Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/backup/postgresql-wal-receiver.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/mail/mailcatcher.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/mail/rspamd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 14 | ||||
-rw-r--r-- | nixos/modules/services/misc/home-assistant.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/graphite.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/networking/prosody.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/matomo.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/restya-board.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/tt-rss.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/wordpress.nix | 22 |
12 files changed, 47 insertions, 24 deletions
diff --git a/nixos/modules/services/backup/postgresql-wal-receiver.nix b/nixos/modules/services/backup/postgresql-wal-receiver.nix
index d9a37037992..3d9869d5343 100644
--- a/nixos/modules/services/backup/postgresql-wal-receiver.nix
+++ b/nixos/modules/services/backup/postgresql-wal-receiver.nix
@@ -169,13 +169,14 @@ in {
 systemd.services = with attrsets; mapAttrs' (name: config: nameValuePair "postgresql-wal-receiver-${name}" {
 description = "PostgreSQL WAL receiver (${name})";
 wantedBy = [ "multi-user.target" ];
+ startLimitIntervalSec = 0; # retry forever, useful in case of network disruption
 serviceConfig = {
 User = "postgres";
 Group = "postgres";
 KillSignal = "SIGINT";
 Restart = "always";
- RestartSec = 30;
+ RestartSec = 60;
 };
 inherit (config) environment;
diff --git a/nixos/modules/services/mail/mailcatcher.nix b/nixos/modules/services/mail/mailcatcher.nix
index fa8d41e918d..f5b4508b335 100644
--- a/nixos/modules/services/mail/mailcatcher.nix
+++ b/nixos/modules/services/mail/mailcatcher.nix
@@ -3,7 +3,7 @@ let
 cfg = config.services.mailcatcher;
- inherit (lib) mkEnableOption mkIf mkOption types;
+ inherit (lib) mkEnableOption mkIf mkOption types optionalString;
 in
 {
 # interface
@@ -54,6 +54,7 @@ in
 DynamicUser = true;
 Restart = "always";
 ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}";
+ AmbientCapabilities = optionalString (cfg.http.port < 1024 || cfg.smtp.port < 1024) "cap_net_bind_service";
 };
 };
 };
diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix
index 89aa9d17ff7..4db35d9e89a 100644
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
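Review bot: Disabling the start rate limit with `startLimitIntervalSec = 0` next to `Restart = "always"` means a receiver that fails for a non-transient reason (rejected replication credentials, a missing slot) reconnects to the primary every 60 s indefinitely, not only during the network disruptions the comment mentions. That is a defensible trade-off for a WAL receiver, but it should be spelled out so operators know systemd will never stop the unit for them and that repeated failures must be caught by alerting on the unit state or on failed replication connections logged by the primary. Suggest extending the comment to `# retry forever: systemd never gives up on this unit, so alert on repeated failures in the journal / on the primary instead`. The enclosing mapAttrs' body continues outside the hunk.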
@@ -68,7 +68,7 @@ let
 replaced with <literal>rspamd_proxy</literal>.
 '';
 apply = let
- from = "services.rspamd.workers.\”${name}\".type";
+ from = "services.rspamd.workers.\"${name}\".type";
 files = options.type.files;
 warning = "The option `${from}` defined in ${showFiles files} has enum value `proxy` which has been renamed to `rspamd_proxy`";
 in x: if x == "proxy" then traceWarning warning "rspamd_proxy" else x;
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 66da6864fca..4c1ffead00c 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -223,7 +223,15 @@ in {
 statePath = mkOption {
 type = types.str;
 default = "/var/gitlab/state";
- description = "Gitlab state directory, logs are stored here.";
+ description = '' Gitlab state directory. Configuration, repositories and logs, among other things, are stored here. The directory will be created automatically if it doesn't exist already. Its parent directories must be owned by either <literal>root</literal> or the user set in <option>services.gitlab.user</option>. '';
 };
 backupPath = mkOption {
@@ -673,6 +681,10 @@ in {
 openssh
 nodejs
 gnupg
+
+ # Needed for GitLab project imports
+ gnutar
+ gzip
 ];
 serviceConfig = {
 Type = "simple";
diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index f1b35124674..74702c97f55 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -224,6 +224,7 @@ in {
 KillSignal = "SIGINT";
 PrivateTmp = true;
 RemoveIPC = true;
+ AmbientCapabilities = "cap_net_raw,cap_net_admin+eip";
 };
 path = [
 "/run/wrappers" # needed for ping
diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix
index 64cb6c3da1e..f7874af3df2 100644
--- a/nixos/modules/services/monitoring/graphite.nix
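Review bot: In the home-assistant hunk, `"cap_net_raw,cap_net_admin+eip"` is setcap(8) syntax, not what systemd's `AmbientCapabilities=` takes, which is a whitespace-separated list of capability names; as far as I know systemd rejects the single comma/`+eip` token with a parse warning and the unit ends up with no ambient capabilities at all, so the setting silently does nothing (ping apparently still works through the `/run/wrappers` setuid binary named on the next context line). If both capabilities are really needed the line should be `AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";`, and the commit should say which integration needs each one — CAP_NET_ADMIN allows reconfiguring interfaces and routes, which is a much larger grant than raw sockets for discovery, so it deserves a comment that lets a later reviewer drop it when it is no longer required. The enclosing serviceConfig block starts outside the hunk.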
+++ b/nixos/modules/services/monitoring/graphite.nix
@@ -239,7 +239,7 @@ in {
 description = "Any metrics received which match one of the experssions will be dropped.";
 default = null;
 type = types.nullOr types.str;
- example = "^some\.noisy\.metric\.prefix\..*";
+ example = "^some\\.noisy\\.metric\\.prefix\\..*";
 };
 whitelist = mkOption {
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index db4d0e328e2..887c89ddf3a 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -27,6 +27,7 @@ let
 [logging]
 level=${cfg.logLevel}
+ audit=${lib.boolToString config.security.audit.enable}
 [connection]
 ipv6.ip6-privacy=2
@@ -508,8 +509,9 @@ in {
 security.polkit.extraConfig = polkitConf;
- services.dbus.packages =
- optional cfg.enableStrongSwan pkgs.strongswanNM ++ cfg.packages;
+ services.dbus.packages = cfg.packages
+ ++ optional cfg.enableStrongSwan pkgs.strongswanNM
+ ++ optional (cfg.dns == "dnsmasq") pkgs.dnsmasq;
 services.udev.packages = cfg.packages;
 };
diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix
index 1ae063aa6bb..7a503e71166 100644
--- a/nixos/modules/services/networking/prosody.nix
+++ b/nixos/modules/services/networking/prosody.nix
@@ -465,7 +465,7 @@ in
 modules_enabled = {
- ${ lib.concatStringsSep "\n\ \ " (lib.mapAttrsToList
+ ${ lib.concatStringsSep "\n " (lib.mapAttrsToList
 (name: val: optionalString val "${toLua name};") cfg.modules) }
 ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.package.communityModules)}
diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix
index d9f840408cc..1e34aff8d17 100644
--- a/nixos/modules/services/web-apps/matomo.nix
+++ b/nixos/modules/services/web-apps/matomo.nix
@@ -105,8 +105,8 @@ in {
 default = null;
 example = {
 serverAliases = [
- "matomo.$\{config.networking.domain\}"
- "stats.$\{config.networking.domain\}"
+ "matomo.\${config.networking.domain}"
+ "stats.\${config.networking.domain}"
 ];
 enableACME = false;
 };
@@ -115,7 +115,7 @@ in {
 Either this option or the webServerUser option is mandatory.
 Set this to {} to just enable the virtualHost if you don't need any customization.
 If enabled, then by default, the <option>serverName</option> is
- <literal>${user}.$\{config.networking.hostName\}.$\{config.networking.domain\}</literal>,
+ <literal>''${user}.''${config.networking.hostName}.''${config.networking.domain}</literal>,
 SSL is active, and certificates are acquired via ACME.
 If this is set to null (the default), no nginx virtualHost will be configured.
 '';
@@ -275,7 +275,7 @@ in {
 fastcgi_pass unix:${phpSocket};
 '';
 # Any other attempt to access any php files is forbidden
- locations."~* ^.+\.php$".extraConfig = ''
+ locations."~* ^.+\\.php$".extraConfig = ''
 return 403;
 '';
 # Disallow access to unneeded directories
@@ -284,7 +284,7 @@ in {
 return 403;
 '';
 # Disallow access to several helper files
- locations."~* \.(?:bat|git|ini|sh|txt|tpl|xml|md)$".extraConfig = ''
+ locations."~* \\.(?:bat|git|ini|sh|txt|tpl|xml|md)$".extraConfig = ''
 return 403;
 '';
 # No crawling of this site for bots that obey robots.txt - no useful information here.
diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix
index 1e7882488ac..2c2f36ac598 100644
--- a/nixos/modules/services/web-apps/restya-board.nix
+++ b/nixos/modules/services/web-apps/restya-board.nix
@@ -235,7 +235,7 @@ in
 locations."/".root = "${runDir}/client";
- locations."~ \.php$" = {
+ locations."~ \\.php$" = {
 tryFiles = "$uri =404";
 extraConfig = ''
 include ${pkgs.nginx}/conf/fastcgi_params;
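Review bot: In the matomo description hunk (`@@ -115,7`), `''${user}` now escapes the interpolation of `user` as well, so the rendered option documentation shows a literal `${user}` that a reader cannot resolve, whereas the old text expanded it to the actual service user name; only the two `config.networking.*` references were meant to be shown literally. If `user` is the module's let-bound service user name, as its use here suggests, the line should be `<literal>${user}.''${config.networking.hostName}.''${config.networking.domain}</literal>,`. The regex escaping fixes in the two `locations` hunks below are correct and worth keeping: with the old `"~ \.php$"` Nix dropped the backslash, so nginx matched any path ending in the four characters `.php` preceded by anything, which is a looser rule than intended for the PHP-handler and deny blocks. The enclosing `description = ''` string starts outside the hunk.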
@@ -246,7 +246,7 @@ in
 '';
 };
- locations."~* \.(css|js|less|html|ttf|woff|jpg|jpeg|gif|png|bmp|ico)" = {
+ locations."~* \\.(css|js|less|html|ttf|woff|jpg|jpeg|gif|png|bmp|ico)" = {
 root = "${runDir}/client";
 extraConfig = ''
 if (-f $request_filename) {
diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix
index abe4748591e..b92e3449894 100644
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@@ -548,7 +548,7 @@ let
 index = "index.php";
 };
- locations."~ \.php$" = {
+ locations."~ \\.php$" = {
 extraConfig = ''
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.socket};
diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix
index 88475437058..e311dd917dd 100644
--- a/nixos/modules/services/web-apps/wordpress.nix
+++ b/nixos/modules/services/web-apps/wordpress.nix
@@ -61,6 +61,19 @@ let
 ?>
 '';
+ secretsVars = [ "AUTH_KEY" "SECURE_AUTH_KEY" "LOOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT" ];
+ secretsScript = hostStateDir: ''
+ if ! test -e "${hostStateDir}/secret-keys.php"; then
+ umask 0177
+ echo "<?php" >> "${hostStateDir}/secret-keys.php"
+ ${concatMapStringsSep "\n" (var: ''
+ echo "define('${var}', '`tr -dc a-zA-Z0-9 </dev/urandom | head -c 64`');" >> "${hostStateDir}/secret-keys.php"
+ '') secretsVars}
+ echo "?>" >> "${hostStateDir}/secret-keys.php"
+ chmod 440 "${hostStateDir}/secret-keys.php"
+ fi
+ '';
+
 siteOpts = { lib, name, ... }: {
 options = {
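Review bot: In the wordpress hunk, `secretsVars` spells the third constant `LOOGGED_IN_KEY`; WordPress reads `LOGGED_IN_KEY`, so the freshly generated value is defined under a name nothing consumes and, as far as I know, wp_salt() then falls back to a salt it stores in the database — exactly the state this script exists to avoid. Change the entry to `"LOGGED_IN_KEY"`. Because the `test -e` guard keeps an existing `secret-keys.php`, hosts provisioned before that fix keep the misspelled constant until the file is regenerated, which the commit message should call out. Generating the salts locally from /dev/urandom under `umask 0177` instead of fetching them over HTTPS from api.wordpress.org (the `-` lines in the following hunk) is a clear improvement — it removes a network dependency and a third party from the secret-generation path and closes the window in which the old script appended to a file created with the default umask before the `chmod 440`.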
@@ -340,14 +353,7 @@ in
 wantedBy = [ "multi-user.target" ];
 before = [ "phpfpm-wordpress-${hostName}.service" ];
 after = optional cfg.database.createLocally "mysql.service";
- script = ''
- if ! test -e "${stateDir hostName}/secret-keys.php"; then
- echo "<?php" >> "${stateDir hostName}/secret-keys.php"
- ${pkgs.curl}/bin/curl -s https://api.wordpress.org/secret-key/1.1/salt/ >> "${stateDir hostName}/secret-keys.php"
- echo "?>" >> "${stateDir hostName}/secret-keys.php"
- chmod 440 "${stateDir hostName}/secret-keys.php"
- fi
- '';
+ script = secretsScript (stateDir hostName);
 serviceConfig = {
 Type = "oneshot";