Diffstat (limited to 'nixpkgs/nixos/modules/services/networking')
-rw-r--r--nixpkgs/nixos/modules/services/networking/bind.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/consul.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/coturn.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/dhcpd.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/dnsmasq.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/flannel.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/git-daemon.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/iodine.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/morty.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/ncdns.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/networkmanager.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/ngircd.nix5
-rw-r--r--nixpkgs/nixos/modules/services/networking/nntp-proxy.nix14
-rw-r--r--nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix12
-rw-r--r--nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/pleroma.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/pleroma.xml298
-rw-r--r--nixpkgs/nixos/modules/services/networking/radicale.nix7
-rw-r--r--nixpkgs/nixos/modules/services/networking/radvd.nix5
-rw-r--r--nixpkgs/nixos/modules/services/networking/rdnssd.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/shout.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/smokeping.nix13
-rw-r--r--nixpkgs/nixos/modules/services/networking/ssh/sshd.nix2
-rw-r--r--nixpkgs/nixos/modules/services/networking/tinydns.nix6
-rw-r--r--nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix21
-rw-r--r--nixpkgs/nixos/modules/services/networking/toxvpn.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/tvheadend.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/unifi.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/vsftpd.nix4
-rw-r--r--nixpkgs/nixos/modules/services/networking/x2goserver.nix2
31 files changed, 273 insertions, 169 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/bind.nix b/nixpkgs/nixos/modules/services/networking/bind.nix
index 480d5a184f25..0c23fb7e40f0 100644
--- a/nixpkgs/nixos/modules/services/networking/bind.nix
+++ b/nixpkgs/nixos/modules/services/networking/bind.nix
@@ -229,9 +229,11 @@ in
 
     users.users.${bindUser} =
       {
-        uid = config.ids.uids.bind;
+        group = bindUser;
         description = "BIND daemon user";
+        isSystemUser = true;
       };
+    users.groups.${bindUser} = {};
 
     systemd.services.bind = {
       description = "BIND Domain Name Server";
diff --git a/nixpkgs/nixos/modules/services/networking/consul.nix b/nixpkgs/nixos/modules/services/networking/consul.nix
index ae7998913ee0..476ca738dd1b 100644
--- a/nixpkgs/nixos/modules/services/networking/consul.nix
+++ b/nixpkgs/nixos/modules/services/networking/consul.nix
@@ -159,10 +159,12 @@ in
 
       users.users.consul = {
         description = "Consul agent daemon user";
-        uid = config.ids.uids.consul;
+        isSystemUser = true;
+        group = "consul";
         # The shell is needed for health checks
         shell = "/run/current-system/sw/bin/bash";
       };
+      users.groups.consul = {};
 
       environment = {
         etc."consul.json".text = builtins.toJSON configOptions;
diff --git a/nixpkgs/nixos/modules/services/networking/coturn.nix b/nixpkgs/nixos/modules/services/networking/coturn.nix
index 5f7d2893ae27..12098ec6d338 100644
--- a/nixpkgs/nixos/modules/services/networking/coturn.nix
+++ b/nixpkgs/nixos/modules/services/networking/coturn.nix
@@ -311,6 +311,7 @@ in {
     {
       users.users.turnserver =
         { uid = config.ids.uids.turnserver;
+          group = "turnserver";
           description = "coturn TURN server user";
         };
       users.groups.turnserver =
diff --git a/nixpkgs/nixos/modules/services/networking/dhcpd.nix b/nixpkgs/nixos/modules/services/networking/dhcpd.nix
index 8966deac76cb..54e4f9002859 100644
--- a/nixpkgs/nixos/modules/services/networking/dhcpd.nix
+++ b/nixpkgs/nixos/modules/services/networking/dhcpd.nix
@@ -212,9 +212,11 @@ in
 
     users = {
       users.dhcpd = {
-        uid = config.ids.uids.dhcpd;
+        isSystemUser = true;
+        group = "dhcpd";
         description = "DHCP daemon user";
       };
+      groups.dhcpd = {};
     };
 
     systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;
diff --git a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
index 89360f4bf373..400d6e67044e 100644
--- a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -217,6 +217,7 @@ in {
       home = "${dataDir}";
       createHome = true;
       isSystemUser = true;
+      group = "dnscrypt-wrapper";
     };
     users.groups.dnscrypt-wrapper = { };
 
diff --git a/nixpkgs/nixos/modules/services/networking/dnsmasq.nix b/nixpkgs/nixos/modules/services/networking/dnsmasq.nix
index 377d7bc57058..59a3ca2f28e3 100644
--- a/nixpkgs/nixos/modules/services/networking/dnsmasq.nix
+++ b/nixpkgs/nixos/modules/services/networking/dnsmasq.nix
@@ -87,9 +87,11 @@ in
     services.dbus.packages = [ dnsmasq ];
 
     users.users.dnsmasq = {
-      uid = config.ids.uids.dnsmasq;
+      isSystemUser = true;
+      group = "dnsmasq";
       description = "Dnsmasq daemon user";
     };
+    users.groups.dnsmasq = {};
 
     networking.resolvconf = mkIf cfg.resolveLocalQueries {
       useLocalResolver = mkDefault true;
diff --git a/nixpkgs/nixos/modules/services/networking/flannel.nix b/nixpkgs/nixos/modules/services/networking/flannel.nix
index 32a7eb3ed69e..2d67a2a2ad22 100644
--- a/nixpkgs/nixos/modules/services/networking/flannel.nix
+++ b/nixpkgs/nixos/modules/services/networking/flannel.nix
@@ -164,7 +164,7 @@ in {
       path = [ pkgs.iptables ];
       preStart = optionalString (cfg.storageBackend == "etcd") ''
         echo "setting network configuration"
-        until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
+        until ${pkgs.etcd}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
         do
           echo "setting network configuration, retry"
           sleep 1
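Review bot: The JSON on the corrected etcdctl line is still spliced into a single-quoted shell word by hand, so a `'` in any value that ends up in networkConfig would break out of the quoting and make the preStart loop fail or pass a truncated argument. The file uses `optionalString` unqualified, so `escapeShellArg` is presumably in scope as well; `until ${pkgs.etcd}/bin/etcdctl set /coreos.com/network/config ${escapeShellArg (builtins.toJSON networkConfig)}` keeps the value a single argument whatever it contains. The preStart loop continues outside the hunk.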
diff --git a/nixpkgs/nixos/modules/services/networking/git-daemon.nix b/nixpkgs/nixos/modules/services/networking/git-daemon.nix
index 98f80dd4bc40..6be72505c216 100644
--- a/nixpkgs/nixos/modules/services/networking/git-daemon.nix
+++ b/nixpkgs/nixos/modules/services/networking/git-daemon.nix
@@ -107,6 +107,7 @@ in
     users.users = optionalAttrs (cfg.user == "git") {
       git = {
         uid = config.ids.uids.git;
+        group = "git";
         description = "Git daemon user";
       };
     };
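Review bot: `group = "git"` is assigned but no `users.groups.git` appears in this hunk, and the diffstat records git-daemon.nix as a one-line change, so the commit does not add one; unless the group is declared elsewhere in the file, activation will fail on an unknown group. If it is declared there only conditionally (the user block is itself guarded by `cfg.user == "git"`), the group reference should follow the same condition or the group should be created next to the user as the other modules in this commit do, `users.groups.git = {};`.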
diff --git a/nixpkgs/nixos/modules/services/networking/iodine.nix b/nixpkgs/nixos/modules/services/networking/iodine.nix
index 46051d7044b5..f67e2d9a5e71 100644
--- a/nixpkgs/nixos/modules/services/networking/iodine.nix
+++ b/nixpkgs/nixos/modules/services/networking/iodine.nix
@@ -190,6 +190,7 @@ in
 
     users.users.${iodinedUser} = {
       uid = config.ids.uids.iodined;
+      group = "iodined";
       description = "Iodine daemon user";
     };
     users.groups.iodined.gid = config.ids.gids.iodined;
diff --git a/nixpkgs/nixos/modules/services/networking/morty.nix b/nixpkgs/nixos/modules/services/networking/morty.nix
index e110a5c86101..c627feb527b6 100644
--- a/nixpkgs/nixos/modules/services/networking/morty.nix
+++ b/nixpkgs/nixos/modules/services/networking/morty.nix
@@ -77,7 +77,9 @@ in
         createHome = true;
         home = "/var/lib/morty";
         isSystemUser = true;
+        group = "morty";
       };
+    users.groups.morty = {};
 
     systemd.services.morty =
       {
diff --git a/nixpkgs/nixos/modules/services/networking/ncdns.nix b/nixpkgs/nixos/modules/services/networking/ncdns.nix
index d30fe0f6f6d1..c5ea5d950573 100644
--- a/nixpkgs/nixos/modules/services/networking/ncdns.nix
+++ b/nixpkgs/nixos/modules/services/networking/ncdns.nix
@@ -245,8 +245,10 @@ in
 
     users.users.ncdns = {
       isSystemUser = true;
+      group = "ncdns";
       description = "ncdns daemon user";
     };
+    users.groups.ncdns = {};
 
     systemd.services.ncdns = {
       description = "ncdns daemon";
diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
index c8861171dd6c..ba13f575c39e 100644
--- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix
+++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
@@ -464,6 +464,7 @@ in {
     users.users = {
       nm-openvpn = {
         uid = config.ids.uids.nm-openvpn;
+        group = "nm-openvpn";
         extraGroups = [ "networkmanager" ];
       };
       nm-iodine = {
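Review bot: Only nm-openvpn receives a `group` here, while nm-iodine in the same attrset (its definition starts on the last context line and continues outside the hunk) is left untouched per the one-line diffstat; if a group is now required on every user, nm-iodine needs the same treatment, e.g. `group = "nm-iodine";`. The hunk also shows no `users.groups.nm-openvpn` definition, so it is presumably declared elsewhere in the file and worth confirming.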
diff --git a/nixpkgs/nixos/modules/services/networking/ngircd.nix b/nixpkgs/nixos/modules/services/networking/ngircd.nix
index 4b2fa7795922..1b631de3b025 100644
--- a/nixpkgs/nixos/modules/services/networking/ngircd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ngircd.nix
@@ -52,8 +52,11 @@ in {
     };
 
     users.users.ngircd = {
-      uid = config.ids.uids.ngircd;
+      isSystemUser = true;
+      group = "ngircd";
       description = "ngircd user.";
     };
+    users.groups.ngircd = {};
+
   };
 }
diff --git a/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix b/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix
index cc061bf6e3b9..0083990cff5a 100644
--- a/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix
+++ b/nixpkgs/nixos/modules/services/networking/nntp-proxy.nix
@@ -6,8 +6,6 @@ let
 
   inherit (pkgs) nntp-proxy;
 
-  proxyUser = "nntp-proxy";
-
   cfg = config.services.nntp-proxy;
 
   configBool = b: if b then "TRUE" else "FALSE";
@@ -210,16 +208,18 @@ in
 
   config = mkIf cfg.enable {
 
-    users.users.${proxyUser} =
-      { uid = config.ids.uids.nntp-proxy;
-        description = "NNTP-Proxy daemon user";
-      };
+    users.users.nntp-proxy = {
+      isSystemUser = true;
+      group = "nntp-proxy";
+      description = "NNTP-Proxy daemon user";
+    };
+    users.groups.nntp-proxy = {};
 
     systemd.services.nntp-proxy = {
       description = "NNTP proxy";
       after = [ "network.target" "nss-lookup.target" ];
       wantedBy = [ "multi-user.target" ];
-      serviceConfig = { User="${proxyUser}"; };
+      serviceConfig = { User="nntp-proxy"; };
       serviceConfig.ExecStart = "${nntp-proxy}/bin/nntp-proxy ${confFile}";
       preStart = ''
         if [ ! \( -f ${cfg.sslCert} -a -f ${cfg.sslKey} \) ]; then
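Review bot: Dropping the `proxyUser` binding leaves the literal `nntp-proxy` repeated in three places (user name, group, and `User=` in serviceConfig), and the rewritten `serviceConfig = { User="nntp-proxy"; };` keeps the old no-space formatting while the very next line assigns `serviceConfig.ExecStart` separately. One attrset reads cleaner and matches the style of the new user block: `serviceConfig = { User = "nntp-proxy"; ExecStart = "${nntp-proxy}/bin/nntp-proxy ${confFile}"; };`. The preStart script continues outside the hunk.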
diff --git a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix
index 861b0db01a48..1dffbd78bbe4 100644
--- a/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix
@@ -10,8 +10,6 @@ let
 
   stateDir = "/var/lib/ntp";
 
-  ntpUser = "ntp";
-
   configFile = pkgs.writeText "ntp.conf" ''
     driftfile ${stateDir}/ntp.drift
 
@@ -27,7 +25,7 @@ let
     ${cfg.extraConfig}
   '';
 
-  ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup ${toString cfg.extraFlags}";
+  ntpFlags = "-c ${configFile} -u ntp:ntp ${toString cfg.extraFlags}";
 
 in
 
@@ -119,11 +117,13 @@ in
 
     systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; };
 
-    users.users.${ntpUser} =
-      { uid = config.ids.uids.ntp;
+    users.users.ntp =
+      { isSystemUser = true;
+        group = "ntp";
         description = "NTP daemon user";
         home = stateDir;
       };
+    users.groups.ntp = {};
 
     systemd.services.ntpd =
       { description = "NTP Daemon";
@@ -135,7 +135,7 @@ in
         preStart =
           ''
             mkdir -m 0755 -p ${stateDir}
-            chown ${ntpUser} ${stateDir}
+            chown ntp ${stateDir}
           '';
 
         serviceConfig = {
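Review bot: `chown ntp ${stateDir}` only changes the owner, so the directory created by the preceding `mkdir -m 0755 -p` keeps group root even though ntpd now drops to `ntp:ntp` (the `ntpFlags` hunk above); `chown ntp:ntp ${stateDir}` keeps the state directory consistent with the new group and with `users.groups.ntp`. The serviceConfig that follows begins on the last context line and continues outside the hunk.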
diff --git a/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix b/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix
index 67a04d48d308..9f3892e3b538 100644
--- a/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix
@@ -61,10 +61,12 @@ in
     environment.etc."ntpd.conf".text = configFile;
 
     users.users.ntp = {
-      uid = config.ids.uids.ntp;
+      isSystemUser = true;
+      group = "ntp";
       description = "OpenNTP daemon user";
       home = "/var/empty";
     };
+    users.groups.ntp = {};
 
     systemd.services.openntpd = {
       description = "OpenNTP Server";
diff --git a/nixpkgs/nixos/modules/services/networking/pleroma.nix b/nixpkgs/nixos/modules/services/networking/pleroma.nix
index bd75083a4a78..93ab29b71e5c 100644
--- a/nixpkgs/nixos/modules/services/networking/pleroma.nix
+++ b/nixpkgs/nixos/modules/services/networking/pleroma.nix
@@ -74,7 +74,7 @@ in {
       users."${cfg.user}" = {
         description = "Pleroma user";
         home = cfg.stateDir;
-        extraGroups = [ cfg.group ];
+        group = cfg.group;
         isSystemUser = true;
       };
       groups."${cfg.group}" = {};
diff --git a/nixpkgs/nixos/modules/services/networking/pleroma.xml b/nixpkgs/nixos/modules/services/networking/pleroma.xml
index 9ab0be3d947c..ad0a481af28b 100644
--- a/nixpkgs/nixos/modules/services/networking/pleroma.xml
+++ b/nixpkgs/nixos/modules/services/networking/pleroma.xml
@@ -4,129 +4,185 @@
          version="5.0"
          xml:id="module-services-pleroma">
  <title>Pleroma</title>
- <para><link xlink:href="https://pleroma.social/">Pleroma</link> is a lightweight activity pub server.</para>
- <section xml:id="module-services-pleroma-getting-started">
-   <title>Quick Start</title>
-   <para>To get quickly started, you can use this sample NixOS configuration and adapt it to your use case.</para>
-   <para><programlisting>
-    {
-      security.acme = {
-        email = "root@tld";
-        acceptTerms = true;
-        certs = {
-          "social.tld.com" = {
-            webroot = "/var/www/social.tld.com";
-            email = "root@tld";
-            group = "nginx";
-          };
-        };
-      };
-      services = {
-        pleroma = {
-          enable = true;
-          secretConfigFile = "/var/lib/pleroma/secrets.exs";
-          configs = [
-          ''
-            import Config
-
-            config :pleroma, Pleroma.Web.Endpoint,
-            url: [host: "social.tld.com", scheme: "https", port: 443],
-            http: [ip: {127, 0, 0, 1}, port: 4000]
-
-            config :pleroma, :instance,
-            name: "NixOS test pleroma server",
-            email: "pleroma@social.tld.com",
-            notify_email: "pleroma@social.tld.com",
-            limit: 5000,
-            registrations_open: true
-
-            config :pleroma, :media_proxy,
-            enabled: false,
-            redirect_on_failure: true
-            #base_url: "https://cache.pleroma.social"
-
-            config :pleroma, Pleroma.Repo,
-            adapter: Ecto.Adapters.Postgres,
-            username: "pleroma",
-            password: "${test-db-passwd}",
-            database: "pleroma",
-            hostname: "localhost",
-            pool_size: 10,
-            prepare: :named,
-            parameters: [
-                plan_cache_mode: "force_custom_plan"
-            ]
-
-            config :pleroma, :database, rum_enabled: false
-            config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
-            config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
-            config :pleroma, configurable_from_database: false
-          ''
-          ];
-        };
-        postgresql = {
-          enable = true;
-          package = pkgs.postgresql_12;
-        };
-        nginx = {
-          enable = true;
-          addSSL = true;
-          sslCertificate = "/var/lib/acme/social.tld.com/fullchain.pem";
-          sslCertificateKey = "/var/lib/acme/social.tld.com/key.pem";
-          root = "/var/www/social.tld.com";
-          # ACME endpoint
-          locations."/.well-known/acme-challenge" = {
-              root = "/var/www/social.tld.com/";
-          };
-          virtualHosts."social.tld.com" = {
-            addSSL = true;
-            locations."/" = {
-              proxyPass = "http://127.0.0.1:4000";
-              extraConfig = ''
-                add_header 'Access-Control-Allow-Origin' '*' always;
-                add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
-                add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
-                add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
-                if ($request_method = OPTIONS) {
-                    return 204;
-                }
-                add_header X-XSS-Protection "1; mode=block";
-                add_header X-Permitted-Cross-Domain-Policies none;
-                add_header X-Frame-Options DENY;
-                add_header X-Content-Type-Options nosniff;
-                add_header Referrer-Policy same-origin;
-                add_header X-Download-Options noopen;
-                proxy_http_version 1.1;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
-                proxy_set_header Host $host;
-                client_max_body_size 16m;
-              '';
-            };
-          };
-        };
-      };
-    };
-   </programlisting></para>
-   <para>Note that you'll need to seed your database and upload your pleroma secrets to the path pointed by <literal>config.pleroma.secretConfigFile</literal>. You can find more informations about how to do that in the <link linkend="module-services-pleroma-generate-config">next</link> section.</para>
- </section>
+ <para>
+  <link xlink:href="https://pleroma.social/">Pleroma</link> is a lightweight activity pub server.</para>
  <section xml:id="module-services-pleroma-generate-config">
-   <title>Generating the Pleroma Config and Seed the Database</title>
-
-   <para>Before using this service, you'll need to generate your
-server configuration and its associated database seed. The
-<literal>pleroma_ctl</literal> CLI utility can help you with that. You
-can start with <literal>pleroma_ctl instance gen --output config.exs
---output-psql setup.psql</literal>, this will prompt you some
-questions and will generate both your config file and database initial
-migration. </para>
-<para>For more details about this configuration format, please have a look at the <link xlink:href="https://docs-develop.pleroma.social/backend/configuration/cheatsheet/">upstream documentation</link>.</para>
-<para>To seed your database, you can use the <literal>setup.psql</literal> file you just generated by running
+  <title>Generating the Pleroma config</title>
+  <para>The <literal>pleroma_ctl</literal> CLI utility will prompt you some questions and it will generate an initial config file. This is an example of usage
+<programlisting>
+<prompt>$ </prompt>mkdir tmp-pleroma
+<prompt>$ </prompt>cd tmp-pleroma
+<prompt>$ </prompt>nix-shell -p pleroma-otp
+<prompt>$ </prompt>pleroma_ctl instance gen --output config.exs --output-psql setup.psql
+</programlisting>
+  </para>
+  <para>The <literal>config.exs</literal> file can be further customized following the instructions on the <link xlink:href="https://docs-develop.pleroma.social/backend/configuration/cheatsheet/">upstream documentation</link>. Many refinements can be applied also after the service is running.</para>
+ </section>
+ <section xml:id="module-services-pleroma-initialize-db">
+  <title>Initializing the database</title>
+  <para>First, the Postgresql service must be enabled in the NixOS configuration
+<programlisting>
+services.postgresql = {
+  enable = true;
+  package = pkgs.postgresql_13;
+};
+</programlisting>
+and activated with the usual
+<programlisting>
+<prompt>$ </prompt>nixos-rebuild switch
+</programlisting>
+  </para>
+  <para>Then you can create and seed the database, using the <literal>setup.psql</literal> file that you generated in the previous section, by running
+<programlisting>
+<prompt>$ </prompt>sudo -u postgres psql -f setup.psql
+</programlisting>
+  </para>
+ </section>
+ <section xml:id="module-services-pleroma-enable">
+  <title>Enabling the Pleroma service locally</title>
+  <para>In this section we will enable the Pleroma service only locally, so its configurations can be improved incrementally.</para>
+  <para>This is an example of configuration, where <link linkend="opt-services.pleroma.configs">services.pleroma.configs</link> option contains the content of the file <literal>config.exs</literal>, generated <link linkend="module-services-pleroma-generate-config">in the first section</link>, but with the secrets (database password, endpoint secret key, salts, etc.) removed. Removing secrets is important, because otherwise they will be stored publicly in the Nix store.
+<programlisting>
+services.pleroma = {
+  enable = true;
+  secretConfigFile = "/var/lib/pleroma/secrets.exs";
+  configs = [
+    ''
+    import Config
+
+    config :pleroma, Pleroma.Web.Endpoint,
+      url: [host: "pleroma.example.net", scheme: "https", port: 443],
+      http: [ip: {127, 0, 0, 1}, port: 4000]
+
+    config :pleroma, :instance,
+      name: "Test",
+      email: "admin@example.net",
+      notify_email: "admin@example.net",
+      limit: 5000,
+      registrations_open: true
+
+    config :pleroma, :media_proxy,
+      enabled: false,
+      redirect_on_failure: true
+
+    config :pleroma, Pleroma.Repo,
+      adapter: Ecto.Adapters.Postgres,
+      username: "pleroma",
+      database: "pleroma",
+      hostname: "localhost"
+
+    # Configure web push notifications
+    config :web_push_encryption, :vapid_details,
+      subject: "mailto:admin@example.net"
+
+    # ... TO CONTINUE ...
+    ''
+  ];
+};
+</programlisting>
+  </para>
+  <para>Secrets must be moved into a file pointed by <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>, in our case <literal>/var/lib/pleroma/secrets.exs</literal>. This file can be created copying the previously generated <literal>config.exs</literal> file and then removing all the settings, except the secrets. This is an example
+<programlisting>
+# Pleroma instance passwords
+
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+   secret_key_base: "&lt;the secret generated by pleroma_ctl&gt;",
+   signing_salt: "&lt;the secret generated by pleroma_ctl&gt;"
+
+config :pleroma, Pleroma.Repo,
+  password: "&lt;the secret generated by pleroma_ctl&gt;"
+
+# Configure web push notifications
+config :web_push_encryption, :vapid_details,
+  public_key: "&lt;the secret generated by pleroma_ctl&gt;",
+  private_key: "&lt;the secret generated by pleroma_ctl&gt;"
+
+# ... TO CONTINUE ...
+</programlisting>
+  Note that the lines of the same configuration group are comma separated (i.e. all the lines end with a comma, except the last one), so when the lines with passwords are added or removed, commas must be adjusted accordingly.</para>
+
+  <para>The service can be enabled with the usual
+<programlisting>
+<prompt>$ </prompt>nixos-rebuild switch
+</programlisting>
+  </para>
+  <para>The service is accessible only from the local <literal>127.0.0.1:4000</literal> port. It can be tested using a port forwarding like this
+<programlisting>
+<prompt>$ </prompt>ssh -L 4000:localhost:4000 myuser@example.net
+</programlisting>
+and then accessing <link xlink:href="http://localhost:4000">http://localhost:4000</link> from a web browser.</para>
+ </section>
+ <section xml:id="module-services-pleroma-admin-user">
+  <title>Creating the admin user</title>
+  <para>After Pleroma service is running, all <link xlink:href="https://docs-develop.pleroma.social/">Pleroma administration utilities</link> can be used. In particular an admin user can be created with
+<programlisting>
+<prompt>$ </prompt>pleroma_ctl user new &lt;nickname&gt; &lt;email&gt;  --admin --moderator --password &lt;password&gt;
+</programlisting>
+  </para>
+ </section>
+ <section xml:id="module-services-pleroma-nginx">
+  <title>Configuring Nginx</title>
+  <para>In this configuration, Pleroma is listening only on the local port 4000. Nginx can be configured as a Reverse Proxy, for forwarding requests from public ports to the Pleroma service. This is an example of configuration, using
+<link xlink:href="https://letsencrypt.org/">Let's Encrypt</link> for the TLS certificates
 <programlisting>
-    sudo -u postgres psql -f setup.psql
-</programlisting></para>
-   <para>In regard of the pleroma service configuration you also just generated, you'll need to split it in two parts. The "public" part, which do not contain any secrets and thus can be safely stored in the Nix store and its "private" counterpart containing some secrets (database password, endpoint secret key, salts, etc.).</para>
+security.acme = {
+  email = "root@example.net";
+  acceptTerms = true;
+};
 
-   <para>The public part will live in your NixOS machine configuration in the <link linkend="opt-services.pleroma.configs">services.pleroma.configs</link> option. However, it's up to you to upload the secret pleroma configuration to the path pointed by <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>. You can do that manually or rely on a third party tool such as <link xlink:href="https://github.com/DBCDK/morph">Morph</link> or <link xlink:href="https://github.com/NixOS/nixops">NixOps</link>.</para>
+services.nginx = {
+  enable = true;
+  addSSL = true;
+
+  recommendedTlsSettings = true;
+  recommendedOptimisation = true;
+  recommendedGzipSettings = true;
+
+  recommendedProxySettings = false;
+  # NOTE: if enabled, the NixOS proxy optimizations will override the Pleroma
+  # specific settings, and they will enter in conflict.
+
+  virtualHosts = {
+    "pleroma.example.net" = {
+      http2 = true;
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:4000";
+
+        extraConfig = ''
+          etag on;
+          gzip on;
+
+          add_header 'Access-Control-Allow-Origin' '*' always;
+          add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
+          add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
+          add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
+          if ($request_method = OPTIONS) {
+            return 204;
+          }
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Permitted-Cross-Domain-Policies none;
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header Referrer-Policy same-origin;
+          add_header X-Download-Options noopen;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+
+          client_max_body_size 16m;
+          # NOTE: increase if users need to upload very big files
+        '';
+      };
+    };
+  };
+};
+</programlisting>
+  </para>
  </section>
 </chapter>
diff --git a/nixpkgs/nixos/modules/services/networking/radicale.nix b/nixpkgs/nixos/modules/services/networking/radicale.nix
index 8c632c319d3c..368259b5b0bf 100644
--- a/nixpkgs/nixos/modules/services/networking/radicale.nix
+++ b/nixpkgs/nixos/modules/services/networking/radicale.nix
@@ -140,9 +140,12 @@ in {
 
     environment.systemPackages = [ pkg ];
 
-    users.users.radicale.uid = config.ids.uids.radicale;
+    users.users.radicale = {
+      isSystemUser = true;
+      group = "radicale";
+    };
 
-    users.groups.radicale.gid = config.ids.gids.radicale;
+    users.groups.radicale = {};
 
     systemd.services.radicale = {
       description = "A Simple Calendar and Contact Server";
diff --git a/nixpkgs/nixos/modules/services/networking/radvd.nix b/nixpkgs/nixos/modules/services/networking/radvd.nix
index 53fac4b7b72d..6e8db55bbf0d 100644
--- a/nixpkgs/nixos/modules/services/networking/radvd.nix
+++ b/nixpkgs/nixos/modules/services/networking/radvd.nix
@@ -55,9 +55,12 @@ in
   config = mkIf cfg.enable {
 
     users.users.radvd =
-      { uid = config.ids.uids.radvd;
+      {
+        isSystemUser = true;
+        group = "radvd";
         description = "Router Advertisement Daemon User";
       };
+    users.groups.radvd = {};
 
     systemd.services.radvd =
       { description = "IPv6 Router Advertisement Daemon";
diff --git a/nixpkgs/nixos/modules/services/networking/rdnssd.nix b/nixpkgs/nixos/modules/services/networking/rdnssd.nix
index 469504c43172..fd04bb8108f0 100644
--- a/nixpkgs/nixos/modules/services/networking/rdnssd.nix
+++ b/nixpkgs/nixos/modules/services/networking/rdnssd.nix
@@ -72,8 +72,10 @@ in
 
     users.users.rdnssd = {
       description = "RDNSSD Daemon User";
-      uid = config.ids.uids.rdnssd;
+      isSystemUser = true;
+      group = "rdnssd";
     };
+    users.groups.rdnssd = {};
 
   };
 
diff --git a/nixpkgs/nixos/modules/services/networking/shout.nix b/nixpkgs/nixos/modules/services/networking/shout.nix
index 405808491ea4..cca03a8f88a1 100644
--- a/nixpkgs/nixos/modules/services/networking/shout.nix
+++ b/nixpkgs/nixos/modules/services/networking/shout.nix
@@ -83,11 +83,13 @@ in {
 
   config = mkIf cfg.enable {
     users.users.shout = {
-      uid = config.ids.uids.shout;
+      isSystemUser = true;
+      group = "shout";
       description = "Shout daemon user";
       home = shoutHome;
       createHome = true;
     };
+    users.groups.shout = {};
 
     systemd.services.shout = {
       description = "Shout web IRC client";
diff --git a/nixpkgs/nixos/modules/services/networking/smokeping.nix b/nixpkgs/nixos/modules/services/networking/smokeping.nix
index 4470c18fd533..0f123fd18776 100644
--- a/nixpkgs/nixos/modules/services/networking/smokeping.nix
+++ b/nixpkgs/nixos/modules/services/networking/smokeping.nix
@@ -259,7 +259,7 @@ in
       user = mkOption {
         type = types.str;
         default = "smokeping";
-        description = "User that runs smokeping and (optionally) thttpd";
+        description = "User that runs smokeping and (optionally) thttpd. A group of the same name will be created as well.";
       };
       webService = mkOption {
         type = types.bool;
@@ -278,18 +278,23 @@ in
       }
     ];
     security.wrappers = {
-      fping.source = "${pkgs.fping}/bin/fping";
-      fping6.source = "${pkgs.fping}/bin/fping6";
+      fping =
+        { setuid = true;
+          owner = "root";
+          group = "root";
+          source = "${pkgs.fping}/bin/fping";
+        };
     };
     environment.systemPackages = [ pkgs.fping ];
     users.users.${cfg.user} = {
       isNormalUser = false;
       isSystemUser = true;
-      uid = config.ids.uids.smokeping;
+      group = cfg.user;
       description = "smokeping daemon user";
       home = smokepingHome;
       createHome = true;
     };
+    users.groups.${cfg.user} = {};
     systemd.services.smokeping = {
       wantedBy = [ "multi-user.target"];
       serviceConfig = {
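Review bot: The new wrapper grants fping full root through `setuid = true`, while fping only needs raw-socket access; NixOS wrappers also accept `capabilities`, so `setuid = false; capabilities = "cap_net_raw+p";` would be the least-privilege form, provided the packaged fping runs correctly under a capability-only wrapper, which is worth verifying before switching. The `fping6` wrapper is removed without replacement; if any probe definition elsewhere in the module still refers to the wrapped fping6 binary it now points at nothing, which this hunk cannot show.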
diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
index 04879eb7d82d..311fd5abccad 100644
--- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
@@ -410,11 +410,13 @@ in
     users.users = {
       sshd = {
         isSystemUser = true;
+        group = "sshd";
         description = "SSH privilege separation user";
       };
     } // (optionalAttrs (cfg.authorizedKeysCommand != null) {
       ${cfg.authorizedKeysCommandUser} = {};
     });
+    users.groups.sshd = {};
 
     services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
     services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server";
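Review bot: The untouched `${cfg.authorizedKeysCommandUser} = {};` entry in this hunk still declares a user with neither `isSystemUser`/`uid` nor `group`, so a non-default `authorizedKeysCommandUser` that is not declared elsewhere would fail the same user/group validation this series is satisfying for `sshd` (the default, presumably `nobody`, is defined elsewhere and merges cleanly). Either give the entry the same shape, e.g. `${cfg.authorizedKeysCommandUser} = { isSystemUser = true; group = "nogroup"; };`, or document on the option that it must name an already-declared user. The `config` block this `users.users` definition lives in continues outside the hunk.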
diff --git a/nixpkgs/nixos/modules/services/networking/tinydns.nix b/nixpkgs/nixos/modules/services/networking/tinydns.nix
index 79507b2ebcdd..2c44ad49296d 100644
--- a/nixpkgs/nixos/modules/services/networking/tinydns.nix
+++ b/nixpkgs/nixos/modules/services/networking/tinydns.nix
@@ -32,7 +32,11 @@ with lib;
   config = mkIf config.services.tinydns.enable {
     environment.systemPackages = [ pkgs.djbdns ];
 
-    users.users.tinydns.isSystemUser = true;
+    users.users.tinydns = {
+      isSystemUser = true;
+      group = "tinydns";
+    };
+    users.groups.tinydns = {};
 
     systemd.services.tinydns = {
       description = "djbdns tinydns server";
diff --git a/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix b/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix
index f88e34827d00..7c13724e084a 100644
--- a/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix
+++ b/nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix
@@ -3,15 +3,15 @@
 with lib;
 
 let
-  home = "/var/lib/tox-bootstrapd";
-  PIDFile = "${home}/pid";
+  WorkingDirectory = "/var/lib/tox-bootstrapd";
+  PIDFile = "${WorkingDirectory}/pid";
 
   pkg = pkgs.libtoxcore;
   cfg = config.services.toxBootstrapd;
   cfgFile = builtins.toFile "tox-bootstrapd.conf"
     ''
       port = ${toString cfg.port}
-      keys_file_path = "${home}/keys"
+      keys_file_path = "${WorkingDirectory}/keys"
       pid_file_path = "${PIDFile}"
       ${cfg.extraConfig}
     '';
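Review bot: The renamed line `keys_file_path = "${WorkingDirectory}/keys"` still hard-codes the key path into the generated config instead of using `cfg.keysFile`, whose default is adjusted to the same value in the next hunk; unless `keysFile` is consumed somewhere outside this view, a user-supplied value has no effect, and `keys_file_path = "${cfg.keysFile}"` would make the option meaningful. Because `cfgFile` is built with `builtins.toFile`, it also lands in the world-readable Nix store, so `extraConfig` must never carry secrets — worth stating in that option's description. The `let` block continues past the end of this hunk.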
@@ -36,7 +36,7 @@ in
 
           keysFile = mkOption {
             type = types.str;
-            default = "${home}/keys";
+            default = "${WorkingDirectory}/keys";
             description = "Node key file.";
           };
 
@@ -56,13 +56,6 @@ in
 
   config = mkIf config.services.toxBootstrapd.enable {
 
-    users.users.tox-bootstrapd =
-      { uid = config.ids.uids.tox-bootstrapd;
-        description = "Tox bootstrap daemon user";
-        inherit home;
-        createHome = true;
-      };
-
     systemd.services.tox-bootstrapd = {
       description = "Tox DHT bootstrap daemon";
       after = [ "network.target" ];
@@ -70,8 +63,10 @@ in
       serviceConfig =
         { ExecStart = "${pkg}/bin/tox-bootstrapd --config=${cfgFile}";
           Type = "forking";
-          inherit PIDFile;
-          User = "tox-bootstrapd";
+          inherit PIDFile WorkingDirectory;
+          AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
+          DynamicUser = true;
+          StateDirectory = "tox-bootstrapd";
         };
     };
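Review bot: `AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]` is granted unconditionally, but it is only needed when `cfg.port` is below 1024; the option's default is not visible here but is presumably the usual Tox port well above that, so `AmbientCapabilities = optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE";` (with `with lib;` already in scope) keeps the dynamic user capability-free in the common case, and `CapabilityBoundingSet` set to the same list stops the daemon from regaining anything else. With `DynamicUser = true` replacing the static `tox-bootstrapd` user removed in the previous hunk, an existing `/var/lib/tox-bootstrapd/keys` owned by the old uid depends on systemd's `StateDirectory` migration and ownership fix-up to remain readable; that behaviour is not visible here and deserves a release-notes entry or a comment above `StateDirectory`.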
 
diff --git a/nixpkgs/nixos/modules/services/networking/toxvpn.nix b/nixpkgs/nixos/modules/services/networking/toxvpn.nix
index 9e97faeebc1e..1765ef3ea2d9 100644
--- a/nixpkgs/nixos/modules/services/networking/toxvpn.nix
+++ b/nixpkgs/nixos/modules/services/networking/toxvpn.nix
@@ -59,10 +59,12 @@ with lib;
 
     users.users = {
       toxvpn = {
-        uid        = config.ids.uids.toxvpn;
+        isSystemUser = true;
+        group = "toxvpn";
         home       = "/var/lib/toxvpn";
         createHome = true;
       };
     };
+    users.groups.toxvpn = {};
   };
 }
diff --git a/nixpkgs/nixos/modules/services/networking/tvheadend.nix b/nixpkgs/nixos/modules/services/networking/tvheadend.nix
index ccf879996631..19a10a03bd9b 100644
--- a/nixpkgs/nixos/modules/services/networking/tvheadend.nix
+++ b/nixpkgs/nixos/modules/services/networking/tvheadend.nix
@@ -29,8 +29,10 @@ in
       description = "Tvheadend Service user";
       home        = "/var/lib/tvheadend";
       createHome  = true;
-      uid         = config.ids.uids.tvheadend;
+      isSystemUser = true;
+      group = "tvheadend";
     };
+    users.groups.tvheadend = {};
 
     systemd.services.tvheadend = {
       description = "Tvheadend TV streaming server";
diff --git a/nixpkgs/nixos/modules/services/networking/unifi.nix b/nixpkgs/nixos/modules/services/networking/unifi.nix
index 2e320378cc9a..73170ebfc903 100644
--- a/nixpkgs/nixos/modules/services/networking/unifi.nix
+++ b/nixpkgs/nixos/modules/services/networking/unifi.nix
@@ -115,10 +115,12 @@ in
   config = mkIf cfg.enable {
 
     users.users.unifi = {
-      uid = config.ids.uids.unifi;
+      isSystemUser = true;
+      group = "unifi";
       description = "UniFi controller daemon user";
       home = "${stateDir}";
     };
+    users.groups.unifi = {};
 
     networking.firewall = mkIf cfg.openPorts {
       # https://help.ubnt.com/hc/en-us/articles/218506997
diff --git a/nixpkgs/nixos/modules/services/networking/vsftpd.nix b/nixpkgs/nixos/modules/services/networking/vsftpd.nix
index c57994533c17..5489f74bf032 100644
--- a/nixpkgs/nixos/modules/services/networking/vsftpd.nix
+++ b/nixpkgs/nixos/modules/services/networking/vsftpd.nix
@@ -282,7 +282,8 @@ in
 
     users.users = {
       "vsftpd" = {
-        uid = config.ids.uids.vsftpd;
+        group = "vsftpd";
+        isSystemUser = true;
         description = "VSFTPD user";
         home = if cfg.localRoot != null
                then cfg.localRoot # <= Necessary for virtual users.
@@ -297,6 +298,7 @@ in
         };
     };
 
+    users.groups.vsftpd = {};
     users.groups.ftp.gid = config.ids.gids.ftp;
 
     # If you really have to access root via FTP use mkOverride or userlistDeny
diff --git a/nixpkgs/nixos/modules/services/networking/x2goserver.nix b/nixpkgs/nixos/modules/services/networking/x2goserver.nix
index 48020fc1ceca..554e51f9d4ff 100644
--- a/nixpkgs/nixos/modules/services/networking/x2goserver.nix
+++ b/nixpkgs/nixos/modules/services/networking/x2goserver.nix
@@ -88,12 +88,14 @@ in {
       source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl";
       owner = "x2go";
       group = "x2go";
+      setuid = false;
       setgid = true;
     };
     security.wrappers.x2goprintWrapper = {
       source = "${pkgs.x2goserver}/bin/x2goprint";
       owner = "x2go";
       group = "x2go";
+      setuid = false;
       setgid = true;
     };