Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/development/option-types.section.md2
-rw-r--r--nixos/doc/manual/release-notes/rl-2311.section.md4
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/programs/wayland/sway.nix13
-rw-r--r--nixos/modules/security/wrappers/wrapper.nix1
-rw-r--r--nixos/modules/services/databases/postgresql.nix2
-rw-r--r--nixos/modules/services/matrix/synapse.nix2
-rw-r--r--nixos/modules/services/networking/connman.nix69
-rw-r--r--nixos/modules/services/networking/netclient.nix27
-rw-r--r--nixos/modules/services/networking/tinyproxy.nix103
-rw-r--r--nixos/modules/virtualisation/oci-containers.nix12
-rw-r--r--nixos/tests/all-tests.nix4
-rw-r--r--nixos/tests/pantheon.nix18
-rw-r--r--nixos/tests/tinyproxy.nix20
14 files changed, 234 insertions, 45 deletions
diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md
index 44bb3b4782e1..2ad3d6c4f949 100644
--- a/nixos/doc/manual/development/option-types.section.md
+++ b/nixos/doc/manual/development/option-types.section.md
@@ -528,7 +528,7 @@ The only required parameter is `name`.
 
 :   A string representation of the type function name.
 
-`definition`
+`description`
 
 :   Description of the type used in documentation. Give information of
     the type and any of its arguments.
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index 3d9ff866242e..55f8627804d4 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -91,6 +91,8 @@
 
 - [ZITADEL](https://zitadel.com), a turnkey identity and access management platform. Available as [services.zitadel](#opt-services.zitadel.enable).
 
+- [netclient](https://github.com/gravitl/netclient), an automated WireGuard® Management Client. Available as [services.netclient](#opt-services.netclient.enable).
+
 ## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
 
 - `network-online.target` has been fixed to no longer time out for systems with `networking.useDHCP = true` and `networking.useNetworkd = true`.
@@ -183,6 +185,8 @@
 
 - `odoo` now defaults to 16, updated from 15.
 
+- `varnish` was upgraded from 7.2.x to 7.4.x, see https://varnish-cache.org/docs/7.3/whats-new/upgrading-7.3.html and https://varnish-cache.org/docs/7.4/whats-new/upgrading-7.4.html for upgrade notes. The current LTS version is still offered as `varnish60`.
+
 - `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities.
 
 - `services.keyd` changed API. Now you can create multiple configuration files.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 811b82f28ce1..3e814300f19f 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -985,6 +985,7 @@
   ./services/networking/ndppd.nix
   ./services/networking/nebula.nix
   ./services/networking/netbird.nix
+  ./services/networking/netclient.nix
   ./services/networking/networkd-dispatcher.nix
   ./services/networking/networkmanager.nix
   ./services/networking/nextdns.nix
@@ -1082,6 +1083,7 @@
   ./services/networking/thelounge.nix
   ./services/networking/tinc.nix
   ./services/networking/tinydns.nix
+  ./services/networking/tinyproxy.nix
   ./services/networking/tmate-ssh-server.nix
   ./services/networking/tox-bootstrapd.nix
   ./services/networking/tox-node.nix
diff --git a/nixos/modules/programs/wayland/sway.nix b/nixos/modules/programs/wayland/sway.nix
index 698d9c2b46c4..de739faabee9 100644
--- a/nixos/modules/programs/wayland/sway.nix
+++ b/nixos/modules/programs/wayland/sway.nix
@@ -42,6 +42,11 @@ in {
       <https://github.com/swaywm/sway/wiki> and
       "man 5 sway" for more information'');
 
+    enableRealtime = mkEnableOption (lib.mdDoc ''
+      add CAP_SYS_NICE capability on `sway` binary for realtime scheduling
+      privileges. This may improve latency and reduce stuttering, specially in
+      high load scenarios'') // { default = true; };
+
     package = mkOption {
       type = with types; nullOr package;
       default = defaultSwayPackage;
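Review bot: `enableRealtime` defaults to true, so every system that enables Sway gets a capability-bearing wrapper with `cap_sys_nice+ep` (declared in the second sway.nix hunk) that any local user able to execute the wrapper can invoke; the option description should state this and the default deserves a sentence explaining why opt-out was chosen over opt-in. The description also reads `specially` where `especially` is meant. Suggested description text: "add CAP_SYS_NICE capability on the `sway` binary for realtime scheduling privileges. This installs a capability-bearing wrapper in the security.wrappers directory, executable by all local users; it may improve latency and reduce stuttering, especially in high load scenarios". The enclosing options set continues outside the hunk.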
@@ -149,6 +154,14 @@ in {
             "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config";
           };
         };
+        security.wrappers = mkIf (cfg.enableRealtime && cfg.package != null) {
+          sway = {
+            owner = "root";
+            group = "root";
+            source = "${cfg.package}/bin/sway";
+            capabilities = "cap_sys_nice+ep";
+          };
+        };
         # To make a Sway session available if a display manager like SDDM is enabled:
         services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; }
       (import ./wayland-session.nix { inherit lib pkgs; })
diff --git a/nixos/modules/security/wrappers/wrapper.nix b/nixos/modules/security/wrappers/wrapper.nix
index da2fca98d5c5..27d46c630af5 100644
--- a/nixos/modules/security/wrappers/wrapper.nix
+++ b/nixos/modules/security/wrappers/wrapper.nix
@@ -5,7 +5,6 @@ stdenv.mkDerivation {
   name = "security-wrapper";
   buildInputs = [ linuxHeaders ];
   dontUnpack = true;
-  hardeningEnable = [ "pie" ];
   CFLAGS = [
     ''-DSOURCE_PROG="${sourceProg}"''
   ] ++ (if debug then [
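Review bot: Removing `hardeningEnable = [ "pie" ]` changes the hardening flags of the setuid/setcap wrapper binary without any justification in the commit. If the stdenv default hardening set on this platform already includes `pie`, the line was redundant and the removal is a no-op; if it does not, the wrapper's main executable loses position independence and therefore ASLR, which matters most for exactly this privileged binary. A one-line comment recording which case applies, e.g. `# pie is part of the default hardening flags; no need to request it explicitly`, would keep a later reader from re-adding or questioning it. The mkDerivation attribute set continues outside the hunk.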
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 7b30360590ec..7a4fa708eadf 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -106,7 +106,7 @@ in
       identMap = mkOption {
         type = types.lines;
         default = "";
-        example = literalExample ''
+        example = ''
           map-name-0 system-username-0 database-username-0
           map-name-1 system-username-1 database-username-1
         '';
diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix
index 1fb89ec4b24f..e627c34cfac4 100644
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@@ -1057,7 +1057,7 @@ in {
             ProtectKernelTunables = true;
             ProtectProc = "invisible";
             ProtectSystem = "strict";
-            ReadWritePaths = [ cfg.dataDir ];
+            ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ];
             RemoveIPC = true;
             RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
             RestrictNamespaces = true;
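Review bot: Adding `cfg.settings.media_store_path` to `ReadWritePaths` makes unit start-up depend on that directory already existing, because systemd treats a missing, unprefixed entry as a hard error when it sets up the `ProtectSystem = "strict"` sandbox. If nothing else in the module creates the directory before `ExecStart` (tmpfiles rule, StateDirectory, or a preStart step), a fresh deployment that points it at a not-yet-created location fails on first start; prefixing the entry, `ReadWritePaths = [ cfg.dataDir "-${cfg.settings.media_store_path}" ];`, lets systemd ignore a missing path, or the directory should be ensured beforehand. Presumably `media_store_path` defaults to a subdirectory of `dataDir`, in which case the explicit entry is redundant but harmless and only matters when a user relocates media to a separate volume; worth confirming against the option's default. The serviceConfig block continues outside the hunk.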
diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix
index 498991419579..c626945ccd0c 100644
--- a/nixos/modules/services/networking/connman.nix
+++ b/nixos/modules/services/networking/connman.nix
@@ -1,55 +1,59 @@
 { config, lib, pkgs, ... }:
 
-with pkgs;
-with lib;
-
 let
   cfg = config.services.connman;
   configFile = pkgs.writeText "connman.conf" ''
     [General]
-    NetworkInterfaceBlacklist=${concatStringsSep "," cfg.networkInterfaceBlacklist}
+    NetworkInterfaceBlacklist=${lib.concatStringsSep "," cfg.networkInterfaceBlacklist}
 
     ${cfg.extraConfig}
   '';
   enableIwd = cfg.wifi.backend == "iwd";
 in {
+  meta.maintainers = with lib.maintainers; [ AndersonTorres ];
 
   imports = [
-    (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ])
+    (lib.mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ])
   ];
 
   ###### interface
 
   options = {
-
     services.connman = {
-
-      enable = mkOption {
-        type = types.bool;
+      enable = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = lib.mdDoc ''
           Whether to use ConnMan for managing your network connections.
         '';
       };
 
-      enableVPN = mkOption {
-        type = types.bool;
+      package = lib.mkOption {
+        type = lib.types.package;
+        description = lib.mdDoc "The connman package / build flavor";
+        default = pkgs.connman;
+        defaultText = lib.literalExpression "pkgs.connman";
+        example = lib.literalExpression "pkgs.connmanFull";
+      };
+
+      enableVPN = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = lib.mdDoc ''
           Whether to enable ConnMan VPN service.
         '';
       };
 
-      extraConfig = mkOption {
-        type = types.lines;
+      extraConfig = lib.mkOption {
+        type = lib.types.lines;
         default = "";
         description = lib.mdDoc ''
           Configuration lines appended to the generated connman configuration file.
         '';
       };
 
-      networkInterfaceBlacklist = mkOption {
-        type = with types; listOf str;
+      networkInterfaceBlacklist = lib.mkOption {
+        type = with lib.types; listOf str;
         default = [ "vmnet" "vboxnet" "virbr" "ifb" "ve" ];
         description = lib.mdDoc ''
           Default blacklisted interfaces, this includes NixOS containers interfaces (ve).
@@ -57,8 +61,8 @@ in {
       };
 
       wifi = {
-        backend = mkOption {
-          type = types.enum [ "wpa_supplicant" "iwd" ];
+        backend = lib.mkOption {
+          type = lib.types.enum [ "wpa_supplicant" "iwd" ];
           default = "wpa_supplicant";
           description = lib.mdDoc ''
             Specify the Wi-Fi backend used.
@@ -67,31 +71,20 @@ in {
         };
       };
 
-      extraFlags = mkOption {
-        type = with types; listOf str;
+      extraFlags = lib.mkOption {
+        type = with lib.types; listOf str;
         default = [ ];
         example = [ "--nodnsproxy" ];
         description = lib.mdDoc ''
           Extra flags to pass to connmand
         '';
       };
-
-      package = mkOption {
-        type = types.package;
-        description = lib.mdDoc "The connman package / build flavor";
-        default = connman;
-        defaultText = literalExpression "pkgs.connman";
-        example = literalExpression "pkgs.connmanFull";
-      };
-
     };
-
   };
 
   ###### implementation
 
-  config = mkIf cfg.enable {
-
+  config = lib.mkIf cfg.enable {
     assertions = [{
       assertion = !config.networking.useDHCP;
       message = "You can not use services.connman with networking.useDHCP";
@@ -107,8 +100,8 @@ in {
     systemd.services.connman = {
       description = "Connection service";
       wantedBy = [ "multi-user.target" ];
-      after = [ "syslog.target" ] ++ optional enableIwd "iwd.service";
-      requires = optional enableIwd "iwd.service";
+      after = [ "syslog.target" ] ++ lib.optional enableIwd "iwd.service";
+      requires = lib.optional enableIwd "iwd.service";
       serviceConfig = {
         Type = "dbus";
         BusName = "net.connman";
@@ -117,13 +110,13 @@ in {
           "${cfg.package}/sbin/connmand"
           "--config=${configFile}"
           "--nodaemon"
-        ] ++ optional enableIwd "--wifi=iwd_agent"
+        ] ++ lib.optional enableIwd "--wifi=iwd_agent"
           ++ cfg.extraFlags);
         StandardOutput = "null";
       };
     };
 
-    systemd.services.connman-vpn = mkIf cfg.enableVPN {
+    systemd.services.connman-vpn = lib.mkIf cfg.enableVPN {
       description = "ConnMan VPN service";
       wantedBy = [ "multi-user.target" ];
       after = [ "syslog.target" ];
@@ -136,7 +129,7 @@ in {
       };
     };
 
-    systemd.services.net-connman-vpn = mkIf cfg.enableVPN {
+    systemd.services.net-connman-vpn = lib.mkIf cfg.enableVPN {
       description = "D-BUS Service";
       serviceConfig = {
         Name = "net.connman.vpn";
@@ -150,9 +143,9 @@ in {
     networking = {
       useDHCP = false;
       wireless = {
-        enable = mkIf (!enableIwd) true;
+        enable = lib.mkIf (!enableIwd) true;
         dbusControlled = true;
-        iwd = mkIf enableIwd {
+        iwd = lib.mkIf enableIwd {
           enable = true;
         };
       };
diff --git a/nixos/modules/services/networking/netclient.nix b/nixos/modules/services/networking/netclient.nix
new file mode 100644
index 000000000000..124735fd716a
--- /dev/null
+++ b/nixos/modules/services/networking/netclient.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.netclient;
+in
+{
+  meta.maintainers = with lib.maintainers; [ wexder ];
+
+  options.services.netclient = {
+    enable = lib.mkEnableOption (lib.mdDoc "Netclient Daemon");
+    package = lib.mkPackageOptionMD pkgs "netclient" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    systemd.services.netclient = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      description = "Netclient Daemon";
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${lib.getExe cfg.package} daemon";
+        Restart = "on-failure";
+        RestartSec = "15s";
+      };
+    };
+  };
+}
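Review bot: `after = [ "network-online.target" ]` only orders the unit and does not activate the target, so on a system where nothing else wants it the daemon can start before the network is up; add `wants = [ "network-online.target" ];` next to it. The unit also runs as root with no `serviceConfig` sandboxing at all, which is presumably required because the client manages WireGuard interfaces, but that choice should be recorded, e.g. `# runs as root: the daemon creates and configures WireGuard interfaces — TODO confirm whether CAP_NET_ADMIN via AmbientCapabilities would suffice`, so a later hardening pass does not have to rediscover it.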
diff --git a/nixos/modules/services/networking/tinyproxy.nix b/nixos/modules/services/networking/tinyproxy.nix
new file mode 100644
index 000000000000..9bcd8bfd814b
--- /dev/null
+++ b/nixos/modules/services/networking/tinyproxy.nix
@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.tinyproxy;
+  mkValueStringTinyproxy = with lib; v:
+        if true  ==         v then "yes"
+        else if false ==    v then "no"
+        else generators.mkValueStringDefault {} v;
+  mkKeyValueTinyproxy = {
+    mkValueString ? mkValueStringDefault {}
+  }: sep: k: v:
+    if null     ==  v then ""
+    else "${lib.strings.escape [sep] k}${sep}${mkValueString v}";
+
+  settingsFormat = (pkgs.formats.keyValue {
+      mkKeyValue = mkKeyValueTinyproxy {
+        mkValueString = mkValueStringTinyproxy;
+      } " ";
+      listsAsDuplicateKeys= true;
+  });
+  configFile = settingsFormat.generate "tinyproxy.conf" cfg.settings;
+
+in
+{
+
+  options = {
+    services.tinyproxy = {
+      enable = mkEnableOption (lib.mdDoc "Tinyproxy daemon");
+      package = mkPackageOptionMD pkgs "tinyproxy" {};
+      settings = mkOption {
+        description = lib.mdDoc "Configuration for [tinyproxy](https://tinyproxy.github.io/).";
+        default = { };
+        example = literalExpression ''{
+          Port 8888;
+          Listen 127.0.0.1;
+          Timeout 600;
+          Allow 127.0.0.1;
+          Anonymous = ['"Host"' '"Authorization"'];
+          ReversePath = '"/example/" "http://www.example.com/"';
+        }'';
+        type = types.submodule ({name, ...}: {
+          freeformType = settingsFormat.type;
+          options = {
+            Listen = mkOption {
+              type = types.str;
+              default = "127.0.0.1";
+              description = lib.mdDoc ''
+              Specify which address to listen to.
+              '';
+            };
+            Port = mkOption {
+              type = types.int;
+              default = 8888;
+              description = lib.mdDoc ''
+              Specify which port to listen to.
+              '';
+            };
+            Anonymous = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = lib.mdDoc ''
+              If an `Anonymous` keyword is present, then anonymous proxying is enabled. The headers listed with `Anonymous` are allowed through, while all others are denied. If no Anonymous keyword is present, then all headers are allowed through. You must include quotes around the headers.
+              '';
+            };
+            Filter = mkOption {
+              type = types.nullOr types.path;
+              default = null;
+              description = lib.mdDoc ''
+              Tinyproxy supports filtering of web sites based on URLs or domains. This option specifies the location of the file containing the filter rules, one rule per line.
+              '';
+            };
+          };
+        });
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.tinyproxy = {
+      description = "TinyProxy daemon";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User = "tinyproxy";
+        Group = "tinyproxy";
+        Type = "simple";
+        ExecStart = "${getExe pkgs.tinyproxy} -d -c ${configFile}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+        KillSignal = "SIGINT";
+        TimeoutStopSec = "30s";
+        Restart = "on-failure";
+      };
+    };
+
+    users.users.tinyproxy = {
+        group = "tinyproxy";
+        isSystemUser = true;
+    };
+    users.groups.tinyproxy = {};
+  };
+  meta.maintainers = with maintainers; [ tcheronneau ];
+}
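Review bot: `ExecStart` launches `pkgs.tinyproxy` instead of `cfg.package`, so the `package` option declared above is silently ignored; it should read `ExecStart = "${getExe cfg.package} -d -c ${configFile}";`. The `example` for `settings` is not valid Nix (`Port 8888;` lacks `=`, and `'"Host"'` is not a string literal, so it does not match the declared `listOf str` type); rewrite it as an attribute set such as `{ Port = 8888; Listen = "127.0.0.1"; Timeout = 600; Allow = "127.0.0.1"; Anonymous = [ "\"Host\"" "\"Authorization\"" ]; ReversePath = "\"/example/\" \"http://www.example.com/\""; }`. Running as a dedicated unprivileged user is the right default; since this is a network-facing proxy, the usual systemd sandboxing used elsewhere in this tree (`ProtectSystem = "strict"`, `PrivateTmp`, `NoNewPrivileges`, `ProtectHome`) would be a cheap addition, and the `Listen` default of `127.0.0.1` should be called out in the option description as the reason the module does not expose the proxy by default.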
diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix
index a9f4ab77f866..71f5d7a752c8 100644
--- a/nixos/modules/virtualisation/oci-containers.nix
+++ b/nixos/modules/virtualisation/oci-containers.nix
@@ -66,6 +66,17 @@ let
           '';
         };
 
+        labels = mkOption {
+          type = with types; attrsOf str;
+          default = {};
+          description = lib.mdDoc "Labels to attach to the container at runtime.";
+          example = literalExpression ''
+            {
+              "traefik.https.routers.example.rule" = "Host(`example.container`)";
+            }
+          '';
+        };
+
         entrypoint = mkOption {
           type = with types; nullOr str;
           description = lib.mdDoc "Override the default entrypoint of the image.";
@@ -277,6 +288,7 @@ let
       ++ map (p: "-p ${escapeShellArg p}") container.ports
       ++ optional (container.user != null) "-u ${escapeShellArg container.user}"
       ++ map (v: "-v ${escapeShellArg v}") container.volumes
+      ++ (mapAttrsToList (k: v: "-l ${escapeShellArg k}=${escapeShellArg v}") container.labels)
       ++ optional (container.workdir != null) "-w ${escapeShellArg container.workdir}"
       ++ map escapeShellArg container.extraOptions
       ++ [container.image]
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index da788cc159c8..3f19ed548121 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -819,6 +819,7 @@ in {
   timezone = handleTest ./timezone.nix {};
   tinc = handleTest ./tinc {};
   tinydns = handleTest ./tinydns.nix {};
+  tinyproxy = handleTest ./tinyproxy.nix {};
   tinywl = handleTest ./tinywl.nix {};
   tmate-ssh-server = handleTest ./tmate-ssh-server.nix { };
   tomcat = handleTest ./tomcat.nix {};
@@ -855,8 +856,7 @@ in {
   uwsgi = handleTest ./uwsgi.nix {};
   v2ray = handleTest ./v2ray.nix {};
   varnish60 = handleTest ./varnish.nix { package = pkgs.varnish60; };
-  varnish72 = handleTest ./varnish.nix { package = pkgs.varnish72; };
-  varnish73 = handleTest ./varnish.nix { package = pkgs.varnish73; };
+  varnish74 = handleTest ./varnish.nix { package = pkgs.varnish74; };
   vault = handleTest ./vault.nix {};
   vault-agent = handleTest ./vault-agent.nix {};
   vault-dev = handleTest ./vault-dev.nix {};
diff --git a/nixos/tests/pantheon.nix b/nixos/tests/pantheon.nix
index dee6964644c5..be1351283d99 100644
--- a/nixos/tests/pantheon.nix
+++ b/nixos/tests/pantheon.nix
@@ -50,6 +50,20 @@ import ./make-test-python.nix ({ pkgs, lib, ...} :
         machine.wait_for_window("io.elementary.wingpanel")
         machine.wait_until_succeeds("pgrep plank")
         machine.wait_for_window("plank")
+        machine.wait_until_succeeds("pgrep -f gsd-media-keys")
+        machine.wait_for_unit("bamfdaemon.service", "${user.name}")
+        machine.wait_for_unit("io.elementary.files.xdg-desktop-portal.service", "${user.name}")
+
+    with subtest("Open elementary videos"):
+        machine.execute("su - ${user.name} -c 'DISPLAY=:0 io.elementary.videos >&2 &'")
+        machine.sleep(2)
+        machine.wait_for_window("io.elementary.videos")
+        machine.wait_for_text("No Videos Open")
+
+    with subtest("Open elementary calendar"):
+        machine.execute("su - ${user.name} -c 'DISPLAY=:0 io.elementary.calendar >&2 &'")
+        machine.sleep(2)
+        machine.wait_for_window("io.elementary.calendar")
 
     with subtest("Open system settings"):
         machine.execute("su - ${user.name} -c 'DISPLAY=:0 io.elementary.switchboard >&2 &'")
@@ -63,7 +77,9 @@ import ./make-test-python.nix ({ pkgs, lib, ...} :
 
     with subtest("Check if gala has ever coredumped"):
         machine.fail("coredumpctl --json=short | grep gala")
-        machine.sleep(20)
+        # So you can see the dock in the below screenshot.
+        machine.succeed("su - ${user.name} -c 'DISPLAY=:0 xdotool mousemove 450 1000 >&2 &'")
+        machine.sleep(10)
         machine.screenshot("screen")
   '';
 })
diff --git a/nixos/tests/tinyproxy.nix b/nixos/tests/tinyproxy.nix
new file mode 100644
index 000000000000..b8448d4c23b6
--- /dev/null
+++ b/nixos/tests/tinyproxy.nix
@@ -0,0 +1,20 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "tinyproxy";
+
+  nodes.machine = { config, pkgs, ... }: {
+    services.tinyproxy = {
+      enable = true;
+      settings = {
+        Listen = "127.0.0.1";
+        Port = 8080;
+      };
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("tinyproxy.service")
+    machine.wait_for_open_port(8080)
+
+    machine.succeed('curl -s http://localhost:8080 |grep -i tinyproxy')
+  '';
+})