Merge remote-tracking branch 'origin/master' into staging-next

Conflicts: pkgs/development/compilers/llvm/common/default.nix
2025-07-13 21:50:33 +03:00 · 2024-09-29 20:10:12 +02:00 · 2024-09-29 20:10:12 +02:00 · ac037f0b18
commit ac037f0b18
parent 8e5ca58e0a af61785ba3
80 changed files with 1456 additions and 924 deletions
--- a/nixos/modules/services/blockchain/ethereum/geth.nix
+++ b/nixos/modules/services/blockchain/ethereum/geth.nix
@ -103,7 +103,7 @@ let
      };

      network = lib.mkOption {
-        type = lib.types.nullOr (lib.types.enum [ "goerli" "rinkeby" "yolov2" "ropsten" ]);
+        type = lib.types.nullOr (lib.types.enum [ "goerli" "holesky" "rinkeby" "yolov2" "ropsten" ]);
        default = null;
        description = "The network to connect to. Mainnet (null) is the default ethereum network.";
      };
--- a/nixos/modules/services/hardware/upower.nix
+++ b/nixos/modules/services/hardware/upower.nix
@ -85,7 +85,7 @@ in

      percentageLow = lib.mkOption {
        type = lib.types.ints.unsigned;
-        default = 10;
+        default = 20;
        description = ''
          When `usePercentageForPolicy` is
          `true`, the levels at which UPower will consider the
@ -103,7 +103,7 @@ in

      percentageCritical = lib.mkOption {
        type = lib.types.ints.unsigned;
-        default = 3;
+        default = 5;
        description = ''
          When `usePercentageForPolicy` is
          `true`, the levels at which UPower will consider the
--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@ -260,6 +260,8 @@ in
        # hardening
        CapabilityBoundingSet = [
          "CAP_CHOWN"
+          "CAP_DAC_OVERRIDE"
+          "CAP_SETUID"
          "CAP_SETGID"
        ];
        DevicePolicy = "closed";
@ -280,16 +282,16 @@ in
        ProtectSystem = "full";
        RestrictNamespaces = true;
        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
+        RestrictSUIDSGID = false; # can create sgid directories
        SystemCallArchitectures = "native";
        SystemCallFilter = [
-          "@system-service"
+          "@system-service @setuid"
          "~@privileged @resources"
          "@chown"
        ];
        UMask = "0027";
      } // lib.optionalAttrs (!cfg.allowNetworking) {
-        PrivateNetwork = true;
+        PrivateNetwork = true; # e.g. mail delivery
        RestrictAddressFamilies = "none";
      };
    };
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -514,6 +514,12 @@ in

    environment.etc = {
      "NetworkManager/NetworkManager.conf".source = configFile;
+
+      # The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets;
+      # see https://github.com/NixOS/nixpkgs/issues/64965
+      "ipsec.secrets".text = ''
+        include ipsec.d/ipsec.nm-l2tp.secrets
+      '';
    }
    // builtins.listToAttrs (map
      (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" {
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@ -3,14 +3,12 @@
 let

  inherit (builtins) toFile;
-  inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList
+  inherit (lib) concatMapStrings concatStringsSep mapAttrsToList
                mkIf mkEnableOption mkOption types literalExpression optionalString;

  cfg = config.services.strongswan;

-  ipsecSecrets = secrets: toFile "ipsec.secrets" (
-    concatMapStringsSep "\n" (f: "include ${f}") secrets
-  );
+  ipsecSecrets = secrets: concatMapStrings (f: "include ${f}\n") secrets;

  ipsecConf = {setup, connections, ca}:
    let
@ -138,16 +136,12 @@ in
  };


-  config = with cfg;
-  let
-    secretsFile = ipsecSecrets cfg.secrets;
-  in
-  mkIf enable
+  config = with cfg; mkIf enable
    {

    # here we should use the default strongswan ipsec.secrets and
    # append to it (default one is empty so not a pb for now)
-    environment.etc."ipsec.secrets".source = secretsFile;
+    environment.etc."ipsec.secrets".text = ipsecSecrets cfg.secrets;

    systemd.services.strongswan = {
      description = "strongSwan IPSec Service";
@ -156,7 +150,10 @@ in
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      environment = {
-        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
+        STRONGSWAN_CONF = strongswanConf {
+          inherit setup connections ca managePlugins enabledPlugins;
+          secretsFile = "/etc/ipsec.secrets";
+        };
      };
      serviceConfig = {
        ExecStart  = "${pkgs.strongswan}/sbin/ipsec start --nofork";
--- a/nixos/modules/services/web-servers/bluemap.nix
+++ b/nixos/modules/services/web-servers/bluemap.nix
@ -13,6 +13,9 @@ let
        (format.generate "${name}.conf" value))
      cfg.maps);

+  addonsFolder = pkgs.linkFarm "addons"
+    (lib.attrsets.mapAttrs' (name: value: lib.nameValuePair "${name}.jar" value) cfg.addons);
+
  storageFolder = pkgs.linkFarm "storage"
    (lib.attrsets.mapAttrs' (name: value:
      lib.nameValuePair "${name}.conf"
@ -25,11 +28,16 @@ let
    "core.conf" = coreConfig;
    "webapp.conf" = webappConfig;
    "webserver.conf" = webserverConfig;
-    "resourcepacks" = pkgs.linkFarm "resourcepacks" cfg.resourcepacks;
+    "packs" = pkgs.linkFarm "packs" cfg.resourcepacks;
+    "addons" = addonsFolder;
  };

  inherit (lib) mkOption;
 in {
+  imports = [
+    (lib.mkRenamedOptionModule [ "services" "bluemap" "resourcepacks" ] [ "services" "bluemap" "packs" ])
+  ];
+
  options.services.bluemap = {
    enable = lib.mkEnableOption "bluemap";

@ -219,6 +227,26 @@ in {
      '';
    };

+    addons = mkOption {
+      type = lib.types.attrsOf lib.types.pathInStore;
+      default = { };
+      description = ''
+        A set of jar addons to be loaded.
+
+        See <https://bluemap.bluecolored.de/3rdPartySupport.html> for a list of officially recognized addons.
+      '';
+
+      example = lib.literalExpression ''
+        {
+          blueBridge = ./blueBridge.jar;
+          blueBorder = pkgs.fetchurl {
+            url = "https://github.com/pop4959/BlueBorder/releases/download/1.1.1/BlueBorder-1.1.1.jar";
+            hash = "...";
+          };
+        }
+      '';
+    };
+
    storage = mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        freeformType = format.type;
@ -249,10 +277,13 @@ in {
      '';
    };

-    resourcepacks = mkOption {
+    packs = mkOption {
      type = lib.types.attrsOf lib.types.pathInStore;
      default = { };
-      description = "A set of resourcepacks to use, loaded in alphabetical order";
+      description = ''
+        A set of resourcepacks, datapacks, and mods to extract resources from,
+        loaded in alphabetical order.
+      '';
    };
  };

@ -293,11 +324,12 @@ in {
      "${cfg.host}" = {
        root = config.services.bluemap.webRoot;
        locations = {
-          "~* ^/maps/[^/]*/tiles/[^/]*.json$".extraConfig = ''
-            error_page 404 =200 /assets/emptyTile.json;
+          "@empty".return = "204";
+
+          "~* ^/maps/[^/]*/tiles/".extraConfig = ''
+            error_page 404 = @empty;
            gzip_static always;
          '';
-          "~* ^/maps/[^/]*/tiles/[^/]*.png$".tryFiles = "$uri =204";
        };
      };
    };