some options have default that are best described in prose, such as
defaults that depend on the system stateVersion, defaults that are
derivations specific to the surrounding context, or those where the
expression is much longer and harder to understand than a simple text
snippet.
escape interpolations in descriptions where possible, replace them with
sufficiently descriptive text elsewhere. also expand cfg.* paths in
descriptions.
adds defaultText for all options that use `cfg.*` values in their
defaults, but only for interpolations with no extra processing (other
than toString where necessary)
Previously the extraComponents added to an overriden package would not
have been considered in hardening measures enforced by the module.
Home Assistant is warning the user about component definitions having
moved away from YAML, so using an override to include support for a
component might become the better way moving forward.
The nix.daemonNiceLevel options allows for setting the nice level of the
Nix daemon process. On a modern Linux kernel with group scheduling the
nice level only affects threads relative to other threads in the same
task group (see sched(7)). Therefore this option has not the effect one
might expect.
The options daemonCPUSchedPolicy and daemonIOSchedClass are introduced
and the daemonIONiceLevel option renamed to daemonIOSchedPrority for
consistency. These options allow for more effective control over CPU
and I/O scheduling.
Instead of setting daemonNiceLevel to a high value to increase the
responsiveness of an interactive system during builds -- which would not
have the desired effect, as described above -- one could set both
daemonCPUSchedPolicy and daemonIOSchedClass to idle.
The latest version of Subsonic (6.1.6) does not suport Java SE 9 or later
because it depends on the JAXB APIs. Those are considered to be Java EE
APIs are no longer contained on the default classpath in Java SE 9 and
are completely removed in Java SE 11..
Don't worry, it's is true by default. But I think this is important to
have because NixOS indeed shouldn't need Nix at run time when the
installation is not being modified, and now we can verify that.
NixOS images that cannot "self-modify" are a legitamate
use-case that this supports more minimally. One should be able to e.g. do a
sshfs mount and use `nixos-install` to modify them remotely, or just
discard them and build fresh ones if they are run VMs or something.
The next step would be to make generations optional, allowing just
baking `/etc` and friends rather than using activation scripts. But
that's more involved so I'm leaving it out.
This is the first version of the mautrix-facebook module. Due to lack of secret support on NixOS as well as the requirement of a homeserver domain it requires some setup. For completeness here is my working config using NixOps secrets:
```nix
deployment.keys."mautrix-facebook-config.env" = {
text = ''
MAUTRIX_FACEBOOK_APPSERVICE_AS_TOKEN=${secrets.as_token}
MAUTRIX_FACEBOOK_APPSERVICE_HS_TOKEN=${secrets.hs_token}
'';
destDir = "/var/keys";
};
deployment.keys."mautrix-facebook-registration.yaml" = {
text = builtins.toJSON config.services.mautrix-facebook.registrationData;
destDir = "/var/keys";
user = "matrix-synapse";
};
users.users.matrix-synapse.extraGroups = ["keys"];
systemd.services.matrix-synapse.after = ["keys.service"];
systemd.services.matrix-synapse.wants = ["keys.service"];
services.mautrix-facebook = {
enable = true;
settings = {
homeserver.domain = "bots.kevincox.ca";
bridge = {
displayname_template = "{displayname}";
permissions = {
"@kevincox:matrix.org" = "admin";
};
};
};
environmentFile = "/var/keys/mautrix-facebook-config.env";
registrationData = {
as_token = secrets.as_token;
hs_token = secrets.hs_token;
};
};
systemd.services.mautrix-facebook = rec {
wants = ["keys.target"];
after = wants;
};
services.matrix-synapse.app_service_config_files = [
"/var/keys/mautrix-facebook-registration.yaml"
];
```
The MemoryDenyWriteExecute systemd option is widely known to be
incompatible with nodejs, and causes service crashes as reported in #119687.
Fixes#119687.
Adds the ability to provide the --write flag in addition to the --serve flag via
a new option, services.sshServe.write.
A user can now share their system as a remote builder with friends easily as
follows:
{
nix = {
sshServe = {
enable = true;
write = true;
keys = ["ssh-dss AAAAB3NzaC1k... alice@example.org"];
};
};
}
Co-authored-by: Raphael Megzari <raphael@megzari.com>
Matrix homeservers have two important domains. The user-visible server_name and the homeserver domain which serves most of the traffic but is really seen by users. The docs around this variable said "This is used by remote servers to connect to this server" which is very confusing because most of the remote server traffic actually goes the server domain, not the server_name domain. (The server_name domain is only used to fetch the .well-known file that points at the server domain).
I largely copied the wording from https://matrix-org.github.io/synapse/latest/usage/configuration/homeserver_sample_config.html as I found it much more clear.
* nixos/airsonic: make path to war file and jre configurable
* Apply suggestions from code review
Co-authored-by: Sumner Evans <me@sumnerevans.com>
Co-authored-by: Sumner Evans <me@sumnerevans.com>
Printers are usually connected over USB to serial interfaces that are
mounted as tty character devices owned by the dialout group. Add our
octoprint service to this group at runtime to allow access to these
printers.
The paperless project has moved on to paperless-ng and the original
paperless package in Nixpkgs has stopped working recently (due to
version incompatibility with the providede Django package).
Instead of investing more time into the old module we should migrate all
users to the new module instead.
Before this commit, the `flake` option was typed with `types.unspecified`.
This type get's merged via [`mergeDefaultOption`](ebb592a04c/lib/options.nix (L119-L128)), which has a line
```nix
else if all isFunction list then x: mergeDefaultOption loc (map (f: f x) list)
```
`lib.isFunction` detects an attrs in the shape of `{__functor = ...}` as
a function and hence this line substitutes such attrs with a function
(f: f x).
If now, a flake input has a `__functor` as it's output, this will
coerce the once attrs to a function. This breaks a lot of things later
in the stack, for example a later `lib.filterAttrs seive <LAMBDA>` will
fail for obious reasons.
According to @infinisil, `types.unspecified` is due to deprecation. In
the meantime this PR provides a specific fix for the specific problem
discovered.
Trying to steer NixOS users away from reporting bugs to the upstream,
when they don't have the capacity to support bugs that could be the
result of our downstreaming setup.
We don't want to have to wait for the timer to expire for the updater
to make its first run. This adds a timer unit which triggers the
geoipupdate.service unit immediately, but only runs if the configured
DatabaseDirectory doesn't exist yet.
The database directory needs to be created before the
geoipupdate.service unit is activated; otherwise, systemd will not be
able to set up the mount namespacing to grant the service read-write
access.
this adds support for software defined radio (SDR) devices by SDRplay.
SDRplay provides an unfree binary library and api-service as well
as a MIT licensed adapter library for SoapySDR for integration
with many popular SDR applications.
Enforce UMask on the systemd unit to restrict the permissions of files
created. Especially the homeserver signing key should not be world
readable, and media is served through synapse itself, so no other user
needs access to these files.
Use a prestart chmod to fixup the permissions on the signing key.
In newer versions of Nix (at least on 2.4pre20201102_550e11f) the
`extra-` prefix for config options received a special meaning and the
option `extra-sandbox-paths` isn't recognized anymore. This commit fixes
it.
It doesn't cause a behavior change when using older versions of Nix but
does cause an extra newline to appear in the config, thus changing the
hash.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
ssm-agent expects files in /etc/amazon/ssm. The pkg substitutes a location in
the nix store for those default files, but if we ever want to adjust this
configuration on NixOS, we'd need the ability to modify that file.
This change to the nixos module writes copies of the default files from the nix
store to /etc/amazon/ssm. Future versions can add config, but right now this
would allow users to at least write out a text value to
environment.etc."amazon/ssm/amazon-ssm-agent.json".text to provide
their own config.
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.
It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.
This leaves us with these options unsecured:
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ PrivateDevices= Service potentially has access to hardware devices 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 0.2
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ SupplementaryGroups= Service runs with supplementary groups 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1
→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
The reap function culls expired pastes outside of the process serving
the pastes. Previously the database could accumulate a large number of
pastes and while they were expired they would not be deleted unless
accessed from the frontend.
Individual settings would previously overwrite the whole config, but
now individual values can be overwritten.
Fix missing slash to make the database path an absolute path per
https://docs.sqlalchemy.org/en/14/core/engines.html#sqlite.
Drop preferred_lexers, it's not set to anything meaningful anyway.
Home-assistant through its `--runner` commandline flag supports sending
exit code 100 when the `homeassistant.restart` service is called.
With `RestartForceExitStatus` we can listen for that specific exit code
and restart the whole systemd unit, providing an actual clean restart
with fresh processes. Additional treat exit code 100 as a successful
termination.
This is what is still exposed, and it should still allow things to work
as usual.
✗ PrivateNetwork= Service has access to the host's … 0.5
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc… 0.3
✗ DeviceAllow= Service has a device ACL with som… 0.1
✗ IPAddressDeny= Service does not define an IP add… 0.2
✗ PrivateDevices= Service potentially has access to… 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ SystemCallFilter=~@resources System call allow list defined fo… 0.2
✗ RootDirectory=/RootImage= Service runs within the host's ro… 0.1
✗ SupplementaryGroups= Service runs with supplementary g… 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
→ Overall exposure level for home-assistant.service: 1.6 OK :-)
This can grow to as much as ~1.9 if you use one of the bluetooth or nmap
trackers or the emulated_hue component, all of which required elevated
permisssions.
This ensures that newly created secrets will have the permissions
`0640`. With this change it's ensured that no sensitive information will
be word-readable at any time.
Related to #121293.
Strictly speaking this is a breaking change since each new directory
(including data-files) aren't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.
This is what is still exposed, and it allows me to control my lamps from
within home-assistant.
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ PrivateDevices= Service potentially has access to hardware devices 0.2
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ SupplementaryGroups= Service runs with supplementary groups 0.1
✗ MemoryDenyWriteExecute= Service may create writable executable memory mappings 0.1
→ Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.
See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
This version contains a vulnerability[1], and isn't maintained. The
original reason to have two jellyfin versions was to allow end-users to
backup the database before the layout was upgraded, but these backups
should be done periodically.
[1]: <https://nvd.nist.gov/vuln/detail/CVE-2021-21402>
As the only consequence of isSystemUser is that if the uid is null then
it's allocated below 500, if a user has uid = something below 500 then
we don't require isSystemUser to be set.
Motivation: https://github.com/NixOS/nixpkgs/issues/112647
This should reduce memory fragmentation drastically and is recommended
by both the Puma and the Sidekiq author. It's also the default value
for Ruby deployments on Heroku.
Commit 5395397f removed the assertions from the buildMachines to
ensure that either system or systems is set for each buildmachine.
This patch re-implements those assertions.
The symptom is that if both system and systems are omitted, then the
/etc/machines file has the wrong number of columns and any attempt to
run a `nix` operation that has to perform a build will fail with a
`strtoull` exception.
