Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/misc/ids.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/dashboard.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/desktops/flatpak.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitea.nix | 69 | ||||
-rw-r--r-- | nixos/modules/services/misc/home-assistant.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-daemon.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/cjdns.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/networking/wireguard.nix | 4 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces-scripted.nix | 2 | ||||
-rw-r--r-- | nixos/modules/tasks/scsi-link-power-management.nix | 26 |
11 files changed, 120 insertions, 18 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index cc7d86849824..bb97c707bf65 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -1,6 +1,14 @@ # This module defines the global list of uids and gids. We keep a # central list to prevent id collisions. +# IMPORTANT! +# We only add static uids and gids for services where it is not feasible +# to change uids/gids on service start, in example a service with a lot of +# files. Please also check if the service is applicable for systemd's +# DynamicUser option and does not need a uid/gid allocation at all. +# Systemd can also change ownership of service directories using the +# RuntimeDirectory/StateDirectory options. + { config, pkgs, lib, ... }: { diff --git a/nixos/modules/services/cluster/kubernetes/dashboard.nix b/nixos/modules/services/cluster/kubernetes/dashboard.nix index e331889b9dd5..d27389b6a1c7 100644 --- a/nixos/modules/services/cluster/kubernetes/dashboard.nix +++ b/nixos/modules/services/cluster/kubernetes/dashboard.nix @@ -70,7 +70,7 @@ in { resources = { limits = { cpu = "100m"; - memory = "50Mi"; + memory = "250Mi"; }; requests = { cpu = "100m"; diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix index 024dc65629a8..cfca1893bd82 100644 --- a/nixos/modules/services/desktops/flatpak.nix +++ b/nixos/modules/services/desktops/flatpak.nix @@ -40,12 +40,12 @@ in { systemd.packages = [ pkgs.flatpak pkgs.xdg-desktop-portal ] ++ cfg.extraPortals; - environment.variables = { - PATH = [ - "$HOME/.local/share/flatpak/exports/bin" - "/var/lib/flatpak/exports/bin" - ]; + environment.profiles = [ + "$HOME/.local/share/flatpak/exports" + "/var/lib/flatpak/exports" + ]; + environment.variables = { XDG_DESKTOP_PORTAL_PATH = map (p: "${p}/share/xdg-desktop-portal/portals") cfg.extraPortals; }; }; diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 63e976ae566c..2d0f66de037d 100644 
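Review bot: The new header comment in ids.nix reads `in example a service with a lot of files`; the intended phrase is `for example`, and the sentence is clearer as `e.g. a service that owns many files`. The guidance itself is good, but stating the rule positively makes it easier to apply when reviewing new entries: `Prefer systemd's DynamicUser (with RuntimeDirectory/StateDirectory for ownership) and only add a static uid/gid here when a service cannot be re-chowned at start.`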
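Review bot: Switching from explicit PATH entries to `environment.profiles` changes more than PATH: profile directories also populate XDG_DATA_DIRS and the other per-profile variables, so `$HOME/.local/share/flatpak/exports` and `/var/lib/flatpak/exports` are now searched for desktop files, icons and similar data, not only for binaries. That is presumably the intent (exported .desktop files become visible), but nothing in the hunk says so; a one-line comment such as `# Expose flatpak exports (bin/, share/applications, icons) through the profile mechanism` would record it. The user-writable `$HOME/...` entry was already on PATH before this change, so that is not new, but its position relative to the system profile now depends on how environment.profiles is ordered — worth confirming that it still comes after the system paths.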
--- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -4,6 +4,7 @@ with lib; let cfg = config.services.gitea; + gitea = cfg.package; pg = config.services.postgresql; usePostgresql = cfg.database.type == "postgres"; configFile = pkgs.writeText "app.ini" '' @@ -57,6 +58,13 @@ in description = "Enable Gitea Service."; }; + package = mkOption { + default = pkgs.gitea; + type = types.package; + defaultText = "pkgs.gitea"; + description = "gitea derivation to use"; + }; + useWizard = mkOption { default = false; type = types.bool; @@ -156,6 +164,30 @@ in }; }; + dump = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable a timer that runs gitea dump to generate backup-files of the + current gitea database and repositories. + ''; + }; + + interval = mkOption { + type = types.str; + default = "04:31"; + example = "hourly"; + description = '' + Run a gitea dump at this interval. Runs by default at 04:31 every day. + + The format is described in + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; + }; + appName = mkOption { type = types.str; default = "gitea: Gitea Service"; @@ -203,7 +235,7 @@ in staticRootPath = mkOption { type = types.str; - default = "${pkgs.gitea.data}"; + default = "${gitea.data}"; example = "/var/lib/gitea/data"; description = "Upper level of template and static files path."; }; @@ -223,7 +255,7 @@ in description = "gitea"; after = [ "network.target" "postgresql.service" ]; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.gitea.bin ]; + path = [ gitea.bin ]; preStart = let runConfig = "${cfg.stateDir}/custom/conf/app.ini"; 
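Review bot: The new `package` option's description `gitea derivation to use` is the only option text in this hunk without a capitalised sentence and trailing period (compare `Enable Gitea Service.` directly above it); `description = "Gitea derivation to use.";` matches the surrounding style. The `dump.interval` description is fine, though `example = "hourly";` with a default of `04:31` would read more consistently if the text said the default is a daily calendar time and that any systemd.time(7) expression is accepted.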
@@ -253,7 +285,7 @@ in HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 4 -type f -wholename "*git/hooks/*") if [ "$HOOKS" ] then - sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${pkgs.gitea.bin}/bin/gitea,g' $HOOKS + sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS @@ -261,7 +293,7 @@ in if [ ! -d ${cfg.stateDir}/conf/locale ] then mkdir -p ${cfg.stateDir}/conf - cp -r ${pkgs.gitea.out}/locale ${cfg.stateDir}/conf/locale + cp -r ${gitea.out}/locale ${cfg.stateDir}/conf/locale fi '' + optionalString (usePostgresql && cfg.database.createDatabase) '' if ! test -e "${cfg.stateDir}/db-created"; then @@ -288,7 +320,7 @@ in User = cfg.user; WorkingDirectory = cfg.stateDir; PermissionsStartOnly = true; - ExecStart = "${pkgs.gitea.bin}/bin/gitea web"; + ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; }; @@ -318,5 +350,32 @@ in name = "gitea-database-password"; text = cfg.database.password; }))); + + systemd.services.gitea-dump = { + description = "gitea dump"; + after = [ "gitea.service" ]; + wantedBy = [ "default.target" ]; + path = [ gitea.bin ]; + + environment = { + USER = cfg.user; + HOME = cfg.stateDir; + GITEA_WORK_DIR = cfg.stateDir; + }; + + serviceConfig = { + Type = "oneshot"; + User = cfg.user; + ExecStart = "${gitea.bin}/bin/gitea dump"; + WorkingDirectory = cfg.stateDir; + }; + }; + + systemd.timers.gitea-dump = { + description = "Update timer for gitea-dump"; + partOf = [ "gitea-dump.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = cfg.dump.interval; + }; }; } diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 1dc7b44ee37b..05555353f207 100644 --- a/nixos/modules/services/misc/home-assistant.nix 
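Review bot: `systemd.services.gitea-dump` and `systemd.timers.gitea-dump` in the last hunk are defined unconditionally, so the `dump.enable` option declared in the earlier @@ -156 hunk has no effect and every host with `services.gitea.enable` gets a scheduled dump; both should be gated, `systemd.services.gitea-dump = mkIf cfg.dump.enable {` and `systemd.timers.gitea-dump = mkIf cfg.dump.enable {`. The service also carries `wantedBy = [ "default.target" ];`, which starts a dump at every boot independently of the timer — the timer is already `wantedBy = [ "timers.target" ]`, so that line should be dropped. The archive is written into `WorkingDirectory = cfg.stateDir` and nothing rotates old dumps, so disk usage grows without bound; presumably the archive also contains the database dump, so its destination and permissions deserve at least a comment, if not an option. The enclosing `config = mkIf cfg.enable { ... }` attribute set starts outside the hunk.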
+++ b/nixos/modules/services/misc/home-assistant.nix @@ -128,9 +128,17 @@ in { you might need to specify it in <literal>extraPackages</literal>. ''; }; + + openFirewall = mkOption { + default = false; + type = types.bool; + description = "Whether to open the firewall for the specified port."; + }; }; config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + systemd.services.home-assistant = { description = "Home Assistant"; after = [ "network.target" ]; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 277ae9e292ce..8b940d71ebee 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -340,7 +340,7 @@ in default = [ "$HOME/.nix-defexpr/channels" - "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs" + "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" "nixos-config=/etc/nixos/configuration.nix" "/nix/var/nix/profiles/per-user/root/channels" ]; diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index 12c2677c3368..39b62bdc7094 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -260,7 +260,8 @@ in RestartSec = 1; CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID"; ProtectSystem = true; - MemoryDenyWriteExecute = true; + # Doesn't work on i686, causing service to fail + MemoryDenyWriteExecute = !pkgs.stdenv.isi686; ProtectHome = true; PrivateTmp = true; }; diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 857657eea4db..6f5e7d8d456e 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix 
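Review bot: `openFirewall` adds `cfg.port` to `networking.firewall.allowedTCPPorts`, which opens the port on every interface, and the description `Whether to open the firewall for the specified port.` does not say so. Suggest `Whether to open <option>port</option> in the firewall on all interfaces; use networking.firewall.interfaces.&lt;name&gt;.allowedTCPPorts to restrict it to a single interface.` so the scope of the exposure is visible in the option documentation.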
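Review bot: `MemoryDenyWriteExecute = !pkgs.stdenv.isi686;` in cjdns.nix removes the W^X hardening for all i686 hosts, and the comment `# Doesn't work on i686, causing service to fail` records the symptom but not the cause or a way back. A comment that names the reason and a tracking reference — `# MemoryDenyWriteExecute breaks cjdns on i686 (see <upstream issue: fill in>); re-enable once fixed` — makes it easier to revisit the exception instead of it becoming permanent.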
@@ -192,6 +192,7 @@ in security.apparmor.profiles = singleton (pkgs.writeText "apparmor-dnscrypt-proxy" '' ${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy { /dev/null rw, + /dev/random r, /dev/urandom r, /etc/passwd r, @@ -211,6 +212,9 @@ in ${getLib pkgs.gcc.cc}/lib/libssp.so.* mr, ${getLib pkgs.libsodium}/lib/libsodium.so.* mr, ${getLib pkgs.systemd}/lib/libsystemd.so.* mr, + ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so.* mr, + ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so.* mr, + ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so.* mr, ${getLib pkgs.xz}/lib/liblzma.so.* mr, ${getLib pkgs.libgcrypt}/lib/libgcrypt.so.* mr, ${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr, diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 0591917c7423..acb4778d8485 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -193,7 +193,7 @@ let after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; environment.DEVICE = name; - path = with pkgs; [ kmod iproute wireguard ]; + path = with pkgs; [ kmod iproute wireguard-tools ]; serviceConfig = { Type = "oneshot"; @@ -279,7 +279,7 @@ in config = mkIf (cfg.interfaces != {}) { boot.extraModulePackages = [ kernel.wireguard ]; - environment.systemPackages = [ pkgs.wireguard ]; + environment.systemPackages = [ pkgs.wireguard-tools ]; systemd.services = mapAttrs' generateUnit cfg.interfaces; diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index e754a1e8718d..c4a2bd1f75fd 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix 
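Review bot: The three `libmount`/`libblkid`/`libuuid` `mr` rules in the second dnscrypt-proxy hunk widen the AppArmor profile without a comment saying why dnscrypt-proxy needs them; if they are pulled in transitively through the `libsystemd.so` rule directly above, a comment such as `# transitive dependencies of libsystemd` next to them keeps the profile auditable. The `/dev/random r,` line in the first hunk is read-only and harmless, but the same applies: a short note on which code path reads it helps whoever trims the profile later. Both hunks sit inside the `security.apparmor.profiles` string that begins before the first hunk.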
@@ -209,7 +209,7 @@ let '' echo "${cidr}" >> $state echo -n "adding route ${cidr}... " - if out=$(ip route add "${cidr}" ${options} ${via} dev "${i.name}" 2>&1); then + if out=$(ip route add "${cidr}" ${options} ${via} dev "${i.name}" proto static 2>&1); then echo "done" elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then echo "'ip route add "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out" diff --git a/nixos/modules/tasks/scsi-link-power-management.nix b/nixos/modules/tasks/scsi-link-power-management.nix index 484c0a0186d7..69599bda6d32 100644 --- a/nixos/modules/tasks/scsi-link-power-management.nix +++ b/nixos/modules/tasks/scsi-link-power-management.nix @@ -2,7 +2,20 @@ with lib; -let cfg = config.powerManagement.scsiLinkPolicy; in +let + + cfg = config.powerManagement.scsiLinkPolicy; + + kernel = config.boot.kernelPackages.kernel; + + allowedValues = [ + "min_power" + "max_performance" + "medium_power" + "med_power_with_dipm" + ]; + +in { ###### interface @@ -11,10 +24,13 @@ let cfg = config.powerManagement.scsiLinkPolicy; in powerManagement.scsiLinkPolicy = mkOption { default = null; - type = types.nullOr (types.enum [ "min_power" "max_performance" "medium_power" ]); + type = types.nullOr (types.enum allowedValues); description = '' SCSI link power management policy. The kernel default is "max_performance". + </para><para> + "med_power_with_dipm" is supported by kernel versions + 4.15 and newer. ''; }; @@ -24,6 +40,12 @@ let cfg = config.powerManagement.scsiLinkPolicy; in ###### implementation config = mkIf (cfg != null) { + + assertions = singleton { + assertion = (cfg == "med_power_with_dipm") -> versionAtLeast kernel.version "4.15"; + message = "med_power_with_dipm is not supported for kernels older than 4.15"; + }; + services.udev.extraRules = '' SUBSYSTEM=="scsi_host", ACTION=="add", KERNEL=="host*", ATTR{link_power_management_policy}="${cfg}" ''; |
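Review bot: The executed command now includes `proto static`, but the failure message two lines below still prints `'ip route add "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out`, so the logged command no longer matches what ran. Update it to `echo "'ip route add "${cidr}" ${options} ${via} dev "${i.name}" proto static' failed: $out"`. The generated shell snippet this belongs to starts and ends outside the hunk.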