Merge master into haskell-updates
github-actions[bot] authored Dec 28, 2023
2 parents b2e27ff + ddd6c02 commit f604139
Showing 176 changed files with 3,213 additions and 1,172 deletions.
11 changes: 10 additions & 1 deletion maintainers/maintainer-list.nix
Expand Up @@ -711,6 +711,15 @@
githubId = 20405311;
name = "Aksh Gupta";
};
al3xtjames = {
email = "nix@alextjam.es";
github = "al3xtjames";
githubId = 5672538;
name = "Alex James";
keys = [{
fingerprint = "F354 FFAB EA89 A49D 33ED 2590 4729 B829 AC5F CC72";
}];
};
alanpearce = {
email = "alan@alanpearce.eu";
github = "alanpearce";
Expand Down Expand Up @@ -16016,7 +16025,7 @@
};
running-grass = {
name = "Leo Liu";
email = "467195537@qq.com";
email = "hi@grass.show";
github = "running-grass";
githubId = 17241154;
keys = [{
2 changes: 2 additions & 0 deletions nixos/doc/manual/release-notes/rl-2405.section.md
Expand Up @@ -26,6 +26,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- [GNS3](https://www.gns3.com/), a network software emulator. Available as [services.gns3-server](#opt-services.gns3-server.enable).

- [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.

- [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).
The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares.

3 changes: 2 additions & 1 deletion nixos/modules/config/swap.nix
Expand Up @@ -258,7 +258,8 @@ in
# avoid this race condition.
after = [ "systemd-modules-load.service" ];
wantedBy = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" "shutdown.target"];
conflicts = [ "shutdown.target" ];
path = [ pkgs.util-linux pkgs.e2fsprogs ]
++ optional sw.randomEncryption.enable pkgs.cryptsetup;

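Review bot: `before = [ "${realDevice'}.swap" "shutdown.target"];` is missing the space before the closing bracket that every other unit touched by this commit uses (`"shutdown.target" ];`); worth fixing so the file stays consistent with the surrounding nixpkgs style. The randomEncryption unit this belongs to starts outside the hunk, so whether `DefaultDependencies` is off for it — which is what makes the explicit shutdown ordering and conflict necessary — is not visible here.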
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Expand Up @@ -620,6 +620,7 @@
./services/mail/public-inbox.nix
./services/mail/roundcube.nix
./services/mail/rspamd.nix
./services/mail/rspamd-trainer.nix
./services/mail/rss2email.nix
./services/mail/schleuder.nix
./services/mail/spamassassin.nix
3 changes: 2 additions & 1 deletion nixos/modules/security/apparmor.nix
Expand Up @@ -164,7 +164,8 @@ in
"local-fs.target"
"systemd-journald-audit.socket"
];
before = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
Description="Load AppArmor policies";
4 changes: 3 additions & 1 deletion nixos/modules/security/auditd.nix
Expand Up @@ -13,6 +13,8 @@ with lib;
systemd.services.auditd = {
description = "Linux Audit daemon";
wantedBy = [ "basic.target" ];
before = [ "shutdown.target" ];
conflicts = [ "shutdown.target "];

unitConfig = {
ConditionVirtualization = "!container";
Expand All @@ -23,7 +25,7 @@ with lib;
path = [ pkgs.audit ];

serviceConfig = {
ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
};
};
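Review bot: `conflicts = [ "shutdown.target "];` in the first hunk carries a trailing space inside the unit name, so the unit is misspelled; the module's unit-name option type is a pattern match and will very likely reject the value at evaluation time as soon as `security.auditd.enable` is set. It should read `conflicts = [ "shutdown.target" ];`. The explicit `before`/`conflicts` pair is only needed when `DefaultDependencies` is turned off for the unit, which is not visible in this hunk; if it is left on, the two new lines merely duplicate what systemd adds by default. The second hunk is whitespace only.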
6 changes: 4 additions & 2 deletions nixos/modules/security/duosec.nix
Expand Up @@ -195,7 +195,8 @@ in

systemd.services.login-duo = lib.mkIf cfg.ssh.enable {
wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
script = ''
if test -f "${cfg.secretKeyFile}"; then
Expand All @@ -216,7 +217,8 @@ in

systemd.services.pam-duo = lib.mkIf cfg.ssh.enable {
wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
script = ''
if test -f "${cfg.secretKeyFile}"; then
3 changes: 2 additions & 1 deletion nixos/modules/security/wrappers/default.nix
Expand Up @@ -278,7 +278,8 @@ in
systemd.services.suid-sgid-wrappers = {
description = "Create SUID/SGID Wrappers";
wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
unitConfig.RequiresMountsFor = [ "/nix/store" "/run/wrappers" ];
serviceConfig.Type = "oneshot";
13 changes: 12 additions & 1 deletion nixos/modules/services/development/livebook.md
Expand Up @@ -18,7 +18,7 @@ which runs the server.
port = 20123;
# See note below about security
environmentFile = pkgs.writeText "livebook.env" ''
LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
'';
};
}
Expand All @@ -37,3 +37,14 @@ A better approach would be to put the password in some secure
user-readable location and set `environmentFile = /home/user/secure/livebook.env`.

:::

### Extra dependencies {#module-services-livebook-extra-dependencies}

By default, the Livebook service is run with minimum dependencies, but
some features require additional packages. For example, the machine
learning Kinos require `gcc` and `gnumake`. To add these, use
`extraPackages`:

```
services.livebook.extraPackages = with pkgs; [ gcc gnumake ];
```
15 changes: 13 additions & 2 deletions nixos/modules/services/development/livebook.nix
Expand Up @@ -12,6 +12,8 @@ in
# future, this can be changed to a system service.
enableUserService = mkEnableOption "a user service for Livebook";

package = mkPackageOption pkgs "livebook" { };

environmentFile = mkOption {
type = types.path;
description = lib.mdDoc ''
Expand Down Expand Up @@ -63,6 +65,15 @@ in
}
'';
};

extraPackages = mkOption {
type = with types; listOf package;
default = [ ];
description = lib.mdDoc ''
Extra packages to make available to the Livebook service.
'';
example = literalExpression "with pkgs; [ gcc gnumake ]";
};
};

config = mkIf cfg.enableUserService {
Expand All @@ -79,9 +90,9 @@ in
sname = cfg.erlang_node_short_name;
} // cfg.options);
in
"${pkgs.livebook}/bin/livebook server ${args}";
"${cfg.package}/bin/livebook server ${args}";
};
path = [ pkgs.bash ];
path = [ pkgs.bash ] ++ cfg.extraPackages;
wantedBy = [ "default.target" ];
};
};
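Review bot: The new `extraPackages` description should say where the packages end up, since the option feeds the service's PATH rather than its build inputs: `Extra packages to put on the PATH of the Livebook service, e.g. compilers needed by some Kinos.`. `package` via `mkPackageOption` is fine as is; the `config` section that consumes both options starts outside the second hunk.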
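--- /dev/null
+++ b/nixos/modules/services/mail/rspamd-trainer.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+cfg = config.services.rspamd-trainer;
+format = pkgs.formats.toml { };
+
+in {
+options.services.rspamd-trainer = {
+
+enable = mkEnableOption (mdDoc "Spam/ham trainer for rspamd");
+
+settings = mkOption {
+default = { };
+description = mdDoc ''
+IMAP authentication configuration for rspamd-trainer. For supplying
+the IMAP password, use the `secrets` option.
+'';
+type = types.submodule {
+freeformType = format.type;
+};
+example = literalExpression ''
+{
+HOST = "localhost";
+USERNAME = "spam@example.com";
+INBOXPREFIX = "INBOX/";
+}
+'';
+};
+
+secrets = lib.mkOption {
+type = with types; listOf path;
+description = lib.mdDoc ''
+A list of files containing the various secrets. Should be in the
+format expected by systemd's `EnvironmentFile` directory. For the
+IMAP account password use `PASSWORD = mypassword`.
+'';
+default = [ ];
+};
+
+};
+
+config = mkIf cfg.enable {
+
+systemd = {
+services.rspamd-trainer = {
+description = "Spam/ham trainer for rspamd";
+serviceConfig = {
+ExecStart = "${pkgs.rspamd-trainer}/bin/rspamd-trainer";
+WorkingDirectory = "/var/lib/rspamd-trainer";
+StateDirectory = [ "rspamd-trainer/log" ];
+Type = "oneshot";
+DynamicUser = true;
+EnvironmentFile = [
+( format.generate "rspamd-trainer-env" cfg.settings )
+cfg.secrets
+];
+};
+};
+timers."rspamd-trainer" = {
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnBootSec = "10m";
+OnUnitActiveSec = "10m";
+Unit = "rspamd-trainer.service";
+};
+};
+};
+
+};
+
+meta.maintainers = with lib.maintainers; [ onny ];
+
+}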
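Review bot: `cfg.secrets` is a list nested inside the `EnvironmentFile` list, so as far as I can tell the unit renderer stringifies it as one entry: with the default `[ ]` that produces an empty `EnvironmentFile=` line, which systemd treats as a reset that discards the generated settings file, and two or more secret files would be joined into a single bogus path. Flatten it instead: `EnvironmentFile = [ (format.generate "rspamd-trainer-env" cfg.settings) ] ++ cfg.secrets;`. The `secrets` description should say "directive" rather than "directory", and since `types.path` also accepts path literals, which Nix copies into the world-readable store, it should tell users to pass the secret file location as a string (e.g. `"/run/secrets/rspamd-trainer"`) — the generated settings file already lives in the store, which is why the password must not go into `settings`. No `after`/`wants` on `rspamd.service` is declared; if the trainer talks to a local rspamd controller socket rather than over the network, `after = [ "rspamd.service" ];` may be needed, which I cannot tell from this file.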
Expand Up @@ -15,8 +15,8 @@ in {
type = types.listOf types.str;
example = literalExpression ''
[
"/run/kea-dhcp4/kea-dhcp4.socket"
"/run/kea-dhcp6/kea-dhcp6.socket"
"/run/kea/kea-dhcp4.socket"
"/run/kea/kea-dhcp6.socket"
]
'';
description = lib.mdDoc ''
Expand All @@ -31,13 +31,15 @@ in {
];
serviceConfig = {
User = "kea";
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-kea-exporter}/bin/kea-exporter \
--address ${cfg.listenAddress} \
--port ${toString cfg.port} \
${concatStringsSep " " cfg.controlSocketPaths}
'';
SupplementaryGroups = [ "kea" ];
RuntimeDirectory = "kea";
RuntimeDirectoryPreserve = true;
RestrictAddressFamilies = [
# Need AF_UNIX to collect data
"AF_UNIX"
3 changes: 2 additions & 1 deletion nixos/modules/services/networking/firewall-iptables.nix
Expand Up @@ -308,8 +308,9 @@ in
description = "Firewall";
wantedBy = [ "sysinit.target" ];
wants = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
before = [ "network-pre.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];

path = [ cfg.package ] ++ cfg.extraPackages;

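Review bot: With `conflicts = [ "shutdown.target" ]` the firewall unit is now stopped as part of every shutdown, so whatever its stop action does becomes reachable on each reboot; that action is outside this hunk, and if it flushes the rule set the host runs unfiltered for the rest of the shutdown while interfaces are still up, which is worth confirming is intended. A why-comment on the two new lines would help the next reader, assuming the reason is the one the sibling changes share: `# DefaultDependencies is off for this unit, so the stop-on-shutdown ordering and conflict must be requested explicitly`. The `before` line also moved below `after` in the process; grouping the ordering directives is fine, but it makes the diff larger than the change.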
22 changes: 10 additions & 12 deletions nixos/modules/services/networking/kea.nix
Expand Up @@ -254,6 +254,8 @@ in
DynamicUser = true;
User = "kea";
ConfigurationDirectory = "kea";
RuntimeDirectory = "kea";
RuntimeDirectoryPreserve = true;
StateDirectory = "kea";
UMask = "0077";
};
Expand Down Expand Up @@ -288,8 +290,8 @@ in
];

environment = {
KEA_PIDFILE_DIR = "/run/kea-ctrl-agent";
KEA_LOCKFILE_DIR = "/run/kea-ctrl-agent";
KEA_PIDFILE_DIR = "/run/kea";
KEA_LOCKFILE_DIR = "/run/kea";
};

restartTriggers = [
Expand All @@ -300,7 +302,6 @@ in
ExecStart = "${package}/bin/kea-ctrl-agent -c /etc/kea/ctrl-agent.conf ${lib.escapeShellArgs cfg.ctrl-agent.extraArgs}";
KillMode = "process";
Restart = "on-failure";
RuntimeDirectory = "kea-ctrl-agent";
} // commonServiceConfig;
};
})
Expand Down Expand Up @@ -329,8 +330,8 @@ in
];

environment = {
KEA_PIDFILE_DIR = "/run/kea-dhcp4";
KEA_LOCKFILE_DIR = "/run/kea-dhcp4";
KEA_PIDFILE_DIR = "/run/kea";
KEA_LOCKFILE_DIR = "/run/kea";
};

restartTriggers = [
Expand All @@ -348,7 +349,6 @@ in
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
RuntimeDirectory = "kea-dhcp4";
} // commonServiceConfig;
};
})
Expand Down Expand Up @@ -377,8 +377,8 @@ in
];

environment = {
KEA_PIDFILE_DIR = "/run/kea-dhcp6";
KEA_LOCKFILE_DIR = "/run/kea-dhcp6";
KEA_PIDFILE_DIR = "/run/kea";
KEA_LOCKFILE_DIR = "/run/kea";
};

restartTriggers = [
Expand All @@ -394,7 +394,6 @@ in
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
];
RuntimeDirectory = "kea-dhcp6";
} // commonServiceConfig;
};
})
Expand Down Expand Up @@ -423,8 +422,8 @@ in
];

environment = {
KEA_PIDFILE_DIR = "/run/kea-dhcp-ddns";
KEA_LOCKFILE_DIR = "/run/kea-dhcp-ddns";
KEA_PIDFILE_DIR = "/run/kea";
KEA_LOCKFILE_DIR = "/run/kea";
};

restartTriggers = [
Expand All @@ -439,7 +438,6 @@ in
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
];
RuntimeDirectory = "kea-dhcp-ddns";
} // commonServiceConfig;
};
})
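Review bot: `RuntimeDirectoryPreserve = true;` in the first hunk deserves a why-comment, since it is what keeps `/run/kea` alive when one of the four daemons that now share the directory stops: `RuntimeDirectoryPreserve = true; # /run/kea is shared by every kea unit; do not remove it when one of them stops`. The flip side is that sockets and pid/lock files left behind by a crashed daemon now persist in `/run/kea` until reboot, whereas the previous per-daemon directories were removed on stop. Moving the pid/lock and socket locations from `/run/kea-dhcp4` and friends to `/run/kea` changes paths users may have placed in `control-socket` settings or the exporter's `controlSocketPaths`; unless the commit covers it elsewhere, a 24.05 release-note entry should call that out. The `commonServiceConfig` set that the first hunk edits starts outside the hunk.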