diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/misc')
8 files changed, 227 insertions, 68 deletions
diff --git a/nixpkgs/nixos/modules/services/misc/anki-sync-server.md b/nixpkgs/nixos/modules/services/misc/anki-sync-server.md index 5d2b4da4d2fc..f58d3d8ad0da 100644 --- a/nixpkgs/nixos/modules/services/misc/anki-sync-server.md +++ b/nixpkgs/nixos/modules/services/misc/anki-sync-server.md @@ -16,7 +16,7 @@ unit which runs the sync server with an isolated user using the systemd `DynamicUser` option. This can be done by enabling the `anki-sync-server` service: -``` +```nix { ... }: { @@ -27,7 +27,7 @@ This can be done by enabling the `anki-sync-server` service: It is necessary to set at least one username-password pair under {option}`services.anki-sync-server.users`. For example -``` +```nix { services.anki-sync-server.users = [ { @@ -50,7 +50,7 @@ you want to expose the sync server directly to other computers (not recommended in most circumstances, because the sync server doesn't use HTTPS), then set the following options: -``` +```nix { services.anki-sync-server.host = "0.0.0.0"; services.anki-sync-server.openFirewall = true; diff --git a/nixpkgs/nixos/modules/services/misc/forgejo.md b/nixpkgs/nixos/modules/services/misc/forgejo.md index 14b21933e6b0..f234ebf44aef 100644 --- a/nixpkgs/nixos/modules/services/misc/forgejo.md +++ b/nixpkgs/nixos/modules/services/misc/forgejo.md @@ -57,23 +57,25 @@ locations and database, instead of having to copy or rename them. Make sure to disable `services.gitea`, when doing this. ```nix -services.gitea.enable = false; - -services.forgejo = { - enable = true; - user = "gitea"; - group = "gitea"; - stateDir = "/var/lib/gitea"; - database.name = "gitea"; - database.user = "gitea"; -}; - -users.users.gitea = { - home = "/var/lib/gitea"; - useDefaultShell = true; - group = "gitea"; - isSystemUser = true; -}; - -users.groups.gitea = {}; +{ + services.gitea.enable = false; + + services.forgejo = { + enable = true; + user = "gitea"; + group = "gitea"; + stateDir = "/var/lib/gitea"; + database.name = "gitea"; + database.user = "gitea"; + }; + + users.users.gitea = { + home = "/var/lib/gitea"; + useDefaultShell = true; + group = "gitea"; + isSystemUser = true; + }; + + users.groups.gitea = {}; +} ``` diff --git a/nixpkgs/nixos/modules/services/misc/gitlab.md b/nixpkgs/nixos/modules/services/misc/gitlab.md index 916b23584ed0..f7a5a8027489 100644 --- a/nixpkgs/nixos/modules/services/misc/gitlab.md +++ b/nixpkgs/nixos/modules/services/misc/gitlab.md @@ -10,19 +10,21 @@ configure a webserver to proxy HTTP requests to the socket. For instance, the following configuration could be used to use nginx as frontend proxy: -``` -services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts."git.example.com" = { - enableACME = true; - forceSSL = true; - locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; +```nix +{ + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts."git.example.com" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; + }; }; -}; +} ``` ## Configuring {#module-services-gitlab-configuring} @@ -35,36 +37,38 @@ The default state dir is `/var/gitlab/state`. This is where all data like the repositories and uploads will be stored. A basic configuration with some custom settings could look like this: -``` -services.gitlab = { - enable = true; - databasePasswordFile = "/var/keys/gitlab/db_password"; - initialRootPasswordFile = "/var/keys/gitlab/root_password"; - https = true; - host = "git.example.com"; - port = 443; - user = "git"; - group = "git"; - smtp = { +```nix +{ + services.gitlab = { enable = true; - address = "localhost"; - port = 25; - }; - secrets = { - dbFile = "/var/keys/gitlab/db"; - secretFile = "/var/keys/gitlab/secret"; - otpFile = "/var/keys/gitlab/otp"; - jwsFile = "/var/keys/gitlab/jws"; - }; - extraConfig = { - gitlab = { - email_from = "gitlab-no-reply@example.com"; - email_display_name = "Example GitLab"; - email_reply_to = "gitlab-no-reply@example.com"; - default_projects_features = { builds = false; }; + databasePasswordFile = "/var/keys/gitlab/db_password"; + initialRootPasswordFile = "/var/keys/gitlab/root_password"; + https = true; + host = "git.example.com"; + port = 443; + user = "git"; + group = "git"; + smtp = { + enable = true; + address = "localhost"; + port = 25; + }; + secrets = { + dbFile = "/var/keys/gitlab/db"; + secretFile = "/var/keys/gitlab/secret"; + otpFile = "/var/keys/gitlab/otp"; + jwsFile = "/var/keys/gitlab/jws"; + }; + extraConfig = { + gitlab = { + email_from = "gitlab-no-reply@example.com"; + email_display_name = "Example GitLab"; + email_reply_to = "gitlab-no-reply@example.com"; + default_projects_features = { builds = false; }; + }; }; }; -}; +} ``` If you're setting up a new GitLab instance, generate new diff --git a/nixpkgs/nixos/modules/services/misc/mollysocket.nix b/nixpkgs/nixos/modules/services/misc/mollysocket.nix new file mode 100644 index 000000000000..f40caa4a782e --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/mollysocket.nix @@ -0,0 +1,133 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) getExe mkIf mkOption mkEnableOption optionals types; + + cfg = config.services.mollysocket; + configuration = format.generate "mollysocket.conf" cfg.settings; + format = pkgs.formats.toml { }; + package = pkgs.writeShellScriptBin "mollysocket" '' + MOLLY_CONF=${configuration} exec ${getExe pkgs.mollysocket} "$@" + ''; +in { + options.services.mollysocket = { + enable = mkEnableOption '' + [MollySocket](https://github.com/mollyim/mollysocket) for getting Signal + notifications via UnifiedPush + ''; + + settings = mkOption { + default = { }; + description = '' + Configuration for MollySocket. Available options are listed + [here](https://github.com/mollyim/mollysocket#configuration). + ''; + type = types.submodule { + freeformType = format.type; + options = { + host = mkOption { + default = "127.0.0.1"; + description = "Listening address of the web server"; + type = types.str; + }; + + port = mkOption { + default = 8020; + description = "Listening port of the web server"; + type = types.port; + }; + + allowed_endpoints = mkOption { + default = [ "*" ]; + description = "List of UnifiedPush servers"; + example = [ "https://ntfy.sh" ]; + type = with types; listOf str; + }; + + allowed_uuids = mkOption { + default = [ "*" ]; + description = "UUIDs of Signal accounts that may use this server"; + example = [ "abcdef-12345-tuxyz-67890" ]; + type = with types; listOf str; + }; + }; + }; + }; + + environmentFile = mkOption { + default = null; + description = '' + Environment file (see {manpage}`systemd.exec(5)` "EnvironmentFile=" + section for the syntax) passed to the service. This option can be + used to safely include secrets in the configuration. + ''; + example = "/run/secrets/mollysocket"; + type = with types; nullOr path; + }; + + logLevel = mkOption { + default = "info"; + description = "Set the {env}`RUST_LOG` environment variable"; + example = "debug"; + type = types.str; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ + package + ]; + + # see https://github.com/mollyim/mollysocket/blob/main/mollysocket.service + systemd.services.mollysocket = { + description = "MollySocket"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + environment.RUST_LOG = cfg.logLevel; + serviceConfig = let + capabilities = [ "" ] ++ optionals (cfg.settings.