Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/config/shells-environment.nix3
-rw-r--r--nixos/modules/config/users-groups.nix10
-rw-r--r--nixos/modules/hardware/corectrl.nix8
-rw-r--r--nixos/modules/image/repart-image.nix36
-rw-r--r--nixos/modules/image/repart.nix76
-rw-r--r--nixos/modules/misc/version.nix34
-rw-r--r--nixos/modules/module-list.nix12
-rw-r--r--nixos/modules/profiles/installation-device.nix3
-rw-r--r--nixos/modules/profiles/perlless.nix31
-rw-r--r--nixos/modules/programs/light.nix50
-rw-r--r--nixos/modules/programs/regreet.nix16
-rw-r--r--nixos/modules/programs/ssh.nix1
-rw-r--r--nixos/modules/programs/wayland/hyprland.nix (renamed from nixos/modules/programs/hyprland.nix)0
-rw-r--r--nixos/modules/security/acme/default.md10
-rw-r--r--nixos/modules/security/acme/default.nix4
-rw-r--r--nixos/modules/services/audio/gmediarender.nix1
-rw-r--r--nixos/modules/services/audio/jmusicbot.nix1
-rw-r--r--nixos/modules/services/audio/mopidy.nix7
-rw-r--r--nixos/modules/services/audio/spotifyd.nix1
-rw-r--r--nixos/modules/services/audio/ympd.nix1
-rw-r--r--nixos/modules/services/continuous-integration/buildbot/master.nix2
-rw-r--r--nixos/modules/services/continuous-integration/gitea-actions-runner.nix1
-rw-r--r--nixos/modules/services/continuous-integration/github-runner/options.nix1
-rw-r--r--nixos/modules/services/continuous-integration/hydra/default.nix1
-rw-r--r--nixos/modules/services/databases/firebird.nix2
-rw-r--r--nixos/modules/services/databases/lldap.nix1
-rw-r--r--nixos/modules/services/databases/openldap.nix1
-rw-r--r--nixos/modules/services/databases/tigerbeetle.md33
-rw-r--r--nixos/modules/services/databases/tigerbeetle.nix115
-rw-r--r--nixos/modules/services/desktops/geoclue2.nix2
-rw-r--r--nixos/modules/services/editors/emacs.nix21
-rw-r--r--nixos/modules/services/games/archisteamfarm.nix (renamed from nixos/modules/services/games/asf.nix)100
-rw-r--r--nixos/modules/services/hardware/fwupd.nix1
-rw-r--r--nixos/modules/services/home-automation/evcc.nix1
-rw-r--r--nixos/modules/services/home-automation/home-assistant.nix1
-rw-r--r--nixos/modules/services/logging/journaldriver.nix1
-rw-r--r--nixos/modules/services/mail/dovecot.nix152
-rw-r--r--nixos/modules/services/mail/mlmmj.nix12
-rw-r--r--nixos/modules/services/mail/postfixadmin.nix6
-rw-r--r--nixos/modules/services/mail/roundcube.nix1
-rw-r--r--nixos/modules/services/mail/rss2email.nix8
-rw-r--r--nixos/modules/services/mail/sympa.nix2
-rw-r--r--nixos/modules/services/mail/zeyple.nix6
-rw-r--r--nixos/modules/services/matrix/hebbot.nix78
-rw-r--r--nixos/modules/services/matrix/synapse.nix2
-rw-r--r--nixos/modules/services/misc/amazon-ssm-agent.nix1
-rw-r--r--nixos/modules/services/misc/bcg.nix2
-rw-r--r--nixos/modules/services/misc/domoticz.nix1
-rw-r--r--nixos/modules/services/misc/etcd.nix7
-rw-r--r--nixos/modules/services/misc/etesync-dav.nix1
-rw-r--r--nixos/modules/services/misc/lidarr.nix7
-rw-r--r--nixos/modules/services/misc/mediatomb.nix1
-rw-r--r--nixos/modules/services/misc/metabase.nix1
-rw-r--r--nixos/modules/services/misc/moonraker.nix2
-rw-r--r--nixos/modules/services/misc/nix-gc.nix25
-rw-r--r--nixos/modules/services/misc/nix-ssh-serve.nix4
-rw-r--r--nixos/modules/services/misc/ollama.nix8
-rw-r--r--nixos/modules/services/misc/paperless.nix1
-rw-r--r--nixos/modules/services/misc/portunus.nix5
-rw-r--r--nixos/modules/services/misc/radarr.nix7
-rw-r--r--nixos/modules/services/misc/readarr.nix7
-rw-r--r--nixos/modules/services/misc/taskserver/helper-tool.py34
-rw-r--r--nixos/modules/services/monitoring/alerta.nix7
-rw-r--r--nixos/modules/services/monitoring/kapacitor.nix6
-rw-r--r--nixos/modules/services/monitoring/mackerel-agent.nix1
-rw-r--r--nixos/modules/services/monitoring/munin.nix24
-rw-r--r--nixos/modules/services/monitoring/osquery.nix8
-rw-r--r--nixos/modules/services/monitoring/prometheus/alertmanager.nix1
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/pve.nix42
-rw-r--r--nixos/modules/services/monitoring/riemann-dash.nix7
-rw-r--r--nixos/modules/services/monitoring/rustdesk-server.nix95
-rw-r--r--nixos/modules/services/monitoring/teamviewer.nix1
-rw-r--r--nixos/modules/services/monitoring/telegraf.nix1
-rw-r--r--nixos/modules/services/monitoring/watchdogd.nix131
-rw-r--r--nixos/modules/services/network-filesystems/cachefilesd.nix8
-rw-r--r--nixos/modules/services/network-filesystems/ceph.nix20
-rw-r--r--nixos/modules/services/network-filesystems/kbfs.nix7
-rw-r--r--nixos/modules/services/network-filesystems/kubo.nix13
-rw-r--r--nixos/modules/services/network-filesystems/openafs/client.nix1
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix2
-rw-r--r--nixos/modules/services/networking/bird.nix9
-rw-r--r--nixos/modules/services/networking/bitcoind.nix1
-rw-r--r--nixos/modules/services/networking/charybdis.nix6
-rw-r--r--nixos/modules/services/networking/dante.nix1
-rw-r--r--nixos/modules/services/networking/dnsdist.nix143
-rw-r--r--nixos/modules/services/networking/ergo.nix1
-rw-r--r--nixos/modules/services/networking/expressvpn.nix1
-rw-r--r--nixos/modules/services/networking/frp.nix22
-rw-r--r--nixos/modules/services/networking/headscale.nix13
-rw-r--r--nixos/modules/services/networking/ircd-hybrid/default.nix3
-rw-r--r--nixos/modules/services/networking/ivpn.nix2
-rw-r--r--nixos/modules/services/networking/jibri/default.nix10
-rw-r--r--nixos/modules/services/networking/kea.nix7
-rw-r--r--nixos/modules/services/networking/keepalived/default.nix9
-rw-r--r--nixos/modules/services/networking/knot.nix1
-rw-r--r--nixos/modules/services/networking/mosquitto.nix1
-rw-r--r--nixos/modules/services/networking/mullvad-vpn.nix2
-rw-r--r--nixos/modules/services/networking/nbd.nix1
-rw-r--r--nixos/modules/services/networking/netbird.md56
-rw-r--r--nixos/modules/services/networking/netbird.nix203
-rw-r--r--nixos/modules/services/networking/ocserv.nix1
-rw-r--r--nixos/modules/services/networking/pleroma.nix1
-rw-r--r--nixos/modules/services/networking/rosenpass.nix1
-rw-r--r--nixos/modules/services/networking/rxe.nix2
-rw-r--r--nixos/modules/services/networking/soju.nix1
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/module.nix1
-rw-r--r--nixos/modules/services/networking/strongswan.nix1
-rw-r--r--nixos/modules/services/networking/syncplay.nix1
-rw-r--r--nixos/modules/services/networking/wasabibackend.nix1
-rw-r--r--nixos/modules/services/networking/znc/default.nix1
-rw-r--r--nixos/modules/services/security/certmgr.nix1
-rw-r--r--nixos/modules/services/security/clamav.nix2
-rw-r--r--nixos/modules/services/security/oauth2_proxy.nix1
-rw-r--r--nixos/modules/services/system/cachix-agent/default.nix1
-rw-r--r--nixos/modules/services/system/cachix-watch-store.nix1
-rw-r--r--nixos/modules/services/system/cloud-init.nix5
-rw-r--r--nixos/modules/services/system/dbus.nix1
-rw-r--r--nixos/modules/services/torrent/deluge.nix30
-rw-r--r--nixos/modules/services/video/epgstation/default.nix30
-rw-r--r--nixos/modules/services/video/go2rtc/default.nix1
-rw-r--r--nixos/modules/services/video/mirakurun.nix7
-rw-r--r--nixos/modules/services/web-apps/akkoma.nix2
-rw-r--r--nixos/modules/services/web-apps/alps.nix1
-rw-r--r--nixos/modules/services/web-apps/bookstack.nix33
-rw-r--r--nixos/modules/services/web-apps/c2fmzq-server.nix1
-rw-r--r--nixos/modules/services/web-apps/code-server.nix1
-rw-r--r--nixos/modules/services/web-apps/freshrss.nix7
-rw-r--r--nixos/modules/services/web-apps/healthchecks.nix1
-rw-r--r--nixos/modules/services/web-apps/mattermost.nix4
-rw-r--r--nixos/modules/services/web-apps/moodle.nix7
-rw-r--r--nixos/modules/services/web-apps/netbox.nix20
-rw-r--r--nixos/modules/services/web-apps/nextcloud.nix211
-rw-r--r--nixos/modules/services/web-apps/nifi.nix13
-rw-r--r--nixos/modules/services/web-apps/openvscode-server.nix1
-rw-r--r--nixos/modules/services/web-apps/peering-manager.nix1
-rw-r--r--nixos/modules/services/web-apps/suwayomi-server.md108
-rw-r--r--nixos/modules/services/web-apps/suwayomi-server.nix260
-rw-r--r--nixos/modules/services/web-apps/wordpress.nix10
-rw-r--r--nixos/modules/services/web-apps/writefreely.nix6
-rw-r--r--nixos/modules/services/web-servers/agate.nix1
-rw-r--r--nixos/modules/services/web-servers/mighttpd2.nix1
-rw-r--r--nixos/modules/services/web-servers/minio.nix1
-rw-r--r--nixos/modules/services/web-servers/traefik.nix1
-rw-r--r--nixos/modules/services/web-servers/ttyd.nix3
-rw-r--r--nixos/modules/services/x11/xserver.nix4
-rwxr-xr-xnixos/modules/system/activation/switch-to-configuration.pl12
-rw-r--r--nixos/modules/system/boot/clevis.md6
-rw-r--r--nixos/modules/system/boot/loader/grub/install-grub.pl6
-rw-r--r--nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py89
-rw-r--r--nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix6
-rw-r--r--nixos/modules/system/boot/luksroot.nix4
-rw-r--r--nixos/modules/system/boot/resolved.nix24
-rw-r--r--nixos/modules/system/boot/stage-1-init.sh11
-rw-r--r--nixos/modules/system/boot/systemd.nix25
-rw-r--r--nixos/modules/system/boot/systemd/initrd.nix3
-rw-r--r--nixos/modules/system/boot/systemd/sysusers.nix169
-rw-r--r--nixos/modules/system/boot/systemd/tmpfiles.nix35
-rw-r--r--nixos/modules/system/boot/uki.nix85
-rw-r--r--nixos/modules/system/etc/build-composefs-dump.py209
-rwxr-xr-xnixos/modules/system/etc/check-build-composefs-dump.sh8
-rw-r--r--nixos/modules/system/etc/etc-activation.nix98
-rw-r--r--nixos/modules/system/etc/etc.nix116
-rw-r--r--nixos/modules/tasks/auto-upgrade.nix12
-rw-r--r--nixos/modules/tasks/filesystems/bcachefs.nix9
-rw-r--r--nixos/modules/tasks/filesystems/sshfs.nix7
-rw-r--r--nixos/modules/testing/test-instrumentation.nix5
-rw-r--r--nixos/modules/virtualisation/amazon-image.nix1
-rw-r--r--nixos/modules/virtualisation/incus.nix9
-rw-r--r--nixos/modules/virtualisation/lxd.nix6
-rw-r--r--nixos/modules/virtualisation/oci-containers.nix1
-rw-r--r--nixos/modules/virtualisation/podman/default.nix33
171 files changed, 3014 insertions, 601 deletions
diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix
index bc6583442edf..a8476bd2aaed 100644
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -214,7 +214,8 @@ in
       ''
         # Create the required /bin/sh symlink; otherwise lots of things
         # (notably the system() function) won't work.
-        mkdir -m 0755 -p /bin
+        mkdir -p /bin
+        chmod 0755 /bin
         ln -sfn "${cfg.binsh}" /bin/.sh.tmp
         mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh
       '';
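Review bot: The split into `mkdir -p /bin` and `chmod 0755 /bin` changes behaviour for a pre-existing /bin: `mkdir -m` only applied the mode to a directory it created, while the new `chmod` resets the mode every activation, and it would also follow /bin if it were ever a symlink. That is probably the intent, but nothing in the hunk says so, and a reader could "simplify" it back later; a one-line comment would pin it down, e.g. `# chmod separately so an existing /bin is also forced to 0755, not only a freshly created one`. The surrounding activation-script attribute starts before this hunk.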
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 2aed620eb154..967ad0846d75 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -685,7 +685,7 @@ in {
       shadow.gid = ids.gids.shadow;
     };
 
-    system.activationScripts.users = {
+    system.activationScripts.users = if !config.systemd.sysusers.enable then {
       supportsDryActivation = true;
       text = ''
         install -m 0700 -d /root
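Review bot: When `config.systemd.sysusers.enable` is set the whole users script is replaced by `""`, which also drops the `install -m 0700 -d /root` shown in this hunk, not only the perl user/group update. Presumably the new sysusers.nix in this commit (or a tmpfiles entry) creates /root with mode 0700 in that mode, but that is not visible here and should be confirmed, since a missing or world-readable /root would be noticed late. A short comment on the `else ""` branch naming where /root and the other side effects of this script are handled under sysusers would help the next reader. The script body continues past the end of this hunk.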
@@ -694,7 +694,7 @@ in {
         ${pkgs.perl.withPackages (p: [ p.FileSlurp p.JSON ])}/bin/perl \
         -w ${./update-users-groups.pl} ${spec}
       '';
-    };
+    } else ""; # keep around for backwards compatibility
 
     system.activationScripts.update-lingering = let
       lingerDir = "/var/lib/systemd/linger";
@@ -711,7 +711,9 @@ in {
     '';
 
     # Warn about user accounts with deprecated password hashing schemes
-    system.activationScripts.hashes = {
+    # This does not work when the users and groups are created by
+    # systemd-sysusers because the users are created too late then.
+    system.activationScripts.hashes = if !config.systemd.sysusers.enable then {
       deps = [ "users" ];
       text = ''
         users=()
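Review bot: With sysusers enabled the deprecated-password-hash warning is not emitted at all, and the added comment only explains why the activation script cannot do it, not that the check is gone. Users who opt into sysusers therefore silently lose the only notice about weak hashing schemes in /etc/shadow. I would extend the comment to say so explicitly, e.g. `# With sysusers enabled no warning is emitted; the check would have to run after sysusers, e.g. from a later unit.`, so the gap is documented until a replacement exists. The `else ""` for this script lands in the next hunk.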
@@ -729,7 +731,7 @@ in {
           printf ' - %s\n' "''${users[@]}"
         fi
       '';
-    };
+    } else ""; # keep around for backwards compatibility
 
     # for backwards compatibility
     system.activationScripts.groups = stringAfter [ "users" ] "";
diff --git a/nixos/modules/hardware/corectrl.nix b/nixos/modules/hardware/corectrl.nix
index 8ef61a158d5c..b1d3f2f0ce7e 100644
--- a/nixos/modules/hardware/corectrl.nix
+++ b/nixos/modules/hardware/corectrl.nix
@@ -12,6 +12,10 @@ in
       Add your user to the corectrl group to run corectrl without needing to enter your password
     '');
 
+    package = mkPackageOption pkgs "corectrl" {
+      extraDescription = "Useful for overriding the configuration options used for the package.";
+    };
+
     gpuOverclock = {
       enable = mkEnableOption (lib.mdDoc ''
         GPU overclocking
@@ -32,9 +36,9 @@ in
 
   config = mkIf cfg.enable (lib.mkMerge [
     {
-      environment.systemPackages = [ pkgs.corectrl ];
+      environment.systemPackages = [ cfg.package ];
 
-      services.dbus.packages = [ pkgs.corectrl ];
+      services.dbus.packages = [ cfg.package ];
 
       users.groups.corectrl = { };
 
diff --git a/nixos/modules/image/repart-image.nix b/nixos/modules/image/repart-image.nix
index b4a1dfe51ff3..a12b4fb14fb1 100644
--- a/nixos/modules/image/repart-image.nix
+++ b/nixos/modules/image/repart-image.nix
@@ -10,6 +10,8 @@
 , systemd
 , fakeroot
 , util-linux
+
+  # filesystem tools
 , dosfstools
 , mtools
 , e2fsprogs
@@ -18,8 +20,13 @@
 , btrfs-progs
 , xfsprogs
 
+  # compression tools
+, zstd
+, xz
+
   # arguments
-, name
+, imageFileBasename
+, compression
 , fileSystems
 , partitions
 , split
@@ -52,14 +59,25 @@ let
   };
 
   fileSystemTools = builtins.concatMap (f: fileSystemToolMapping."${f}") fileSystems;
+
+  compressionPkg = {
+    "zstd" = zstd;
+    "xz" = xz;
+  }."${compression.algorithm}";
+
+  compressionCommand = {
+    "zstd" = "zstd --no-progress --threads=0 -${toString compression.level}";
+    "xz" = "xz --keep --verbose --threads=0 -${toString compression.level}";
+  }."${compression.algorithm}";
 in
 
-runCommand name
+runCommand imageFileBasename
 {
   nativeBuildInputs = [
     systemd
     fakeroot
     util-linux
+    compressionPkg
   ] ++ fileSystemTools;
 } ''
   amendedRepartDefinitions=$(${amendRepartDefinitions} ${partitions} ${definitionsDirectory})
@@ -67,6 +85,7 @@ runCommand name
   mkdir -p $out
   cd $out
 
+  echo "Building image with systemd-repart..."
   unshare --map-root-user fakeroot systemd-repart \
     --dry-run=no \
     --empty=create \
@@ -75,6 +94,17 @@ runCommand name
     --definitions="$amendedRepartDefinitions" \
     --split="${lib.boolToString split}" \
     --json=pretty \
-    image.raw \
+    ${imageFileBasename}.raw \
     | tee repart-output.json
+
+  # Compression is implemented in the same derivation as opposed to in a
+  # separate derivation to allow users to save disk space. Disk images are
+  # already very space intensive so we want to allow users to mitigate this.
+  if ${lib.boolToString compression.enable}; then
+    for f in ${imageFileBasename}*; do
+      echo "Compressing $f with ${compression.algorithm}..."
+      # Keep the original file when compressing and only delete it afterwards
+      ${compressionCommand} $f && rm $f
+    done
+  fi
 ''
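Review bot: `$f` is unquoted in both the compression call and the `rm`, and the loop variable comes from a glob on `${imageFileBasename}*`; quoting it costs nothing and avoids surprises if the basename ever contains glob or whitespace characters: `${compressionCommand} "$f" && rm "$f"`. Separately, `compressionCommand` (defined in the earlier hunk of this file) passes `--threads=0` to xz, and as far as I recall xz's multi-threaded and single-threaded modes do not produce byte-identical streams, so the derivation output may depend on the builder's core count; zstd documents its output as thread-independent. If reproducible image hashes matter here, pinning the xz thread count (or noting the caveat in the comment above the loop) would be worth it.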
diff --git a/nixos/modules/image/repart.nix b/nixos/modules/image/repart.nix
index da4f45d9a639..ed584d9bf997 100644
--- a/nixos/modules/image/repart.nix
+++ b/nixos/modules/image/repart.nix
@@ -66,7 +66,53 @@ in
 
     name = lib.mkOption {
       type = lib.types.str;
-      description = lib.mdDoc "The name of the image.";
+      description = lib.mdDoc ''
+        Name of the image.
+
+        If this option is unset but config.system.image.id is set,
+        config.system.image.id is used as the default value.
+      '';
+    };
+
+    version = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = config.system.image.version;
+      defaultText = lib.literalExpression "config.system.image.version";
+      description = lib.mdDoc "Version of the image";
+    };
+
+    imageFileBasename = lib.mkOption {
+      type = lib.types.str;
+      readOnly = true;
+      description = lib.mdDoc ''
+        Basename of the image filename without any extension (e.g. `image_1`).
+      '';
+    };
+
+    imageFile = lib.mkOption {
+      type = lib.types.str;
+      readOnly = true;
+      description = lib.mdDoc ''
+        Filename of the image including all extensions (e.g `image_1.raw` or
+        `image_1.raw.zst`).
+      '';
+    };
+
+    compression = {
+      enable = lib.mkEnableOption (lib.mdDoc "Image compression");
+
+      algorithm = lib.mkOption {
+        type = lib.types.enum [ "zstd" "xz" ];
+        default = "zstd";
+        description = lib.mdDoc "Compression algorithm";
+      };
+
+      level = lib.mkOption {
+        type = lib.types.int;
+        description = lib.mdDoc ''
+          Compression level. The available range depends on the used algorithm.
+        '';
+      };
     };
 
     seed = lib.mkOption {
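Review bot: `version` is typed `lib.types.nullOr lib.types.str` but flows straight into `imageFileBasename` and so into the derivation name and output filenames, so an explicitly set value with `/`, spaces or uppercase would produce a confusing build failure rather than an option error. The default `config.system.image.version` is already restricted to `^[a-z0-9._-]+$` in version.nix, and mirroring that here keeps the two in sync: `type = lib.types.nullOr (lib.types.strMatching "^[a-z0-9._-]+$");`. The same consideration applies to `name` (`lib.types.str`) a few lines above, which is pre-existing.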
@@ -131,6 +177,32 @@ in
 
   config = {
 
+    image.repart =
+      let
+        version = config.image.repart.version;
+        versionInfix = if version != null then "_${version}" else "";
+        compressionSuffix = lib.optionalString cfg.compression.enable
+          {
+            "zstd" = ".zst";
+            "xz" = ".xz";
+          }."${cfg.compression.algorithm}";
+      in
+      {
+        name = lib.mkIf (config.system.image.id != null) (lib.mkOptionDefault config.system.image.id);
+        imageFileBasename = cfg.name + versionInfix;
+        imageFile = cfg.imageFileBasename + ".raw" + compressionSuffix;
+
+        compression = {
+          # Generally default to slightly faster than default compression
+          # levels under the assumption that most of the building will be done
+          # for development and release builds will be customized.
+          level = lib.mkOptionDefault {
+            "zstd" = 3;
+            "xz" = 3;
+          }."${cfg.compression.algorithm}";
+        };
+      };
+
     system.build.image =
       let
         fileSystems = lib.filter
@@ -160,7 +232,7 @@ in
       in
       pkgs.callPackage ./repart-image.nix {
         systemd = cfg.package;
-        inherit (cfg) name split seed;
+        inherit (cfg) imageFileBasename compression split seed;
         inherit fileSystems definitionsDirectory partitions;
       };
 
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index 45dbf45b3ae7..c929c3b37285 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -28,6 +28,8 @@ let
     DOCUMENTATION_URL = lib.optionalString (cfg.distroId == "nixos") "https://nixos.org/learn.html";
     SUPPORT_URL = lib.optionalString (cfg.distroId == "nixos") "https://nixos.org/community.html";
     BUG_REPORT_URL = lib.optionalString (cfg.distroId == "nixos") "https://github.com/NixOS/nixpkgs/issues";
+    IMAGE_ID = lib.optionalString (config.system.image.id != null) config.system.image.id;
+    IMAGE_VERSION = lib.optionalString (config.system.image.version != null) config.system.image.version;
   } // lib.optionalAttrs (cfg.variant_id != null) {
     VARIANT_ID = cfg.variant_id;
   };
@@ -110,6 +112,38 @@ in
       example = "installer";
     };
 
+    image = {
+
+      id = lib.mkOption {
+        type = types.nullOr (types.strMatching "^[a-z0-9._-]+$");
+        default = null;
+        description = lib.mdDoc ''
+          Image identifier.
+
+          This corresponds to the IMAGE_ID field in os-release. See the
+          upstream docs for more details on valid characters for this field:
+          https://www.freedesktop.org/software/systemd/man/latest/os-release.html#IMAGE_ID=
+
+          You would only want to set this option if you're build NixOS appliance images.
+        '';
+      };
+
+      version = lib.mkOption {
+        type = types.nullOr (types.strMatching "^[a-z0-9._-]+$");
+        default = null;
+        description = lib.mdDoc ''
+          Image version.
+
+          This corresponds to the IMAGE_VERSION field in os-release. See the
+          upstream docs for more details on valid characters for this field:
+          https://www.freedesktop.org/software/systemd/man/latest/os-release.html#IMAGE_VERSION=
+
+          You would only want to set this option if you're build NixOS appliance images.
+        '';
+      };
+
+    };
+
     stateVersion = mkOption {
       type = types.str;
       # TODO Remove this and drop the default of the option so people are forced to set it.
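Review bot: Both new option descriptions contain the typo "if you're build NixOS appliance images"; it should read "if you're building NixOS appliance images" for `image.id` and `image.version` alike. Otherwise the wording is fine and the `strMatching` types match the character set the linked os-release documentation allows.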
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e6fffd4716de..c2bcb2f78080 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -195,7 +195,6 @@
   ./programs/haguichi.nix
   ./programs/hamster.nix
   ./programs/htop.nix
-  ./programs/hyprland.nix
   ./programs/iay.nix
   ./programs/iftop.nix
   ./programs/i3lock.nix
@@ -273,6 +272,7 @@
   ./programs/wavemon.nix
   ./programs/wayland/cardboard.nix
   ./programs/wayland/labwc.nix
+  ./programs/wayland/hyprland.nix
   ./programs/wayland/river.nix
   ./programs/wayland/sway.nix
   ./programs/wayland/waybar.nix
@@ -446,6 +446,7 @@
   ./services/databases/postgresql.nix
   ./services/databases/redis.nix
   ./services/databases/surrealdb.nix
+  ./services/databases/tigerbeetle.nix
   ./services/databases/victoriametrics.nix
   ./services/desktops/accountsservice.nix
   ./services/desktops/ayatana-indicators.nix
@@ -506,7 +507,7 @@
   ./services/editors/haste.nix
   ./services/editors/infinoted.nix
   ./services/finance/odoo.nix
-  ./services/games/asf.nix
+  ./services/games/archisteamfarm.nix
   ./services/games/crossfire-server.nix
   ./services/games/deliantra-server.nix
   ./services/games/factorio.nix
@@ -633,6 +634,7 @@
   ./services/matrix/appservice-irc.nix
   ./services/matrix/conduit.nix
   ./services/matrix/dendrite.nix
+  ./services/matrix/hebbot.nix
   ./services/matrix/maubot.nix
   ./services/matrix/mautrix-facebook.nix
   ./services/matrix/mautrix-telegram.nix
@@ -832,6 +834,7 @@
   ./services/monitoring/riemann-dash.nix
   ./services/monitoring/riemann-tools.nix
   ./services/monitoring/riemann.nix
+  ./services/monitoring/rustdesk-server.nix
   ./services/monitoring/scollector.nix
   ./services/monitoring/smartd.nix
   ./services/monitoring/snmpd.nix
@@ -849,6 +852,7 @@
   ./services/monitoring/vmagent.nix
   ./services/monitoring/vmalert.nix
   ./services/monitoring/vnstat.nix
+  ./services/monitoring/watchdogd.nix
   ./services/monitoring/zabbix-agent.nix
   ./services/monitoring/zabbix-proxy.nix
   ./services/monitoring/zabbix-server.nix
@@ -1339,6 +1343,7 @@
   ./services/web-apps/restya-board.nix
   ./services/web-apps/rimgo.nix
   ./services/web-apps/sftpgo.nix
+  ./services/web-apps/suwayomi-server.nix
   ./services/web-apps/rss-bridge.nix
   ./services/web-apps/selfoss.nix
   ./services/web-apps/shiori.nix
@@ -1466,6 +1471,7 @@
   ./system/boot/stratisroot.nix
   ./system/boot/modprobe.nix
   ./system/boot/networkd.nix
+  ./system/boot/uki.nix
   ./system/boot/unl0kr.nix
   ./system/boot/plymouth.nix
   ./system/boot/resolved.nix
@@ -1486,6 +1492,7 @@
   ./system/boot/systemd/repart.nix
   ./system/boot/systemd/shutdown.nix
   ./system/boot/systemd/sysupdate.nix
+  ./system/boot/systemd/sysusers.nix
   ./system/boot/systemd/tmpfiles.nix
   ./system/boot/systemd/user.nix
   ./system/boot/systemd/userdbd.nix
@@ -1513,6 +1520,7 @@
   ./tasks/filesystems/nfs.nix
   ./tasks/filesystems/ntfs.nix
   ./tasks/filesystems/reiserfs.nix
+  ./tasks/filesystems/sshfs.nix
   ./tasks/filesystems/squashfs.nix
   ./tasks/filesystems/unionfs-fuse.nix
   ./tasks/filesystems/vboxsf.nix
diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix
index 58f07b050b5c..0b10c0414147 100644
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@@ -39,6 +39,9 @@ with lib;
     # Allow the user to log in as root without a password.
     users.users.root.initialHashedPassword = "";
 
+    # Don't require sudo/root to `reboot` or `poweroff`.
+    security.polkit.enable = true;
+
     # Allow passwordless sudo from nixos user
     security.sudo = {
       enable = mkDefault true;
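Review bot: `security.polkit.enable = true;` is set unconditionally while the neighbouring sudo settings use `mkDefault`, so a configuration importing this profile can no longer turn polkit off without `mkForce`. For consistency with the rest of the profile I would write `security.polkit.enable = mkDefault true;`. The enclosing `config` block starts before this hunk.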
diff --git a/nixos/modules/profiles/perlless.nix b/nixos/modules/profiles/perlless.nix
new file mode 100644
index 000000000000..90abd14f077e
--- /dev/null
+++ b/nixos/modules/profiles/perlless.nix
@@ -0,0 +1,31 @@
+# WARNING: If you enable this profile, you will NOT be able to switch to a new
+# configuration and thus you will not be able to rebuild your system with
+# nixos-rebuild!
+
+{ lib, ... }:
+
+{
+
+  # Disable switching to a new configuration. This is not a necessary
+  # limitation of a perlless system but just a current one. In the future,
+  # perlless switching might be possible.
+  system.switch.enable = lib.mkDefault false;
+
+  # Remove perl from activation
+  boot.initrd.systemd.enable = lib.mkDefault true;
+  system.etc.overlay.enable = lib.mkDefault true;
+  systemd.sysusers.enable = lib.mkDefault true;
+
+  # Random perl remnants
+  system.disableInstallerTools = lib.mkDefault true;
+  programs.less.lessopen = lib.mkDefault null;
+  programs.command-not-found.enable = lib.mkDefault false;
+  boot.enableContainers = lib.mkDefault false;
+  environment.defaultPackages = lib.mkDefault [ ];
+  documentation.info.enable = lib.mkDefault false;
+
+  # Check that the system does not contain a Nix store path that contains the
+  # string "perl".
+  system.forbiddenDependenciesRegex = "perl";
+
+}
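Review bot: `system.forbiddenDependenciesRegex = "perl";` is the only setting in this profile without `mkDefault`, and the bare regex matches any store path whose name merely contains that substring, so a package such as "superlu" or "hyperledger" would be rejected as a perl dependency. I cannot see the option's matching semantics on this page, but if it is applied to whole store path names an anchored pattern like `"-perl-"` or `"/perl"` would be more selective, and `lib.mkDefault` would let downstream configs adjust it. A comment stating that the check is deliberately coarse would also be acceptable if the false positives are accepted.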
diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix
index 57cc925be465..1cdf22a7699d 100644
--- a/nixos/modules/programs/light.nix
+++ b/nixos/modules/programs/light.nix
@@ -9,6 +9,7 @@ in
 {
   options = {
     programs.light = {
+
       enable = mkOption {
         default = false;
         type = types.bool;
@@ -17,11 +18,60 @@ in
           and udev rules granting access to members of the "video" group.
         '';
       };
+
+      brightnessKeys = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Whether to enable brightness control with keyboard keys.
+
+            This is mainly useful for minimalistic (desktop) environments. You
+            may want to leave this disabled if you run a feature-rich desktop
+            environment such as KDE, GNOME or Xfce as those handle the
+            brightness keys themselves. However, enabling brightness control
+            with this setting makes the control independent of X, so the keys
+            work in non-graphical ttys, so you might want to consider using this
+            instead of the default offered by the desktop environment.
+
+            Enabling this will turn on {option}`services.actkbd`.
+          '';
+        };
+
+        step = mkOption {
+          type = types.int;
+          default = 10;
+          description = ''
+            The percentage value by which to increase/decrease brightness.
+          '';
+        };
+
+      };
+
     };
   };
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.light ];
     services.udev.packages = [ pkgs.light ];
+    services.actkbd = mkIf cfg.brightnessKeys.enable {
+      enable = true;
+      bindings = let
+        light = "${pkgs.light}/bin/light";
+        step = toString cfg.brightnessKeys.step;
+      in [
+        {
+          keys = [ 224 ];
+          events = [ "key" ];
+          # Use minimum brightness 0.1 so the display won't go totally black.
+          command = "${light} -N 0.1 && ${light} -U ${step}";
+        }
+        {
+          keys = [ 225 ];
+          events = [ "key" ];
+          command = "${light} -A ${step}";
+        }
+      ];
+    };
   };
 }
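Review bot: `brightnessKeys.step` is typed `types.int`, so `0` or a negative value passes evaluation and only misbehaves at runtime when passed to `light -U`/`-A`; `type = types.ints.positive;` expresses the intent at option level. The key codes `224` and `225` are the Linux input-event codes KEY_BRIGHTNESSDOWN and KEY_BRIGHTNESSUP, and naming them in a comment next to each binding would save the next reader a lookup. The `options` block being extended begins before the first hunk of this file.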
diff --git a/nixos/modules/programs/regreet.nix b/nixos/modules/programs/regreet.nix
index 0c44d717044e..55d0c11781ab 100644
--- a/nixos/modules/programs/regreet.nix
+++ b/nixos/modules/programs/regreet.nix
@@ -78,11 +78,15 @@ in
         else settingsFormat.generate "regreet.toml" cfg.settings;
     };
 
-    systemd.tmpfiles.rules = let
-      group = config.users.users.${config.services.greetd.settings.default_session.user}.group;
-    in [
-      "d /var/log/regreet 0755 greeter ${group} - -"
-      "d /var/cache/regreet 0755 greeter ${group} - -"
-    ];
+    systemd.tmpfiles.settings."10-regreet" = let
+      defaultConfig = {
+        user = "greeter";
+        group = config.users.users.${config.services.greetd.settings.default_session.user}.group;
+        mode = "0755";
+      };
+    in {
+      "/var/log/regreet".d = defaultConfig;
+      "/var/cache/regreet".d = defaultConfig;
+    };
   };
 }
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index c39a3c8d509b..0c1461709c22 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -12,6 +12,7 @@ let
     ''
       #! ${pkgs.runtimeShell} -e
       export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
+      export XAUTHORITY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^XAUTHORITY=\(.*\)/\1/; t; d')"
       export WAYLAND_DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^WAYLAND_DISPLAY=\(.*\)/\1/; t; d')"
       exec ${cfg.askPassword} "$@"
     '';
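Review bot: The new `export XAUTHORITY="$(... | sed ...)"` sets XAUTHORITY to the empty string whenever the systemd user environment does not carry it, and unlike DISPLAY an empty value is not harmless: as far as I recall libXau uses the variable when it is set at all, so an empty path replaces the default ~/.Xauthority and X authentication fails in sessions that import DISPLAY but not XAUTHORITY. Only exporting a non-empty value avoids that regression: `XAUTHORITY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^XAUTHORITY=\(.*\)/\1/; t; d')"` followed by `[ -n "$XAUTHORITY" ] && export XAUTHORITY`; with `-e` the failing test in an `&&` list does not abort the script.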
diff --git a/nixos/modules/programs/hyprland.nix b/nixos/modules/programs/wayland/hyprland.nix
index 9061ce5da83a..9061ce5da83a 100644
--- a/nixos/modules/programs/hyprland.nix
+++ b/nixos/modules/programs/wayland/hyprland.nix
diff --git a/nixos/modules/security/acme/default.md b/nixos/modules/security/acme/default.md
index 51ee0428d84e..38fbfbf0caec 100644
--- a/nixos/modules/security/acme/default.md
+++ b/nixos/modules/security/acme/default.md
@@ -72,7 +72,7 @@ services.nginx = {
       };
     };
   };
-}
+};
 ```
 
 ## Using ACME certificates in Apache/httpd {#module-security-acme-httpd}
@@ -111,7 +111,7 @@ services.nginx = {
       };
     };
   };
-}
+};
 # Alternative config for Apache
 users.users.wwwrun.extraGroups = [ "acme" ];
 services.httpd = {
@@ -131,7 +131,7 @@ services.httpd = {
       '';
     };
   };
-}
+};
 ```
 
 Now you need to configure ACME to generate a certificate.
@@ -181,7 +181,7 @@ services.bind = {
       extraConfig = "allow-update { key rfc2136key.example.com.; };";
     }
   ];
-}
+};
 
 # Now we can configure ACME
 security.acme.acceptTerms = true;
@@ -271,7 +271,7 @@ services.nginx = {
       acmeRoot = null;
     };
   };
-}
+};
 ```
 
 And that's it! Next time your configuration is rebuilt, or when
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index 7cc302969fb6..40d9c487996b 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -897,10 +897,10 @@ in {
         certs = attrValues cfg.certs;
       in [
         {
-          assertion = cfg.email != null || all (certOpts: certOpts.email != null) certs;
+          assertion = cfg.defaults.email != null || all (certOpts: certOpts.email != null) certs;
           message = ''
             You must define `security.acme.certs.<name>.email` or
-            `security.acme.email` to register with the CA. Note that using
+            `security.acme.defaults.email` to register with the CA. Note that using
             many different addresses for certs may trigger account rate limits.
           '';
         }
diff --git a/nixos/modules/services/audio/gmediarender.nix b/nixos/modules/services/audio/gmediarender.nix
index 545f2b1a2b60..a4cb89098db7 100644
--- a/nixos/modules/services/audio/gmediarender.nix
+++ b/nixos/modules/services/audio/gmediarender.nix
@@ -64,6 +64,7 @@ in
   config = mkIf cfg.enable {
     systemd = {
       services.gmediarender = {
+        wants = [ "network-online.target" ];
         after = [ "network-online.target" ];
         wantedBy = [ "multi-user.target" ];
         description = "gmediarender server daemon";
diff --git a/nixos/modules/services/audio/jmusicbot.nix b/nixos/modules/services/audio/jmusicbot.nix
index fd1d4da19284..e7803677d0fd 100644
--- a/nixos/modules/services/audio/jmusicbot.nix
+++ b/nixos/modules/services/audio/jmusicbot.nix
@@ -26,6 +26,7 @@ in
   config = mkIf cfg.enable {
     systemd.services.jmusicbot = {
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       description = "Discord music bot that's easy to set up and run yourself!";
       serviceConfig = mkMerge [{
diff --git a/nixos/modules/services/audio/mopidy.nix b/nixos/modules/services/audio/mopidy.nix
index 9d8e67b0ea47..8eebf0f9d1e1 100644
--- a/nixos/modules/services/audio/mopidy.nix
+++ b/nixos/modules/services/audio/mopidy.nix
@@ -70,9 +70,10 @@ in {
 
   config = mkIf cfg.enable {
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' - mopidy mopidy - -"
-    ];
+    systemd.tmpfiles.settings."10-mopidy".${cfg.dataDir}.d = {
+      user = "mopidy";
+      group = "mopidy";
+    };
 
     systemd.services.mopidy = {
       wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/audio/spotifyd.nix b/nixos/modules/services/audio/spotifyd.nix
index 975be5a87cba..1194b6f200d7 100644
--- a/nixos/modules/services/audio/spotifyd.nix
+++ b/nixos/modules/services/audio/spotifyd.nix
@@ -50,6 +50,7 @@ in
 
     systemd.services.spotifyd = {
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" "sound.target" ];
       description = "spotifyd, a Spotify playing daemon";
       environment.SHELL = "/bin/sh";
diff --git a/nixos/modules/services/audio/ympd.nix b/nixos/modules/services/audio/ympd.nix
index b74cc3f9c0b4..6e8d22dab3c8 100644
--- a/nixos/modules/services/audio/ympd.nix
+++ b/nixos/modules/services/audio/ympd.nix
@@ -50,6 +50,7 @@ in {
       description = "Standalone MPD Web GUI written in C";
 
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
 
       serviceConfig = {
diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix
index 446d19b8fd5a..9f702b17937c 100644
--- a/nixos/modules/services/continuous-integration/buildbot/master.nix
+++ b/nixos/modules/services/continuous-integration/buildbot/master.nix
@@ -267,7 +267,7 @@ in {
 
     systemd.services.buildbot-master = {
       description = "Buildbot Continuous Integration Server.";
-      after = [ "network-online.target" ];
+      after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       path = cfg.packages ++ cfg.pythonPackages python.pkgs;
       environment.PYTHONPATH = "${python.withPackages (self: cfg.pythonPackages self ++ [ package ])}/${python.sitePackages}";
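Review bot: Swapping `after = [ "network-online.target" ]` for `after = [ "network.target" ]` loosens start-up ordering for buildbot-master: it may now start before any address is configured, which is the opposite direction from the other hunks in this diff, which keep `network-online.target` in `after` and add `wants = [ "network-online.target" ];` next to it. If the intent is that the master only listens and therefore does not need the network to be online, a comment such as `# listens only; does not need network-online.target` would record that. If it does need outbound connectivity at start (database, workers it contacts), keep `after = [ "network-online.target" ];` and add `wants = [ "network-online.target" ];`. The enclosing `systemd.services.buildbot-master` attribute set continues outside the hunk.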
diff --git a/nixos/modules/services/continuous-integration/gitea-actions-runner.nix b/nixos/modules/services/continuous-integration/gitea-actions-runner.nix
index 3f2be9464849..06f0da3451a6 100644
--- a/nixos/modules/services/continuous-integration/gitea-actions-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitea-actions-runner.nix
@@ -188,6 +188,7 @@ in
         nameValuePair "gitea-runner-${escapeSystemdPath name}" {
           inherit (instance) enable;
           description = "Gitea Actions Runner";
+          wants = [ "network-online.target" ];
           after = [
             "network-online.target"
           ] ++ optionals (wantsDocker) [
diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix
index 2335826e8b66..b9b1ea05e967 100644
--- a/nixos/modules/services/continuous-integration/github-runner/options.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/options.nix
@@ -153,6 +153,7 @@ with lib;
     type = types.attrs;
     description = lib.mdDoc ''
       Modify the systemd service. Can be used to, e.g., adjust the sandboxing options.
+      See {manpage}`systemd.exec(5)` for more options.
     '';
     example = {
       ProtectHome = false;
diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix
index 46b03bba37be..54bbe69703f9 100644
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -393,6 +393,7 @@ in
     systemd.services.hydra-evaluator =
       { wantedBy = [ "multi-user.target" ];
         requires = [ "hydra-init.service" ];
+        wants = [ "network-online.target" ];
         after = [ "hydra-init.service" "network.target" "network-online.target" ];
         path = with pkgs; [ hydra-package nettools jq ];
         restartTriggers = [ hydraConf ];
diff --git a/nixos/modules/services/databases/firebird.nix b/nixos/modules/services/databases/firebird.nix
index 36c12eaaf5f1..431233ce5ed4 100644
--- a/nixos/modules/services/databases/firebird.nix
+++ b/nixos/modules/services/databases/firebird.nix
@@ -143,7 +143,7 @@ in
       # ConnectionTimeout = 180
 
       #RemoteServiceName = gds_db
-      RemoteServicePort = ${cfg.port}
+      RemoteServicePort = ${toString cfg.port}
 
       # randomly choose port for server Event Notification
       #RemoteAuxPort = 0
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix
index d1574c98fe67..e821da8e58aa 100644
--- a/nixos/modules/services/databases/lldap.nix
+++ b/nixos/modules/services/databases/lldap.nix
@@ -104,6 +104,7 @@ in
   config = lib.mkIf cfg.enable {
     systemd.services.lldap = {
       description = "Lightweight LDAP server (lldap)";
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index a7a0909f55e1..df36e37976a4 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -294,6 +294,7 @@ in {
         "man:slapd-mdb"
       ];
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       serviceConfig = {
         User = cfg.user;
diff --git a/nixos/modules/services/databases/tigerbeetle.md b/nixos/modules/services/databases/tigerbeetle.md
new file mode 100644
index 000000000000..47394d443059
--- /dev/null
+++ b/nixos/modules/services/databases/tigerbeetle.md
@@ -0,0 +1,33 @@
+# TigerBeetle {#module-services-tigerbeetle}
+
+*Source:* {file}`modules/services/databases/tigerbeetle.nix`
+
+*Upstream documentation:* <https://docs.tigerbeetle.com/>
+
+TigerBeetle is a distributed financial accounting database designed for mission critical safety and performance.
+
+To enable TigerBeetle, add the following to your {file}`configuration.nix`:
+```
+  services.tigerbeetle.enable = true;
+```
+
+When first started, the TigerBeetle service will create its data file at {file}`/var/lib/tigerbeetle` unless the file already exists, in which case it will just use the existing file.
+If you make changes to the configuration of TigerBeetle after its data file was already created (for example increasing the replica count), you may need to remove the existing file to avoid conflicts.
+
+## Configuring {#module-services-tigerbeetle-configuring}
+
+By default, TigerBeetle will only listen on a local interface.
+To configure it to listen on a different interface (and to configure it to connect to other replicas, if you're creating more than one), you'll have to set the `addresses` option.
+Note that the TigerBeetle module won't open any firewall ports automatically, so if you configure it to listen on an external interface, you'll need to ensure that connections can reach it:
+
+```
+  services.tigerbeetle = {
+    enable = true;
+    addresses = [ "0.0.0.0:3001" ];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 3001 ];
+```
+
+A complete list of options for TigerBeetle can be found [here](#opt-services.tigerbeetle.enable).
+
diff --git a/nixos/modules/services/databases/tigerbeetle.nix b/nixos/modules/services/databases/tigerbeetle.nix
new file mode 100644
index 000000000000..b90a0703175f
--- /dev/null
+++ b/nixos/modules/services/databases/tigerbeetle.nix
@@ -0,0 +1,115 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.tigerbeetle;
+in
+{
+  meta = {
+    maintainers = with lib.maintainers; [ danielsidhion ];
+    doc = ./tigerbeetle.md;
+    buildDocsInSandbox = true;
+  };
+
+  options = {
+    services.tigerbeetle = with lib; {
+      enable = mkEnableOption (mdDoc "TigerBeetle server");
+
+      package = mkPackageOption pkgs "tigerbeetle" { };
+
+      clusterId = mkOption {
+        type = types.either types.ints.unsigned (types.strMatching "[0-9]+");
+        default = 0;
+        description = lib.mdDoc ''
+          The 128-bit cluster ID used to create the replica data file (if needed).
+          Since Nix only supports integers up to 64 bits, you need to pass a string to this if the cluster ID can't fit in 64 bits.
+          Otherwise, you can pass the cluster ID as either an integer or a string.
+        '';
+      };
+
+      replicaIndex = mkOption {
+        type = types.ints.unsigned;
+        default = 0;
+        description = lib.mdDoc ''
+          The index (starting at 0) of the replica in the cluster.
+        '';
+      };
+
+      replicaCount = mkOption {
+        type = types.ints.unsigned;
+        default = 1;
+        description = lib.mdDoc ''
+          The number of replicas participating in replication of the cluster.
+        '';
+      };
+
+      cacheGridSize = mkOption {
+        type = types.strMatching "[0-9]+(K|M|G)B";
+        default = "1GB";
+        description = lib.mdDoc ''
+          The grid cache size.
+          The grid cache acts like a page cache for TigerBeetle.
+          It is recommended to set this as large as possible.
+        '';
+      };
+
+      addresses = mkOption {
+        type = types.listOf types.nonEmptyStr;
+        default = [ "3001" ];
+        description = lib.mdDoc ''
+          The addresses of all replicas in the cluster.
+          This should be a list of IPv4/IPv6 addresses with port numbers.
+          Either the address or port number (but not both) may be omitted, in which case a default of 127.0.0.1 or 3001 will be used.
+          The first address in the list corresponds to the address for replica 0, the second address for replica 1, and so on.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions =
+      let
+        numAddresses = builtins.length cfg.addresses;
+      in
+      [
+        {
+          assertion = cfg.replicaIndex < cfg.replicaCount;
+          message = "the TigerBeetle replica index must fit the configured replica count";
+        }
+        {
+          assertion = cfg.replicaCount == numAddresses;
+          message = if cfg.replicaCount < numAddresses then "TigerBeetle must not have more addresses than the configured number of replicas" else "TigerBeetle must be configured with the addresses of all replicas";
+        }
+      ];
+
+    systemd.services.tigerbeetle =
+      let
+        replicaDataPath = "/var/lib/tigerbeetle/${builtins.toString cfg.clusterId}_${builtins.toString cfg.replicaIndex}.tigerbeetle";
+      in
+      {
+        description = "TigerBeetle server";
+
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+
+        preStart = ''
+          if ! test -e "${replicaDataPath}"; then
+            ${lib.getExe cfg.package} format --cluster="${builtins.toString cfg.clusterId}" --replica="${builtins.toString cfg.replicaIndex}" --replica-count="${builtins.toString cfg.replicaCount}" "${replicaDataPath}"
+          fi
+        '';
+
+        serviceConfig = {
+          Type = "exec";
+
+          DynamicUser = true;
+          ProtectHome = true;
+          DevicePolicy = "closed";
+
+          StateDirectory = "tigerbeetle";
+          StateDirectoryMode = 700;
+
+          ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
+        };
+      };
+
+    environment.systemPackages = [ cfg.package ];
+  };
+}
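Review bot: The `serviceConfig` starting at `DynamicUser = true;` relies almost entirely on what DynamicUser implies (ProtectSystem=strict, NoNewPrivileges, PrivateTmp, RemoveIPC); the explicit confinement this same diff keeps for archisteamfarm (`SystemCallFilter`, `RestrictNamespaces`, `RestrictRealtime`, `UMask`) is missing, although this daemon is meant to be reachable over the network from other replicas. A hardening block along the lines below narrows the process to what a database replica needs; `RestrictAddressFamilies` and `SystemCallFilter` should be confirmed against the binary (`@system-service` includes `@aio`, which covers io_uring, but that is worth a test run). A minor consistency point: `StateDirectoryMode = 700;` is an integer where archisteamfarm in this diff writes `StateDirectoryMode = "700";`; systemd parses both as octal, but the string form avoids depending on integer-to-string serialization of the unit option.
```nix
        serviceConfig = {
          # … unchanged: Type, DynamicUser, ProtectHome, DevicePolicy, StateDirectory, ExecStart …
          StateDirectoryMode = "700";

          # Explicit sandboxing on top of what DynamicUser already implies
          # (ProtectSystem=strict, NoNewPrivileges, PrivateTmp, RemoveIPC).
          CapabilityBoundingSet = "";
          LockPersonality = true;
          PrivateDevices = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          # TODO(review): confirm no other address families are needed.
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          SystemCallArchitectures = "native";
          # @system-service includes @aio (io_uring); confirm against the binary.
          SystemCallFilter = [ "@system-service" "~@privileged" ];
          UMask = "0077";
        };
```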
diff --git a/nixos/modules/services/desktops/geoclue2.nix b/nixos/modules/services/desktops/geoclue2.nix
index b04f46c26a56..2a68bb0b55f3 100644
--- a/nixos/modules/services/desktops/geoclue2.nix
+++ b/nixos/modules/services/desktops/geoclue2.nix
@@ -200,6 +200,7 @@ in
     };
 
     systemd.services.geoclue = {
+      wants = lib.optionals cfg.enableWifi [ "network-online.target" ];
       after = lib.optionals cfg.enableWifi [ "network-online.target" ];
       # restart geoclue service when the configuration changes
       restartTriggers = [
@@ -217,6 +218,7 @@ in
         # we can't be part of a system service, and the agent should
         # be okay with the main service coming and going
         wantedBy = [ "default.target" ];
+        wants = lib.optionals cfg.enableWifi [ "network-online.target" ];
         after = lib.optionals cfg.enableWifi [ "network-online.target" ];
         unitConfig.ConditionUser = "!@system";
         serviceConfig = {
diff --git a/nixos/modules/services/editors/emacs.nix b/nixos/modules/services/editors/emacs.nix
index 6f45be6640bc..ff6fd85d8a9b 100644
--- a/nixos/modules/services/editors/emacs.nix
+++ b/nixos/modules/services/editors/emacs.nix
@@ -15,25 +15,6 @@ let
     fi
   '';
 
-  desktopApplicationFile = pkgs.writeTextFile {
-    name = "emacsclient.desktop";
-    destination = "/share/applications/emacsclient.desktop";
-    text = ''
-      [Desktop Entry]
-      Name=Emacsclient
-      GenericName=Text Editor
-      Comment=Edit text
-      MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;
-      Exec=emacseditor %F
-      Icon=emacs
-      Type=Application
-      Terminal=false
-      Categories=Development;TextEditor;
-      StartupWMClass=Emacs
-      Keywords=Text;Editor;
-    '';
-  };
-
 in
 {
 
@@ -102,7 +83,7 @@ in
       wantedBy = if cfg.startWithGraphical then [ "graphical-session.target" ] else [ "default.target" ];
     };
 
-    environment.systemPackages = [ cfg.package editorScript desktopApplicationFile ];
+    environment.systemPackages = [ cfg.package editorScript ];
 
     environment.variables.EDITOR = mkIf cfg.defaultEditor (mkOverride 900 "emacseditor");
   };
diff --git a/nixos/modules/services/games/asf.nix b/nixos/modules/services/games/archisteamfarm.nix
index 27d174d6726b..293e341bef38 100644
--- a/nixos/modules/services/games/asf.nix
+++ b/nixos/modules/services/games/archisteamfarm.nix
@@ -1,13 +1,11 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
   cfg = config.services.archisteamfarm;
 
   format = pkgs.formats.json { };
 
-  asf-config = format.generate "ASF.json" (cfg.settings // {
+  configFile = format.generate "ASF.json" (cfg.settings // {
     # we disable it because ASF cannot update itself anyways
     # and nixos takes care of restarting the service
     # is in theory not needed as this is already the default for default builds
@@ -30,8 +28,8 @@ let
 in
 {
   options.services.archisteamfarm = {
-    enable = mkOption {
-      type = types.bool;
+    enable = lib.mkOption {
+      type = lib.types.bool;
       description = lib.mdDoc ''
         If enabled, starts the ArchisSteamFarm service.
         For configuring the SteamGuard token you will need to use the web-ui, which is enabled by default over on 127.0.0.1:1242.
@@ -40,14 +38,14 @@ in
       default = false;
     };
 
-    web-ui = mkOption {
-      type = types.submodule {
+    web-ui = lib.mkOption {
+      type = lib.types.submodule {
         options = {
-          enable = mkEnableOption "" // {
+          enable = lib.mkEnableOption "" // {
             description = lib.mdDoc "Whether to start the web-ui. This is the preferred way of configuring things such as the steam guard token.";
           };
 
-          package = mkPackageOption pkgs [ "ArchiSteamFarm" "ui" ] {
+          package = lib.mkPackageOption pkgs [ "ArchiSteamFarm" "ui" ] {
             extraDescription = ''
               ::: {.note}
               Contents must be in lib/dist
@@ -65,7 +63,7 @@ in
       description = lib.mdDoc "The Web-UI hosted on 127.0.0.1:1242.";
     };
 
-    package = mkPackageOption pkgs "ArchiSteamFarm" {
+    package = lib.mkPackageOption pkgs "ArchiSteamFarm" {
       extraDescription = ''
         ::: {.warning}
         Should always be the latest version, for security reasons,
@@ -74,15 +72,15 @@ in
       '';
     };
 
-    dataDir = mkOption {
-      type = types.path;
-      default = "/var/lib/asf";
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/archisteamfarm";
       description = lib.mdDoc ''
         The ASF home directory used to store all data.
         If left as the default value this directory will automatically be created before the ASF server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.'';
     };
 
-    settings = mkOption {
+    settings = lib.mkOption {
       type = format.type;
       description = lib.mdDoc ''
         The ASF.json file, all the options are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config).
@@ -96,13 +94,13 @@ in
       default = { };
     };
 
-    ipcPasswordFile = mkOption {
-      type = types.nullOr types.path;
+    ipcPasswordFile = lib.mkOption {
+      type = with lib.types; nullOr path;
       default = null;
-      description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `asf` user/group.";
+      description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `archisteamfarm` user/group.";
     };
 
-    ipcSettings = mkOption {
+    ipcSettings = lib.mkOption {
       type = format.type;
       description = lib.mdDoc ''
         Settings to write to IPC.config.
@@ -120,25 +118,25 @@ in
       default = { };
     };
 
-    bots = mkOption {
-      type = types.attrsOf (types.submodule {
+    bots = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
         options = {
-          username = mkOption {
-            type = types.str;
+          username = lib.mkOption {
+            type = lib.types.str;
             description = lib.mdDoc "Name of the user to log in. Default is attribute name.";
             default = "";
           };
-          passwordFile = mkOption {
-            type = types.path;
-            description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `asf` user/group.";
+          passwordFile = lib.mkOption {
+            type = lib.types.path;
+            description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `archisteamfarm` user/group.";
           };
-          enabled = mkOption {
-            type = types.bool;
+          enabled = lib.mkOption {
+            type = lib.types.bool;
             default = true;
             description = lib.mdDoc "Whether to enable the bot on startup.";
           };
-          settings = mkOption {
-            type = types.attrs;
+          settings = lib.mkOption {
+            type = lib.types.attrs;
             description = lib.mdDoc ''
               Additional settings that are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config).
             '';
@@ -152,7 +150,7 @@ in
       example = {
         exampleBot = {
           username = "alice";
-          passwordFile = "/var/lib/asf/secrets/password";
+          passwordFile = "/var/lib/archisteamfarm/secrets/password";
           settings = { SteamParentalCode = "1234"; };
         };
       };
@@ -160,32 +158,34 @@ in
     };
   };
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
+    # TODO: drop with 24.11
+    services.archisteamfarm.dataDir = lib.mkIf (lib.versionAtLeast config.system.stateVersion "24.05") (lib.mkDefault "/var/lib/asf");
 
     users = {
-      users.asf = {
+      users.archisteamfarm = {
         home = cfg.dataDir;
         isSystemUser = true;
-        group = "asf";
+        group = "archisteamfarm";
         description = "Archis-Steam-Farm service user";
       };
-      groups.asf = { };
+      groups.archisteamfarm = { };
     };
 
     systemd.services = {
-      asf = {
+      archisteamfarm = {
         description = "Archis-Steam-Farm Service";
         after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
 
-        serviceConfig = mkMerge [
-          (mkIf (cfg.dataDir == "/var/lib/asf") {
-            StateDirectory = "asf";
+        serviceConfig = lib.mkMerge [
+          (lib.mkIf (lib.hasPrefix "/var/lib/" cfg.dataDir) {
+            StateDirectory = lib.last (lib.splitString "/" cfg.dataDir);
             StateDirectoryMode = "700";
           })
           {
-            User = "asf";
-            Group = "asf";
+            User = "archisteamfarm";
+            Group = "archisteamfarm";
             WorkingDirectory = cfg.dataDir;
             Type = "simple";
             ExecStart = "${lib.getExe cfg.package} --no-restart --process-required --service --system-required --path ${cfg.dataDir}";
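Review bot: The compatibility default `services.archisteamfarm.dataDir = lib.mkIf (lib.versionAtLeast config.system.stateVersion "24.05") (lib.mkDefault "/var/lib/asf");` looks inverted: it keeps the legacy `/var/lib/asf` for systems at stateVersion 24.05 or newer and gives pre-24.05 systems the new `/var/lib/archisteamfarm` default, which is the reverse of what a rename with compatibility intends and would leave existing data behind on upgraded hosts; the condition should read `lib.versionOlder config.system.stateVersion "24.05"`. Separately, `StateDirectory = lib.last (lib.splitString "/" cfg.dataDir);` only reproduces `cfg.dataDir` when it sits exactly one level below `/var/lib/`: a nested directory or a trailing slash passes the `lib.hasPrefix "/var/lib/"` guard but yields a wrong or empty StateDirectory. `StateDirectory = lib.removePrefix "/var/lib/" cfg.dataDir;` handles both cases, since StateDirectory accepts relative sub-paths.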
@@ -217,12 +217,10 @@ in
             RestrictNamespaces = true;
             RestrictRealtime = true;
             RestrictSUIDSGID = true;
-            SystemCallArchitectures = "native";
-            UMask = "0077";
-
-            # we luckily already have systemd v247+
             SecureBits = "noroot-locked";
+            SystemCallArchitectures = "native";
             SystemCallFilter = [ "@system-service" "~@privileged" ];
+            UMask = "0077";
           }
         ];
 
@@ -232,7 +230,7 @@ in
               mkdir -p $out
               # clean potential removed bots
               rm -rf $out/*.json
-              for i in ${strings.concatStringsSep " " (lists.map (x: "${getName x},${x}") (attrsets.mapAttrsToList mkBot cfg.bots))}; do IFS=",";
+              for i in ${lib.concatStringsSep " " (map (x: "${lib.getName x},${x}") (lib.mapAttrsToList mkBot cfg.bots))}; do IFS=",";
                 set -- $i
                 ln -fs $2 $out/$1
               done
@@ -242,22 +240,22 @@ in
           ''
             mkdir -p config
 
-            cp --no-preserve=mode ${asf-config} config/ASF.json
+            cp --no-preserve=mode ${configFile} config/ASF.json
 
-            ${optionalString (cfg.ipcPasswordFile != null) ''
+            ${lib.optionalString (cfg.ipcPasswordFile != null) ''
               ${replaceSecretBin} '#ipcPassword#' '${cfg.ipcPasswordFile}' config/ASF.json
             ''}
 
-            ${optionalString (cfg.ipcSettings != {}) ''
+            ${lib.optionalString (cfg.ipcSettings != {}) ''
               ln -fs ${ipc-config} config/IPC.config
             ''}
 
-            ${optionalString (cfg.ipcSettings != {}) ''
+            ${lib.optionalString (cfg.ipcSettings != {}) ''
               ln -fs ${createBotsScript}/* config/
             ''}
 
             rm -f www
-            ${optionalString cfg.web-ui.enable ''
+            ${lib.optionalString cfg.web-ui.enable ''
               ln -s ${cfg.web-ui.package}/ www
             ''}
           '';
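Review bot: The bot configuration links at `${lib.optionalString (cfg.ipcSettings != {}) '' ln -fs ${createBotsScript}/* config/ ''}` are gated on `cfg.ipcSettings`, the same condition as the `IPC.config` link directly above, so bot configs are only installed when IPC settings happen to be set. This looks like a copy-paste slip the rename did not touch; the condition should presumably be `cfg.bots != { }`, to be confirmed against how `createBotsScript` (defined outside this hunk) behaves with an empty `bots` set.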
@@ -267,6 +265,6 @@ in
 
   meta = {
     buildDocsInSandbox = false;
-    maintainers = with maintainers; [ lom SuperSandro2000 ];
+    maintainers = with lib.maintainers; [ lom SuperSandro2000 ];
   };
 }
diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix
index 6b3a109ed6f7..6fbcbe676460 100644
--- a/nixos/modules/services/hardware/fwupd.nix
+++ b/nixos/modules/services/hardware/fwupd.nix
@@ -16,6 +16,7 @@ let
     "fwupd/fwupd.conf" = {
       source = format.generate "fwupd.conf" {
         fwupd = cfg.daemonSettings;
+      } // lib.optionalAttrs (lib.length (lib.attrNames cfg.uefiCapsuleSettings) != 0) {
         uefi_capsule = cfg.uefiCapsuleSettings;
       };
       # fwupd tries to chmod the file if it doesn't have the right permissions
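Review bot: `lib.optionalAttrs (lib.length (lib.attrNames cfg.uefiCapsuleSettings) != 0)` spells out an emptiness check that reads more directly as `lib.optionalAttrs (cfg.uefiCapsuleSettings != { })`, the form used elsewhere in this diff (for example `cfg.ipcSettings != {}` in archisteamfarm). Behaviour is identical; this is a readability point only. The enclosing attribute set starts outside the hunk.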
diff --git a/nixos/modules/services/home-automation/evcc.nix b/nixos/modules/services/home-automation/evcc.nix
index d0ce3fb4a1ce..f360f525b04b 100644
--- a/nixos/modules/services/home-automation/evcc.nix
+++ b/nixos/modules/services/home-automation/evcc.nix
@@ -41,6 +41,7 @@ in
 
   config = mkIf cfg.enable {
     systemd.services.evcc = {
+      wants = [ "network-online.target" ];
       after = [
         "network-online.target"
         "mosquitto.target"
diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix
index bc470576b759..a01628968966 100644
--- a/nixos/modules/services/home-automation/home-assistant.nix
+++ b/nixos/modules/services/home-automation/home-assistant.nix
@@ -435,6 +435,7 @@ in {
 
     systemd.services.home-assistant = {
       description = "Home Assistant";
+      wants = [ "network-online.target" ];
       after = [
         "network-online.target"
 
diff --git a/nixos/modules/services/logging/journaldriver.nix b/nixos/modules/services/logging/journaldriver.nix
index 59eedff90d60..4d21464018aa 100644
--- a/nixos/modules/services/logging/journaldriver.nix
+++ b/nixos/modules/services/logging/journaldriver.nix
@@ -84,6 +84,7 @@ in {
     systemd.services.journaldriver = {
       description = "Stackdriver Logging journal forwarder";
       script      = "${pkgs.journaldriver}/bin/journaldriver";
+      wants       = [ "network-online.target" ];
       after       = [ "network-online.target" ];
       wantedBy    = [ "multi-user.target" ];
 
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 25c7017a1d25..8d298de6945b 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -4,7 +4,9 @@ let
   inherit (lib) any attrValues concatMapStringsSep concatStrings
     concatStringsSep flatten imap1 isList literalExpression mapAttrsToList
     mkEnableOption mkIf mkOption mkRemovedOptionModule optional optionalAttrs
-    optionalString singleton types;
+    optionalString singleton types mkRenamedOptionModule nameValuePair
+    mapAttrs' listToAttrs filter;
+  inherit (lib.strings) match;
 
   cfg = config.services.dovecot2;
   dovecotPkg = pkgs.dovecot;
@@ -12,6 +14,58 @@ let
   baseDir = "/run/dovecot2";
   stateDir = "/var/lib/dovecot";
 
+  sieveScriptSettings = mapAttrs' (to: from: nameValuePair "sieve_${to}" "${stateDir}/sieve/${from}") cfg.sieve.scripts;
+  imapSieveMailboxSettings = listToAttrs (flatten (imap1 (idx: el:
+    singleton {
+      name = "imapsieve_mailbox${toString idx}_name";
+      value = el.name;
+    } ++ optional (el.from != null) {
+      name = "imapsieve_mailbox${toString idx}_from";
+      value = el.from;
+    } ++ optional (el.causes != []) {
+      name = "imapsieve_mailbox${toString idx}_causes";
+      value = concatStringsSep "," el.causes;
+    } ++ optional (el.before != null) {
+      name = "imapsieve_mailbox${toString idx}_before";
+      value = "file:${stateDir}/imapsieve/before/${baseNameOf el.before}";
+    } ++ optional (el.after != null) {
+      name = "imapsieve_mailbox${toString idx}_after";
+      value = "file:${stateDir}/imapsieve/after/${baseNameOf el.after}";
+    }
+  ) cfg.imapsieve.mailbox));
+
+  mkExtraConfigCollisionWarning = term: ''
+    You referred to ${term} in `services.dovecot2.extraConfig`.
+
+    Due to gradual transition to structured configuration for plugin configuration, it is possible
+    this will cause your plugin configuration to be ignored.
+
+    Consider setting `services.dovecot2.pluginSettings.${term}` instead.
+  '';
+
+  # Those settings are automatically set based on other parts
+  # of this module.
+  automaticallySetPluginSettings = [
+    "sieve_plugins"
+    "sieve_extensions"
+    "sieve_global_extensions"
+    "sieve_pipe_bin_dir"
+  ]
+  ++ (builtins.attrNames sieveScriptSettings)
+  ++ (builtins.attrNames imapSieveMailboxSettings);
+
+  # The idea is to match everything that looks like `$term =`
+  # but not `# $term something something`
+  # or `# $term = some value` because those are comments.
+  configContainsSetting = lines: term: (match "^[^#]*\b${term}\b.*=" lines) != null;
+
+  warnAboutExtraConfigCollisions = map mkExtraConfigCollisionWarning (filter (configContainsSetting cfg.extraConfig) automaticallySetPluginSettings);
+
+  sievePipeBinScriptDirectory = pkgs.linkFarm "sieve-pipe-bins" (map (el: {
+      name = builtins.unsafeDiscardStringContext (baseNameOf el);
+      path = el;
+  }) cfg.sieve.pipeBins);
+
   dovecotConf = concatStrings [
     ''
       base_dir = ${baseDir}
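Review bot: `configContainsSetting` at `(match "^[^#]*\b${term}\b.*=" lines) != null` cannot match what it intends: inside a Nix double-quoted string `\b` is just the letter `b`, so the pattern looks for `bsieve_pluginsb`, and `builtins.match` uses POSIX ERE, which has no word-boundary escape in any case; it also matches the whole multi-line `extraConfig`, so `[^#]*` fails as soon as any earlier line contains a `#`. The effect is that `warnAboutExtraConfigCollisions` never fires, which defeats the transition warning this hunk introduces; checking per line with an explicit boundary fixes both (below; `lib.splitString` is available since the file receives `lib`). A second point to confirm: `sieveScriptSettings` emits `${stateDir}/sieve/${from}`, whereas the line it replaces (removed in a later hunk of this file) emitted `${stateDir}/sieve/${to}`; if the preStart, which is outside this view, installs scripts under their `to` name, the new value points at a path that does not exist.
```nix
  # The idea is to match everything that looks like `$term =`
  # but not `# $term something something`
  # or `# $term = some value` because those are comments.
  # Checked per line: in a Nix string "\b" is the letter "b", POSIX ERE has
  # no word boundary, and a whole-string match lets any earlier `#` mask a hit.
  configContainsSetting = lines: term:
    builtins.any
      (line: (match "^([^#]*[^[:alnum:]_])?${term}[[:space:]]*=.*" line) != null)
      (lib.splitString "\n" lines);
```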
@@ -78,14 +132,6 @@ let
     )
 
     (
-      optionalString (cfg.sieveScripts != {}) ''
-        plugin {
-          ${concatStringsSep "\n" (mapAttrsToList (to: from: "sieve_${to} = ${stateDir}/sieve/${to}") cfg.sieveScripts)}
-        }
-      ''
-    )
-
-    (
       optionalString (cfg.mailboxes != {}) ''
         namespace inbox {
           inbox=yes
@@ -116,33 +162,12 @@ let
       ''
     )
 
+    # General plugin settings:
+    # - sieve is mostly generated here, refer to `pluginSettings` to follow
+    # the control flow.
     ''
       plugin {
-        sieve_plugins = ${concatStringsSep " " cfg.sieve.plugins}
-        sieve_extensions = ${concatStringsSep " " (map (el: "+${el}") cfg.sieve.extensions)}
-        sieve_global_extensions = ${concatStringsSep " " (map (el: "+${el}") cfg.sieve.globalExtensions)}
-    ''
-    (optionalString (cfg.imapsieve.mailbox != []) ''
-      ${
-        concatStringsSep "\n" (flatten (imap1 (
-            idx: el:
-              singleton "imapsieve_mailbox${toString idx}_name = ${el.name}"
-              ++ optional (el.from != null) "imapsieve_mailbox${toString idx}_from = ${el.from}"
-              ++ optional (el.causes != null) "imapsieve_mailbox${toString idx}_causes = ${el.causes}"
-              ++ optional (el.before != null) "imapsieve_mailbox${toString idx}_before = file:${stateDir}/imapsieve/before/${baseNameOf el.before}"
-              ++ optional (el.after != null) "imapsieve_mailbox${toString idx}_after = file:${stateDir}/imapsieve/after/${baseNameOf el.after}"
-          )
-          cfg.imapsieve.mailbox))
-      }
-    '')
-    (optionalString (cfg.sieve.pipeBins != []) ''
-        sieve_pipe_bin_dir = ${pkgs.linkFarm "sieve-pipe-bins" (map (el: {
-          name = builtins.unsafeDiscardStringContext (baseNameOf el);
-          path = el;
-        })
-        cfg.sieve.pipeBins)}
-    '')
-    ''
+        ${concatStringsSep "\n" (mapAttrsToList (key: value: "  ${key} = ${value}") cfg.pluginSettings)}
       }
     ''
 
@@ -199,6 +224,7 @@ in
 {
   imports = [
     (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
+    (mkRenamedOptionModule [ "services" "dovecot2" "sieveScripts" ] [ "services" "dovecot2" "sieve" "scripts" ])
   ];
 
   options.services.dovecot2 = {
@@ -337,12 +363,6 @@ in
 
     enableDHE = mkEnableOption (lib.mdDoc "ssl_dh and generation of primes for the key exchange") // { default = true; };
 
-    sieveScripts = mkOption {
-      type = types.attrsOf types.path;
-      default = {};
-      description = lib.mdDoc "Sieve scripts to be executed. Key is a sequence, e.g. 'before2', 'after' etc.";
-    };
-
     showPAMFailure = mkEnableOption (lib.mdDoc "showing the PAM failure message on authentication error (useful for OTPW)");
 
     mailboxes = mkOption {
@@ -376,6 +396,26 @@ in
       description = lib.mdDoc "Quota limit for the user in bytes. Supports suffixes b, k, M, G, T and %.";
     };
 
+
+    pluginSettings = mkOption {
+      # types.str does not coerce from packages, like `sievePipeBinScriptDirectory`.
+      type = types.attrsOf (types.oneOf [ types.str types.package ]);
+      default = {};
+      example = literalExpression ''
+        {
+          sieve = "file:~/sieve;active=~/.dovecot.sieve";
+        }
+      '';
+      description = ''
+        Plugin settings for dovecot in general, e.g. `sieve`, `sieve_default`, etc.
+
+        Some of the other knobs of this module will influence by default the plugin settings, but you
+        can still override any plugin settings.
+
+        If you override a plugin setting, its value is cleared and you have to copy over the defaults.
+      '';
+    };
+
     imapsieve.mailbox = mkOption {
       default = [];
       description = "Configure Sieve filtering rules on IMAP actions";
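Review bot: `pluginSettings` values are written verbatim into the generated `plugin { }` block (one `key = value` line per attribute, joined with newlines), so a value containing a newline or a stray `}` injects further Dovecot directives instead of failing at evaluation time. The comment on the type says the package alternative exists only for `sievePipeBinScriptDirectory`, so the string side can be tightened without losing that: `type = types.attrsOf (types.oneOf [ types.singleLineStr types.package ]);`. Keys are interpolated just as literally, which `attrsOf` cannot constrain, so the description should at least say that names and values are emitted unquoted and unescaped. The consumer of this option lives in another hunk of this file.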
@@ -405,14 +445,14 @@ in
           };
 
           causes = mkOption {
-            default = null;
+            default = [ ];
             description = ''
               Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot2.imapsieve.mailbox.<name>.name when one of the listed IMAPSIEVE causes apply.
 
               This has no effect on the user script, which is always executed no matter the cause.
             '';
-            example = "COPY";
-            type = types.nullOr (types.enum [ "APPEND" "COPY" "FLAG" ]);
+            example = [ "COPY" "APPEND" ];
+            type = types.listOf (types.enum [ "APPEND" "COPY" "FLAG" ]);
           };
 
           before = mkOption {
@@ -462,6 +502,12 @@ in
         type = types.listOf types.str;
       };
 
+      scripts = mkOption {
+        type = types.attrsOf types.path;
+        default = {};
+        description = lib.mdDoc "Sieve scripts to be executed. Key is a sequence, e.g. 'before2', 'after' etc.";
+      };
+
       pipeBins = mkOption {
         default = [];
         example = literalExpression ''
@@ -476,7 +522,6 @@ in
     };
   };
 
-
   config = mkIf cfg.enable {
     security.pam.services.dovecot2 = mkIf cfg.enablePAM {};
 
@@ -501,6 +546,13 @@ in
         ++ optional (cfg.sieve.pipeBins != []) "sieve_extprograms";
 
       sieve.globalExtensions = optional (cfg.sieve.pipeBins != []) "vnd.dovecot.pipe";
+
+      pluginSettings = lib.mapAttrs (n: lib.mkDefault) ({
+        sieve_plugins = concatStringsSep " " cfg.sieve.plugins;
+        sieve_extensions = concatStringsSep " " (map (el: "+${el}") cfg.sieve.extensions);
+        sieve_global_extensions = concatStringsSep " " (map (el: "+${el}") cfg.sieve.globalExtensions);
+        sieve_pipe_bin_dir = sievePipeBinScriptDirectory;
+      } // sieveScriptSettings // imapSieveMailboxSettings);
     };
 
     users.users = {
@@ -556,7 +608,7 @@ in
       # the source file and Dovecot won't try to compile it.
       preStart = ''
         rm -rf ${stateDir}/sieve ${stateDir}/imapsieve
-      '' + optionalString (cfg.sieveScripts != {}) ''
+      '' + optionalString (cfg.sieve.scripts != {}) ''
         mkdir -p ${stateDir}/sieve
         ${concatStringsSep "\n" (
         mapAttrsToList (
@@ -569,7 +621,7 @@ in
             fi
             ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}'
           ''
-        ) cfg.sieveScripts
+        ) cfg.sieve.scripts
       )}
         chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/sieve'
       ''
@@ -600,9 +652,7 @@ in
 
     environment.systemPackages = [ dovecotPkg ];
 
-    warnings = mkIf (any isList options.services.dovecot2.mailboxes.definitions) [
-      "Declaring `services.dovecot2.mailboxes' as a list is deprecated and will break eval in 21.05! See the release notes for more info for migration."
-    ];
+    warnings = warnAboutExtraConfigCollisions;
 
     assertions = [
       {
@@ -615,8 +665,8 @@ in
         message = "dovecot is configured with showPAMFailure while enablePAM is disabled";
       }
       {
-        assertion = cfg.sieveScripts != {} -> (cfg.mailUser != null && cfg.mailGroup != null);
-        message = "dovecot requires mailUser and mailGroup to be set when sieveScripts is set";
+        assertion = cfg.sieve.scripts != {} -> (cfg.mailUser != null && cfg.mailGroup != null);
+        message = "dovecot requires mailUser and mailGroup to be set when `sieve.scripts` is set";
       }
     ];
 
diff --git a/nixos/modules/services/mail/mlmmj.nix b/nixos/modules/services/mail/mlmmj.nix
index 3f07fabcf177..66106a14499b 100644
--- a/nixos/modules/services/mail/mlmmj.nix
+++ b/nixos/modules/services/mail/mlmmj.nix
@@ -143,11 +143,13 @@ in
 
     environment.systemPackages = [ pkgs.mlmmj ];
 
-    systemd.tmpfiles.rules = [
-      ''d "${stateDir}" -''
-      ''d "${spoolDir}/${cfg.listDomain}" -''
-      ''Z "${spoolDir}" - "${cfg.user}" "${cfg.group}" -''
-    ];
+    systemd.tmpfiles.settings."10-mlmmj" = {
+      ${stateDir}.d = { };
+      "${spoolDir}/${cfg.listDomain}".d = { };
+      ${spoolDir}.Z = {
+        inherit (cfg) user group;
+      };
+    };
 
     systemd.services.mlmmj-maintd = {
       description = "mlmmj maintenance daemon";
diff --git a/nixos/modules/services/mail/postfixadmin.nix b/nixos/modules/services/mail/postfixadmin.nix
index b86428770cb2..e7ebb6fbd648 100644
--- a/nixos/modules/services/mail/postfixadmin.nix
+++ b/nixos/modules/services/mail/postfixadmin.nix
@@ -99,7 +99,11 @@ in
       ${cfg.extraConfig}
     '';
 
-    systemd.tmpfiles.rules = [ "d /var/cache/postfixadmin/templates_c 700 ${user} ${user}" ];
+    systemd.tmpfiles.settings."10-postfixadmin"."/var/cache/postfixadmin/templates_c".d = {
+      inherit user;
+      group = user;
+      mode = "700";
+    };
 
     services.nginx = {
       enable = true;
diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index c883c143e523..3f1a695ab91a 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -250,6 +250,7 @@ in
         path = [ config.services.postgresql.package ];
       })
       {
+        wants = [ "network-online.target" ];
         after = [ "network-online.target" ];
         wantedBy = [ "multi-user.target" ];
         script = let
diff --git a/nixos/modules/services/mail/rss2email.nix b/nixos/modules/services/mail/rss2email.nix
index 54404c5b5f4c..4939f979cafb 100644
--- a/nixos/modules/services/mail/rss2email.nix
+++ b/nixos/modules/services/mail/rss2email.nix
@@ -95,9 +95,11 @@ in {
 
     services.rss2email.config.to = cfg.to;
 
-    systemd.tmpfiles.rules = [
-      "d /var/rss2email 0700 rss2email rss2email - -"
-    ];
+    systemd.tmpfiles.settings."10-rss2email"."/var/rss2email".d = {
+      user = "rss2email";
+      group = "rss2email";
+      mode = "0700";
+    };
 
     systemd.services.rss2email = let
       conf = pkgs.writeText "rss2email.cfg" (lib.generators.toINI {} ({
diff --git a/nixos/modules/services/mail/sympa.nix b/nixos/modules/services/mail/sympa.nix
index 04ae46f66eea..13fc8656a2b5 100644
--- a/nixos/modules/services/mail/sympa.nix
+++ b/nixos/modules/services/mail/sympa.nix
@@ -435,7 +435,7 @@ in
 
       wantedBy = [ "multi-user.target" ];
       after = [ "network-online.target" ];
-      wants = sympaSubServices;
+      wants = sympaSubServices ++ [ "network-online.target" ];
       before = sympaSubServices;
       serviceConfig = sympaServiceConfig "sympa_msg";
 
diff --git a/nixos/modules/services/mail/zeyple.nix b/nixos/modules/services/mail/zeyple.nix
index e7f9ddd92dc2..9d4bc7f712d6 100644
--- a/nixos/modules/services/mail/zeyple.nix
+++ b/nixos/modules/services/mail/zeyple.nix
@@ -93,7 +93,11 @@ in {
 
     environment.etc."zeyple.conf".source = ini.generate "zeyple.conf" cfg.settings;
 
-    systemd.tmpfiles.rules = [ "f '${cfg.settings.zeyple.log_file}' 0600 ${cfg.user} ${cfg.group} - -" ];
+    systemd.tmpfiles.settings."10-zeyple".${cfg.settings.zeyple.log_file}.f = {
+      inherit (cfg) user group;
+      mode = "0600";
+    };
+
     services.logrotate = mkIf cfg.rotateLogs {
       enable = true;
       settings.zeyple = {
diff --git a/nixos/modules/services/matrix/hebbot.nix b/nixos/modules/services/matrix/hebbot.nix
new file mode 100644
index 000000000000..ebf175464ddd
--- /dev/null
+++ b/nixos/modules/services/matrix/hebbot.nix
@@ -0,0 +1,78 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+
+let
+  inherit (lib) mkEnableOption mkOption mkIf types;
+  format = pkgs.formats.toml { };
+  cfg = config.services.hebbot;
+  settingsFile = format.generate "config.toml" cfg.settings;
+  mkTemplateOption = templateName: mkOption {
+    type = types.path;
+    description = lib.mdDoc ''
+      A path to the Markdown file for the ${templateName}.
+    '';
+  };
+in
+  {
+    meta.maintainers = [ lib.maintainers.raitobezarius ];
+    options.services.hebbot = {
+      enable = mkEnableOption "hebbot";
+      botPasswordFile = mkOption {
+        type = types.path;
+        description = lib.mdDoc ''
+          A path to the password file for your bot.
+
+          Consider using a path that does not end up in your Nix store
+          as it would be world readable.
+        '';
+      };
+      templates = {
+        project = mkTemplateOption "project template";
+        report = mkTemplateOption "report template";
+        section = mkTemplateOption "section template";
+      };
+      settings = mkOption {
+        type = format.type;
+        default = { };
+        description = lib.mdDoc ''
+          Configuration for Hebbot, see, for examples:
+
+          - <https://github.com/matrix-org/twim-config/blob/master/config.toml>
+          - <https://gitlab.gnome.org/Teams/Websites/thisweek.gnome.org/-/blob/main/hebbot/config.toml>
+        '';
+      };
+    };
+
+    config = mkIf cfg.enable {
+      systemd.services.hebbot = {
+        description = "hebbot - a TWIM-style Matrix bot written in Rust";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+
+        preStart = ''
+          ln -sf ${cfg.templates.project} ./project_template.md
+          ln -sf ${cfg.templates.report} ./report_template.md
+          ln -sf ${cfg.templates.section} ./section_template.md
+          ln -sf ${settingsFile} ./config.toml
+        '';
+
+        script = ''
+          export BOT_PASSWORD="$(cat $CREDENTIALS_DIRECTORY/bot-password-file)"
+          ${lib.getExe pkgs.hebbot}
+        '';
+
+        serviceConfig = {
+          DynamicUser = true;
+          Restart = "on-failure";
+          LoadCredential = "bot-password-file:${cfg.botPasswordFile}";
+          RestartSec = "10s";
+          StateDirectory = "hebbot";
+          WorkingDirectory = "hebbot";
+      };
+    };
+  };
+}
+
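Review bot: `WorkingDirectory = "hebbot"` is a relative path, and systemd resolves a relative `WorkingDirectory=` against the service's root directory, so this appears to point at `/hebbot` rather than the state directory that the preStart symlinks are meant to land in; `WorkingDirectory = "/var/lib/hebbot";` (or `"%S/hebbot"`) lines it up with `StateDirectory`. Separately, `settingsFile` is generated into the Nix store and the three `types.path` templates are copied there, so all of them are world-readable, and the `settings` description should carry the same caveat that `botPasswordFile` already has, e.g. `Do not put secrets in here; the generated config.toml ends up in the world-readable Nix store.` The credential read in `script` should also quote the directory: `export BOT_PASSWORD="$(cat "$CREDENTIALS_DIRECTORY/bot-password-file")"`. Finally, the rest of this diff pairs `after = [ "network-online.target" ]` with a matching `wants`; a bot that logs in over the network at start would benefit from the same.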
diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix
index 50019d2a25cb..4c1c396eac05 100644
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@@ -1056,6 +1056,7 @@ in {
 
     systemd.targets.matrix-synapse = lib.mkIf hasWorkers {
       description = "Synapse Matrix parent target";
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ] ++ optional hasLocalPostgresDB "postgresql.service";
       wantedBy = [ "multi-user.target" ];
     };
@@ -1071,6 +1072,7 @@ in {
             requires = optional hasLocalPostgresDB "postgresql.service";
           }
           else {
+            wants = [ "network-online.target" ];
             after = [ "network-online.target" ] ++ optional hasLocalPostgresDB "postgresql.service";
             requires = optional hasLocalPostgresDB "postgresql.service";
             wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/misc/amazon-ssm-agent.nix b/nixos/modules/services/misc/amazon-ssm-agent.nix
index 20b836abe164..89a1c0766510 100644
--- a/nixos/modules/services/misc/amazon-ssm-agent.nix
+++ b/nixos/modules/services/misc/amazon-ssm-agent.nix
@@ -41,6 +41,7 @@ in {
     # See https://github.com/aws/amazon-ssm-agent/blob/mainline/packaging/linux/amazon-ssm-agent.service
     systemd.services.amazon-ssm-agent = {
       inherit (cfg.package.meta) description;
+      wants    = [ "network-online.target" ];
       after    = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
 
diff --git a/nixos/modules/services/misc/bcg.nix b/nixos/modules/services/misc/bcg.nix
index 9da4a879cdd0..ad0b9c871342 100644
--- a/nixos/modules/services/misc/bcg.nix
+++ b/nixos/modules/services/misc/bcg.nix
@@ -154,7 +154,7 @@ in
     in {
       description = "BigClown Gateway";
       wantedBy = [ "multi-user.target" ];
-      wants = mkIf config.services.mosquitto.enable [ "mosquitto.service" ];
+      wants = [ "network-online.target" ] ++ lib.optional config.services.mosquitto.enable "mosquitto.service";
       after = [ "network-online.target" ];
       preStart = ''
         umask 077
diff --git a/nixos/modules/services/misc/domoticz.nix b/nixos/modules/services/misc/domoticz.nix
index fd9fcf0b78eb..315092f93351 100644
--- a/nixos/modules/services/misc/domoticz.nix
+++ b/nixos/modules/services/misc/domoticz.nix
@@ -35,6 +35,7 @@ in {
     systemd.services."domoticz" = {
       description = pkgDesc;
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       serviceConfig = {
         DynamicUser = true;
diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix
index 73bdeb3b0afd..ee6a56db31d3 100644
--- a/nixos/modules/services/misc/etcd.nix
+++ b/nixos/modules/services/misc/etcd.nix
@@ -152,9 +152,10 @@ in {
   };
 
   config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0700 etcd - - -"
-    ];
+    systemd.tmpfiles.settings."10-etcd".${cfg.dataDir}.d = {
+      user = "etcd";
+      mode = "0700";
+    };
 
     systemd.services.etcd = {
       description = "etcd key-value store";
diff --git a/nixos/modules/services/misc/etesync-dav.nix b/nixos/modules/services/misc/etesync-dav.nix
index 9d99d548d95b..ae2b5ad04343 100644
--- a/nixos/modules/services/misc/etesync-dav.nix
+++ b/nixos/modules/services/misc/etesync-dav.nix
@@ -59,6 +59,7 @@ in
 
       systemd.services.etesync-dav = {
         description = "etesync-dav - A CalDAV and CardDAV adapter for EteSync";
+        wants = [ "network-online.target" ];
         after = [ "network-online.target" ];
         wantedBy = [ "multi-user.target" ];
         path = [ pkgs.etesync-dav ];
diff --git a/nixos/modules/services/misc/lidarr.nix b/nixos/modules/services/misc/lidarr.nix
index 4dc0fc63863b..8ceb567e8801 100644
--- a/nixos/modules/services/misc/lidarr.nix
+++ b/nixos/modules/services/misc/lidarr.nix
@@ -45,9 +45,10 @@ in
   };
 
   config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-lidarr".${cfg.dataDir}.d = {
+      inherit (cfg) user group;
+      mode = "0700";
+    };
 
     systemd.services.lidarr = {
       description = "Lidarr";
diff --git a/nixos/modules/services/misc/mediatomb.nix b/nixos/modules/services/misc/mediatomb.nix
index d421d74c53ad..03235e9a1265 100644
--- a/nixos/modules/services/misc/mediatomb.nix
+++ b/nixos/modules/services/misc/mediatomb.nix
@@ -357,6 +357,7 @@ in {
       description = "${cfg.serverName} media Server";
       # Gerbera might fail if the network interface is not available on startup
       # https://github.com/gerbera/gerbera/issues/1324
+      wants = [ "network-online.target" ];
       after = [ "network.target" "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig.ExecStart = "${binaryCommand} --port ${toString cfg.port} ${interfaceFlag} ${configFlag} --home ${cfg.dataDir}";
diff --git a/nixos/modules/services/misc/metabase.nix b/nixos/modules/services/misc/metabase.nix
index 883fa0b95911..5fc18e27eaae 100644
--- a/nixos/modules/services/misc/metabase.nix
+++ b/nixos/modules/services/misc/metabase.nix
@@ -77,6 +77,7 @@ in {
     systemd.services.metabase = {
       description = "Metabase server";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       environment = {
         MB_PLUGINS_DIR = "${dataDir}/plugins";
diff --git a/nixos/modules/services/misc/moonraker.nix b/nixos/modules/services/misc/moonraker.nix
index 750dca9d0373..4e419aafa990 100644
--- a/nixos/modules/services/misc/moonraker.nix
+++ b/nixos/modules/services/misc/moonraker.nix
@@ -103,7 +103,7 @@ in {
 
   config = mkIf cfg.enable {
     warnings = []
-      ++ optional (cfg.settings ? update_manager)
+      ++ optional (cfg.settings.update_manager.enable_system_updates or false)
         ''Enabling update_manager is not supported on NixOS and will lead to non-removable warnings in some clients.''
       ++ optional (cfg.configDir != null)
         ''
diff --git a/nixos/modules/services/misc/nix-gc.nix b/nixos/modules/services/misc/nix-gc.nix
index 97596d28cd89..de6bd76c7eb9 100644
--- a/nixos/modules/services/misc/nix-gc.nix
+++ b/nixos/modules/services/misc/nix-gc.nix
@@ -1,7 +1,5 @@
 { config, lib, ... }:
 
-with lib;
-
 let
   cfg = config.nix.gc;
 in
@@ -14,14 +12,14 @@ in
 
     nix.gc = {
 
-      automatic = mkOption {
+      automatic = lib.mkOption {
         default = false;
-        type = types.bool;
+        type = lib.types.bool;
         description = lib.mdDoc "Automatically run the garbage collector at a specific time.";
       };
 
-      dates = mkOption {
-        type = types.str;
+      dates = lib.mkOption {
+        type = lib.types.singleLineStr;
         default = "03:15";
         example = "weekly";
         description = lib.mdDoc ''
@@ -33,9 +31,9 @@ in
         '';
       };
 
-      randomizedDelaySec = mkOption {
+      randomizedDelaySec = lib.mkOption {
         default = "0";
-        type = types.str;
+        type = lib.types.singleLineStr;
         example = "45min";
         description = lib.mdDoc ''
           Add a randomized delay before each garbage collection.
@@ -45,9 +43,9 @@ in
         '';
       };
 
-      persistent = mkOption {
+      persistent = lib.mkOption {
         default = true;
-        type = types.bool;
+        type = lib.types.bool;
         example = false;
         description = lib.mdDoc ''
           Takes a boolean argument. If true, the time when the service
@@ -61,10 +59,10 @@ in
         '';
       };
 
-      options = mkOption {
+      options = lib.mkOption {
         default = "";
         example = "--max-freed $((64 * 1024**3))";
-        type = types.str;
+        type = lib.types.singleLineStr;
         description = lib.mdDoc ''
           Options given to {file}`nix-collect-garbage` when the
           garbage collector is run automatically.
@@ -89,7 +87,8 @@ in
     systemd.services.nix-gc = lib.mkIf config.nix.enable {
       description = "Nix Garbage Collector";
       script = "exec ${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}";
-      startAt = optional cfg.automatic cfg.dates;
+      serviceConfig.Type = "oneshot";
+      startAt = lib.optional cfg.automatic cfg.dates;
     };
 
     systemd.timers.nix-gc = lib.mkIf cfg.automatic {
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
index b656692ca01c..cf9d6339c69b 100644
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 let cfg = config.nix.sshServe;
@@ -46,7 +46,7 @@ in {
       description = "Nix SSH store user";
       isSystemUser = true;
       group = "nix-ssh";
-      useDefaultShell = true;
+      shell = pkgs.bashInteractive;
     };
     users.groups.nix-ssh = {};
 
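Review bot: Switching the `nix-ssh` account from the default user shell to a fixed `pkgs.bashInteractive` deserves a comment, because a reader will ask why a store-serving system user needs an interactive shell at all. The account is presumably confined by the `Match User nix-ssh` / `ForceCommand` block that sshd gets from elsewhere in this module (outside this hunk), and the shell only exists so that `ForceCommand` has a POSIX `sh -c` to run through; if that block were ever removed, this line is what would give a key holder a real shell. Suggest adding above it: `# sshd runs ForceCommand through the login shell, so a POSIX shell is required; the Match block in this module restricts what it can do.`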
diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix
index 9794bbbec464..d9359d2b5cd4 100644
--- a/nixos/modules/services/misc/ollama.nix
+++ b/nixos/modules/services/misc/ollama.nix
@@ -9,6 +9,13 @@ in {
       enable = lib.mkEnableOption (
         lib.mdDoc "Server for local large language models"
       );
+      listenAddress = lib.mkOption {
+        type = lib.types.str;
+        default = "127.0.0.1:11434";
+        description = lib.mdDoc ''
+          Specifies the bind address on which the ollama server HTTP interface listens.
+        '';
+      };
       package = lib.mkPackageOption pkgs "ollama" { };
     };
   };
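Review bot: The `listenAddress` description should say what changing the loopback default means, since this module adds no companion authentication or firewall setting: as far as I know the ollama HTTP API does not authenticate clients, so anything that can reach the port can pull and run models. Suggest appending `Ollama does not authenticate clients; if you bind to a non-loopback address, restrict access with a firewall or an authenticating reverse proxy.` to the description. The loopback default itself is the right choice.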
@@ -23,6 +30,7 @@ in {
         environment = {
           HOME = "%S/ollama";
           OLLAMA_MODELS = "%S/ollama/models";
+          OLLAMA_HOST = cfg.listenAddress;
         };
         serviceConfig = {
           ExecStart = "${lib.getExe cfg.package} serve";
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index 3c6832958f59..ca34a327dbdf 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -297,6 +297,7 @@ in
       wantedBy = [ "paperless-scheduler.service" ];
       before = [ "paperless-scheduler.service" ];
       after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
       serviceConfig = defaultServiceConfig // {
         User = cfg.user;
         Type = "oneshot";
diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix
index 7036a372d1ea..47af24f024cd 100644
--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@@ -230,7 +230,10 @@ in
         description = "Self-contained authentication service";
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
-        serviceConfig.ExecStart = "${cfg.package.out}/bin/portunus-orchestrator";
+        serviceConfig = {
+          ExecStart = "${cfg.package}/bin/portunus-orchestrator";
+          Restart = "on-failure";
+        };
         environment = {
           PORTUNUS_LDAP_SUFFIX = cfg.ldap.suffix;
           PORTUNUS_SERVER_BINARY = "${cfg.package}/bin/portunus-server";
diff --git a/nixos/modules/services/misc/radarr.nix b/nixos/modules/services/misc/radarr.nix
index 618341cf614f..a5f264331ed3 100644
--- a/nixos/modules/services/misc/radarr.nix
+++ b/nixos/modules/services/misc/radarr.nix
@@ -40,9 +40,10 @@ in
   };
 
   config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-radarr".${cfg.dataDir}.d = {
+      inherit (cfg) user group;
+      mode = "0700";
+    };
 
     systemd.services.radarr = {
       description = "Radarr";
diff --git a/nixos/modules/services/misc/readarr.nix b/nixos/modules/services/misc/readarr.nix
index 3c84b13485a4..73868b4baa95 100644
--- a/nixos/modules/services/misc/readarr.nix
+++ b/nixos/modules/services/misc/readarr.nix
@@ -45,9 +45,10 @@ in
   };
 
   config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-readarr".${cfg.dataDir}.d = {
+      inherit (cfg) user group;
+      mode = "0700";
+    };
 
     systemd.services.readarr = {
       description = "Readarr";
diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
index fec05728b2b6..b1eebb07686b 100644
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -61,6 +61,10 @@ def run_as_taskd_user():
     os.setuid(uid)
 
 
+def run_as_taskd_group():
+    gid = grp.getgrnam(TASKD_GROUP).gr_gid
+    os.setgid(gid)
+
 def taskd_cmd(cmd, *args, **kwargs):
     """
     Invoke taskd with the specified command with the privileges of the 'taskd'
@@ -90,7 +94,7 @@ def certtool_cmd(*args, **kwargs):
     """
     return subprocess.check_output(
         [CERTTOOL_COMMAND] + list(args),
-        preexec_fn=lambda: os.umask(0o077),
+        preexec_fn=run_as_taskd_group,
         stderr=subprocess.STDOUT,
         **kwargs
     )
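Review bot: Replacing the `preexec_fn` drops the `os.umask(0o077)` that previously protected every file certtool writes, so any key produced through `certtool_cmd` is now created with the inherited umask (typically 0644) until a caller chmods it; only the user private key in `generate_key` gets that follow-up `chmod`, and other private-key outputs of this helper outside the hunk, if any, lose the protection entirely. Keep the umask in the new hook: `def run_as_taskd_group():` / `    os.umask(0o027)` / `    os.setgid(grp.getgrnam(TASKD_GROUP).gr_gid)` — 0o027 yields 0640/0750 directly, which is what `generate_key` chmods to afterwards, and closes the window in which a fresh key is world-readable. `certtool_cmd` is complete in this hunk; `run_as_taskd_group` is defined in the previous one.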
@@ -156,17 +160,33 @@ def generate_key(org, user):
         sys.stderr.write(msg.format(user))
         return
 
-    basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user)
-    if os.path.exists(basedir):
+    keysdir = os.path.join(TASKD_DATA_DIR, "keys" )
+    orgdir  = os.path.join(keysdir       , org    )
+    userdir = os.path.join(orgdir        , user   )
+    if os.path.exists(userdir):
         raise OSError("Keyfile directory for {} already exists.".format(user))
 
-    privkey = os.path.join(basedir, "private.key")
-    pubcert = os.path.join(basedir, "public.cert")
+    privkey = os.path.join(userdir, "private.key")
+    pubcert = os.path.join(userdir, "public.cert")
 
     try:
-        os.makedirs(basedir, mode=0o700)
+        # We change the permissions and the owner ship of the base directories
+        # so that cfg.group and cfg.user could read the directories' contents.
+        # See also: https://bugs.python.org/issue42367
+        for bd in [keysdir, orgdir, userdir]:
+            # Allow cfg.group, but not others to read the contents of this group
+            os.makedirs(bd, exist_ok=True)
+            # not using mode= argument to makedirs intentionally - forcing the
+            # permissions we want
+            os.chmod(bd, mode=0o750)
+            os.chown(
+                bd,
+                uid=pwd.getpwnam(TASKD_USER).pw_uid,
+                gid=grp.getgrnam(TASKD_GROUP).gr_gid,
+            )
 
         certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey)
+        os.chmod(privkey, 0o640)
 
         template_data = [
             "organization = {0}".format(org),
@@ -187,7 +207,7 @@ def generate_key(org, user):
                 "--outfile", pubcert
             )
     except:
-        rmtree(basedir)
+        rmtree(userdir)
         raise
 
 
diff --git a/nixos/modules/services/monitoring/alerta.nix b/nixos/modules/services/monitoring/alerta.nix
index 6c7ebec4191c..0b0ab177e5e1 100644
--- a/nixos/modules/services/monitoring/alerta.nix
+++ b/nixos/modules/services/monitoring/alerta.nix
@@ -79,9 +79,10 @@ in
   };
 
   config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [
-      "d '${cfg.logDir}' - alerta alerta - -"
-    ];
+    systemd.tmpfiles.settings."10-alerta".${cfg.logDir}.d = {
+      user = "alerta";
+      group = "alerta";
+    };
 
     systemd.services.alerta = {
       description = "Alerta Monitoring System";
diff --git a/nixos/modules/services/monitoring/kapacitor.nix b/nixos/modules/services/monitoring/kapacitor.nix
index 727b694047b4..c90878656899 100644
--- a/nixos/modules/services/monitoring/kapacitor.nix
+++ b/nixos/modules/services/monitoring/kapacitor.nix
@@ -160,9 +160,9 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.kapacitor ];
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-kapacitor".${cfg.dataDir}.d = {
+      inherit (cfg) user group;
+    };
 
     systemd.services.kapacitor = {
       description = "Kapacitor Real-Time Stream Processing Engine";
diff --git a/nixos/modules/services/monitoring/mackerel-agent.nix b/nixos/modules/services/monitoring/mackerel-agent.nix
index 62a7858500f2..5915634ed26f 100644
--- a/nixos/modules/services/monitoring/mackerel-agent.nix
+++ b/nixos/modules/services/monitoring/mackerel-agent.nix
@@ -84,6 +84,7 @@ in {
     # upstream service file in https://git.io/JUt4Q
     systemd.services.mackerel-agent = {
       description = "mackerel.io agent";
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" "nss-lookup.target" ];
       wantedBy = [ "multi-user.target" ];
       environment = {
diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix
index 5ed7cac48ae7..456a14169b95 100644
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@@ -374,7 +374,11 @@ in
     };
 
     # munin_stats plugin breaks as of 2.0.33 when this doesn't exist
-    systemd.tmpfiles.rules = [ "d /run/munin 0755 munin munin -" ];
+    systemd.tmpfiles.settings."10-munin"."/run/munin".d = {
+      mode = "0755";
+      user = "munin";
+      group = "munin";
+    };
 
   }) (mkIf cronCfg.enable {
 
@@ -399,11 +403,17 @@ in
       };
     };
 
-    systemd.tmpfiles.rules = [
-      "d /run/munin 0755 munin munin -"
-      "d /var/log/munin 0755 munin munin -"
-      "d /var/www/munin 0755 munin munin -"
-      "d /var/lib/munin 0755 munin munin -"
-    ];
+    systemd.tmpfiles.settings."20-munin" = let
+      defaultConfig = {
+        mode = "0755";
+        user = "munin";
+        group = "munin";
+      };
+    in {
+      "/run/munin".d = defaultConfig;
+      "/var/log/munin".d = defaultConfig;
+      "/var/www/munin".d = defaultConfig;
+      "/var/lib/munin".d = defaultConfig;
+    };
   })];
 }
diff --git a/nixos/modules/services/monitoring/osquery.nix b/nixos/modules/services/monitoring/osquery.nix
index 4f6c2557a641..86ef3fc73213 100644
--- a/nixos/modules/services/monitoring/osquery.nix
+++ b/nixos/modules/services/monitoring/osquery.nix
@@ -90,8 +90,10 @@ in
       };
       wantedBy = [ "multi-user.target" ];
     };
-    systemd.tmpfiles.rules = [
-      "d ${dirname (cfg.flags.pidfile)} 0755 root root -"
-    ];
+    systemd.tmpfiles.settings."10-osquery".${dirname (cfg.flags.pidfile)}.d = {
+      user = "root";
+      group = "root";
+      mode = "0755";
+    };
   };
 }
diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixos/modules/services/monitoring/prometheus/alertmanager.nix
index 4fd630015f35..bb426d8b7beb 100644
--- a/nixos/modules/services/monitoring/prometheus/alertmanager.nix
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager.nix
@@ -174,6 +174,7 @@ in {
 
       systemd.services.alertmanager = {
         wantedBy = [ "multi-user.target" ];
+        wants    = [ "network-online.target" ];
         after    = [ "network-online.target" ];
         preStart = ''
            ${lib.getBin pkgs.envsubst}/bin/envsubst -o "/tmp/alert-manager-substituted.yaml" \
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/pve.nix b/nixos/modules/services/monitoring/prometheus/exporters/pve.nix
index 20ee2e4b3238..83e740320df2 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/pve.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/pve.nix
@@ -21,7 +21,7 @@ in
       type = with types; nullOr path;
       default = null;
       example = "/etc/prometheus-pve-exporter/pve.env";
-      description = lib.mdDoc ''
+      description = ''
         Path to the service's environment file. This path can either be a computed path in /nix/store or a path in the local filesystem.
 
         The environment file should NOT be stored in /nix/store as it contains passwords and/or keys in plain text.
@@ -34,7 +34,7 @@ in
       type = with types; nullOr path;
       default = null;
       example = "/etc/prometheus-pve-exporter/pve.yml";
-      description = lib.mdDoc ''
+      description = ''
         Path to the service's config file. This path can either be a computed path in /nix/store or a path in the local filesystem.
 
         The config file should NOT be stored in /nix/store as it will contain passwords and/or keys in plain text.
@@ -45,46 +45,66 @@ in
       '';
     };
 
+    server = {
+      keyFile = mkOption {
+        type = with types; nullOr path;
+        default = null;
+        example = "/var/lib/prometheus-pve-exporter/privkey.key";
+        description = ''
+          Path to a SSL private key file for the server
+        '';
+      };
+
+      certFile = mkOption {
+        type = with types; nullOr path;
+        default = null;
+        example = "/var/lib/prometheus-pve-exporter/full-chain.pem";
+        description = ''
+          Path to a SSL certificate file for the server
+        '';
+      };
+    };
+
     collectors = {
       status = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Collect Node/VM/CT status
         '';
       };
       version = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Collect PVE version info
         '';
       };
       node = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Collect PVE node info
         '';
       };
       cluster = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Collect PVE cluster info
         '';
       };
       resources = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Collect PVE resources info
         '';
       };
       config = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Collect PVE onboot status
         '';
       };
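Review bot: The new `server.keyFile` option (L2488-L2495) is a `types.path` whose description lacks the warning the `environmentFile` and `configFile` options in this same file already carry: a path into /nix/store makes the TLS private key world-readable on the host and in any binary cache. Suggest extending the description with `The key file should NOT be stored in /nix/store; it must be readable by the user the exporter runs as.` The path is handed directly to `--server.keyfile` in the ExecStart hunk (L2562), so unlike `%d/configFile` it does not appear to go through systemd credentials, and whether the service user can read it depends on the serviceConfig, which is outside this hunk.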
@@ -102,8 +122,10 @@ in
           --${optionalString (!cfg.collectors.cluster) "no-"}collector.cluster \
           --${optionalString (!cfg.collectors.resources) "no-"}collector.resources \
           --${optionalString (!cfg.collectors.config) "no-"}collector.config \
-          %d/configFile \
-          ${toString cfg.port} ${cfg.listenAddress}
+          ${optionalString (cfg.server.keyFile != null) "--server.keyfile ${cfg.server.keyFile}"} \
+          ${optionalString (cfg.server.certFile != null) "--server.certfile ${cfg.server.certFile}"} \
+          --config.file %d/configFile \
+          --web.listen-address ${cfg.listenAddress}:${toString cfg.port}
       '';
     } // optionalAttrs (cfg.environmentFile != null) {
       EnvironmentFile = cfg.environmentFile;
diff --git a/nixos/modules/services/monitoring/riemann-dash.nix b/nixos/modules/services/monitoring/riemann-dash.nix
index 1ca8af14e777..1622d7a9b920 100644
--- a/nixos/modules/services/monitoring/riemann-dash.nix
+++ b/nixos/modules/services/monitoring/riemann-dash.nix
@@ -59,9 +59,10 @@ in {
       group = "riemanndash";
     };
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' - riemanndash riemanndash - -"
-    ];
+    systemd.tmpfiles.settings."10-riemanndash".${cfg.dataDir}.d = {
+      user = "riemanndash";
+      group = "riemanndash";
+    };
 
     systemd.services.riemann-dash = {
       wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/monitoring/rustdesk-server.nix b/nixos/modules/services/monitoring/rustdesk-server.nix
new file mode 100644
index 000000000000..0a6a8e71672f
--- /dev/null
+++ b/nixos/modules/services/monitoring/rustdesk-server.nix
@@ -0,0 +1,95 @@
+{ lib, pkgs, config, ... }:
+let
+  TCPPorts = [21115 21116 21117 21118 21119];
+  UDPPorts = [21116];
+in {
+  options.services.rustdesk-server = with lib; with types; {
+    enable = mkEnableOption "RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices.";
+
+    package = mkPackageOption pkgs "rustdesk-server" {};
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Open the connection ports.
+        TCP (${lib.concatStringsSep ", " (map toString TCPPorts)})
+        UDP (${lib.concatStringsSep ", " (map toString UDPPorts)})
+      '';
+    };
+
+    relayIP = mkOption {
+      type = str;
+      description = ''
+        The public facing IP of the RustDesk relay.
+      '';
+    };
+  };
+
+  config = let
+    cfg = config.services.rustdesk-server;
+    serviceDefaults = {
+      enable = true;
+      requiredBy = [ "rustdesk.target" ];
+      serviceConfig = {
+        Slice = "system-rustdesk.slice";
+        User  = "rustdesk";
+        Group = "rustdesk";
+        Environment = [];
+        WorkingDirectory = "/var/lib/rustdesk";
+        StateDirectory   = "rustdesk";
+        StateDirectoryMode = "0750";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictSUIDSGID = true;
+      };
+    };
+  in lib.mkIf cfg.enable {
+    users.users.rustdesk = {
+      description = "System user for RustDesk";
+      isSystemUser = true;
+      group = "rustdesk";
+    };
+    users.groups.rustdesk = {};
+
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall TCPPorts;
+    networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall UDPPorts;
+
+    systemd.slices.system-rustdesk = {
+      enable = true;
+      description = "Slice designed to contain RustDesk Signal & RustDesk Relay";
+    };
+
+    systemd.targets.rustdesk = {
+      enable = true;
+      description = "Target designed to group RustDesk Signal & RustDesk Relay";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    systemd.services.rustdesk-signal = lib.mkMerge [ serviceDefaults {
+      serviceConfig.ExecStart = "${cfg.package}/bin/hbbs -r ${cfg.relayIP}";
+    } ];
+
+    systemd.services.rustdesk-relay = lib.mkMerge [ serviceDefaults {
+      serviceConfig.ExecStart = "${cfg.package}/bin/hbbr";
+    } ];
+  };
+
+  meta.maintainers = with lib.maintainers; [ ppom ];
+}
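Review bot: The shared `serviceConfig` in `serviceDefaults` (L2626-L2652) sets no `RestrictAddressFamilies`, `SystemCallArchitectures` or `SystemCallFilter`, which leaves the two internet-facing daemons with more kernel surface than the rest of the hardening list suggests; `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];`, `SystemCallArchitectures = "native";` and `SystemCallFilter = [ "@system-service" ];` would close that gap (add AF_UNIX if the daemons turn out to use local sockets — not verifiable from here). Separately, `relayIP` is a plain `types.str` interpolated unquoted into ExecStart at L2678, so a value containing whitespace is split into extra arguments; escaping it or constraining the type avoids that. Both units also share one `StateDirectory` and user, so each daemon can read the other's files; if that is intended, a one-line comment on `serviceDefaults` saying so would help.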
diff --git a/nixos/modules/services/monitoring/teamviewer.nix b/nixos/modules/services/monitoring/teamviewer.nix
index 9b1278317943..7c45247aa6d5 100644
--- a/nixos/modules/services/monitoring/teamviewer.nix
+++ b/nixos/modules/services/monitoring/teamviewer.nix
@@ -30,6 +30,7 @@ in
       description = "TeamViewer remote control daemon";
 
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" "network.target" "dbus.service" ];
       requires = [ "dbus.service" ];
       preStart = "mkdir -pv /var/lib/teamviewer /var/log/teamviewer";
diff --git a/nixos/modules/services/monitoring/telegraf.nix b/nixos/modules/services/monitoring/telegraf.nix
index ee28ee03adf3..3bab8aba7bd6 100644
--- a/nixos/modules/services/monitoring/telegraf.nix
+++ b/nixos/modules/services/monitoring/telegraf.nix
@@ -59,6 +59,7 @@ in {
     in {
       description = "Telegraf Agent";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       path = lib.optional (config.services.telegraf.extraConfig.inputs ? procstat) pkgs.procps;
       serviceConfig = {
diff --git a/nixos/modules/services/monitoring/watchdogd.nix b/nixos/modules/services/monitoring/watchdogd.nix
new file mode 100644
index 000000000000..e8d104651c6a
--- /dev/null
+++ b/nixos/modules/services/monitoring/watchdogd.nix
@@ -0,0 +1,131 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.watchdogd;
+
+  mkPluginOpts = plugin: defWarn: defCrit: {
+    enabled = mkEnableOption "watchdogd plugin ${plugin}";
+    interval = mkOption {
+      type = types.ints.unsigned;
+      default = 300;
+      description = ''
+        Amount of seconds between every poll.
+      '';
+    };
+    logmark = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to log current stats every poll interval.
+      '';
+    };
+    warning = mkOption {
+      type = types.numbers.nonnegative;
+      default = defWarn;
+      description = ''
+        The high watermark level. Alert sent to log.
+      '';
+    };
+    critical = mkOption {
+      type = types.numbers.nonnegative;
+      default = defCrit;
+      description = ''
+        The critical watermark level. Alert sent to log, followed by reboot or script action.
+      '';
+    };
+  };
+in {
+  options.services.watchdogd = {
+    enable = mkEnableOption "watchdogd, an advanced system & process supervisor";
+    package = mkPackageOption pkgs "watchdogd" { };
+
+    settings = mkOption {
+      type = with types; submodule {
+        freeformType = let
+          valueType = oneOf [
+            bool
+            int
+            float
+            str
+          ];
+        in attrsOf (either valueType (attrsOf valueType));
+
+        options = {
+          timeout = mkOption {
+            type = types.ints.unsigned;
+            default = 15;
+            description = ''
+              The WDT timeout before reset.
+            '';
+          };
+          interval = mkOption {
+            type = types.ints.unsigned;
+            default = 5;
+            description = ''
+              The kick interval, i.e. how often {manpage}`watchdogd(8)` should reset the WDT timer.
+            '';
+          };
+
+          safe-exit = mkOption {
+            type = types.bool;
+            default = true;
+            description = ''
+              With {var}`safeExit` enabled, the daemon will ask the driver to disable the WDT before exiting.
+              However, some WDT drivers (or hardware) may not support this.
+            '';
+          };
+
+          filenr = mkPluginOpts "filenr" 0.9 1.0;
+
+          loadavg = mkPluginOpts "loadavg" 1.0 2.0;
+
+          meminfo = mkPluginOpts "meminfo" 0.9 0.95;
+        };
+      };
+      default = { };
+      description = ''
+        Configuration to put in {file}`watchdogd.conf`.
+        See {manpage}`watchdogd.conf(5)` for more details.
+      '';
+    };
+  };
+
+  config = let
+    toConfig = attrs: concatStringsSep "\n" (mapAttrsToList toValue attrs);
+
+    toValue = name: value:
+      if isAttrs value
+        then pipe value [
+          (mapAttrsToList toValue)
+          (map (s: "  ${s}"))
+          (concatStringsSep "\n")
+          (s: "${name} {\n${s}\n}")
+        ]
+      else if isBool value
+        then "${name} = ${boolToString value}"
+      else if any (f: f value) [isString isInt isFloat]
+        then "${name} = ${toString value}"
+      else throw ''
+        Found invalid type in `services.watchdogd.settings`: '${typeOf value}'
+      '';
+
+    watchdogdConf = pkgs.writeText "watchdogd.conf" (toConfig cfg.settings);
+  in mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.services.watchdogd = {
+      documentation = [
+        "man:watchdogd(8)"
+        "man:watchdogd.conf(5)"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      description = "Advanced system & process supervisor";
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${cfg.package}/bin/watchdogd -n -f ${watchdogdConf}";
+      };
+    };
+  };
+
+  meta.maintainers = with maintainers; [ vifino ];
+}
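Review bot: The description of `safe-exit` (L2790) refers to `{var}`safeExit``, but the option defined at L2786 is named `safe-exit`, so the rendered manual points at a name that does not exist; change it to `With {var}`safe-exit` enabled, the daemon will ask the driver to disable the WDT before exiting.` The `interval` inside `mkPluginOpts` (L2725-L2731) and the top-level `interval` (L2778-L2784) share a name but describe different things; wording the plugin one as `Plugin poll interval in seconds.` makes the generated option list easier to read.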
diff --git a/nixos/modules/services/network-filesystems/cachefilesd.nix b/nixos/modules/services/network-filesystems/cachefilesd.nix
index da5a79a062c7..3fb6a19c6fa3 100644
--- a/nixos/modules/services/network-filesystems/cachefilesd.nix
+++ b/nixos/modules/services/network-filesystems/cachefilesd.nix
@@ -56,8 +56,10 @@ in
       };
     };
 
-    systemd.tmpfiles.rules = [
-      "d ${cfg.cacheDir} 0700 root root - -"
-    ];
+    systemd.tmpfiles.settings."10-cachefilesd".${cfg.cacheDir}.d = {
+      user = "root";
+      group = "root";
+      mode = "0700";
+    };
   };
 }
diff --git a/nixos/modules/services/network-filesystems/ceph.nix b/nixos/modules/services/network-filesystems/ceph.nix
index 222905223b59..df9a2f802bb9 100644
--- a/nixos/modules/services/network-filesystems/ceph.nix
+++ b/nixos/modules/services/network-filesystems/ceph.nix
@@ -398,12 +398,18 @@ in
       in
         mkMerge targets;
 
-    systemd.tmpfiles.rules = [
-      "d /etc/ceph - ceph ceph - -"
-      "d /run/ceph 0770 ceph ceph -"
-      "d /var/lib/ceph - ceph ceph - -"]
-    ++ optionals cfg.mgr.enable [ "d /var/lib/ceph/mgr - ceph ceph - -"]
-    ++ optionals cfg.mon.enable [ "d /var/lib/ceph/mon - ceph ceph - -"]
-    ++ optionals cfg.osd.enable [ "d /var/lib/ceph/osd - ceph ceph - -"];
+    systemd.tmpfiles.settings."10-ceph" = let
+      defaultConfig = {
+        user = "ceph";
+        group = "ceph";
+      };
+    in {
+      "/etc/ceph".d = defaultConfig;
+      "/run/ceph".d = defaultConfig // { mode = "0770"; };
+      "/var/lib/ceph".d = defaultConfig;
+      "/var/lib/ceph/mgr".d = mkIf (cfg.mgr.enable) defaultConfig;
+      "/var/lib/ceph/mon".d = mkIf (cfg.mon.enable) defaultConfig;
+      "/var/lib/ceph/osd".d = mkIf (cfg.osd.enable) defaultConfig;
+    };
   };
 }
diff --git a/nixos/modules/services/network-filesystems/kbfs.nix b/nixos/modules/services/network-filesystems/kbfs.nix
index 33ff283d5e81..578675e75dc3 100644
--- a/nixos/modules/services/network-filesystems/kbfs.nix
+++ b/nixos/modules/services/network-filesystems/kbfs.nix
@@ -92,7 +92,12 @@ in {
     (mkIf cfg.enableRedirector {
       security.wrappers."keybase-redirector".source = "${pkgs.kbfs}/bin/redirector";
 
-      systemd.tmpfiles.rules = [ "d /keybase 0755 root root 0" ];
+      systemd.tmpfiles.settings."10-kbfs"."/keybase".d = {
+        user = "root";
+        group = "root";
+        mode = "0755";
+        age = "0";
+      };
 
       # Upstream: https://github.com/keybase/client/blob/master/packaging/linux/systemd/keybase-redirector.service
       systemd.user.services.keybase-redirector = {
diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix
index 10162c1633e7..9a05a28550d3 100644
--- a/nixos/modules/services/network-filesystems/kubo.nix
+++ b/nixos/modules/services/network-filesystems/kubo.nix
@@ -312,12 +312,13 @@ in
       ipfs.gid = config.ids.gids.ipfs;
     };
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
-    ] ++ optionals cfg.autoMount [
-      "d '${cfg.settings.Mounts.IPFS}' - ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.settings.Mounts.IPNS}' - ${cfg.user} ${cfg.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-kubo" = let
+      defaultConfig = { inherit (cfg) user group; };
+    in {
+      ${cfg.dataDir}.d = defaultConfig;
+      ${cfg.settings.Mounts.IPFS}.d = mkIf (cfg.autoMount) defaultConfig;
+      ${cfg.settings.Mounts.IPNS}.d = mkIf (cfg.autoMount) defaultConfig;
+    };
 
     # The hardened systemd unit breaks the fuse-mount function according to documentation in the unit file itself
     systemd.packages = if cfg.autoMount
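Review bot: The attribute names `${cfg.settings.Mounts.IPFS}` and `${cfg.settings.Mounts.IPNS}` (L2933-L2934) are now evaluated unconditionally, whereas the removed `optionals cfg.autoMount [ ... ]` form only forced them when autoMount was set. If either setting can be null or absent while `autoMount = false` (their defaults are outside this hunk), evaluation now fails where it previously did not; if they always carry a string default, a short comment saying so would document why the `mkIf` on the value alone is sufficient.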
diff --git a/nixos/modules/services/network-filesystems/openafs/client.nix b/nixos/modules/services/network-filesystems/openafs/client.nix
index bb0fee087e62..02c3482ec657 100644
--- a/nixos/modules/services/network-filesystems/openafs/client.nix
+++ b/nixos/modules/services/network-filesystems/openafs/client.nix
@@ -215,6 +215,7 @@ in
     systemd.services.afsd = {
       description = "AFS client";
       wantedBy = [ "multi-user.target" ];
+      wants = lib.optional (!cfg.startDisconnected) "network-online.target";
       after = singleton (if cfg.startDisconnected then  "network.target" else "network-online.target");
       serviceConfig = { RemainAfterExit = true; };
       restartIfChanged = false;
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index 5d02eac8e9f1..ef368ddbeefd 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -154,7 +154,7 @@ in
       };
 
       securityType = mkOption {
-        type = types.str;
+        type = types.enum [ "auto" "user" "domain" "ads" ];
         default = "user";
         description = lib.mdDoc "Samba security type";
       };
diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix
index 9deeb7694d2a..e25f5c7b0379 100644
--- a/nixos/modules/services/networking/bird.nix
+++ b/nixos/modules/services/networking/bird.nix
@@ -18,6 +18,13 @@ in
           <http://bird.network.cz/>
         '';
       };
+      autoReload = mkOption {
+        type = types.bool;
+        default = true;
+        description = lib.mdDoc ''
+          Whether bird2 should be automatically reloaded when the configuration changes.
+        '';
+      };
       checkConfig = mkOption {
         type = types.bool;
         default = true;
@@ -68,7 +75,7 @@ in
     systemd.services.bird2 = {
       description = "BIRD Internet Routing Daemon";
       wantedBy = [ "multi-user.target" ];
-      reloadTriggers = [ config.environment.etc."bird/bird2.conf".source ];
+      reloadTriggers = lib.optional cfg.autoReload config.environment.etc."bird/bird2.conf".source;
       serviceConfig = {
         Type = "forking";
         Restart = "on-failure";
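Review bot: With `autoReload = false` nothing in the new code reloads or restarts bird2 when the configuration changes, because `reloadTriggers` becomes empty (L2987) while the config is installed to `/etc/bird/bird2.conf` rather than into the unit file; if the unit's ExecStart (outside this hunk) reads that /etc path, a rebuild silently keeps the old routing config running. The option description at L2976 should state this, e.g. `When disabled, configuration changes take effect only after a manual reload (`birdc configure`) or a restart of the service.`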
diff --git a/nixos/modules/services/networking/bitcoind.nix b/nixos/modules/services/networking/bitcoind.nix
index 4512e666ba5b..59722e31c62a 100644
--- a/nixos/modules/services/networking/bitcoind.nix
+++ b/nixos/modules/services/networking/bitcoind.nix
@@ -198,6 +198,7 @@ in
         '';
       in {
         description = "Bitcoin daemon";
+        wants = [ "network-online.target" ];
         after = [ "network-online.target" ];
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
diff --git a/nixos/modules/services/networking/charybdis.nix b/nixos/modules/services/networking/charybdis.nix
index 168da243dba1..6eacdde7bb93 100644
--- a/nixos/modules/services/networking/charybdis.nix
+++ b/nixos/modules/services/networking/charybdis.nix
@@ -81,9 +81,9 @@ in
         gid = config.ids.gids.ircd;
       };
 
-      systemd.tmpfiles.rules = [
-        "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -"
-      ];
+      systemd.tmpfiles.settings."10-charybdis".${cfg.statedir}.d = {
+        inherit (cfg) user group;
+      };
 
       environment.etc."charybdis/ircd.conf".source = configFile;
 
diff --git a/nixos/modules/services/networking/dante.nix b/nixos/modules/services/networking/dante.nix
index 605f2d74f827..f0d1d6305c54 100644
--- a/nixos/modules/services/networking/dante.nix
+++ b/nixos/modules/services/networking/dante.nix
@@ -47,6 +47,7 @@ in
 
     systemd.services.dante = {
       description   = "Dante SOCKS v4 and v5 compatible proxy server";
+      wants         = [ "network-online.target" ];
       after         = [ "network-online.target" ];
       wantedBy      = [ "multi-user.target" ];
 
diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix
index 483300111df9..792185c9fbea 100644
--- a/nixos/modules/services/networking/dnsdist.nix
+++ b/nixos/modules/services/networking/dnsdist.nix
@@ -4,10 +4,79 @@ with lib;
 
 let
   cfg = config.services.dnsdist;
+
+  toLua = lib.generators.toLua {};
+
+  mkBind = cfg: toLua "${cfg.listenAddress}:${toString cfg.listenPort}";
+
   configFile = pkgs.writeText "dnsdist.conf" ''
-    setLocal('${cfg.listenAddress}:${toString cfg.listenPort}')
+    setLocal(${mkBind cfg})
+    ${lib.optionalString cfg.dnscrypt.enable dnscryptSetup}
     ${cfg.extraConfig}
   '';
+
+  dnscryptSetup = ''
+    last_rotation = 0
+    cert_serial = 0
+    provider_key = ${toLua cfg.dnscrypt.providerKey}
+    cert_lifetime = ${toLua cfg.dnscrypt.certLifetime} * 60
+
+    function file_exists(name)
+       local f = io.open(name, "r")
+       return f ~= nil and io.close(f)
+    end
+
+    function dnscrypt_setup()
+      -- generate provider keys on first run
+      if provider_key == nil then
+        provider_key = "/var/lib/dnsdist/private.key"
+        if not file_exists(provider_key) then
+          generateDNSCryptProviderKeys("/var/lib/dnsdist/public.key",
+                                       "/var/lib/dnsdist/private.key")
+          print("DNSCrypt: generated provider keypair")
+        end
+      end
+
+      -- generate resolver certificate
+      local now = os.time()
+      generateDNSCryptCertificate(
+        provider_key, "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key",
+        cert_serial, now - 60, now + cert_lifetime)
+      addDNSCryptBind(
+        ${mkBind cfg.dnscrypt}, ${toLua cfg.dnscrypt.providerName},
+        "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key")
+    end
+
+    function maintenance()
+      -- certificate rotation
+      local now = os.time()
+      local dnscrypt = getDNSCryptBind(0)
+
+      if ((now - last_rotation) > 0.9 * cert_lifetime) then
+        -- generate and start using a new certificate
+        dnscrypt:generateAndLoadInMemoryCertificate(
+          provider_key, cert_serial + 1,
+          now - 60, now + cert_lifetime)
+
+        -- stop advertising the last certificate
+        dnscrypt:markInactive(cert_serial)
+
+        -- remove the second to last certificate
+        if (cert_serial > 1)  then
+          dnscrypt:removeInactiveCertificate(cert_serial - 1)
+        end
+
+        print("DNSCrypt: rotated certificate")
+
+        -- increment serial number
+        cert_serial = cert_serial + 1
+        last_rotation = now
+      end
+    end
+
+    dnscrypt_setup()
+  '';
+
 in {
   options = {
     services.dnsdist = {
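Review bot: `last_rotation` starts at 0 (L3053) and is never set by `dnscrypt_setup`, so the first periodic `maintenance()` call finds `now - 0 > 0.9 * cert_lifetime` true (L3089) and immediately rotates away the certificate generated at startup, bumping the serial to 1 within the first interval. Assigning `last_rotation = now` right after the `generateDNSCryptCertificate(...)` call in `dnscrypt_setup` (L3076-L3078) makes the first rotation happen at the intended 90% of the lifetime. The rest of the rotation logic looks consistent: serial s is marked inactive and s-1 removed, so at most two certificates remain loaded.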
@@ -15,15 +84,69 @@ in {
 
       listenAddress = mkOption {
         type = types.str;
-        description = lib.mdDoc "Listen IP Address";
+        description = lib.mdDoc "Listen IP address";
         default = "0.0.0.0";
       };
       listenPort = mkOption {
-        type = types.int;
+        type = types.port;
         description = lib.mdDoc "Listen port";
         default = 53;
       };
 
+      dnscrypt = {
+        enable = mkEnableOption (lib.mdDoc "a DNSCrypt endpoint to dnsdist");
+
+        listenAddress = mkOption {
+          type = types.str;
+          description = lib.mdDoc "Listen IP address of the endpoint";
+          default = "0.0.0.0";
+        };
+
+        listenPort = mkOption {
+          type = types.port;
+          description = lib.mdDoc "Listen port of the endpoint";
+          default = 443;
+        };
+
+        providerName = mkOption {
+          type = types.str;
+          default = "2.dnscrypt-cert.${config.networking.hostName}";
+          defaultText = literalExpression "2.dnscrypt-cert.\${config.networking.hostName}";
+          example = "2.dnscrypt-cert.myresolver";
+          description = lib.mdDoc ''
+            The name that will be given to this DNSCrypt resolver.
+
+            ::: {.note}
+            The provider name must start with `2.dnscrypt-cert.`.
+            :::
+          '';
+        };
+
+        providerKey = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          description = lib.mdDoc ''
+            The filepath to the provider secret key.
+            If not given a new provider key pair will be generated in
+            /var/lib/dnsdist on the first run.
+
+            ::: {.note}
+            The file must be readable by the dnsdist user/group.
+            :::
+          '';
+        };
+
+        certLifetime = mkOption {
+          type = types.ints.positive;
+          default = 15;
+          description = lib.mdDoc ''
+            The lifetime (in minutes) of the resolver certificate.
+            This will be automatically rotated before expiration.
+          '';
+        };
+
+      };
+
       extraConfig = mkOption {
         type = types.lines;
         default = "";
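Review bot: `dnscrypt.providerKey` (L3161-L3173) is a `types.path`, and a Nix-store path would publish the long-lived provider secret key world-readable on the host and in any binary cache; the description only says the file must be readable by the dnsdist user. Suggest adding `This file must not live in the Nix store; point it at a path outside the store, e.g. under /var/lib/dnsdist.` The auto-generated keypair already goes to `/var/lib/dnsdist` (L3066-L3069), which is the right place.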
@@ -35,6 +158,14 @@ in {
   };
 
   config = mkIf cfg.enable {
+    users.users.dnsdist = {
+      description = "dnsdist daemons user";
+      isSystemUser = true;
+      group = "dnsdist";
+    };
+
+    users.groups.dnsdist = {};
+
     systemd.packages = [ pkgs.dnsdist ];
 
     systemd.services.dnsdist = {
@@ -42,8 +173,10 @@ in {
 
       startLimitIntervalSec = 0;
       serviceConfig = {
-        DynamicUser = true;
-
+        User = "dnsdist";
+        Group = "dnsdist";
+        RuntimeDirectory = "dnsdist";
+        StateDirectory = "dnsdist";
         # upstream overrides for better nixos compatibility
         ExecStartPre = [ "" "${pkgs.dnsdist}/bin/dnsdist --check-config --config ${configFile}" ];
         ExecStart = [ "" "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}" ];
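Review bot: Both the persistent provider private key (`/var/lib/dnsdist/private.key`, L3066) and the short-lived resolver key (`/run/dnsdist/resolver.key`, L3077) are written below the directories created by `StateDirectory`/`RuntimeDirectory` (L3212-L3213), whose default mode is 0755, so protection of those files depends solely on the permissions dnsdist sets when writing them. Adding `StateDirectoryMode = "0700";` and `RuntimeDirectoryMode = "0700";` restricts the directories to the dnsdist user regardless. The serviceConfig continues outside this hunk, so existing hardening directives are not visible here.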
diff --git a/nixos/modules/services/networking/ergo.nix b/nixos/modules/services/networking/ergo.nix
index 033d4d9caf8a..1bee0f43f988 100644
--- a/nixos/modules/services/networking/ergo.nix
+++ b/nixos/modules/services/networking/ergo.nix
@@ -114,6 +114,7 @@ in {
     systemd.services.ergo = {
       description = "ergo server";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       serviceConfig = {
         User = cfg.user;
diff --git a/nixos/modules/services/networking/expressvpn.nix b/nixos/modules/services/networking/expressvpn.nix
index 30de6987d31f..05c24d8bccff 100644
--- a/nixos/modules/services/networking/expressvpn.nix
+++ b/nixos/modules/services/networking/expressvpn.nix
@@ -21,6 +21,7 @@ with lib;
         RestartSec = 5;
       };
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network.target" "network-online.target" ];
     };
   };
diff --git a/nixos/modules/services/networking/frp.nix b/nixos/modules/services/networking/frp.nix
index 218d532c12da..eb022308bc29 100644
--- a/nixos/modules/services/networking/frp.nix
+++ b/nixos/modules/services/networking/frp.nix
@@ -4,8 +4,8 @@ with lib;
 
 let
   cfg = config.services.frp;
-  settingsFormat = pkgs.formats.ini { };
-  configFile = settingsFormat.generate "frp.ini" cfg.settings;
+  settingsFormat = pkgs.formats.toml { };
+  configFile = settingsFormat.generate "frp.toml" cfg.settings;
   isClient = (cfg.role == "client");
   isServer = (cfg.role == "server");
 in
@@ -31,17 +31,13 @@ in
         default = { };
         description = mdDoc ''
           Frp configuration, for configuration options
-          see the example of [client](https://github.com/fatedier/frp/blob/dev/conf/frpc_legacy_full.ini)
-          or [server](https://github.com/fatedier/frp/blob/dev/conf/frps_legacy_full.ini) on github.
-        '';
-        example = literalExpression ''
-          {
-            common = {
-              server_addr = "x.x.x.x";
-              server_port = 7000;
-            };
-          }
+          see the example of [client](https://github.com/fatedier/frp/blob/dev/conf/frpc_full_example.toml)
+          or [server](https://github.com/fatedier/frp/blob/dev/conf/frps_full_example.toml) on github.
         '';
+        example = {
+            serverAddr = "x.x.x.x";
+            serverPort = 7000;
+          };
       };
     };
   };
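Review bot: Switching `settingsFormat` from INI to TOML (L3251-L3252) silently changes the meaning of every existing `services.frp.settings` value: a legacy configuration with a `common` section, like the example this hunk removes, is now emitted as TOML and, with `--strict_config` added in the ExecStart hunk (L3285), rejected at start rather than at evaluation. An assertion such as `{ assertion = !(cfg.settings ? common); message = "services.frp.settings now uses the TOML format; migrate the legacy [common] section."; }` plus a release-note entry would turn that into a clear build-time error. The new `example` at L3273-L3276 is also indented two levels deeper than the attribute it belongs to.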
@@ -62,7 +58,7 @@ in
             Type = "simple";
             Restart = "on-failure";
             RestartSec = 15;
-            ExecStart = "${cfg.package}/bin/${executableFile} -c ${configFile}";
+            ExecStart = "${cfg.package}/bin/${executableFile} --strict_config -c ${configFile}";
             StateDirectoryMode = optionalString isServer "0700";
             DynamicUser = true;
             # Hardening
diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix
index 4224a0578cc3..0159da37de87 100644
--- a/nixos/modules/services/networking/headscale.nix
+++ b/nixos/modules/services/networking/headscale.nix
@@ -444,10 +444,14 @@ in {
       tls_letsencrypt_cache_dir = "${dataDir}/.cache";
     };
 
-    # Setup the headscale configuration in a known path in /etc to
-    # allow both the Server and the Client use it to find the socket
-    # for communication.
-    environment.etc."headscale/config.yaml".source = configFile;
+    environment = {
+      # Setup the headscale configuration in a known path in /etc to
+      # allow both the Server and the Client use it to find the socket
+      # for communication.
+      etc."headscale/config.yaml".source = configFile;
+
+      systemPackages = [ cfg.package ];
+    };
 
     users.groups.headscale = mkIf (cfg.group == "headscale") {};
 
@@ -460,6 +464,7 @@ in {
 
     systemd.services.headscale = {
       description = "headscale coordination server for Tailscale";
+      wants = [ "network-online.target" ];
       after = ["network-online.target"];
       wantedBy = ["multi-user.target"];
       restartTriggers = [configFile];
diff --git a/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixos/modules/services/networking/ircd-hybrid/default.nix
index 554b0f7bb8b4..64a34cc52d25 100644
--- a/nixos/modules/services/networking/ircd-hybrid/default.nix
+++ b/nixos/modules/services/networking/ircd-hybrid/default.nix
@@ -125,7 +125,8 @@ in
 
     systemd.services.ircd-hybrid = {
       description = "IRCD Hybrid server";
-      after = [ "started networking" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       script = "${ircdService}/bin/control start";
     };
diff --git a/nixos/modules/services/networking/ivpn.nix b/nixos/modules/services/networking/ivpn.nix
index 6df630c1f194..6c9ae599e670 100644
--- a/nixos/modules/services/networking/ivpn.nix
+++ b/nixos/modules/services/networking/ivpn.nix
@@ -27,7 +27,7 @@ with lib;
     systemd.services.ivpn-service = {
       description = "iVPN daemon";
       wantedBy = [ "multi-user.target" ];
-      wants = [ "network.target" ];
+      wants = [ "network.target" "network-online.target" ];
       after = [
         "network-online.target"
         "NetworkManager.service"
diff --git a/nixos/modules/services/networking/jibri/default.nix b/nixos/modules/services/networking/jibri/default.nix
index a931831fc281..73d11bdbee5a 100644
--- a/nixos/modules/services/networking/jibri/default.nix
+++ b/nixos/modules/services/networking/jibri/default.nix
@@ -395,11 +395,11 @@ in
       };
     };
 
-    systemd.tmpfiles.rules = [
-      "d /var/log/jitsi/jibri 755 jibri jibri"
-    ];
-
-
+    systemd.tmpfiles.settings."10-jibri"."/var/log/jitsi/jibri".d = {
+      user = "jibri";
+      group = "jibri";
+      mode = "755";
+    };
 
     # Configure Chromium to not show the "Chrome is being controlled by automatic test software" message.
     environment.etc."chromium/policies/managed/managed_policies.json".text = builtins.toJSON { CommandLineFlagSecurityWarningsEnabled = false; };
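Review bot: `mode = "755"` (L3363) is written without the leading zero every other migrated tmpfiles entry in this commit uses (`"0755"`, e.g. L2445 and L2909); systemd-tmpfiles should parse both as octal, so this is a consistency point only, but `mode = "0755";` keeps the new settings uniform. The previous rule carried no age field and neither does the new entry, so behaviour is unchanged there.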
diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix
index 5ca705976c41..656ddd41fd12 100644
--- a/nixos/modules/services/networking/kea.nix
+++ b/nixos/modules/services/networking/kea.nix
@@ -325,6 +325,9 @@ in
         "network-online.target"
         "time-sync.target"
       ];
+      wants = [
+        "network-online.target"
+      ];
       wantedBy = [
         "multi-user.target"
       ];
@@ -372,6 +375,9 @@ in
         "network-online.target"
         "time-sync.target"
       ];
+      wants = [
+        "network-online.target"
+      ];
       wantedBy = [
         "multi-user.target"
       ];
@@ -413,6 +419,7 @@ in
         "https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"
       ];
 
+      wants = [ "network-online.target" ];
       after = [
         "network-online.target"
         "time-sync.target"
diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix
index 429a47c3962c..599dfd52e271 100644
--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -59,9 +59,11 @@ let
         ${optionalString i.vmacXmitBase "vmac_xmit_base"}
 
         ${optionalString (i.unicastSrcIp != null) "unicast_src_ip ${i.unicastSrcIp}"}
-        unicast_peer {
-          ${concatStringsSep "\n" i.unicastPeers}
-        }
+        ${optionalString (builtins.length i.unicastPeers > 0) ''
+          unicast_peer {
+            ${concatStringsSep "\n" i.unicastPeers}
+          }
+        ''}
 
         virtual_ipaddress {
           ${concatMapStringsSep "\n" virtualIpLine i.virtualIps}
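Review bot: Emitting `unicast_peer` only when `unicastPeers` is non-empty means an instance that sets `unicastSrcIp` but lists no peers now produces a bare `unicast_src_ip` line; as far as I can tell keepalived treats the absence of a peer block as multicast VRRP, so a configuration that is almost certainly a mistake is accepted silently instead of being visible as an empty block in the generated file (whether keepalived rejected the old empty block is not shown here). Consider an assertion in the module's `config`, along the lines of `assertion = i.unicastSrcIp == null || i.unicastPeers != [];` with a message naming the instance, or at least a comment on the `optionalString` line stating that an empty peer list falls back to multicast. The interpolated instance template this sits in starts before the hunk.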
@@ -138,6 +140,7 @@ let
 
 in
 {
+  meta.maintainers = [ lib.maintainers.raitobezarius ];
 
   options = {
     services.keepalived = {
diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix
index d4bd81629c97..94c32586736a 100644
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@@ -44,6 +44,7 @@ let
         ++ [ (sec_list_fa "id" nix_def "template") ]
         ++ [ (sec_list_fa "domain" nix_def "zone") ]
         ++ [ (sec_plain nix_def "include") ]
+        ++ [ (sec_plain nix_def "clear") ]
       );
 
     # A plain section contains directly attributes (we don't really check that ATM).
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index f2b158b98942..ad9eefb42252 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -596,6 +596,7 @@ in
     systemd.services.mosquitto = {
       description = "Mosquitto MQTT Broker Daemon";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       serviceConfig = {
         Type = "notify";
diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix
index 446c71f40764..5da4ca1d1d80 100644
--- a/nixos/modules/services/networking/mullvad-vpn.nix
+++ b/nixos/modules/services/networking/mullvad-vpn.nix
@@ -53,7 +53,7 @@ with lib;
     systemd.services.mullvad-daemon = {
       description = "Mullvad VPN daemon";
       wantedBy = [ "multi-user.target" ];
-      wants = [ "network.target" ];
+      wants = [ "network.target" "network-online.target" ];
       after = [
         "network-online.target"
         "NetworkManager.service"
diff --git a/nixos/modules/services/networking/nbd.nix b/nixos/modules/services/networking/nbd.nix
index 454380aa3154..b4bf7ede8463 100644
--- a/nixos/modules/services/networking/nbd.nix
+++ b/nixos/modules/services/networking/nbd.nix
@@ -117,6 +117,7 @@ in
     boot.kernelModules = [ "nbd" ];
 
     systemd.services.nbd-server = {
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       before = [ "multi-user.target" ];
       wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/networking/netbird.md b/nixos/modules/services/networking/netbird.md
new file mode 100644
index 000000000000..a326207becc8
--- /dev/null
+++ b/nixos/modules/services/networking/netbird.md
@@ -0,0 +1,56 @@
+# Netbird {#module-services-netbird}
+
+## Quickstart {#module-services-netbird-quickstart}
+
+The absolute minimal configuration for the netbird daemon looks like this:
+
+```nix
+services.netbird.enable = true;
+```
+
+This will set up a netbird service listening on the port `51820` associated to the
+`wt0` interface.
+
+It is strictly equivalent to setting:
+
+```nix
+services.netbird.tunnels.wt0.stateDir = "netbird";
+```
+
+The `enable` option is mainly kept for backward compatibility, as defining netbird
+tunnels through the `tunnels` option is more expressive.
+
+## Multiple connections setup {#module-services-netbird-multiple-connections}
+
+Using the `services.netbird.tunnels` option, it is also possible to define more than
+one netbird service running at the same time.
+
+The following configuration will start a netbird daemon using the interface `wt1` and
+the port 51830. Its configuration file will then be located at `/var/lib/netbird-wt1/config.json`.
+
+```nix
+services.netbird.tunnels = {
+  wt1 = {
+    port = 51830;
+  };
+};
+```
+
+To interact with it, you will need to specify the correct daemon address:
+
+```bash
+netbird --daemon-addr unix:///var/run/netbird-wt1/sock ...
+```
+
+The address will by default be `unix:///var/run/netbird-<name>`.
+
+It is also possible to overwrite default options passed to the service, for
+example:
+
+```nix
+services.netbird.tunnels.wt1.environment = {
+  NB_DAEMON_ADDR = "unix:///var/run/toto.sock"
+};
+```
+
+This will set the socket to interact with the netbird service to `/var/run/toto.sock`.
diff --git a/nixos/modules/services/networking/netbird.nix b/nixos/modules/services/networking/netbird.nix
index 4b0bd63e9dbc..6a1511d4d084 100644
--- a/nixos/modules/services/networking/netbird.nix
+++ b/nixos/modules/services/networking/netbird.nix
@@ -1,60 +1,171 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
-  cfg = config.services.netbird;
+  inherit (lib)
+    attrNames
+    getExe
+    literalExpression
+    maintainers
+    mapAttrs'
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkMerge
+    mkOption
+    mkPackageOption
+    nameValuePair
+    optional
+    versionOlder
+    ;
+
+  inherit (lib.types)
+    attrsOf
+    port
+    str
+    submodule
+    ;
+
   kernel = config.boot.kernelPackages;
-  interfaceName = "wt0";
-in {
-  meta.maintainers = with maintainers; [ misuzu ];
+
+  cfg = config.services.netbird;
+in
+{
+  meta.maintainers = with maintainers; [
+    misuzu
+    thubrecht
+  ];
+  meta.doc = ./netbird.md;
 
   options.services.netbird = {
     enable = mkEnableOption (lib.mdDoc "Netbird daemon");
     package = mkPackageOption pkgs "netbird" { };
-  };
-
-  config = mkIf cfg.enable {
-    boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
 
-    environment.systemPackages = [ cfg.package ];
+    tunnels = mkOption {
+      type = attrsOf (
+        submodule (
+          { name, config, ... }:
+          {
+            options = {
+              port = mkOption {
+                type = port;
+                default = 51820;
+                description = ''
+                  Port for the ${name} netbird interface.
+                '';
+              };
 
-    networking.dhcpcd.denyInterfaces = [ interfaceName ];
+              environment = mkOption {
+                type = attrsOf str;
+                defaultText = literalExpression ''
+                  {
+                    NB_CONFIG = "/var/lib/''${stateDir}/config.json";
+                    NB_LOG_FILE = "console";
+                    NB_WIREGUARD_PORT = builtins.toString port;
+                    NB_INTERFACE_NAME = name;
+                    NB_DAMEON_ADDR = "/var/run/''${stateDir}"
+                  }
+                '';
+                description = ''
+                  Environment for the netbird service, used to pass configuration options.
+                '';
+              };
 
-    systemd.network.networks."50-netbird" = mkIf config.networking.useNetworkd {
-      matchConfig = {
-        Name = interfaceName;
-      };
-      linkConfig = {
-        Unmanaged = true;
-        ActivationPolicy = "manual";
-      };
-    };
+              stateDir = mkOption {
+                type = str;
+                default = "netbird-${name}";
+                description = ''
+                  Directory storing the netbird configuration.
+                '';
+              };
+            };
 
-    systemd.services.netbird = {
-      description = "A WireGuard-based mesh network that connects your devices into a single private network";
-      documentation = [ "https://netbird.io/docs/" ];
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      path = with pkgs; [
-        openresolv
-      ];
-      serviceConfig = {
-        Environment = [
-          "NB_CONFIG=/var/lib/netbird/config.json"
-          "NB_LOG_FILE=console"
-        ];
-        ExecStart = "${cfg.package}/bin/netbird service run";
-        Restart = "always";
-        RuntimeDirectory = "netbird";
-        StateDirectory = "netbird";
-        WorkingDirectory = "/var/lib/netbird";
-      };
-      unitConfig = {
-        StartLimitInterval = 5;
-        StartLimitBurst = 10;
-      };
-      stopIfChanged = false;
+            config.environment = builtins.mapAttrs (_: mkDefault) {
+              NB_CONFIG = "/var/lib/${config.stateDir}/config.json";
+              NB_LOG_FILE = "console";
+              NB_WIREGUARD_PORT = builtins.toString config.port;
+              NB_INTERFACE_NAME = name;
+              NB_DAEMON_ADDR = "unix:///var/run/${config.stateDir}/sock";
+            };
+          }
+        )
+      );
+      default = { };
+      description = ''
+        Attribute set of Netbird tunnels, each one will spawn a daemon listening on ...
+      '';
     };
   };
+
+  config = mkMerge [
+    (mkIf cfg.enable {
+      # For backwards compatibility
+      services.netbird.tunnels.wt0.stateDir = "netbird";
+    })
+
+    (mkIf (cfg.tunnels != { }) {
+      boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
+
+      environment.systemPackages = [ cfg.package ];
+
+      networking.dhcpcd.denyInterfaces = attrNames cfg.tunnels;
+
+      systemd.network.networks = mkIf config.networking.useNetworkd (
+        mapAttrs'
+          (
+            name: _:
+            nameValuePair "50-netbird-${name}" {
+              matchConfig = {
+                Name = name;
+              };
+              linkConfig = {
+                Unmanaged = true;
+                ActivationPolicy = "manual";
+              };
+            }
+          )
+          cfg.tunnels
+      );
+
+      systemd.services =
+        mapAttrs'
+          (
+            name:
+            { environment, stateDir, ... }:
+            nameValuePair "netbird-${name}" {
+              description = "A WireGuard-based mesh network that connects your devices into a single private network";
+
+              documentation = [ "https://netbird.io/docs/" ];
+
+              after = [ "network.target" ];
+              wantedBy = [ "multi-user.target" ];
+
+              path = with pkgs; [ openresolv ];
+
+              inherit environment;
+
+              serviceConfig = {
+                ExecStart = "${getExe cfg.package} service run";
+                Restart = "always";
+                RuntimeDirectory = stateDir;
+                StateDirectory = stateDir;
+                StateDirectoryMode = "0700";
+                WorkingDirectory = "/var/lib/${stateDir}";
+              };
+
+              unitConfig = {
+                StartLimitInterval = 5;
+                StartLimitBurst = 10;
+              };
+
+              stopIfChanged = false;
+            }
+          )
+          cfg.tunnels;
+    })
+  ];
 }
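Review bot: The `defaultText` for `tunnels.<name>.environment` does not match what `config.environment` actually sets a few lines below it: the text shows `NB_DAMEON_ADDR = "/var/run/''${stateDir}"` while the code sets `NB_DAEMON_ADDR = "unix:///var/run/${config.stateDir}/sock"`, so the variable name is misspelled and both the `unix://` scheme and the `/sock` suffix are missing in the rendered option documentation. Change that line to `NB_DAEMON_ADDR = "unix:///var/run/''${stateDir}/sock";` (the "by default" sentence in the accompanying netbird.md also omits the `/sock` suffix). The `tunnels` description is left unfinished (`each one will spawn a daemon listening on ...`); something like `Attribute set of Netbird tunnels; each entry spawns a netbird daemon bound to the interface named after the attribute, listening on its configured port.` would do. Separately, `StateDirectoryMode = "0700"` is a welcome tightening, but `RuntimeDirectory` keeps systemd's default mode, so the directory holding the control socket stays world-traversable; whether the daemon restricts the socket itself is not visible here, so a `RuntimeDirectoryMode` may be worth considering.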
diff --git a/nixos/modules/services/networking/ocserv.nix b/nixos/modules/services/networking/ocserv.nix
index 9548fd92dbda..3c61d56b893e 100644
--- a/nixos/modules/services/networking/ocserv.nix
+++ b/nixos/modules/services/networking/ocserv.nix
@@ -85,6 +85,7 @@ in
     systemd.services.ocserv = {
       description = "OpenConnect SSL VPN server";
       documentation = [ "man:ocserv(8)" ];
+      wants = [ "network-online.target" ];
       after = [ "dbus.service" "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
 
diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix
index db0a61b83469..8470f5e9cbc0 100644
--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@@ -92,6 +92,7 @@ in {
 
     systemd.services.pleroma = {
       description = "Pleroma social network";
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" "postgresql.service" ];
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
diff --git a/nixos/modules/services/networking/rosenpass.nix b/nixos/modules/services/networking/rosenpass.nix
index d2a264b83d67..487cb6f60142 100644
--- a/nixos/modules/services/networking/rosenpass.nix
+++ b/nixos/modules/services/networking/rosenpass.nix
@@ -208,6 +208,7 @@ in
       in
       rec {
         wantedBy = [ "multi-user.target" ];
+        wants = [ "network-online.target" ];
         after = [ "network-online.target" ];
         path = [ cfg.package pkgs.wireguard-tools ];
 
diff --git a/nixos/modules/services/networking/rxe.nix b/nixos/modules/services/networking/rxe.nix
index 7dbb4823b4bc..07437ed71195 100644
--- a/nixos/modules/services/networking/rxe.nix
+++ b/nixos/modules/services/networking/rxe.nix
@@ -33,7 +33,7 @@ in {
 
       wantedBy = [ "multi-user.target" ];
       after = [ "systemd-modules-load.service" "network-online.target" ];
-      wants = [ "network-pre.target" ];
+      wants = [ "network-pre.target" "network-online.target" ];
 
       serviceConfig = {
         Type = "oneshot";
diff --git a/nixos/modules/services/networking/soju.nix b/nixos/modules/services/networking/soju.nix
index 7f0ac3e3b8e6..d69ec08ca13a 100644
--- a/nixos/modules/services/networking/soju.nix
+++ b/nixos/modules/services/networking/soju.nix
@@ -110,6 +110,7 @@ in
     systemd.services.soju = {
       description = "soju IRC bouncer";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       serviceConfig = {
         DynamicUser = true;
diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix
index c8832ed4defb..a98850923955 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/module.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix
@@ -55,6 +55,7 @@ in  {
     systemd.services.strongswan-swanctl = {
       description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
       wantedBy = [ "multi-user.target" ];
+      wants    = [ "network-online.target" ];
       after    = [ "network-online.target" ];
       path     = with pkgs; [ kmod iproute2 iptables util-linux ];
       environment = {
diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix
index e58526814d1a..dcf04d2a1917 100644
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -153,6 +153,7 @@ in
       description = "strongSwan IPSec Service";
       wantedBy = [ "multi-user.target" ];
       path = with pkgs; [ kmod iproute2 iptables util-linux ]; # XXX Linux
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       environment = {
         STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
diff --git a/nixos/modules/services/networking/syncplay.nix b/nixos/modules/services/networking/syncplay.nix
index 0a66d93bf153..151259b6d4ad 100644
--- a/nixos/modules/services/networking/syncplay.nix
+++ b/nixos/modules/services/networking/syncplay.nix
@@ -107,6 +107,7 @@ in
     systemd.services.syncplay = {
       description = "Syncplay Service";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
 
       serviceConfig = {
diff --git a/nixos/modules/services/networking/wasabibackend.nix b/nixos/modules/services/networking/wasabibackend.nix
index 938145b35ee8..e3a48afd2a2c 100644
--- a/nixos/modules/services/networking/wasabibackend.nix
+++ b/nixos/modules/services/networking/wasabibackend.nix
@@ -119,6 +119,7 @@ in {
     systemd.services.wasabibackend = {
       description = "wasabibackend server";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       environment = {
         DOTNET_PRINT_TELEMETRY_MESSAGE = "false";
diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix
index d3ba4a524197..e15233293cf2 100644
--- a/nixos/modules/services/networking/znc/default.nix
+++ b/nixos/modules/services/networking/znc/default.nix
@@ -243,6 +243,7 @@ in
     systemd.services.znc = {
       description = "ZNC Server";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       serviceConfig = {
         User = cfg.user;
diff --git a/nixos/modules/services/security/certmgr.nix b/nixos/modules/services/security/certmgr.nix
index db80e943973d..02cb7afe87ba 100644
--- a/nixos/modules/services/security/certmgr.nix
+++ b/nixos/modules/services/security/certmgr.nix
@@ -182,6 +182,7 @@ in
     systemd.services.certmgr = {
       description = "certmgr";
       path = mkIf (cfg.svcManager == "command") [ pkgs.bash ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       inherit preStart;
diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix
index d3164373ec01..4480c0cae60c 100644
--- a/nixos/modules/services/security/clamav.nix
+++ b/nixos/modules/services/security/clamav.nix
@@ -196,6 +196,7 @@ in
     systemd.services.clamav-freshclam = mkIf cfg.updater.enable {
       description = "ClamAV virus database updater (freshclam)";
       restartTriggers = [ freshclamConfigFile ];
+      requires = [ "network-online.target" ];
       after = [ "network-online.target" ];
 
       serviceConfig = {
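Review bot: `requires = [ "network-online.target" ]` is stronger than the `wants` every other service in this commit gets, and the difference has a visible effect: with `Requires=`, clamav-freshclam is stopped whenever network-online.target is deactivated and refuses to start at all if that target fails, whereas `Wants=` only pulls the target in. For an updater that is presumably started from a timer (not visible in this hunk), a failing network-online.target would then turn every scheduled run into a unit failure; if that is not intended, `wants = [ "network-online.target" ];` matches the rest of the change. The same applies to the clamav-fangfrisch hunk below. If `Requires=` is deliberate, a one-line comment saying why would save the next reader the question.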
@@ -243,6 +244,7 @@ in
     systemd.services.clamav-fangfrisch = mkIf cfg.fangfrisch.enable {
       description = "ClamAV virus database updater (fangfrisch)";
       restartTriggers = [ fangfrischConfigFile ];
+      requires = [ "network-online.target" ];
       after = [ "network-online.target" "clamav-fangfrisch-init.service" ];
 
       serviceConfig = {
diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix
index 78916c907279..d1dc37d549d2 100644
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
@@ -572,6 +572,7 @@ in
       description = "OAuth2 Proxy";
       path = [ cfg.package ];
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
 
       serviceConfig = {
diff --git a/nixos/modules/services/system/cachix-agent/default.nix b/nixos/modules/services/system/cachix-agent/default.nix
index 196d3291d555..f8020fe970f1 100644
--- a/nixos/modules/services/system/cachix-agent/default.nix
+++ b/nixos/modules/services/system/cachix-agent/default.nix
@@ -49,6 +49,7 @@ in {
   config = mkIf cfg.enable {
     systemd.services.cachix-agent = {
       description = "Cachix Deploy Agent";
+      wants = [ "network-online.target" ];
       after = ["network-online.target"];
       path = [ config.nix.package ];
       wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/system/cachix-watch-store.nix b/nixos/modules/services/system/cachix-watch-store.nix
index 8aa5f0358fa9..d48af29465aa 100644
--- a/nixos/modules/services/system/cachix-watch-store.nix
+++ b/nixos/modules/services/system/cachix-watch-store.nix
@@ -61,6 +61,7 @@ in
   config = mkIf cfg.enable {
     systemd.services.cachix-watch-store-agent = {
       description = "Cachix watch store Agent";
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       path = [ config.nix.package ];
       wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix
index d782bb1a3666..00ae77be4271 100644
--- a/nixos/modules/services/system/cloud-init.nix
+++ b/nixos/modules/services/system/cloud-init.nix
@@ -164,7 +164,10 @@ in
     systemd.services.cloud-init-local = {
       description = "Initial cloud-init job (pre-networking)";
       wantedBy = [ "multi-user.target" ];
-      before = [ "systemd-networkd.service" ];
+      # In certain environments (AWS for example), cloud-init-local will
+      # first configure an IP through DHCP, and later delete it.
+      # This can cause race conditions with anything else trying to set IP through DHCP.
+      before = [ "systemd-networkd.service" "dhcpcd.service" ];
       path = path;
       serviceConfig = {
         Type = "oneshot";
diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
index b47ebc92f93a..e8f8b48d0337 100644
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -95,6 +95,7 @@ in
         uid = config.ids.uids.messagebus;
         description = "D-Bus system message bus daemon user";
         home = homeDir;
+        homeMode = "0755";
         group = "messagebus";
       };
 
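Review bot: `homeMode = "0755"` is added without any explanation, and `homeDir` is defined outside this hunk, so a reader cannot tell from here what is being made world-readable and traversable; if that directory holds the system bus socket, 0755 is required so unprivileged clients can reach it, but that is inference from the user's role rather than something the hunk shows. A short why-comment on the new line would settle it, e.g. `# world-traversable so unprivileged clients can reach the system bus socket below it`, provided that is indeed the reason. The enclosing `users.users` definition starts before the hunk.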
diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix
index 4802e3e1c63a..632d8aa98aa2 100644
--- a/nixos/modules/services/torrent/deluge.nix
+++ b/nixos/modules/services/torrent/deluge.nix
@@ -191,17 +191,25 @@ in {
     # Provide a default set of `extraPackages`.
     services.deluge.extraPackages = with pkgs; [ unzip gnutar xz bzip2 ];
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group}"
-      "d '${cfg.dataDir}/.config' 0770 ${cfg.user} ${cfg.group}"
-      "d '${cfg.dataDir}/.config/deluge' 0770 ${cfg.user} ${cfg.group}"
-    ]
-    ++ optional (cfg.config ? download_location)
-      "d '${cfg.config.download_location}' 0770 ${cfg.user} ${cfg.group}"
-    ++ optional (cfg.config ? torrentfiles_location)
-      "d '${cfg.config.torrentfiles_location}' 0770 ${cfg.user} ${cfg.group}"
-    ++ optional (cfg.config ? move_completed_path)
-      "d '${cfg.config.move_completed_path}' 0770 ${cfg.user} ${cfg.group}";
+    systemd.tmpfiles.settings."10-deluged" = let
+      defaultConfig = {
+        inherit (cfg) user group;
+        mode = "0770";
+      };
+    in {
+      "${cfg.dataDir}".d = defaultConfig;
+      "${cfg.dataDir}/.config".d = defaultConfig;
+      "${cfg.dataDir}/.config/deluge".d = defaultConfig;
+    }
+    // optionalAttrs (cfg.config ? download_location) {
+      ${cfg.config.download_location}.d = defaultConfig;
+    }
+    // optionalAttrs (cfg.config ? torrentfiles_location) {
+      ${cfg.config.torrentfiles_location}.d = defaultConfig;
+    }
+    // optionalAttrs (cfg.config ? move_completed_path) {
+      ${cfg.config.move_completed_path}.d = defaultConfig;
+    };
 
     systemd.services.deluged = {
       after = [ "network.target" ];
diff --git a/nixos/modules/services/video/epgstation/default.nix b/nixos/modules/services/video/epgstation/default.nix
index a7468e7cc2b6..1b3258c3df8e 100644
--- a/nixos/modules/services/video/epgstation/default.nix
+++ b/nixos/modules/services/video/epgstation/default.nix
@@ -309,17 +309,25 @@ in
         (lib.mkIf cfg.usePreconfiguredStreaming streamingConfig)
       ];
 
-    systemd.tmpfiles.rules = [
-      "d '/var/lib/epgstation/key' - ${username} ${groupname} - -"
-      "d '/var/lib/epgstation/streamfiles' - ${username} ${groupname} - -"
-      "d '/var/lib/epgstation/drop' - ${username} ${groupname} - -"
-      "d '/var/lib/epgstation/recorded' - ${username} ${groupname} - -"
-      "d '/var/lib/epgstation/thumbnail' - ${username} ${groupname} - -"
-      "d '/var/lib/epgstation/db/subscribers' - ${username} ${groupname} - -"
-      "d '/var/lib/epgstation/db/migrations/mysql' - ${username} ${groupname} - -"
-      "d '/var/lib/epgstation/db/migrations/postgres' - ${username} ${groupname} - -"
-      "d '/var/lib/epgstation/db/migrations/sqlite' - ${username} ${groupname} - -"
-    ];
+    systemd.tmpfiles.settings."10-epgstation" =
+      lib.listToAttrs
+        (map (dir: lib.nameValuePair dir {
+          d = {
+            user = username;
+            group = groupname;
+          };
+        })
+        [
+          "/var/lib/epgstation/key"
+          "/var/lib/epgstation/streamfiles"
+          "/var/lib/epgstation/drop"
+          "/var/lib/epgstation/recorded"
+          "/var/lib/epgstation/thumbnail"
+          "/var/lib/epgstation/db/subscribers"
+          "/var/lib/epgstation/db/migrations/mysql"
+          "/var/lib/epgstation/db/migrations/postgres"
+          "/var/lib/epgstation/db/migrations/sqlite"
+        ]);
 
     systemd.services.epgstation = {
       inherit description;
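Review bot: The new entries omit `mode`, so all nine directories, including `/var/lib/epgstation/key`, are created with tmpfiles' default 0755 — the same as the old `-` rules, so not a regression, but this conversion is the natural point to tighten a directory whose name suggests key material. What is actually stored there is not visible in the hunk; if it holds private keys, give that one entry `mode = "0700"`, for example by applying `lib.recursiveUpdate` with `{ "/var/lib/epgstation/key".d.mode = "0700"; }` to the `listToAttrs` result (a plain `//` would replace the whole `d` attribute and drop `user`/`group`).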
diff --git a/nixos/modules/services/video/go2rtc/default.nix b/nixos/modules/services/video/go2rtc/default.nix
index 13851fa0306f..9dddbb60baa8 100644
--- a/nixos/modules/services/video/go2rtc/default.nix
+++ b/nixos/modules/services/video/go2rtc/default.nix
@@ -94,6 +94,7 @@ in
 
   config = lib.mkIf cfg.enable {
     systemd.services.go2rtc = {
+      wants = [ "network-online.target" ];
       after = [
         "network-online.target"
       ];
diff --git a/nixos/modules/services/video/mirakurun.nix b/nixos/modules/services/video/mirakurun.nix
index 31f90650ba9a..208b34ab353a 100644
--- a/nixos/modules/services/video/mirakurun.nix
+++ b/nixos/modules/services/video/mirakurun.nix
@@ -165,9 +165,10 @@ in
         port = mkIf (cfg.port != null) cfg.port;
       };
 
-      systemd.tmpfiles.rules = [
-        "d '/etc/mirakurun' - ${username} ${groupname} - -"
-      ];
+      systemd.tmpfiles.settings."10-mirakurun"."/etc/mirakurun".d = {
+        user = username;
+        group = groupname;
+      };
 
       systemd.services.mirakurun = {
         description = mirakurun.meta.description;
diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix
index 8980556ab014..4cd9e2664378 100644
--- a/nixos/modules/services/web-apps/akkoma.nix
+++ b/nixos/modules/services/web-apps/akkoma.nix
@@ -974,7 +974,7 @@ in {
       # This service depends on network-online.target and is sequenced after
       # it because it requires access to the Internet to function properly.
       bindsTo = [ "akkoma-config.service" ];
-      wants = [ "network-online.service" ];
+      wants = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       after = [
         "akkoma-config.target"
diff --git a/nixos/modules/services/web-apps/alps.nix b/nixos/modules/services/web-apps/alps.nix
index 05fb676102df..81c6b8ad30b5 100644
--- a/nixos/modules/services/web-apps/alps.nix
+++ b/nixos/modules/services/web-apps/alps.nix
@@ -94,6 +94,7 @@ in {
       description = "alps is a simple and extensible webmail.";
       documentation = [ "https://git.sr.ht/~migadu/alps" ];
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network.target" "network-online.target" ];
 
       serviceConfig = {
diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix
index d846c98577c8..4999eceb2b60 100644
--- a/nixos/modules/services/web-apps/bookstack.nix
+++ b/nixos/modules/services/web-apps/bookstack.nix
@@ -412,20 +412,25 @@ in {
       '';
     };
 
-    systemd.tmpfiles.rules = [
-      "d ${cfg.dataDir}                            0710 ${user} ${group} - -"
-      "d ${cfg.dataDir}/public                     0750 ${user} ${group} - -"
-      "d ${cfg.dataDir}/public/uploads             0750 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage                    0700 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage/app                0700 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage/fonts              0700 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage/framework          0700 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage/framework/cache    0700 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage/framework/sessions 0700 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage/framework/views    0700 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage/logs               0700 ${user} ${group} - -"
-      "d ${cfg.dataDir}/storage/uploads            0700 ${user} ${group} - -"
-    ];
+    systemd.tmpfiles.settings."10-bookstack" = let
+      defaultConfig = {
+        inherit user group;
+        mode = "0700";
+      };
+    in {
+      "${cfg.dataDir}".d = defaultConfig // { mode = "0710"; };
+      "${cfg.dataDir}/public".d = defaultConfig // { mode = "0750"; };
+      "${cfg.dataDir}/public/uploads".d = defaultConfig // { mode = "0750"; };
+      "${cfg.dataDir}/storage".d = defaultConfig;
+      "${cfg.dataDir}/storage/app".d = defaultConfig;
+      "${cfg.dataDir}/storage/fonts".d = defaultConfig;
+      "${cfg.dataDir}/storage/framework".d = defaultConfig;
+      "${cfg.dataDir}/storage/framework/cache".d = defaultConfig;
+      "${cfg.dataDir}/storage/framework/sessions".d = defaultConfig;
+      "${cfg.dataDir}/storage/framework/views".d = defaultConfig;
+      "${cfg.dataDir}/storage/logs".d = defaultConfig;
+      "${cfg.dataDir}/storage/uploads".d = defaultConfig;
+    };
 
     users = {
       users = mkIf (user == "bookstack") {
diff --git a/nixos/modules/services/web-apps/c2fmzq-server.nix b/nixos/modules/services/web-apps/c2fmzq-server.nix
index 87938fe160e1..dee131182de1 100644
--- a/nixos/modules/services/web-apps/c2fmzq-server.nix
+++ b/nixos/modules/services/web-apps/c2fmzq-server.nix
@@ -80,6 +80,7 @@ in {
       description = "c2FmZQ-server";
       documentation = [ "https://github.com/c2FmZQ/c2FmZQ/blob/main/README.md" ];
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network.target" "network-online.target" ];
 
       serviceConfig = {
diff --git a/nixos/modules/services/web-apps/code-server.nix b/nixos/modules/services/web-apps/code-server.nix
index 11601f6c3044..d087deb7848d 100644
--- a/nixos/modules/services/web-apps/code-server.nix
+++ b/nixos/modules/services/web-apps/code-server.nix
@@ -205,6 +205,7 @@ in {
     systemd.services.code-server = {
       description = "Code server";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       path = cfg.extraPackages;
       environment = {
diff --git a/nixos/modules/services/web-apps/freshrss.nix b/nixos/modules/services/web-apps/freshrss.nix
index c8399143c37b..edec9d547a30 100644
--- a/nixos/modules/services/web-apps/freshrss.nix
+++ b/nixos/modules/services/web-apps/freshrss.nix
@@ -228,9 +228,10 @@ in
       };
       users.groups."${cfg.user}" = { };
 
-      systemd.tmpfiles.rules = [
-        "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
-      ];
+      systemd.tmpfiles.settings."10-freshrss".${cfg.dataDir}.d = {
+        inherit (cfg) user;
+        group = config.users.users.${cfg.user}.group;
+      };
 
       systemd.services.freshrss-config =
         let
diff --git a/nixos/modules/services/web-apps/healthchecks.nix b/nixos/modules/services/web-apps/healthchecks.nix
index e5e425a29d54..1d439f162313 100644
--- a/nixos/modules/services/web-apps/healthchecks.nix
+++ b/nixos/modules/services/web-apps/healthchecks.nix
@@ -176,6 +176,7 @@ in
     systemd.targets.healthchecks = {
       description = "Target for all Healthchecks services";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network.target" "network-online.target" ];
     };
 
diff --git a/nixos/modules/services/web-apps/mattermost.nix b/nixos/modules/services/web-apps/mattermost.nix
index 503559432374..3d03c96d1c19 100644
--- a/nixos/modules/services/web-apps/mattermost.nix
+++ b/nixos/modules/services/web-apps/mattermost.nix
@@ -277,9 +277,7 @@ in
 
       # The systemd service will fail to execute the preStart hook
       # if the WorkingDirectory does not exist
-      systemd.tmpfiles.rules = [
-        ''d "${cfg.statePath}" -''
-      ];
+      systemd.tmpfiles.settings."10-mattermost".${cfg.statePath}.d = { };
 
       systemd.services.mattermost = {
         description = "Mattermost chat service";
diff --git a/nixos/modules/services/web-apps/moodle.nix b/nixos/modules/services/web-apps/moodle.nix
index ce6a80054725..496a0e32436f 100644
--- a/nixos/modules/services/web-apps/moodle.nix
+++ b/nixos/modules/services/web-apps/moodle.nix
@@ -255,9 +255,10 @@ in
       } ];
     };
 
-    systemd.tmpfiles.rules = [
-      "d '${stateDir}' 0750 ${user} ${group} - -"
-    ];
+    systemd.tmpfiles.settings."10-moodle".${stateDir}.d = {
+      inherit user group;
+      mode = "0750";
+    };
 
     systemd.services.moodle-init = {
       wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/web-apps/netbox.nix b/nixos/modules/services/web-apps/netbox.nix
index 88d40b3abc52..d034f3234a2b 100644
--- a/nixos/modules/services/web-apps/netbox.nix
+++ b/nixos/modules/services/web-apps/netbox.nix
@@ -75,13 +75,17 @@ in {
     package = lib.mkOption {
       type = lib.types.package;
       default =
-        if lib.versionAtLeast config.system.stateVersion "23.11"
+        if lib.versionAtLeast config.system.stateVersion "24.05"
+        then pkgs.netbox_3_7
+        else if lib.versionAtLeast config.system.stateVersion "23.11"
         then pkgs.netbox_3_6
         else if lib.versionAtLeast config.system.stateVersion "23.05"
         then pkgs.netbox_3_5
         else pkgs.netbox_3_3;
       defaultText = lib.literalExpression ''
-        if lib.versionAtLeast config.system.stateVersion "23.11"
+        if lib.versionAtLeast config.system.stateVersion "24.05"
+        then pkgs.netbox_3_7
+        else if lib.versionAtLeast config.system.stateVersion "23.11"
         then pkgs.netbox_3_6
         else if lib.versionAtLeast config.system.stateVersion "23.05"
         then pkgs.netbox_3_5
@@ -267,6 +271,7 @@ in {
     systemd.targets.netbox = {
       description = "Target for all NetBox services";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" "redis-netbox.service" ];
     };
 
@@ -305,12 +310,13 @@ in {
           ${pkg}/bin/netbox trace_paths --no-input
           ${pkg}/bin/netbox collectstatic --no-input
           ${pkg}/bin/netbox remove_stale_contenttypes --no-input
-          # TODO: remove the condition when we remove netbox_3_3
-          ${lib.optionalString
-            (lib.versionAtLeast cfg.package.version "3.5.0")
-            "${pkg}/bin/netbox reindex --lazy"}
+          ${pkg}/bin/netbox reindex --lazy
           ${pkg}/bin/netbox clearsessions
-          ${pkg}/bin/netbox clearcache
+          ${lib.optionalString
+            # The clearcache command was removed in 3.7.0:
+            # https://github.com/netbox-community/netbox/issues/14458
+            (lib.versionOlder cfg.package.version "3.7.0")
+            "${pkg}/bin/netbox clearcache"}
 
           echo "${cfg.package.version}" > "$versionFile"
         '';
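Review bot: `reindex --lazy` now runs unconditionally, but the package default in the first hunk of this file still falls back to `pkgs.netbox_3_3` for stateVersion below 23.05, and the removed TODO tied this guard to that package's existence; unless `netbox_3_3` is dropped from nixpkgs in the same change (not visible here), preStart will fail on such systems with an unknown management command. Keep the guard until then: `${lib.optionalString (lib.versionAtLeast cfg.package.version "3.5.0") "${pkg}/bin/netbox reindex --lazy"}`, ideally with a comment in the same shape as the new `clearcache` one, naming the version that introduced the command. The enclosing script continues outside the hunk.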
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 38c51251aac1..0b19265942c0 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -99,11 +99,101 @@ let
   mysqlLocal = cfg.database.createLocally && cfg.config.dbtype == "mysql";
   pgsqlLocal = cfg.database.createLocally && cfg.config.dbtype == "pgsql";
 
+  nextcloudGreaterOrEqualThan = versionAtLeast cfg.package.version;
+  nextcloudOlderThan = versionOlder cfg.package.version;
+
   # https://github.com/nextcloud/documentation/pull/11179
-  ocmProviderIsNotAStaticDirAnymore = versionAtLeast cfg.package.version "27.1.2"
-    || (versionOlder cfg.package.version "27.0.0"
-      && versionAtLeast cfg.package.version "26.0.8");
+  ocmProviderIsNotAStaticDirAnymore = nextcloudGreaterOrEqualThan "27.1.2"
+    || (nextcloudOlderThan "27.0.0" && nextcloudGreaterOrEqualThan "26.0.8");
+
+  overrideConfig = let
+    c = cfg.config;
+    requiresReadSecretFunction = c.dbpassFile != null || c.objectstore.s3.enable;
+    objectstoreConfig = let s3 = c.objectstore.s3; in optionalString s3.enable ''
+      'objectstore' => [
+        'class' => '\\OC\\Files\\ObjectStore\\S3',
+        'arguments' => [
+          'bucket' => '${s3.bucket}',
+          'autocreate' => ${boolToString s3.autocreate},
+          'key' => '${s3.key}',
+          'secret' => nix_read_secret('${s3.secretFile}'),
+          ${optionalString (s3.hostname != null) "'hostname' => '${s3.hostname}',"}
+          ${optionalString (s3.port != null) "'port' => ${toString s3.port},"}
+          'use_ssl' => ${boolToString s3.useSsl},
+          ${optionalString (s3.region != null) "'region' => '${s3.region}',"}
+          'use_path_style' => ${boolToString s3.usePathStyle},
+          ${optionalString (s3.sseCKeyFile != null) "'sse_c_key' => nix_read_secret('${s3.sseCKeyFile}'),"}
+        ],
+      ]
+    '';
+    showAppStoreSetting = cfg.appstoreEnable != null || cfg.extraApps != {};
+    renderedAppStoreSetting =
+      let
+        x = cfg.appstoreEnable;
+      in
+        if x == null then "false"
+        else boolToString x;
+    mkAppStoreConfig = name: { enabled, writable, ... }: optionalString enabled ''
+      [ 'path' => '${webroot}/${name}', 'url' => '/${name}', 'writable' => ${boolToString writable} ],
+    '';
+  in pkgs.writeText "nextcloud-config.php" ''
+    <?php
+    ${optionalString requiresReadSecretFunction ''
+      function nix_read_secret($file) {
+        if (!file_exists($file)) {
+          throw new \RuntimeException(sprintf(
+            "Cannot start Nextcloud, secret file %s set by NixOS doesn't seem to "
+            . "exist! Please make sure that the file exists and has appropriate "
+            . "permissions for user & group 'nextcloud'!",
+            $file
+          ));
+        }
+        return trim(file_get_contents($file));
+      }''}
+    function nix_decode_json_file($file, $error) {
+      if (!file_exists($file)) {
+        throw new \RuntimeException(sprintf($error, $file));
+      }
+      $decoded = json_decode(file_get_contents($file), true);
+
+      if (json_last_error() !== JSON_ERROR_NONE) {
+        throw new \RuntimeException(sprintf("Cannot decode %s, because: %s", $file, json_last_error_msg()));
+      }
 
+      return $decoded;
+    }
+    $CONFIG = [
+      'apps_paths' => [
+        ${concatStrings (mapAttrsToList mkAppStoreConfig appStores)}
+      ],
+      ${optionalString (showAppStoreSetting) "'appstoreenabled' => ${renderedAppStoreSetting},"}
+      ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
+      ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"}
+      ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"}
+      ${optionalString (c.dbuser != null) "'dbuser' => '${c.dbuser}',"}
+      ${optionalString (c.dbtableprefix != null) "'dbtableprefix' => '${toString c.dbtableprefix}',"}
+      ${optionalString (c.dbpassFile != null) ''
+          'dbpassword' => nix_read_secret(
+            "${c.dbpassFile}"
+          ),
+        ''
+      }
+      'dbtype' => '${c.dbtype}',
+      ${objectstoreConfig}
+    ];
+
+    $CONFIG = array_replace_recursive($CONFIG, nix_decode_json_file(
+      "${jsonFormat.generate "nextcloud-extraOptions.json" cfg.extraOptions}",
+      "impossible: this should never happen (decoding generated extraOptions file %s failed)"
+    ));
+
+    ${optionalString (cfg.secretFile != null) ''
+      $CONFIG = array_replace_recursive($CONFIG, nix_decode_json_file(
+        "${cfg.secretFile}",
+        "Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!"
+      ));
+    ''}
+  '';
 in {
 
   imports = [
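Review bot: `overrideConfig` is now a module-scope `pkgs.writeText` derivation, so its rendered PHP lands in the world-readable Nix store; the code is careful to embed only secret file paths (`nix_read_secret('${s3.secretFile}')`, `cfg.secretFile`) and never values, but nothing says so at the definition, and the next maintainer adding a field could interpolate a secret directly. Add above `overrideConfig = let` the comment `# Rendered into the Nix store (world-readable): only reference secret *paths* here; values are read at runtime by nix_read_secret.` The `requiresReadSecretFunction` guard means `nix_read_secret` is undefined when neither dbpassFile nor S3 is set, which is fine today but is worth a one-line comment too.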
@@ -787,107 +877,23 @@ in {
         timerConfig.Unit = "nextcloud-cron.service";
       };
 
-      systemd.tmpfiles.rules = ["d ${cfg.home} 0750 nextcloud nextcloud"];
+      systemd.tmpfiles.rules = map (dir: "d ${dir} 0750 nextcloud nextcloud - -") [
+        "${cfg.home}"
+        "${datadir}/config"
+        "${datadir}/data"
+        "${cfg.home}/store-apps"
+      ] ++ [
+        "L+ ${datadir}/config/override.config.php - - - - ${overrideConfig}"
+      ];
 
       systemd.services = {
         # When upgrading the Nextcloud package, Nextcloud can report errors such as
         # "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly"
         # Restarting phpfpm on Nextcloud package update fixes these issues (but this is a workaround).
-        phpfpm-nextcloud.restartTriggers = [ webroot ];
+        phpfpm-nextcloud.restartTriggers = [ webroot overrideConfig ];
 
         nextcloud-setup = let
           c = cfg.config;
-          requiresReadSecretFunction = c.dbpassFile != null || c.objectstore.s3.enable;
-          objectstoreConfig = let s3 = c.objectstore.s3; in optionalString s3.enable ''
-            'objectstore' => [
-              'class' => '\\OC\\Files\\ObjectStore\\S3',
-              'arguments' => [
-                'bucket' => '${s3.bucket}',
-                'autocreate' => ${boolToString s3.autocreate},
-                'key' => '${s3.key}',
-                'secret' => nix_read_secret('${s3.secretFile}'),
-                ${optionalString (s3.hostname != null) "'hostname' => '${s3.hostname}',"}
-                ${optionalString (s3.port != null) "'port' => ${toString s3.port},"}
-                'use_ssl' => ${boolToString s3.useSsl},
-                ${optionalString (s3.region != null) "'region' => '${s3.region}',"}
-                'use_path_style' => ${boolToString s3.usePathStyle},
-                ${optionalString (s3.sseCKeyFile != null) "'sse_c_key' => nix_read_secret('${s3.sseCKeyFile}'),"}
-              ],
-            ]
-          '';
-
-          showAppStoreSetting = cfg.appstoreEnable != null || cfg.extraApps != {};
-          renderedAppStoreSetting =
-            let
-              x = cfg.appstoreEnable;
-            in
-              if x == null then "false"
-              else boolToString x;
-
-          nextcloudGreaterOrEqualThan = req: versionAtLeast cfg.package.version req;
-
-          mkAppStoreConfig = name: { enabled, writable, ... }: optionalString enabled ''
-            [ 'path' => '${webroot}/${name}', 'url' => '/${name}', 'writable' => ${boolToString writable} ],
-          '';
-
-          overrideConfig = pkgs.writeText "nextcloud-config.php" ''
-            <?php
-            ${optionalString requiresReadSecretFunction ''
-              function nix_read_secret($file) {
-                if (!file_exists($file)) {
-                  throw new \RuntimeException(sprintf(
-                    "Cannot start Nextcloud, secret file %s set by NixOS doesn't seem to "
-                    . "exist! Please make sure that the file exists and has appropriate "
-                    . "permissions for user & group 'nextcloud'!",
-                    $file
-                  ));
-                }
-                return trim(file_get_contents($file));
-              }''}
-            function nix_decode_json_file($file, $error) {
-              if (!file_exists($file)) {
-                throw new \RuntimeException(sprintf($error, $file));
-              }
-              $decoded = json_decode(file_get_contents($file), true);
-
-              if (json_last_error() !== JSON_ERROR_NONE) {
-                throw new \RuntimeException(sprintf("Cannot decode %s, because: %s", $file, json_last_error_msg()));
-              }
-
-              return $decoded;
-            }
-            $CONFIG = [
-              'apps_paths' => [
-                ${concatStrings (mapAttrsToList mkAppStoreConfig appStores)}
-              ],
-              ${optionalString (showAppStoreSetting) "'appstoreenabled' => ${renderedAppStoreSetting},"}
-              ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
-              ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"}
-              ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"}
-              ${optionalString (c.dbuser != null) "'dbuser' => '${c.dbuser}',"}
-              ${optionalString (c.dbtableprefix != null) "'dbtableprefix' => '${toString c.dbtableprefix}',"}
-              ${optionalString (c.dbpassFile != null) ''
-                  'dbpassword' => nix_read_secret(
-                    "${c.dbpassFile}"
-                  ),
-                ''
-              }
-              'dbtype' => '${c.dbtype}',
-              ${objectstoreConfig}
-            ];
-
-            $CONFIG = array_replace_recursive($CONFIG, nix_decode_json_file(
-              "${jsonFormat.generate "nextcloud-extraOptions.json" cfg.extraOptions}",
-              "impossible: this should never happen (decoding generated extraOptions file %s failed)"
-            ));
-
-            ${optionalString (cfg.secretFile != null) ''
-              $CONFIG = array_replace_recursive($CONFIG, nix_decode_json_file(
-                "${cfg.secretFile}",
-                "Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!"
-              ));
-            ''}
-          '';
           occInstallCmd = let
             mkExport = { arg, value }: "export ${arg}=${value}";
             dbpass = {
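Review bot: The new tmpfiles `d` lines replace the directory loop removed from the setup script further down in this file (the `@@ -959,18 +966,6 @@` hunk) but drop its `chgrp -R nextcloud` fallback: a tmpfiles `d` entry adjusts owner, group and mode of the listed directory only, so an existing `${datadir}/data` tree whose contents carry the wrong group is no longer repaired on upgrade. If that repair mattered for existing installs, keep the one-time fix in the setup script rather than relying on tmpfiles. The mode also tightens from `install -d`'s default 0755 to 0750 for `config`, `data` and `store-apps`, which looks intentional but deserves a comment such as `# 0750: config/ holds config.php and override.config.php, which contain credentials`. The `nextcloud-setup` definition continues outside the hunk.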
@@ -932,6 +938,7 @@ in {
           after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
           requires = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
           path = [ occ ];
+          restartTriggers = [ overrideConfig ];
           script = ''
             ${optionalString (c.dbpassFile != null) ''
               if [ ! -r "${c.dbpassFile}" ]; then
@@ -959,18 +966,6 @@ in {
               fi
             '') [ "nix-apps" "apps" ]}
 
-            # create nextcloud directories.
-            # if the directories exist already with wrong permissions, we fix that
-            for dir in ${datadir}/config ${datadir}/data ${cfg.home}/store-apps; do
-              if [ ! -e $dir ]; then
-                install -o nextcloud -g nextcloud -d $dir
-              elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
-                chgrp -R nextcloud $dir
-              fi
-            done
-
-            ln -sf ${overrideConfig} ${datadir}/config/override.config.php
-
             # Do not install if already installed
             if [[ ! -e ${datadir}/config/config.php ]]; then
               ${occInstallCmd}
diff --git a/nixos/modules/services/web-apps/nifi.nix b/nixos/modules/services/web-apps/nifi.nix
index 5ce561077836..c0fc443f0df7 100644
--- a/nixos/modules/services/web-apps/nifi.nix
+++ b/nixos/modules/services/web-apps/nifi.nix
@@ -163,10 +163,15 @@ in {
       Please do not disable HTTPS mode in production. In this mode, access to the nifi is opened without authentication.
     '';
 
-    systemd.tmpfiles.rules = [
-      "d '/var/lib/nifi/conf' 0750 ${cfg.user} ${cfg.group}"
-      "L+ '/var/lib/nifi/lib' - - - - ${cfg.package}/lib"
-    ];
+    systemd.tmpfiles.settings."10-nifi" = {
+      "/var/lib/nifi/conf".d = {
+        inherit (cfg) user group;
+        mode = "0750";
+      };
+      "/var/lib/nifi/lib"."L+" = {
+        argument = "${cfg.package}/lib";
+      };
+    };
 
 
     systemd.services.nifi = {
diff --git a/nixos/modules/services/web-apps/openvscode-server.nix b/nixos/modules/services/web-apps/openvscode-server.nix
index 76a19dccae16..81b9d1f3b4c8 100644
--- a/nixos/modules/services/web-apps/openvscode-server.nix
+++ b/nixos/modules/services/web-apps/openvscode-server.nix
@@ -159,6 +159,7 @@ in
     systemd.services.openvscode-server = {
       description = "OpenVSCode server";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       path = cfg.extraPackages;
       environment = cfg.extraEnvironment;
diff --git a/nixos/modules/services/web-apps/peering-manager.nix b/nixos/modules/services/web-apps/peering-manager.nix
index d6f6077268d4..0382ce717473 100644
--- a/nixos/modules/services/web-apps/peering-manager.nix
+++ b/nixos/modules/services/web-apps/peering-manager.nix
@@ -196,6 +196,7 @@ in {
     systemd.targets.peering-manager = {
       description = "Target for all Peering Manager services";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" "redis-peering-manager.service" ];
     };
 
diff --git a/nixos/modules/services/web-apps/suwayomi-server.md b/nixos/modules/services/web-apps/suwayomi-server.md
new file mode 100644
index 000000000000..ff1e06c8a53a
--- /dev/null
+++ b/nixos/modules/services/web-apps/suwayomi-server.md
@@ -0,0 +1,108 @@
+# Suwayomi-Server {#module-services-suwayomi-server}
+
+A free and open source manga reader server that runs extensions built for Tachiyomi.
+
+## Basic usage {#module-services-suwayomi-server-basic-usage}
+
+By default, the module will execute Suwayomi-Server backend and web UI:
+
+```nix
+{ ... }:
+
+{
+  services.suwayomi-server = {
+    enable = true;
+  };
+}
+```
+
+It runs in the systemd service named `suwayomi-server` in the data directory `/var/lib/suwayomi-server`.
+
+You can change the default parameters with some other parameters:
+```nix
+{ ... }:
+
+{
+  services.suwayomi-server = {
+    enable = true;
+
+    dataDir = "/var/lib/suwayomi"; # Default is "/var/lib/suwayomi-server"
+    openFirewall = true;
+
+    settings = {
+      server.port = 4567;
+    };
+  };
+}
+```
+
+If you want to create a desktop icon, you can activate the system tray option:
+
+```nix
+{ ... }:
+
+{
+  services.suwayomi-server = {
+    enable = true;
+
+    dataDir = "/var/lib/suwayomi"; # Default is "/var/lib/suwayomi-server"
+    openFirewall = true;
+
+    settings = {
+      server.port = 4567;
+      server.enableSystemTray = true;
+    };
+  };
+}
+```
+
+## Basic authentication {#module-services-suwayomi-server-basic-auth}
+
+You can configure a basic authentication to the web interface with:
+
+```nix
+{ ... }:
+
+{
+  services.suwayomi-server = {
+    enable = true;
+
+    openFirewall = true;
+
+    settings = {
+      server.port = 4567;
+      server = {
+        basicAuthEnabled = true;
+        basicAuthUsername = "username";
+
+        # NOTE: this is not a real upstream option
+        basicAuthPasswordFile = ./path/to/the/password/file;
+      };
+    };
+  };
+}
+```
+
+## Extra configuration {#module-services-suwayomi-server-extra-config}
+
+Not all the configuration options are available directly in this module, but you can add the other options of suwayomi-server with:
+
+```nix
+{ ... }:
+
+{
+  services.suwayomi-server = {
+    enable = true;
+
+    openFirewall = true;
+
+    settings = {
+      server = {
+        port = 4567;
+        autoDownloadNewChapters = false;
+        maxSourcesInParallel" = 6;
+      };
+    };
+  };
+}
+```
diff --git a/nixos/modules/services/web-apps/suwayomi-server.nix b/nixos/modules/services/web-apps/suwayomi-server.nix
new file mode 100644
index 000000000000..c4c1540edbee
--- /dev/null
+++ b/nixos/modules/services/web-apps/suwayomi-server.nix
@@ -0,0 +1,260 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.suwayomi-server;
+  inherit (lib) mkOption mdDoc mkEnableOption mkIf types;
+in
+{
+  options = {
+    services.suwayomi-server = {
+      enable = mkEnableOption (mdDoc "Suwayomi, a free and open source manga reader server that runs extensions built for Tachiyomi.");
+
+      package = lib.mkPackageOptionMD pkgs "suwayomi-server" { };
+
+      dataDir = mkOption {
+        type = types.path;
+        default = "/var/lib/suwayomi-server";
+        example = "/var/data/mangas";
+        description = mdDoc ''
+          The path to the data directory in which Suwayomi-Server will download scans.
+        '';
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "suwayomi";
+        example = "root";
+        description = mdDoc ''
+          User account under which Suwayomi-Server runs.
+        '';
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "suwayomi";
+        example = "medias";
+        description = mdDoc ''
+          Group under which Suwayomi-Server runs.
+        '';
+      };
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = mdDoc ''
+          Whether to open the firewall for the port in {option}`services.suwayomi-server.settings.server.port`.
+        '';
+      };
+
+      settings = mkOption {
+        type = types.submodule {
+          freeformType =
+            let
+              recursiveAttrsType = with types; attrsOf (nullOr (oneOf [
+                str
+                path
+                int
+                float
+                bool
+                (listOf str)
+                (recursiveAttrsType // { description = "instances of this type recursively"; })
+              ]));
+            in
+            recursiveAttrsType;
+          options = {
+            server = {
+              ip = mkOption {
+                type = types.str;
+                default = "0.0.0.0";
+                example = "127.0.0.1";
+                description = mdDoc ''
+                  The ip that Suwayomi will bind to.
+                '';
+              };
+
+              port = mkOption {
+                type = types.port;
+                default = 8080;
+                example = 4567;
+                description = mdDoc ''
+                  The port that Suwayomi will listen to.
+                '';
+              };
+
+              basicAuthEnabled = mkEnableOption (mdDoc ''
+                Add basic access authentication to Suwayomi-Server.
+                Enabling this option is useful when hosting on a public network/the Internet
+              '');
+
+              basicAuthUsername = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = mdDoc ''
+                  The username value that you have to provide when authenticating.
+                '';
+              };
+
+              # NOTE: this is not a real upstream option
+              basicAuthPasswordFile = mkOption {
+                type = types.nullOr types.path;
+                default = null;
+                example = "/var/secrets/suwayomi-server-password";
+                description = mdDoc ''
+                  The password file containing the value that you have to provide when authenticating.
+                '';
+              };
+
+              downloadAsCbz = mkOption {
+                type = types.bool;
+                default = false;
+                description = mdDoc ''
+                  Download chapters as `.cbz` files.
+                '';
+              };
+
+              localSourcePath = mkOption {
+                type = types.path;
+                default = cfg.dataDir;
+                defaultText = lib.literalExpression "suwayomi-server.dataDir";
+                example = "/var/data/local_mangas";
+                description = mdDoc ''
+                  Path to the local source folder.
+                '';
+              };
+
+              systemTrayEnabled = mkOption {
+                type = types.bool;
+                default = false;
+                description = mdDoc ''
+                  Whether to enable a system tray icon, if possible.
+                '';
+              };
+            };
+          };
+        };
+        description = mdDoc ''
+          Configuration to write to {file}`server.conf`.
+          See <https://github.com/Suwayomi/Suwayomi-Server/wiki/Configuring-Suwayomi-Server> for more information.
+        '';
+        default = { };
+        example = {
+          server.socksProxyEnabled = true;
+          server.socksProxyHost = "yourproxyhost.com";
+          server.socksProxyPort = "8080";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    assertions = [{
+      assertion = with cfg.settings.server; basicAuthEnabled -> (basicAuthUsername != null && basicAuthPasswordFile != null);
+      message = ''
+        [suwayomi-server]: the username and the password file cannot be null when the basic auth is enabled
+      '';
+    }];
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.server.port ];
+
+    users.groups = mkIf (cfg.group == "suwayomi") {
+      suwayomi = { };
+    };
+
+    users.users = mkIf (cfg.user == "suwayomi") {
+      suwayomi = {
+        group = cfg.group;
+        # Need to set the user home because the package writes to ~/.local/Tachidesk
+        home = cfg.dataDir;
+        description = "Suwayomi Daemon user";
+        isSystemUser = true;
+      };
+    };
+
+    systemd.tmpfiles.settings."10-suwayomi-server" = {
+      "${cfg.dataDir}/.local/share/Tachidesk".d = {
+        mode = "0700";
+        inherit (cfg) user group;
+      };
+    };
+
+    systemd.services.suwayomi-server =
+      let
+        flattenConfig = prefix: config:
+          lib.foldl'
+            lib.mergeAttrs
+            { }
+            (lib.attrValues
+              (lib.mapAttrs
+                (k: v:
+                  if !(lib.isAttrs v)
+                  then { "${prefix}${k}" = v; }
+                  else flattenConfig "${prefix}${k}." v
+                )
+                config
+              )
+            );
+
+        #  HOCON is a JSON superset that suwayomi-server use for configuration
+        toHOCON = attr:
+          let
+            attrType = builtins.typeOf attr;
+          in
+          if builtins.elem attrType [ "string" "path" "int" "float" ]
+          then ''"${toString attr}"''
+          else if attrType == "bool"
+          then lib.boolToString attr
+          else if attrType == "list"
+          then "[\n${lib.concatMapStringsSep ",\n" toHOCON attr}\n]"
+          else # attrs, lambda, null
+            throw ''
+              [suwayomi-server]: invalid config value type '${attrType}'.
+            '';
+
+        configFile = pkgs.writeText "server.conf" (lib.pipe cfg.settings [
+          (settings: lib.recursiveUpdate settings {
+            server.basicAuthPasswordFile = null;
+            server.basicAuthPassword =
+              if settings.server.basicAuthEnabled
+              then "$TACHIDESK_SERVER_BASIC_AUTH_PASSWORD"
+              else null;
+          })
+          (flattenConfig "")
+          (lib.filterAttrs (_: x: x != null))
+          (lib.mapAttrsToList (name: value: ''${name} = ${toHOCON value}''))
+          lib.concatLines
+        ]);
+
+      in
+      {
+        description = "A free and open source manga reader server that runs extensions built for Tachiyomi.";
+
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "network-online.target" ];
+        after = [ "network-online.target" ];
+
+        script = ''
+          ${lib.optionalString cfg.settings.server.basicAuthEnabled ''
+            export TACHIDESK_SERVER_BASIC_AUTH_PASSWORD="$(<${cfg.settings.server.basicAuthPasswordFile})"
+          ''}
+          ${lib.getExe pkgs.envsubst} -i ${configFile} -o ${cfg.dataDir}/.local/share/Tachidesk/server.conf
+          ${lib.getExe cfg.package} -Dsuwayomi.tachidesk.config.server.rootDir=${cfg.dataDir}
+        '';
+
+        serviceConfig = {
+          User = cfg.user;
+          Group = cfg.group;
+
+          Type = "simple";
+          Restart = "on-failure";
+
+          StateDirectory = mkIf (cfg.dataDir == "/var/lib/suwayomi-server") "suwayomi-server";
+        };
+      };
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ ratcornu ];
+    doc = ./suwayomi-server.md;
+  };
+}
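Review bot: The service reads `basicAuthPasswordFile` directly in `script` as `cfg.user`, so the secret file has to be readable by that user, which the option description does not say and which is inconsistent with the ttyd hunk in this same change moving to `LoadCredential`; do the same here with `LoadCredential = lib.optional (cfg.settings.server.basicAuthPasswordFile != null) "basic-auth-password:${cfg.settings.server.basicAuthPasswordFile}";` in `serviceConfig` and `export TACHIDESK_SERVER_BASIC_AUTH_PASSWORD="$(<"$CREDENTIALS_DIRECTORY/basic-auth-password")"` in the script. As far as I can tell envsubst expands every `$NAME`-shaped token in the template, not only the password placeholder, so a user-supplied setting containing a literal `$` would be rewritten; a comment on `configFile` should state that limitation. The rendered `server.conf` under `${cfg.dataDir}/.local/share/Tachidesk` holds the password in clear text, mitigated by the `0700` tmpfiles mode but worth noting next to that rule. In the accompanying `suwayomi-server.md` the extra-configuration example has a stray quote in `maxSourcesInParallel" = 6;`.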
diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix
index 002d6683b2ed..2f7306309d69 100644
--- a/nixos/modules/services/web-apps/wordpress.nix
+++ b/nixos/modules/services/web-apps/wordpress.nix
@@ -174,22 +174,22 @@ let
             List of path(s) to respective language(s) which are copied from the 'languages' directory.
           '';
           example = literalExpression ''
-            [(
+            [
               # Let's package the German language.
               # For other languages try to replace language and country code in the download URL with your desired one.
               # Reference https://translate.wordpress.org for available translations and
               # codes.
-              language-de = pkgs.stdenv.mkDerivation {
+              (pkgs.stdenv.mkDerivation {
                 name = "language-de";
                 src = pkgs.fetchurl {
                   url = "https://de.wordpress.org/wordpress-''${pkgs.wordpress.version}-de_DE.tar.gz";
                   # Name is required to invalidate the hash when wordpress is updated
-                  name = "wordpress-''${pkgs.wordpress.version}-language-de"
+                  name = "wordpress-''${pkgs.wordpress.version}-language-de";
                   sha256 = "sha256-dlas0rXTSV4JAl8f/UyMbig57yURRYRhTMtJwF9g8h0=";
                 };
                 installPhase = "mkdir -p $out; cp -r ./wp-content/languages/* $out/";
-              };
-            )];
+              })
+            ];
           '';
         };
 
diff --git a/nixos/modules/services/web-apps/writefreely.nix b/nixos/modules/services/web-apps/writefreely.nix
index f92afa9276e3..2e9a34897909 100644
--- a/nixos/modules/services/web-apps/writefreely.nix
+++ b/nixos/modules/services/web-apps/writefreely.nix
@@ -334,8 +334,10 @@ in {
         optionalAttrs (cfg.group == "writefreely") { writefreely = { }; };
     };
 
-    systemd.tmpfiles.rules =
-      [ "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" ];
+    systemd.tmpfiles.settings."10-writefreely".${cfg.stateDir}.d = {
+      inherit (cfg) user group;
+      mode = "0750";
+    };
 
     systemd.services.writefreely = {
       after = [ "network.target" ]
diff --git a/nixos/modules/services/web-servers/agate.nix b/nixos/modules/services/web-servers/agate.nix
index dce425035ff7..e03174c87945 100644
--- a/nixos/modules/services/web-servers/agate.nix
+++ b/nixos/modules/services/web-servers/agate.nix
@@ -71,6 +71,7 @@ in
     systemd.services.agate = {
       description = "Agate";
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = [ "network.target" "network-online.target" ];
 
       script =
diff --git a/nixos/modules/services/web-servers/mighttpd2.nix b/nixos/modules/services/web-servers/mighttpd2.nix
index bdd6d8b62aa3..bb75dc4f2ff4 100644
--- a/nixos/modules/services/web-servers/mighttpd2.nix
+++ b/nixos/modules/services/web-servers/mighttpd2.nix
@@ -101,6 +101,7 @@ in {
       ];
     systemd.services.mighttpd2 = {
       description = "Mighttpd2 web server";
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
diff --git a/nixos/modules/services/web-servers/minio.nix b/nixos/modules/services/web-servers/minio.nix
index 6431db250476..be6946657e23 100644
--- a/nixos/modules/services/web-servers/minio.nix
+++ b/nixos/modules/services/web-servers/minio.nix
@@ -98,6 +98,7 @@ in
 
       services.minio = {
         description = "Minio Object Storage";
+        wants = [ "network-online.target" ];
         after = [ "network-online.target" ];
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
diff --git a/nixos/modules/services/web-servers/traefik.nix b/nixos/modules/services/web-servers/traefik.nix
index cc2c680b3342..fc9eb504ebf8 100644
--- a/nixos/modules/services/web-servers/traefik.nix
+++ b/nixos/modules/services/web-servers/traefik.nix
@@ -144,6 +144,7 @@ in {
 
     systemd.services.traefik = {
       description = "Traefik web server";
+      wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       startLimitIntervalSec = 86400;
diff --git a/nixos/modules/services/web-servers/ttyd.nix b/nixos/modules/services/web-servers/ttyd.nix
index 3b1d87ccb483..e545869ca432 100644
--- a/nixos/modules/services/web-servers/ttyd.nix
+++ b/nixos/modules/services/web-servers/ttyd.nix
@@ -180,10 +180,11 @@ in
         # Runs login which needs to be run as root
         # login: Cannot possibly work without effective root
         User = "root";
+        LoadCredential = lib.optionalString (cfg.passwordFile != null) "TTYD_PASSWORD_FILE:${cfg.passwordFile}";
       };
 
       script = if cfg.passwordFile != null then ''
-        PASSWORD=$(cat ${escapeShellArg cfg.passwordFile})
+        PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/TTYD_PASSWORD_FILE")
         ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \
           --credential ${escapeShellArg cfg.username}:"$PASSWORD" \
           ${pkgs.shadow}/bin/login
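Review bot: The credential is now read through LoadCredential, but on the `--credential` line it is still expanded into ttyd's argument vector, where it is visible to every local user through the process list, so the commit moves the file read without removing the exposure. If ttyd offers a file- or environment-based way to supply the credential it should be preferred; otherwise record the limitation next to the option, e.g. `# NOTE: the password is passed on the ttyd command line and is visible to local users`. A smaller point: with `cfg.passwordFile == null` the attribute becomes `LoadCredential = ""` instead of being omitted; `LoadCredential = lib.mkIf (cfg.passwordFile != null) "TTYD_PASSWORD_FILE:${cfg.passwordFile}";` keeps the unit clean. The `script` block continues past the hunk.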
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index 4a8f2f61caaf..36f25d5547ca 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -804,14 +804,14 @@ in
       ];
 
     system.checks = singleton (pkgs.runCommand "xkb-validated" {
-      inherit (cfg.xkb) model layout variant options;
+      inherit (cfg.xkb) dir model layout variant options;
       nativeBuildInputs = with pkgs.buildPackages; [ xkbvalidate ];
       preferLocalBuild = true;
     } ''
       ${optionalString (config.environment.sessionVariables ? XKB_CONFIG_ROOT)
         "export XKB_CONFIG_ROOT=${config.environment.sessionVariables.XKB_CONFIG_ROOT}"
       }
-      xkbvalidate "$model" "$layout" "$variant" "$options"
+      XKB_CONFIG_ROOT="$dir" xkbvalidate "$model" "$layout" "$variant" "$options"
       touch "$out"
     '');
 
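Review bot: The `export XKB_CONFIG_ROOT=...` emitted from `environment.sessionVariables` a few lines above is now dead, because the new `XKB_CONFIG_ROOT="$dir"` prefix overrides it for the only command in this builder that reads it. Either drop the optionalString block or drop the prefix; as written the check validates against `cfg.xkb.dir` while a session could be configured with the other value, and nothing says which is authoritative. A one-line comment stating that `cfg.xkb.dir` wins would help the next reader if both are intentionally kept.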
diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl
index e2f66a287bc4..ba45231465fb 100755
--- a/nixos/modules/system/activation/switch-to-configuration.pl
+++ b/nixos/modules/system/activation/switch-to-configuration.pl
@@ -889,9 +889,15 @@ while (my $f = <$list_active_users>) {
 
 close($list_active_users) || die("Unable to close the file handle to loginctl");
 
-# Set the new tmpfiles
-print STDERR "setting up tmpfiles\n";
-system("$new_systemd/bin/systemd-tmpfiles", "--create", "--remove", "--exclude-prefix=/dev") == 0 or $res = 3;
+# Restart sysinit-reactivation.target.
+# This target only exists to restart services ordered before sysinit.target. We
+# cannot use X-StopOnReconfiguration to restart sysinit.target because then ALL
+# services of the system would be restarted since all normal services have a
+# default dependency on sysinit.target. sysinit-reactivation.target ensures
+# that services ordered BEFORE sysinit.target get re-started in the correct
+# order. Ordering between these services is respected.
+print STDERR "restarting sysinit-reactivation.target\n";
+system("$new_systemd/bin/systemctl", "restart", "sysinit-reactivation.target") == 0 or $res = 4;
 
 # Before reloading we need to ensure that the units are still active. They may have been
 # deactivated because one of their requirements got stopped. If they are inactive
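Review bot: The new failure branch sets `$res = 4` but nothing in the hunk says what exit status 4 means to callers; the tmpfiles call it replaces used 3, so if the script documents its exit statuses elsewhere that list needs the new value, and a comment such as `# 4: restarting sysinit-reactivation.target failed` next to the assignment would make the branch self-describing. A failed `systemctl restart` of a target also does not name the required unit that failed; printing `systemctl list-units --failed` output to STDERR on that branch would make the state recoverable from the log. The surrounding script continues outside the hunk.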
diff --git a/nixos/modules/system/boot/clevis.md b/nixos/modules/system/boot/clevis.md
index 91eb728a919e..dcbf55de60a8 100644
--- a/nixos/modules/system/boot/clevis.md
+++ b/nixos/modules/system/boot/clevis.md
@@ -14,20 +14,20 @@ JWE files have to be created through the clevis command line. 3 types of policie
 
 Secrets are pinned against the presence of a TPM2 device, for example:
 ```
-echo hi | clevis encrypt tpm2 '{}' > hi.jwe
+echo -n hi | clevis encrypt tpm2 '{}' > hi.jwe
 ```
 2) Tang policies
 
 Secrets are pinned against the presence of a Tang server, for example:
 ```
-echo hi | clevis encrypt tang '{"url": "http://tang.local"}' > hi.jwe
+echo -n hi | clevis encrypt tang '{"url": "http://tang.local"}' > hi.jwe
 ```
 
 3) Shamir Secret Sharing
 
 Using Shamir's Secret Sharing ([sss](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing)), secrets are pinned using a combination of the two preceding policies. For example:
 ```
-echo hi | clevis encrypt sss \
+echo -n hi | clevis encrypt sss \
 '{"t": 2, "pins": {"tpm2": {"pcr_ids": "0"}, "tang": {"url": "http://tang.local"}}}' \
 > hi.jwe
 ```
diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl
index d1e7a0cb8178..6f0f62546a01 100644
--- a/nixos/modules/system/boot/loader/grub/install-grub.pl
+++ b/nixos/modules/system/boot/loader/grub/install-grub.pl
@@ -136,7 +136,6 @@ sub GetFs {
         chomp $fs;
         my @fields = split / /, $fs;
         my $mountPoint = $fields[4];
-        next unless -d $mountPoint;
         my @mountOptions = split /,/, $fields[5];
 
         # Skip the optional fields.
@@ -155,6 +154,11 @@ sub GetFs {
 
         # Is it better than our current match?
         if (length($mountPoint) > length($bestFs->mount)) {
+
+            # -d performs a stat, which can hang forever on network file systems,
+            # so we only make this call last, when it's likely that this is the mount point we need.
+            next unless -d $mountPoint;
+
             $bestFs = Fs->new(device => $device, type => $fsType, mount => $mountPoint);
         }
     }
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
index 6cd46f30373b..055afe95df60 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@@ -15,6 +15,19 @@ import json
 from typing import NamedTuple, Dict, List
 from dataclasses import dataclass
 
+# These values will be replaced with actual values during the package build
+EFI_SYS_MOUNT_POINT = "@efiSysMountPoint@"
+TIMEOUT = "@timeout@"
+EDITOR = bool("@editor@")
+CONSOLE_MODE = "@consoleMode@"
+BOOTSPEC_TOOLS = "@bootspecTools@"
+DISTRO_NAME = "@distroName@"
+NIX = "@nix@"
+SYSTEMD = "@systemd@"
+CONFIGURATION_LIMIT = int("@configurationLimit@")
+CAN_TOUCH_EFI_VARIABLES = "@canTouchEfiVariables@"
+GRACEFUL = "@graceful@"
+COPY_EXTRA_FILES = "@copyExtraFiles@"
 
 @dataclass
 class BootSpec:
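Review bot: `EDITOR = bool("@editor@")` is True for any non-empty substituted value, including a false-ish literal, so the `if not EDITOR:` branch in write_loader_conf (a later hunk) can never write `editor 0` and the boot-menu editor stays enabled regardless of the option. The old code spliced the value in as a Python expression (`if not @editor@:`), so the constant should compare against the literal the Nix side actually substitutes, e.g. `EDITOR = "@editor@" == "True"` — confirm the exact string in systemd-boot.nix. Since the editor allows kernel parameters to be changed at the console, this regression is security-relevant and deserves a test that the rendered loader.conf contains `editor 0` when the option is disabled.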
@@ -29,7 +42,6 @@ class BootSpec:
     initrdSecrets: str | None = None
 
 
-
 libc = ctypes.CDLL("libc.so.6")
 
 class SystemIdentifier(NamedTuple):
@@ -75,16 +87,16 @@ def generation_conf_filename(profile: str | None, generation: int, specialisatio
 
 
 def write_loader_conf(profile: str | None, generation: int, specialisation: str | None) -> None:
-    with open("@efiSysMountPoint@/loader/loader.conf.tmp", 'w') as f:
-        if "@timeout@" != "":
-            f.write("timeout @timeout@\n")
+    with open(f"{EFI_SYS_MOUNT_POINT}/loader/loader.conf.tmp", 'w') as f:
+        if TIMEOUT != "":
+            f.write(f"timeout {TIMEOUT}\n")
         f.write("default %s\n" % generation_conf_filename(profile, generation, specialisation))
-        if not @editor@:
+        if not EDITOR:
             f.write("editor 0\n")
-        f.write("console-mode @consoleMode@\n")
+        f.write(f"console-mode {CONSOLE_MODE}\n")
         f.flush()
         os.fsync(f.fileno())
-    os.rename("@efiSysMountPoint@/loader/loader.conf.tmp", "@efiSysMountPoint@/loader/loader.conf")
+    os.rename(f"{EFI_SYS_MOUNT_POINT}/loader/loader.conf.tmp", f"{EFI_SYS_MOUNT_POINT}/loader/loader.conf")
 
 
 def get_bootspec(profile: str | None, generation: int) -> BootSpec:
@@ -95,7 +107,7 @@ def get_bootspec(profile: str | None, generation: int) -> BootSpec:
         bootspec_json = json.load(boot_json_f)
     else:
         boot_json_str = subprocess.check_output([
-        "@bootspecTools@/bin/synthesize",
+        f"{BOOTSPEC_TOOLS}/bin/synthesize",
         "--version",
         "1",
         system_directory,
@@ -116,7 +128,7 @@ def copy_from_file(file: str, dry_run: bool = False) -> str:
     store_dir = os.path.basename(os.path.dirname(store_file_path))
     efi_file_path = "/efi/nixos/%s-%s.efi" % (store_dir, suffix)
     if not dry_run:
-        copy_if_not_exists(store_file_path, "@efiSysMountPoint@%s" % (efi_file_path))
+        copy_if_not_exists(store_file_path, f"{EFI_SYS_MOUNT_POINT}%s" % (efi_file_path))
     return efi_file_path
 
 def write_entry(profile: str | None, generation: int, specialisation: str | None,
@@ -126,13 +138,14 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None
     kernel = copy_from_file(bootspec.kernel)
     initrd = copy_from_file(bootspec.initrd)
 
-    title = "@distroName@{profile}{specialisation}".format(
+    title = "{name}{profile}{specialisation}".format(
+        name=DISTRO_NAME,
         profile=" [" + profile + "]" if profile else "",
         specialisation=" (%s)" % specialisation if specialisation else "")
 
     try:
         if bootspec.initrdSecrets is not None:
-            subprocess.check_call([bootspec.initrdSecrets, "@efiSysMountPoint@%s" % (initrd)])
+            subprocess.check_call([bootspec.initrdSecrets, f"{EFI_SYS_MOUNT_POINT}%s" % (initrd)])
     except subprocess.CalledProcessError:
         if current:
             print("failed to create initrd secrets!", file=sys.stderr)
@@ -142,7 +155,7 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None
                   f'for "{title} - Configuration {generation}", an older generation', file=sys.stderr)
             print("note: this is normal after having removed "
                   "or renamed a file in `boot.initrd.secrets`", file=sys.stderr)
-    entry_file = "@efiSysMountPoint@/loader/entries/%s" % (
+    entry_file = f"{EFI_SYS_MOUNT_POINT}/loader/entries/%s" % (
         generation_conf_filename(profile, generation, specialisation))
     tmp_path = "%s.tmp" % (entry_file)
     kernel_params = "init=%s " % bootspec.init
@@ -167,7 +180,7 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None
 
 def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
     gen_list = subprocess.check_output([
-        "@nix@/bin/nix-env",
+        f"{NIX}/bin/nix-env",
         "--list-generations",
         "-p",
         "/nix/var/nix/profiles/%s" % ("system-profiles/" + profile if profile else "system"),
@@ -176,7 +189,7 @@ def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
     gen_lines = gen_list.split('\n')
     gen_lines.pop()
 
-    configurationLimit = @configurationLimit@
+    configurationLimit = CONFIGURATION_LIMIT
     configurations = [
         SystemIdentifier(
             profile=profile,
@@ -189,14 +202,14 @@ def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
 
 
 def remove_old_entries(gens: list[SystemIdentifier]) -> None:
-    rex_profile = re.compile(r"^@efiSysMountPoint@/loader/entries/nixos-(.*)-generation-.*\.conf$")
-    rex_generation = re.compile(r"^@efiSysMountPoint@/loader/entries/nixos.*-generation-([0-9]+)(-specialisation-.*)?\.conf$")
+    rex_profile = re.compile(r"^" + re.escape(EFI_SYS_MOUNT_POINT) + "/loader/entries/nixos-(.*)-generation-.*\.conf$")
+    rex_generation = re.compile(r"^" + re.escape(EFI_SYS_MOUNT_POINT) + "/loader/entries/nixos.*-generation-([0-9]+)(-specialisation-.*)?\.conf$")
     known_paths = []
     for gen in gens:
         bootspec = get_bootspec(gen.profile, gen.generation)
         known_paths.append(copy_from_file(bootspec.kernel, True))
         known_paths.append(copy_from_file(bootspec.initrd, True))
-    for path in glob.iglob("@efiSysMountPoint@/loader/entries/nixos*-generation-[1-9]*.conf"):
+    for path in glob.iglob(f"{EFI_SYS_MOUNT_POINT}/loader/entries/nixos*-generation-[1-9]*.conf"):
         if rex_profile.match(path):
             prof = rex_profile.sub(r"\1", path)
         else:
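Review bot: The regex tails on the `rex_profile` and `rex_generation` lines lost their `r` prefix when they were split from the `re.escape(...)` part, so `"...\.conf$"` is now a normal string with an invalid `\.` escape (a DeprecationWarning today, a SyntaxWarning from Python 3.12); the match still works only because unknown escapes are kept verbatim. Make those literals raw again: `r"/loader/entries/nixos-(.*)-generation-.*\.conf$"`. The copy_from_file and write_entry hunks have a related readability issue, mixing an f-string with `%` formatting (`f"{EFI_SYS_MOUNT_POINT}%s" % (efi_file_path)`), where a single f-string `f"{EFI_SYS_MOUNT_POINT}{efi_file_path}"` reads more plainly.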
@@ -207,7 +220,7 @@ def remove_old_entries(gens: list[SystemIdentifier]) -> None:
             continue
         if not (prof, gen_number, None) in gens:
             os.unlink(path)
-    for path in glob.iglob("@efiSysMountPoint@/efi/nixos/*"):
+    for path in glob.iglob(f"{EFI_SYS_MOUNT_POINT}/efi/nixos/*"):
         if not path in known_paths and not os.path.isdir(path):
             os.unlink(path)
 
@@ -230,7 +243,7 @@ def install_bootloader(args: argparse.Namespace) -> None:
         # Since systemd version 232 a machine ID is required and it might not
         # be there on newly installed systems, so let's generate one so that
         # bootctl can find it and we can also pass it to write_entry() later.
-        cmd = ["@systemd@/bin/systemd-machine-id-setup", "--print"]
+        cmd = [f"{SYSTEMD}/bin/systemd-machine-id-setup", "--print"]
         machine_id = subprocess.run(
           cmd, text=True, check=True, stdout=subprocess.PIPE
         ).stdout.rstrip()
@@ -242,22 +255,22 @@ def install_bootloader(args: argparse.Namespace) -> None:
     # flags to pass to bootctl install/update
     bootctl_flags = []
 
-    if "@canTouchEfiVariables@" != "1":
+    if CAN_TOUCH_EFI_VARIABLES != "1":
         bootctl_flags.append("--no-variables")
 
-    if "@graceful@" == "1":
+    if GRACEFUL == "1":
         bootctl_flags.append("--graceful")
 
     if os.getenv("NIXOS_INSTALL_BOOTLOADER") == "1":
         # bootctl uses fopen() with modes "wxe" and fails if the file exists.
-        if os.path.exists("@efiSysMountPoint@/loader/loader.conf"):
-            os.unlink("@efiSysMountPoint@/loader/loader.conf")
+        if os.path.exists(f"{EFI_SYS_MOUNT_POINT}/loader/loader.conf"):
+            os.unlink(f"{EFI_SYS_MOUNT_POINT}/loader/loader.conf")
 
-        subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@"] + bootctl_flags + ["install"])
+        subprocess.check_call([f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"] + bootctl_flags + ["install"])
     else:
         # Update bootloader to latest if needed
-        available_out = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[2]
-        installed_out = subprocess.check_output(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@", "status"], universal_newlines=True)
+        available_out = subprocess.check_output([f"{SYSTEMD}/bin/bootctl", "--version"], universal_newlines=True).split()[2]
+        installed_out = subprocess.check_output([f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}", "status"], universal_newlines=True)
 
         # See status_binaries() in systemd bootctl.c for code which generates this
         installed_match = re.search(r"^\W+File:.*/EFI/(?:BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$",
@@ -276,10 +289,10 @@ def install_bootloader(args: argparse.Namespace) -> None:
 
         if installed_version < available_version:
             print("updating systemd-boot from %s to %s" % (installed_version, available_version))
-            subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@"] + bootctl_flags + ["update"])
+            subprocess.check_call([f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"] + bootctl_flags + ["update"])
 
-    os.makedirs("@efiSysMountPoint@/efi/nixos", exist_ok=True)
-    os.makedirs("@efiSysMountPoint@/loader/entries", exist_ok=True)
+    os.makedirs(f"{EFI_SYS_MOUNT_POINT}/efi/nixos", exist_ok=True)
+    os.makedirs(f"{EFI_SYS_MOUNT_POINT}/loader/entries", exist_ok=True)
 
     gens = get_generations()
     for profile in get_profiles():
@@ -302,9 +315,9 @@ def install_bootloader(args: argparse.Namespace) -> None:
             else:
                 raise e
 
-    for root, _, files in os.walk('@efiSysMountPoint@/efi/nixos/.extra-files', topdown=False):
-        relative_root = root.removeprefix("@efiSysMountPoint@/efi/nixos/.extra-files").removeprefix("/")
-        actual_root = os.path.join("@efiSysMountPoint@", relative_root)
+    for root, _, files in os.walk(f"{EFI_SYS_MOUNT_POINT}/efi/nixos/.extra-files", topdown=False):
+        relative_root = root.removeprefix(f"{EFI_SYS_MOUNT_POINT}/efi/nixos/.extra-files").removeprefix("/")
+        actual_root = os.path.join(f"{EFI_SYS_MOUNT_POINT}", relative_root)
 
         for file in files:
             actual_file = os.path.join(actual_root, file)
@@ -317,14 +330,14 @@ def install_bootloader(args: argparse.Namespace) -> None:
             os.rmdir(actual_root)
         os.rmdir(root)
 
-    os.makedirs("@efiSysMountPoint@/efi/nixos/.extra-files", exist_ok=True)
+    os.makedirs(f"{EFI_SYS_MOUNT_POINT}/efi/nixos/.extra-files", exist_ok=True)
 
-    subprocess.check_call("@copyExtraFiles@")
+    subprocess.check_call(COPY_EXTRA_FILES)
 
 
 def main() -> None:
-    parser = argparse.ArgumentParser(description='Update @distroName@-related systemd-boot files')
-    parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default @distroName@ config to boot')
+    parser = argparse.ArgumentParser(description=f"Update {DISTRO_NAME}-related systemd-boot files")
+    parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help=f"The default {DISTRO_NAME} config to boot")
     args = parser.parse_args()
 
     try:
@@ -334,9 +347,9 @@ def main() -> None:
         # it can leave the system in an unbootable state, when a crash/outage
         # happens shortly after an update. To decrease the likelihood of this
         # event sync the efi filesystem after each update.
-        rc = libc.syncfs(os.open("@efiSysMountPoint@", os.O_RDONLY))
+        rc = libc.syncfs(os.open(f"{EFI_SYS_MOUNT_POINT}", os.O_RDONLY))
         if rc != 0:
-            print("could not sync @efiSysMountPoint@: {}".format(os.strerror(rc)), file=sys.stderr)
+            print(f"could not sync {EFI_SYS_MOUNT_POINT}: {os.strerror(rc)}", file=sys.stderr)
 
 
 if __name__ == '__main__':
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
index 9d55c21077d1..3b140726c2d6 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@@ -81,7 +81,11 @@ in {
 
       type = types.bool;
 
-      description = lib.mdDoc "Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager";
+      description = lib.mdDoc ''
+        Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager.
+        For more information about systemd-boot:
+        https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/
+      '';
     };
 
     editor = mkOption {
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 221e90b6f38f..86a3875e2c67 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -1076,7 +1076,7 @@ in
     boot.initrd.systemd = {
       contents."/etc/crypttab".source = stage1Crypttab;
 
-      extraBin.systemd-cryptsetup = "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup";
+      extraBin.systemd-cryptsetup = "${config.boot.initrd.systemd.package}/bin/systemd-cryptsetup";
 
       additionalUpstreamUnits = [
         "cryptsetup-pre.target"
@@ -1084,7 +1084,7 @@ in
         "remote-cryptsetup.target"
       ];
       storePaths = [
-        "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup"
+        "${config.boot.initrd.systemd.package}/bin/systemd-cryptsetup"
         "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-cryptsetup-generator"
       ];
 
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index 538f71cc0b9a..c42c88163c56 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -95,6 +95,29 @@ in
       '';
     };
 
+    services.resolved.dnsovertls = mkOption {
+      default = "false";
+      example = "true";
+      type = types.enum [ "true" "opportunistic" "false" ];
+      description = lib.mdDoc ''
+        If set to
+        - `"true"`:
+            all DNS lookups will be encrypted. This requires
+            that the DNS server supports DNS-over-TLS and
+            has a valid certificate. If the hostname was specified
+            via the `address#hostname` format in {option}`services.resolved.domains`
+            then the specified hostname is used to validate its certificate.
+        - `"opportunistic"`:
+            all DNS lookups will attempt to be encrypted, but will fallback
+            to unecrypted requests if the server does not support DNS-over-TLS.
+            Note that this mode does allow for a malicious party to conduct a
+            downgrade attack by immitating the DNS server and pretending to not
+            support encryption.
+        - `"false"`:
+            all DNS lookups are done unencrypted.
+      '';
+    };
+
     services.resolved.extraConfig = mkOption {
       default = "";
       type = types.lines;
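Review bot: The description of `services.resolved.dnsovertls` points readers to `services.resolved.domains` for the `address#hostname` form, but in resolved.conf that syntax belongs to `DNS=` (the server list), not `Domains=`, which the second hunk renders from `cfg.domains`; the option this module uses to populate `DNS=` is the one to cite — confirm which one that is. The text also has three spelling slips: `unecrypted` → `unencrypted`, `immitating` → `imitating`, `fallback` → `fall back`. The downgrade caveat under `"opportunistic"` is the security-relevant part of this text; consider stating plainly that only `"true"` prevents it.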
@@ -141,6 +164,7 @@ in
           "Domains=${concatStringsSep " " cfg.domains}"}
         LLMNR=${cfg.llmnr}
         DNSSEC=${cfg.dnssec}
+        DNSOverTLS=${cfg.dnsovertls}
         ${config.services.resolved.extraConfig}
       '';
 
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index 086e5d65da2f..59cf1a47fb7f 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -86,9 +86,14 @@ touch /etc/initrd-release
 # Function for waiting for device(s) to appear.
 waitDevice() {
     local device="$1"
-    # Split device string using ':' as a delimiter as bcachefs
-    # uses this for multi-device filesystems, i.e. /dev/sda1:/dev/sda2:/dev/sda3
-    local IFS=':'
+    # Split device string using ':' as a delimiter, bcachefs uses
+    # this for multi-device filesystems, i.e. /dev/sda1:/dev/sda2:/dev/sda3
+    local IFS
+
+    # bcachefs is the only known use for this at the moment
+    # Preferably, the 'UUID=' syntax should be enforced, but
+    # this is kept for compatibility reasons
+    if [ "$fsType" = bcachefs ]; then IFS=':'; fi
 
     # USB storage devices tend to appear with some delay.  It would be
     # great if we had a way to synchronously wait for them, but
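Review bot: `waitDevice` now keys its splitting behaviour on `$fsType`, which is neither a parameter nor declared in the function, so the result depends on whatever the caller last assigned and a call site without `fsType` set silently takes the non-bcachefs path. Passing the type explicitly (`waitDevice "$device" "$fsType"` with `local fsType="$2"`) or at least a comment `# relies on the caller's $fsType` would make the coupling visible. The function body continues past the hunk.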
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index c3902007906a..e29fa49ea23b 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -428,7 +428,13 @@ in
 
   config = {
 
-    warnings = concatLists (
+    warnings = let
+      mkOneNetOnlineWarn = typeStr: name: def: lib.optional
+        (lib.elem "network-online.target" def.after && !(lib.elem "network-online.target" (def.wants ++ def.requires ++ def.bindsTo)))
+        "${name}.${typeStr} is ordered after 'network-online.target' but doesn't depend on it";
+      mkNetOnlineWarns = typeStr: defs: lib.concatLists (lib.mapAttrsToList (mkOneNetOnlineWarn typeStr) defs);
+      mkMountNetOnlineWarns = typeStr: defs: lib.concatLists (map (m: mkOneNetOnlineWarn typeStr m.what m) defs);
+    in concatLists (
       mapAttrsToList
         (name: service:
           let
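Review bot: `mkOneNetOnlineWarn` only consults the typed `wants`/`requires`/`bindsTo` lists, so a unit that declares the dependency through `unitConfig.Wants`/`Requires`, or receives it from a drop-in, is still warned although it is correctly configured, and the message gives no hint of that. Either also inspect the `unitConfig` keys, or document the limitation on the helper, e.g. `# Only the typed option lists are checked; unitConfig.Wants= is not inspected`. The `warnings` expression continues in the next hunk.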
@@ -449,7 +455,15 @@ in
             ]
         )
         cfg.services
-    );
+    )
+    ++ (mkNetOnlineWarns "target" cfg.targets)
+    ++ (mkNetOnlineWarns "service" cfg.services)
+    ++ (mkNetOnlineWarns "socket" cfg.sockets)
+    ++ (mkNetOnlineWarns "timer" cfg.timers)
+    ++ (mkNetOnlineWarns "path" cfg.paths)
+    ++ (mkMountNetOnlineWarns "mount" cfg.mounts)
+    ++ (mkMountNetOnlineWarns "automount" cfg.automounts)
+    ++ (mkNetOnlineWarns "slice" cfg.slices);
 
     assertions = concatLists (
       mapAttrsToList
@@ -569,6 +583,13 @@ in
         unitConfig.X-StopOnReconfiguration = true;
       };
 
+    # This target only exists so that services ordered before sysinit.target
+    # are restarted in the correct order, notably BEFORE the other services,
+    # when switching configurations.
+    systemd.targets.sysinit-reactivation = {
+      description = "Reactivate sysinit units";
+    };
+
     systemd.units =
          mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    n v)) cfg.paths
       // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 4ae07944afc3..26cc016869b3 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -70,6 +70,7 @@ let
     "systemd-tmpfiles-setup.service"
     "timers.target"
     "umount.target"
+    "systemd-bsod.service"
   ] ++ cfg.additionalUpstreamUnits;
 
   upstreamWants = [
@@ -424,6 +425,7 @@ in {
 
       storePaths = [
         # systemd tooling
+        "${cfg.package}/lib/systemd/systemd-executor"
         "${cfg.package}/lib/systemd/systemd-fsck"
         "${cfg.package}/lib/systemd/systemd-hibernate-resume"
         "${cfg.package}/lib/systemd/systemd-journald"
@@ -433,6 +435,7 @@ in {
         "${cfg.package}/lib/systemd/systemd-shutdown"
         "${cfg.package}/lib/systemd/systemd-sulogin-shell"
         "${cfg.package}/lib/systemd/systemd-sysctl"
+        "${cfg.package}/lib/systemd/systemd-bsod"
 
         # generators
         "${cfg.package}/lib/systemd/system-generators/systemd-debug-generator"
diff --git a/nixos/modules/system/boot/systemd/sysusers.nix b/nixos/modules/system/boot/systemd/sysusers.nix
new file mode 100644
index 000000000000..c619c2d91eb0
--- /dev/null
+++ b/nixos/modules/system/boot/systemd/sysusers.nix
@@ -0,0 +1,169 @@
+{ config, lib, pkgs, utils, ... }:
+
+let
+
+  cfg = config.systemd.sysusers;
+  userCfg = config.users;
+
+  sysusersConfig = pkgs.writeTextDir "00-nixos.conf" ''
+    # Type Name ID GECOS Home directory Shell
+
+    # Users
+    ${lib.concatLines (lib.mapAttrsToList
+      (username: opts:
+        let
+          uid = if opts.uid == null then "-" else toString opts.uid;
+        in
+          ''u ${username} ${uid}:${opts.group} "${opts.description}" ${opts.home} ${utils.toShellPath opts.shell}''
+      )
+      userCfg.users)
+    }
+
+    # Groups
+    ${lib.concatLines (lib.mapAttrsToList
+      (groupname: opts: ''g ${groupname} ${if opts.gid == null then "-" else toString opts.gid}'') userCfg.groups)
+    }
+
+    # Group membership
+    ${lib.concatStrings (lib.mapAttrsToList
+      (groupname: opts: (lib.concatMapStrings (username: "m ${username} ${groupname}\n")) opts.members ) userCfg.groups)
+    }
+  '';
+
+  staticSysusersCredentials = pkgs.runCommand "static-sysusers-credentials" { } ''
+    mkdir $out; cd $out
+    ${lib.concatLines (
+      (lib.mapAttrsToList
+        (username: opts: "echo -n '${opts.initialHashedPassword}' > 'passwd.hashed-password.${username}'")
+        (lib.filterAttrs (_username: opts: opts.initialHashedPassword != null) userCfg.users))
+        ++
+      (lib.mapAttrsToList
+        (username: opts: "echo -n '${opts.initialPassword}' > 'passwd.plaintext-password.${username}'")
+        (lib.filterAttrs (_username: opts: opts.initialPassword != null) userCfg.users))
+        ++
+      (lib.mapAttrsToList
+        (username: opts: "cat '${opts.hashedPasswordFile}' > 'passwd.hashed-password.${username}'")
+        (lib.filterAttrs (_username: opts: opts.hashedPasswordFile != null) userCfg.users))
+      )
+    }
+  '';
+
+  staticSysusers = pkgs.runCommand "static-sysusers"
+    {
+      nativeBuildInputs = [ pkgs.systemd ];
+    } ''
+    mkdir $out
+    export CREDENTIALS_DIRECTORY=${staticSysusersCredentials}
+    systemd-sysusers --root $out ${sysusersConfig}/00-nixos.conf
+  '';
+
+in
+
+{
+
+  options = {
+
+    # This module doesn't set it's own user options but reuses the ones from
+    # users-groups.nix
+
+    systemd.sysusers = {
+      enable = lib.mkEnableOption (lib.mdDoc "systemd-sysusers") // {
+        description = lib.mdDoc ''
+          If enabled, users are created with systemd-sysusers instead of with
+          the custom `update-users-groups.pl` script.
+
+          Note: This is experimental.
+        '';
+      };
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    assertions = [
+      {
+        assertion = config.system.activationScripts.users == "";
+        message = "system.activationScripts.users has to be empty to use systemd-sysusers";
+      }
+      {
+        assertion = config.users.mutableUsers -> config.system.etc.overlay.enable;
+        message = "config.users.mutableUsers requires config.system.etc.overlay.enable.";
+      }
+    ];
+
+    systemd = lib.mkMerge [
+      ({
+
+        # Create home directories, do not create /var/empty even if that's a user's
+        # home.
+        tmpfiles.settings.home-directories = lib.mapAttrs'
+          (username: opts: lib.nameValuePair opts.home {
+            d = {
+              mode = opts.homeMode;
+              user = username;
+              group = opts.group;
+            };
+          })
+          (lib.filterAttrs (_username: opts: opts.home != "/var/empty") userCfg.users);
+      })
+
+      (lib.mkIf config.users.mutableUsers {
+        additionalUpstreamSystemUnits = [
+          "systemd-sysusers.service"
+        ];
+
+        services.systemd-sysusers = {
+          # Enable switch-to-configuration to restart the service.
+          unitConfig.ConditionNeedsUpdate = [ "" ];
+          requiredBy = [ "sysinit-reactivation.target" ];
+          before = [ "sysinit-reactivation.target" ];
+          restartTriggers = [ "${config.environment.etc."sysusers.d".source}" ];
+
+          serviceConfig = {
+            LoadCredential = lib.mapAttrsToList
+              (username: opts: "passwd.hashed-password.${username}:${opts.hashedPasswordFile}")
+              (lib.filterAttrs (_username: opts: opts.hashedPasswordFile != null) userCfg.users);
+            SetCredential = (lib.mapAttrsToList
+              (username: opts: "passwd.hashed-password.${username}:${opts.initialHashedPassword}")
+              (lib.filterAttrs (_username: opts: opts.initialHashedPassword != null) userCfg.users))
+            ++
+            (lib.mapAttrsToList
+              (username: opts: "passwd.plaintext-password.${username}:${opts.initialPassword}")
+              (lib.filterAttrs (_username: opts: opts.initialPassword != null) userCfg.users))
+            ;
+          };
+        };
+      })
+    ];
+
+    environment.etc = lib.mkMerge [
+      (lib.mkIf (!userCfg.mutableUsers) {
+        "passwd" = {
+          source = "${staticSysusers}/etc/passwd";
+          mode = "0644";
+        };
+        "group" = {
+          source = "${staticSysusers}/etc/group";
+          mode = "0644";
+        };
+        "shadow" = {
+          source = "${staticSysusers}/etc/shadow";
+          mode = "0000";
+        };
+        "gshadow" = {
+          source = "${staticSysusers}/etc/gshadow";
+          mode = "0000";
+        };
+      })
+
+      (lib.mkIf userCfg.mutableUsers {
+        "sysusers.d".source = sysusersConfig;
+      })
+    ];
+
+  };
+
+  meta.maintainers = with lib.maintainers; [ nikstur ];
+
+}
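Review bot: `staticSysusersCredentials` writes the contents of `hashedPasswordFile` (and plaintext `initialPassword` values) into a Nix store path at build time, and the derived `${staticSysusers}/etc/shadow` is likewise a world-readable store path even though the `/etc/shadow` copy gets mode 0000, so with `mutableUsers = false` the password hashes are readable by any local user; the `cat` of a non-store path will also fail under sandboxed builds. That limitation should be stated in the option description next to "This is experimental", or the static path should reject `hashedPasswordFile` with an assertion until the hash can be supplied at activation time. Separately, the `echo -n '${opts.initialHashedPassword}'` and `initialPassword` lines interpolate user-supplied strings inside single quotes; use `echo -n ${lib.escapeShellArg opts.initialPassword}` so a quote in the value cannot break the build script.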
diff --git a/nixos/modules/system/boot/systemd/tmpfiles.nix b/nixos/modules/system/boot/systemd/tmpfiles.nix
index 183e2033ecb0..dae23eddd1e2 100644
--- a/nixos/modules/system/boot/systemd/tmpfiles.nix
+++ b/nixos/modules/system/boot/systemd/tmpfiles.nix
@@ -150,6 +150,41 @@ in
       "systemd-tmpfiles-setup.service"
     ];
 
+    # Allow systemd-tmpfiles to be restarted by switch-to-configuration. This
+    # service is not pulled into the normal boot process. It only exists for
+    # switch-to-configuration.
+    #
+    # This needs to be a separate unit because it does not execute
+    # systemd-tmpfiles with `--boot` as that is supposed to only be executed
+    # once at boot time.
+    #
+    # Keep this aligned with the upstream `systemd-tmpfiles-setup.service` unit.
+    systemd.services."systemd-tmpfiles-resetup" = {
+      description = "Re-setup tmpfiles on a system that is already running.";
+
+      requiredBy = [ "sysinit-reactivation.target" ];
+      after = [ "local-fs.target" "systemd-sysusers.service" "systemd-journald.service" ];
+      before = [ "sysinit-reactivation.target" "shutdown.target" ];
+      conflicts = [ "shutdown.target" ];
+      restartTriggers = [ config.environment.etc."tmpfiles.d".source ];
+
+      unitConfig.DefaultDependencies = false;
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "systemd-tmpfiles --create --remove --exclude-prefix=/dev";
+        SuccessExitStatus = "DATAERR CANTCREAT";
+        ImportCredential = [
+          "tmpfiles.*"
+          "loging.motd"
+          "login.issue"
+          "network.hosts"
+          "ssh.authorized_keys.root"
+        ];
+      };
+    };
+
     environment.etc = {
       "tmpfiles.d".source = (pkgs.symlinkJoin {
         name = "tmpfiles.d";
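Review bot: The `ImportCredential` list contains `"loging.motd"`, which does not match the `login.issue` entry next to it and looks like a typo for the upstream credential name; as written, a `login.motd` credential would simply not be imported by this unit, and since the comment asks to keep the list aligned with upstream `systemd-tmpfiles-setup.service`, the mismatch is worth fixing now: `"login.motd"`. Because this unit runs on a live system, it may also be worth a one-line comment above `ExecStart` noting that `--remove` is intentional here (it applies `r`/`R` entries outside boot), so a future reader does not assume it was copied over by accident.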
diff --git a/nixos/modules/system/boot/uki.nix b/nixos/modules/system/boot/uki.nix
new file mode 100644
index 000000000000..63c4e0c0e391
--- /dev/null
+++ b/nixos/modules/system/boot/uki.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }:
+
+let
+
+  cfg = config.boot.uki;
+
+  inherit (pkgs.stdenv.hostPlatform) efiArch;
+
+  format = pkgs.formats.ini { };
+  ukifyConfig = format.generate "ukify.conf" cfg.settings;
+
+in
+
+{
+  options = {
+
+    boot.uki = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        description = lib.mdDoc "Name of the UKI";
+      };
+
+      version = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = config.system.image.version;
+        defaultText = lib.literalExpression "config.system.image.version";
+        description = lib.mdDoc "Version of the image or generation the UKI belongs to";
+      };
+
+      settings = lib.mkOption {
+        type = format.type;
+        description = lib.mdDoc ''
+          The configuration settings for ukify. These control what the UKI
+          contains and how it is built.
+        '';
+      };
+    };
+
+    system.boot.loader.ukiFile = lib.mkOption {
+      type = lib.types.str;
+      internal = true;
+      description = lib.mdDoc "Name of the UKI file";
+    };
+
+  };
+
+  config = {
+
+    boot.uki.name = lib.mkOptionDefault (if config.system.image.id != null then
+      config.system.image.id
+    else
+      "nixos");
+
+    boot.uki.settings = lib.mkOptionDefault {
+      UKI = {
+        Linux = "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}";
+        Initrd = "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}";
+        Cmdline = "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}";
+        Stub = "${pkgs.systemd}/lib/systemd/boot/efi/linux${efiArch}.efi.stub";
+        Uname = "${config.boot.kernelPackages.kernel.modDirVersion}";
+        OSRelease = "@${config.system.build.etc}/etc/os-release";
+        # This is needed for cross compiling.
+        EFIArch = efiArch;
+      };
+    };
+
+    system.boot.loader.ukiFile =
+      let
+        name = config.boot.uki.name;
+        version = config.boot.uki.version;
+        versionInfix = if version != null then "_${version}" else "";
+      in
+      name + versionInfix + ".efi";
+
+    system.build.uki = pkgs.runCommand config.system.boot.loader.ukiFile { } ''
+      mkdir -p $out
+      ${pkgs.buildPackages.systemdUkify}/lib/systemd/ukify build \
+        --config=${ukifyConfig} \
+        --output="$out/${config.system.boot.loader.ukiFile}"
+    '';
+
+    meta.maintainers = with lib.maintainers; [ nikstur ];
+
+  };
+}
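Review bot: The `boot.uki.settings` description does not say that the whole attribute set is serialised into the Nix store through `format.generate "ukify.conf" cfg.settings`, nor that the default settings produce an unsigned UKI. Both matter to anyone intending to use this for Secure Boot: any signing key material referenced from `settings` by a Nix path would be copied into the world-readable store, and the derivation in `system.build.uki` cannot read paths outside the build sandbox, so signing has to be handled separately. I would extend the description with a sentence such as "The generated ukify.conf is placed in the Nix store; do not reference private key material from here. The UKI built by default is unsigned." A short comment on `system.build.uki` pointing to where signing is expected to happen would also help.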
diff --git a/nixos/modules/system/etc/build-composefs-dump.py b/nixos/modules/system/etc/build-composefs-dump.py
new file mode 100644
index 000000000000..923d40008b63
--- /dev/null
+++ b/nixos/modules/system/etc/build-composefs-dump.py
@@ -0,0 +1,209 @@
+#!/usr/bin/env python3
+
+"""Build a composefs dump from a Json config
+
+See the man page of composefs-dump for details about the format:
+https://github.com/containers/composefs/blob/main/man/composefs-dump.md
+
+Ensure to check the file with the check script when you make changes to it:
+
+./check-build-composefs-dump.sh ./build-composefs_dump.py
+"""
+
+import glob
+import json
+import os
+import sys
+from enum import Enum
+from pathlib import Path
+from typing import Any
+
+Attrs = dict[str, Any]
+
+
+class FileType(Enum):
+    """The filetype as defined by the `st_mode` stat field in octal
+
+    You can check the st_mode stat field of a path in Python with
+    `oct(os.stat("/path/").st_mode)`
+    """
+
+    directory = "4"
+    file = "10"
+    symlink = "12"
+
+
+class ComposefsPath:
+    path: str
+    size: int
+    filetype: FileType
+    mode: str
+    uid: str
+    gid: str
+    payload: str
+    rdev: str = "0"
+    nlink: int = 1
+    mtime: str = "1.0"
+    content: str = "-"
+    digest: str = "-"
+
+    def __init__(
+        self,
+        attrs: Attrs,
+        size: int,
+        filetype: FileType,
+        mode: str,
+        payload: str,
+        path: str | None = None,
+    ):
+        if path is None:
+            path = attrs["target"]
+        self.path = "/" + path
+        self.size = size
+        self.filetype = filetype
+        self.mode = mode
+        self.uid = attrs["uid"]
+        self.gid = attrs["gid"]
+        self.payload = payload
+
+    def write_line(self) -> str:
+        line_list = [
+            str(self.path),
+            str(self.size),
+            f"{self.filetype.value}{self.mode}",
+            str(self.nlink),
+            str(self.uid),
+            str(self.gid),
+            str(self.rdev),
+            str(self.mtime),
+            str(self.payload),
+            str(self.content),
+            str(self.digest),
+        ]
+        return " ".join(line_list)
+
+
+def eprint(*args, **kwargs) -> None:
+    print(args, **kwargs, file=sys.stderr)
+
+
+def leading_directories(path: str) -> list[str]:
+    """Return the leading directories of path
+
+    Given the path "alsa/conf.d/50-pipewire.conf", for example, this function
+    returns `[ "alsa", "alsa/conf.d" ]`.
+    """
+    parents = list(Path(path).parents)
+    parents.reverse()
+    # remove the implicit `.` from the start of a relative path or `/` from an
+    # absolute path
+    del parents[0]
+    return [str(i) for i in parents]
+
+
+def add_leading_directories(
+    target: str, attrs: Attrs, paths: dict[str, ComposefsPath]
+) -> None:
+    """Add the leading directories of a target path to the composefs paths
+
+    mkcomposefs expects that all leading directories are explicitly listed in
+    the dump file. Given the path "alsa/conf.d/50-pipewire.conf", for example,
+    this function adds "alsa" and "alsa/conf.d" to the composefs paths.
+    """
+    path_components = leading_directories(target)
+    for component in path_components:
+        composefs_path = ComposefsPath(
+            attrs,
+            path=component,
+            size=4096,
+            filetype=FileType.directory,
+            mode="0755",
+            payload="-",
+        )
+        paths[component] = composefs_path
+
+
+def main() -> None:
+    """Build a composefs dump from a Json config
+
+    This config describes the files that the final composefs image is supposed
+    to contain.
+    """
+    config_file = sys.argv[1]
+    if not config_file:
+        eprint("No config file was supplied.")
+        sys.exit(1)
+
+    with open(config_file, "rb") as f:
+        config = json.load(f)
+
+    if not config:
+        eprint("Config is empty.")
+        sys.exit(1)
+
+    eprint("Building composefs dump...")
+
+    paths: dict[str, ComposefsPath] = {}
+    for attrs in config:
+        target = attrs["target"]
+        source = attrs["source"]
+        mode = attrs["mode"]
+
+        if "*" in source:  # Path with globbing
+            glob_sources = glob.glob(source)
+            for glob_source in glob_sources:
+                basename = os.path.basename(glob_source)
+                glob_target = f"{target}/{basename}"
+
+                composefs_path = ComposefsPath(
+                    attrs,
+                    path=glob_target,
+                    size=100,
+                    filetype=FileType.symlink,
+                    mode="0777",
+                    payload=glob_source,
+                )
+
+                paths[glob_target] = composefs_path
+                add_leading_directories(glob_target, attrs, paths)
+        else:  # Without globbing
+            if mode == "symlink":
+                composefs_path = ComposefsPath(
+                    attrs,
+                    # A high approximation of the size of a symlink
+                    size=100,
+                    filetype=FileType.symlink,
+                    mode="0777",
+                    payload=source,
+                )
+            else:
+                if os.path.isdir(source):
+                    composefs_path = ComposefsPath(
+                        attrs,
+                        size=4096,
+                        filetype=FileType.directory,
+                        mode=mode,
+                        payload=source,
+                    )
+                else:
+                    composefs_path = ComposefsPath(
+                        attrs,
+                        size=os.stat(source).st_size,
+                        filetype=FileType.file,
+                        mode=mode,
+                        payload=target,
+                    )
+            paths[target] = composefs_path
+            add_leading_directories(target, attrs, paths)
+
+    composefs_dump = ["/ 4096 40755 1 0 0 0 0.0 - - -"]  # Root directory
+    for key in sorted(paths):
+        composefs_path = paths[key]
+        eprint(composefs_path.path)
+        composefs_dump.append(composefs_path.write_line())
+
+    print("\n".join(composefs_dump))
+
+
+if __name__ == "__main__":
+    main()
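Review bot: `eprint` passes the tuple `args` to `print` instead of unpacking it, so every diagnostic (for example "No config file was supplied.") is printed as a tuple repr rather than as text; the fix is `print(*args, **kwargs, file=sys.stderr)`. In `main`, `sys.argv[1]` is indexed before the `if not config_file` guard, so running the script without an argument raises `IndexError` and the intended message is never reached; guard with `if len(sys.argv) < 2 or not sys.argv[1]:` before reading it. The module docstring also refers to `./build-composefs_dump.py` while the file is named `build-composefs-dump.py`, which will mislead anyone following the check instruction.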
diff --git a/nixos/modules/system/etc/check-build-composefs-dump.sh b/nixos/modules/system/etc/check-build-composefs-dump.sh
new file mode 100755
index 000000000000..da61651d1a5d
--- /dev/null
+++ b/nixos/modules/system/etc/check-build-composefs-dump.sh
@@ -0,0 +1,8 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p black ruff mypy
+
+file=$1
+
+black --check --diff $file
+ruff --line-length 88 $file
+mypy --strict $file
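Review bot: The script's exit status is that of the last command only, so a failing `black --check` or `ruff` run is masked whenever `mypy` succeeds, which defeats the purpose of a check script; add `set -euo pipefail` after the shebang lines. `$file` is also unquoted in all three invocations and the script does not fail when no argument is given; quoting, e.g. `black --check --diff "$file"`, and `-u` together close both gaps.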
diff --git a/nixos/modules/system/etc/etc-activation.nix b/nixos/modules/system/etc/etc-activation.nix
index 780104950186..f47fd771c659 100644
--- a/nixos/modules/system/etc/etc-activation.nix
+++ b/nixos/modules/system/etc/etc-activation.nix
@@ -1,12 +1,96 @@
 { config, lib, ... }:
-let
-  inherit (lib) stringAfter;
-in {
+
+{
 
   imports = [ ./etc.nix ];
 
-  config = {
-    system.activationScripts.etc =
-      stringAfter [ "users" "groups" ] config.system.build.etcActivationCommands;
-  };
+  config = lib.mkMerge [
+
+    {
+      system.activationScripts.etc =
+        lib.stringAfter [ "users" "groups" ] config.system.build.etcActivationCommands;
+    }
+
+    (lib.mkIf config.system.etc.overlay.enable {
+
+      assertions = [
+        {
+          assertion = config.boot.initrd.systemd.enable;
+          message = "`system.etc.overlay.enable` requires `boot.initrd.systemd.enable`";
+        }
+        {
+          assertion = (!config.system.etc.overlay.mutable) -> config.systemd.sysusers.enable;
+          message = "`system.etc.overlay.mutable = false` requires `systemd.sysusers.enable`";
+        }
+        {
+          assertion = lib.versionAtLeast config.boot.kernelPackages.kernel.version "6.6";
+          message = "`system.etc.overlay.enable requires a newer kernel, at least version 6.6";
+        }
+        {
+          assertion = config.systemd.sysusers.enable -> (config.users.mutableUsers == config.system.etc.overlay.mutable);
+          message = ''
+            When using systemd-sysusers and mounting `/etc` via an overlay, users
+            can only be mutable when `/etc` is mutable and vice versa.
+          '';
+        }
+      ];
+
+      boot.initrd.availableKernelModules = [ "loop" "erofs" "overlay" ];
+
+      boot.initrd.systemd = {
+        mounts = [
+          {
+            where = "/run/etc-metadata";
+            what = "/sysroot${config.system.build.etcMetadataImage}";
+            type = "erofs";
+            options = "loop";
+            unitConfig.RequiresMountsFor = [
+              "/sysroot/nix/store"
+            ];
+          }
+          {
+            where = "/sysroot/etc";
+            what = "overlay";
+            type = "overlay";
+            options = lib.concatStringsSep "," ([
+              "relatime"
+              "redirect_dir=on"
+              "metacopy=on"
+              "lowerdir=/run/etc-metadata::/sysroot${config.system.build.etcBasedir}"
+            ] ++ lib.optionals config.system.etc.overlay.mutable [
+              "rw"
+              "upperdir=/sysroot/.rw-etc/upper"
+              "workdir=/sysroot/.rw-etc/work"
+            ] ++ lib.optionals (!config.system.etc.overlay.mutable) [
+              "ro"
+            ]);
+            wantedBy = [ "initrd-fs.target" ];
+            before = [ "initrd-fs.target" ];
+            requires = lib.mkIf config.system.etc.overlay.mutable [ "rw-etc.service" ];
+            after = lib.mkIf config.system.etc.overlay.mutable [ "rw-etc.service" ];
+            unitConfig.RequiresMountsFor = [
+              "/sysroot/nix/store"
+              "/run/etc-metadata"
+            ];
+          }
+        ];
+        services = lib.mkIf config.system.etc.overlay.mutable {
+          rw-etc = {
+            unitConfig = {
+              DefaultDependencies = false;
+              RequiresMountsFor = "/sysroot";
+            };
+            serviceConfig = {
+              Type = "oneshot";
+              ExecStart = ''
+                /bin/mkdir -p -m 0755 /sysroot/.rw-etc/upper /sysroot/.rw-etc/work
+              '';
+            };
+          };
+        };
+      };
+
+    })
+
+  ];
 }
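Review bot: The kernel-version assertion message has an unbalanced backtick: `` message = "`system.etc.overlay.enable requires a newer kernel, at least version 6.6"; `` renders the whole sentence as inline code in the evaluation error, unlike the other two messages in the same list; it should read `` message = "`system.etc.overlay.enable` requires a newer kernel, at least version 6.6"; ``. Separately, `rw-etc.service` invokes `/bin/mkdir` with an absolute path while the rest of this file relies on module-provided paths; a brief comment stating that `/bin` is expected to be populated in the systemd initrd would tell a reader why this does not need a store path.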
diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix
index ea61e7384e60..baf37ba6def3 100644
--- a/nixos/modules/system/etc/etc.nix
+++ b/nixos/modules/system/etc/etc.nix
@@ -62,6 +62,16 @@ let
     ]) etc'}
   '';
 
+  etcHardlinks = filter (f: f.mode != "symlink") etc';
+
+  build-composefs-dump = pkgs.runCommand "build-composefs-dump.py"
+    {
+      buildInputs = [ pkgs.python3 ];
+    } ''
+    install ${./build-composefs-dump.py} $out
+    patchShebangs --host $out
+  '';
+
 in
 
 {
@@ -72,6 +82,30 @@ in
 
   options = {
 
+    system.etc.overlay = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Mount `/etc` as an overlayfs instead of generating it via a perl script.
+
+          Note: This is currently experimental. Only enable this option if you're
+          confident that you can recover your system if it breaks.
+        '';
+      };
+
+      mutable = mkOption {
+        type = types.bool;
+        default = true;
+        description = lib.mdDoc ''
+          Whether to mount `/etc` mutably (i.e. read-write) or immutably (i.e. read-only).
+
+          If this is false, only the immutable lowerdir is mounted. If it is
+          true, a writable upperdir is mounted on top.
+        '';
+      };
+    };
+
     environment.etc = mkOption {
       default = {};
       example = literalExpression ''
@@ -190,12 +224,84 @@ in
   config = {
 
     system.build.etc = etc;
-    system.build.etcActivationCommands =
-      ''
-        # Set up the statically computed bits of /etc.
-        echo "setting up /etc..."
-        ${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl ${./setup-etc.pl} ${etc}/etc
+    system.build.etcActivationCommands = let
+      etcOverlayOptions = lib.concatStringsSep "," ([
+        "relatime"
+        "redirect_dir=on"
+        "metacopy=on"
+      ] ++ lib.optionals config.system.etc.overlay.mutable [
+        "upperdir=/.rw-etc/upper"
+        "workdir=/.rw-etc/work"
+      ]);
+    in if config.system.etc.overlay.enable then ''
+      # This script atomically remounts /etc when switching configuration. On a (re-)boot
+      # this should not run because /etc is mounted via a systemd mount unit
+      # instead. To a large extent this mimics what composefs does. Because
+      # it's relatively simple, however, we avoid the composefs dependency.
+      if [[ ! $IN_NIXOS_SYSTEMD_STAGE1 ]]; then
+        echo "remounting /etc..."
+
+        tmpMetadataMount=$(mktemp --directory)
+        mount --type erofs ${config.system.build.etcMetadataImage} $tmpMetadataMount
+
+        # Mount the new /etc overlay to a temporary private mount.
+        # This needs the indirection via a private bind mount because you
+        # cannot move shared mounts.
+        tmpEtcMount=$(mktemp --directory)
+        mount --bind --make-private $tmpEtcMount $tmpEtcMount
+        mount --type overlay overlay \
+          --options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \
+          $tmpEtcMount
+
+        # Move the new temporary /etc mount underneath the current /etc mount.
+        #
+        # This should eventually use util-linux to perform this move beneath,
+        # however, this functionality is not yet in util-linux. See this
+        # tracking issue: https://github.com/util-linux/util-linux/issues/2604
+        ${pkgs.move-mount-beneath}/bin/move-mount --move --beneath $tmpEtcMount /etc
+
+        # Unmount the top /etc mount to atomically reveal the new mount.
+        umount /etc
+
+      fi
+    '' else ''
+      # Set up the statically computed bits of /etc.
+      echo "setting up /etc..."
+      ${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl ${./setup-etc.pl} ${etc}/etc
+    '';
+
+    system.build.etcBasedir = pkgs.runCommandLocal "etc-lowerdir" { } ''
+      set -euo pipefail
+
+      makeEtcEntry() {
+        src="$1"
+        target="$2"
+
+        mkdir -p "$out/$(dirname "$target")"
+        cp "$src" "$out/$target"
+      }
+
+      mkdir -p "$out"
+      ${concatMapStringsSep "\n" (etcEntry: escapeShellArgs [
+        "makeEtcEntry"
+        # Force local source paths to be added to the store
+        "${etcEntry.source}"
+        etcEntry.target
+      ]) etcHardlinks}
+    '';
+
+    system.build.etcMetadataImage =
+      let
+        etcJson = pkgs.writeText "etc-json" (builtins.toJSON etc');
+        etcDump = pkgs.runCommand "etc-dump" { } "${build-composefs-dump} ${etcJson} > $out";
+      in
+      pkgs.runCommand "etc-metadata.erofs" {
+        nativeBuildInputs = [ pkgs.composefs pkgs.erofs-utils ];
+      } ''
+        mkcomposefs --from-file ${etcDump} $out
+        fsck.erofs $out
       '';
+
   };
 
 }
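Review bot: The activation script in `etcActivationCommands` leaves both temporary mounts behind on every switch: after `move-mount --move --beneath` the overlay has moved, but the erofs loop mount at `$tmpMetadataMount` and the self bind mount at `$tmpEtcMount` remain, along with the two `mktemp` directories, so each configuration switch accumulates an extra loop device and mount entry. Since overlayfs keeps its own reference to the lower directory, the metadata mount can be released lazily once the overlay is in place: `umount --lazy $tmpMetadataMount`, `umount $tmpEtcMount`, then `rmdir $tmpMetadataMount $tmpEtcMount`. In `etcBasedir`, `makeEtcEntry` copies with plain `cp`, so if an `etcHardlinks` entry can have a directory source (the Python dump script does handle that case), the `set -euo pipefail` build will fail; either `cp -r` or an explicit comment that non-symlink entries are always regular files would settle it.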
diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix
index 29e3e313336f..22311871274b 100644
--- a/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixos/modules/tasks/auto-upgrade.nix
@@ -109,6 +109,17 @@ in {
         '';
       };
 
+      fixedRandomDelay = mkOption {
+        default = false;
+        type = types.bool;
+        example = true;
+        description = lib.mdDoc ''
+          Make the randomized delay consistent between runs.
+          This reduces the jitter between automatic upgrades.
+          See {option}`randomizedDelaySec` for configuring the randomized delay.
+        '';
+      };
+
       rebootWindow = mkOption {
         description = lib.mdDoc ''
           Define a lower and upper time value (in HH:MM format) which
@@ -253,6 +264,7 @@ in {
     systemd.timers.nixos-upgrade = {
       timerConfig = {
         RandomizedDelaySec = cfg.randomizedDelaySec;
+        FixedRandomDelay = cfg.fixedRandomDelay;
         Persistent = cfg.persistent;
       };
     };
diff --git a/nixos/modules/tasks/filesystems/bcachefs.nix b/nixos/modules/tasks/filesystems/bcachefs.nix
index fdb149a3d9a1..3b990ce30b21 100644
--- a/nixos/modules/tasks/filesystems/bcachefs.nix
+++ b/nixos/modules/tasks/filesystems/bcachefs.nix
@@ -123,9 +123,14 @@ in
       inherit assertions;
       # needed for systemd-remount-fs
       system.fsPackages = [ pkgs.bcachefs-tools ];
-      # FIXME: Remove this line when the default kernel has bcachefs
+      # FIXME: Remove this line when the LTS (default) kernel is at least version 6.7
       boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
-      systemd.services = lib.mapAttrs' (mkUnits "") (lib.filterAttrs (n: fs: (fs.fsType == "bcachefs") && (!utils.fsNeededForBoot fs)) config.fileSystems);
+      services.udev.packages = [ pkgs.bcachefs-tools ];
+
+      systemd = {
+        packages = [ pkgs.bcachefs-tools ];
+        services = lib.mapAttrs' (mkUnits "") (lib.filterAttrs (n: fs: (fs.fsType == "bcachefs") && (!utils.fsNeededForBoot fs)) config.fileSystems);
+      };
     }
 
     (lib.mkIf ((lib.elem "bcachefs" config.boot.initrd.supportedFilesystems) || (bootFs != {})) {
diff --git a/nixos/modules/tasks/filesystems/sshfs.nix b/nixos/modules/tasks/filesystems/sshfs.nix
new file mode 100644
index 000000000000..cd71dda16d8b
--- /dev/null
+++ b/nixos/modules/tasks/filesystems/sshfs.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf (lib.any (fs: fs == "sshfs" || fs == "fuse.sshfs") config.boot.supportedFilesystems) {
+    system.fsPackages = [ pkgs.sshfs ];
+  };
+}
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index 9ee77cd79a9b..6aa718c1975d 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -207,7 +207,10 @@ in
     networking.usePredictableInterfaceNames = false;
 
     # Make it easy to log in as root when running the test interactively.
-    users.users.root.initialHashedPassword = mkOverride 150 "";
+    # This needs to be a file because of a quirk in systemd credentials,
+    # where you cannot specify an empty string as a value. systemd-sysusers
+    # uses credentials to set passwords on users.
+    users.users.root.hashedPasswordFile = mkOverride 150 "${pkgs.writeText "hashed-password.root" ""}";
 
     services.xserver.displayManager.job.logToJournal = true;
 
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index aa44f2642697..f0d9b95f81f6 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -71,6 +71,7 @@ in
 
     systemd.services.fetch-ec2-metadata = {
       wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
       after = ["network-online.target"];
       path = [ pkgs.curl ];
       script = builtins.readFile ./ec2-metadata-fetcher.sh;
diff --git a/nixos/modules/virtualisation/incus.nix b/nixos/modules/virtualisation/incus.nix
index 3e48f8873ed4..ea4cb916aa08 100644
--- a/nixos/modules/virtualisation/incus.nix
+++ b/nixos/modules/virtualisation/incus.nix
@@ -150,10 +150,12 @@ in
       after = [
         "network-online.target"
         "lxcfs.service"
-      ] ++ (lib.optional cfg.socketActivation "incus.socket");
+        "incus.socket"
+      ];
       requires = [
         "lxcfs.service"
-      ] ++ (lib.optional cfg.socketActivation "incus.socket");
+        "incus.socket"
+      ];
       wants = [
         "network-online.target"
       ];
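Review bot: `incus.socket` is now unconditionally required and ordered here, and the two following hunks drop the remaining `cfg.socketActivation` uses, but nothing visible in this diff removes or deprecates the `socketActivation` option itself; if it is still declared elsewhere in the module, setting it to false is now silently ignored. Either remove the option with `lib.mkRemovedOptionModule` (or a rename/deprecation) or document in its description that socket activation is always enabled, so users do not assume the option still has effect.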
@@ -183,7 +185,7 @@ in
       };
     };
 
-    systemd.sockets.incus = lib.mkIf cfg.socketActivation {
+    systemd.sockets.incus = {
       description = "Incus UNIX socket";
       wantedBy = [ "sockets.target" ];
 
@@ -191,7 +193,6 @@ in
         ListenStream = "/var/lib/incus/unix.socket";
         SocketMode = "0660";
         SocketGroup = "incus-admin";
-        Service = "incus.service";
       };
     };
 
diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix
index 885fb4e07853..e0d61b175494 100644
--- a/nixos/modules/virtualisation/lxd.nix
+++ b/nixos/modules/virtualisation/lxd.nix
@@ -214,16 +214,14 @@ in {
         LimitNPROC = "infinity";
         TasksMax = "infinity";
 
-        Restart = "on-failure";
-        TimeoutStartSec = "${cfg.startTimeout}s";
-        TimeoutStopSec = "30s";
-
         # By default, `lxd` loads configuration files from hard-coded
         # `/usr/share/lxc/config` - since this is a no-go for us, we have to
         # explicitly tell it where the actual configuration files are
         Environment = lib.mkIf (config.virtualisation.lxc.lxcfs.enable)
           "LXD_LXC_TEMPLATE_CONFIG=${pkgs.lxcfs}/share/lxc/config";
       };
+
+      unitConfig.ConditionPathExists = "!/var/lib/incus/.migrated-from-lxd";
     };
 
     systemd.services.lxd-preseed = lib.mkIf (cfg.preseed != null) {
diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix
index a4a40346f093..07ed08ab2f84 100644
--- a/nixos/modules/virtualisation/oci-containers.nix
+++ b/nixos/modules/virtualisation/oci-containers.nix
@@ -267,6 +267,7 @@ let
     };
   in {
     wantedBy = [] ++ optional (container.autoStart) "multi-user.target";
+    wants = lib.optional (container.imageFile == null)  "network-online.target";
     after = lib.optionals (cfg.backend == "docker") [ "docker.service" "docker.socket" ]
             # if imageFile is not set, the service needs the network to download the image from the registry
             ++ lib.optionals (container.imageFile == null) [ "network-online.target" ]
diff --git a/nixos/modules/virtualisation/podman/default.nix b/nixos/modules/virtualisation/podman/default.nix
index ec0b713e58b3..47382f9beab0 100644
--- a/nixos/modules/virtualisation/podman/default.nix
+++ b/nixos/modules/virtualisation/podman/default.nix
@@ -150,26 +150,33 @@ in
 
   };
 
-  config = lib.mkIf cfg.enable
-    {
+  config =
+    let
+      networkConfig = ({
+        dns_enabled = false;
+        driver = "bridge";
+        id = "0000000000000000000000000000000000000000000000000000000000000000";
+        internal = false;
+        ipam_options = { driver = "host-local"; };
+        ipv6_enabled = false;
+        name = "podman";
+        network_interface = "podman0";
+        subnets = [{ gateway = "10.88.0.1"; subnet = "10.88.0.0/16"; }];
+      } // cfg.defaultNetwork.settings);
+      inherit (networkConfig) dns_enabled network_interface;
+    in
+    lib.mkIf cfg.enable {
       environment.systemPackages = [ cfg.package ]
         ++ lib.optional cfg.dockerCompat dockerCompat;
 
       # https://github.com/containers/podman/blob/097cc6eb6dd8e598c0e8676d21267b4edb11e144/docs/tutorials/basic_networking.md#default-network
       environment.etc."containers/networks/podman.json" = lib.mkIf (cfg.defaultNetwork.settings != { }) {
-        source = json.generate "podman.json" ({
-          dns_enabled = false;
-          driver = "bridge";
-          id = "0000000000000000000000000000000000000000000000000000000000000000";
-          internal = false;
-          ipam_options = { driver = "host-local"; };
-          ipv6_enabled = false;
-          name = "podman";
-          network_interface = "podman0";
-          subnets = [{ gateway = "10.88.0.1"; subnet = "10.88.0.0/16"; }];
-        } // cfg.defaultNetwork.settings);
+        source = json.generate "podman.json" networkConfig;
       };
 
+      # containers cannot reach aardvark-dns otherwise
+      networking.firewall.interfaces.${network_interface}.allowedUDPPorts = lib.mkIf dns_enabled [ 53 ];
+
       virtualisation.containers = {
         enable = true; # Enable common /etc/containers configuration
         containersConf.settings = {
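Review bot: The new firewall rule opens only UDP 53 on `${network_interface}`; if the aardvark-dns version shipped with this podman package also answers over TCP (recent releases do, for responses that exceed the UDP size), container lookups that fall back to TCP would still be blocked, so a matching `allowedTCPPorts = lib.mkIf dns_enabled [ 53 ];` is worth considering. The comment above the rule should also say that the rule is intentionally scoped to the bridge interface rather than global, which is the property that keeps this from exposing the resolver to other interfaces. Note that `networkConfig` is evaluated and used for the firewall even when `cfg.defaultNetwork.settings == { }` and no `podman.json` is written; that is consistent only as long as the hard-coded defaults here mirror podman's built-in ones.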