author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-01-10 01:03:35 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-10 01:03:35 +0000 |
commit | 433c7b069cd23e6aa5076cf5414e6c46023df795 (patch) | |
tree | 690c945d9be403f9d834c5d9dd9b922c084cceb9 /nixos | |
parent | fcbe48c79793e614092ba278e05d5594995a88e3 (diff) | |
parent | db1dd04c9f49d6cfb1d22977a9b8f88e72e3e41d (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 8 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2103.xml | 5 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/audio/mpd.nix | 64 | ||||
-rw-r--r-- | nixos/modules/services/misc/nzbhydra2.nix | 78 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/gnome3.nix | 6 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/nzbhydra2.nix | 17 |
8 files changed, 156 insertions, 24 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 3da8080958ee..0b1d0d509d78 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -1343,6 +1343,14 @@ CREATE ROLE postgres LOGIN SUPERUSER; It was chosen to do this as it has a usability breaking issue (see issue <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>) that makes it unsuitable to be a default app. </para> + <note> + <para> + Issue <link + xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link> + is now fixed and <package>gnome3.epiphany</package> is once + again installed by default. + </para> + </note> </listitem> <listitem> <para> diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index 05daca1d710c..9070957aee4a 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -504,6 +504,11 @@ http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/e The option's description was incorrect regarding ownership management and has been simplified greatly. </para> </listitem> + <listitem> + <para> + The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 8fd5d4519fdd..c2a9e0f32015 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -492,6 +492,7 @@ ./services/misc/nix-ssh-serve.nix ./services/misc/novacomd.nix ./services/misc/nzbget.nix + ./services/misc/nzbhydra2.nix ./services/misc/octoprint.nix ./services/misc/osrm.nix ./services/misc/packagekit.nix diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index e09e4861646c..c8e5045f6dc2 100644 --- a/nixos/modules/services/audio/mpd.nix 
+++ b/nixos/modules/services/audio/mpd.nix
@@ -10,6 +10,14 @@ let
 gid = config.ids.gids.mpd;
 cfg = config.services.mpd;
 
+credentialsPlaceholder = (creds:
+let
+placeholders = (imap0
+(i: c: ''password "{{password-${toString i}}}@${concatStringsSep "," c.permissions}"'')
+creds);
+in
+concatStringsSep "\n" placeholders);
+
 mpdConf = pkgs.writeText "mpd.conf" ''
 # This file was automatically generated by NixOS. Edit mpd's configuration
 # via NixOS' configuration.nix, as this file will be rewritten upon mpd's
@@ -32,6 +40,8 @@ let
 }
 ''}
 
+${credentialsPlaceholder cfg.credentials}
+
 ${cfg.extraConfig}
 '';
 
@@ -152,16 +162,35 @@ in {
 '';
 };
 
-credentialsFile = mkOption {
-type = types.path;
+credentials = mkOption {
+type = types.listOf (types.submodule {
+options = {
+passwordFile = mkOption {
+type = types.path;
+description = ''
+Path to file containing the password.
+'';
+};
+permissions = let
+perms = ["read" "add" "control" "admin"];
+in mkOption {
+type = types.listOf (types.enum perms);
+default = [ "read" ];
+description = ''
+List of permissions that are granted with this password.
+Permissions can be "${concatStringsSep "\", \"" perms}".
+'';
+};
+};
+});
 description = ''
-Path to a file to be merged with the settings during the service startup.
-Useful to merge a file which is better kept out of the Nix store
-because it contains sensible data like MPD's password. Example may look like this:
-<literal>password "myMpdPassword@read,add,control,admin"</literal>
+Credentials and permissions for accessing the mpd server.
 '';
-default = "/dev/null";
-example = "/var/lib/secrets/mpd.conf";
+default = [];
+example = [
+{passwordFile = "/var/lib/secrets/mpd_readonly_password"; permissions = [ "read" ];}
+{passwordFile = "/var/lib/secrets/mpd_admin_password"; permissions = ["read" "add" "control" "admin"];}
+];
 };
 
 fluidsynth = mkOption {
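Review bot: The `passwordFile` description in the new `credentials` submodule says nothing about who must be able to read the file or how its content is consumed, and both matter for a secret option. The ExecStartPre in the next hunk reads it with `$(cat …)` from a script that carries no `+` prefix, so it runs as `services.mpd.user` and the file must be readable by that user; the whole file content minus a trailing newline becomes the password, and because the type is `types.path` a relative path literal such as `./mpd-password` is copied into the world-readable Nix store. I would replace the one-line description with: `Path to a file containing the password. The file is read at service start-up (not at build time), so keep it outside the Nix store; it must be readable by services.mpd.user, and its entire content except a trailing newline is used as the password.`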
@@ -201,12 +230,15 @@ in {
 serviceConfig = mkMerge [
 {
 User = "${cfg.user}";
-ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /etc/mpd.conf";
-ExecStartPre = pkgs.writeScript "mpd-start-pre" ''
-#!${pkgs.runtimeShell}
+ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
+ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
 set -euo pipefail
-cat ${mpdConf} ${cfg.credentialsFile} > /etc/mpd.conf
+install -m 600 ${mpdConf} /run/mpd/mpd.conf
+${pkgs.replace}/bin/replace-literal -fe ${
+concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
+} /run/mpd/mpd.conf
 '';
+RuntimeDirectory = "mpd";
 Type = "notify";
 LimitRTPRIO = 50;
 LimitRTTIME = "infinity";
@@ -230,14 +262,6 @@ in {
 })
 ];
 };
-environment.etc."mpd.conf" = {
-mode = "0640";
-group = cfg.group;
-user = cfg.user;
-# To be modified by the service' ExecStartPre
-text = ''
-'';
-};
 
 users.users = optionalAttrs (cfg.user == name) {
 ${name} = {
diff --git a/nixos/modules/services/misc/nzbhydra2.nix b/nixos/modules/services/misc/nzbhydra2.nix
new file mode 100644
index 000000000000..c396b4b8f6e9
--- /dev/null
+++ b/nixos/modules/services/misc/nzbhydra2.nix
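Review bot: In the new ExecStartPre a missing or unreadable password file is not caught: `$(cat ${c.passwordFile})` is expanded as an argument of replace-literal, and `set -e` only sees the exit status of replace-literal itself, so a failed `cat` yields an empty string and the placeholder is replaced by nothing, leaving a line like `password "@read,add,control,admin"` in /run/mpd/mpd.conf while the unit starts normally (whether MPD then honours an empty password I cannot confirm from here, but the config is certainly not what the operator intended). Reading each file into a variable first (`pw_0="$(cat …)"`) makes the failure fatal, because the status of a plain assignment is the status of its substitution. Two further points: with the default `credentials = []` the call expands to `replace-literal -fe /run/mpd/mpd.conf` with no from/to pair, which looks like it will fail every start unless replace-literal tolerates that (not verifiable here), so it should be guarded with `optionalString (cfg.credentials != [])`; and the passwords are passed as argv, so they are briefly visible in `/proc/<pid>/cmdline` to any local user, which at least deserves a comment. The surrounding `serviceConfig = mkMerge [` list continues outside this hunk.
```nix
ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
  set -euo pipefail
  install -m 600 ${mpdConf} /run/mpd/mpd.conf
  # Read each secret into a variable first: a failing `cat` inside an
  # assignment is fatal under `set -e`, a failing one inside an argument is not.
  ${concatStringsSep "\n" (imap0 (i: c: ''
    pw_${toString i}="$(cat ${c.passwordFile})"
    [ -n "$pw_${toString i}" ] || { echo "mpd: empty password in ${c.passwordFile}" >&2; exit 1; }
  '') cfg.credentials)}
  ${optionalString (cfg.credentials != []) ''
    # NOTE: passwords are passed as arguments and are briefly visible in /proc/<pid>/cmdline.
    ${pkgs.replace}/bin/replace-literal -fe ${
      concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$pw_${toString i}\"") cfg.credentials)
    } /run/mpd/mpd.conf
  ''}
'';
```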
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let cfg = config.services.nzbhydra2;
+
+in {
+options = {
+services.nzbhydra2 = {
+enable = mkEnableOption "NZBHydra2";
+
+dataDir = mkOption {
+type = types.str;
+default = "/var/lib/nzbhydra2";
+description = "The directory where NZBHydra2 stores its data files.";
+};
+
+openFirewall = mkOption {
+type = types.bool;
+default = false;
+description =
+"Open ports in the firewall for the NZBHydra2 web interface.";
+};
+
+package = mkOption {
+type = types.package;
+default = pkgs.nzbhydra2;
+defaultText = "pkgs.nzbhydra2";
+description = "NZBHydra2 package to use.";
+};
+};
+};
+
+config = mkIf cfg.enable {
+systemd.tmpfiles.rules =
+[ "d '${cfg.dataDir}' 0700 nzbhydra2 nzbhydra2 - -" ];
+
+systemd.services.nzbhydra2 = {
+description = "NZBHydra2";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+Type = "simple";
+User = "nzbhydra2";
+Group = "nzbhydra2";
+ExecStart =
+"${cfg.package}/bin/nzbhydra2 --nobrowser --datafolder '${cfg.dataDir}'";
+Restart = "on-failure";
+# Hardening
+NoNewPrivileges = true;
+PrivateTmp = true;
+PrivateDevices = true;
+DevicePolicy = "closed";
+ProtectSystem = "strict";
+ReadWritePaths = cfg.dataDir;
+ProtectHome = "read-only";
+ProtectControlGroups = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+RestrictAddressFamilies ="AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+LockPersonality = true;
+};
+};
+
+networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ 5076 ]; };
+
+users.users.nzbhydra2 = {
+group = "nzbhydra2";
+isSystemUser = true;
+};
+
+users.groups.nzbhydra2 = {};
+};
+}
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 68a65d77d62f..a36a47d376b6 100644
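Review bot: `ProtectHome = "read-only"` in the new serviceConfig leaves every user's home directory readable to the nzbhydra2 process, and nothing in this unit needs that (its state lives in `dataDir`, default `/var/lib/nzbhydra2`, which is the only ReadWritePaths entry); `ProtectHome = true;` is the stricter setting, and the otherwise fairly complete hardening list also lacks `CapabilityBoundingSet = "";` and `SystemCallArchitectures = "native";`, which an unprivileged single-user service should tolerate (not verified by running it here). Two smaller points: `dataDir` is `types.str` and is hand-quoted with single quotes into both the tmpfiles rule and `ExecStart`, so a value containing `'` breaks both — `types.path` states the expectation and `--datafolder ${escapeShellArg cfg.dataDir}` is the safe form in ExecStart; and `RestrictAddressFamilies ="AF_UNIX …"` is missing the space before `=`.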
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -19,7 +19,7 @@ let
 
 defaultFavoriteAppsOverride = ''
 [org.gnome.shell]
-favorite-apps=[ 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ]
+favorite-apps=[ 'org.gnome.Epiphany.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ]
 '';
 
 nixos-gsettings-desktop-schemas = let
@@ -409,9 +409,7 @@ in
 baobab
 cheese
 eog
-/* Not in good standing on nixos:
-* https://github.com/NixOS/nixpkgs/issues/98819
-/* epiphany */
+epiphany
 gedit
 gnome-calculator
 gnome-calendar
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 8d04f10157e7..d53c6f6511e3 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -274,6 +274,7 @@ in
 novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {};
 nsd = handleTest ./nsd.nix {};
 nzbget = handleTest ./nzbget.nix {};
+nzbhydra2 = handleTest ./nzbhydra2.nix {};
 oh-my-zsh = handleTest ./oh-my-zsh.nix {};
 openarena = handleTest ./openarena.nix {};
 openldap = handleTest ./openldap.nix {};
diff --git a/nixos/tests/nzbhydra2.nix b/nixos/tests/nzbhydra2.nix
new file mode 100644
index 000000000000..c82c756c3a1c
--- /dev/null
+++ b/nixos/tests/nzbhydra2.nix
@@ -0,0 +1,17 @@
+import ./make-test-python.nix ({ lib, ... }:
+
+with lib;
+
+{
+name = "nzbhydra2";
+meta.maintainers = with maintainers; [ jamiemagee ];
+
+nodes.machine = { pkgs, ... }: { services.nzbhydra2.enable = true; };
+
+testScript = ''
+machine.start()
+machine.wait_for_unit("nzbhydra2.service")
+machine.wait_for_open_port(5076)
+machine.succeed("curl --fail http://localhost:5076/")
+'';
+})
|
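Review bot: The new nzbhydra2 test only proves that the web UI answers on localhost; it does not exercise the security-relevant defaults the module sets, and a one-line check would lock in the `0700` data directory the tmpfiles rule creates: `machine.succeed("stat -c %a /var/lib/nzbhydra2 | grep -qx 700")` after the existing curl. Separately, `wait_for_open_port(5076)` followed by a single `curl --fail` assumes the application serves requests as soon as it accepts connections; if nzbhydra2 opens its socket before its HTTP layer is ready (I cannot tell from here), `machine.wait_until_succeeds("curl --fail http://localhost:5076/")` in place of those two lines would make the test robust against that race.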