Diffstat (limited to 'nixpkgs/nixos/modules/services')
8 files changed, 111 insertions, 77 deletions
diff --git a/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix b/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix index ae695baf42c6..07ca2727cf48 100644 --- a/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix +++ b/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix @@ -115,8 +115,7 @@ in { environment.systemPackages = [ cfg.package ] ++ lib.optional cfg.jack.enable jack-libs; - systemd.packages = [ cfg.package ] - ++ lib.optional cfg.pulse.enable cfg.package.pulse; + systemd.packages = [ cfg.package ]; # PipeWire depends on DBUS but doesn't list it. Without this booting # into a terminal results in the service crashing with an error. @@ -130,9 +129,13 @@ in { systemd.user.sockets.pipewire.enable = !cfg.systemWide; systemd.user.services.pipewire.enable = !cfg.systemWide; + # Mask pw-pulse if it's not wanted + systemd.user.services.pipewire-pulse.enable = cfg.pulse.enable; + systemd.user.sockets.pipewire-pulse.enable = cfg.pulse.enable; + systemd.sockets.pipewire.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ]; systemd.user.sockets.pipewire.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ]; - systemd.user.sockets.pipewire-pulse.wantedBy = lib.mkIf (cfg.socketActivation && cfg.pulse.enable) ["sockets.target"]; + systemd.user.sockets.pipewire-pulse.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ]; services.udev.packages = [ cfg.package ]; 
@@ -140,14 +143,14 @@ in { environment.etc."alsa/conf.d/49-pipewire-modules.conf" = mkIf cfg.alsa.enable { text = '' pcm_type.pipewire { - libs.native = ${cfg.package.lib}/lib/alsa-lib/libasound_module_pcm_pipewire.so ; + libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_pcm_pipewire.so ; ${optionalString enable32BitAlsaPlugins - "libs.32Bit = ${pkgs.pkgsi686Linux.pipewire.lib}/lib/alsa-lib/libasound_module_pcm_pipewire.so ;"} + "libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_pcm_pipewire.so ;"} } ctl_type.pipewire { - libs.native = ${cfg.package.lib}/lib/alsa-lib/libasound_module_ctl_pipewire.so ; + libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_ctl_pipewire.so ; ${optionalString enable32BitAlsaPlugins - "libs.32Bit = ${pkgs.pkgsi686Linux.pipewire.lib}/lib/alsa-lib/libasound_module_ctl_pipewire.so ;"} + "libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_ctl_pipewire.so ;"} } ''; }; diff --git a/nixpkgs/nixos/modules/services/monitoring/grafana.nix b/nixpkgs/nixos/modules/services/monitoring/grafana.nix index 5e21407042b6..f84d677f14d8 100644 --- a/nixpkgs/nixos/modules/services/monitoring/grafana.nix +++ b/nixpkgs/nixos/modules/services/monitoring/grafana.nix @@ -1841,6 +1841,7 @@ in serviceConfig = { WorkingDirectory = cfg.dataDir; User = "grafana"; + Restart = "on-failure"; RuntimeDirectory = "grafana"; RuntimeDirectoryMode = "0755"; # Hardening diff --git a/nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix b/nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix index 44fc359b6a7d..a146e7ab9543 100644 --- a/nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix +++ b/nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix @@ -301,6 +301,7 @@ in description = lib.mdDoc '' The addresses to send outgoing mail to. ''; + apply = x: if x == [] then null else lib.concatStringsSep "," x; }; }; 
diff --git a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/builder.sh b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/builder.sh index d9d2e4264dfd..07a3788abf7d 100644 --- a/nixpkgs/nixos/modules/services/networking/ircd-hybrid/builder.sh +++ b/nixpkgs/nixos/modules/services/networking/ircd-hybrid/builder.sh @@ -1,4 +1,4 @@ -if [ -e .attrs.sh ]; then source .attrs.sh; fi +if [ -e "$NIX_ATTRS_SH_FILE" ]; then . "$NIX_ATTRS_SH_FILE"; elif [ -f .attrs.sh ]; then . .attrs.sh; fi source $stdenv/setup doSub() { diff --git a/nixpkgs/nixos/modules/services/networking/unbound.nix b/nixpkgs/nixos/modules/services/networking/unbound.nix index 0426dbb0c83c..b6579af10a79 100644 --- a/nixpkgs/nixos/modules/services/networking/unbound.nix +++ b/nixpkgs/nixos/modules/services/networking/unbound.nix @@ -166,7 +166,7 @@ in { services.unbound.settings = { server = { directory = mkDefault cfg.stateDir; - username = cfg.user; + username = ''""''; chroot = ''""''; pidfile = ''""''; # when running under systemd there is no need to daemonize @@ -245,14 +245,13 @@ in { NotifyAccess = "main"; Type = "notify"; - # FIXME: Which of these do we actually need, can we drop the chroot flag? AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" # needed if ip-transparent is set to true + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" - "CAP_SETGID" - "CAP_SETUID" - "CAP_SYS_CHROOT" - "CAP_SYS_RESOURCE" ]; User = cfg.user; 
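Review bot: CAP_NET_RAW is granted unconditionally in both AmbientCapabilities and the new CapabilityBoundingSet, although the inline comment on that entry says it is only needed when ip-transparent is set, so the resolver keeps raw-socket rights it does not use in the default configuration. If the settings option exposes that key, gate it instead, e.g. `++ lib.optional (cfg.settings.server.ip-transparent or false) "CAP_NET_RAW"`; if that is not practical, keep the comment so the trade-off stays visible. Dropping CAP_SETUID/CAP_SETGID/CAP_SYS_CHROOT is only sound because the preceding hunk forces unbound's own `username` and `chroot` to empty, which deserves a comment next to the capability list such as `# privilege drop is done by systemd (User=); unbound's own setuid/chroot must stay disabled`. A user overriding `settings.server.username` should then fail at evaluation with a conflicting-definition error rather than at runtime, which is the better failure mode but worth stating. The serviceConfig attrset continues past this hunk.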
@@ -266,22 +265,19 @@ in { ProtectControlGroups = true; ProtectKernelModules = true; ProtectSystem = "strict"; + ProtectClock = true; + ProtectHostname = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectKernelLogs = true; + ProtectKernelTunables = true; RuntimeDirectory = "unbound"; ConfigurationDirectory = "unbound"; StateDirectory = "unbound"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; RestrictRealtime = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ - "~@clock" - "@cpu-emulation" - "@debug" - "@keyring" - "@module" - "mount" - "@obsolete" - "@resources" - ]; + SystemCallFilter = [ "@system-service" ]; RestrictNamespaces = true; LockPersonality = true; RestrictSUIDSGID = true; diff --git a/nixpkgs/nixos/modules/services/search/opensearch.nix b/nixpkgs/nixos/modules/services/search/opensearch.nix index 9a50e7963138..ae79d5545fd7 100644 --- a/nixpkgs/nixos/modules/services/search/opensearch.nix +++ b/nixpkgs/nixos/modules/services/search/opensearch.nix @@ -72,6 +72,18 @@ in The port to listen on for transport traffic. ''; }; + + options."plugins.security.disabled" = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Whether to enable the security plugin, + `plugins.security.ssl.transport.keystore_filepath` or + `plugins.security.ssl.transport.server.pemcert_filepath` and + `plugins.security.ssl.transport.client.pemcert_filepath` + must be set for this plugin to be enabled. + ''; + }; }; default = {}; @@ -186,6 +198,13 @@ in shopt -s inherit_errexit # Install plugins + + # remove plugins directory if it is empty. + if [ -z "$(ls -A ${cfg.dataDir}/plugins)" ]; then + rm -r "${cfg.dataDir}/plugins" + fi + + ln -sfT "${cfg.package}/plugins" "${cfg.dataDir}/plugins" ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules 
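Review bot: The new `SystemCallFilter = [ "@system-service" ]` switches from a deny-list to an allow-list, which is the better baseline, but as far as I can tell from systemd's group definitions `@system-service` includes `@resources` and `@keyring`, both of which the removed list named explicitly; if that restriction was intentional, append `"~@resources"` (and `"~@keyring"` if unbound's remote-control and trust-anchor handling does not need it) after the group so the allow-list is narrowed again. A short comment like `# allow-list; narrowed further below` above the entry would make the intent obvious to the next reader. The serviceConfig attrset continues past this hunk.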
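Review bot: The description of the new `plugins.security.disabled` option is inverted relative to its name and default: it reads "Whether to enable the security plugin" while the option is `disabled` and defaults to `true`, so an operator reading the docs could believe authentication and TLS are on by default when they are off. Rewrite it as `Whether to disable the OpenSearch security plugin (authentication and transport TLS). Set to false to enable it; plugins.security.ssl.transport.keystore_filepath, or both plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath, must then be set or the node will not start.` and add a sentence that the default leaves the cluster unauthenticated, which differs from upstream distributions that ship the plugin enabled (worth confirming against the packaged version). The options attrset continues past this hunk.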
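Review bot: The new emptiness check runs `ls -A` on `${cfg.dataDir}/plugins` without first checking that the path exists, so on a fresh install the substitution yields an empty string, the branch is taken and `rm -r` fails on a missing directory, aborting the script if errexit is in effect (the `shopt -s inherit_errexit` line suggests it is). Also, when the directory is a real non-empty directory (an operator's manually installed plugins) it is left in place and the following `ln -sfT` refuses to replace a directory, so preStart aborts with a generic ln error instead of a clear message. Guard the branch with `if [ -d "${cfg.dataDir}/plugins" ] && [ ! -L "${cfg.dataDir}/plugins" ] && [ -z "$(ls -A "${cfg.dataDir}/plugins")" ]; then` and, in the non-empty case, emit an explicit error explaining that plugins are now provided by the package. The preStart script continues past this hunk.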
diff --git a/nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix b/nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix index 5ebee48c3e0b..1fa69814c6c9 100644 --- a/nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix +++ b/nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix 
@@ -1,123 +1,110 @@ { config, lib, pkgs, ... }: -with lib; - let + inherit (lib) + literalExpression + mdDoc + mkEnableOption + mkIf + mkOption + mkPackageOptionMD + mkRemovedOptionModule + types + ; cfg = config.services.plantuml-server; in { + imports = [ + (mkRemovedOptionModule [ "services" "plantuml-server" "allowPlantumlInclude" ] "This option has been removed from PlantUML.") + ]; + options = { services.plantuml-server = { - enable = mkEnableOption (lib.mdDoc "PlantUML server"); + enable = mkEnableOption (mdDoc "PlantUML server"); - package = mkOption { - type = types.package; - default = pkgs.plantuml-server; - defaultText = literalExpression "pkgs.plantuml-server"; - description = lib.mdDoc "PlantUML server package to use"; - }; + package = mkPackageOptionMD pkgs "plantuml-server" { }; packages = { - jdk = mkOption { - type = types.package; - default = pkgs.jdk; - defaultText = literalExpression "pkgs.jdk"; - description = lib.mdDoc "JDK package to use for the server"; - }; - jetty = mkOption { - type = types.package; - default = pkgs.jetty; - defaultText = literalExpression "pkgs.jetty"; - description = lib.mdDoc "Jetty package to use for the server"; + jdk = mkPackageOptionMD pkgs "jdk" { }; + jetty = mkPackageOptionMD pkgs "jetty" { + default = "jetty_11"; + extraDescription = '' + At the time of writing (v1.2023.12), PlantUML Server does not support + Jetty versions higher than 12.x. 
+ + Jetty 12.x has introduced major breaking changes, see + <https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.0> and + <https://eclipse.dev/jetty/documentation/jetty-12/programming-guide/index.html#pg-migration-11-to-12> + ''; }; }; user = mkOption { type = types.str; default = "plantuml"; - description = lib.mdDoc "User which runs PlantUML server."; + description = mdDoc "User which runs PlantUML server."; }; group = mkOption { type = types.str; default = "plantuml"; - description = lib.mdDoc "Group which runs PlantUML server."; + description = mdDoc "Group which runs PlantUML server."; }; home = mkOption { - type = types.str; + type = types.path; default = "/var/lib/plantuml"; - description = lib.mdDoc "Home directory of the PlantUML server instance."; + description = mdDoc "Home directory of the PlantUML server instance."; }; listenHost = mkOption { type = types.str; default = "127.0.0.1"; - description = lib.mdDoc "Host to listen on."; + description = mdDoc "Host to listen on."; }; listenPort = mkOption { type = types.int; default = 8080; - description = lib.mdDoc "Port to listen on."; + description = mdDoc "Port to listen on."; }; plantumlLimitSize = mkOption { type = types.int; default = 4096; - description = lib.mdDoc "Limits image width and height."; + description = mdDoc "Limits image width and height."; }; - graphvizPackage = mkOption { - type = types.package; - default = pkgs.graphviz; - defaultText = literalExpression "pkgs.graphviz"; - description = lib.mdDoc "Package containing the dot executable."; - }; + graphvizPackage = mkPackageOptionMD pkgs "graphviz" { }; plantumlStats = mkOption { type = types.bool; default = false; - description = lib.mdDoc "Set it to on to enable statistics report (https://plantuml.com/statistics-report)."; + description = mdDoc "Set it to on to enable statistics report (https://plantuml.com/statistics-report)."; }; httpAuthorization = mkOption { type = types.nullOr types.str; default = null; - description = 
lib.mdDoc "When calling the proxy endpoint, the value of HTTP_AUTHORIZATION will be used to set the HTTP Authorization header."; - }; - - allowPlantumlInclude = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Enables !include processing which can read files from the server into diagrams. Files are read relative to the current working directory."; + description = mdDoc "When calling the proxy endpoint, the value of HTTP_AUTHORIZATION will be used to set the HTTP Authorization header."; }; }; }; config = mkIf cfg.enable { - users.users.${cfg.user} = { - isSystemUser = true; - group = cfg.group; - home = cfg.home; - createHome = true; - }; - - users.groups.${cfg.group} = {}; - systemd.services.plantuml-server = { description = "PlantUML server"; wantedBy = [ "multi-user.target" ]; path = [ cfg.home ]; + environment = { PLANTUML_LIMIT_SIZE = builtins.toString cfg.plantumlLimitSize; GRAPHVIZ_DOT = "${cfg.graphvizPackage}/bin/dot"; PLANTUML_STATS = if cfg.plantumlStats then "on" else "off"; HTTP_AUTHORIZATION = cfg.httpAuthorization; - ALLOW_PLANTUML_INCLUDE = if cfg.allowPlantumlInclude then "true" else "false"; }; script = '' ${cfg.packages.jdk}/bin/java \ 
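Review bot: `httpAuthorization` is still passed through `environment.HTTP_AUTHORIZATION`, which ends up verbatim in the generated unit file in the world-readable Nix store and in `systemctl show` output; since the option's description line is being rewritten here, it should at least warn about that, e.g. `This value is written to the systemd unit in the world-readable Nix store; do not put production credentials here, use an EnvironmentFile or LoadCredential instead.` A follow-up could add an `environmentFile` option so the secret never enters the store. Separately, the new Jetty description says PlantUML Server "does not support Jetty versions higher than 12.x" while the default is `jetty_11` and the next paragraph describes 12.0 as the breaking release, so the intended wording is presumably "12.x or higher". The config attrset continues in the next hunk.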
@@ -128,13 +115,40 @@ in jetty.http.host=${cfg.listenHost} \ jetty.http.port=${builtins.toString cfg.listenPort} ''; + serviceConfig = { User = cfg.user; Group = cfg.group; + StateDirectory = mkIf (cfg.home == "/var/lib/plantuml") "plantuml"; + StateDirectoryMode = mkIf (cfg.home == "/var/lib/plantuml") "0750"; + + # Hardening + AmbientCapabilities = [ "" ]; + CapabilityBoundingSet = [ "" ]; + DynamicUser = true; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateNetwork = false; PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" ]; }; }; }; - meta.maintainers = with lib.maintainers; [ truh ]; + meta.maintainers = with lib.maintainers; [ truh anthonyroussel ]; } diff --git a/nixpkgs/nixos/modules/services/web-servers/jboss/builder.sh b/nixpkgs/nixos/modules/services/web-servers/jboss/builder.sh index ac573089cd5a..8c49b87db060 100644 --- a/nixpkgs/nixos/modules/services/web-servers/jboss/builder.sh +++ b/nixpkgs/nixos/modules/services/web-servers/jboss/builder.sh @@ -1,6 +1,6 @@ set -e -if [ -e .attrs.sh ]; then source .attrs.sh; fi +if [ -e "$NIX_ATTRS_SH_FILE" ]; then . "$NIX_ATTRS_SH_FILE"; elif [ -f .attrs.sh ]; then . .attrs.sh; fi source $stdenv/setup mkdir -p $out/bin |
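Review bot: `StateDirectory` and `StateDirectoryMode` are only set when `cfg.home` is the default `/var/lib/plantuml`, but the service now runs with `DynamicUser = true` and `ProtectSystem = "strict"`, so a non-default home is neither created nor writable and the previously removed `users.users.${cfg.user}` (with `createHome`) no longer covers that case; if the server writes to its home, add `ReadWritePaths = mkIf (cfg.home != "/var/lib/plantuml") [ cfg.home ];` alongside an assertion that the directory is provisioned by the operator, or document that a custom `home` is the operator's responsibility. Also worth a comment above `DynamicUser = true` that `cfg.user` must not be a statically defined account anymore, since the static user definition was dropped in the preceding hunk. The jboss builder.sh hunk on this line only changes how `.attrs.sh` is located and needs no further review.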