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; + in { + EnvironmentFile = cfg.environmentFile; + ExecStart = "${getExe package} server"; + KillSignal = "SIGINT"; + Restart = "on-failure"; + StateDirectory = "mollysocket"; + TimeoutStopSec = 5; + WorkingDirectory = "/var/lib/mollysocket"; + + # hardening + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + DevicePolicy = "closed"; + DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; + UMask = "0077"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ dotlambda ]; +} diff --git a/nixpkgs/nixos/modules/services/misc/paperless.nix b/nixpkgs/nixos/modules/services/misc/paperless.nix index 9314c4f3848d..9301d1f68725 100644 --- a/nixpkgs/nixos/modules/services/misc/paperless.nix +++ b/nixpkgs/nixos/modules/services/misc/paperless.nix @@ -27,6 +27,8 @@ let name = "paperless_ngx_nltk_data"; paths = pkg.nltkData; }; + } // optionalAttrs (cfg.openMPThreadingWorkaround) { + OMP_NUM_THREADS = "1"; } // (lib.mapAttrs (_: s: if (lib.isAttrs s || lib.isList s) then builtins.toJSON s else if lib.isBool s then lib.boolToString s @@ -199,6 +201,20 @@ in }; package = mkPackageOption pkgs "paperless-ngx" { }; + + openMPThreadingWorkaround = mkEnableOption '' + a workaround for document classifier timeouts. + + Paperless uses OpenBLAS via scikit-learn for document classification. + + The default is to use threading for OpenMP but this would cause the + document classifier to spin on one core seemingly indefinitely if there + are large amounts of classes per classification; causing it to + effectively never complete due to running into timeouts. + + This sets `OMP_NUM_THREADS` to `1` in order to mitigate the issue. See + https://github.com/NixOS/nixpkgs/issues/240591 for more information. + '' // mkOption { default = true; }; }; config = mkIf cfg.enable { diff --git a/nixpkgs/nixos/modules/services/misc/sourcehut/default.md b/nixpkgs/nixos/modules/services/misc/sourcehut/default.md index 44d58aa0bef3..f965c395038a 100644 --- a/nixpkgs/nixos/modules/services/misc/sourcehut/default.md +++ b/nixpkgs/nixos/modules/services/misc/sourcehut/default.md @@ -12,7 +12,7 @@ This NixOS module also provides basic configuration integrating Sourcehut into l and `services.postgresql` services. A very basic configuration may look like this: -``` +```nix { pkgs, ... }: let fqdn = @@ -66,9 +66,9 @@ in { # Settings to setup what certificates are used for which endpoint. virtualHosts = { "${fqdn}".enableACME = true; - "meta.${fqdn}".useACMEHost = fqdn: - "man.${fqdn}".useACMEHost = fqdn: - "git.${fqdn}".useACMEHost = fqdn: + "meta.${fqdn}".useACMEHost = fqdn; + "man.${fqdn}".useACMEHost = fqdn; + "git.${fqdn}".useACMEHost = fqdn; }; }; } diff --git a/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix b/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix index a8300ecd5233..1b1fde78ad0a 100644 --- a/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix +++ b/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix @@ -20,7 +20,10 @@ let manage = pkgs.writeShellScript "manage" '' set -o allexport # Export the following env vars ${lib.toShellVars env} - exec ${pkg}/bin/tandoor-recipes "$@" + eval "$(${config.systemd.package}/bin/systemctl show -pUID,GID,MainPID tandoor-recipes.service)" + exec ${pkgs.util-linux}/bin/nsenter \ + -t $MainPID -m -S $UID -G $GID \ + ${pkg}/bin/tandoor-recipes "$@" ''; in { @@ -82,6 +85,7 @@ in Restart = "on-failure"; User = "tandoor_recipes"; + Group = "tandoor_recipes"; DynamicUser = true; StateDirectory = "tandoor-recipes"; WorkingDirectory = "/var/lib/tandoor-recipes"; diff --git a/nixpkgs/nixos/modules/services/misc/weechat.md b/nixpkgs/nixos/modules/services/misc/weechat.md index 21f41be5b4a0..fb20ebe1e4db 100644 --- a/nixpkgs/nixos/modules/services/misc/weechat.md +++ b/nixpkgs/nixos/modules/services/misc/weechat.md @@ -12,7 +12,7 @@ unit which runs the chat client in a detached session. This can be done by enabling the `weechat` service: -``` +```nix { ... }: { @@ -30,7 +30,7 @@ allow your another user to attach to this session, the `screenrc` needs to be tweaked by adding [multiuser](https://www.gnu.org/software/screen/manual/html_node/Multiuser.html#Multiuser) support: -``` +```nix { programs.screen.screenrc = '' multiuser on |