serverEnable = lib.mkOption { - type = lib.types.bool; - default = true; - description = lib.mdDoc '' - Enable option for ESDM server service. If serverEnable == false, then the esdm-server - will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom - and esdm-proc will not start as these have the entry Want=esdm-server.service. - ''; - }; - cuseRandomEnable = lib.mkOption { - type = lib.types.bool; - default = true; - description = lib.mdDoc '' - Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service - is started. - ''; - }; - cuseUrandomEnable = lib.mkOption { - type = lib.types.bool; - default = true; - description = lib.mdDoc '' - Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service - is started. - ''; - }; - procEnable = lib.mkOption { + enableLinuxCompatServices = lib.mkOption { type = lib.types.bool; default = true; description = lib.mdDoc '' - Enable option for ESDM proc service. Determines if the esdm-proc.service - is started. - ''; - }; - verbose = lib.mkOption { - type = lib.types.bool; - default = false; - description = lib.mdDoc '' - Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart" - values of the 4 aforementioned services are overwritten with the option - for the highest verbosity. + Enable /dev/random, /dev/urandom and /proc/sys/kernel/random/* userspace wrapper. ''; }; }; @@ -55,46 +39,13 @@ in lib.mkMerge [ ({ systemd.packages = [ cfg.package ]; - }) - # It is necessary to set those options for these services to be started by systemd in NixOS - (lib.mkIf cfg.serverEnable { systemd.services."esdm-server".wantedBy = [ "basic.target" ]; - systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose { - ExecStart = [ - " " # unset previous value defined in 'esdm-server.service' - "${cfg.package}/bin/esdm-server -f -vvvvvv" - ]; - }; - }) - - (lib.mkIf cfg.cuseRandomEnable { - systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ]; - systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose { - ExecStart = [ - " " # unset previous value defined in 'esdm-cuse-random.service' - "${cfg.package}/bin/esdm-cuse-random -f -v 6" - ]; - }; }) - - (lib.mkIf cfg.cuseUrandomEnable { - systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ]; - systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose { - ExecStart = [ - " " # unset previous value defined in 'esdm-cuse-urandom.service' - "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6" - ]; - }; - }) - - (lib.mkIf cfg.procEnable { - systemd.services."esdm-proc".wantedBy = [ "basic.target" ]; - systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose { - ExecStart = [ - " " # unset previous value defined in 'esdm-proc.service' - "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6" - ]; - }; + # It is necessary to set those options for these services to be started by systemd in NixOS + (lib.mkIf cfg.enableLinuxCompatServices { + systemd.targets."esdm-linux-compat".wantedBy = [ "basic.target" ]; + systemd.services."esdm-server-suspend".wantedBy = [ "sleep.target" "suspend.target" "hibernate.target" ]; + systemd.services."esdm-server-resume".wantedBy = [ "sleep.target" "suspend.target" "hibernate.target" ]; }) ]); diff --git a/nixos/modules/services/web-apps/gotosocial.nix b/nixos/modules/services/web-apps/gotosocial.nix index 45464f646da8..657509c11005 100644 --- a/nixos/modules/services/web-apps/gotosocial.nix +++ b/nixos/modules/services/web-apps/gotosocial.nix @@ -27,7 +27,7 @@ let in { meta.doc = ./gotosocial.md; - meta.maintainers = with lib.maintainers; [ misuzu ]; + meta.maintainers = with lib.maintainers; [ misuzu blakesmith ]; options.services.gotosocial = { enable = lib.mkEnableOption (lib.mdDoc "ActivityPub social network server"); diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix index ecb8d1e91bde..33d0a7b52643 100644 --- a/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixos/modules/services/x11/desktop-managers/default.nix @@ -18,7 +18,7 @@ in # determines the default: later modules (if enabled) are preferred. # E.g., if Plasma 5 is enabled, it supersedes xterm. imports = [ - ./none.nix ./xterm.nix ./phosh.nix ./xfce.nix ./plasma5.nix ./plasma6.nix ./lumina.nix + ./none.nix ./xterm.nix ./phosh.nix ./xfce.nix ./plasma5.nix ../../desktop-managers/plasma6.nix ./lumina.nix ./lxqt.nix ./enlightenment.nix ./gnome.nix ./retroarch.nix ./kodi.nix ./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix ./cinnamon.nix ./budgie.nix ./deepin.nix |