authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2021-01-10 01:03:35 +0000
committerGitHub <noreply@github.com>2021-01-10 01:03:35 +0000
commit433c7b069cd23e6aa5076cf5414e6c46023df795 (patch)
tree690c945d9be403f9d834c5d9dd9b922c084cceb9 /nixos
parentfcbe48c79793e614092ba278e05d5594995a88e3 (diff)
parentdb1dd04c9f49d6cfb1d22977a9b8f88e72e3e41d (diff)
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2009.xml8
-rw-r--r--nixos/doc/manual/release-notes/rl-2103.xml5
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/audio/mpd.nix64
-rw-r--r--nixos/modules/services/misc/nzbhydra2.nix78
-rw-r--r--nixos/modules/services/x11/desktop-managers/gnome3.nix6
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/nzbhydra2.nix17
8 files changed, 156 insertions, 24 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 3da8080958ee..0b1d0d509d78 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -1343,6 +1343,14 @@ CREATE ROLE postgres LOGIN SUPERUSER;
It was chosen to do this as it has a usability breaking issue (see issue <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>)
that makes it unsuitable to be a default app.
</para>
+ <note>
+ <para>
+ Issue <link
+ xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>
+ is now fixed and <package>gnome3.epiphany</package> is once
+ again installed by default.
+ </para>
+ </note>
</listitem>
<listitem>
<para>
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 05daca1d710c..9070957aee4a 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -504,6 +504,11 @@ http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/e
The option's description was incorrect regarding ownership management and has been simplified greatly.
</para>
</listitem>
+ <listitem>
+ <para>
+ The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default.
+ </para>
+ </listitem>
</itemizedlist>
</section>
</section>
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 8fd5d4519fdd..c2a9e0f32015 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -492,6 +492,7 @@
./services/misc/nix-ssh-serve.nix
./services/misc/novacomd.nix
./services/misc/nzbget.nix
+ ./services/misc/nzbhydra2.nix
./services/misc/octoprint.nix
./services/misc/osrm.nix
./services/misc/packagekit.nix
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index e09e4861646c..c8e5045f6dc2 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -10,6 +10,14 @@ let
gid = config.ids.gids.mpd;
cfg = config.services.mpd;
+ credentialsPlaceholder = (creds:
+ let
+ placeholders = (imap0
+ (i: c: ''password "{{password-${toString i}}}@${concatStringsSep "," c.permissions}"'')
+ creds);
+ in
+ concatStringsSep "\n" placeholders);
+
mpdConf = pkgs.writeText "mpd.conf" ''
# This file was automatically generated by NixOS. Edit mpd's configuration
# via NixOS' configuration.nix, as this file will be rewritten upon mpd's
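Review bot: `credentialsPlaceholder` carries no comment explaining why the generated `password` lines contain `{{password-N}}` tokens instead of the secrets themselves, so a reader of `mpdConf` alone cannot tell that the tokens are substituted later and that the store file is intentionally secret-free. I would add above the binding: `# Emit one mpd 'password "<secret>@<perms>"' line per credential, with a {{password-N}} placeholder in place of the secret; the real value is substituted into /run/mpd/mpd.conf by ExecStartPre so that it never enters the Nix store.` The `let` block this binding belongs to starts before the hunk.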
@@ -32,6 +40,8 @@ let
}
''}
+ ${credentialsPlaceholder cfg.credentials}
+
${cfg.extraConfig}
'';
@@ -152,16 +162,35 @@ in {
'';
};
- credentialsFile = mkOption {
- type = types.path;
+ credentials = mkOption {
+ type = types.listOf (types.submodule {
+ options = {
+ passwordFile = mkOption {
+ type = types.path;
+ description = ''
+ Path to file containing the password.
+ '';
+ };
+ permissions = let
+ perms = ["read" "add" "control" "admin"];
+ in mkOption {
+ type = types.listOf (types.enum perms);
+ default = [ "read" ];
+ description = ''
+ List of permissions that are granted with this password.
+ Permissions can be "${concatStringsSep "\", \"" perms}".
+ '';
+ };
+ };
+ });
description = ''
- Path to a file to be merged with the settings during the service startup.
- Useful to merge a file which is better kept out of the Nix store
- because it contains sensible data like MPD's password. Example may look like this:
- <literal>password "myMpdPassword@read,add,control,admin"</literal>
+ Credentials and permissions for accessing the mpd server.
'';
- default = "/dev/null";
- example = "/var/lib/secrets/mpd.conf";
+ default = [];
+ example = [
+ {passwordFile = "/var/lib/secrets/mpd_readonly_password"; permissions = [ "read" ];}
+ {passwordFile = "/var/lib/secrets/mpd_admin_password"; permissions = ["read" "add" "control" "admin"];}
+ ];
};
fluidsynth = mkOption {
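Review bot: The `credentialsFile` option is removed outright without a `mkRemovedOptionModule` entry (and this merge carries no rl-2103 note for it), so a configuration that still sets `services.mpd.credentialsFile` fails evaluation with a generic undefined-option error instead of a message pointing at `credentials`. The new `passwordFile` description could also state the two constraints the generated config implies: mpd's `password "secret@perms"` line (see the removed example in this hunk) uses `@` as the separator, so a password containing `@` would presumably be misparsed, and the file is read at service start by the unit's user, so it must be readable by that user while staying out of the Nix store. A suggested description: `Path to a file containing the password. The file must be readable by the mpd service user, and the password must not contain "@", which mpd uses to separate the password from its permissions.`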
@@ -201,12 +230,15 @@ in {
serviceConfig = mkMerge [
{
User = "${cfg.user}";
- ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /etc/mpd.conf";
- ExecStartPre = pkgs.writeScript "mpd-start-pre" ''
- #!${pkgs.runtimeShell}
+ ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
+ ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
set -euo pipefail
- cat ${mpdConf} ${cfg.credentialsFile} > /etc/mpd.conf
+ install -m 600 ${mpdConf} /run/mpd/mpd.conf
+ ${pkgs.replace}/bin/replace-literal -fe ${
+ concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
+ } /run/mpd/mpd.conf
'';
+ RuntimeDirectory = "mpd";
Type = "notify";
LimitRTPRIO = 50;
LimitRTTIME = "infinity";
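Review bot: When `cfg.credentials` is empty, the `concatStringsSep " -a " (imap0 …)` in the new ExecStartPre expands to nothing, so the script runs `replace-literal -fe /run/mpd/mpd.conf` with no search/replace pair; unless replace-literal tolerates that, `set -euo pipefail` aborts the pre-start and mpd no longer starts for the default configuration. Wrapping the call as `${optionalString (cfg.credentials != []) "${pkgs.replace}/bin/replace-literal -fe … /run/mpd/mpd.conf"}` avoids it. Separately, each password is read with `$(cat ${c.passwordFile})` and handed to replace-literal as a command-line argument, so for the duration of that call it is visible in `/proc/<pid>/cmdline` to every local user; a substitution tool that reads the secret from the file itself would keep it out of argv. Note also that ExecStartPre runs as `cfg.user` (no `+` prefix), so each `passwordFile` has to be readable by that user, which the option description should say. The unit definition continues outside the hunk.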
@@ -230,14 +262,6 @@ in {
})
];
};
- environment.etc."mpd.conf" = {
- mode = "0640";
- group = cfg.group;
- user = cfg.user;
- # To be modified by the service' ExecStartPre
- text = ''
- '';
- };
users.users = optionalAttrs (cfg.user == name) {
${name} = {
diff --git a/nixos/modules/services/misc/nzbhydra2.nix b/nixos/modules/services/misc/nzbhydra2.nix
new file mode 100644
index 000000000000..c396b4b8f6e9
--- /dev/null
+++ b/nixos/modules/services/misc/nzbhydra2.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let cfg = config.services.nzbhydra2;
+
+in {
+ options = {
+ services.nzbhydra2 = {
+ enable = mkEnableOption "NZBHydra2";
+
+ dataDir = mkOption {
+ type = types.str;
+ default = "/var/lib/nzbhydra2";
+ description = "The directory where NZBHydra2 stores its data files.";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ "Open ports in the firewall for the NZBHydra2 web interface.";
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.nzbhydra2;
+ defaultText = "pkgs.nzbhydra2";
+ description = "NZBHydra2 package to use.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.tmpfiles.rules =
+ [ "d '${cfg.dataDir}' 0700 nzbhydra2 nzbhydra2 - -" ];
+
+ systemd.services.nzbhydra2 = {
+ description = "NZBHydra2";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ User = "nzbhydra2";
+ Group = "nzbhydra2";
+ ExecStart =
+ "${cfg.package}/bin/nzbhydra2 --nobrowser --datafolder '${cfg.dataDir}'";
+ Restart = "on-failure";
+ # Hardening
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ DevicePolicy = "closed";
+ ProtectSystem = "strict";
+ ReadWritePaths = cfg.dataDir;
+ ProtectHome = "read-only";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies ="AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ LockPersonality = true;
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ 5076 ]; };
+
+ users.users.nzbhydra2 = {
+ group = "nzbhydra2";
+ isSystemUser = true;
+ };
+
+ users.groups.nzbhydra2 = {};
+ };
+}
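Review bot: The hardening block in `serviceConfig` stops short of the cheap directives that usually accompany this set: the unit runs as an unprivileged user and needs no capabilities, so `CapabilityBoundingSet = ""`, `SystemCallArchitectures = "native"` and `ProtectHostname`/`ProtectClock`/`ProtectKernelLogs` could be added, and `ProtectHome = "read-only"` can likely be `true` since all state lives under `dataDir`. `dataDir` is declared as `types.str` yet is interpolated into a tmpfiles rule and a single-quoted ExecStart argument; `types.path` is the conventional type here and would at least reject relative values. The firewall port `5076` is hard-coded in `networking.firewall` with no option to change it, which is acceptable for a first version but worth stating in the `openFirewall` description. I have not verified that nzbhydra2 (a JVM application) tolerates every possible directive, so `MemoryDenyWriteExecute` is deliberately left out of the suggestion.
```nix
        # Hardening
        NoNewPrivileges = true;
        # … unchanged: existing Private*/Protect*/Restrict* directives …
        LockPersonality = true;
        CapabilityBoundingSet = "";
        SystemCallArchitectures = "native";
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelLogs = true;
```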
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 68a65d77d62f..a36a47d376b6 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -19,7 +19,7 @@ let
defaultFavoriteAppsOverride = ''
[org.gnome.shell]
- favorite-apps=[ 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ]
+ favorite-apps=[ 'org.gnome.Epiphany.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ]
'';
nixos-gsettings-desktop-schemas = let
@@ -409,9 +409,7 @@ in
baobab
cheese
eog
- /* Not in good standing on nixos:
- * https://github.com/NixOS/nixpkgs/issues/98819
- /* epiphany */
+ epiphany
gedit
gnome-calculator
gnome-calendar
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 8d04f10157e7..d53c6f6511e3 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -274,6 +274,7 @@ in
novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {};
nsd = handleTest ./nsd.nix {};
nzbget = handleTest ./nzbget.nix {};
+ nzbhydra2 = handleTest ./nzbhydra2.nix {};
oh-my-zsh = handleTest ./oh-my-zsh.nix {};
openarena = handleTest ./openarena.nix {};
openldap = handleTest ./openldap.nix {};
diff --git a/nixos/tests/nzbhydra2.nix b/nixos/tests/nzbhydra2.nix
new file mode 100644
index 000000000000..c82c756c3a1c
--- /dev/null
+++ b/nixos/tests/nzbhydra2.nix
@@ -0,0 +1,17 @@
+import ./make-test-python.nix ({ lib, ... }:
+
+ with lib;
+
+ {
+ name = "nzbhydra2";
+ meta.maintainers = with maintainers; [ jamiemagee ];
+
+ nodes.machine = { pkgs, ... }: { services.nzbhydra2.enable = true; };
+
+ testScript = ''
+ machine.start()
+ machine.wait_for_unit("nzbhydra2.service")
+ machine.wait_for_open_port(5076)
+ machine.succeed("curl --fail http://localhost:5076/")
+ '';
+ })
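Review bot: The test only checks that the HTTP endpoint answers on port 5076; nothing verifies that the data directory is created with the owner and 0700 mode the module's tmpfiles rule requests, which is the property most likely to regress silently. A line such as `machine.succeed("stat -c '%U:%a' /var/lib/nzbhydra2 | grep -qx 'nzbhydra2:700'")` after `wait_for_unit` would pin it without slowing the test.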