
Merge remote-tracking branch 'origin/master' into staging-next

This commit is contained in:
K900 2025-04-04 21:11:09 +03:00
commit 79542ad7f3
55 changed files with 894 additions and 363 deletions


@ -1419,6 +1419,7 @@
./services/security/paretosecurity.nix
./services/security/pass-secret-service.nix
./services/security/physlock.nix
./services/security/pocket-id.nix
./services/security/shibboleth-sp.nix
./services/security/sks.nix
./services/security/sshguard.nix


@ -421,8 +421,7 @@ in
};
environment = env;
preStart =
''
preStart = ''
# remove old papaerless-manage symlink
# TODO: drop with NixOS 25.11
[[ -L '${cfg.dataDir}/paperless-manage' ]] && rm '${cfg.dataDir}/paperless-manage'
@ -448,13 +447,15 @@ in
${cfg.package}/bin/paperless-ngx document_index reindex
fi
echo ${cfg.package.version} > "$versionFile"
fi
''
+ lib.optionalString (cfg.passwordFile != null) ''
echo ${cfg.package.version} > "$versionFile"
fi
if ${lib.boolToString (cfg.passwordFile != null)} || [[ -n $PAPERLESS_ADMIN_PASSWORD ]]; then
export PAPERLESS_ADMIN_USER="''${PAPERLESS_ADMIN_USER:-admin}"
PAPERLESS_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD")
export PAPERLESS_ADMIN_PASSWORD
if [[ -e $CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD ]]; then
PAPERLESS_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD")
export PAPERLESS_ADMIN_PASSWORD
fi
superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD"
superuserStateFile="${cfg.dataDir}/superuser-state"
@ -462,7 +463,8 @@ in
${cfg.package}/bin/paperless-ngx manage_superuser
echo "$superuserState" > "$superuserStateFile"
fi
'';
fi
'';
requires = lib.optional cfg.database.createLocally "postgresql.service";
after =
lib.optional enableRedis "redis-paperless.service"
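Review bot: The widened condition `if ${lib.boolToString (cfg.passwordFile != null)} || [[ -n $PAPERLESS_ADMIN_PASSWORD ]]; then` means a password supplied through the environment now also flows into `superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD"`, which the context lines below write in plaintext to `${cfg.dataDir}/superuser-state`. The mode of that state file is not visible in the hunk; if it is not already restricted, creating it under a `umask 077` or persisting a hash of the state rather than the password itself would keep the credential out of a possibly group- or world-readable data directory. A short comment above the new inner `if` would also document the precedence, e.g. `# a credential in $CREDENTIALS_DIRECTORY overrides PAPERLESS_ADMIN_PASSWORD from the environment`. The preStart script continues outside the hunk.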


@ -24,6 +24,17 @@
# dependencies here. This creates the necessary symlinks in the proper locations.
systemd.sockets.paretosecurity.wantedBy = [ "sockets.target" ];
# In NixOS, systemd services are configured with minimal PATH. However,
# paretosecurity helper looks for installed software to do its job, so
# it needs the full system PATH. For example, it runs `iptables` to see if
# firewall is configured. And it looks for various password managers to see
# if one is installed.
# The `paretosecurity-user` timer service that is configured lower has
# the same need.
systemd.services.paretosecurity.serviceConfig.Environment = [
"PATH=${config.system.path}/bin:${config.system.path}/sbin"
];
# Enable the tray icon and timer services if the trayIcon option is enabled
systemd.user = lib.mkIf config.services.paretosecurity.trayIcon {
services.paretosecurity-trayicon = {
@ -31,6 +42,9 @@
};
services.paretosecurity-user = {
wantedBy = [ "graphical-session.target" ];
serviceConfig.Environment = [
"PATH=${config.system.path}/bin:${config.system.path}/sbin"
];
};
timers.paretosecurity-user = {
wantedBy = [ "timers.target" ];
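Review bot: The full-system `PATH` string is written twice, once for `systemd.services.paretosecurity.serviceConfig.Environment` and again for `services.paretosecurity-user.serviceConfig.Environment`, so the two can drift apart; a single `let paretoPath = "PATH=${config.system.path}/bin:${config.system.path}/sbin"; in` binding referenced from both would keep them in sync. Widening a service's minimal PATH to the whole system path is a deliberate choice, and the comment block above the first use explains it well; a one-line pointer on the user service (`# needs the full system PATH for the same reason as paretosecurity.service above`) would save the next reader a search. The enclosing module attribute set starts outside the hunk.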


@ -0,0 +1,278 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
optionalAttrs
optional
mkPackageOption
;
inherit (lib.types)
bool
path
str
submodule
;
cfg = config.services.pocket-id;
format = pkgs.formats.keyValue { };
settingsFile = format.generate "pocket-id-env-vars" cfg.settings;
in
{
meta.maintainers = with lib.maintainers; [
gepbird
ymstnt
];
options.services.pocket-id = {
enable = mkEnableOption "Pocket ID server";
package = mkPackageOption pkgs "pocket-id" { };
environmentFile = mkOption {
type = path;
description = ''
Path to an environment file loaded for the Pocket ID service.
This can be used to securely store tokens and secrets outside of the world-readable Nix store.
Example contents of the file:
MAXMIND_LICENSE_KEY=your-license-key
'';
default = "/dev/null";
example = "/var/lib/secrets/pocket-id";
};
settings = mkOption {
type = submodule {
freeformType = format.type;
options = {
PUBLIC_APP_URL = mkOption {
type = str;
description = ''
The URL where you will access the app.
'';
default = "http://localhost";
};
TRUST_PROXY = mkOption {
type = bool;
description = ''
Whether the app is behind a reverse proxy.
'';
default = false;
};
};
};
default = { };
description = ''
Environment variables that will be passed to Pocket ID, see
[configuration options](https://pocket-id.org/docs/configuration/environment-variables)
for supported values.
'';
};
dataDir = mkOption {
type = path;
default = "/var/lib/pocket-id";
description = ''
The directory where Pocket ID will store its data, such as the database.
'';
};
user = mkOption {
type = str;
default = "pocket-id";
description = "User account under which Pocket ID runs.";
};
group = mkOption {
type = str;
default = "pocket-id";
description = "Group account under which Pocket ID runs.";
};
};
config = mkIf cfg.enable {
warnings = (
optional (cfg.settings ? MAXMIND_LICENSE_KEY)
"config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead."
);
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"
];
systemd.services = {
pocket-id-backend = {
description = "Pocket ID backend";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
cfg.package
cfg.environmentFile
settingsFile
];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.dataDir;
ExecStart = "${cfg.package}/bin/pocket-id-backend";
Restart = "always";
EnvironmentFile = [
cfg.environmentFile
settingsFile
];
# Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
DevicePolicy = "closed";
#IPAddressDeny = "any"; # communicates with the frontend
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateNetwork = false; # communicates with the frontend
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full"; # needs to write in cfg.dataDir
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.concatStringsSep " " [
"~"
"@clock"
"@cpu-emulation"
"@debug"
"@module"
"@mount"
"@obsolete"
"@privileged"
"@raw-io"
"@reboot"
#"@resources" # vm test segfaults
"@swap"
];
UMask = "0077";
};
};
pocket-id-frontend = {
description = "Pocket ID frontend";
after = [
"network.target"
"pocket-id-backend.service"
];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
cfg.package
cfg.environmentFile
settingsFile
];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/pocket-id-frontend";
Restart = "always";
EnvironmentFile = [
cfg.environmentFile
settingsFile
];
# Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
DevicePolicy = "closed";
#IPAddressDeny = "any"; # communicates with the backend and client
LockPersonality = true;
MemoryDenyWriteExecute = false; # V8_Fatal segfault
NoNewPrivileges = true;
PrivateDevices = true;
PrivateNetwork = false; # communicates with the backend and client
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.concatStringsSep " " [
"~"
"@clock"
"@cpu-emulation"
"@debug"
"@module"
"@mount"
"@obsolete"
"@privileged"
"@raw-io"
"@reboot"
"@resources"
"@swap"
];
UMask = "0077";
};
};
};
users.users = optionalAttrs (cfg.user == "pocket-id") {
pocket-id = {
isSystemUser = true;
group = cfg.group;
description = "Pocket ID backend user";
home = cfg.dataDir;
};
};
users.groups = optionalAttrs (cfg.group == "pocket-id") {
pocket-id = { };
};
};
}
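Review bot: The tmpfiles rule `"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"` makes the directory that the `dataDir` description says holds the database world-readable and traversable, even though both units run with `UMask = "0077"`; `"d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}"` (or 0700) is consistent with the rest of the hardening. On the backend, `ProtectSystem = "full"; # needs to write in cfg.dataDir` leaves all of /var writable; since the unit only needs its own state directory, `ProtectSystem = "strict";` together with `ReadWritePaths = [ cfg.dataDir ];` grants the same write access behind a read-only view of the rest of the filesystem, matching the `strict` setting the frontend unit already uses. The `warnings` entry covers only `MAXMIND_LICENSE_KEY`; a comment above `settingsFile` noting that every value in `settings` is rendered into the world-readable Nix store would document why other secrets belong in `environmentFile`.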


@ -65,6 +65,7 @@ let
vaultwarden = cfg.package.override { inherit (cfg) dbBackend; };
useSendmail = configEnv.USE_SENDMAIL or null == "true";
in
{
imports = [
@ -236,10 +237,10 @@ in
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
NoNewPrivileges = !useSendmail;
PrivateDevices = !useSendmail;
PrivateTmp = true;
PrivateUsers = true;
PrivateUsers = !useSendmail;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
@ -262,10 +263,13 @@ in
inherit StateDirectory;
StateDirectoryMode = "0700";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
SystemCallFilter =
[
"@system-service"
]
++ lib.optionals (!useSendmail) [
"~@privileged"
];
Restart = "always";
UMask = "0077";
};
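Review bot: The relaxations `NoNewPrivileges = !useSendmail;`, `PrivateDevices = !useSendmail;` and `PrivateUsers = !useSendmail;`, together with dropping `"~@privileged"` from `SystemCallFilter` in the last hunk, remove a large part of the unit's sandbox whenever `USE_SENDMAIL=true`, but nothing in the hunks records why sendmail needs each of them. A comment next to the `useSendmail` binding such as `# delivering through the local sendmail wrapper presumably requires a setuid helper, which NoNewPrivileges/PrivateUsers and the @privileged filter would block; confirm which of these are actually needed` would let a later reviewer re-tighten the ones that are not. The definition `useSendmail = configEnv.USE_SENDMAIL or null == "true";` also reads more clearly with the select parenthesised, `useSendmail = (configEnv.USE_SENDMAIL or null) == "true";`, since `or` binds tighter than `==` in Nix. The `serviceConfig` set continues outside the hunks.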


@ -17,7 +17,7 @@ let
in
{
options.services.archtika = {
enable = mkEnableOption "Whether to enable the archtika service";
enable = mkEnableOption "the archtika CMS";
package = mkPackageOption pkgs "archtika" { };


@ -114,7 +114,7 @@ in
proxy_pass http://onlyoffice-docservice/$2$3;
'';
# /etc/nginx/includes/ds-docservice.conf
#disable caching for api.js
# disable caching for api.js
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(web-apps\\/apps\\/api\\/documents\\/api\\.js)$".extraConfig =
''
expires -1;
@ -124,26 +124,23 @@ in
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(document_editor_service_worker\\.js)$".extraConfig =
''
expires 365d;
# gzip_static on;
alias ${cfg.package}/var/www/onlyoffice/documentserver/sdkjs/common/serviceworker/$2;
alias ${cfg.package}/var/www/onlyoffice/documentserver/sdkjs/common/serviceworker/$2;
'';
#suppress logging the unsupported locale error in web-apps
# suppress logging the unsupported locale error in web-apps
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(web-apps)(\\/.*\\.json)$".extraConfig = ''
expires 365d;
error_log /dev/null crit;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
#suppress logging the unsupported locale error in plugins
# suppress logging the unsupported locale error in plugins
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(sdkjs-plugins)(\\/.*\\.json)$".extraConfig = ''
expires 365d;
error_log /dev/null crit;
# gzip_static on;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(web-apps|sdkjs|sdkjs-plugins|fonts|dictionaries)(\\/.*)$".extraConfig =
''
expires 365d;
# gzip_static on;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
"~* ^(\\/cache\\/files.*)(\\/.*)".extraConfig = ''
@ -302,9 +299,8 @@ in
' /run/onlyoffice/config/default.json | sponge /run/onlyoffice/config/default.json
chmod u+w /run/onlyoffice/config/production-linux.json
jq '
.FileConverter.converter.x2tPath = "${cfg.x2t}/bin/x2t"
' /run/onlyoffice/config/production-linux.json | sponge /run/onlyoffice/config/production-linux.json
jq '.FileConverter.converter.x2tPath = "${cfg.x2t}/bin/x2t"' \
/run/onlyoffice/config/production-linux.json | sponge /run/onlyoffice/config/production-linux.json
if psql -d onlyoffice -c "SELECT 'task_result'::regclass;" >/dev/null; then
psql -f ${cfg.package}/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql