commit 2d2b5e26d45f565be79d61727bf1306e41d3fe58 · pyrox.dev/nixpkgs

+7 -10

nixos/modules/services/search/manticore.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
       

     

       12
       9
        
         cfg = config.services.manticore;

     
···

       14
       11
        
       

     

       15
       12
        
         toSphinx =

     

       16
       13
        
           {

     

       17
       17
       -
             mkKeyValue ? generators.mkKeyValueDefault { } "=",

     

       14
       14
       +
             mkKeyValue ? lib.generators.mkKeyValueDefault { } "=",

     

       18
       15
        
             listsAsDuplicateKeys ? true,

     

       19
       16
        
           }:

     

       20
       17
        
           attrsOfAttrs:

     
···

       22
       19
        
             # map function to string for each key val

     

       23
       20
        
             mapAttrsToStringsSep =

     

       24
       21
        
               sep: mapFn: attrs:

     

       25
       25
       -
               concatStringsSep sep (mapAttrsToList mapFn attrs);

     

       22
       22
       +
               lib.concatStringsSep sep (lib.mapAttrsToList mapFn attrs);

     

       26
       23
        
             mkSection =

     

       27
       24
        
               sectName: sectValues:

     

       28
       25
        
               ''

     
···

       46
       43
        
         options = {

     

       47
       44
        
           services.manticore = {

     

       48
       45
        
       

     

       49
       49
       -
             enable = mkEnableOption "Manticoresearch";

     

       46
       46
       +
             enable = lib.mkEnableOption "Manticoresearch";

     

       50
       47
        
       

     

       51
       51
       -
             settings = mkOption {

     

       48
       48
       +
             settings = lib.mkOption {

     

       52
       49
        
               default = {

     

       53
       50
        
                 searchd = {

     

       54
       51
        
                   listen = [

     
···

       67
       64
        
                 <https://manual.manticoresearch.com/Server%20settings>

     

       68
       65
        
                 for more information.

     

       69
       66
        
               '';

     

       70
       70
       -
               type = types.submodule {

     

       67
       67
       +
               type = lib.types.submodule {

     

       71
       68
        
                 freeformType = format.type;

     

       72
       69
        
               };

     

       73
       73
       -
               example = literalExpression ''

     

       70
       70
       +
               example = lib.literalExpression ''

     

       74
       71
        
                 {

     

       75
       72
        
                   searchd = {

     

       76
       73
        
                       listen = [

     
···

       90
       87
        
           };

     

       91
       88
        
         };

     

       92
       89
        
       

     

       93
       93
       -
         config = mkIf cfg.enable {

     

       90
       90
       +
         config = lib.mkIf cfg.enable {

     

       94
       91
        
       

     

       95
       92
        
           systemd = {

     

       96
       93
        
             packages = [ pkgs.manticoresearch ];

+22 -25

nixos/modules/services/search/meilisearch.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.meilisearch;

     

       12
       9
        
       

     

       13
       10
        
       in

     

       14
       11
        
       {

     

       15
       12
        
       

     

       16
       16
       -
         meta.maintainers = with maintainers; [

     

       13
       13
       +
         meta.maintainers = with lib.maintainers; [

     

       17
       14
        
           Br1ght0ne

     

       18
       15
        
           happysalada

     

       19
       16
        
         ];

     
···

       22
       19
        
         ###### interface

     

       23
       20
        
       

     

       24
       21
        
         options.services.meilisearch = {

     

       25
       25
       -
           enable = mkEnableOption "MeiliSearch - a RESTful search API";

     

       22
       22
       +
           enable = lib.mkEnableOption "MeiliSearch - a RESTful search API";

     

       26
       23
        
       

     

       27
       27
       -
           package = mkPackageOption pkgs "meilisearch" {

     

       24
       24
       +
           package = lib.mkPackageOption pkgs "meilisearch" {

     

       28
       25
        
             extraDescription = ''

     

       29
       26
        
               Use this if you require specific features to be enabled. The default package has no features.

     

       30
       27
        
             '';

     

       31
       28
        
           };

     

       32
       29
        
       

     

       33
       33
       -
           listenAddress = mkOption {

     

       30
       30
       +
           listenAddress = lib.mkOption {

     

       34
       31
        
             description = "MeiliSearch listen address.";

     

       35
       32
        
             default = "127.0.0.1";

     

       36
       36
       -
             type = types.str;

     

       33
       33
       +
             type = lib.types.str;

     

       37
       34
        
           };

     

       38
       35
        
       

     

       39
       39
       -
           listenPort = mkOption {

     

       36
       36
       +
           listenPort = lib.mkOption {

     

       40
       37
        
             description = "MeiliSearch port to listen on.";

     

       41
       38
        
             default = 7700;

     

       42
       42
       -
             type = types.port;

     

       39
       39
       +
             type = lib.types.port;

     

       43
       40
        
           };

     

       44
       41
        
       

     

       45
       45
       -
           environment = mkOption {

     

       42
       42
       +
           environment = lib.mkOption {

     

       46
       43
        
             description = "Defines the running environment of MeiliSearch.";

     

       47
       44
        
             default = "development";

     

       48
       48
       -
             type = types.enum [

     

       45
       45
       +
             type = lib.types.enum [

     

       49
       46
        
               "development"

     

       50
       47
        
               "production"

     

       51
       48
        
             ];

     

       52
       49
        
           };

     

       53
       50
        
       

     

       54
       51
        
           # TODO change this to LoadCredentials once possible

     

       55
       55
       -
           masterKeyEnvironmentFile = mkOption {

     

       52
       52
       +
           masterKeyEnvironmentFile = lib.mkOption {

     

       56
       53
        
             description = ''

     

       57
       54
        
               Path to file which contains the master key.

     

       58
       55
        
               By doing so, all routes will be protected and will require a key to be accessed.

     
···

       61
       58
        
               MEILI_MASTER_KEY=my_secret_key

     

       62
       59
        
             '';

     

       63
       60
        
             default = null;

     

       64
       64
       -
             type = with types; nullOr path;

     

       61
       61
       +
             type = with lib.types; nullOr path;

     

       65
       62
        
           };

     

       66
       63
        
       

     

       67
       67
       -
           noAnalytics = mkOption {

     

       64
       64
       +
           noAnalytics = lib.mkOption {

     

       68
       65
        
             description = ''

     

       69
       66
        
               Deactivates analytics.

     

       70
       67
        
               Analytics allow MeiliSearch to know how many users are using MeiliSearch,

     
···

       72
       69
        
               This process is entirely anonymous.

     

       73
       70
        
             '';

     

       74
       71
        
             default = true;

     

       75
       75
       -
             type = types.bool;

     

       72
       72
       +
             type = lib.types.bool;

     

       76
       73
        
           };

     

       77
       74
        
       

     

       78
       78
       -
           logLevel = mkOption {

     

       75
       75
       +
           logLevel = lib.mkOption {

     

       79
       76
        
             description = ''

     

       80
       77
        
               Defines how much detail should be present in MeiliSearch's logs.

     

       81
       78
        
               MeiliSearch currently supports four log levels, listed in order of increasing verbosity:

     
···

       86
       83
        
                 Useful when diagnosing issues and debugging

     

       87
       84
        
             '';

     

       88
       85
        
             default = "INFO";

     

       89
       89
       -
             type = types.str;

     

       86
       86
       +
             type = lib.types.str;

     

       90
       87
        
           };

     

       91
       88
        
       

     

       92
       92
       -
           maxIndexSize = mkOption {

     

       89
       89
       +
           maxIndexSize = lib.mkOption {

     

       93
       90
        
             description = ''

     

       94
       91
        
               Sets the maximum size of the index.

     

       95
       92
        
               Value must be given in bytes or explicitly stating a base unit.

     
···

       97
       94
        
               Default is 100 GiB

     

       98
       95
        
             '';

     

       99
       96
        
             default = "107374182400";

     

       100
       100
       -
             type = types.str;

     

       97
       97
       +
             type = lib.types.str;

     

       101
       98
        
           };

     

       102
       99
        
       

     

       103
       103
       -
           payloadSizeLimit = mkOption {

     

       100
       100
       +
           payloadSizeLimit = lib.mkOption {

     

       104
       101
        
             description = ''

     

       105
       102
        
               Sets the maximum size of accepted JSON payloads.

     

       106
       103
        
               Value must be given in bytes or explicitly stating a base unit.

     
···

       108
       105
        
               Default is ~ 100 MB

     

       109
       106
        
             '';

     

       110
       107
        
             default = "104857600";

     

       111
       111
       -
             type = types.str;

     

       108
       108
       +
             type = lib.types.str;

     

       112
       109
        
           };

     

       113
       110
        
       

     

       114
       111
        
         };

     

       115
       112
        
       

     

       116
       113
        
         ###### implementation

     

       117
       114
        
       

     

       118
       118
       -
         config = mkIf cfg.enable {

     

       115
       115
       +
         config = lib.mkIf cfg.enable {

     

       119
       116
        
       

     

       120
       117
        
           # used to restore dumps

     

       121
       118
        
           environment.systemPackages = [ cfg.package ];

     
···

       127
       124
        
             environment = {

     

       128
       125
        
               MEILI_DB_PATH = "/var/lib/meilisearch";

     

       129
       126
        
               MEILI_HTTP_ADDR = "${cfg.listenAddress}:${toString cfg.listenPort}";

     

       130
       130
       -
               MEILI_NO_ANALYTICS = boolToString cfg.noAnalytics;

     

       127
       127
       +
               MEILI_NO_ANALYTICS = lib.boolToString cfg.noAnalytics;

     

       131
       128
        
               MEILI_ENV = cfg.environment;

     

       132
       129
        
               MEILI_DUMP_DIR = "/var/lib/meilisearch/dumps";

     

       133
       130
        
               MEILI_LOG_LEVEL = cfg.logLevel;

     
···

       137
       134
        
               ExecStart = "${cfg.package}/bin/meilisearch";

     

       138
       135
        
               DynamicUser = true;

     

       139
       136
        
               StateDirectory = "meilisearch";

     

       140
       140
       -
               EnvironmentFile = mkIf (cfg.masterKeyEnvironmentFile != null) cfg.masterKeyEnvironmentFile;

     

       137
       137
       +
               EnvironmentFile = lib.mkIf (cfg.masterKeyEnvironmentFile != null) cfg.masterKeyEnvironmentFile;

     

       141
       138
        
             };

     

       142
       139
        
           };

     

       143
       140
        
         };

+6 -9

nixos/modules/services/search/opensearch.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.opensearch;

     

       12
       9
        
       

     
···

       28
       25
        
       {

     

       29
       26
        
       

     

       30
       27
        
         options.services.opensearch = {

     

       31
       31
       -
           enable = mkEnableOption "OpenSearch";

     

       28
       28
       +
           enable = lib.mkEnableOption "OpenSearch";

     

       32
       29
        
       

     

       33
       30
        
           package = lib.mkPackageOption pkgs "OpenSearch" {

     

       34
       31
        
             default = [ "opensearch" ];

     
···

       113
       110
        
               rootLogger.level = info

     

       114
       111
        
               rootLogger.appenderRef.console.ref = console

     

       115
       112
        
             '';

     

       116
       116
       -
             type = types.str;

     

       113
       113
       +
             type = lib.types.str;

     

       117
       114
        
           };

     

       118
       115
        
       

     

       119
       116
        
           dataDir = lib.mkOption {

     

       120
       117
        
             type = lib.types.path;

     

       121
       118
        
             default = "/var/lib/opensearch";

     

       122
       122
       -
             apply = converge (removeSuffix "/");

     

       119
       119
       +
             apply = lib.converge (lib.removeSuffix "/");

     

       123
       120
        
             description = ''

     

       124
       121
        
               Data directory for OpenSearch. If you change this, you need to

     

       125
       122
        
               manually create the directory. You also need to create the

     
···

       173
       170
        
           };

     

       174
       171
        
         };

     

       175
       172
        
       

     

       176
       176
       -
         config = mkIf cfg.enable {

     

       173
       173
       +
         config = lib.mkIf cfg.enable {

     

       177
       174
        
           systemd.services.opensearch = {

     

       178
       175
        
             description = "OpenSearch Daemon";

     

       179
       176
        
             wantedBy = [ "multi-user.target" ];

     
···

       194
       191
        
                         set -o errexit -o pipefail -o nounset -o errtrace

     

       195
       192
        
                         shopt -s inherit_errexit

     

       196
       193
        
                       ''

     

       197
       197
       -
                       + (optionalString (!config.boot.isContainer) ''

     

       194
       194
       +
                       + (lib.optionalString (!config.boot.isContainer) ''

     

       198
       195
        
                         # Only set vm.max_map_count if lower than ES required minimum

     

       199
       196
        
                         # This avoids conflict if configured via boot.kernel.sysctl

     

       200
       197
        
                         if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then

     
···

       268
       265
        
                 TimeoutStartSec = "infinity";

     

       269
       266
        
                 DynamicUser = usingDefaultUserAndGroup && usingDefaultDataDir;

     

       270
       267
        
               }

     

       271
       271
       -
               // (optionalAttrs (usingDefaultDataDir) {

     

       268
       268
       +
               // (lib.optionalAttrs (usingDefaultDataDir) {

     

       272
       269
        
                 StateDirectory = "opensearch";

     

       273
       270
        
                 StateDirectoryMode = "0700";

     

       274
       271
        
               });

+34 -36

nixos/modules/services/search/qdrant.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       7
        
       let

     

       10
       8
        
       

     

       11
       9
        
         cfg = config.services.qdrant;

     
···

       17
       15
        
       

     

       18
       16
        
         options = {

     

       19
       17
        
           services.qdrant = {

     

       20
       20
       -
             enable = mkEnableOption "Vector Search Engine for the next generation of AI applications";

     

       18
       18
       +
             enable = lib.mkEnableOption "Vector Search Engine for the next generation of AI applications";

     

       21
       19
        
       

     

       22
       22
       -
             settings = mkOption {

     

       20
       20
       +
             settings = lib.mkOption {

     

       23
       21
        
               description = ''

     

       24
       22
        
                 Configuration for Qdrant

     

       25
       23
        
                 Refer to <https://github.com/qdrant/qdrant/blob/master/config/config.yaml> for details on supported values.

     
···

       43
       41
        
                 telemetry_disabled = true;

     

       44
       42
        
               };

     

       45
       43
        
       

     

       46
       46
       -
               defaultText = literalExpression ''

     

       44
       44
       +
               defaultText = lib.literalExpression ''

     

       47
       45
        
                 {

     

       48
       46
        
                   storage = {

     

       49
       47
        
                     storage_path = "/var/lib/qdrant/storage";

     
···

       64
       62
        
           };

     

       65
       63
        
         };

     

       66
       64
        
       

     

       67
       67
       -
         config = mkIf cfg.enable {

     

       65
       65
       +
         config = lib.mkIf cfg.enable {

     

       68
       66
        
           services.qdrant.settings = {

     

       69
       69
       -
             service.static_content_dir = mkDefault pkgs.qdrant-web-ui;

     

       70
       70
       -
             storage.storage_path = mkDefault "/var/lib/qdrant/storage";

     

       71
       71
       -
             storage.snapshots_path = mkDefault "/var/lib/qdrant/snapshots";

     

       67
       67
       +
             service.static_content_dir = lib.mkDefault pkgs.qdrant-web-ui;

     

       68
       68
       +
             storage.storage_path = lib.mkDefault "/var/lib/qdrant/storage";

     

       69
       69
       +
             storage.snapshots_path = lib.mkDefault "/var/lib/qdrant/snapshots";

     

       72
       70
        
             # The following default values are the same as in the default config,

     

       73
       71
        
             # they are just written here for convenience.

     

       74
       74
       -
             storage.on_disk_payload = mkDefault true;

     

       75
       75
       -
             storage.wal.wal_capacity_mb = mkDefault 32;

     

       76
       76
       -
             storage.wal.wal_segments_ahead = mkDefault 0;

     

       77
       77
       -
             storage.performance.max_search_threads = mkDefault 0;

     

       78
       78
       -
             storage.performance.max_optimization_threads = mkDefault 1;

     

       79
       79
       -
             storage.optimizers.deleted_threshold = mkDefault 0.2;

     

       80
       80
       -
             storage.optimizers.vacuum_min_vector_number = mkDefault 1000;

     

       81
       81
       -
             storage.optimizers.default_segment_number = mkDefault 0;

     

       82
       82
       -
             storage.optimizers.max_segment_size_kb = mkDefault null;

     

       83
       83
       -
             storage.optimizers.memmap_threshold_kb = mkDefault null;

     

       84
       84
       -
             storage.optimizers.indexing_threshold_kb = mkDefault 20000;

     

       85
       85
       -
             storage.optimizers.flush_interval_sec = mkDefault 5;

     

       86
       86
       -
             storage.optimizers.max_optimization_threads = mkDefault 1;

     

       87
       87
       -
             storage.hnsw_index.m = mkDefault 16;

     

       88
       88
       -
             storage.hnsw_index.ef_construct = mkDefault 100;

     

       89
       89
       -
             storage.hnsw_index.full_scan_threshold_kb = mkDefault 10000;

     

       90
       90
       -
             storage.hnsw_index.max_indexing_threads = mkDefault 0;

     

       91
       91
       -
             storage.hnsw_index.on_disk = mkDefault false;

     

       92
       92
       -
             storage.hnsw_index.payload_m = mkDefault null;

     

       93
       93
       -
             service.max_request_size_mb = mkDefault 32;

     

       94
       94
       -
             service.max_workers = mkDefault 0;

     

       95
       95
       -
             service.http_port = mkDefault 6333;

     

       96
       96
       -
             service.grpc_port = mkDefault 6334;

     

       97
       97
       -
             service.enable_cors = mkDefault true;

     

       98
       98
       -
             cluster.enabled = mkDefault false;

     

       72
       72
       +
             storage.on_disk_payload = lib.mkDefault true;

     

       73
       73
       +
             storage.wal.wal_capacity_mb = lib.mkDefault 32;

     

       74
       74
       +
             storage.wal.wal_segments_ahead = lib.mkDefault 0;

     

       75
       75
       +
             storage.performance.max_search_threads = lib.mkDefault 0;

     

       76
       76
       +
             storage.performance.max_optimization_threads = lib.mkDefault 1;

     

       77
       77
       +
             storage.optimizers.deleted_threshold = lib.mkDefault 0.2;

     

       78
       78
       +
             storage.optimizers.vacuum_min_vector_number = lib.mkDefault 1000;

     

       79
       79
       +
             storage.optimizers.default_segment_number = lib.mkDefault 0;

     

       80
       80
       +
             storage.optimizers.max_segment_size_kb = lib.mkDefault null;

     

       81
       81
       +
             storage.optimizers.memmap_threshold_kb = lib.mkDefault null;

     

       82
       82
       +
             storage.optimizers.indexing_threshold_kb = lib.mkDefault 20000;

     

       83
       83
       +
             storage.optimizers.flush_interval_sec = lib.mkDefault 5;

     

       84
       84
       +
             storage.optimizers.max_optimization_threads = lib.mkDefault 1;

     

       85
       85
       +
             storage.hnsw_index.m = lib.mkDefault 16;

     

       86
       86
       +
             storage.hnsw_index.ef_construct = lib.mkDefault 100;

     

       87
       87
       +
             storage.hnsw_index.full_scan_threshold_kb = lib.mkDefault 10000;

     

       88
       88
       +
             storage.hnsw_index.max_indexing_threads = lib.mkDefault 0;

     

       89
       89
       +
             storage.hnsw_index.on_disk = lib.mkDefault false;

     

       90
       90
       +
             storage.hnsw_index.payload_m = lib.mkDefault null;

     

       91
       91
       +
             service.max_request_size_mb = lib.mkDefault 32;

     

       92
       92
       +
             service.max_workers = lib.mkDefault 0;

     

       93
       93
       +
             service.http_port = lib.mkDefault 6333;

     

       94
       94
       +
             service.grpc_port = lib.mkDefault 6334;

     

       95
       95
       +
             service.enable_cors = lib.mkDefault true;

     

       96
       96
       +
             cluster.enabled = lib.mkDefault false;

     

       99
       97
        
             # the following have been altered for security

     

       100
       100
       -
             service.host = mkDefault "127.0.0.1";

     

       101
       101
       -
             telemetry_disabled = mkDefault true;

     

       98
       98
       +
             service.host = lib.mkDefault "127.0.0.1";

     

       99
       99
       +
             telemetry_disabled = lib.mkDefault true;

     

       102
       100
        
           };

     

       103
       101
        
       

     

       104
       102
        
           systemd.services.qdrant = {

+5 -8

nixos/modules/services/search/quickwit.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.quickwit;

     

       12
       9
        
       

     
···

       19
       16
        
       {

     

       20
       17
        
       

     

       21
       18
        
         options.services.quickwit = {

     

       22
       22
       -
           enable = mkEnableOption "Quickwit";

     

       19
       19
       +
           enable = lib.mkEnableOption "Quickwit";

     

       23
       20
        
       

     

       24
       21
        
           package = lib.mkPackageOption pkgs "Quickwit" {

     

       25
       22
        
             default = [ "quickwit" ];

     
···

       83
       80
        
           dataDir = lib.mkOption {

     

       84
       81
        
             type = lib.types.path;

     

       85
       82
        
             default = "/var/lib/quickwit";

     

       86
       86
       -
             apply = converge (removeSuffix "/");

     

       83
       83
       +
             apply = lib.converge (lib.removeSuffix "/");

     

       87
       84
        
             description = ''

     

       88
       85
        
               Data directory for Quickwit. If you change this, you need to

     

       89
       86
        
               manually create the directory. You also need to create the

     
···

       130
       127
        
           };

     

       131
       128
        
         };

     

       132
       129
        
       

     

       133
       133
       -
         config = mkIf cfg.enable {

     

       130
       130
       +
         config = lib.mkIf cfg.enable {

     

       134
       131
        
           systemd.services.quickwit = {

     

       135
       132
        
             description = "Quickwit";

     

       136
       133
        
             wantedBy = [ "multi-user.target" ];

     
···

       143
       140
        
               {

     

       144
       141
        
                 ExecStart = ''

     

       145
       142
        
                   ${cfg.package}/bin/quickwit run --config ${quickwitYml} \

     

       146
       146
       -
                   ${escapeShellArgs cfg.extraFlags}

     

       143
       143
       +
                   ${lib.escapeShellArgs cfg.extraFlags}

     

       147
       144
        
                 '';

     

       148
       145
        
                 User = cfg.user;

     

       149
       146
        
                 Group = cfg.group;

     
···

       186
       183
        
                   "@chown"

     

       187
       184
        
                 ];

     

       188
       185
        
               }

     

       189
       189
       -
               // (optionalAttrs (usingDefaultDataDir) {

     

       186
       186
       +
               // (lib.optionalAttrs (usingDefaultDataDir) {

     

       190
       187
        
                 StateDirectory = "quickwit";

     

       191
       188
        
                 StateDirectoryMode = "0700";

     

       192
       189
        
               });

+34 -37

nixos/modules/services/security/certmgr.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.certmgr;

     

       12
       9
        
       

     

       13
       13
       -
         specs = mapAttrsToList (n: v: rec {

     

       10
       10
       +
         specs = lib.mapAttrsToList (n: v: rec {

     

       14
       11
        
           name = n + ".json";

     

       15
       15
       -
           path = if isAttrs v then pkgs.writeText name (builtins.toJSON v) else v;

     

       12
       12
       +
           path = if lib.isAttrs v then pkgs.writeText name (builtins.toJSON v) else v;

     

       16
       13
        
         }) cfg.specs;

     

       17
       14
        
       

     

       18
       15
        
         allSpecs = pkgs.linkFarm "certmgr.d" specs;

     
···

       29
       26
        
         );

     

       30
       27
        
       

     

       31
       28
        
         specPaths = map dirOf (

     

       32
       32
       -
           concatMap (

     

       29
       29
       +
           lib.concatMap (

     

       33
       30
        
             spec:

     

       34
       34
       -
             if isAttrs spec then

     

       35
       35
       -
               collect isString (filterAttrsRecursive (n: v: isAttrs v || n == "path") spec)

     

       31
       31
       +
             if lib.isAttrs spec then

     

       32
       32
       +
               lib.collect lib.isString (lib.filterAttrsRecursive (n: v: lib.isAttrs v || n == "path") spec)

     

       36
       33
        
             else

     

       37
       34
        
               [ spec ]

     

       38
       38
       -
           ) (attrValues cfg.specs)

     

       35
       35
       +
           ) (lib.attrValues cfg.specs)

     

       39
       36
        
         );

     

       40
       37
        
       

     

       41
       38
        
         preStart = ''

     

       42
       42
       -
           ${concatStringsSep " \\\n" ([ "mkdir -p" ] ++ map escapeShellArg specPaths)}

     

       39
       39
       +
           ${lib.concatStringsSep " \\\n" ([ "mkdir -p" ] ++ map lib.escapeShellArg specPaths)}

     

       43
       40
        
           ${cfg.package}/bin/certmgr -f ${certmgrYaml} check

     

       44
       41
        
         '';

     

       45
       42
        
       in

     

       46
       43
        
       {

     

       47
       44
        
         options.services.certmgr = {

     

       48
       48
       -
           enable = mkEnableOption "certmgr";

     

       45
       45
       +
           enable = lib.mkEnableOption "certmgr";

     

       49
       46
        
       

     

       50
       50
       -
           package = mkPackageOption pkgs "certmgr" { };

     

       47
       47
       +
           package = lib.mkPackageOption pkgs "certmgr" { };

     

       51
       48
        
       

     

       52
       52
       -
           defaultRemote = mkOption {

     

       53
       53
       -
             type = types.str;

     

       49
       49
       +
           defaultRemote = lib.mkOption {

     

       50
       50
       +
             type = lib.types.str;

     

       54
       51
        
             default = "127.0.0.1:8888";

     

       55
       52
        
             description = "The default CA host:port to use.";

     

       56
       53
        
           };

     

       57
       54
        
       

     

       58
       58
       -
           validMin = mkOption {

     

       55
       55
       +
           validMin = lib.mkOption {

     

       59
       56
        
             default = "72h";

     

       60
       60
       -
             type = types.str;

     

       57
       57
       +
             type = lib.types.str;

     

       61
       58
        
             description = "The interval before a certificate expires to start attempting to renew it.";

     

       62
       59
        
           };

     

       63
       60
        
       

     

       64
       64
       -
           renewInterval = mkOption {

     

       61
       61
       +
           renewInterval = lib.mkOption {

     

       65
       62
        
             default = "30m";

     

       66
       66
       -
             type = types.str;

     

       63
       63
       +
             type = lib.types.str;

     

       67
       64
        
             description = "How often to check certificate expirations and how often to update the cert_next_expires metric.";

     

       68
       65
        
           };

     

       69
       66
        
       

     

       70
       70
       -
           metricsAddress = mkOption {

     

       67
       67
       +
           metricsAddress = lib.mkOption {

     

       71
       68
        
             default = "127.0.0.1";

     

       72
       72
       -
             type = types.str;

     

       69
       69
       +
             type = lib.types.str;

     

       73
       70
        
             description = "The address for the Prometheus HTTP endpoint.";

     

       74
       71
        
           };

     

       75
       72
        
       

     

       76
       76
       -
           metricsPort = mkOption {

     

       73
       73
       +
           metricsPort = lib.mkOption {

     

       77
       74
        
             default = 9488;

     

       78
       78
       -
             type = types.ints.u16;

     

       75
       75
       +
             type = lib.types.ints.u16;

     

       79
       76
        
             description = "The port for the Prometheus HTTP endpoint.";

     

       80
       77
        
           };

     

       81
       78
        
       

     

       82
       82
       -
           specs = mkOption {

     

       79
       79
       +
           specs = lib.mkOption {

     

       83
       80
        
             default = { };

     

       84
       84
       -
             example = literalExpression ''

     

       81
       81
       +
             example = lib.literalExpression ''

     

       85
       82
        
               {

     

       86
       83
        
                 exampleCert =

     

       87
       84
        
                 let

     
···

       119
       116
        
               }

     

       120
       117
        
             '';

     

       121
       118
        
             type =

     

       122
       122
       -
               with types;

     

       119
       119
       +
               with lib.types;

     

       123
       120
        
               attrsOf (

     

       124
       121
        
                 either path (submodule {

     

       125
       122
        
                   options = {

     

       126
       126
       -
                     service = mkOption {

     

       123
       123
       +
                     service = lib.mkOption {

     

       127
       124
        
                       type = nullOr str;

     

       128
       125
        
                       default = null;

     

       129
       126
        
                       description = "The service on which to perform \<action\> after fetching.";

     

       130
       127
        
                     };

     

       131
       128
        
       

     

       132
       132
       -
                     action = mkOption {

     

       129
       129
       +
                     action = lib.mkOption {

     

       133
       130
        
                       type = addCheck str (

     

       134
       131
        
                         x:

     

       135
       132
        
                         cfg.svcManager == "command"

     
···

       144
       141
        
                     };

     

       145
       142
        
       

     

       146
       143
        
                     # These ought all to be specified according to certmgr spec def.

     

       147
       147
       -
                     authority = mkOption {

     

       144
       144
       +
                     authority = lib.mkOption {

     

       148
       145
        
                       type = attrs;

     

       149
       146
        
                       description = "certmgr spec authority object.";

     

       150
       147
        
                     };

     

       151
       148
        
       

     

       152
       152
       -
                     certificate = mkOption {

     

       149
       149
       +
                     certificate = lib.mkOption {

     

       153
       150
        
                       type = nullOr attrs;

     

       154
       151
        
                       description = "certmgr spec certificate object.";

     

       155
       152
        
                     };

     

       156
       153
        
       

     

       157
       157
       -
                     private_key = mkOption {

     

       154
       154
       +
                     private_key = lib.mkOption {

     

       158
       155
        
                       type = nullOr attrs;

     

       159
       156
        
                       description = "certmgr spec private_key object.";

     

       160
       157
        
                     };

     

       161
       158
        
       

     

       162
       162
       -
                     request = mkOption {

     

       159
       159
       +
                     request = lib.mkOption {

     

       163
       160
        
                       type = nullOr attrs;

     

       164
       161
        
                       description = "certmgr spec request object.";

     

       165
       162
        
                     };

     
···

       173
       170
        
             '';

     

       174
       171
        
           };

     

       175
       172
        
       

     

       176
       176
       -
           svcManager = mkOption {

     

       173
       173
       +
           svcManager = lib.mkOption {

     

       177
       174
        
             default = "systemd";

     

       178
       178
       -
             type = types.enum [

     

       175
       175
       +
             type = lib.types.enum [

     

       179
       176
        
               "circus"

     

       180
       177
        
               "command"

     

       181
       178
        
               "dummy"

     
···

       193
       190
        
       

     

       194
       191
        
         };

     

       195
       192
        
       

     

       196
       196
       -
         config = mkIf cfg.enable {

     

       193
       193
       +
         config = lib.mkIf cfg.enable {

     

       197
       194
        
           assertions = [

     

       198
       195
        
             {

     

       199
       196
        
               assertion = cfg.specs != { };

     
···

       201
       198
        
             }

     

       202
       199
        
             {

     

       203
       200
        
               assertion =

     

       204
       204
       -
                 !any (hasAttrByPath [

     

       201
       201
       +
                 !lib.any (lib.hasAttrByPath [

     

       205
       202
        
                   "authority"

     

       206
       203
        
                   "auth_key"

     

       207
       207
       -
                 ]) (attrValues cfg.specs);

     

       204
       204
       +
                 ]) (lib.attrValues cfg.specs);

     

       208
       205
        
               message = ''

     

       209
       206
        
                 Inline services.certmgr.specs are added to the Nix store rendering them world readable.

     

       210
       207
        
                 Specify paths as specs, if you want to use include auth_key - or use the auth_key_file option."

     
···

       214
       211
        
       

     

       215
       212
        
           systemd.services.certmgr = {

     

       216
       213
        
             description = "certmgr";

     

       217
       217
       -
             path = mkIf (cfg.svcManager == "command") [ pkgs.bash ];

     

       214
       214
       +
             path = lib.mkIf (cfg.svcManager == "command") [ pkgs.bash ];

     

       218
       215
        
             wants = [ "network-online.target" ];

     

       219
       216
        
             after = [ "network-online.target" ];

     

       220
       217
        
             wantedBy = [ "multi-user.target" ];

+51 -54

nixos/modules/services/security/cfssl.nix

···

       5
       5
        
         pkgs,

     

       6
       6
        
         ...

     

       7
       7
        
       }:

     

       8
       8
       -
       

     

       9
       9
       -
       with lib;

     

       10
       10
       -
       

     

       11
       8
        
       let

     

       12
       9
        
         cfg = config.services.cfssl;

     

       13
       10
        
       in

     

       14
       11
        
       {

     

       15
       12
        
         options.services.cfssl = {

     

       16
       16
       -
           enable = mkEnableOption "the CFSSL CA api-server";

     

       13
       13
       +
           enable = lib.mkEnableOption "the CFSSL CA api-server";

     

       17
       14
        
       

     

       18
       18
       -
           dataDir = mkOption {

     

       15
       15
       +
           dataDir = lib.mkOption {

     

       19
       16
        
             default = "/var/lib/cfssl";

     

       20
       20
       -
             type = types.path;

     

       17
       17
       +
             type = lib.types.path;

     

       21
       18
        
             description = ''

     

       22
       19
        
               The work directory for CFSSL.

     

       23
       20
        
       

     
···

       30
       27
        
             '';

     

       31
       28
        
           };

     

       32
       29
        
       

     

       33
       33
       -
           address = mkOption {

     

       30
       30
       +
           address = lib.mkOption {

     

       34
       31
        
             default = "127.0.0.1";

     

       35
       35
       -
             type = types.str;

     

       32
       32
       +
             type = lib.types.str;

     

       36
       33
        
             description = "Address to bind.";

     

       37
       34
        
           };

     

       38
       35
        
       

     

       39
       39
       -
           port = mkOption {

     

       36
       36
       +
           port = lib.mkOption {

     

       40
       37
        
             default = 8888;

     

       41
       41
       -
             type = types.port;

     

       38
       38
       +
             type = lib.types.port;

     

       42
       39
        
             description = "Port to bind.";

     

       43
       40
        
           };

     

       44
       41
        
       

     

       45
       45
       -
           ca = mkOption {

     

       46
       46
       -
             defaultText = literalExpression ''"''${cfg.dataDir}/ca.pem"'';

     

       47
       47
       -
             type = types.str;

     

       42
       42
       +
           ca = lib.mkOption {

     

       43
       43
       +
             defaultText = lib.literalExpression ''"''${cfg.dataDir}/ca.pem"'';

     

       44
       44
       +
             type = lib.types.str;

     

       48
       45
        
             description = "CA used to sign the new certificate -- accepts '[file:]fname' or 'env:varname'.";

     

       49
       46
        
           };

     

       50
       47
        
       

     

       51
       51
       -
           caKey = mkOption {

     

       52
       52
       -
             defaultText = literalExpression ''"file:''${cfg.dataDir}/ca-key.pem"'';

     

       53
       53
       -
             type = types.str;

     

       48
       48
       +
           caKey = lib.mkOption {

     

       49
       49
       +
             defaultText = lib.literalExpression ''"file:''${cfg.dataDir}/ca-key.pem"'';

     

       50
       50
       +
             type = lib.types.str;

     

       54
       51
        
             description = "CA private key -- accepts '[file:]fname' or 'env:varname'.";

     

       55
       52
        
           };

     

       56
       53
        
       

     

       57
       57
       -
           caBundle = mkOption {

     

       54
       54
       +
           caBundle = lib.mkOption {

     

       58
       55
        
             default = null;

     

       59
       59
       -
             type = types.nullOr types.path;

     

       56
       56
       +
             type = lib.types.nullOr lib.types.path;

     

       60
       57
        
             description = "Path to root certificate store.";

     

       61
       58
        
           };

     

       62
       59
        
       

     

       63
       63
       -
           intBundle = mkOption {

     

       60
       60
       +
           intBundle = lib.mkOption {

     

       64
       61
        
             default = null;

     

       65
       65
       -
             type = types.nullOr types.path;

     

       62
       62
       +
             type = lib.types.nullOr lib.types.path;

     

       66
       63
        
             description = "Path to intermediate certificate store.";

     

       67
       64
        
           };

     

       68
       65
        
       

     

       69
       69
       -
           intDir = mkOption {

     

       66
       66
       +
           intDir = lib.mkOption {

     

       70
       67
        
             default = null;

     

       71
       71
       -
             type = types.nullOr types.path;

     

       68
       68
       +
             type = lib.types.nullOr lib.types.path;

     

       72
       69
        
             description = "Intermediates directory.";

     

       73
       70
        
           };

     

       74
       71
        
       

     

       75
       75
       -
           metadata = mkOption {

     

       72
       72
       +
           metadata = lib.mkOption {

     

       76
       73
        
             default = null;

     

       77
       77
       -
             type = types.nullOr types.path;

     

       74
       74
       +
             type = lib.types.nullOr lib.types.path;

     

       78
       75
        
             description = ''

     

       79
       76
        
               Metadata file for root certificate presence.

     

       80
       77
        
               The content of the file is a json dictionary (k,v): each key k is

     
···

       83
       80
        
             '';

     

       84
       81
        
           };

     

       85
       82
        
       

     

       86
       86
       -
           remote = mkOption {

     

       83
       83
       +
           remote = lib.mkOption {

     

       87
       84
        
             default = null;

     

       88
       88
       -
             type = types.nullOr types.str;

     

       85
       85
       +
             type = lib.types.nullOr lib.types.str;

     

       89
       86
        
             description = "Remote CFSSL server.";

     

       90
       87
        
           };

     

       91
       88
        
       

     

       92
       92
       -
           configFile = mkOption {

     

       89
       89
       +
           configFile = lib.mkOption {

     

       93
       90
        
             default = null;

     

       94
       94
       -
             type = types.nullOr types.str;

     

       91
       91
       +
             type = lib.types.nullOr lib.types.str;

     

       95
       92
        
             description = "Path to configuration file. Do not put this in nix-store as it might contain secrets.";

     

       96
       93
        
           };

     

       97
       94
        
       

     

       98
       98
       -
           responder = mkOption {

     

       95
       95
       +
           responder = lib.mkOption {

     

       99
       96
        
             default = null;

     

       100
       100
       -
             type = types.nullOr types.path;

     

       97
       97
       +
             type = lib.types.nullOr lib.types.path;

     

       101
       98
        
             description = "Certificate for OCSP responder.";

     

       102
       99
        
           };

     

       103
       100
        
       

     

       104
       104
       -
           responderKey = mkOption {

     

       101
       101
       +
           responderKey = lib.mkOption {

     

       105
       102
        
             default = null;

     

       106
       106
       -
             type = types.nullOr types.str;

     

       103
       103
       +
             type = lib.types.nullOr lib.types.str;

     

       107
       104
        
             description = "Private key for OCSP responder certificate. Do not put this in nix-store.";

     

       108
       105
        
           };

     

       109
       106
        
       

     

       110
       110
       -
           tlsKey = mkOption {

     

       107
       107
       +
           tlsKey = lib.mkOption {

     

       111
       108
        
             default = null;

     

       112
       112
       -
             type = types.nullOr types.str;

     

       109
       109
       +
             type = lib.types.nullOr lib.types.str;

     

       113
       110
        
             description = "Other endpoint's CA private key. Do not put this in nix-store.";

     

       114
       111
        
           };

     

       115
       112
        
       

     

       116
       116
       -
           tlsCert = mkOption {

     

       113
       113
       +
           tlsCert = lib.mkOption {

     

       117
       114
        
             default = null;

     

       118
       118
       -
             type = types.nullOr types.path;

     

       115
       115
       +
             type = lib.types.nullOr lib.types.path;

     

       119
       116
        
             description = "Other endpoint's CA to set up TLS protocol.";

     

       120
       117
        
           };

     

       121
       118
        
       

     

       122
       122
       -
           mutualTlsCa = mkOption {

     

       119
       119
       +
           mutualTlsCa = lib.mkOption {

     

       123
       120
        
             default = null;

     

       124
       124
       -
             type = types.nullOr types.path;

     

       121
       121
       +
             type = lib.types.nullOr lib.types.path;

     

       125
       122
        
             description = "Mutual TLS - require clients be signed by this CA.";

     

       126
       123
        
           };

     

       127
       124
        
       

     

       128
       128
       -
           mutualTlsCn = mkOption {

     

       125
       125
       +
           mutualTlsCn = lib.mkOption {

     

       129
       126
        
             default = null;

     

       130
       130
       -
             type = types.nullOr types.str;

     

       127
       127
       +
             type = lib.types.nullOr lib.types.str;

     

       131
       128
        
             description = "Mutual TLS - regex for whitelist of allowed client CNs.";

     

       132
       129
        
           };

     

       133
       130
        
       

     

       134
       134
       -
           tlsRemoteCa = mkOption {

     

       131
       131
       +
           tlsRemoteCa = lib.mkOption {

     

       135
       132
        
             default = null;

     

       136
       136
       -
             type = types.nullOr types.path;

     

       133
       133
       +
             type = lib.types.nullOr lib.types.path;

     

       137
       134
        
             description = "CAs to trust for remote TLS requests.";

     

       138
       135
        
           };

     

       139
       136
        
       

     

       140
       140
       -
           mutualTlsClientCert = mkOption {

     

       137
       137
       +
           mutualTlsClientCert = lib.mkOption {

     

       141
       138
        
             default = null;

     

       142
       142
       -
             type = types.nullOr types.path;

     

       139
       139
       +
             type = lib.types.nullOr lib.types.path;

     

       143
       140
        
             description = "Mutual TLS - client certificate to call remote instance requiring client certs.";

     

       144
       141
        
           };

     

       145
       142
        
       

     

       146
       146
       -
           mutualTlsClientKey = mkOption {

     

       143
       143
       +
           mutualTlsClientKey = lib.mkOption {

     

       147
       144
        
             default = null;

     

       148
       148
       -
             type = types.nullOr types.path;

     

       145
       145
       +
             type = lib.types.nullOr lib.types.path;

     

       149
       146
        
             description = "Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store.";

     

       150
       147
        
           };

     

       151
       148
        
       

     

       152
       152
       -
           dbConfig = mkOption {

     

       149
       149
       +
           dbConfig = lib.mkOption {

     

       153
       150
        
             default = null;

     

       154
       154
       -
             type = types.nullOr types.path;

     

       151
       151
       +
             type = lib.types.nullOr lib.types.path;

     

       155
       152
        
             description = "Certificate db configuration file. Path must be writeable.";

     

       156
       153
        
           };

     

       157
       154
        
       

     

       158
       158
       -
           logLevel = mkOption {

     

       155
       155
       +
           logLevel = lib.mkOption {

     

       159
       156
        
             default = 1;

     

       160
       160
       -
             type = types.enum [

     

       157
       157
       +
             type = lib.types.enum [

     

       161
       158
        
               0

     

       162
       159
        
               1

     

       163
       160
        
               2

     
···

       169
       166
        
           };

     

       170
       167
        
         };

     

       171
       168
        
       

     

       172
       172
       -
         config = mkIf cfg.enable {

     

       169
       169
       +
         config = lib.mkIf cfg.enable {

     

       173
       170
        
           users.groups.cfssl = {

     

       174
       171
        
             gid = config.ids.gids.cfssl;

     

       175
       172
        
           };

     
···

       223
       220
        
                     (opt "loglevel" (toString logLevel))

     

       224
       221
        
                   ];

     

       225
       222
        
               }

     

       226
       226
       -
               (mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {

     

       223
       223
       +
               (lib.mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {

     

       227
       224
        
                 StateDirectory = baseNameOf cfg.dataDir;

     

       228
       225
        
                 StateDirectoryMode = 700;

     

       229
       226
        
               })

     
···

       231
       228
        
           };

     

       232
       229
        
       

     

       233
       230
        
           services.cfssl = {

     

       234
       234
       -
             ca = mkDefault "${cfg.dataDir}/ca.pem";

     

       235
       235
       -
             caKey = mkDefault "${cfg.dataDir}/ca-key.pem";

     

       231
       231
       +
             ca = lib.mkDefault "${cfg.dataDir}/ca.pem";

     

       232
       232
       +
             caKey = lib.mkDefault "${cfg.dataDir}/ca-key.pem";

     

       236
       233
        
           };

     

       237
       234
        
         };

     

       238
       235
        
       }

+45 -46

nixos/modules/services/security/clamav.nix

···

       1
       1
        
       { config, lib, pkgs, ... }:

     

       2
       2
       -
       with lib;

     

       3
       2
        
       let

     

       4
       3
        
         clamavUser = "clamav";

     

       5
       4
        
         stateDir = "/var/lib/clamav";

     

       6
       5
        
         clamavGroup = clamavUser;

     

       7
       6
        
         cfg = config.services.clamav;

     

       8
       7
        
       

     

       9
       9
       -
         toKeyValue = generators.toKeyValue {

     

       10
       10
       -
           mkKeyValue = generators.mkKeyValueDefault { } " ";

     

       8
       8
       +
         toKeyValue = lib.generators.toKeyValue {

     

       9
       9
       +
           mkKeyValue = lib.generators.mkKeyValueDefault { } " ";

     

       11
       10
        
           listsAsDuplicateKeys = true;

     

       12
       11
        
         };

     

       13
       12
        
       

     
···

       19
       18
        
       in

     

       20
       19
        
       {

     

       21
       20
        
         imports = [

     

       22
       22
       -
           (mkRemovedOptionModule [ "services" "clamav" "updater" "config" ] "Use services.clamav.updater.settings instead.")

     

       23
       23
       -
           (mkRemovedOptionModule [ "services" "clamav" "updater" "extraConfig" ] "Use services.clamav.updater.settings instead.")

     

       24
       24
       -
           (mkRemovedOptionModule [ "services" "clamav" "daemon" "extraConfig" ] "Use services.clamav.daemon.settings instead.")

     

       21
       21
       +
           (lib.mkRemovedOptionModule [ "services" "clamav" "updater" "config" ] "Use services.clamav.updater.settings instead.")

     

       22
       22
       +
           (lib.mkRemovedOptionModule [ "services" "clamav" "updater" "extraConfig" ] "Use services.clamav.updater.settings instead.")

     

       23
       23
       +
           (lib.mkRemovedOptionModule [ "services" "clamav" "daemon" "extraConfig" ] "Use services.clamav.daemon.settings instead.")

     

       25
       24
        
         ];

     

       26
       25
        
       

     

       27
       26
        
         options = {

     

       28
       27
        
           services.clamav = {

     

       29
       29
       -
             package = mkPackageOption pkgs "clamav" { };

     

       28
       28
       +
             package = lib.mkPackageOption pkgs "clamav" { };

     

       30
       29
        
             daemon = {

     

       31
       31
       -
               enable = mkEnableOption "ClamAV clamd daemon";

     

       30
       30
       +
               enable = lib.mkEnableOption "ClamAV clamd daemon";

     

       32
       31
        
       

     

       33
       33
       -
               settings = mkOption {

     

       34
       34
       -
                 type = with types; attrsOf (oneOf [ bool int str (listOf str) ]);

     

       32
       32
       +
               settings = lib.mkOption {

     

       33
       33
       +
                 type = with lib.types; attrsOf (oneOf [ bool int str (listOf str) ]);

     

       35
       34
        
                 default = { };

     

       36
       35
        
                 description = ''

     

       37
       36
        
                   ClamAV configuration. Refer to <https://linux.die.net/man/5/clamd.conf>,

     
···

       40
       39
        
               };

     

       41
       40
        
             };

     

       42
       41
        
             updater = {

     

       43
       43
       -
               enable = mkEnableOption "ClamAV freshclam updater";

     

       42
       42
       +
               enable = lib.mkEnableOption "ClamAV freshclam updater";

     

       44
       43
        
       

     

       45
       45
       -
               frequency = mkOption {

     

       46
       46
       -
                 type = types.int;

     

       44
       44
       +
               frequency = lib.mkOption {

     

       45
       45
       +
                 type = lib.types.int;

     

       47
       46
        
                 default = 12;

     

       48
       47
        
                 description = ''

     

       49
       48
        
                   Number of database checks per day.

     

       50
       49
        
                 '';

     

       51
       50
        
               };

     

       52
       51
        
       

     

       53
       53
       -
               interval = mkOption {

     

       54
       54
       -
                 type = types.str;

     

       52
       52
       +
               interval = lib.mkOption {

     

       53
       53
       +
                 type = lib.types.str;

     

       55
       54
        
                 default = "hourly";

     

       56
       55
        
                 description = ''

     

       57
       56
        
                   How often freshclam is invoked. See systemd.time(7) for more

     
···

       59
       58
        
                 '';

     

       60
       59
        
               };

     

       61
       60
        
       

     

       62
       62
       -
               settings = mkOption {

     

       63
       63
       -
                 type = with types; attrsOf (oneOf [ bool int str (listOf str) ]);

     

       61
       61
       +
               settings = lib.mkOption {

     

       62
       62
       +
                 type = with lib.types; attrsOf (oneOf [ bool int str (listOf str) ]);

     

       64
       63
        
                 default = { };

     

       65
       64
        
                 description = ''

     

       66
       65
        
                   freshclam configuration. Refer to <https://linux.die.net/man/5/freshclam.conf>,

     
···

       69
       68
        
               };

     

       70
       69
        
             };

     

       71
       70
        
             fangfrisch = {

     

       72
       72
       -
               enable = mkEnableOption "ClamAV fangfrisch updater";

     

       71
       71
       +
               enable = lib.mkEnableOption "ClamAV fangfrisch updater";

     

       73
       72
        
       

     

       74
       74
       -
               interval = mkOption {

     

       75
       75
       -
                 type = types.str;

     

       73
       73
       +
               interval = lib.mkOption {

     

       74
       74
       +
                 type = lib.types.str;

     

       76
       75
        
                 default = "hourly";

     

       77
       76
        
                 description = ''

     

       78
       77
        
                   How often freshclam is invoked. See systemd.time(7) for more

     
···

       80
       79
        
                 '';

     

       81
       80
        
               };

     

       82
       81
        
       

     

       83
       83
       -
               settings = mkOption {

     

       82
       82
       +
               settings = lib.mkOption {

     

       84
       83
        
                 type = lib.types.submodule {

     

       85
       85
       -
                   freeformType = with types; attrsOf (attrsOf (oneOf [ str int bool ]));

     

       84
       84
       +
                   freeformType = with lib.types; attrsOf (attrsOf (oneOf [ str int bool ]));

     

       86
       85
        
                 };

     

       87
       86
        
                 default = { };

     

       88
       87
        
                 example = {

     
···

       100
       99
        
             };

     

       101
       100
        
       

     

       102
       101
        
             scanner = {

     

       103
       103
       -
               enable = mkEnableOption "ClamAV scanner";

     

       102
       102
       +
               enable = lib.mkEnableOption "ClamAV scanner";

     

       104
       103
        
       

     

       105
       105
       -
               interval = mkOption {

     

       106
       106
       -
                 type = types.str;

     

       104
       104
       +
               interval = lib.mkOption {

     

       105
       105
       +
                 type = lib.types.str;

     

       107
       106
        
                 default = "*-*-* 04:00:00";

     

       108
       107
        
                 description = ''

     

       109
       108
        
                   How often clamdscan is invoked. See systemd.time(7) for more

     
···

       112
       111
        
                 '';

     

       113
       112
        
               };

     

       114
       113
        
       

     

       115
       115
       -
               scanDirectories = mkOption {

     

       116
       116
       -
                 type = with types; listOf str;

     

       114
       114
       +
               scanDirectories = lib.mkOption {

     

       115
       115
       +
                 type = with lib.types; listOf str;

     

       117
       116
        
                 default = [ "/home" "/var/lib" "/tmp" "/etc" "/var/tmp" ];

     

       118
       117
        
                 description = ''

     

       119
       118
        
                   List of directories to scan.

     
···

       124
       123
        
           };

     

       125
       124
        
         };

     

       126
       125
        
       

     

       127
       127
       -
         config = mkIf (cfg.updater.enable || cfg.daemon.enable) {

     

       126
       126
       +
         config = lib.mkIf (cfg.updater.enable || cfg.daemon.enable) {

     

       128
       127
        
           environment.systemPackages = [ cfg.package ];

     

       129
       128
        
       

     

       130
       129
        
           users.users.${clamavUser} = {

     
···

       153
       152
        
           };

     

       154
       153
        
       

     

       155
       154
        
           services.clamav.fangfrisch.settings = {

     

       156
       156
       -
             DEFAULT.db_url = mkDefault "sqlite:////var/lib/clamav/fangfrisch_db.sqlite";

     

       157
       157
       -
             DEFAULT.local_directory = mkDefault stateDir;

     

       158
       158
       -
             DEFAULT.log_level = mkDefault "INFO";

     

       159
       159
       -
             urlhaus.enabled = mkDefault "yes";

     

       160
       160
       -
             urlhaus.max_size = mkDefault "2MB";

     

       161
       161
       -
             sanesecurity.enabled = mkDefault "yes";

     

       155
       155
       +
             DEFAULT.db_url = lib.mkDefault "sqlite:////var/lib/clamav/fangfrisch_db.sqlite";

     

       156
       156
       +
             DEFAULT.local_directory = lib.mkDefault stateDir;

     

       157
       157
       +
             DEFAULT.log_level = lib.mkDefault "INFO";

     

       158
       158
       +
             urlhaus.enabled = lib.mkDefault "yes";

     

       159
       159
       +
             urlhaus.max_size = lib.mkDefault "2MB";

     

       160
       160
       +
             sanesecurity.enabled = lib.mkDefault "yes";

     

       162
       161
        
           };

     

       163
       162
        
       

     

       164
       163
        
           environment.etc."clamav/freshclam.conf".source = freshclamConfigFile;

     
···

       168
       167
        
             description = "ClamAV Antivirus Slice";

     

       169
       168
        
           };

     

       170
       169
        
       

     

       171
       171
       -
           systemd.services.clamav-daemon = mkIf cfg.daemon.enable {

     

       170
       170
       +
           systemd.services.clamav-daemon = lib.mkIf cfg.daemon.enable {

     

       172
       171
        
             description = "ClamAV daemon (clamd)";

     

       173
       173
       -
             after = optionals cfg.updater.enable [ "clamav-freshclam.service" ];

     

       174
       174
       -
             wants = optionals cfg.updater.enable [ "clamav-freshclam.service" ];

     

       172
       172
       +
             after = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ];

     

       173
       173
       +
             wants = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ];

     

       175
       174
        
             wantedBy = [ "multi-user.target" ];

     

       176
       175
        
             restartTriggers = [ clamdConfigFile ];

     

       177
       176
        
       

     
···

       189
       188
        
             };

     

       190
       189
        
           };

     

       191
       190
        
       

     

       192
       192
       -
           systemd.timers.clamav-freshclam = mkIf cfg.updater.enable {

     

       191
       191
       +
           systemd.timers.clamav-freshclam = lib.mkIf cfg.updater.enable {

     

       193
       192
        
             description = "Timer for ClamAV virus database updater (freshclam)";

     

       194
       193
        
             wantedBy = [ "timers.target" ];

     

       195
       194
        
             timerConfig = {

     
···

       198
       197
        
             };

     

       199
       198
        
           };

     

       200
       199
        
       

     

       201
       201
       -
           systemd.services.clamav-freshclam = mkIf cfg.updater.enable {

     

       200
       200
       +
           systemd.services.clamav-freshclam = lib.mkIf cfg.updater.enable {

     

       202
       201
        
             description = "ClamAV virus database updater (freshclam)";

     

       203
       202
        
             restartTriggers = [ freshclamConfigFile ];

     

       204
       203
        
             requires = [ "network-online.target" ];

     
···

       217
       216
        
             };

     

       218
       217
        
           };

     

       219
       218
        
       

     

       220
       220
       -
           systemd.services.clamav-fangfrisch-init = mkIf cfg.fangfrisch.enable {

     

       219
       219
       +
           systemd.services.clamav-fangfrisch-init = lib.mkIf cfg.fangfrisch.enable {

     

       221
       220
        
             wantedBy = [ "multi-user.target" ];

     

       222
       221
        
             # if the sqlite file can be found assume the database has already been initialised

     

       223
       222
        
             script = ''

     
···

       239
       238
        
             };

     

       240
       239
        
           };

     

       241
       240
        
       

     

       242
       242
       -
           systemd.timers.clamav-fangfrisch = mkIf cfg.fangfrisch.enable {

     

       241
       241
       +
           systemd.timers.clamav-fangfrisch = lib.mkIf cfg.fangfrisch.enable {

     

       243
       242
        
             description = "Timer for ClamAV virus database updater (fangfrisch)";

     

       244
       243
        
             wantedBy = [ "timers.target" ];

     

       245
       244
        
             timerConfig = {

     
···

       248
       247
        
             };

     

       249
       248
        
           };

     

       250
       249
        
       

     

       251
       251
       -
           systemd.services.clamav-fangfrisch = mkIf cfg.fangfrisch.enable {

     

       250
       250
       +
           systemd.services.clamav-fangfrisch = lib.mkIf cfg.fangfrisch.enable {

     

       252
       251
        
             description = "ClamAV virus database updater (fangfrisch)";

     

       253
       252
        
             restartTriggers = [ fangfrischConfigFile ];

     

       254
       253
        
             requires = [ "network-online.target" ];

     
···

       266
       265
        
             };

     

       267
       266
        
           };

     

       268
       267
        
       

     

       269
       269
       -
           systemd.timers.clamdscan = mkIf cfg.scanner.enable {

     

       268
       268
       +
           systemd.timers.clamdscan = lib.mkIf cfg.scanner.enable {

     

       270
       269
        
             description = "Timer for ClamAV virus scanner";

     

       271
       270
        
             wantedBy = [ "timers.target" ];

     

       272
       271
        
             timerConfig = {

     
···

       275
       274
        
             };

     

       276
       275
        
           };

     

       277
       276
        
       

     

       278
       278
       -
           systemd.services.clamdscan = mkIf cfg.scanner.enable {

     

       277
       277
       +
           systemd.services.clamdscan = lib.mkIf cfg.scanner.enable {

     

       279
       278
        
             description = "ClamAV virus scanner";

     

       280
       280
       -
             after = optionals cfg.updater.enable [ "clamav-freshclam.service" ];

     

       281
       281
       -
             wants = optionals cfg.updater.enable [ "clamav-freshclam.service" ];

     

       279
       279
       +
             after = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ];

     

       280
       280
       +
             wants = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ];

     

       282
       281
        
       

     

       283
       282
        
             serviceConfig = {

     

       284
       283
        
               Type = "oneshot";

+18 -21

nixos/modules/services/security/endlessh-go.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.endlessh-go;

     

       12
       9
        
       in

     

       13
       10
        
       {

     

       14
       11
        
         options.services.endlessh-go = {

     

       15
       15
       -
           enable = mkEnableOption "endlessh-go service";

     

       12
       12
       +
           enable = lib.mkEnableOption "endlessh-go service";

     

       16
       13
        
       

     

       17
       17
       -
           package = mkPackageOption pkgs "endlessh-go" { };

     

       14
       14
       +
           package = lib.mkPackageOption pkgs "endlessh-go" { };

     

       18
       15
        
       

     

       19
       19
       -
           listenAddress = mkOption {

     

       20
       20
       -
             type = types.str;

     

       16
       16
       +
           listenAddress = lib.mkOption {

     

       17
       17
       +
             type = lib.types.str;

     

       21
       18
        
             default = "0.0.0.0";

     

       22
       19
        
             example = "[::]";

     

       23
       20
        
             description = ''

     
···

       25
       22
        
             '';

     

       26
       23
        
           };

     

       27
       24
        
       

     

       28
       28
       -
           port = mkOption {

     

       29
       29
       -
             type = types.port;

     

       25
       25
       +
           port = lib.mkOption {

     

       26
       26
       +
             type = lib.types.port;

     

       30
       27
        
             default = 2222;

     

       31
       28
        
             example = 22;

     

       32
       29
        
             description = ''

     
···

       38
       35
        
           };

     

       39
       36
        
       

     

       40
       37
        
           prometheus = {

     

       41
       41
       -
             enable = mkEnableOption "Prometheus integration";

     

       38
       38
       +
             enable = lib.mkEnableOption "Prometheus integration";

     

       42
       39
        
       

     

       43
       43
       -
             listenAddress = mkOption {

     

       44
       44
       -
               type = types.str;

     

       40
       40
       +
             listenAddress = lib.mkOption {

     

       41
       41
       +
               type = lib.types.str;

     

       45
       42
        
               default = "0.0.0.0";

     

       46
       43
        
               example = "[::]";

     

       47
       44
        
               description = ''

     
···

       50
       47
        
               '';

     

       51
       48
        
             };

     

       52
       49
        
       

     

       53
       53
       -
             port = mkOption {

     

       54
       54
       -
               type = types.port;

     

       50
       50
       +
             port = lib.mkOption {

     

       51
       51
       +
               type = lib.types.port;

     

       55
       52
        
               default = 2112;

     

       56
       53
        
               example = 9119;

     

       57
       54
        
               description = ''

     
···

       61
       58
        
             };

     

       62
       59
        
           };

     

       63
       60
        
       

     

       64
       64
       -
           extraOptions = mkOption {

     

       65
       65
       -
             type = with types; listOf str;

     

       61
       61
       +
           extraOptions = lib.mkOption {

     

       62
       62
       +
             type = with lib.types; listOf str;

     

       66
       63
        
             default = [ ];

     

       67
       64
        
             example = [

     

       68
       65
        
               "-conn_type=tcp4"

     
···

       73
       70
        
             '';

     

       74
       71
        
           };

     

       75
       72
        
       

     

       76
       76
       -
           openFirewall = mkOption {

     

       77
       77
       -
             type = types.bool;

     

       73
       73
       +
           openFirewall = lib.mkOption {

     

       74
       74
       +
             type = lib.types.bool;

     

       78
       75
        
             default = false;

     

       79
       76
        
             description = ''

     

       80
       77
        
               Whether to open a firewall port for the SSH listener.

     
···

       82
       79
        
           };

     

       83
       80
        
         };

     

       84
       81
        
       

     

       85
       85
       -
         config = mkIf cfg.enable {

     

       82
       82
       +
         config = lib.mkIf cfg.enable {

     

       86
       83
        
           systemd.services.endlessh-go = {

     

       87
       84
        
             description = "SSH tarpit";

     

       88
       85
        
             requires = [ "network.target" ];

     
···

       90
       87
        
             serviceConfig =

     

       91
       88
        
               let

     

       92
       89
        
                 needsPrivileges = cfg.port < 1024 || cfg.prometheus.port < 1024;

     

       93
       93
       -
                 capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];

     

       90
       90
       +
                 capabilities = [ "" ] ++ lib.optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];

     

       94
       91
        
                 rootDirectory = "/run/endlessh-go";

     

       95
       92
        
               in

     

       96
       93
        
               {

     
···

       155
       152
        
           networking.firewall.allowedTCPPorts = with cfg; optionals openFirewall [ port ];

     

       156
       153
        
         };

     

       157
       154
        
       

     

       158
       158
       -
         meta.maintainers = with maintainers; [ azahi ];

     

       155
       155
       +
         meta.maintainers = with lib.maintainers; [ azahi ];

     

       159
       156
        
       }

+10 -13

nixos/modules/services/security/endlessh.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.endlessh;

     

       12
       9
        
       in

     

       13
       10
        
       {

     

       14
       11
        
         options.services.endlessh = {

     

       15
       15
       -
           enable = mkEnableOption "endlessh service";

     

       12
       12
       +
           enable = lib.mkEnableOption "endlessh service";

     

       16
       13
        
       

     

       17
       17
       -
           port = mkOption {

     

       18
       18
       -
             type = types.port;

     

       14
       14
       +
           port = lib.mkOption {

     

       15
       15
       +
             type = lib.types.port;

     

       19
       16
        
             default = 2222;

     

       20
       17
        
             example = 22;

     

       21
       18
        
             description = ''

     
···

       26
       23
        
             '';

     

       27
       24
        
           };

     

       28
       25
        
       

     

       29
       29
       -
           extraOptions = mkOption {

     

       30
       30
       -
             type = with types; listOf str;

     

       26
       26
       +
           extraOptions = lib.mkOption {

     

       27
       27
       +
             type = with lib.types; listOf str;

     

       31
       28
        
             default = [ ];

     

       32
       29
        
             example = [

     

       33
       30
        
               "-6"

     
···

       39
       36
        
             '';

     

       40
       37
        
           };

     

       41
       38
        
       

     

       42
       42
       -
           openFirewall = mkOption {

     

       43
       43
       -
             type = types.bool;

     

       39
       39
       +
           openFirewall = lib.mkOption {

     

       40
       40
       +
             type = lib.types.bool;

     

       44
       41
        
             default = false;

     

       45
       42
        
             description = ''

     

       46
       43
        
               Whether to open a firewall port for the SSH listener.

     
···

       48
       45
        
           };

     

       49
       46
        
         };

     

       50
       47
        
       

     

       51
       51
       -
         config = mkIf cfg.enable {

     

       48
       48
       +
         config = lib.mkIf cfg.enable {

     

       52
       49
        
           systemd.services.endlessh = {

     

       53
       50
        
             description = "SSH tarpit";

     

       54
       51
        
             requires = [ "network.target" ];

     
···

       56
       53
        
             serviceConfig =

     

       57
       54
        
               let

     

       58
       55
        
                 needsPrivileges = cfg.port < 1024;

     

       59
       59
       -
                 capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];

     

       56
       56
       +
                 capabilities = [ "" ] ++ lib.optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];

     

       60
       57
        
                 rootDirectory = "/run/endlessh";

     

       61
       58
        
               in

     

       62
       59
        
               {

     
···

       115
       112
        
           networking.firewall.allowedTCPPorts = with cfg; optionals openFirewall [ port ];

     

       116
       113
        
         };

     

       117
       114
        
       

     

       118
       118
       -
         meta.maintainers = with maintainers; [ azahi ];

     

       115
       115
       +
         meta.maintainers = with lib.maintainers; [ azahi ];

     

       119
       116
        
       }

+74 -77

nixos/modules/services/security/fail2ban.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.fail2ban;

     

       12
       9
        
       

     

       13
       10
        
         settingsFormat = pkgs.formats.keyValue { };

     

       14
       11
        
       

     

       15
       12
        
         configFormat = pkgs.formats.ini {

     

       16
       16
       -
           mkKeyValue = generators.mkKeyValueDefault { } " = ";

     

       13
       13
       +
           mkKeyValue = lib.generators.mkKeyValueDefault { } " = ";

     

       17
       14
        
         };

     

       18
       15
        
       

     

       19
       16
        
         mkJailConfig =

     

       20
       17
        
           name: attrs:

     

       21
       21
       -
           optionalAttrs (name != "DEFAULT") { inherit (attrs) enabled; }

     

       22
       22
       -
           // optionalAttrs (attrs.filter != null) {

     

       23
       23
       -
             filter = if (builtins.isString filter) then filter else name;

     

       18
       18
       +
           lib.optionalAttrs (name != "DEFAULT") { inherit (attrs) enabled; }

     

       19
       19
       +
           // lib.optionalAttrs (attrs.filter != null) {

     

       20
       20
       +
             filter = if (builtins.isString lib.filter) then lib.filter else name;

     

       24
       21
        
           }

     

       25
       22
        
           // attrs.settings;

     

       26
       23
        
       

     

       27
       24
        
         mkFilter =

     

       28
       25
        
           name: attrs:

     

       29
       29
       -
           nameValuePair "fail2ban/filter.d/${name}.conf" {

     

       26
       26
       +
           lib.nameValuePair "fail2ban/filter.d/${name}.conf" {

     

       30
       27
        
             source = configFormat.generate "filter.d/${name}.conf" attrs.filter;

     

       31
       28
        
           };

     

       32
       29
        
       

     

       33
       30
        
         fail2banConf = configFormat.generate "fail2ban.local" cfg.daemonSettings;

     

       34
       31
        
       

     

       35
       35
       -
         strJails = filterAttrs (_: builtins.isString) cfg.jails;

     

       36
       36
       -
         attrsJails = filterAttrs (_: builtins.isAttrs) cfg.jails;

     

       32
       32
       +
         strJails = lib.filterAttrs (_: builtins.isString) cfg.jails;

     

       33
       33
       +
         attrsJails = lib.filterAttrs (_: builtins.isAttrs) cfg.jails;

     

       37
       34
        
       

     

       38
       35
        
         jailConf =

     

       39
       36
        
           let

     

       40
       37
        
             configFile = configFormat.generate "jail.local" (

     

       41
       41
       -
               { INCLUDES.before = "paths-nixos.conf"; } // (mapAttrs mkJailConfig attrsJails)

     

       38
       38
       +
               { INCLUDES.before = "paths-nixos.conf"; } // (lib.mapAttrs mkJailConfig attrsJails)

     

       42
       39
        
             );

     

       43
       43
       -
             extraConfig = concatStringsSep "\n" (

     

       44
       44
       -
               attrValues (

     

       45
       45
       -
                 mapAttrs (

     

       40
       40
       +
             extraConfig = lib.concatStringsSep "\n" (

     

       41
       41
       +
               lib.attrValues (

     

       42
       42
       +
                 lib.mapAttrs (

     

       46
       43
        
                   name: def:

     

       47
       47
       -
                   optionalString (def != "") ''

     

       44
       44
       +
                   lib.optionalString (def != "") ''

     

       48
       45
        
                     [${name}]

     

       49
       46
        
                     ${def}

     

       50
       47
        
                   ''

     
···

       74
       71
        
       {

     

       75
       72
        
       

     

       76
       73
        
         imports = [

     

       77
       77
       -
           (mkRemovedOptionModule [

     

       74
       74
       +
           (lib.mkRemovedOptionModule [

     

       78
       75
        
             "services"

     

       79
       76
        
             "fail2ban"

     

       80
       77
        
             "daemonConfig"

     

       81
       78
        
           ] "The daemon is now configured through the attribute set `services.fail2ban.daemonSettings`.")

     

       82
       82
       -
           (mkRemovedOptionModule [ "services" "fail2ban" "extraSettings" ]

     

       79
       79
       +
           (lib.mkRemovedOptionModule [ "services" "fail2ban" "extraSettings" ]

     

       83
       80
        
             "The extra default configuration can now be set using `services.fail2ban.jails.DEFAULT.settings`."

     

       84
       81
        
           )

     

       85
       82
        
         ];

     
···

       88
       85
        
       

     

       89
       86
        
         options = {

     

       90
       87
        
           services.fail2ban = {

     

       91
       91
       -
             enable = mkOption {

     

       88
       88
       +
             enable = lib.mkOption {

     

       92
       89
        
               default = false;

     

       93
       93
       -
               type = types.bool;

     

       90
       90
       +
               type = lib.types.bool;

     

       94
       91
        
               description = ''

     

       95
       92
        
                 Whether to enable the fail2ban service.

     

       96
       93
        
       

     
···

       99
       96
        
               '';

     

       100
       97
        
             };

     

       101
       98
        
       

     

       102
       102
       -
             package = mkPackageOption pkgs "fail2ban" {

     

       99
       99
       +
             package = lib.mkPackageOption pkgs "fail2ban" {

     

       103
       100
        
               example = "fail2ban_0_11";

     

       104
       101
        
             };

     

       105
       102
        
       

     

       106
       106
       -
             packageFirewall = mkOption {

     

       103
       103
       +
             packageFirewall = lib.mkOption {

     

       107
       104
        
               default = config.networking.firewall.package;

     

       108
       108
       -
               defaultText = literalExpression "config.networking.firewall.package";

     

       109
       109
       -
               type = types.package;

     

       105
       105
       +
               defaultText = lib.literalExpression "config.networking.firewall.package";

     

       106
       106
       +
               type = lib.types.package;

     

       110
       107
        
               description = "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables).";

     

       111
       108
        
             };

     

       112
       109
        
       

     

       113
       113
       -
             extraPackages = mkOption {

     

       110
       110
       +
             extraPackages = lib.mkOption {

     

       114
       111
        
               default = [ ];

     

       115
       115
       -
               type = types.listOf types.package;

     

       112
       112
       +
               type = lib.types.listOf lib.types.package;

     

       116
       113
        
               example = lib.literalExpression "[ pkgs.ipset ]";

     

       117
       114
        
               description = ''

     

       118
       115
        
                 Extra packages to be made available to the fail2ban service. The example contains

     
···

       120
       117
        
               '';

     

       121
       118
        
             };

     

       122
       119
        
       

     

       123
       123
       -
             bantime = mkOption {

     

       120
       120
       +
             bantime = lib.mkOption {

     

       124
       121
        
               default = "10m";

     

       125
       125
       -
               type = types.str;

     

       122
       122
       +
               type = lib.types.str;

     

       126
       123
        
               example = "1h";

     

       127
       124
        
               description = "Number of seconds that a host is banned.";

     

       128
       125
        
             };

     

       129
       126
        
       

     

       130
       130
       -
             maxretry = mkOption {

     

       127
       127
       +
             maxretry = lib.mkOption {

     

       131
       128
        
               default = 3;

     

       132
       132
       -
               type = types.ints.unsigned;

     

       129
       129
       +
               type = lib.types.ints.unsigned;

     

       133
       130
        
               description = "Number of failures before a host gets banned.";

     

       134
       131
        
             };

     

       135
       132
        
       

     

       136
       136
       -
             banaction = mkOption {

     

       133
       133
       +
             banaction = lib.mkOption {

     

       137
       134
        
               default = if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport";

     

       138
       138
       -
               defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"'';

     

       139
       139
       -
               type = types.str;

     

       135
       135
       +
               defaultText = lib.literalExpression ''if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"'';

     

       136
       136
       +
               type = lib.types.str;

     

       140
       137
        
               description = ''

     

       141
       138
        
                 Default banning action (e.g. iptables, iptables-new, iptables-multiport,

     

       142
       139
        
                 iptables-ipset-proto6-allports, shorewall, etc). It is used to

     
···

       145
       142
        
               '';

     

       146
       143
        
             };

     

       147
       144
        
       

     

       148
       148
       -
             banaction-allports = mkOption {

     

       145
       145
       +
             banaction-allports = lib.mkOption {

     

       149
       146
        
               default = if config.networking.nftables.enable then "nftables-allports" else "iptables-allports";

     

       150
       150
       -
               defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"'';

     

       151
       151
       -
               type = types.str;

     

       147
       147
       +
               defaultText = lib.literalExpression ''if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"'';

     

       148
       148
       +
               type = lib.types.str;

     

       152
       149
        
               description = ''

     

       153
       150
        
                 Default banning action (e.g. iptables, iptables-new, iptables-multiport,

     

       154
       151
        
                 shorewall, etc) for "allports" jails. It is used to define action_* variables. Can be overridden

     
···

       156
       153
        
               '';

     

       157
       154
        
             };

     

       158
       155
        
       

     

       159
       159
       -
             bantime-increment.enable = mkOption {

     

       156
       156
       +
             bantime-increment.enable = lib.mkOption {

     

       160
       157
        
               default = false;

     

       161
       161
       -
               type = types.bool;

     

       158
       158
       +
               type = lib.types.bool;

     

       162
       159
        
               description = ''

     

       163
       160
        
                 "bantime.increment" allows to use database for searching of previously banned ip's to increase

     

       164
       161
        
                 a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32 ...

     

       165
       162
        
               '';

     

       166
       163
        
             };

     

       167
       164
        
       

     

       168
       168
       -
             bantime-increment.rndtime = mkOption {

     

       165
       165
       +
             bantime-increment.rndtime = lib.mkOption {

     

       169
       166
        
               default = null;

     

       170
       170
       -
               type = types.nullOr types.str;

     

       167
       167
       +
               type = lib.types.nullOr lib.types.str;

     

       171
       168
        
               example = "8m";

     

       172
       169
        
               description = ''

     

       173
       170
        
                 "bantime.rndtime" is the max number of seconds using for mixing with random time

     
···

       175
       172
        
               '';

     

       176
       173
        
             };

     

       177
       174
        
       

     

       178
       178
       -
             bantime-increment.maxtime = mkOption {

     

       175
       175
       +
             bantime-increment.maxtime = lib.mkOption {

     

       179
       176
        
               default = null;

     

       180
       180
       -
               type = types.nullOr types.str;

     

       177
       177
       +
               type = lib.types.nullOr lib.types.str;

     

       181
       178
        
               example = "48h";

     

       182
       179
        
               description = ''

     

       183
       180
        
                 "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)

     

       184
       181
        
               '';

     

       185
       182
        
             };

     

       186
       183
        
       

     

       187
       187
       -
             bantime-increment.factor = mkOption {

     

       184
       184
       +
             bantime-increment.factor = lib.mkOption {

     

       188
       185
        
               default = null;

     

       189
       189
       -
               type = types.nullOr types.str;

     

       186
       186
       +
               type = lib.types.nullOr lib.types.str;

     

       190
       187
        
               example = "4";

     

       191
       188
        
               description = ''

     

       192
       189
        
                 "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,

     
···

       194
       191
        
               '';

     

       195
       192
        
             };

     

       196
       193
        
       

     

       197
       197
       -
             bantime-increment.formula = mkOption {

     

       194
       194
       +
             bantime-increment.formula = lib.mkOption {

     

       198
       195
        
               default = null;

     

       199
       199
       -
               type = types.nullOr types.str;

     

       196
       196
       +
               type = lib.types.nullOr lib.types.str;

     

       200
       197
        
               example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";

     

       201
       198
        
               description = ''

     

       202
       199
        
                 "bantime.formula" used by default to calculate next value of ban time, default value below,

     
···

       204
       201
        
               '';

     

       205
       202
        
             };

     

       206
       203
        
       

     

       207
       207
       -
             bantime-increment.multipliers = mkOption {

     

       204
       204
       +
             bantime-increment.multipliers = lib.mkOption {

     

       208
       205
        
               default = null;

     

       209
       209
       -
               type = types.nullOr types.str;

     

       206
       206
       +
               type = lib.types.nullOr lib.types.str;

     

       210
       207
        
               example = "1 2 4 8 16 32 64";

     

       211
       208
        
               description = ''

     

       212
       209
        
                 "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding

     
···

       216
       213
        
               '';

     

       217
       214
        
             };

     

       218
       215
        
       

     

       219
       219
       -
             bantime-increment.overalljails = mkOption {

     

       216
       216
       +
             bantime-increment.overalljails = lib.mkOption {

     

       220
       217
        
               default = null;

     

       221
       221
       -
               type = types.nullOr types.bool;

     

       218
       218
       +
               type = lib.types.nullOr lib.types.bool;

     

       222
       219
        
               example = true;

     

       223
       220
        
               description = ''

     

       224
       221
        
                 "bantime.overalljails" (if true) specifies the search of IP in the database will be executed

     
···

       226
       223
        
               '';

     

       227
       224
        
             };

     

       228
       225
        
       

     

       229
       229
       -
             ignoreIP = mkOption {

     

       226
       226
       +
             ignoreIP = lib.mkOption {

     

       230
       227
        
               default = [ ];

     

       231
       231
       -
               type = types.listOf types.str;

     

       228
       228
       +
               type = lib.types.listOf lib.types.str;

     

       232
       229
        
               example = [

     

       233
       230
        
                 "192.168.0.0/16"

     

       234
       231
        
                 "2001:DB8::42"

     
···

       239
       236
        
               '';

     

       240
       237
        
             };

     

       241
       238
        
       

     

       242
       242
       -
             daemonSettings = mkOption {

     

       239
       239
       +
             daemonSettings = lib.mkOption {

     

       243
       240
        
               inherit (configFormat) type;

     

       244
       241
        
       

     

       245
       245
       -
               defaultText = literalExpression ''

     

       242
       242
       +
               defaultText = lib.literalExpression ''

     

       246
       243
        
                 {

     

       247
       244
        
                   Definition = {

     

       248
       245
        
                     logtarget = "SYSLOG";

     
···

       258
       255
        
               '';

     

       259
       256
        
             };

     

       260
       257
        
       

     

       261
       261
       -
             jails = mkOption {

     

       258
       258
       +
             jails = lib.mkOption {

     

       262
       259
        
               default = { };

     

       263
       263
       -
               example = literalExpression ''

     

       260
       260
       +
               example = lib.literalExpression ''

     

       264
       261
        
                 {

     

       265
       262
        
                   apache-nohome-iptables = {

     

       266
       263
        
                     settings = {

     
···

       287
       284
        
                 };

     

       288
       285
        
               '';

     

       289
       286
        
               type =

     

       290
       290
       -
                 with types;

     

       287
       287
       +
                 with lib.types;

     

       291
       288
        
                 attrsOf (

     

       292
       289
        
                   either lines (

     

       293
       290
        
                     submodule (

     

       294
       291
        
                       { name, ... }:

     

       295
       292
        
                       {

     

       296
       293
        
                         options = {

     

       297
       297
       -
                           enabled = mkEnableOption "this jail" // {

     

       294
       294
       +
                           enabled = lib.mkEnableOption "this jail" // {

     

       298
       295
        
                             default = true;

     

       299
       296
        
                             readOnly = name == "DEFAULT";

     

       300
       297
        
                           };

     

       301
       298
        
       

     

       302
       302
       -
                           filter = mkOption {

     

       299
       299
       +
                           filter = lib.mkOption {

     

       303
       300
        
                             type = nullOr (either str configFormat.type);

     

       304
       301
        
       

     

       305
       302
        
                             default = null;

     

       306
       303
        
                             description = "Content of the filter used for this jail.";

     

       307
       304
        
                           };

     

       308
       305
        
       

     

       309
       309
       -
                           settings = mkOption {

     

       306
       306
       +
                           settings = lib.mkOption {

     

       310
       307
        
                             inherit (settingsFormat) type;

     

       311
       308
        
       

     

       312
       309
        
                             default = { };

     
···

       344
       341
        
       

     

       345
       342
        
         ###### implementation

     

       346
       343
        
       

     

       347
       347
       -
         config = mkIf cfg.enable {

     

       344
       344
       +
         config = lib.mkIf cfg.enable {

     

       348
       345
        
           assertions = [

     

       349
       346
        
             {

     

       350
       347
        
               assertion = cfg.bantime-increment.formula == null || cfg.bantime-increment.multipliers == null;

     
···

       354
       351
        
             }

     

       355
       352
        
           ];

     

       356
       353
        
       

     

       357
       357
       -
           warnings = mkIf (!config.networking.firewall.enable && !config.networking.nftables.enable) [

     

       354
       354
       +
           warnings = lib.mkIf (!config.networking.firewall.enable && !config.networking.nftables.enable) [

     

       358
       355
        
             "fail2ban can not be used without a firewall"

     

       359
       356
        
           ];

     

       360
       357
        
       

     
···

       371
       368
        
               "fail2ban/action.d".source = "${cfg.package}/etc/fail2ban/action.d/*.conf";

     

       372
       369
        
               "fail2ban/filter.d".source = "${cfg.package}/etc/fail2ban/filter.d/*.conf";

     

       373
       370
        
             }

     

       374
       374
       -
             // (mapAttrs' mkFilter (

     

       375
       375
       -
               filterAttrs (_: v: v.filter != null && !builtins.isString v.filter) attrsJails

     

       371
       371
       +
             // (lib.mapAttrs' mkFilter (

     

       372
       372
       +
               lib.filterAttrs (_: v: v.filter != null && !builtins.isString v.filter) attrsJails

     

       376
       373
        
             ));

     

       377
       374
        
       

     

       378
       375
        
           systemd.packages = [ cfg.package ];

     

       379
       376
        
           systemd.services.fail2ban = {

     

       380
       377
        
             wantedBy = [ "multi-user.target" ];

     

       381
       381
       -
             partOf = optional config.networking.firewall.enable "firewall.service";

     

       378
       378
       +
             partOf = lib.optional config.networking.firewall.enable "firewall.service";

     

       382
       379
        
       

     

       383
       380
        
             restartTriggers = [

     

       384
       381
        
               fail2banConf

     
···

       423
       420
        
       

     

       424
       421
        
           # Defaults for the daemon settings

     

       425
       422
        
           services.fail2ban.daemonSettings.Definition = {

     

       426
       426
       -
             logtarget = mkDefault "SYSLOG";

     

       427
       427
       -
             socket = mkDefault "/run/fail2ban/fail2ban.sock";

     

       428
       428
       -
             pidfile = mkDefault "/run/fail2ban/fail2ban.pid";

     

       429
       429
       -
             dbfile = mkDefault "/var/lib/fail2ban/fail2ban.sqlite3";

     

       423
       423
       +
             logtarget = lib.mkDefault "SYSLOG";

     

       424
       424
       +
             socket = lib.mkDefault "/run/fail2ban/fail2ban.sock";

     

       425
       425
       +
             pidfile = lib.mkDefault "/run/fail2ban/fail2ban.pid";

     

       426
       426
       +
             dbfile = lib.mkDefault "/var/lib/fail2ban/fail2ban.sqlite3";

     

       430
       427
        
           };

     

       431
       428
        
       

     

       432
       429
        
           # Add some reasonable default jails.  The special "DEFAULT" jail

     

       433
       430
        
           # sets default values for all other jails.

     

       434
       434
       -
           services.fail2ban.jails = mkMerge [

     

       431
       431
       +
           services.fail2ban.jails = lib.mkMerge [

     

       435
       432
        
             {

     

       436
       433
        
               DEFAULT.settings =

     

       437
       437
       -
                 (optionalAttrs cfg.bantime-increment.enable (

     

       434
       434
       +
                 (lib.optionalAttrs cfg.bantime-increment.enable (

     

       438
       435
        
                   {

     

       439
       436
        
                     "bantime.increment" = cfg.bantime-increment.enable;

     

       440
       437
        
                   }

     

       441
       441
       -
                   // (mapAttrs' (name: nameValuePair "bantime.${name}") (

     

       442
       442
       -
                     filterAttrs (n: v: v != null && n != "enable") cfg.bantime-increment

     

       438
       438
       +
                   // (lib.mapAttrs' (name: lib.nameValuePair "bantime.${name}") (

     

       439
       439
       +
                     lib.filterAttrs (n: v: v != null && n != "enable") cfg.bantime-increment

     

       443
       440
        
                   ))

     

       444
       441
        
                 ))

     

       445
       442
        
                 // {

     

       446
       443
        
                   # Miscellaneous options

     

       447
       444
        
                   inherit (cfg) banaction maxretry bantime;

     

       448
       448
       -
                   ignoreip = ''127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP}'';

     

       445
       445
       +
                   ignoreip = ''127.0.0.1/8 ${lib.optionalString config.networking.enableIPv6 "::1"} ${lib.concatStringsSep " " cfg.ignoreIP}'';

     

       449
       446
        
                   backend = "systemd";

     

       450
       447
        
                   # Actions

     

       451
       448
        
                   banaction_allports = cfg.banaction-allports;

     
···

       453
       450
        
             }

     

       454
       451
        
       

     

       455
       452
        
             # Block SSH if there are too many failing connection attempts.

     

       456
       456
       -
             (mkIf config.services.openssh.enable {

     

       457
       457
       -
               sshd.settings.port = mkDefault (

     

       458
       458
       -
                 concatMapStringsSep "," builtins.toString config.services.openssh.ports

     

       453
       453
       +
             (lib.mkIf config.services.openssh.enable {

     

       454
       454
       +
               sshd.settings.port = lib.mkDefault (

     

       455
       455
       +
                 lib.concatMapStringsSep "," builtins.toString config.services.openssh.ports

     

       459
       456
        
               );

     

       460
       457
        
             })

     

       461
       458
        
           ];

     

       462
       459
        
       

     

       463
       460
        
           # Benefits from verbose sshd logging to observe failed login attempts,

     

       464
       461
        
           # so we set that here unless the user overrode it.

     

       465
       465
       -
           services.openssh.settings.LogLevel = mkDefault "VERBOSE";

     

       462
       462
       +
           services.openssh.settings.LogLevel = lib.mkDefault "VERBOSE";

     

       466
       463
        
         };

     

       467
       464
        
       }

+10 -13

nixos/modules/services/security/fprintd.nix

···

       1
       1
        
       { config, lib, pkgs, ... }:

     

       2
       2
       -
       

     

       3
       3
       -
       with lib;

     

       4
       4
       -
       

     

       5
       2
        
       let

     

       6
       3
        
       

     

       7
       4
        
         cfg = config.services.fprintd;

     
···

       18
       15
        
       

     

       19
       16
        
           services.fprintd = {

     

       20
       17
        
       

     

       21
       21
       -
             enable = mkEnableOption "fprintd daemon and PAM module for fingerprint readers handling";

     

       18
       18
       +
             enable = lib.mkEnableOption "fprintd daemon and PAM module for fingerprint readers handling";

     

       22
       19
        
       

     

       23
       23
       -
             package = mkOption {

     

       24
       24
       -
               type = types.package;

     

       20
       20
       +
             package = lib.mkOption {

     

       21
       21
       +
               type = lib.types.package;

     

       25
       22
        
               default = fprintdPkg;

     

       26
       26
       -
               defaultText = literalExpression "if config.services.fprintd.tod.enable then pkgs.fprintd-tod else pkgs.fprintd";

     

       23
       23
       +
               defaultText = lib.literalExpression "if config.services.fprintd.tod.enable then pkgs.fprintd-tod else pkgs.fprintd";

     

       27
       24
        
               description = ''

     

       28
       25
        
                 fprintd package to use.

     

       29
       26
        
               '';

     
···

       31
       28
        
       

     

       32
       29
        
             tod = {

     

       33
       30
        
       

     

       34
       34
       -
               enable = mkEnableOption "Touch OEM Drivers library support";

     

       31
       31
       +
               enable = lib.mkEnableOption "Touch OEM Drivers library support";

     

       35
       32
        
       

     

       36
       36
       -
               driver = mkOption {

     

       37
       37
       -
                 type = types.package;

     

       38
       38
       -
                 example = literalExpression "pkgs.libfprint-2-tod1-goodix";

     

       33
       33
       +
               driver = lib.mkOption {

     

       34
       34
       +
                 type = lib.types.package;

     

       35
       35
       +
                 example = lib.literalExpression "pkgs.libfprint-2-tod1-goodix";

     

       39
       36
        
                 description = ''

     

       40
       37
        
                   Touch OEM Drivers (TOD) package to use.

     

       41
       38
        
                 '';

     
···

       47
       44
        
       

     

       48
       45
        
         ###### implementation

     

       49
       46
        
       

     

       50
       50
       -
         config = mkIf cfg.enable {

     

       47
       47
       +
         config = lib.mkIf cfg.enable {

     

       51
       48
        
       

     

       52
       49
        
           services.dbus.packages = [ cfg.package ];

     

       53
       50
        
       

     
···

       55
       52
        
       

     

       56
       53
        
           systemd.packages = [ cfg.package ];

     

       57
       54
        
       

     

       58
       58
       -
           systemd.services.fprintd.environment = mkIf cfg.tod.enable {

     

       55
       55
       +
           systemd.services.fprintd.environment = lib.mkIf cfg.tod.enable {

     

       59
       56
        
             FP_TOD_DRIVERS_DIR = "${cfg.tod.driver}${cfg.tod.driver.driverPath}";

     

       60
       57
        
           };

     

       61
       58

+23 -27

nixos/modules/services/security/haka.nix

···

       1
       1
        
       # This module defines global configuration for Haka.

     

       2
       2
       -
       

     

       3
       2
        
       {

     

       4
       3
        
         config,

     

       5
       4
        
         lib,

     

       6
       5
        
         pkgs,

     

       7
       6
        
         ...

     

       8
       7
        
       }:

     

       9
       9
       -
       

     

       10
       10
       -
       with lib;

     

       11
       11
       -
       

     

       12
       8
        
       let

     

       13
       9
        
       

     

       14
       10
        
         cfg = config.services.haka;

     
···

       23
       19
        
             else

     

       24
       20
        
               "${haka}/share/haka/sample/${cfg.configFile}"

     

       25
       21
        
           }

     

       26
       26
       -
           ${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}

     

       22
       22
       +
           ${lib.optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}

     

       27
       23
        
       

     

       28
       24
        
           [packet]

     

       29
       29
       -
           ${optionalString cfg.pcap ''module = "packet/pcap"''}

     

       30
       30
       -
           ${optionalString cfg.nfqueue ''module = "packet/nqueue"''}

     

       31
       31
       -
           ${optionalString cfg.dump.enable ''dump = "yes"''}

     

       32
       32
       -
           ${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}

     

       33
       33
       -
           ${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}

     

       25
       25
       +
           ${lib.optionalString cfg.pcap ''module = "packet/pcap"''}

     

       26
       26
       +
           ${lib.optionalString cfg.nfqueue ''module = "packet/nqueue"''}

     

       27
       27
       +
           ${lib.optionalString cfg.dump.enable ''dump = "yes"''}

     

       28
       28
       +
           ${lib.optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}

     

       29
       29
       +
           ${lib.optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}

     

       34
       30
        
       

     

       35
       31
        
           interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"

     

       36
       32
        
       

     
···

       62
       58
        
       

     

       63
       59
        
           services.haka = {

     

       64
       60
        
       

     

       65
       65
       -
             enable = mkEnableOption "Haka";

     

       61
       61
       +
             enable = lib.mkEnableOption "Haka";

     

       66
       62
        
       

     

       67
       67
       -
             package = mkPackageOption pkgs "haka" { };

     

       63
       63
       +
             package = lib.mkPackageOption pkgs "haka" { };

     

       68
       64
        
       

     

       69
       69
       -
             configFile = mkOption {

     

       65
       65
       +
             configFile = lib.mkOption {

     

       70
       66
        
               default = "empty.lua";

     

       71
       67
        
               example = "/srv/haka/myfilter.lua";

     

       72
       72
       -
               type = types.str;

     

       68
       68
       +
               type = lib.types.str;

     

       73
       69
        
               description = ''

     

       74
       70
        
                 Specify which configuration file Haka uses.

     

       75
       71
        
                 It can be absolute path or a path relative to the sample directory of

     
···

       77
       73
        
               '';

     

       78
       74
        
             };

     

       79
       75
        
       

     

       80
       80
       -
             interfaces = mkOption {

     

       76
       76
       +
             interfaces = lib.mkOption {

     

       81
       77
        
               default = [ "eth0" ];

     

       82
       78
        
               example = [ "any" ];

     

       83
       83
       -
               type = with types; listOf str;

     

       79
       79
       +
               type = with lib.types; listOf str;

     

       84
       80
        
               description = ''

     

       85
       81
        
                 Specify which interface(s) Haka listens to.

     

       86
       82
        
                 Use 'any' to listen to all interfaces.

     

       87
       83
        
               '';

     

       88
       84
        
             };

     

       89
       85
        
       

     

       90
       90
       -
             threads = mkOption {

     

       86
       86
       +
             threads = lib.mkOption {

     

       91
       87
        
               default = 0;

     

       92
       88
        
               example = 4;

     

       93
       93
       -
               type = types.int;

     

       89
       89
       +
               type = lib.types.int;

     

       94
       90
        
               description = ''

     

       95
       91
        
                 The number of threads that will be used.

     

       96
       92
        
                 All system threads are used by default.

     

       97
       93
        
               '';

     

       98
       94
        
             };

     

       99
       95
        
       

     

       100
       100
       -
             pcap = mkOption {

     

       96
       96
       +
             pcap = lib.mkOption {

     

       101
       97
        
               default = true;

     

       102
       102
       -
               type = types.bool;

     

       98
       98
       +
               type = lib.types.bool;

     

       103
       99
        
               description = "Whether to enable pcap";

     

       104
       100
        
             };

     

       105
       101
        
       

     

       106
       106
       -
             nfqueue = mkEnableOption "nfqueue";

     

       102
       102
       +
             nfqueue = lib.mkEnableOption "nfqueue";

     

       107
       103
        
       

     

       108
       108
       -
             dump.enable = mkEnableOption "dump";

     

       109
       109
       -
             dump.input = mkOption {

     

       104
       104
       +
             dump.enable = lib.mkEnableOption "dump";

     

       105
       105
       +
             dump.input = lib.mkOption {

     

       110
       106
        
               default = "/tmp/input.pcap";

     

       111
       107
        
               example = "/path/to/file.pcap";

     

       112
       112
       -
               type = types.path;

     

       108
       108
       +
               type = lib.types.path;

     

       113
       109
        
               description = "Path to file where incoming packets are dumped";

     

       114
       110
        
             };

     

       115
       111
        
       

     

       116
       116
       -
             dump.output = mkOption {

     

       112
       112
       +
             dump.output = lib.mkOption {

     

       117
       113
        
               default = "/tmp/output.pcap";

     

       118
       114
        
               example = "/path/to/file.pcap";

     

       119
       119
       -
               type = types.path;

     

       115
       115
       +
               type = lib.types.path;

     

       120
       116
        
               description = "Path to file where outgoing packets are dumped";

     

       121
       117
        
             };

     

       122
       118
        
           };

     
···

       124
       120
        
       

     

       125
       121
        
         ###### implementation

     

       126
       122
        
       

     

       127
       127
       -
         config = mkIf cfg.enable {

     

       123
       123
       +
         config = lib.mkIf cfg.enable {

     

       128
       124
        
       

     

       129
       125
        
           assertions = [

     

       130
       126
        
             {

+4 -7

nixos/modules/services/security/haveged.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.haveged;

     

       12
       9
        
       

     
···

       20
       17
        
       

     

       21
       18
        
           services.haveged = {

     

       22
       19
        
       

     

       23
       23
       -
             enable = mkEnableOption ''

     

       20
       20
       +
             enable = lib.mkEnableOption ''

     

       24
       21
        
               haveged entropy daemon, which refills /dev/random when low.

     

       25
       22
        
               NOTE: does nothing on kernels newer than 5.6

     

       26
       23
        
             '';

     

       27
       24
        
             # source for the note https://github.com/jirka-h/haveged/issues/57

     

       28
       25
        
       

     

       29
       29
       -
             refill_threshold = mkOption {

     

       30
       30
       -
               type = types.int;

     

       26
       26
       +
             refill_threshold = lib.mkOption {

     

       27
       27
       +
               type = lib.types.int;

     

       31
       28
        
               default = 1024;

     

       32
       29
        
               description = ''

     

       33
       30
        
                 The number of bits of available entropy beneath which

     
···

       39
       36
        
       

     

       40
       37
        
         };

     

       41
       38
        
       

     

       42
       42
       -
         config = mkIf cfg.enable {

     

       39
       39
       +
         config = lib.mkIf cfg.enable {

     

       43
       40
        
       

     

       44
       41
        
           # https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service

     

       45
       42
        
           systemd.services.haveged = {

+7 -10

nixos/modules/services/security/hologram-agent.nix

···

       4
       4
        
         lib,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.hologram-agent;

     

       12
       9
        
       

     
···

       19
       16
        
       {

     

       20
       17
        
         options = {

     

       21
       18
        
           services.hologram-agent = {

     

       22
       22
       -
             enable = mkOption {

     

       23
       23
       -
               type = types.bool;

     

       19
       19
       +
             enable = lib.mkOption {

     

       20
       20
       +
               type = lib.types.bool;

     

       24
       21
        
               default = false;

     

       25
       22
        
               description = "Whether to enable the Hologram agent for AWS instance credentials";

     

       26
       23
        
             };

     

       27
       24
        
       

     

       28
       28
       -
             dialAddress = mkOption {

     

       29
       29
       -
               type = types.str;

     

       25
       25
       +
             dialAddress = lib.mkOption {

     

       26
       26
       +
               type = lib.types.str;

     

       30
       27
        
               default = "localhost:3100";

     

       31
       28
        
               description = "Hologram server and port.";

     

       32
       29
        
             };

     

       33
       30
        
       

     

       34
       34
       -
             httpPort = mkOption {

     

       35
       35
       -
               type = types.str;

     

       31
       31
       +
             httpPort = lib.mkOption {

     

       32
       32
       +
               type = lib.types.str;

     

       36
       33
        
               default = "80";

     

       37
       34
        
               description = "Port for metadata service to listen on.";

     

       38
       35
        
             };

     
···

       40
       37
        
           };

     

       41
       38
        
         };

     

       42
       39
        
       

     

       43
       43
       -
         config = mkIf cfg.enable {

     

       40
       40
       +
         config = lib.mkIf cfg.enable {

     

       44
       41
        
           boot.kernelModules = [ "dummy" ];

     

       45
       42
        
       

     

       46
       43
        
           networking.interfaces.dummy0.ipv4.addresses = [

+31 -34

nixos/modules/services/security/hologram-server.nix

···

       4
       4
        
         lib,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.hologram-server;

     

       12
       9
        
       

     
···

       38
       35
        
       {

     

       39
       36
        
         options = {

     

       40
       37
        
           services.hologram-server = {

     

       41
       41
       -
             enable = mkOption {

     

       42
       42
       -
               type = types.bool;

     

       38
       38
       +
             enable = lib.mkOption {

     

       39
       39
       +
               type = lib.types.bool;

     

       43
       40
        
               default = false;

     

       44
       41
        
               description = "Whether to enable the Hologram server for AWS instance credentials";

     

       45
       42
        
             };

     

       46
       43
        
       

     

       47
       47
       -
             listenAddress = mkOption {

     

       48
       48
       -
               type = types.str;

     

       44
       44
       +
             listenAddress = lib.mkOption {

     

       45
       45
       +
               type = lib.types.str;

     

       49
       46
        
               default = "0.0.0.0:3100";

     

       50
       47
        
               description = "Address and port to listen on";

     

       51
       48
        
             };

     

       52
       49
        
       

     

       53
       53
       -
             ldapHost = mkOption {

     

       54
       54
       -
               type = types.str;

     

       50
       50
       +
             ldapHost = lib.mkOption {

     

       51
       51
       +
               type = lib.types.str;

     

       55
       52
        
               description = "Address of the LDAP server to use";

     

       56
       53
        
             };

     

       57
       54
        
       

     

       58
       58
       -
             ldapInsecure = mkOption {

     

       59
       59
       -
               type = types.bool;

     

       55
       55
       +
             ldapInsecure = lib.mkOption {

     

       56
       56
       +
               type = lib.types.bool;

     

       60
       57
        
               default = false;

     

       61
       58
        
               description = "Whether to connect to LDAP over SSL or not";

     

       62
       59
        
             };

     

       63
       60
        
       

     

       64
       64
       -
             ldapUserAttr = mkOption {

     

       65
       65
       -
               type = types.str;

     

       61
       61
       +
             ldapUserAttr = lib.mkOption {

     

       62
       62
       +
               type = lib.types.str;

     

       66
       63
        
               default = "cn";

     

       67
       64
        
               description = "The LDAP attribute for usernames";

     

       68
       65
        
             };

     

       69
       66
        
       

     

       70
       70
       -
             ldapBaseDN = mkOption {

     

       71
       71
       -
               type = types.str;

     

       67
       67
       +
             ldapBaseDN = lib.mkOption {

     

       68
       68
       +
               type = lib.types.str;

     

       72
       69
        
               description = "The base DN for your Hologram users";

     

       73
       70
        
             };

     

       74
       71
        
       

     

       75
       75
       -
             ldapBindDN = mkOption {

     

       76
       76
       -
               type = types.str;

     

       72
       72
       +
             ldapBindDN = lib.mkOption {

     

       73
       73
       +
               type = lib.types.str;

     

       77
       74
        
               description = "DN of account to use to query the LDAP server";

     

       78
       75
        
             };

     

       79
       76
        
       

     

       80
       80
       -
             ldapBindPassword = mkOption {

     

       81
       81
       -
               type = types.str;

     

       77
       77
       +
             ldapBindPassword = lib.mkOption {

     

       78
       78
       +
               type = lib.types.str;

     

       82
       79
        
               description = "Password of account to use to query the LDAP server";

     

       83
       80
        
             };

     

       84
       81
        
       

     

       85
       85
       -
             enableLdapRoles = mkOption {

     

       86
       86
       -
               type = types.bool;

     

       82
       82
       +
             enableLdapRoles = lib.mkOption {

     

       83
       83
       +
               type = lib.types.bool;

     

       87
       84
        
               default = false;

     

       88
       85
        
               description = "Whether to assign user roles based on the user's LDAP group memberships";

     

       89
       86
        
             };

     

       90
       87
        
       

     

       91
       91
       -
             groupClassAttr = mkOption {

     

       92
       92
       -
               type = types.str;

     

       88
       88
       +
             groupClassAttr = lib.mkOption {

     

       89
       89
       +
               type = lib.types.str;

     

       93
       90
        
               default = "groupOfNames";

     

       94
       91
        
               description = "The objectclass attribute to search for groups when enableLdapRoles is true";

     

       95
       92
        
             };

     

       96
       93
        
       

     

       97
       97
       -
             roleAttr = mkOption {

     

       98
       98
       -
               type = types.str;

     

       94
       94
       +
             roleAttr = lib.mkOption {

     

       95
       95
       +
               type = lib.types.str;

     

       99
       96
        
               default = "businessCategory";

     

       100
       97
        
               description = "Which LDAP group attribute to search for authorized role ARNs";

     

       101
       98
        
             };

     

       102
       99
        
       

     

       103
       103
       -
             awsAccount = mkOption {

     

       104
       104
       -
               type = types.str;

     

       100
       100
       +
             awsAccount = lib.mkOption {

     

       101
       101
       +
               type = lib.types.str;

     

       105
       102
        
               description = "AWS account number";

     

       106
       103
        
             };

     

       107
       104
        
       

     

       108
       108
       -
             awsDefaultRole = mkOption {

     

       109
       109
       -
               type = types.str;

     

       105
       105
       +
             awsDefaultRole = lib.mkOption {

     

       106
       106
       +
               type = lib.types.str;

     

       110
       107
        
               description = "AWS default role";

     

       111
       108
        
             };

     

       112
       109
        
       

     

       113
       113
       -
             statsAddress = mkOption {

     

       114
       114
       -
               type = types.str;

     

       110
       110
       +
             statsAddress = lib.mkOption {

     

       111
       111
       +
               type = lib.types.str;

     

       115
       112
        
               default = "";

     

       116
       113
        
               description = "Address of statsd server";

     

       117
       114
        
             };

     

       118
       115
        
       

     

       119
       119
       -
             cacheTimeoutSeconds = mkOption {

     

       120
       120
       -
               type = types.int;

     

       116
       116
       +
             cacheTimeoutSeconds = lib.mkOption {

     

       117
       117
       +
               type = lib.types.int;

     

       121
       118
        
               default = 3600;

     

       122
       119
        
               description = "How often (in seconds) to refresh the LDAP cache";

     

       123
       120
        
             };

     

       124
       121
        
           };

     

       125
       122
        
         };

     

       126
       123
        
       

     

       127
       127
       -
         config = mkIf cfg.enable {

     

       124
       124
       +
         config = lib.mkIf cfg.enable {

     

       128
       125
        
           systemd.services.hologram-server = {

     

       129
       126
        
             description = "Provide EC2 instance credentials to machines outside of EC2";

     

       130
       127
        
             after = [ "network.target" ];

+5 -8

nixos/modules/services/security/infnoise.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.infnoise;

     

       12
       9
        
       in

     

       13
       10
        
       {

     

       14
       11
        
         options = {

     

       15
       12
        
           services.infnoise = {

     

       16
       16
       -
             enable = mkEnableOption "the Infinite Noise TRNG driver";

     

       13
       13
       +
             enable = lib.mkEnableOption "the Infinite Noise TRNG driver";

     

       17
       14
        
       

     

       18
       18
       -
             fillDevRandom = mkOption {

     

       15
       15
       +
             fillDevRandom = lib.mkOption {

     

       19
       16
        
               description = ''

     

       20
       17
        
                 Whether to run the infnoise driver as a daemon to refill /dev/random.

     

       21
       18
        
       

     

       22
       19
        
                 If disabled, you can use the `infnoise` command-line tool to

     

       23
       20
        
                 manually obtain randomness.

     

       24
       21
        
               '';

     

       25
       25
       -
               type = types.bool;

     

       22
       22
       +
               type = lib.types.bool;

     

       26
       23
        
               default = true;

     

       27
       24
        
             };

     

       28
       25
        
           };

     

       29
       26
        
         };

     

       30
       27
        
       

     

       31
       31
       -
         config = mkIf cfg.enable {

     

       28
       28
       +
         config = lib.mkIf cfg.enable {

     

       32
       29
        
           environment.systemPackages = [ pkgs.infnoise ];

     

       33
       30
        
       

     

       34
       31
        
           services.udev.extraRules = ''

     

       35
       32
        
             SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"

     

       36
       33
        
           '';

     

       37
       34
        
       

     

       38
       38
       -
           systemd.services.infnoise = mkIf cfg.fillDevRandom {

     

       35
       35
       +
           systemd.services.infnoise = lib.mkIf cfg.fillDevRandom {

     

       39
       36
        
             description = "Infinite Noise TRNG driver";

     

       40
       37
        
       

     

       41
       38
        
             bindsTo = [ "dev-infnoise.device" ];

+4 -7

nixos/modules/services/security/munge.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
       

     

       12
       9
        
         cfg = config.services.munge;

     
···

       20
       17
        
         options = {

     

       21
       18
        
       

     

       22
       19
        
           services.munge = {

     

       23
       23
       -
             enable = mkEnableOption "munge service";

     

       20
       20
       +
             enable = lib.mkEnableOption "munge service";

     

       24
       21
        
       

     

       25
       25
       -
             password = mkOption {

     

       22
       22
       +
             password = lib.mkOption {

     

       26
       23
        
               default = "/etc/munge/munge.key";

     

       27
       27
       -
               type = types.path;

     

       24
       24
       +
               type = lib.types.path;

     

       28
       25
        
               description = ''

     

       29
       26
        
                 The path to a daemon's secret key.

     

       30
       27
        
               '';

     
···

       36
       33
        
       

     

       37
       34
        
         ###### implementation

     

       38
       35
        
       

     

       39
       39
       -
         config = mkIf cfg.enable {

     

       36
       36
       +
         config = lib.mkIf cfg.enable {

     

       40
       37
        
       

     

       41
       38
        
           environment.systemPackages = [ pkgs.munge ];

     

       42
       39

+5 -8

nixos/modules/services/security/nginx-sso.nix

···

       1
       1
        
       { config, lib, pkgs, utils, ... }:

     

       2
       2
       -
       

     

       3
       3
       -
       with lib;

     

       4
       4
       -
       

     

       5
       2
        
       let

     

       6
       3
        
         cfg = config.services.nginx.sso;

     

       7
       4
        
         format = pkgs.formats.yaml { };

     

       8
       5
        
         configPath = "/var/lib/nginx-sso/config.yaml";

     

       9
       6
        
       in {

     

       10
       7
        
         options.services.nginx.sso = {

     

       11
       11
       -
           enable = mkEnableOption "nginx-sso service";

     

       8
       8
       +
           enable = lib.mkEnableOption "nginx-sso service";

     

       12
       9
        
       

     

       13
       13
       -
           package = mkPackageOption pkgs "nginx-sso" { };

     

       10
       10
       +
           package = lib.mkPackageOption pkgs "nginx-sso" { };

     

       14
       11
        
       

     

       15
       15
       -
           configuration = mkOption {

     

       12
       12
       +
           configuration = lib.mkOption {

     

       16
       13
        
             type = format.type;

     

       17
       14
        
             default = {};

     

       18
       18
       -
             example = literalExpression ''

     

       15
       15
       +
             example = lib.literalExpression ''

     

       19
       16
        
               {

     

       20
       17
        
                 listen = { addr = "127.0.0.1"; port = 8080; };

     

       21
       18
        
       

     
···

       48
       45
        
           };

     

       49
       46
        
         };

     

       50
       47
        
       

     

       51
       51
       -
         config = mkIf cfg.enable {

     

       48
       48
       +
         config = lib.mkIf cfg.enable {

     

       52
       49
        
           systemd.services.nginx-sso = {

     

       53
       50
        
             description = "Nginx SSO Backend";

     

       54
       51
        
             after = [ "network.target" ];

+39 -40

nixos/modules/services/security/opensnitch.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.opensnitch;

     

       12
       9
        
         format = pkgs.formats.json { };

     

       13
       10
        
       

     

       14
       14
       -
         predefinedRules = flip mapAttrs cfg.rules (

     

       11
       11
       +
         predefinedRules = lib.flip lib.mapAttrs cfg.rules (

     

       15
       12
        
           name: cfg: {

     

       16
       13
        
             file = pkgs.writeText "rule" (builtins.toJSON cfg);

     

       17
       14
        
           }

     
···

       21
       18
        
       {

     

       22
       19
        
         options = {

     

       23
       20
        
           services.opensnitch = {

     

       24
       24
       -
             enable = mkEnableOption "Opensnitch application firewall";

     

       21
       21
       +
             enable = lib.mkEnableOption "Opensnitch application firewall";

     

       25
       22
        
       

     

       26
       26
       -
             rules = mkOption {

     

       23
       23
       +
             rules = lib.mkOption {

     

       27
       24
        
               default = { };

     

       28
       28
       -
               example = literalExpression ''

     

       25
       25
       +
               example = lib.literalExpression ''

     

       29
       26
        
                 {

     

       30
       27
        
                   "tor" = {

     

       31
       28
        
                     "name" = "tor";

     
···

       50
       47
        
                 for available options.

     

       51
       48
        
               '';

     

       52
       49
        
       

     

       53
       53
       -
               type = types.submodule {

     

       50
       50
       +
               type = lib.types.submodule {

     

       54
       51
        
                 freeformType = format.type;

     

       55
       52
        
               };

     

       56
       53
        
             };

     

       57
       54
        
       

     

       58
       58
       -
             settings = mkOption {

     

       59
       59
       -
               type = types.submodule {

     

       55
       55
       +
             settings = lib.mkOption {

     

       56
       56
       +
               type = lib.types.submodule {

     

       60
       57
        
                 freeformType = format.type;

     

       61
       58
        
       

     

       62
       59
        
                 options = {

     

       63
       60
        
                   Server = {

     

       64
       61
        
       

     

       65
       65
       -
                     Address = mkOption {

     

       66
       66
       -
                       type = types.str;

     

       62
       62
       +
                     Address = lib.mkOption {

     

       63
       63
       +
                       type = lib.types.str;

     

       67
       64
        
                       description = ''

     

       68
       65
        
                         Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is

     

       69
       66
        
                         mandatory) or TCP socket (192.168.1.100:50051).

     

       70
       67
        
                       '';

     

       71
       68
        
                     };

     

       72
       69
        
       

     

       73
       73
       -
                     LogFile = mkOption {

     

       74
       74
       -
                       type = types.path;

     

       70
       70
       +
                     LogFile = lib.mkOption {

     

       71
       71
       +
                       type = lib.types.path;

     

       75
       72
        
                       description = ''

     

       76
       73
        
                         File to write logs to (use /dev/stdout to write logs to standard

     

       77
       74
        
                         output).

     
···

       80
       77
        
       

     

       81
       78
        
                   };

     

       82
       79
        
       

     

       83
       83
       -
                   DefaultAction = mkOption {

     

       84
       84
       -
                     type = types.enum [

     

       80
       80
       +
                   DefaultAction = lib.mkOption {

     

       81
       81
       +
                     type = lib.types.enum [

     

       85
       82
        
                       "allow"

     

       86
       83
        
                       "deny"

     

       87
       84
        
                     ];

     
···

       91
       88
        
                     '';

     

       92
       89
        
                   };

     

       93
       90
        
       

     

       94
       94
       -
                   InterceptUnknown = mkOption {

     

       95
       95
       -
                     type = types.bool;

     

       91
       91
       +
                   InterceptUnknown = lib.mkOption {

     

       92
       92
       +
                     type = lib.types.bool;

     

       96
       93
        
                     description = ''

     

       97
       94
        
                       Whether to intercept spare connections.

     

       98
       95
        
                     '';

     

       99
       96
        
                   };

     

       100
       97
        
       

     

       101
       101
       -
                   ProcMonitorMethod = mkOption {

     

       102
       102
       -
                     type = types.enum [

     

       98
       98
       +
                   ProcMonitorMethod = lib.mkOption {

     

       99
       99
       +
                     type = lib.types.enum [

     

       103
       100
        
                       "ebpf"

     

       104
       101
        
                       "proc"

     

       105
       102
        
                       "ftrace"

     
···

       110
       107
        
                     '';

     

       111
       108
        
                   };

     

       112
       109
        
       

     

       113
       113
       -
                   LogLevel = mkOption {

     

       114
       114
       -
                     type = types.enum [

     

       110
       110
       +
                   LogLevel = lib.mkOption {

     

       111
       111
       +
                     type = lib.types.enum [

     

       115
       112
        
                       0

     

       116
       113
        
                       1

     

       117
       114
        
                       2

     
···

       124
       121
        
                     '';

     

       125
       122
        
                   };

     

       126
       123
        
       

     

       127
       127
       -
                   Firewall = mkOption {

     

       128
       128
       -
                     type = types.enum [

     

       124
       124
       +
                   Firewall = lib.mkOption {

     

       125
       125
       +
                     type = lib.types.enum [

     

       129
       126
        
                       "iptables"

     

       130
       127
        
                       "nftables"

     

       131
       128
        
                     ];

     
···

       136
       133
        
       

     

       137
       134
        
                   Stats = {

     

       138
       135
        
       

     

       139
       139
       -
                     MaxEvents = mkOption {

     

       140
       140
       -
                       type = types.int;

     

       136
       136
       +
                     MaxEvents = lib.mkOption {

     

       137
       137
       +
                       type = lib.types.int;

     

       141
       138
        
                       description = ''

     

       142
       139
        
                         Max events to send to the GUI.

     

       143
       140
        
                       '';

     

       144
       141
        
                     };

     

       145
       142
        
       

     

       146
       146
       -
                     MaxStats = mkOption {

     

       147
       147
       -
                       type = types.int;

     

       143
       143
       +
                     MaxStats = lib.mkOption {

     

       144
       144
       +
                       type = lib.types.int;

     

       148
       145
        
                       description = ''

     

       149
       146
        
                         Max stats per item to keep in backlog.

     

       150
       147
        
                       '';

     
···

       152
       149
        
       

     

       153
       150
        
                   };

     

       154
       151
        
       

     

       155
       155
       -
                   Ebpf.ModulesPath = mkOption {

     

       156
       156
       -
                     type = types.path;

     

       152
       152
       +
                   Ebpf.ModulesPath = lib.mkOption {

     

       153
       153
       +
                     type = lib.types.path;

     

       157
       154
        
                     default =

     

       158
       155
        
                       if cfg.settings.ProcMonitorMethod == "ebpf" then

     

       159
       156
        
                         "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd"

     

       160
       157
        
                       else

     

       161
       158
        
                         null;

     

       162
       162
       -
                     defaultText = literalExpression ''

     

       159
       159
       +
                     defaultText = lib.literalExpression ''

     

       163
       160
        
                       if cfg.settings.ProcMonitorMethod == "ebpf" then

     

       164
       161
        
                         "\\$\\{config.boot.kernelPackages.opensnitch-ebpf\\}/etc/opensnitchd"

     

       165
       162
        
                       else null;

     
···

       170
       167
        
                     '';

     

       171
       168
        
                   };

     

       172
       169
        
       

     

       173
       173
       -
                   Rules.Path = mkOption {

     

       174
       174
       -
                     type = types.path;

     

       170
       170
       +
                   Rules.Path = lib.mkOption {

     

       171
       171
       +
                     type = lib.types.path;

     

       175
       172
        
                     default = "/var/lib/opensnitch/rules";

     

       176
       173
        
                     description = ''

     

       177
       174
        
                       Path to the directory where firewall rules can be found and will

     
···

       189
       186
        
           };

     

       190
       187
        
         };

     

       191
       188
        
       

     

       192
       192
       -
         config = mkIf cfg.enable {

     

       189
       189
       +
         config = lib.mkIf cfg.enable {

     

       193
       190
        
       

     

       194
       191
        
           # pkg.opensnitch is referred to elsewhere in the module so we don't need to worry about it being garbage collected

     

       195
       195
       -
           services.opensnitch.settings = mapAttrs (_: v: mkDefault v) (

     

       192
       192
       +
           services.opensnitch.settings = lib.mapAttrs (_: v: lib.mkDefault v) (

     

       196
       193
        
             builtins.fromJSON (

     

       197
       194
        
               builtins.unsafeDiscardStringContext (

     

       198
       195
        
                 builtins.readFile "${pkgs.opensnitch}/etc/opensnitchd/default-config.json"

     
···

       210
       207
        
                   "${pkgs.opensnitch}/bin/opensnitchd --config-file ${format.generate "default-config.json" cfg.settings}"

     

       211
       208
        
                 ];

     

       212
       209
        
               };

     

       213
       213
       -
               preStart = mkIf (cfg.rules != { }) (

     

       210
       210
       +
               preStart = lib.mkIf (cfg.rules != { }) (

     

       214
       211
        
                 let

     

       215
       215
       -
                   rules = flip mapAttrsToList predefinedRules (

     

       212
       212
       +
                   rules = lib.flip lib.mapAttrsToList predefinedRules (

     

       216
       213
        
                     file: content: {

     

       217
       214
        
                       inherit (content) file;

     

       218
       215
        
                       local = "${cfg.settings.Rules.Path}/${file}.json";

     
···

       225
       222
        
                   # declared in `cfg.rules` (i.e. all networks that were "removed" from

     

       226
       223
        
                   # `cfg.rules`).

     

       227
       224
        
                   find ${cfg.settings.Rules.Path} -type l -lname '${builtins.storeDir}/*' ${

     

       228
       228
       -
                     optionalString (rules != { }) ''

     

       229
       229
       -
                       -not \( ${concatMapStringsSep " -o " ({ local, ... }: "-name '${baseNameOf local}*'") rules} \) \

     

       225
       225
       +
                     lib.optionalString (rules != { }) ''

     

       226
       226
       +
                       -not \( ${

     

       227
       227
       +
                         lib.concatMapStringsSep " -o " ({ local, ... }: "-name '${baseNameOf local}*'") rules

     

       228
       228
       +
                       } \) \

     

       230
       229
        
                     ''

     

       231
       230
        
                   } -delete

     

       232
       232
       -
                   ${concatMapStrings (

     

       231
       231
       +
                   ${lib.concatMapStrings (

     

       233
       232
        
                     { file, local }:

     

       234
       233
        
                     ''

     

       235
       234
        
                       ln -sf '${file}' "${local}"

+4 -7

nixos/modules/services/security/pass-secret-service.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.passSecretService;

     

       12
       9
        
       in

     

       13
       10
        
       {

     

       14
       11
        
         options.services.passSecretService = {

     

       15
       15
       -
           enable = mkEnableOption "pass secret service";

     

       12
       12
       +
           enable = lib.mkEnableOption "pass secret service";

     

       16
       13
        
       

     

       17
       17
       -
           package = mkPackageOption pkgs "pass-secret-service" {

     

       14
       14
       +
           package = lib.mkPackageOption pkgs "pass-secret-service" {

     

       18
       15
        
             example = "pass-secret-service.override { python3 = pkgs.python310 }";

     

       19
       16
        
           };

     

       20
       17
        
         };

     

       21
       18
        
       

     

       22
       22
       -
         config = mkIf cfg.enable {

     

       19
       19
       +
         config = lib.mkIf cfg.enable {

     

       23
       20
        
           systemd.packages = [ cfg.package ];

     

       24
       21
        
           services.dbus.packages = [ cfg.package ];

     

       25
       22
        
         };

     

       26
       23
        
       

     

       27
       27
       -
         meta.maintainers = with maintainers; [ aidalgol ];

     

       24
       24
       +
         meta.maintainers = with lib.maintainers; [ aidalgol ];

     

       28
       25
        
       }

+53 -52

nixos/modules/services/security/physlock.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.physlock;

     

       12
       9
        
       in

     
···

       19
       16
        
       

     

       20
       17
        
           services.physlock = {

     

       21
       18
        
       

     

       22
       22
       -
             enable = mkOption {

     

       23
       23
       -
               type = types.bool;

     

       19
       19
       +
             enable = lib.mkOption {

     

       20
       20
       +
               type = lib.types.bool;

     

       24
       21
        
               default = false;

     

       25
       22
        
               description = ''

     

       26
       23
        
                 Whether to enable the {command}`physlock` screen locking mechanism.

     
···

       35
       32
        
               '';

     

       36
       33
        
             };

     

       37
       34
        
       

     

       38
       38
       -
             allowAnyUser = mkOption {

     

       39
       39
       -
               type = types.bool;

     

       35
       35
       +
             allowAnyUser = lib.mkOption {

     

       36
       36
       +
               type = lib.types.bool;

     

       40
       37
        
               default = false;

     

       41
       38
        
               description = ''

     

       42
       39
        
                 Whether to allow any user to lock the screen. This will install a

     
···

       46
       43
        
               '';

     

       47
       44
        
             };

     

       48
       45
        
       

     

       49
       49
       -
             disableSysRq = mkOption {

     

       50
       50
       -
               type = types.bool;

     

       46
       46
       +
             disableSysRq = lib.mkOption {

     

       47
       47
       +
               type = lib.types.bool;

     

       51
       48
        
               default = true;

     

       52
       49
        
               description = ''

     

       53
       50
        
                 Whether to disable SysRq when locked with physlock.

     

       54
       51
        
               '';

     

       55
       52
        
             };

     

       56
       53
        
       

     

       57
       57
       -
             lockMessage = mkOption {

     

       58
       58
       -
               type = types.str;

     

       54
       54
       +
             lockMessage = lib.mkOption {

     

       55
       55
       +
               type = lib.types.str;

     

       59
       56
        
               default = "";

     

       60
       57
        
               description = ''

     

       61
       58
        
                 Message to show on physlock login terminal.

     

       62
       59
        
               '';

     

       63
       60
        
             };

     

       64
       61
        
       

     

       65
       65
       -
             muteKernelMessages = mkOption {

     

       66
       66
       -
               type = types.bool;

     

       62
       62
       +
             muteKernelMessages = lib.mkOption {

     

       63
       63
       +
               type = lib.types.bool;

     

       67
       64
        
               default = false;

     

       68
       65
        
               description = ''

     

       69
       66
        
                 Disable kernel messages on console while physlock is running.

     
···

       72
       69
        
       

     

       73
       70
        
             lockOn = {

     

       74
       71
        
       

     

       75
       75
       -
               suspend = mkOption {

     

       76
       76
       -
                 type = types.bool;

     

       72
       72
       +
               suspend = lib.mkOption {

     

       73
       73
       +
                 type = lib.types.bool;

     

       77
       74
        
                 default = true;

     

       78
       75
        
                 description = ''

     

       79
       76
        
                   Whether to lock screen with physlock just before suspend.

     

       80
       77
        
                 '';

     

       81
       78
        
               };

     

       82
       79
        
       

     

       83
       83
       -
               hibernate = mkOption {

     

       84
       84
       -
                 type = types.bool;

     

       80
       80
       +
               hibernate = lib.mkOption {

     

       81
       81
       +
                 type = lib.types.bool;

     

       85
       82
        
                 default = true;

     

       86
       83
        
                 description = ''

     

       87
       84
        
                   Whether to lock screen with physlock just before hibernate.

     

       88
       85
        
                 '';

     

       89
       86
        
               };

     

       90
       87
        
       

     

       91
       91
       -
               extraTargets = mkOption {

     

       92
       92
       -
                 type = types.listOf types.str;

     

       88
       88
       +
               extraTargets = lib.mkOption {

     

       89
       89
       +
                 type = lib.types.listOf lib.types.str;

     

       93
       90
        
                 default = [ ];

     

       94
       91
        
                 example = [ "display-manager.service" ];

     

       95
       92
        
                 description = ''

     
···

       110
       107
        
       

     

       111
       108
        
         ###### implementation

     

       112
       109
        
       

     

       113
       113
       -
         config = mkIf cfg.enable (mkMerge [

     

       114
       114
       -
           {

     

       110
       110
       +
         config = lib.mkIf cfg.enable (

     

       111
       111
       +
           lib.mkMerge [

     

       112
       112
       +
             {

     

       115
       113
        
       

     

       116
       116
       -
             # for physlock -l and physlock -L

     

       117
       117
       -
             environment.systemPackages = [ pkgs.physlock ];

     

       114
       114
       +
               # for physlock -l and physlock -L

     

       115
       115
       +
               environment.systemPackages = [ pkgs.physlock ];

     

       118
       116
        
       

     

       119
       119
       -
             systemd.services.physlock = {

     

       120
       120
       -
               enable = true;

     

       121
       121
       -
               description = "Physlock";

     

       122
       122
       -
               wantedBy =

     

       123
       123
       -
                 optional cfg.lockOn.suspend "suspend.target"

     

       124
       124
       -
                 ++ optional cfg.lockOn.hibernate "hibernate.target"

     

       125
       125
       -
                 ++ cfg.lockOn.extraTargets;

     

       126
       126
       -
               before =

     

       127
       127
       -
                 optional cfg.lockOn.suspend "systemd-suspend.service"

     

       128
       128
       -
                 ++ optional cfg.lockOn.hibernate "systemd-hibernate.service"

     

       129
       129
       -
                 ++ optional (cfg.lockOn.hibernate || cfg.lockOn.suspend) "systemd-suspend-then-hibernate.service"

     

       130
       130
       -
                 ++ cfg.lockOn.extraTargets;

     

       131
       131
       -
               serviceConfig = {

     

       132
       132
       -
                 Type = "forking";

     

       133
       133
       -
                 ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.muteKernelMessages "m"}${optionalString cfg.disableSysRq "s"}${

     

       134
       134
       -
                   optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""

     

       135
       135
       -
                 }";

     

       117
       117
       +
               systemd.services.physlock = {

     

       118
       118
       +
                 enable = true;

     

       119
       119
       +
                 description = "Physlock";

     

       120
       120
       +
                 wantedBy =

     

       121
       121
       +
                   lib.optional cfg.lockOn.suspend "suspend.target"

     

       122
       122
       +
                   ++ lib.optional cfg.lockOn.hibernate "hibernate.target"

     

       123
       123
       +
                   ++ cfg.lockOn.extraTargets;

     

       124
       124
       +
                 before =

     

       125
       125
       +
                   lib.optional cfg.lockOn.suspend "systemd-suspend.service"

     

       126
       126
       +
                   ++ lib.optional cfg.lockOn.hibernate "systemd-hibernate.service"

     

       127
       127
       +
                   ++ lib.optional (

     

       128
       128
       +
                     cfg.lockOn.hibernate || cfg.lockOn.suspend

     

       129
       129
       +
                   ) "systemd-suspend-then-hibernate.service"

     

       130
       130
       +
                   ++ cfg.lockOn.extraTargets;

     

       131
       131
       +
                 serviceConfig = {

     

       132
       132
       +
                   Type = "forking";

     

       133
       133
       +
                   ExecStart = "${pkgs.physlock}/bin/physlock -d${lib.optionalString cfg.muteKernelMessages "m"}${lib.optionalString cfg.disableSysRq "s"}${

     

       134
       134
       +
                     lib.optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""

     

       135
       135
       +
                   }";

     

       136
       136
       +
                 };

     

       136
       137
        
               };

     

       137
       137
       -
             };

     

       138
       138
        
       

     

       139
       139
       -
             security.pam.services.physlock = { };

     

       139
       139
       +
               security.pam.services.physlock = { };

     

       140
       140
        
       

     

       141
       141
       -
           }

     

       141
       141
       +
             }

     

       142
       142
        
       

     

       143
       143
       -
           (mkIf cfg.allowAnyUser {

     

       143
       143
       +
             (lib.mkIf cfg.allowAnyUser {

     

       144
       144
        
       

     

       145
       145
       -
             security.wrappers.physlock = {

     

       146
       146
       -
               setuid = true;

     

       147
       147
       -
               owner = "root";

     

       148
       148
       -
               group = "root";

     

       149
       149
       -
               source = "${pkgs.physlock}/bin/physlock";

     

       150
       150
       -
             };

     

       145
       145
       +
               security.wrappers.physlock = {

     

       146
       146
       +
                 setuid = true;

     

       147
       147
       +
                 owner = "root";

     

       148
       148
       +
                 group = "root";

     

       149
       149
       +
                 source = "${pkgs.physlock}/bin/physlock";

     

       150
       150
       +
               };

     

       151
       151
        
       

     

       152
       152
       -
           })

     

       153
       153
       -
         ]);

     

       152
       152
       +
             })

     

       153
       153
       +
           ]

     

       154
       154
       +
         );

     

       154
       155
        
       

     

       155
       156
        
       }

+15 -18

nixos/modules/services/security/sks.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.sks;

     

       12
       9
        
         sksPkg = cfg.package;

     
···

       16
       13
        
       

     

       17
       14
        
       in

     

       18
       15
        
       {

     

       19
       19
       -
         meta.maintainers = with maintainers; [

     

       16
       16
       +
         meta.maintainers = with lib.maintainers; [

     

       20
       17
        
           calbrecht

     

       21
       18
        
           jcumming

     

       22
       19
        
         ];

     
···

       25
       22
        
       

     

       26
       23
        
           services.sks = {

     

       27
       24
        
       

     

       28
       28
       -
             enable = mkEnableOption ''

     

       25
       25
       +
             enable = lib.mkEnableOption ''

     

       29
       26
        
               SKS (synchronizing key server for OpenPGP) and start the database

     

       30
       27
        
               server. You need to create "''${dataDir}/dump/*.gpg" for the initial

     

       31
       28
        
               import'';

     

       32
       29
        
       

     

       33
       33
       -
             package = mkPackageOption pkgs "sks" { };

     

       30
       30
       +
             package = lib.mkPackageOption pkgs "sks" { };

     

       34
       31
        
       

     

       35
       35
       -
             dataDir = mkOption {

     

       36
       36
       -
               type = types.path;

     

       32
       32
       +
             dataDir = lib.mkOption {

     

       33
       33
       +
               type = lib.types.path;

     

       37
       34
        
               default = "/var/db/sks";

     

       38
       35
        
               example = "/var/lib/sks";

     

       39
       36
        
               # TODO: The default might change to "/var/lib/sks" as this is more

     
···

       46
       43
        
               '';

     

       47
       44
        
             };

     

       48
       45
        
       

     

       49
       49
       -
             extraDbConfig = mkOption {

     

       50
       50
       -
               type = types.str;

     

       46
       46
       +
             extraDbConfig = lib.mkOption {

     

       47
       47
       +
               type = lib.types.str;

     

       51
       48
        
               default = "";

     

       52
       49
        
               description = ''

     

       53
       50
        
                 Set contents of the files "KDB/DB_CONFIG" and "PTree/DB_CONFIG" within

     
···

       60
       57
        
               '';

     

       61
       58
        
             };

     

       62
       59
        
       

     

       63
       63
       -
             hkpAddress = mkOption {

     

       60
       60
       +
             hkpAddress = lib.mkOption {

     

       64
       61
        
               default = [

     

       65
       62
        
                 "127.0.0.1"

     

       66
       63
        
                 "::1"

     

       67
       64
        
               ];

     

       68
       68
       -
               type = types.listOf types.str;

     

       65
       65
       +
               type = lib.types.listOf lib.types.str;

     

       69
       66
        
               description = ''

     

       70
       67
        
                 Domain names, IPv4 and/or IPv6 addresses to listen on for HKP

     

       71
       68
        
                 requests.

     

       72
       69
        
               '';

     

       73
       70
        
             };

     

       74
       71
        
       

     

       75
       75
       -
             hkpPort = mkOption {

     

       72
       72
       +
             hkpPort = lib.mkOption {

     

       76
       73
        
               default = 11371;

     

       77
       77
       -
               type = types.ints.u16;

     

       74
       74
       +
               type = lib.types.ints.u16;

     

       78
       75
        
               description = "HKP port to listen on.";

     

       79
       76
        
             };

     

       80
       77
        
       

     

       81
       81
       -
             webroot = mkOption {

     

       82
       82
       -
               type = types.nullOr types.path;

     

       78
       78
       +
             webroot = lib.mkOption {

     

       79
       79
       +
               type = lib.types.nullOr lib.types.path;

     

       83
       80
        
               default = "${sksPkg.webSamples}/OpenPKG";

     

       84
       84
       -
               defaultText = literalExpression ''"''${package.webSamples}/OpenPKG"'';

     

       81
       81
       +
               defaultText = lib.literalExpression ''"''${package.webSamples}/OpenPKG"'';

     

       85
       82
        
               description = ''

     

       86
       83
        
                 Source directory (will be symlinked, if not null) for the files the

     

       87
       84
        
                 built-in webserver should serve. SKS (''${pkgs.sks.webSamples})

     
···

       96
       93
        
           };

     

       97
       94
        
         };

     

       98
       95
        
       

     

       99
       99
       -
         config = mkIf cfg.enable {

     

       96
       96
       +
         config = lib.mkIf cfg.enable {

     

       100
       97
        
       

     

       101
       98
        
           users = {

     

       102
       99
        
             users.sks = {

+25 -28

nixos/modules/services/security/sshguard.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.sshguard;

     

       12
       9
        
       

     
···

       19
       16
        
                 "-o cat"

     

       20
       17
        
                 "-n1"

     

       21
       18
        
               ]

     

       22
       22
       -
               ++ (map (name: "-t ${escapeShellArg name}") cfg.services)

     

       19
       19
       +
               ++ (map (name: "-t ${lib.escapeShellArg name}") cfg.services)

     

       23
       20
        
             );

     

       24
       21
        
             backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset";

     

       25
       22
        
           in

     
···

       36
       33
        
         options = {

     

       37
       34
        
       

     

       38
       35
        
           services.sshguard = {

     

       39
       39
       -
             enable = mkOption {

     

       36
       36
       +
             enable = lib.mkOption {

     

       40
       37
        
               default = false;

     

       41
       41
       -
               type = types.bool;

     

       38
       38
       +
               type = lib.types.bool;

     

       42
       39
        
               description = "Whether to enable the sshguard service.";

     

       43
       40
        
             };

     

       44
       41
        
       

     

       45
       45
       -
             attack_threshold = mkOption {

     

       42
       42
       +
             attack_threshold = lib.mkOption {

     

       46
       43
        
               default = 30;

     

       47
       47
       -
               type = types.int;

     

       44
       44
       +
               type = lib.types.int;

     

       48
       45
        
               description = ''

     

       49
       46
        
                 Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.

     

       50
       47
        
               '';

     

       51
       48
        
             };

     

       52
       49
        
       

     

       53
       53
       -
             blacklist_threshold = mkOption {

     

       50
       50
       +
             blacklist_threshold = lib.mkOption {

     

       54
       51
        
               default = null;

     

       55
       52
        
               example = 120;

     

       56
       56
       -
               type = types.nullOr types.int;

     

       53
       53
       +
               type = lib.types.nullOr lib.types.int;

     

       57
       54
        
               description = ''

     

       58
       55
        
                 Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.

     

       59
       56
        
               '';

     

       60
       57
        
             };

     

       61
       58
        
       

     

       62
       62
       -
             blacklist_file = mkOption {

     

       59
       59
       +
             blacklist_file = lib.mkOption {

     

       63
       60
        
               default = "/var/lib/sshguard/blacklist.db";

     

       64
       64
       -
               type = types.path;

     

       61
       61
       +
               type = lib.types.path;

     

       65
       62
        
               description = ''

     

       66
       63
        
                 Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.

     

       67
       64
        
               '';

     

       68
       65
        
             };

     

       69
       66
        
       

     

       70
       70
       -
             blocktime = mkOption {

     

       67
       67
       +
             blocktime = lib.mkOption {

     

       71
       68
        
               default = 120;

     

       72
       72
       -
               type = types.int;

     

       69
       69
       +
               type = lib.types.int;

     

       73
       70
        
               description = ''

     

       74
       71
        
                 Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.

     

       75
       72
        
       

     
···

       77
       74
        
               '';

     

       78
       75
        
             };

     

       79
       76
        
       

     

       80
       80
       -
             detection_time = mkOption {

     

       77
       77
       +
             detection_time = lib.mkOption {

     

       81
       78
        
               default = 1800;

     

       82
       82
       -
               type = types.int;

     

       79
       79
       +
               type = lib.types.int;

     

       83
       80
        
               description = ''

     

       84
       81
        
                 Remember potential attackers for up to detection_time seconds before resetting their score.

     

       85
       82
        
               '';

     

       86
       83
        
             };

     

       87
       84
        
       

     

       88
       88
       -
             whitelist = mkOption {

     

       85
       85
       +
             whitelist = lib.mkOption {

     

       89
       86
        
               default = [ ];

     

       90
       87
        
               example = [

     

       91
       88
        
                 "198.51.100.56"

     

       92
       89
        
                 "198.51.100.2"

     

       93
       90
        
               ];

     

       94
       94
       -
               type = types.listOf types.str;

     

       91
       91
       +
               type = lib.types.listOf lib.types.str;

     

       95
       92
        
               description = ''

     

       96
       93
        
                 Whitelist a list of addresses, hostnames, or address blocks.

     

       97
       94
        
               '';

     

       98
       95
        
             };

     

       99
       96
        
       

     

       100
       100
       -
             services = mkOption {

     

       97
       97
       +
             services = lib.mkOption {

     

       101
       98
        
               default = [ "sshd" ];

     

       102
       99
        
               example = [

     

       103
       100
        
                 "sshd"

     

       104
       101
        
                 "exim"

     

       105
       102
        
               ];

     

       106
       106
       -
               type = types.listOf types.str;

     

       103
       103
       +
               type = lib.types.listOf lib.types.str;

     

       107
       104
        
               description = ''

     

       108
       105
        
                 Systemd services sshguard should receive logs of.

     

       109
       106
        
               '';

     
···

       113
       110
        
       

     

       114
       111
        
         ###### implementation

     

       115
       112
        
       

     

       116
       116
       -
         config = mkIf cfg.enable {

     

       113
       113
       +
         config = lib.mkIf cfg.enable {

     

       117
       114
        
       

     

       118
       115
        
           environment.etc."sshguard.conf".source = configFile;

     

       119
       116
        
       

     
···

       122
       119
        
       

     

       123
       120
        
             wantedBy = [ "multi-user.target" ];

     

       124
       121
        
             after = [ "network.target" ];

     

       125
       125
       -
             partOf = optional config.networking.firewall.enable "firewall.service";

     

       122
       122
       +
             partOf = lib.optional config.networking.firewall.enable "firewall.service";

     

       126
       123
        
       

     

       127
       124
        
             restartTriggers = [ configFile ];

     

       128
       125
        
       

     
···

       149
       146
        
             # of the ipsets. So instead, we create both the ipsets and

     

       150
       147
        
             # firewall rules before sshguard starts.

     

       151
       148
        
             preStart =

     

       152
       152
       -
               optionalString config.networking.firewall.enable ''

     

       149
       149
       +
               lib.optionalString config.networking.firewall.enable ''

     

       153
       150
        
                 ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet

     

       154
       151
        
                 ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP

     

       155
       152
        
               ''

     

       156
       156
       -
               + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''

     

       153
       153
       +
               + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''

     

       157
       154
        
                 ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6

     

       158
       155
        
                 ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP

     

       159
       156
        
               '';

     

       160
       157
        
       

     

       161
       158
        
             postStop =

     

       162
       162
       -
               optionalString config.networking.firewall.enable ''

     

       159
       159
       +
               lib.optionalString config.networking.firewall.enable ''

     

       163
       160
        
                 ${pkgs.iptables}/bin/iptables  -D INPUT -m set --match-set sshguard4 src -j DROP

     

       164
       161
        
                 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4

     

       165
       162
        
               ''

     

       166
       166
       -
               + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''

     

       163
       163
       +
               + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''

     

       167
       164
        
                 ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP

     

       168
       165
        
                 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6

     

       169
       166
        
               '';

     
···

       179
       176
        
                       "-a ${toString cfg.attack_threshold}"

     

       180
       177
        
                       "-p ${toString cfg.blocktime}"

     

       181
       178
        
                       "-s ${toString cfg.detection_time}"

     

       182
       182
       -
                       (optionalString (

     

       179
       179
       +
                       (lib.optionalString (

     

       183
       180
        
                         cfg.blacklist_threshold != null

     

       184
       181
        
                       ) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")

     

       185
       182
        
                     ]

     

       186
       186
       -
                     ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)

     

       183
       183
       +
                     ++ (map (name: "-w ${lib.escapeShellArg name}") cfg.whitelist)

     

       187
       184
        
                   );

     

       188
       185
        
                 in

     

       189
       186
        
                 "${pkgs.sshguard}/bin/sshguard ${args}";

+2 -5

nixos/modules/services/security/sslmate-agent.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.sslmate-agent;

     

       12
       9
        
       

     
···

       16
       13
        
       

     

       17
       14
        
         options = {

     

       18
       15
        
           services.sslmate-agent = {

     

       19
       19
       -
             enable = mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server";

     

       16
       16
       +
             enable = lib.mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server";

     

       20
       17
        
           };

     

       21
       18
        
         };

     

       22
       19
        
       

     

       23
       23
       -
         config = mkIf cfg.enable {

     

       20
       20
       +
         config = lib.mkIf cfg.enable {

     

       24
       21
        
           environment.systemPackages = with pkgs; [ sslmate-agent ];

     

       25
       22
        
       

     

       26
       23
        
           systemd = {

+9 -10

nixos/modules/services/security/tang.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       with lib;

     

       8
       7
        
       let

     

       9
       8
        
         cfg = config.services.tang;

     

       10
       9
        
       in

     

       11
       10
        
       {

     

       12
       11
        
         options.services.tang = {

     

       13
       13
       -
           enable = mkEnableOption "tang";

     

       12
       12
       +
           enable = lib.mkEnableOption "tang";

     

       14
       13
        
       

     

       15
       15
       -
           package = mkOption {

     

       16
       16
       -
             type = types.package;

     

       14
       14
       +
           package = lib.mkOption {

     

       15
       15
       +
             type = lib.types.package;

     

       17
       16
        
             default = pkgs.tang;

     

       18
       18
       -
             defaultText = literalExpression "pkgs.tang";

     

       17
       17
       +
             defaultText = lib.literalExpression "pkgs.tang";

     

       19
       18
        
             description = "The tang package to use.";

     

       20
       19
        
           };

     

       21
       20
        
       

     

       22
       22
       -
           listenStream = mkOption {

     

       23
       23
       -
             type = with types; listOf str;

     

       21
       21
       +
           listenStream = lib.mkOption {

     

       22
       22
       +
             type = with lib.types; listOf str;

     

       24
       23
        
             default = [ "7654" ];

     

       25
       24
        
             example = [

     

       26
       25
        
               "198.168.100.1:7654"

     
···

       33
       32
        
             '';

     

       34
       33
        
           };

     

       35
       34
        
       

     

       36
       36
       -
           ipAddressAllow = mkOption {

     

       35
       35
       +
           ipAddressAllow = lib.mkOption {

     

       37
       36
        
             example = [ "192.168.1.0/24" ];

     

       38
       38
       -
             type = types.listOf types.str;

     

       37
       37
       +
             type = lib.types.listOf lib.types.str;

     

       39
       38
        
             description = ''

     

       40
       39
        
               Whitelist a list of address prefixes.

     

       41
       40
        
               Preferably, internal addresses should be used.

     
···

       43
       42
        
           };

     

       44
       43
        
       

     

       45
       44
        
         };

     

       46
       46
       -
         config = mkIf cfg.enable {

     

       45
       45
       +
         config = lib.mkIf cfg.enable {

     

       47
       46
        
           environment.systemPackages = [ cfg.package ];

     

       48
       47
        
       

     

       49
       48
        
           systemd.services."tangd@" = {

+145 -140

nixos/modules/services/security/tor.nix

···

       5
       5
        
         pkgs,

     

       6
       6
        
         ...

     

       7
       7
        
       }:

     

       8
       8
       -
       

     

       9
       8
        
       with builtins;

     

       10
       10
       -
       with lib;

     

       11
       11
       -
       

     

       12
       9
        
       let

     

       13
       10
        
         cfg = config.services.tor;

     

       14
       11
        
         opt = options.services.tor;

     
···

       44
       41
        
             ]);

     

       45
       42
        
         optionBool =

     

       46
       43
        
           optionName:

     

       47
       47
       -
           mkOption {

     

       48
       48
       -
             type = with types; nullOr bool;

     

       44
       44
       +
           lib.mkOption {

     

       45
       45
       +
             type = with lib.types; nullOr bool;

     

       49
       46
        
             default = null;

     

       50
       47
        
             description = (descriptionGeneric optionName);

     

       51
       48
        
           };

     

       52
       49
        
         optionInt =

     

       53
       50
        
           optionName:

     

       54
       54
       -
           mkOption {

     

       55
       55
       -
             type = with types; nullOr int;

     

       51
       51
       +
           lib.mkOption {

     

       52
       52
       +
             type = with lib.types; nullOr int;

     

       56
       53
        
             default = null;

     

       57
       54
        
             description = (descriptionGeneric optionName);

     

       58
       55
        
           };

     

       59
       56
        
         optionString =

     

       60
       57
        
           optionName:

     

       61
       61
       -
           mkOption {

     

       62
       62
       -
             type = with types; nullOr str;

     

       58
       58
       +
           lib.mkOption {

     

       59
       59
       +
             type = with lib.types; nullOr str;

     

       63
       60
        
             default = null;

     

       64
       61
        
             description = (descriptionGeneric optionName);

     

       65
       62
        
           };

     

       66
       63
        
         optionStrings =

     

       67
       64
        
           optionName:

     

       68
       68
       -
           mkOption {

     

       69
       69
       -
             type = with types; listOf str;

     

       65
       65
       +
           lib.mkOption {

     

       66
       66
       +
             type = with lib.types; listOf str;

     

       70
       67
        
             default = [ ];

     

       71
       68
        
             description = (descriptionGeneric optionName);

     

       72
       69
        
           };

     

       73
       73
       -
         optionAddress = mkOption {

     

       70
       70
       +
         optionAddress = lib.mkOption {

     

       74
       71
        
           type = with types; nullOr str;

     

       75
       72
        
           default = null;

     

       76
       73
        
           example = "0.0.0.0";

     
···

       78
       75
        
             IPv4 or IPv6 (if between brackets) address.

     

       79
       76
        
           '';

     

       80
       77
        
         };

     

       81
       81
       -
         optionUnix = mkOption {

     

       78
       78
       +
         optionUnix = lib.mkOption {

     

       82
       79
        
           type = with types; nullOr path;

     

       83
       80
        
           default = null;

     

       84
       81
        
           description = ''

     

       85
       82
        
             Unix domain socket path to use.

     

       86
       83
        
           '';

     

       87
       84
        
         };

     

       88
       88
       -
         optionPort = mkOption {

     

       85
       85
       +
         optionPort = lib.mkOption {

     

       89
       86
        
           type =

     

       90
       87
        
             with types;

     

       91
       88
        
             nullOr (oneOf [

     
···

       96
       93
        
         };

     

       97
       94
        
         optionPorts =

     

       98
       95
        
           optionName:

     

       99
       99
       -
           mkOption {

     

       100
       100
       -
             type = with types; listOf port;

     

       96
       96
       +
           lib.mkOption {

     

       97
       97
       +
             type = with lib.types; listOf port;

     

       101
       98
        
             default = [ ];

     

       102
       99
        
             description = (descriptionGeneric optionName);

     

       103
       100
        
           };

     

       104
       101
        
         optionIsolablePort =

     

       105
       105
       -
           with types;

     

       102
       102
       +
           with lib.types;

     

       106
       103
        
           oneOf [

     

       107
       104
        
             port

     

       108
       105
        
             (enum [ "auto" ])

     
···

       114
       111
        
                     addr = optionAddress;

     

       115
       112
        
                     port = optionPort;

     

       116
       113
        
                     flags = optionFlags;

     

       117
       117
       -
                     SessionGroup = mkOption {

     

       114
       114
       +
                     SessionGroup = lib.mkOption {

     

       118
       115
        
                       type = nullOr int;

     

       119
       116
        
                       default = null;

     

       120
       117
        
                     };

     

       121
       118
        
                   }

     

       122
       122
       -
                   // genAttrs isolateFlags (

     

       119
       119
       +
                   // lib.genAttrs isolateFlags (

     

       123
       120
        
                     name:

     

       124
       124
       -
                     mkOption {

     

       121
       121
       +
                     lib.mkOption {

     

       125
       122
        
                       type = types.bool;

     

       126
       123
        
                       default = false;

     

       127
       124
        
                     }

     
···

       136
       133
        
           ];

     

       137
       134
        
         optionIsolablePorts =

     

       138
       135
        
           optionName:

     

       139
       139
       -
           mkOption {

     

       136
       136
       +
           lib.mkOption {

     

       140
       137
        
             default = [ ];

     

       141
       141
       -
             type = with types; either optionIsolablePort (listOf optionIsolablePort);

     

       138
       138
       +
             type = with lib.types; either optionIsolablePort (listOf optionIsolablePort);

     

       142
       139
        
             description = (descriptionGeneric optionName);

     

       143
       140
        
           };

     

       144
       141
        
         isolateFlags = [

     
···

       171
       168
        
               "WorldWritable"

     

       172
       169
        
             ] ++ isolateFlags;

     

       173
       170
        
           in

     

       174
       174
       -
           with types;

     

       171
       171
       +
           with lib.types;

     

       175
       172
        
           oneOf [

     

       176
       173
        
             port

     

       177
       174
        
             (submodule (

     
···

       183
       180
        
                     addr = optionAddress;

     

       184
       181
        
                     port = optionPort;

     

       185
       182
        
                     flags = optionFlags;

     

       186
       186
       -
                     SessionGroup = mkOption {

     

       183
       183
       +
                     SessionGroup = lib.mkOption {

     

       187
       184
        
                       type = nullOr int;

     

       188
       185
        
                       default = null;

     

       189
       186
        
                     };

     

       190
       187
        
                   }

     

       191
       191
       -
                   // genAttrs flags (

     

       188
       188
       +
                   // lib.genAttrs flags (

     

       192
       189
        
                     name:

     

       193
       193
       -
                     mkOption {

     

       190
       190
       +
                     lib.mkOption {

     

       194
       191
        
                       type = types.bool;

     

       195
       192
        
                       default = false;

     

       196
       193
        
                     }

     

       197
       194
        
                   );

     

       198
       198
       -
                 config = mkIf doConfig {

     

       195
       195
       +
                 config = lib.mkIf doConfig {

     

       199
       196
        
                   # Only add flags in SOCKSPort to avoid duplicates

     

       200
       197
        
                   flags =

     

       201
       198
        
                     filter (name: config.${name} == true) flags

     
···

       204
       201
        
               }

     

       205
       202
        
             ))

     

       206
       203
        
           ];

     

       207
       207
       -
         optionFlags = mkOption {

     

       204
       204
       +
         optionFlags = lib.mkOption {

     

       208
       205
        
           type = with types; listOf str;

     

       209
       206
        
           default = [ ];

     

       210
       207
        
         };

     

       211
       208
        
         optionORPort =

     

       212
       209
        
           optionName:

     

       213
       213
       -
           mkOption {

     

       210
       210
       +
           lib.mkOption {

     

       214
       211
        
             default = [ ];

     

       215
       212
        
             example = 443;

     

       216
       213
        
             type =

     

       217
       217
       -
               with types;

     

       214
       214
       +
               with lib.types;

     

       218
       215
        
               oneOf [

     

       219
       216
        
                 port

     

       220
       217
        
                 (enum [ "auto" ])

     
···

       238
       235
        
                           port = optionPort;

     

       239
       236
        
                           flags = optionFlags;

     

       240
       237
        
                         }

     

       241
       241
       -
                         // genAttrs flags (

     

       238
       238
       +
                         // lib.genAttrs flags (

     

       242
       239
        
                           name:

     

       243
       243
       -
                           mkOption {

     

       240
       240
       +
                           lib.mkOption {

     

       244
       241
        
                             type = types.bool;

     

       245
       242
        
                             default = false;

     

       246
       243
        
                           }

     
···

       256
       253
        
           };

     

       257
       254
        
         optionBandwidth =

     

       258
       255
        
           optionName:

     

       259
       259
       -
           mkOption {

     

       260
       260
       -
             type = with types; nullOr (either int str);

     

       256
       256
       +
           lib.mkOption {

     

       257
       257
       +
             type = with lib.types; nullOr (either int str);

     

       261
       258
        
             default = null;

     

       262
       259
        
             description = (descriptionGeneric optionName);

     

       263
       260
        
           };

     

       264
       261
        
         optionPath =

     

       265
       262
        
           optionName:

     

       266
       266
       -
           mkOption {

     

       267
       267
       -
             type = with types; nullOr path;

     

       263
       263
       +
           lib.mkOption {

     

       264
       264
       +
             type = with lib.types; nullOr path;

     

       268
       265
        
             default = null;

     

       269
       266
        
             description = (descriptionGeneric optionName);

     

       270
       267
        
           };

     
···

       323
       320
        
       in

     

       324
       321
        
       {

     

       325
       322
        
         imports = [

     

       326
       326
       -
           (mkRenamedOptionModule

     

       323
       323
       +
           (lib.mkRenamedOptionModule

     

       327
       324
        
             [ "services" "tor" "client" "dns" "automapHostsSuffixes" ]

     

       328
       325
        
             [ "services" "tor" "settings" "AutomapHostsSuffixes" ]

     

       329
       326
        
           )

     

       330
       330
       -
           (mkRemovedOptionModule [

     

       327
       327
       +
           (lib.mkRemovedOptionModule [

     

       331
       328
        
             "services"

     

       332
       329
        
             "tor"

     

       333
       330
        
             "client"

     

       334
       331
        
             "dns"

     

       335
       332
        
             "isolationOptions"

     

       336
       333
        
           ] "Use services.tor.settings.DNSPort instead.")

     

       337
       337
       -
           (mkRemovedOptionModule [

     

       334
       334
       +
           (lib.mkRemovedOptionModule [

     

       338
       335
        
             "services"

     

       339
       336
        
             "tor"

     

       340
       337
        
             "client"

     

       341
       338
        
             "dns"

     

       342
       339
        
             "listenAddress"

     

       343
       340
        
           ] "Use services.tor.settings.DNSPort instead.")

     

       344
       344
       -
           (mkRemovedOptionModule [

     

       341
       341
       +
           (lib.mkRemovedOptionModule [

     

       345
       342
        
             "services"

     

       346
       343
        
             "tor"

     

       347
       344
        
             "client"

     

       348
       345
        
             "privoxy"

     

       349
       346
        
             "enable"

     

       350
       347
        
           ] "Use services.privoxy.enable and services.privoxy.enableTor instead.")

     

       351
       351
       -
           (mkRemovedOptionModule [

     

       348
       348
       +
           (lib.mkRemovedOptionModule [

     

       352
       349
        
             "services"

     

       353
       350
        
             "tor"

     

       354
       351
        
             "client"

     

       355
       352
        
             "socksIsolationOptions"

     

       356
       353
        
           ] "Use services.tor.settings.SOCKSPort instead.")

     

       357
       357
       -
           (mkRemovedOptionModule [

     

       354
       354
       +
           (lib.mkRemovedOptionModule [

     

       358
       355
        
             "services"

     

       359
       356
        
             "tor"

     

       360
       357
        
             "client"

     

       361
       358
        
             "socksListenAddressFaster"

     

       362
       359
        
           ] "Use services.tor.settings.SOCKSPort instead.")

     

       363
       363
       -
           (mkRenamedOptionModule

     

       360
       360
       +
           (lib.mkRenamedOptionModule

     

       364
       361
        
             [ "services" "tor" "client" "socksPolicy" ]

     

       365
       362
        
             [ "services" "tor" "settings" "SocksPolicy" ]

     

       366
       363
        
           )

     

       367
       367
       -
           (mkRemovedOptionModule [

     

       364
       364
       +
           (lib.mkRemovedOptionModule [

     

       368
       365
        
             "services"

     

       369
       366
        
             "tor"

     

       370
       367
        
             "client"

     

       371
       368
        
             "transparentProxy"

     

       372
       369
        
             "isolationOptions"

     

       373
       370
        
           ] "Use services.tor.settings.TransPort instead.")

     

       374
       374
       -
           (mkRemovedOptionModule [

     

       371
       371
       +
           (lib.mkRemovedOptionModule [

     

       375
       372
        
             "services"

     

       376
       373
        
             "tor"

     

       377
       374
        
             "client"

     

       378
       375
        
             "transparentProxy"

     

       379
       376
        
             "listenAddress"

     

       380
       377
        
           ] "Use services.tor.settings.TransPort instead.")

     

       381
       381
       -
           (mkRenamedOptionModule

     

       378
       378
       +
           (lib.mkRenamedOptionModule

     

       382
       379
        
             [ "services" "tor" "controlPort" ]

     

       383
       380
        
             [ "services" "tor" "settings" "ControlPort" ]

     

       384
       381
        
           )

     

       385
       385
       -
           (mkRemovedOptionModule [

     

       382
       382
       +
           (lib.mkRemovedOptionModule [

     

       386
       383
        
             "services"

     

       387
       384
        
             "tor"

     

       388
       385
        
             "extraConfig"

     

       389
       386
        
           ] "Please use services.tor.settings instead.")

     

       390
       390
       -
           (mkRenamedOptionModule

     

       387
       387
       +
           (lib.mkRenamedOptionModule

     

       391
       388
        
             [ "services" "tor" "hiddenServices" ]

     

       392
       389
        
             [ "services" "tor" "relay" "onionServices" ]

     

       393
       390
        
           )

     

       394
       394
       -
           (mkRenamedOptionModule

     

       391
       391
       +
           (lib.mkRenamedOptionModule

     

       395
       392
        
             [ "services" "tor" "relay" "accountingMax" ]

     

       396
       393
        
             [ "services" "tor" "settings" "AccountingMax" ]

     

       397
       394
        
           )

     

       398
       398
       -
           (mkRenamedOptionModule

     

       395
       395
       +
           (lib.mkRenamedOptionModule

     

       399
       396
        
             [ "services" "tor" "relay" "accountingStart" ]

     

       400
       397
        
             [ "services" "tor" "settings" "AccountingStart" ]

     

       401
       398
        
           )

     

       402
       402
       -
           (mkRenamedOptionModule

     

       399
       399
       +
           (lib.mkRenamedOptionModule

     

       403
       400
        
             [ "services" "tor" "relay" "address" ]

     

       404
       401
        
             [ "services" "tor" "settings" "Address" ]

     

       405
       402
        
           )

     

       406
       406
       -
           (mkRenamedOptionModule

     

       403
       403
       +
           (lib.mkRenamedOptionModule

     

       407
       404
        
             [ "services" "tor" "relay" "bandwidthBurst" ]

     

       408
       405
        
             [ "services" "tor" "settings" "BandwidthBurst" ]

     

       409
       406
        
           )

     

       410
       410
       -
           (mkRenamedOptionModule

     

       407
       407
       +
           (lib.mkRenamedOptionModule

     

       411
       408
        
             [ "services" "tor" "relay" "bandwidthRate" ]

     

       412
       409
        
             [ "services" "tor" "settings" "BandwidthRate" ]

     

       413
       410
        
           )

     

       414
       414
       -
           (mkRenamedOptionModule

     

       411
       411
       +
           (lib.mkRenamedOptionModule

     

       415
       412
        
             [ "services" "tor" "relay" "bridgeTransports" ]

     

       416
       413
        
             [ "services" "tor" "settings" "ServerTransportPlugin" "transports" ]

     

       417
       414
        
           )

     

       418
       418
       -
           (mkRenamedOptionModule

     

       415
       415
       +
           (lib.mkRenamedOptionModule

     

       419
       416
        
             [ "services" "tor" "relay" "contactInfo" ]

     

       420
       417
        
             [ "services" "tor" "settings" "ContactInfo" ]

     

       421
       418
        
           )

     

       422
       422
       -
           (mkRenamedOptionModule

     

       419
       419
       +
           (lib.mkRenamedOptionModule

     

       423
       420
        
             [ "services" "tor" "relay" "exitPolicy" ]

     

       424
       421
        
             [ "services" "tor" "settings" "ExitPolicy" ]

     

       425
       422
        
           )

     

       426
       426
       -
           (mkRemovedOptionModule [

     

       423
       423
       +
           (lib.mkRemovedOptionModule [

     

       427
       424
        
             "services"

     

       428
       425
        
             "tor"

     

       429
       426
        
             "relay"

     

       430
       427
        
             "isBridge"

     

       431
       428
        
           ] "Use services.tor.relay.role instead.")

     

       432
       432
       -
           (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.")

     

       433
       433
       -
           (mkRenamedOptionModule

     

       429
       429
       +
           (lib.mkRemovedOptionModule [

     

       430
       430
       +
             "services"

     

       431
       431
       +
             "tor"

     

       432
       432
       +
             "relay"

     

       433
       433
       +
             "isExit"

     

       434
       434
       +
           ] "Use services.tor.relay.role instead.")

     

       435
       435
       +
           (lib.mkRenamedOptionModule

     

       434
       436
        
             [ "services" "tor" "relay" "nickname" ]

     

       435
       437
        
             [ "services" "tor" "settings" "Nickname" ]

     

       436
       438
        
           )

     

       437
       437
       -
           (mkRenamedOptionModule [ "services" "tor" "relay" "port" ] [ "services" "tor" "settings" "ORPort" ])

     

       438
       438
       -
           (mkRenamedOptionModule

     

       439
       439
       +
           (lib.mkRenamedOptionModule

     

       440
       440
       +
             [ "services" "tor" "relay" "port" ]

     

       441
       441
       +
             [ "services" "tor" "settings" "ORPort" ]

     

       442
       442
       +
           )

     

       443
       443
       +
           (lib.mkRenamedOptionModule

     

       439
       444
        
             [ "services" "tor" "relay" "portSpec" ]

     

       440
       445
        
             [ "services" "tor" "settings" "ORPort" ]

     

       441
       446
        
           )

     
···

       443
       448
        
       

     

       444
       449
        
         options = {

     

       445
       450
        
           services.tor = {

     

       446
       446
       -
             enable = mkEnableOption ''

     

       451
       451
       +
             enable = lib.mkEnableOption ''

     

       447
       452
        
               Tor daemon.

     

       448
       453
        
                       By default, the daemon is run without

     

       449
       454
        
                       relay, exit, bridge or client connectivity'';

     

       450
       455
        
       

     

       451
       451
       -
             openFirewall = mkEnableOption "opening of the relay port(s) in the firewall";

     

       456
       456
       +
             openFirewall = lib.mkEnableOption "opening of the relay port(s) in the firewall";

     

       452
       457
        
       

     

       453
       453
       -
             package = mkPackageOption pkgs "tor" { };

     

       458
       458
       +
             package = lib.mkPackageOption pkgs "tor" { };

     

       454
       459
        
       

     

       455
       460
        
             enableGeoIP =

     

       456
       456
       -
               mkEnableOption ''

     

       461
       461
       +
               lib.mkEnableOption ''

     

       457
       462
        
                 use of GeoIP databases.

     

       458
       463
        
                         Disabling this will disable by-country statistics for bridges and relays

     

       459
       464
        
                         and some client and third-party software functionality''

     
···

       461
       466
        
                 default = true;

     

       462
       467
        
               };

     

       463
       468
        
       

     

       464
       464
       -
             controlSocket.enable = mkEnableOption ''

     

       469
       469
       +
             controlSocket.enable = lib.mkEnableOption ''

     

       465
       470
        
               control socket,

     

       466
       471
        
                       created in `${runDir}/control`'';

     

       467
       472
        
       

     

       468
       473
        
             client = {

     

       469
       469
       -
               enable = mkEnableOption ''

     

       474
       474
       +
               enable = lib.mkEnableOption ''

     

       470
       475
        
                 the routing of application connections.

     

       471
       476
        
                           You might want to disable this if you plan running a dedicated Tor relay'';

     

       472
       477
        
       

     

       473
       473
       -
               transparentProxy.enable = mkEnableOption "transparent proxy";

     

       474
       474
       -
               dns.enable = mkEnableOption "DNS resolver";

     

       478
       478
       +
               transparentProxy.enable = lib.mkEnableOption "transparent proxy";

     

       479
       479
       +
               dns.enable = lib.mkEnableOption "DNS resolver";

     

       475
       480
        
       

     

       476
       476
       -
               socksListenAddress = mkOption {

     

       481
       481
       +
               socksListenAddress = lib.mkOption {

     

       477
       482
        
                 type = optionSOCKSPort false;

     

       478
       483
        
                 default = {

     

       479
       484
        
                   addr = "127.0.0.1";

     
···

       491
       496
        
                 '';

     

       492
       497
        
               };

     

       493
       498
        
       

     

       494
       494
       -
               onionServices = mkOption {

     

       499
       499
       +
               onionServices = lib.mkOption {

     

       495
       500
        
                 description = (descriptionGeneric "HiddenServiceDir");

     

       496
       501
        
                 default = { };

     

       497
       502
        
                 example = {

     
···

       499
       504
        
                     clientAuthorizations = [ "/run/keys/tor/alice.prv.x25519" ];

     

       500
       505
        
                   };

     

       501
       506
        
                 };

     

       502
       502
       -
                 type = types.attrsOf (

     

       503
       503
       -
                   types.submodule (

     

       507
       507
       +
                 type = lib.types.attrsOf (

     

       508
       508
       +
                   lib.types.submodule (

     

       504
       509
        
                     { name, config, ... }:

     

       505
       510
        
                     {

     

       506
       506
       -
                       options.clientAuthorizations = mkOption {

     

       511
       511
       +
                       options.clientAuthorizations = lib.mkOption {

     

       507
       512
        
                         description = ''

     

       508
       513
        
                           Clients' authorizations for a v3 onion service,

     

       509
       514
        
                           as a list of files containing each one private key, in the format:

     
···

       512
       517
        
                           ```

     

       513
       518
        
                           ${descriptionGeneric "_client_authorization"}

     

       514
       519
        
                         '';

     

       515
       515
       -
                         type = with types; listOf path;

     

       520
       520
       +
                         type = with lib.types; listOf path;

     

       516
       521
        
                         default = [ ];

     

       517
       522
        
                         example = [ "/run/keys/tor/alice.prv.x25519" ];

     

       518
       523
        
                       };

     
···

       523
       528
        
             };

     

       524
       529
        
       

     

       525
       530
        
             relay = {

     

       526
       526
       -
               enable = mkEnableOption "tor relaying" // {

     

       531
       531
       +
               enable = lib.mkEnableOption "tor relaying" // {

     

       527
       532
        
                 description = ''

     

       528
       533
        
                   Whether to enable relaying of Tor traffic for others.

     

       529
       534
        
       

     
···

       538
       543
        
                 '';

     

       539
       544
        
               };

     

       540
       545
        
       

     

       541
       541
       -
               role = mkOption {

     

       542
       542
       -
                 type = types.enum [

     

       546
       546
       +
               role = lib.mkOption {

     

       547
       547
       +
                 type = lib.types.enum [

     

       543
       548
        
                   "exit"

     

       544
       549
        
                   "relay"

     

       545
       550
        
                   "bridge"

     
···

       629
       634
        
                 '';

     

       630
       635
        
               };

     

       631
       636
        
       

     

       632
       632
       -
               onionServices = mkOption {

     

       637
       637
       +
               onionServices = lib.mkOption {

     

       633
       638
        
                 description = (descriptionGeneric "HiddenServiceDir");

     

       634
       639
        
                 default = { };

     

       635
       640
        
                 example = {

     
···

       640
       645
        
                     ];

     

       641
       646
        
                   };

     

       642
       647
        
                 };

     

       643
       643
       -
                 type = types.attrsOf (

     

       644
       644
       -
                   types.submodule (

     

       648
       648
       +
                 type = lib.types.attrsOf (

     

       649
       649
       +
                   lib.types.submodule (

     

       645
       650
        
                     { name, config, ... }:

     

       646
       651
        
                     {

     

       647
       647
       -
                       options.path = mkOption {

     

       648
       648
       -
                         type = types.path;

     

       652
       652
       +
                       options.path = lib.mkOption {

     

       653
       653
       +
                         type = lib.types.path;

     

       649
       654
        
                         description = ''

     

       650
       655
        
                           Path where to store the data files of the hidden service.

     

       651
       656
        
                           If the {option}`secretKey` is null

     
···

       653
       658
        
                           otherwise to `${runDir}/onion/$onion`.

     

       654
       659
        
                         '';

     

       655
       660
        
                       };

     

       656
       656
       -
                       options.secretKey = mkOption {

     

       657
       657
       -
                         type = with types; nullOr path;

     

       661
       661
       +
                       options.secretKey = lib.mkOption {

     

       662
       662
       +
                         type = with lib.types; nullOr path;

     

       658
       663
        
                         default = null;

     

       659
       664
        
                         example = "/run/keys/tor/onion/expyuzz4wqqyqhjn/hs_ed25519_secret_key";

     

       660
       665
        
                         description = ''

     
···

       665
       670
        
                           from this file if they do not exist.

     

       666
       671
        
                         '';

     

       667
       672
        
                       };

     

       668
       668
       -
                       options.authorizeClient = mkOption {

     

       673
       673
       +
                       options.authorizeClient = lib.mkOption {

     

       669
       674
        
                         description = (descriptionGeneric "HiddenServiceAuthorizeClient");

     

       670
       675
        
                         default = null;

     

       671
       671
       -
                         type = types.nullOr (

     

       672
       672
       -
                           types.submodule (

     

       676
       676
       +
                         type = lib.types.nullOr (

     

       677
       677
       +
                           lib.types.submodule (

     

       673
       678
        
                             { ... }:

     

       674
       679
        
                             {

     

       675
       680
        
                               options = {

     

       676
       676
       -
                                 authType = mkOption {

     

       677
       677
       -
                                   type = types.enum [

     

       681
       681
       +
                                 authType = lib.mkOption {

     

       682
       682
       +
                                   type = lib.types.enum [

     

       678
       683
        
                                     "basic"

     

       679
       684
        
                                     "stealth"

     

       680
       685
        
                                   ];

     
···

       684
       689
        
                                     that also hides service activity from unauthorized clients.

     

       685
       690
        
                                   '';

     

       686
       691
        
                                 };

     

       687
       687
       -
                                 clientNames = mkOption {

     

       688
       688
       -
                                   type = with types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+");

     

       692
       692
       +
                                 clientNames = lib.mkOption {

     

       693
       693
       +
                                   type = with lib.types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+");

     

       689
       694
        
                                   description = ''

     

       690
       695
        
                                     Only clients that are listed here are authorized to access the hidden service.

     

       691
       696
        
                                     Generated authorization data can be found in {file}`${stateDir}/onion/$name/hostname`.

     
···

       698
       703
        
                           )

     

       699
       704
        
                         );

     

       700
       705
        
                       };

     

       701
       701
       -
                       options.authorizedClients = mkOption {

     

       706
       706
       +
                       options.authorizedClients = lib.mkOption {

     

       702
       707
        
                         description = ''

     

       703
       708
        
                           Authorized clients for a v3 onion service,

     

       704
       709
        
                           as a list of public key, in the format:

     
···

       707
       712
        
                           ```

     

       708
       713
        
                           ${descriptionGeneric "_client_authorization"}

     

       709
       714
        
                         '';

     

       710
       710
       -
                         type = with types; listOf str;

     

       715
       715
       +
                         type = with lib.types; listOf str;

     

       711
       716
        
                         default = [ ];

     

       712
       717
        
                         example = [ "descriptor:x25519:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ];

     

       713
       718
        
                       };

     

       714
       714
       -
                       options.map = mkOption {

     

       719
       719
       +
                       options.map = lib.mkOption {

     

       715
       720
        
                         description = (descriptionGeneric "HiddenServicePort");

     

       716
       721
        
                         type =

     

       717
       717
       -
                           with types;

     

       722
       722
       +
                           with lib.types;

     

       718
       723
        
                           listOf (oneOf [

     

       719
       724
        
                             port

     

       720
       725
        
                             (submodule (

     
···

       722
       727
        
                               {

     

       723
       728
        
                                 options = {

     

       724
       729
        
                                   port = optionPort;

     

       725
       725
       -
                                   target = mkOption {

     

       730
       730
       +
                                   target = lib.mkOption {

     

       726
       731
        
                                     default = null;

     

       727
       732
        
                                     type = nullOr (

     

       728
       733
        
                                       submodule (

     
···

       752
       757
        
                             v

     

       753
       758
        
                         );

     

       754
       759
        
                       };

     

       755
       755
       -
                       options.version = mkOption {

     

       760
       760
       +
                       options.version = lib.mkOption {

     

       756
       761
        
                         description = (descriptionGeneric "HiddenServiceVersion");

     

       757
       762
        
                         type =

     

       758
       758
       -
                           with types;

     

       763
       763
       +
                           with lib.types;

     

       759
       764
        
                           nullOr (enum [

     

       760
       765
        
                             2

     

       761
       766
        
                             3

     

       762
       767
        
                           ]);

     

       763
       768
        
                         default = null;

     

       764
       769
        
                       };

     

       765
       765
       -
                       options.settings = mkOption {

     

       770
       770
       +
                       options.settings = lib.mkOption {

     

       766
       771
        
                         description = ''

     

       767
       772
        
                           Settings of the onion service.

     

       768
       773
        
                           ${descriptionGeneric "_hidden_service_options"}

     

       769
       774
        
                         '';

     

       770
       775
        
                         default = { };

     

       771
       771
       -
                         type = types.submodule {

     

       776
       776
       +
                         type = lib.types.submodule {

     

       772
       777
        
                           freeformType =

     

       773
       773
       -
                             with types;

     

       778
       778
       +
                             with lib.types;

     

       774
       779
        
                             (attrsOf (

     

       775
       780
        
                               nullOr (oneOf [

     

       776
       781
        
                                 str

     
···

       784
       789
        
                             };

     

       785
       790
        
                           options.HiddenServiceAllowUnknownPorts = optionBool "HiddenServiceAllowUnknownPorts";

     

       786
       791
        
                           options.HiddenServiceDirGroupReadable = optionBool "HiddenServiceDirGroupReadable";

     

       787
       787
       -
                           options.HiddenServiceExportCircuitID = mkOption {

     

       792
       792
       +
                           options.HiddenServiceExportCircuitID = lib.mkOption {

     

       788
       793
        
                             description = (descriptionGeneric "HiddenServiceExportCircuitID");

     

       789
       789
       -
                             type = with types; nullOr (enum [ "haproxy" ]);

     

       794
       794
       +
                             type = with lib.types; nullOr (enum [ "haproxy" ]);

     

       790
       795
        
                             default = null;

     

       791
       796
        
                           };

     

       792
       792
       -
                           options.HiddenServiceMaxStreams = mkOption {

     

       797
       797
       +
                           options.HiddenServiceMaxStreams = lib.mkOption {

     

       793
       798
        
                             description = (descriptionGeneric "HiddenServiceMaxStreams");

     

       794
       794
       -
                             type = with types; nullOr (ints.between 0 65535);

     

       799
       799
       +
                             type = with lib.types; nullOr (ints.between 0 65535);

     

       795
       800
        
                             default = null;

     

       796
       801
        
                           };

     

       797
       802
        
                           options.HiddenServiceMaxStreamsCloseCircuit = optionBool "HiddenServiceMaxStreamsCloseCircuit";

     

       798
       798
       -
                           options.HiddenServiceNumIntroductionPoints = mkOption {

     

       803
       803
       +
                           options.HiddenServiceNumIntroductionPoints = lib.mkOption {

     

       799
       804
        
                             description = (descriptionGeneric "HiddenServiceNumIntroductionPoints");

     

       800
       800
       -
                             type = with types; nullOr (ints.between 0 20);

     

       805
       805
       +
                             type = with lib.types; nullOr (ints.between 0 20);

     

       801
       806
        
                             default = null;

     

       802
       807
        
                           };

     

       803
       808
        
                           options.HiddenServiceSingleHopMode = optionBool "HiddenServiceSingleHopMode";

     
···

       822
       827
        
               };

     

       823
       828
        
             };

     

       824
       829
        
       

     

       825
       825
       -
             settings = mkOption {

     

       830
       830
       +
             settings = lib.mkOption {

     

       826
       831
        
               description = ''

     

       827
       832
        
                 See [torrc manual](https://2019.www.torproject.org/docs/tor-manual.html.en)

     

       828
       833
        
                 for documentation.

     

       829
       834
        
               '';

     

       830
       835
        
               default = { };

     

       831
       831
       -
               type = types.submodule {

     

       836
       836
       +
               type = lib.types.submodule {

     

       832
       837
        
                 freeformType =

     

       833
       833
       -
                   with types;

     

       838
       838
       +
                   with lib.types;

     

       834
       839
        
                   (attrsOf (

     

       835
       840
        
                     nullOr (oneOf [

     

       836
       841
        
                       str

     
···

       872
       877
        
                 options.CellStatistics = optionBool "CellStatistics";

     

       873
       878
        
                 options.ClientAutoIPv6ORPort = optionBool "ClientAutoIPv6ORPort";

     

       874
       879
        
                 options.ClientDNSRejectInternalAddresses = optionBool "ClientDNSRejectInternalAddresses";

     

       875
       875
       -
                 options.ClientOnionAuthDir = mkOption {

     

       880
       880
       +
                 options.ClientOnionAuthDir = lib.mkOption {

     

       876
       881
        
                   description = (descriptionGeneric "ClientOnionAuthDir");

     

       877
       882
        
                   default = null;

     

       878
       878
       -
                   type = with types; nullOr path;

     

       883
       883
       +
                   type = with lib.types; nullOr path;

     

       879
       884
        
                 };

     

       880
       885
        
                 options.ClientPreferIPv6DirPort = optionBool "ClientPreferIPv6DirPort"; # default is null and like "auto"

     

       881
       886
        
                 options.ClientPreferIPv6ORPort = optionBool "ClientPreferIPv6ORPort"; # default is null and like "auto"

     
···

       885
       890
        
                 options.ConnDirectionStatistics = optionBool "ConnDirectionStatistics";

     

       886
       891
        
                 options.ConstrainedSockets = optionBool "ConstrainedSockets";

     

       887
       892
        
                 options.ContactInfo = optionString "ContactInfo";

     

       888
       888
       -
                 options.ControlPort = mkOption rec {

     

       893
       893
       +
                 options.ControlPort = lib.mkOption rec {

     

       889
       894
        
                   description = (descriptionGeneric "ControlPort");

     

       890
       895
        
                   default = [ ];

     

       891
       896
        
                   example = [ { port = 9051; } ];

     

       892
       897
        
                   type =

     

       893
       893
       -
                     with types;

     

       898
       898
       +
                     with lib.types;

     

       894
       899
        
                     oneOf [

     

       895
       900
        
                       port

     

       896
       901
        
                       (enum [ "auto" ])

     
···

       914
       919
        
                                 addr = optionAddress;

     

       915
       920
        
                                 port = optionPort;

     

       916
       921
        
                               }

     

       917
       917
       -
                               // genAttrs flags (

     

       922
       922
       +
                               // lib.genAttrs flags (

     

       918
       923
        
                                 name:

     

       919
       919
       -
                                 mkOption {

     

       924
       924
       +
                                 lib.mkOption {

     

       920
       925
        
                                   type = types.bool;

     

       921
       926
        
                                   default = false;

     

       922
       927
        
                                 }

     
···

       946
       951
        
                 options.DormantOnFirstStartup = optionBool "DormantOnFirstStartup";

     

       947
       952
        
                 options.DormantTimeoutDisabledByIdleStreams = optionBool "DormantTimeoutDisabledByIdleStreams";

     

       948
       953
        
                 options.DirCache = optionBool "DirCache";

     

       949
       949
       -
                 options.DirPolicy = mkOption {

     

       954
       954
       +
                 options.DirPolicy = lib.mkOption {

     

       950
       955
        
                   description = (descriptionGeneric "DirPolicy");

     

       951
       951
       -
                   type = with types; listOf str;

     

       956
       956
       +
                   type = with lib.types; listOf str;

     

       952
       957
        
                   default = [ ];

     

       953
       958
        
                   example = [ "accept *:*" ];

     

       954
       959
        
                 };

     
···

       973
       978
        
                 options.ExitPolicyRejectPrivate = optionBool "ExitPolicyRejectPrivate";

     

       974
       979
        
                 options.ExitPortStatistics = optionBool "ExitPortStatistics";

     

       975
       980
        
                 options.ExitRelay = optionBool "ExitRelay"; # default is null and like "auto"

     

       976
       976
       -
                 options.ExtORPort = mkOption {

     

       981
       981
       +
                 options.ExtORPort = lib.mkOption {

     

       977
       982
        
                   description = (descriptionGeneric "ExtORPort");

     

       978
       983
        
                   default = null;

     

       979
       984
        
                   type =

     

       980
       980
       -
                     with types;

     

       985
       985
       +
                     with lib.types;

     

       981
       986
        
                     nullOr (oneOf [

     

       982
       987
        
                       port

     

       983
       988
        
                       (enum [ "auto" ])

     
···

       1009
       1014
        
                 options.GeoIPFile = optionPath "GeoIPFile";

     

       1010
       1015
        
                 options.GeoIPv6File = optionPath "GeoIPv6File";

     

       1011
       1016
        
                 options.GuardfractionFile = optionPath "GuardfractionFile";

     

       1012
       1012
       -
                 options.HidServAuth = mkOption {

     

       1017
       1017
       +
                 options.HidServAuth = lib.mkOption {

     

       1013
       1018
        
                   description = (descriptionGeneric "HidServAuth");

     

       1014
       1019
        
                   default = [ ];

     

       1015
       1020
        
                   type =

     

       1016
       1016
       -
                     with types;

     

       1021
       1021
       +
                     with lib.types;

     

       1017
       1022
        
                     listOf (oneOf [

     

       1018
       1023
        
                       (submodule {

     

       1019
       1024
        
                         options = {

     

       1020
       1020
       -
                           onion = mkOption {

     

       1025
       1025
       +
                           onion = lib.mkOption {

     

       1021
       1026
        
                             type = strMatching "[a-z2-7]{16}\\.onion";

     

       1022
       1027
        
                             description = "Onion address.";

     

       1023
       1028
        
                             example = "xxxxxxxxxxxxxxxx.onion";

     

       1024
       1029
        
                           };

     

       1025
       1025
       -
                           auth = mkOption {

     

       1030
       1030
       +
                           auth = lib.mkOption {

     

       1026
       1031
        
                             type = strMatching "[A-Za-z0-9+/]{22}";

     

       1027
       1032
        
                             description = "Authentication cookie.";

     

       1028
       1033
        
                           };

     
···

       1062
       1067
        
                 options.PidFile = optionPath "PidFile";

     

       1063
       1068
        
                 options.ProtocolWarnings = optionBool "ProtocolWarnings";

     

       1064
       1069
        
                 options.PublishHidServDescriptors = optionBool "PublishHidServDescriptors";

     

       1065
       1065
       -
                 options.PublishServerDescriptor = mkOption {

     

       1070
       1070
       +
                 options.PublishServerDescriptor = lib.mkOption {

     

       1066
       1071
        
                   description = (descriptionGeneric "PublishServerDescriptor");

     

       1067
       1072
        
                   type =

     

       1068
       1068
       -
                     with types;

     

       1073
       1073
       +
                     with lib.types;

     

       1069
       1074
        
                     nullOr (enum [

     

       1070
       1075
        
                       false

     

       1071
       1076
        
                       true

     
···

       1091
       1096
        
                 options.ServerDNSRandomizeCase = optionBool "ServerDNSRandomizeCase";

     

       1092
       1097
        
                 options.ServerDNSResolvConfFile = optionPath "ServerDNSResolvConfFile";

     

       1093
       1098
        
                 options.ServerDNSSearchDomains = optionBool "ServerDNSSearchDomains";

     

       1094
       1094
       -
                 options.ServerTransportPlugin = mkOption {

     

       1099
       1099
       +
                 options.ServerTransportPlugin = lib.mkOption {

     

       1095
       1100
        
                   description = (descriptionGeneric "ServerTransportPlugin");

     

       1096
       1101
        
                   default = null;

     

       1097
       1102
        
                   type =

     

       1098
       1098
       -
                     with types;

     

       1103
       1103
       +
                     with lib.types;

     

       1099
       1104
        
                     nullOr (

     

       1100
       1105
        
                       submodule (

     

       1101
       1106
        
                         { ... }:

     

       1102
       1107
        
                         {

     

       1103
       1108
        
                           options = {

     

       1104
       1104
       -
                             transports = mkOption {

     

       1109
       1109
       +
                             transports = lib.mkOption {

     

       1105
       1110
        
                               description = "List of pluggable transports.";

     

       1106
       1111
        
                               type = listOf str;

     

       1107
       1112
        
                               example = [

     
···

       1111
       1116
        
                                 "scramblesuit"

     

       1112
       1117
        
                               ];

     

       1113
       1118
        
                             };

     

       1114
       1114
       -
                             exec = mkOption {

     

       1119
       1119
       +
                             exec = lib.mkOption {

     

       1115
       1120
        
                               type = types.str;

     

       1116
       1121
        
                               description = "Command of pluggable transport.";

     

       1117
       1122
        
                             };

     
···

       1120
       1125
        
                       )

     

       1121
       1126
        
                     );

     

       1122
       1127
        
                 };

     

       1123
       1123
       -
                 options.ShutdownWaitLength = mkOption {

     

       1124
       1124
       -
                   type = types.int;

     

       1128
       1128
       +
                 options.ShutdownWaitLength = lib.mkOption {

     

       1129
       1129
       +
                   type = lib.types.int;

     

       1125
       1130
        
                   default = 30;

     

       1126
       1131
        
                   description = (descriptionGeneric "ShutdownWaitLength");

     

       1127
       1132
        
                 };

     

       1128
       1133
        
                 options.SocksPolicy = optionStrings "SocksPolicy" // {

     

       1129
       1134
        
                   example = [ "accept *:*" ];

     

       1130
       1135
        
                 };

     

       1131
       1131
       -
                 options.SOCKSPort = mkOption {

     

       1136
       1136
       +
                 options.SOCKSPort = lib.mkOption {

     

       1132
       1137
        
                   description = (descriptionGeneric "SOCKSPort");

     

       1133
       1138
        
                   default = lib.optionals cfg.settings.HiddenServiceNonAnonymousMode [ { port = 0; } ];

     

       1134
       1134
       -
                   defaultText = literalExpression ''

     

       1139
       1139
       +
                   defaultText = lib.literalExpression ''

     

       1135
       1140
        
                     if config.${opt.settings}.HiddenServiceNonAnonymousMode == true

     

       1136
       1141
        
                     then [ { port = 0; } ]

     

       1137
       1142
        
                     else [ ]

     

       1138
       1143
        
                   '';

     

       1139
       1144
        
                   example = [ { port = 9090; } ];

     

       1140
       1140
       -
                   type = types.listOf (optionSOCKSPort true);

     

       1145
       1145
       +
                   type = lib.types.listOf (optionSOCKSPort true);

     

       1141
       1146
        
                 };

     

       1142
       1147
        
                 options.TestingTorNetwork = optionBool "TestingTorNetwork";

     

       1143
       1148
        
                 options.TransPort = optionIsolablePorts "TransPort";

     

       1144
       1144
       -
                 options.TransProxyType = mkOption {

     

       1149
       1149
       +
                 options.TransProxyType = lib.mkOption {

     

       1145
       1150
        
                   description = (descriptionGeneric "TransProxyType");

     

       1146
       1151
        
                   type =

     

       1147
       1147
       -
                     with types;

     

       1152
       1152
       +
                     with lib.types;

     

       1148
       1153
        
                     nullOr (enum [

     

       1149
       1154
        
                       "default"

     

       1150
       1155
        
                       "TPROXY"

     
···

       1168
       1173
        
           };

     

       1169
       1174
        
         };

     

       1170
       1175
        
       

     

       1171
       1171
       -
         config = mkIf cfg.enable {

     

       1176
       1176
       +
         config = lib.mkIf cfg.enable {

     

       1172
       1177
        
           # Not sure if `cfg.relay.role == "private-bridge"` helps as tor

     

       1173
       1178
        
           # sends a lot of stats

     

       1174
       1179
        
           warnings =

     
···

       1295
       1300
        
             ))

     

       1296
       1301
        
           ];

     

       1297
       1302
        
       

     

       1298
       1298
       -
           networking.firewall = mkIf cfg.openFirewall {

     

       1303
       1303
       +
           networking.firewall = lib.mkIf cfg.openFirewall {

     

       1299
       1304
        
             allowedTCPPorts =

     

       1300
       1305
        
               concatMap

     

       1301
       1306
        
                 (

+9 -10

nixos/modules/services/security/torify.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       with lib;

     

       8
       7
        
       let

     

       9
       8
        
       

     

       10
       9
        
         cfg = config.services.tor;

     
···

       29
       28
        
       

     

       30
       29
        
           services.tor.tsocks = {

     

       31
       30
        
       

     

       32
       32
       -
             enable = mkOption {

     

       33
       33
       -
               type = types.bool;

     

       31
       31
       +
             enable = lib.mkOption {

     

       32
       32
       +
               type = lib.types.bool;

     

       34
       33
        
               default = false;

     

       35
       34
        
               description = ''

     

       36
       35
        
                 Whether to build tsocks wrapper script to relay application traffic via Tor.

     
···

       45
       44
        
               '';

     

       46
       45
        
             };

     

       47
       46
        
       

     

       48
       48
       -
             server = mkOption {

     

       49
       49
       -
               type = types.str;

     

       47
       47
       +
             server = lib.mkOption {

     

       48
       48
       +
               type = lib.types.str;

     

       50
       49
        
               default = "localhost:9050";

     

       51
       50
        
               example = "192.168.0.20";

     

       52
       51
        
               description = ''

     
···

       54
       53
        
               '';

     

       55
       54
        
             };

     

       56
       55
        
       

     

       57
       57
       -
             config = mkOption {

     

       58
       58
       -
               type = types.lines;

     

       56
       56
       +
             config = lib.mkOption {

     

       57
       57
       +
               type = lib.types.lines;

     

       59
       58
        
               default = "";

     

       60
       59
        
               description = ''

     

       61
       60
        
                 Extra configuration. Contents will be added verbatim to TSocks

     
···

       69
       68
        
       

     

       70
       69
        
         ###### implementation

     

       71
       70
        
       

     

       72
       72
       -
         config = mkIf cfg.tsocks.enable {

     

       71
       71
       +
         config = lib.mkIf cfg.tsocks.enable {

     

       73
       72
        
       

     

       74
       73
        
           environment.systemPackages = [ torify ]; # expose it to the users

     

       75
       74
        
       

     

       76
       75
        
           services.tor.tsocks.config = ''

     

       77
       77
       -
             server = ${toString (head (splitString ":" cfg.tsocks.server))}

     

       78
       78
       -
             server_port = ${toString (tail (splitString ":" cfg.tsocks.server))}

     

       76
       76
       +
             server = ${toString (lib.head (lib.splitString ":" cfg.tsocks.server))}

     

       77
       77
       +
             server_port = ${toString (lib.tail (lib.splitString ":" cfg.tsocks.server))}

     

       79
       78
        
       

     

       80
       79
        
             local = 127.0.0.0/255.128.0.0

     

       81
       80
        
             local = 127.128.0.0/255.192.0.0

+19 -22

nixos/modules/services/security/torsocks.nix

···

       1
       1
        
       { config, lib, pkgs, ... }:

     

       2
       2
       -
       

     

       3
       3
       -
       with lib;

     

       4
       4
       -
       

     

       5
       2
        
       let

     

       6
       3
        
         cfg = config.services.tor.torsocks;

     

       7
       7
       -
         optionalNullStr = b: v: optionalString (b != null) v;

     

       4
       4
       +
         optionalNullStr = b: v: lib.optionalString (b != null) v;

     

       8
       5
        
       

     

       9
       6
        
         configFile = server: ''

     

       10
       10
       -
           TorAddress ${toString (head (splitString ":" server))}

     

       11
       11
       -
           TorPort    ${toString (tail (splitString ":" server))}

     

       7
       7
       +
           TorAddress ${toString (lib.head (lib.splitString ":" server))}

     

       8
       8
       +
           TorPort    ${toString (lib.tail (lib.splitString ":" server))}

     

       12
       9
        
       

     

       13
       10
        
           OnionAddrRange ${cfg.onionAddrRange}

     

       14
       11
        
       

     
···

       34
       31
        
       {

     

       35
       32
        
         options = {

     

       36
       33
        
           services.tor.torsocks = {

     

       37
       37
       -
             enable = mkOption {

     

       38
       38
       -
               type        = types.bool;

     

       34
       34
       +
             enable = lib.mkOption {

     

       35
       35
       +
               type        = lib.types.bool;

     

       39
       36
        
               default     = config.services.tor.enable && config.services.tor.client.enable;

     

       40
       40
       -
               defaultText = literalExpression "config.services.tor.enable && config.services.tor.client.enable";

     

       37
       37
       +
               defaultText = lib.literalExpression "config.services.tor.enable && config.services.tor.client.enable";

     

       41
       38
        
               description = ''

     

       42
       39
        
                 Whether to build `/etc/tor/torsocks.conf`

     

       43
       40
        
                 containing the specified global torsocks configuration.

     

       44
       41
        
               '';

     

       45
       42
        
             };

     

       46
       43
        
       

     

       47
       47
       -
             server = mkOption {

     

       48
       48
       -
               type    = types.str;

     

       44
       44
       +
             server = lib.mkOption {

     

       45
       45
       +
               type    = lib.types.str;

     

       49
       46
        
               default = "127.0.0.1:9050";

     

       50
       47
        
               example = "192.168.0.20:1234";

     

       51
       48
        
               description = ''

     
···

       54
       51
        
               '';

     

       55
       52
        
             };

     

       56
       53
        
       

     

       57
       57
       -
             fasterServer = mkOption {

     

       58
       58
       -
               type    = types.str;

     

       54
       54
       +
             fasterServer = lib.mkOption {

     

       55
       55
       +
               type    = lib.types.str;

     

       59
       56
        
               default = "127.0.0.1:9063";

     

       60
       57
        
               example = "192.168.0.20:1234";

     

       61
       58
        
               description = ''

     
···

       64
       61
        
               '';

     

       65
       62
        
             };

     

       66
       63
        
       

     

       67
       67
       -
             onionAddrRange = mkOption {

     

       68
       68
       -
               type    = types.str;

     

       64
       64
       +
             onionAddrRange = lib.mkOption {

     

       65
       65
       +
               type    = lib.types.str;

     

       69
       66
        
               default = "127.42.42.0/24";

     

       70
       67
        
               description = ''

     

       71
       68
        
                 Tor hidden sites do not have real IP addresses. This

     
···

       77
       74
        
               '';

     

       78
       75
        
             };

     

       79
       76
        
       

     

       80
       80
       -
             socks5Username = mkOption {

     

       81
       81
       -
               type    = types.nullOr types.str;

     

       77
       77
       +
             socks5Username = lib.mkOption {

     

       78
       78
       +
               type    = lib.types.nullOr lib.types.str;

     

       82
       79
        
               default = null;

     

       83
       80
        
               example = "bob";

     

       84
       81
        
               description = ''

     
···

       87
       84
        
               '';

     

       88
       85
        
             };

     

       89
       86
        
       

     

       90
       90
       -
             socks5Password = mkOption {

     

       91
       91
       -
               type    = types.nullOr types.str;

     

       87
       87
       +
             socks5Password = lib.mkOption {

     

       88
       88
       +
               type    = lib.types.nullOr lib.types.str;

     

       92
       89
        
               default = null;

     

       93
       90
        
               example = "sekret";

     

       94
       91
        
               description = ''

     
···

       97
       94
        
               '';

     

       98
       95
        
             };

     

       99
       96
        
       

     

       100
       100
       -
             allowInbound = mkOption {

     

       101
       101
       -
               type    = types.bool;

     

       97
       97
       +
             allowInbound = lib.mkOption {

     

       98
       98
       +
               type    = lib.types.bool;

     

       102
       99
        
               default = false;

     

       103
       100
        
               description = ''

     

       104
       101
        
                 Set Torsocks to accept inbound connections. If set to

     
···

       110
       107
        
           };

     

       111
       108
        
         };

     

       112
       109
        
       

     

       113
       113
       -
         config = mkIf cfg.enable {

     

       110
       110
       +
         config = lib.mkIf cfg.enable {

     

       114
       111
        
           environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ];

     

       115
       112
        
       

     

       116
       113
        
           environment.etc."tor/torsocks.conf" =

+32 -34

nixos/modules/services/security/usbguard.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       7
        
       let

     

       10
       8
        
         cfg = config.services.usbguard;

     

       11
       9
        
       

     

       12
       10
        
         # valid policy options

     

       13
       11
        
         policy = (

     

       14
       14
       -
           types.enum [

     

       12
       12
       +
           lib.types.enum [

     

       15
       13
        
             "allow"

     

       16
       14
        
             "block"

     

       17
       15
        
             "reject"

     
···

       30
       28
        
           PresentDevicePolicy=${cfg.presentDevicePolicy}

     

       31
       29
        
           PresentControllerPolicy=${cfg.presentControllerPolicy}

     

       32
       30
        
           InsertedDevicePolicy=${cfg.insertedDevicePolicy}

     

       33
       33
       -
           RestoreControllerDeviceState=${boolToString cfg.restoreControllerDeviceState}

     

       31
       31
       +
           RestoreControllerDeviceState=${lib.boolToString cfg.restoreControllerDeviceState}

     

       34
       32
        
           # this does not seem useful for endusers to change

     

       35
       33
        
           DeviceManagerBackend=uevent

     

       36
       36
       -
           IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers}

     

       37
       37
       -
           IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups}

     

       34
       34
       +
           IPCAllowedUsers=${lib.concatStringsSep " " cfg.IPCAllowedUsers}

     

       35
       35
       +
           IPCAllowedGroups=${lib.concatStringsSep " " cfg.IPCAllowedGroups}

     

       38
       36
        
           IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/

     

       39
       39
       -
           DeviceRulesWithPort=${boolToString cfg.deviceRulesWithPort}

     

       37
       37
       +
           DeviceRulesWithPort=${lib.boolToString cfg.deviceRulesWithPort}

     

       40
       38
        
           # HACK: that way audit logs still land in the journal

     

       41
       39
        
           AuditFilePath=/dev/null

     

       42
       40
        
         '';

     
···

       50
       48
        
       

     

       51
       49
        
         options = {

     

       52
       50
        
           services.usbguard = {

     

       53
       53
       -
             enable = mkEnableOption "USBGuard daemon";

     

       51
       51
       +
             enable = lib.mkEnableOption "USBGuard daemon";

     

       54
       52
        
       

     

       55
       55
       -
             package = mkPackageOption pkgs "usbguard" {

     

       53
       53
       +
             package = lib.mkPackageOption pkgs "usbguard" {

     

       56
       54
        
               extraDescription = ''

     

       57
       55
        
                 If you do not need the Qt GUI, use `pkgs.usbguard-nox` to save disk space.

     

       58
       56
        
               '';

     

       59
       57
        
             };

     

       60
       58
        
       

     

       61
       61
       -
             ruleFile = mkOption {

     

       62
       62
       -
               type = types.nullOr types.path;

     

       59
       59
       +
             ruleFile = lib.mkOption {

     

       60
       60
       +
               type = lib.types.nullOr lib.types.path;

     

       63
       61
        
               default = "/var/lib/usbguard/rules.conf";

     

       64
       62
        
               example = "/run/secrets/usbguard-rules";

     

       65
       63
        
               description = ''

     
···

       71
       69
        
               '';

     

       72
       70
        
       

     

       73
       71
        
             };

     

       74
       74
       -
             rules = mkOption {

     

       75
       75
       -
               type = types.nullOr types.lines;

     

       72
       72
       +
             rules = lib.mkOption {

     

       73
       73
       +
               type = lib.types.nullOr lib.types.lines;

     

       76
       74
        
               default = null;

     

       77
       75
        
               example = ''

     

       78
       76
        
                 allow with-interface equals { 08:*:* }

     
···

       92
       90
        
               '';

     

       93
       91
        
             };

     

       94
       92
        
       

     

       95
       95
       -
             implicitPolicyTarget = mkOption {

     

       96
       96
       -
               type = types.enum [

     

       93
       93
       +
             implicitPolicyTarget = lib.mkOption {

     

       94
       94
       +
               type = lib.types.enum [

     

       97
       95
        
                 "allow"

     

       98
       96
        
                 "block"

     

       99
       97
        
                 "reject"

     
···

       106
       104
        
               '';

     

       107
       105
        
             };

     

       108
       106
        
       

     

       109
       109
       -
             presentDevicePolicy = mkOption {

     

       107
       107
       +
             presentDevicePolicy = lib.mkOption {

     

       110
       108
        
               type = policy;

     

       111
       109
        
               default = "apply-policy";

     

       112
       110
        
               description = ''

     
···

       117
       115
        
               '';

     

       118
       116
        
             };

     

       119
       117
        
       

     

       120
       120
       -
             presentControllerPolicy = mkOption {

     

       118
       118
       +
             presentControllerPolicy = lib.mkOption {

     

       121
       119
        
               type = policy;

     

       122
       120
        
               default = "keep";

     

       123
       121
        
               description = ''

     
···

       126
       124
        
               '';

     

       127
       125
        
             };

     

       128
       126
        
       

     

       129
       129
       -
             insertedDevicePolicy = mkOption {

     

       130
       130
       -
               type = types.enum [

     

       127
       127
       +
             insertedDevicePolicy = lib.mkOption {

     

       128
       128
       +
               type = lib.types.enum [

     

       131
       129
        
                 "block"

     

       132
       130
        
                 "reject"

     

       133
       131
        
                 "apply-policy"

     
···

       139
       137
        
               '';

     

       140
       138
        
             };

     

       141
       139
        
       

     

       142
       142
       -
             restoreControllerDeviceState = mkOption {

     

       143
       143
       -
               type = types.bool;

     

       140
       140
       +
             restoreControllerDeviceState = lib.mkOption {

     

       141
       141
       +
               type = lib.types.bool;

     

       144
       142
        
               default = false;

     

       145
       143
        
               description = ''

     

       146
       144
        
                 The  USBGuard  daemon  modifies  some attributes of controller

     
···

       151
       149
        
               '';

     

       152
       150
        
             };

     

       153
       151
        
       

     

       154
       154
       -
             IPCAllowedUsers = mkOption {

     

       155
       155
       -
               type = types.listOf types.str;

     

       152
       152
       +
             IPCAllowedUsers = lib.mkOption {

     

       153
       153
       +
               type = lib.types.listOf lib.types.str;

     

       156
       154
        
               default = [ "root" ];

     

       157
       155
        
               example = [

     

       158
       156
        
                 "root"

     
···

       163
       161
        
               '';

     

       164
       162
        
             };

     

       165
       163
        
       

     

       166
       166
       -
             IPCAllowedGroups = mkOption {

     

       167
       167
       -
               type = types.listOf types.str;

     

       164
       164
       +
             IPCAllowedGroups = lib.mkOption {

     

       165
       165
       +
               type = lib.types.listOf lib.types.str;

     

       168
       166
        
               default = [ ];

     

       169
       167
        
               example = [ "wheel" ];

     

       170
       168
        
               description = ''

     
···

       173
       171
        
               '';

     

       174
       172
        
             };

     

       175
       173
        
       

     

       176
       176
       -
             deviceRulesWithPort = mkOption {

     

       177
       177
       -
               type = types.bool;

     

       174
       174
       +
             deviceRulesWithPort = lib.mkOption {

     

       175
       175
       +
               type = lib.types.bool;

     

       178
       176
        
               default = false;

     

       179
       177
        
               description = ''

     

       180
       178
        
                 Generate device specific rules including the "via-port" attribute.

     

       181
       179
        
               '';

     

       182
       180
        
             };

     

       183
       181
        
       

     

       184
       184
       -
             dbus.enable = mkEnableOption "USBGuard dbus daemon";

     

       182
       182
       +
             dbus.enable = lib.mkEnableOption "USBGuard dbus daemon";

     

       185
       183
        
           };

     

       186
       184
        
         };

     

       187
       185
        
       

     

       188
       186
        
         ###### implementation

     

       189
       187
        
       

     

       190
       190
       -
         config = mkIf cfg.enable {

     

       188
       188
       +
         config = lib.mkIf cfg.enable {

     

       191
       189
        
       

     

       192
       190
        
           environment.systemPackages = [ cfg.package ];

     

       193
       191
        
       

     
···

       239
       237
        
               };

     

       240
       238
        
             };

     

       241
       239
        
       

     

       242
       242
       -
             usbguard-dbus = mkIf cfg.dbus.enable {

     

       240
       240
       +
             usbguard-dbus = lib.mkIf cfg.dbus.enable {

     

       243
       241
        
               description = "USBGuard D-Bus Service";

     

       244
       242
        
       

     

       245
       243
        
               wantedBy = [ "multi-user.target" ];

     
···

       261
       259
        
               groupCheck =

     

       262
       260
        
                 (lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false";

     

       263
       261
        
             in

     

       264
       264
       -
             optionalString cfg.dbus.enable ''

     

       262
       262
       +
             lib.optionalString cfg.dbus.enable ''

     

       265
       263
        
               polkit.addRule(function(action, subject) {

     

       266
       264
        
                   if ((action.id == "org.usbguard.Policy1.listRules" ||

     

       267
       265
        
                        action.id == "org.usbguard.Policy1.appendRule" ||

     
···

       278
       276
        
             '';

     

       279
       277
        
         };

     

       280
       278
        
         imports = [

     

       281
       281
       -
           (mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ]

     

       279
       279
       +
           (lib.mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ]

     

       282
       280
        
             "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d."

     

       283
       281
        
           )

     

       284
       284
       -
           (mkRemovedOptionModule [

     

       282
       282
       +
           (lib.mkRemovedOptionModule [

     

       285
       283
        
             "services"

     

       286
       284
        
             "usbguard"

     

       287
       285
        
             "auditFilePath"

     

       288
       286
        
           ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")

     

       289
       289
       -
           (mkRenamedOptionModule

     

       287
       287
       +
           (lib.mkRenamedOptionModule

     

       290
       288
        
             [ "services" "usbguard" "implictPolicyTarget" ]

     

       291
       289
        
             [ "services" "usbguard" "implicitPolicyTarget" ]

     

       292
       290
        
           )

+17 -20

nixos/modules/services/security/vault-agent.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         format = pkgs.formats.json { };

     

       12
       9
        
         commonOptions =

     
···

       14
       11
        
             pkgName,

     

       15
       12
        
             flavour ? pkgName,

     

       16
       13
        
           }:

     

       17
       17
       -
           mkOption {

     

       14
       14
       +
           lib.mkOption {

     

       18
       15
        
             default = { };

     

       19
       16
        
             description = ''

     

       20
       17
        
               Attribute set of ${flavour} instances.

     

       21
       18
        
               Creates independent `${flavour}-''${name}.service` systemd units for each instance defined here.

     

       22
       19
        
             '';

     

       23
       20
        
             type =

     

       24
       24
       -
               with types;

     

       21
       21
       +
               with lib.types;

     

       25
       22
        
               attrsOf (

     

       26
       23
        
                 submodule (

     

       27
       24
        
                   { name, ... }:

     

       28
       25
        
                   {

     

       29
       26
        
                     options = {

     

       30
       30
       -
                       enable = mkEnableOption "this ${flavour} instance" // {

     

       27
       27
       +
                       enable = lib.mkEnableOption "this ${flavour} instance" // {

     

       31
       28
        
                         default = true;

     

       32
       29
        
                       };

     

       33
       30
        
       

     

       34
       34
       -
                       package = mkPackageOption pkgs pkgName { };

     

       31
       31
       +
                       package = lib.mkPackageOption pkgs pkgName { };

     

       35
       32
        
       

     

       36
       36
       -
                       user = mkOption {

     

       33
       33
       +
                       user = lib.mkOption {

     

       37
       34
        
                         type = types.str;

     

       38
       35
        
                         default = "root";

     

       39
       36
        
                         description = ''

     
···

       41
       38
        
                         '';

     

       42
       39
        
                       };

     

       43
       40
        
       

     

       44
       44
       -
                       group = mkOption {

     

       41
       41
       +
                       group = lib.mkOption {

     

       45
       42
        
                         type = types.str;

     

       46
       43
        
                         default = "root";

     

       47
       44
        
                         description = ''

     
···

       49
       46
        
                         '';

     

       50
       47
        
                       };

     

       51
       48
        
       

     

       52
       52
       -
                       settings = mkOption {

     

       49
       49
       +
                       settings = lib.mkOption {

     

       53
       50
        
                         type = types.submodule {

     

       54
       51
        
                           freeformType = format.type;

     

       55
       52
        
       

     

       56
       53
        
                           options = {

     

       57
       57
       -
                             pid_file = mkOption {

     

       54
       54
       +
                             pid_file = lib.mkOption {

     

       58
       55
        
                               default = "/run/${flavour}/${name}.pid";

     

       59
       56
        
                               type = types.str;

     

       60
       57
        
                               description = ''

     
···

       62
       59
        
                               '';

     

       63
       60
        
                             };

     

       64
       61
        
       

     

       65
       65
       -
                             template = mkOption {

     

       62
       62
       +
                             template = lib.mkOption {

     

       66
       63
        
                               default = null;

     

       67
       64
        
                               type = with types; nullOr (listOf (attrsOf anything));

     

       68
       65
        
                               description =

     
···

       116
       113
        
           let

     

       117
       114
        
             configFile = format.generate "${name}.json" instance.settings;

     

       118
       115
        
           in

     

       119
       119
       -
           mkIf (instance.enable) {

     

       116
       116
       +
           lib.mkIf (instance.enable) {

     

       120
       117
        
             description = "${flavour} daemon - ${name}";

     

       121
       118
        
             wantedBy = [ "multi-user.target" ];

     

       122
       119
        
             after = [ "network.target" ];

     
···

       127
       124
        
               User = instance.user;

     

       128
       125
        
               Group = instance.group;

     

       129
       126
        
               RuntimeDirectory = flavour;

     

       130
       130
       -
               ExecStart = "${getExe instance.package} ${

     

       131
       131
       -
                 optionalString ((getName instance.package) == "vault") "agent"

     

       127
       127
       +
               ExecStart = "${lib.getExe instance.package} ${

     

       128
       128
       +
                 lib.optionalString ((lib.getName instance.package) == "vault") "agent"

     

       132
       129
        
               } -config ${configFile}";

     

       133
       130
        
               ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";

     

       134
       131
        
               KillSignal = "SIGINT";

     
···

       146
       143
        
           };

     

       147
       144
        
         };

     

       148
       145
        
       

     

       149
       149
       -
         config = mkMerge (

     

       146
       146
       +
         config = lib.mkMerge (

     

       150
       147
        
           map

     

       151
       148
        
             (

     

       152
       149
        
               flavour:

     

       153
       150
        
               let

     

       154
       151
        
                 cfg = config.services.${flavour};

     

       155
       152
        
               in

     

       156
       156
       -
               mkIf (cfg.instances != { }) {

     

       157
       157
       -
                 systemd.services = mapAttrs' (

     

       153
       153
       +
               lib.mkIf (cfg.instances != { }) {

     

       154
       154
       +
                 systemd.services = lib.mapAttrs' (

     

       158
       155
        
                   name: instance:

     

       159
       159
       -
                   nameValuePair "${flavour}-${name}" (createAgentInstance {

     

       156
       156
       +
                   lib.nameValuePair "${flavour}-${name}" (createAgentInstance {

     

       160
       157
        
                     inherit name instance flavour;

     

       161
       158
        
                   })

     

       162
       159
        
                 ) cfg.instances;

     
···

       168
       165
        
             ]

     

       169
       166
        
         );

     

       170
       167
        
       

     

       171
       171
       -
         meta.maintainers = with maintainers; [

     

       168
       168
       +
         meta.maintainers = with lib.maintainers; [

     

       172
       169
        
           emilylange

     

       173
       170
        
           tcheronneau

     

       174
       171
        
         ];

+40 -41

nixos/modules/services/security/vault.nix

···

       5
       5
        
         pkgs,

     

       6
       6
        
         ...

     

       7
       7
        
       }:

     

       8
       8
       -
       

     

       9
       9
       -
       with lib;

     

       10
       10
       -
       

     

       11
       8
        
       let

     

       12
       9
        
         cfg = config.services.vault;

     

       13
       10
        
         opt = options.services.vault;

     
···

       32
       29
        
             }

     

       33
       30
        
           ''}

     

       34
       31
        
           storage "${cfg.storageBackend}" {

     

       35
       35
       -
             ${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}

     

       36
       36
       -
             ${optionalString (cfg.storageConfig != null) cfg.storageConfig}

     

       32
       32
       +
             ${lib.optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}

     

       33
       33
       +
             ${lib.optionalString (cfg.storageConfig != null) cfg.storageConfig}

     

       37
       34
        
           }

     

       38
       38
       -
           ${optionalString (cfg.telemetryConfig != "") ''

     

       35
       35
       +
           ${lib.optionalString (cfg.telemetryConfig != "") ''

     

       39
       36
        
             telemetry {

     

       40
       37
        
               ${cfg.telemetryConfig}

     

       41
       38
        
             }

     
···

       44
       41
        
         '';

     

       45
       42
        
       

     

       46
       43
        
         allConfigPaths = [ configFile ] ++ cfg.extraSettingsPaths;

     

       47
       47
       -
         configOptions = escapeShellArgs (

     

       44
       44
       +
         configOptions = lib.escapeShellArgs (

     

       48
       45
        
           lib.optional cfg.dev "-dev"

     

       49
       46
        
           ++ lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"

     

       50
       50
       -
           ++ (concatMap (p: [

     

       47
       47
       +
           ++ (lib.concatMap (p: [

     

       51
       48
        
             "-config"

     

       52
       49
        
             p

     

       53
       50
        
           ]) allConfigPaths)

     
···

       58
       55
        
       {

     

       59
       56
        
         options = {

     

       60
       57
        
           services.vault = {

     

       61
       61
       -
             enable = mkEnableOption "Vault daemon";

     

       58
       58
       +
             enable = lib.mkEnableOption "Vault daemon";

     

       62
       59
        
       

     

       63
       63
       -
             package = mkPackageOption pkgs "vault" { };

     

       60
       60
       +
             package = lib.mkPackageOption pkgs "vault" { };

     

       64
       61
        
       

     

       65
       65
       -
             dev = mkOption {

     

       66
       66
       -
               type = types.bool;

     

       62
       62
       +
             dev = lib.mkOption {

     

       63
       63
       +
               type = lib.types.bool;

     

       67
       64
        
               default = false;

     

       68
       65
        
               description = ''

     

       69
       66
        
                 In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.

     

       70
       67
        
               '';

     

       71
       68
        
             };

     

       72
       69
        
       

     

       73
       73
       -
             devRootTokenID = mkOption {

     

       74
       74
       -
               type = types.nullOr types.str;

     

       70
       70
       +
             devRootTokenID = lib.mkOption {

     

       71
       71
       +
               type = lib.types.nullOr lib.types.str;

     

       75
       72
        
               default = null;

     

       76
       73
        
               description = ''

     

       77
       74
        
                 Initial root token. This only applies when {option}`services.vault.dev` is true

     

       78
       75
        
               '';

     

       79
       76
        
             };

     

       80
       77
        
       

     

       81
       81
       -
             address = mkOption {

     

       82
       82
       -
               type = types.str;

     

       78
       78
       +
             address = lib.mkOption {

     

       79
       79
       +
               type = lib.types.str;

     

       83
       80
        
               default = "127.0.0.1:8200";

     

       84
       81
        
               description = "The name of the ip interface to listen to";

     

       85
       82
        
             };

     

       86
       83
        
       

     

       87
       87
       -
             tlsCertFile = mkOption {

     

       88
       88
       -
               type = types.nullOr types.str;

     

       84
       84
       +
             tlsCertFile = lib.mkOption {

     

       85
       85
       +
               type = lib.types.nullOr lib.types.str;

     

       89
       86
        
               default = null;

     

       90
       87
        
               example = "/path/to/your/cert.pem";

     

       91
       88
        
               description = "TLS certificate file. TLS will be disabled unless this option is set";

     

       92
       89
        
             };

     

       93
       90
        
       

     

       94
       94
       -
             tlsKeyFile = mkOption {

     

       95
       95
       -
               type = types.nullOr types.str;

     

       91
       91
       +
             tlsKeyFile = lib.mkOption {

     

       92
       92
       +
               type = lib.types.nullOr lib.types.str;

     

       96
       93
        
               default = null;

     

       97
       94
        
               example = "/path/to/your/key.pem";

     

       98
       95
        
               description = "TLS private key file. TLS will be disabled unless this option is set";

     

       99
       96
        
             };

     

       100
       97
        
       

     

       101
       101
       -
             listenerExtraConfig = mkOption {

     

       102
       102
       -
               type = types.lines;

     

       98
       98
       +
             listenerExtraConfig = lib.mkOption {

     

       99
       99
       +
               type = lib.types.lines;

     

       103
       100
        
               default = ''

     

       104
       101
        
                 tls_min_version = "tls12"

     

       105
       102
        
               '';

     

       106
       103
        
               description = "Extra text appended to the listener section.";

     

       107
       104
        
             };

     

       108
       105
        
       

     

       109
       109
       -
             storageBackend = mkOption {

     

       110
       110
       -
               type = types.enum [

     

       106
       106
       +
             storageBackend = lib.mkOption {

     

       107
       107
       +
               type = lib.types.enum [

     

       111
       108
        
                 "inmem"

     

       112
       109
        
                 "file"

     

       113
       110
        
                 "consul"

     
···

       127
       124
        
               description = "The name of the type of storage backend";

     

       128
       125
        
             };

     

       129
       126
        
       

     

       130
       130
       -
             storagePath = mkOption {

     

       131
       131
       -
               type = types.nullOr types.path;

     

       127
       127
       +
             storagePath = lib.mkOption {

     

       128
       128
       +
               type = lib.types.nullOr lib.types.path;

     

       132
       129
        
               default =

     

       133
       130
        
                 if cfg.storageBackend == "file" || cfg.storageBackend == "raft" then "/var/lib/vault" else null;

     

       134
       134
       -
               defaultText = literalExpression ''

     

       131
       131
       +
               defaultText = lib.literalExpression ''

     

       135
       132
        
                 if config.${opt.storageBackend} == "file" || cfg.storageBackend == "raft"

     

       136
       133
        
                 then "/var/lib/vault"

     

       137
       134
        
                 else null

     
···

       139
       136
        
               description = "Data directory for file backend";

     

       140
       137
        
             };

     

       141
       138
        
       

     

       142
       142
       -
             storageConfig = mkOption {

     

       143
       143
       -
               type = types.nullOr types.lines;

     

       139
       139
       +
             storageConfig = lib.mkOption {

     

       140
       140
       +
               type = lib.types.nullOr lib.types.lines;

     

       144
       141
        
               default = null;

     

       145
       142
        
               description = ''

     

       146
       143
        
                 HCL configuration to insert in the storageBackend section.

     
···

       152
       149
        
               '';

     

       153
       150
        
             };

     

       154
       151
        
       

     

       155
       155
       -
             telemetryConfig = mkOption {

     

       156
       156
       -
               type = types.lines;

     

       152
       152
       +
             telemetryConfig = lib.mkOption {

     

       153
       153
       +
               type = lib.types.lines;

     

       157
       154
        
               default = "";

     

       158
       155
        
               description = "Telemetry configuration";

     

       159
       156
        
             };

     

       160
       157
        
       

     

       161
       161
       -
             extraConfig = mkOption {

     

       162
       162
       -
               type = types.lines;

     

       158
       158
       +
             extraConfig = lib.mkOption {

     

       159
       159
       +
               type = lib.types.lines;

     

       163
       160
        
               default = "";

     

       164
       161
        
               description = "Extra text appended to {file}`vault.hcl`.";

     

       165
       162
        
             };

     

       166
       163
        
       

     

       167
       167
       -
             extraSettingsPaths = mkOption {

     

       168
       168
       -
               type = types.listOf types.path;

     

       164
       164
       +
             extraSettingsPaths = lib.mkOption {

     

       165
       165
       +
               type = lib.types.listOf lib.types.path;

     

       169
       166
        
               default = [ ];

     

       170
       167
        
               description = ''

     

       171
       168
        
                 Configuration files to load besides the immutable one defined by the NixOS module.

     
···

       196
       193
        
           };

     

       197
       194
        
         };

     

       198
       195
        
       

     

       199
       199
       -
         config = mkIf cfg.enable {

     

       196
       196
       +
         config = lib.mkIf cfg.enable {

     

       200
       197
        
           assertions = [

     

       201
       198
        
             {

     

       202
       199
        
               assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);

     
···

       219
       216
        
           };

     

       220
       217
        
           users.groups.vault.gid = config.ids.gids.vault;

     

       221
       218
        
       

     

       222
       222
       -
           systemd.tmpfiles.rules = optional (

     

       219
       219
       +
           systemd.tmpfiles.rules = lib.optional (

     

       223
       220
        
             cfg.storagePath != null

     

       224
       221
        
           ) "d '${cfg.storagePath}' 0700 vault vault - -";

     

       225
       222
        
       

     
···

       227
       224
        
             description = "Vault server daemon";

     

       228
       225
        
       

     

       229
       226
        
             wantedBy = [ "multi-user.target" ];

     

       230
       230
       -
             after = [

     

       231
       231
       -
               "network.target"

     

       232
       232
       -
             ] ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";

     

       227
       227
       +
             after =

     

       228
       228
       +
               [

     

       229
       229
       +
                 "network.target"

     

       230
       230
       +
               ]

     

       231
       231
       +
               ++ lib.optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";

     

       233
       232
        
       

     

       234
       233
        
             restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.

     

       235
       234
        
       

     
···

       255
       254
        
               Restart = "on-failure";

     

       256
       255
        
             };

     

       257
       256
        
       

     

       258
       258
       -
             unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;

     

       257
       257
       +
             unitConfig.RequiresMountsFor = lib.optional (cfg.storagePath != null) cfg.storagePath;

     

       259
       258
        
           };

     

       260
       259
        
         };

     

       261
       260

+11 -13

nixos/modules/services/security/yubikey-agent.nix

···

       1
       1
        
       # Global configuration for yubikey-agent.

     

       2
       2
       -
       

     

       3
       2
        
       {

     

       4
       3
        
         config,

     

       5
       4
        
         lib,

     

       6
       5
        
         pkgs,

     

       7
       6
        
         ...

     

       8
       7
        
       }:

     

       9
       9
       -
       

     

       10
       10
       -
       with lib;

     

       11
       11
       -
       

     

       12
       8
        
       let

     

       13
       9
        
         cfg = config.services.yubikey-agent;

     

       14
       10
        
       in

     

       15
       11
        
       {

     

       16
       12
        
         ###### interface

     

       17
       13
        
       

     

       18
       18
       -
         meta.maintainers = with maintainers; [

     

       14
       14
       +
         meta.maintainers = with lib.maintainers; [

     

       19
       15
        
           philandstuff

     

       20
       16
        
           rawkode

     

       21
       17
        
         ];

     
···

       23
       19
        
         options = {

     

       24
       20
        
       

     

       25
       21
        
           services.yubikey-agent = {

     

       26
       26
       -
             enable = mkOption {

     

       27
       27
       -
               type = types.bool;

     

       22
       22
       +
             enable = lib.mkOption {

     

       23
       23
       +
               type = lib.types.bool;

     

       28
       24
        
               default = false;

     

       29
       25
        
               description = ''

     

       30
       26
        
                 Whether to start yubikey-agent when you log in.  Also sets

     
···

       35
       31
        
               '';

     

       36
       32
        
             };

     

       37
       33
        
       

     

       38
       38
       -
             package = mkPackageOption pkgs "yubikey-agent" { };

     

       34
       34
       +
             package = lib.mkPackageOption pkgs "yubikey-agent" { };

     

       39
       35
        
           };

     

       40
       36
        
         };

     

       41
       37
        
       

     

       42
       42
       -
         config = mkIf cfg.enable {

     

       38
       38
       +
         config = lib.mkIf cfg.enable {

     

       43
       39
        
           environment.systemPackages = [ cfg.package ];

     

       44
       40
        
           systemd.packages = [ cfg.package ];

     

       45
       41
        
       

     

       46
       42
        
           # This overrides the systemd user unit shipped with the

     

       47
       43
        
           # yubikey-agent package

     

       48
       48
       -
           systemd.user.services.yubikey-agent = mkIf (config.programs.gnupg.agent.pinentryPackage != null) {

     

       49
       49
       -
             path = [ config.programs.gnupg.agent.pinentryPackage ];

     

       50
       50
       -
             wantedBy = [ "default.target" ];

     

       51
       51
       -
           };

     

       44
       44
       +
           systemd.user.services.yubikey-agent =

     

       45
       45
       +
             lib.mkIf (config.programs.gnupg.agent.pinentryPackage != null)

     

       46
       46
       +
               {

     

       47
       47
       +
                 path = [ config.programs.gnupg.agent.pinentryPackage ];

     

       48
       48
       +
                 wantedBy = [ "default.target" ];

     

       49
       49
       +
               };

     

       52
       50
        
       

     

       53
       51
        
           # Yubikey-agent expects pcsd to be running in order to function.

     

       54
       52
        
           services.pcscd.enable = true;

+4 -7

nixos/modules/services/system/automatic-timezoned.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.automatic-timezoned;

     

       12
       9
        
       in

     

       13
       10
        
       {

     

       14
       11
        
         options = {

     

       15
       12
        
           services.automatic-timezoned = {

     

       16
       16
       -
             enable = mkOption {

     

       17
       17
       -
               type = types.bool;

     

       13
       13
       +
             enable = lib.mkOption {

     

       14
       14
       +
               type = lib.types.bool;

     

       18
       15
        
               default = false;

     

       19
       16
        
               description = ''

     

       20
       17
        
                 Enable `automatic-timezoned`, simple daemon for keeping the system

     
···

       28
       25
        
                 to make the choice deliberate. An error will be presented otherwise.

     

       29
       26
        
               '';

     

       30
       27
        
             };

     

       31
       31
       -
             package = mkPackageOption pkgs "automatic-timezoned" { };

     

       28
       28
       +
             package = lib.mkPackageOption pkgs "automatic-timezoned" { };

     

       32
       29
        
           };

     

       33
       30
        
         };

     

       34
       31
        
       

     

       35
       35
       -
         config = mkIf cfg.enable {

     

       32
       32
       +
         config = lib.mkIf cfg.enable {

     

       36
       33
        
           # This will give users an error if they have set an explicit time

     

       37
       34
        
           # zone, rather than having the service silently override it.

     

       38
       35
        
           time.timeZone = null;

+14 -17

nixos/modules/services/system/cachix-agent/default.nix

···

       4
       4
        
         lib,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.cachix-agent;

     

       12
       9
        
       in

     
···

       14
       11
        
         meta.maintainers = [ lib.maintainers.domenkozar ];

     

       15
       12
        
       

     

       16
       13
        
         options.services.cachix-agent = {

     

       17
       17
       -
           enable = mkEnableOption "Cachix Deploy Agent: https://docs.cachix.org/deploy/";

     

       14
       14
       +
           enable = lib.mkEnableOption "Cachix Deploy Agent: https://docs.cachix.org/deploy/";

     

       18
       15
        
       

     

       19
       19
       -
           name = mkOption {

     

       20
       20
       -
             type = types.str;

     

       16
       16
       +
           name = lib.mkOption {

     

       17
       17
       +
             type = lib.types.str;

     

       21
       18
        
             description = "Agent name, usually same as the hostname";

     

       22
       19
        
             default = config.networking.hostName;

     

       23
       20
        
             defaultText = "config.networking.hostName";

     

       24
       21
        
           };

     

       25
       22
        
       

     

       26
       26
       -
           verbose = mkOption {

     

       27
       27
       -
             type = types.bool;

     

       23
       23
       +
           verbose = lib.mkOption {

     

       24
       24
       +
             type = lib.types.bool;

     

       28
       25
        
             description = "Enable verbose output";

     

       29
       26
        
             default = false;

     

       30
       27
        
           };

     

       31
       28
        
       

     

       32
       32
       -
           profile = mkOption {

     

       33
       33
       -
             type = types.nullOr types.str;

     

       29
       29
       +
           profile = lib.mkOption {

     

       30
       30
       +
             type = lib.types.nullOr lib.types.str;

     

       34
       31
        
             default = null;

     

       35
       32
        
             description = "Profile name, defaults to 'system' (NixOS).";

     

       36
       33
        
           };

     

       37
       34
        
       

     

       38
       38
       -
           host = mkOption {

     

       39
       39
       -
             type = types.nullOr types.str;

     

       35
       35
       +
           host = lib.mkOption {

     

       36
       36
       +
             type = lib.types.nullOr lib.types.str;

     

       40
       37
        
             default = null;

     

       41
       38
        
             description = "Cachix uri to use.";

     

       42
       39
        
           };

     

       43
       40
        
       

     

       44
       44
       -
           package = mkPackageOption pkgs "cachix" { };

     

       41
       41
       +
           package = lib.mkPackageOption pkgs "cachix" { };

     

       45
       42
        
       

     

       46
       46
       -
           credentialsFile = mkOption {

     

       47
       47
       -
             type = types.path;

     

       43
       43
       +
           credentialsFile = lib.mkOption {

     

       44
       44
       +
             type = lib.types.path;

     

       48
       45
        
             default = "/etc/cachix-agent.token";

     

       49
       46
        
             description = ''

     

       50
       47
        
               Required file that needs to contain CACHIX_AGENT_TOKEN=...

     
···

       52
       49
        
           };

     

       53
       50
        
         };

     

       54
       51
        
       

     

       55
       55
       -
         config = mkIf cfg.enable {

     

       52
       52
       +
         config = lib.mkIf cfg.enable {

     

       56
       53
        
           systemd.services.cachix-agent = {

     

       57
       54
        
             description = "Cachix Deploy Agent";

     

       58
       55
        
             wants = [ "network-online.target" ];

     
···

       76
       73
        
                 ${cfg.package}/bin/cachix ${lib.optionalString cfg.verbose "--verbose"} ${

     

       77
       74
        
                   lib.optionalString (cfg.host != null) "--host ${cfg.host}"

     

       78
       75
        
                 } \

     

       79
       79
       -
                   deploy agent ${cfg.name} ${optionalString (cfg.profile != null) cfg.profile}

     

       76
       76
       +
                   deploy agent ${cfg.name} ${lib.optionalString (cfg.profile != null) cfg.profile}

     

       80
       77
        
               '';

     

       81
       78
        
             };

     

       82
       79
        
           };

+17 -20

nixos/modules/services/system/cachix-watch-store.nix

···

       4
       4
        
         lib,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.cachix-watch-store;

     

       12
       9
        
       in

     
···

       17
       14
        
         ];

     

       18
       15
        
       

     

       19
       16
        
         options.services.cachix-watch-store = {

     

       20
       20
       -
           enable = mkEnableOption "Cachix Watch Store: https://docs.cachix.org";

     

       17
       17
       +
           enable = lib.mkEnableOption "Cachix Watch Store: https://docs.cachix.org";

     

       21
       18
        
       

     

       22
       22
       -
           cacheName = mkOption {

     

       23
       23
       -
             type = types.str;

     

       19
       19
       +
           cacheName = lib.mkOption {

     

       20
       20
       +
             type = lib.types.str;

     

       24
       21
        
             description = "Cachix binary cache name";

     

       25
       22
        
           };

     

       26
       23
        
       

     

       27
       27
       -
           cachixTokenFile = mkOption {

     

       28
       28
       -
             type = types.path;

     

       24
       24
       +
           cachixTokenFile = lib.mkOption {

     

       25
       25
       +
             type = lib.types.path;

     

       29
       26
        
             description = ''

     

       30
       27
        
               Required file that needs to contain the cachix auth token.

     

       31
       28
        
             '';

     

       32
       29
        
           };

     

       33
       30
        
       

     

       34
       34
       -
           signingKeyFile = mkOption {

     

       35
       35
       -
             type = types.nullOr types.path;

     

       31
       31
       +
           signingKeyFile = lib.mkOption {

     

       32
       32
       +
             type = lib.types.nullOr lib.types.path;

     

       36
       33
        
             description = ''

     

       37
       34
        
               Optional file containing a self-managed signing key to sign uploaded store paths.

     

       38
       35
        
             '';

     

       39
       36
        
             default = null;

     

       40
       37
        
           };

     

       41
       38
        
       

     

       42
       42
       -
           compressionLevel = mkOption {

     

       43
       43
       -
             type = types.nullOr types.int;

     

       39
       39
       +
           compressionLevel = lib.mkOption {

     

       40
       40
       +
             type = lib.types.nullOr lib.types.int;

     

       44
       41
        
             description = "The compression level for ZSTD compression (between 0 and 16)";

     

       45
       42
        
             default = null;

     

       46
       43
        
           };

     

       47
       44
        
       

     

       48
       48
       -
           jobs = mkOption {

     

       49
       49
       -
             type = types.nullOr types.int;

     

       45
       45
       +
           jobs = lib.mkOption {

     

       46
       46
       +
             type = lib.types.nullOr lib.types.int;

     

       50
       47
        
             description = "Number of threads used for pushing store paths";

     

       51
       48
        
             default = null;

     

       52
       49
        
           };

     

       53
       50
        
       

     

       54
       54
       -
           host = mkOption {

     

       55
       55
       -
             type = types.nullOr types.str;

     

       51
       51
       +
           host = lib.mkOption {

     

       52
       52
       +
             type = lib.types.nullOr lib.types.str;

     

       56
       53
        
             default = null;

     

       57
       54
        
             description = "Cachix host to connect to";

     

       58
       55
        
           };

     

       59
       56
        
       

     

       60
       60
       -
           verbose = mkOption {

     

       61
       61
       -
             type = types.bool;

     

       57
       57
       +
           verbose = lib.mkOption {

     

       58
       58
       +
             type = lib.types.bool;

     

       62
       59
        
             description = "Enable verbose output";

     

       63
       60
        
             default = false;

     

       64
       61
        
           };

     

       65
       62
        
       

     

       66
       66
       -
           package = mkPackageOption pkgs "cachix" { };

     

       63
       63
       +
           package = lib.mkPackageOption pkgs "cachix" { };

     

       67
       64
        
         };

     

       68
       65
        
       

     

       69
       69
       -
         config = mkIf cfg.enable {

     

       66
       66
       +
         config = lib.mkIf cfg.enable {

     

       70
       67
        
           systemd.services.cachix-watch-store-agent = {

     

       71
       68
        
             description = "Cachix watch store Agent";

     

       72
       69
        
             wants = [ "network-online.target" ];

+29 -32

nixos/modules/services/system/cloud-init.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.cloud-init;

     

       12
       9
        
         path =

     
···

       31
       28
        
       {

     

       32
       29
        
         options = {

     

       33
       30
        
           services.cloud-init = {

     

       34
       34
       -
             enable = mkOption {

     

       35
       35
       -
               type = types.bool;

     

       31
       31
       +
             enable = lib.mkOption {

     

       32
       32
       +
               type = lib.types.bool;

     

       36
       33
        
               default = false;

     

       37
       34
        
               description = ''

     

       38
       35
        
                 Enable the cloud-init service. This services reads

     
···

       50
       47
        
               '';

     

       51
       48
        
             };

     

       52
       49
        
       

     

       53
       53
       -
             btrfs.enable = mkOption {

     

       54
       54
       -
               type = types.bool;

     

       50
       50
       +
             btrfs.enable = lib.mkOption {

     

       51
       51
       +
               type = lib.types.bool;

     

       55
       52
        
               default = hasFs "btrfs";

     

       56
       56
       -
               defaultText = literalExpression ''hasFs "btrfs"'';

     

       53
       53
       +
               defaultText = lib.literalExpression ''hasFs "btrfs"'';

     

       57
       54
        
               description = ''

     

       58
       55
        
                 Allow the cloud-init service to operate `btrfs` filesystem.

     

       59
       56
        
               '';

     

       60
       57
        
             };

     

       61
       58
        
       

     

       62
       62
       -
             ext4.enable = mkOption {

     

       63
       63
       -
               type = types.bool;

     

       59
       59
       +
             ext4.enable = lib.mkOption {

     

       60
       60
       +
               type = lib.types.bool;

     

       64
       61
        
               default = hasFs "ext4";

     

       65
       65
       -
               defaultText = literalExpression ''hasFs "ext4"'';

     

       62
       62
       +
               defaultText = lib.literalExpression ''hasFs "ext4"'';

     

       66
       63
        
               description = ''

     

       67
       64
        
                 Allow the cloud-init service to operate `ext4` filesystem.

     

       68
       65
        
               '';

     

       69
       66
        
             };

     

       70
       67
        
       

     

       71
       71
       -
             xfs.enable = mkOption {

     

       72
       72
       -
               type = types.bool;

     

       68
       68
       +
             xfs.enable = lib.mkOption {

     

       69
       69
       +
               type = lib.types.bool;

     

       73
       70
        
               default = hasFs "xfs";

     

       74
       74
       -
               defaultText = literalExpression ''hasFs "xfs"'';

     

       71
       71
       +
               defaultText = lib.literalExpression ''hasFs "xfs"'';

     

       75
       72
        
               description = ''

     

       76
       73
        
                 Allow the cloud-init service to operate `xfs` filesystem.

     

       77
       74
        
               '';

     

       78
       75
        
             };

     

       79
       76
        
       

     

       80
       80
       -
             network.enable = mkOption {

     

       81
       81
       -
               type = types.bool;

     

       77
       77
       +
             network.enable = lib.mkOption {

     

       78
       78
       +
               type = lib.types.bool;

     

       82
       79
        
               default = false;

     

       83
       80
        
               description = ''

     

       84
       81
        
                 Allow the cloud-init service to configure network interfaces

     
···

       86
       83
        
               '';

     

       87
       84
        
             };

     

       88
       85
        
       

     

       89
       89
       -
             extraPackages = mkOption {

     

       90
       90
       -
               type = types.listOf types.package;

     

       86
       86
       +
             extraPackages = lib.mkOption {

     

       87
       87
       +
               type = lib.types.listOf lib.types.package;

     

       91
       88
        
               default = [ ];

     

       92
       89
        
               description = ''

     

       93
       90
        
                 List of additional packages to be available within cloud-init jobs.

     

       94
       91
        
               '';

     

       95
       92
        
             };

     

       96
       93
        
       

     

       97
       97
       -
             settings = mkOption {

     

       94
       94
       +
             settings = lib.mkOption {

     

       98
       95
        
               description = ''

     

       99
       96
        
                 Structured cloud-init configuration.

     

       100
       97
        
               '';

     

       101
       101
       -
               type = types.submodule {

     

       98
       98
       +
               type = lib.types.submodule {

     

       102
       99
        
                 freeformType = settingsFormat.type;

     

       103
       100
        
               };

     

       104
       101
        
               default = { };

     

       105
       102
        
             };

     

       106
       103
        
       

     

       107
       107
       -
             config = mkOption {

     

       108
       108
       -
               type = types.str;

     

       104
       104
       +
             config = lib.mkOption {

     

       105
       105
       +
               type = lib.types.str;

     

       109
       106
        
               default = "";

     

       110
       107
        
               description = ''

     

       111
       108
        
                 raw cloud-init configuration.

     
···

       118
       115
        
       

     

       119
       116
        
         };

     

       120
       117
        
       

     

       121
       121
       -
         config = mkIf cfg.enable {

     

       118
       118
       +
         config = lib.mkIf cfg.enable {

     

       122
       119
        
           services.cloud-init.settings = {

     

       123
       123
       -
             system_info = mkDefault {

     

       120
       120
       +
             system_info = lib.mkDefault {

     

       124
       121
        
               distro = "nixos";

     

       125
       122
        
               network = {

     

       126
       123
        
                 renderers = [ "networkd" ];

     

       127
       124
        
               };

     

       128
       125
        
             };

     

       129
       126
        
       

     

       130
       130
       -
             users = mkDefault [ "root" ];

     

       131
       131
       -
             disable_root = mkDefault false;

     

       132
       132
       -
             preserve_hostname = mkDefault false;

     

       127
       127
       +
             users = lib.mkDefault [ "root" ];

     

       128
       128
       +
             disable_root = lib.mkDefault false;

     

       129
       129
       +
             preserve_hostname = lib.mkDefault false;

     

       133
       130
        
       

     

       134
       134
       -
             cloud_init_modules = mkDefault [

     

       131
       131
       +
             cloud_init_modules = lib.mkDefault [

     

       135
       132
        
               "migrator"

     

       136
       133
        
               "seed_random"

     

       137
       134
        
               "bootcmd"

     
···

       145
       142
        
               "users-groups"

     

       146
       143
        
             ];

     

       147
       144
        
       

     

       148
       148
       -
             cloud_config_modules = mkDefault [

     

       145
       145
       +
             cloud_config_modules = lib.mkDefault [

     

       149
       146
        
               "disk_setup"

     

       150
       147
        
               "mounts"

     

       151
       148
        
               "ssh-import-id"

     
···

       156
       153
        
               "ssh"

     

       157
       154
        
             ];

     

       158
       155
        
       

     

       159
       159
       -
             cloud_final_modules = mkDefault [

     

       156
       156
       +
             cloud_final_modules = lib.mkDefault [

     

       160
       157
        
               "rightscale_userdata"

     

       161
       158
        
               "scripts-vendor"

     

       162
       159
        
               "scripts-per-once"

     
···

       174
       171
        
           environment.etc."cloud/cloud.cfg" =

     

       175
       172
        
             if cfg.config == "" then { source = cfgfile; } else { text = cfg.config; };

     

       176
       173
        
       

     

       177
       177
       -
           systemd.network.enable = mkIf cfg.network.enable true;

     

       174
       174
       +
           systemd.network.enable = lib.mkIf cfg.network.enable true;

     

       178
       175
        
       

     

       179
       176
        
           systemd.services.cloud-init-local = {

     

       180
       177
        
             description = "Initial cloud-init job (pre-networking)";

     
···

       272
       269
        
           };

     

       273
       270
        
         };

     

       274
       271
        
       

     

       275
       275
       -
         meta.maintainers = [ maintainers.zimbatm ];

     

       272
       272
       +
         meta.maintainers = [ lib.maintainers.zimbatm ];

     

       276
       273
        
       }

+5 -8

nixos/modules/services/system/localtimed.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.localtimed;

     

       12
       9
        
       in

     
···

       15
       12
        
       

     

       16
       13
        
         options = {

     

       17
       14
        
           services.localtimed = {

     

       18
       18
       -
             enable = mkOption {

     

       19
       19
       -
               type = types.bool;

     

       15
       15
       +
             enable = lib.mkOption {

     

       16
       16
       +
               type = lib.types.bool;

     

       20
       17
        
               default = false;

     

       21
       18
        
               description = ''

     

       22
       19
        
                 Enable `localtimed`, a simple daemon for keeping the

     
···

       29
       26
        
                 to make the choice deliberate. An error will be presented otherwise.

     

       30
       27
        
               '';

     

       31
       28
        
             };

     

       32
       32
       -
             package = mkPackageOption pkgs "localtime" { };

     

       33
       33
       -
             geoclue2Package = mkPackageOption pkgs "Geoclue2" { default = "geoclue2-with-demo-agent"; };

     

       29
       29
       +
             package = lib.mkPackageOption pkgs "localtime" { };

     

       30
       30
       +
             geoclue2Package = lib.mkPackageOption pkgs "Geoclue2" { default = "geoclue2-with-demo-agent"; };

     

       34
       31
        
           };

     

       35
       32
        
         };

     

       36
       33
        
       

     

       37
       37
       -
         config = mkIf cfg.enable {

     

       34
       34
       +
         config = lib.mkIf cfg.enable {

     

       38
       35
        
           # This will give users an error if they have set an explicit time

     

       39
       36
        
           # zone, rather than having the service silently override it.

     

       40
       37
        
           time.timeZone = null;

+31 -35

nixos/modules/services/system/nix-daemon.nix

···

       1
       1
        
       /*

     

       2
       2
        
         Declares what makes the nix-daemon work on systemd.

     

       3
       3
       -
       

     

       4
       3
        
         See also

     

       5
       4
        
          - nixos/modules/config/nix.nix: the nix.conf

     

       6
       5
        
          - nixos/modules/config/nix-remote-build.nix: the nix.conf

     
···

       11
       10
        
         pkgs,

     

       12
       11
        
         ...

     

       13
       12
        
       }:

     

       14
       14
       -
       

     

       15
       15
       -
       with lib;

     

       16
       16
       -
       

     

       17
       13
        
       let

     

       18
       14
        
       

     

       19
       15
        
         cfg = config.nix;

     

       20
       16
        
       

     

       21
       17
        
         nixPackage = cfg.package.out;

     

       22
       18
        
       

     

       23
       23
       -
         isNixAtLeast = versionAtLeast (getVersion nixPackage);

     

       19
       19
       +
         isNixAtLeast = lib.versionAtLeast (lib.getVersion nixPackage);

     

       24
       20
        
       

     

       25
       21
        
         makeNixBuildUser = nr: {

     

       26
       22
        
           name = "nixbld${toString nr}";

     
···

       39
       35
        
           };

     

       40
       36
        
         };

     

       41
       37
        
       

     

       42
       42
       -
         nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers));

     

       38
       38
       +
         nixbldUsers = lib.listToAttrs (map makeNixBuildUser (lib.range 1 cfg.nrBuildUsers));

     

       43
       39
        
       

     

       44
       40
        
       in

     

       45
       41
        
       

     

       46
       42
        
       {

     

       47
       43
        
         imports = [

     

       48
       48
       -
           (mkRenamedOptionModuleWith {

     

       44
       44
       +
           (lib.mkRenamedOptionModuleWith {

     

       49
       45
        
             sinceRelease = 2205;

     

       50
       46
        
             from = [

     

       51
       47
        
               "nix"

     
···

       56
       52
        
               "daemonIOSchedPriority"

     

       57
       53
        
             ];

     

       58
       54
        
           })

     

       59
       59
       -
           (mkRenamedOptionModuleWith {

     

       55
       55
       +
           (lib.mkRenamedOptionModuleWith {

     

       60
       56
        
             sinceRelease = 2211;

     

       61
       57
        
             from = [

     

       62
       58
        
               "nix"

     
···

       67
       63
        
               "readOnlyNixStore"

     

       68
       64
        
             ];

     

       69
       65
        
           })

     

       70
       70
       -
           (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")

     

       66
       66
       +
           (lib.mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")

     

       71
       67
        
         ];

     

       72
       68
        
       

     

       73
       69
        
         ###### interface

     
···

       76
       72
        
       

     

       77
       73
        
           nix = {

     

       78
       74
        
       

     

       79
       79
       -
             enable = mkOption {

     

       80
       80
       -
               type = types.bool;

     

       75
       75
       +
             enable = lib.mkOption {

     

       76
       76
       +
               type = lib.types.bool;

     

       81
       77
        
               default = true;

     

       82
       78
        
               description = ''

     

       83
       79
        
                 Whether to enable Nix.

     
···

       85
       81
        
               '';

     

       86
       82
        
             };

     

       87
       83
        
       

     

       88
       88
       -
             package = mkOption {

     

       89
       89
       -
               type = types.package;

     

       84
       84
       +
             package = lib.mkOption {

     

       85
       85
       +
               type = lib.types.package;

     

       90
       86
        
               default = pkgs.nix;

     

       91
       91
       -
               defaultText = literalExpression "pkgs.nix";

     

       87
       87
       +
               defaultText = lib.literalExpression "pkgs.nix";

     

       92
       88
        
               description = ''

     

       93
       89
        
                 This option specifies the Nix package instance to use throughout the system.

     

       94
       90
        
               '';

     

       95
       91
        
             };

     

       96
       92
        
       

     

       97
       97
       -
             daemonCPUSchedPolicy = mkOption {

     

       98
       98
       -
               type = types.enum [

     

       93
       93
       +
             daemonCPUSchedPolicy = lib.mkOption {

     

       94
       94
       +
               type = lib.types.enum [

     

       99
       95
        
                 "other"

     

       100
       96
        
                 "batch"

     

       101
       97
        
                 "idle"

     
···

       128
       124
        
               '';

     

       129
       125
        
             };

     

       130
       126
        
       

     

       131
       131
       -
             daemonIOSchedClass = mkOption {

     

       132
       132
       -
               type = types.enum [

     

       127
       127
       +
             daemonIOSchedClass = lib.mkOption {

     

       128
       128
       +
               type = lib.types.enum [

     

       133
       129
        
                 "best-effort"

     

       134
       130
        
                 "idle"

     

       135
       131
        
               ];

     
···

       154
       150
        
               '';

     

       155
       151
        
             };

     

       156
       152
        
       

     

       157
       157
       -
             daemonIOSchedPriority = mkOption {

     

       158
       158
       -
               type = types.int;

     

       153
       153
       +
             daemonIOSchedPriority = lib.mkOption {

     

       154
       154
       +
               type = lib.types.int;

     

       159
       155
        
               default = 4;

     

       160
       156
        
               example = 1;

     

       161
       157
        
               description = ''

     
···

       168
       164
        
             };

     

       169
       165
        
       

     

       170
       166
        
             # Environment variables for running Nix.

     

       171
       171
       -
             envVars = mkOption {

     

       172
       172
       -
               type = types.attrs;

     

       167
       167
       +
             envVars = lib.mkOption {

     

       168
       168
       +
               type = lib.types.attrs;

     

       173
       169
        
               internal = true;

     

       174
       170
        
               default = { };

     

       175
       171
        
               description = "Environment variables used by Nix.";

     

       176
       172
        
             };

     

       177
       173
        
       

     

       178
       178
       -
             nrBuildUsers = mkOption {

     

       179
       179
       -
               type = types.int;

     

       174
       174
       +
             nrBuildUsers = lib.mkOption {

     

       175
       175
       +
               type = lib.types.int;

     

       180
       176
        
               description = ''

     

       181
       177
        
                 Number of `nixbld` user accounts created to

     

       182
       178
        
                 perform secure concurrent builds.  If you receive an error

     
···

       189
       185
        
       

     

       190
       186
        
         ###### implementation

     

       191
       187
        
       

     

       192
       192
       -
         config = mkIf cfg.enable {

     

       188
       188
       +
         config = lib.mkIf cfg.enable {

     

       193
       189
        
           environment.systemPackages = [

     

       194
       190
        
             nixPackage

     

       195
       191
        
             pkgs.nix-info

     

       196
       196
       -
           ] ++ optional (config.programs.bash.completion.enable) pkgs.nix-bash-completions;

     

       192
       192
       +
           ] ++ lib.optional (config.programs.bash.completion.enable) pkgs.nix-bash-completions;

     

       197
       193
        
       

     

       198
       194
        
           systemd.packages = [ nixPackage ];

     

       199
       195
        
       

     

       200
       200
       -
           systemd.tmpfiles = mkMerge [

     

       201
       201
       -
             (mkIf (isNixAtLeast "2.8") {

     

       196
       196
       +
           systemd.tmpfiles = lib.mkMerge [

     

       197
       197
       +
             (lib.mkIf (isNixAtLeast "2.8") {

     

       202
       198
        
               packages = [ nixPackage ];

     

       203
       199
        
             })

     

       204
       204
       -
             (mkIf (!isNixAtLeast "2.8") {

     

       200
       200
       +
             (lib.mkIf (!isNixAtLeast "2.8") {

     

       205
       201
        
               rules = [

     

       206
       202
        
                 "d /nix/var/nix/daemon-socket 0755 root root - -"

     

       207
       203
        
               ];

     
···

       215
       211
        
               nixPackage

     

       216
       212
        
               pkgs.util-linux

     

       217
       213
        
               config.programs.ssh.package

     

       218
       218
       -
             ] ++ optionals cfg.distributedBuilds [ pkgs.gzip ];

     

       214
       214
       +
             ] ++ lib.optionals cfg.distributedBuilds [ pkgs.gzip ];

     

       219
       215
        
       

     

       220
       216
        
             environment =

     

       221
       217
        
               cfg.envVars

     
···

       274
       270
        
           # Set up the environment variables for running Nix.

     

       275
       271
        
           environment.sessionVariables = cfg.envVars;

     

       276
       272
        
       

     

       277
       277
       -
           nix.nrBuildUsers = mkDefault (

     

       273
       273
       +
           nix.nrBuildUsers = lib.mkDefault (

     

       278
       274
        
             if cfg.settings.auto-allocate-uids or false then

     

       279
       275
        
               0

     

       280
       276
        
             else

     

       281
       281
       -
               max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)

     

       277
       277
       +
               lib.max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs)

     

       282
       278
        
           );

     

       283
       279
        
       

     

       284
       280
        
           users.users = nixbldUsers;

     

       285
       281
        
       

     

       286
       286
       -
           services.displayManager.hiddenUsers = attrNames nixbldUsers;

     

       282
       282
       +
           services.displayManager.hiddenUsers = lib.attrNames nixbldUsers;

     

       287
       283
        
       

     

       288
       284
        
           # Legacy configuration conversion.

     

       289
       289
       -
           nix.settings = mkMerge [

     

       290
       290
       -
             (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })

     

       285
       285
       +
           nix.settings = lib.mkMerge [

     

       286
       286
       +
             (lib.mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; })

     

       291
       287
        
           ];

     

       292
       288
        
       

     

       293
       289
        
         };

+14 -17

nixos/modules/services/system/nscd.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
       

     

       12
       9
        
         nssModulesPath = config.system.nssModules.path;

     
···

       22
       19
        
       

     

       23
       20
        
           services.nscd = {

     

       24
       21
        
       

     

       25
       25
       -
             enable = mkOption {

     

       26
       26
       -
               type = types.bool;

     

       22
       22
       +
             enable = lib.mkOption {

     

       23
       23
       +
               type = lib.types.bool;

     

       27
       24
        
               default = true;

     

       28
       25
        
               description = ''

     

       29
       26
        
                 Whether to enable the Name Service Cache Daemon.

     
···

       32
       29
        
               '';

     

       33
       30
        
             };

     

       34
       31
        
       

     

       35
       35
       -
             enableNsncd = mkOption {

     

       36
       36
       -
               type = types.bool;

     

       32
       32
       +
             enableNsncd = lib.mkOption {

     

       33
       33
       +
               type = lib.types.bool;

     

       37
       34
        
               default = true;

     

       38
       35
        
               description = ''

     

       39
       36
        
                 Whether to use nsncd instead of nscd from glibc.

     
···

       42
       39
        
               '';

     

       43
       40
        
             };

     

       44
       41
        
       

     

       45
       45
       -
             user = mkOption {

     

       46
       46
       -
               type = types.str;

     

       42
       42
       +
             user = lib.mkOption {

     

       43
       43
       +
               type = lib.types.str;

     

       47
       44
        
               default = "nscd";

     

       48
       45
        
               description = ''

     

       49
       46
        
                 User account under which nscd runs.

     

       50
       47
        
               '';

     

       51
       48
        
             };

     

       52
       49
        
       

     

       53
       53
       -
             group = mkOption {

     

       54
       54
       -
               type = types.str;

     

       50
       50
       +
             group = lib.mkOption {

     

       51
       51
       +
               type = lib.types.str;

     

       55
       52
        
               default = "nscd";

     

       56
       53
        
               description = ''

     

       57
       54
        
                 User group under which nscd runs.

     

       58
       55
        
               '';

     

       59
       56
        
             };

     

       60
       57
        
       

     

       61
       61
       -
             config = mkOption {

     

       62
       62
       -
               type = types.lines;

     

       58
       58
       +
             config = lib.mkOption {

     

       59
       59
       +
               type = lib.types.lines;

     

       63
       60
        
               default = builtins.readFile ./nscd.conf;

     

       64
       61
        
               description = ''

     

       65
       62
        
                 Configuration to use for Name Service Cache Daemon.

     
···

       67
       64
        
               '';

     

       68
       65
        
             };

     

       69
       66
        
       

     

       70
       70
       -
             package = mkOption {

     

       71
       71
       -
               type = types.package;

     

       67
       67
       +
             package = lib.mkOption {

     

       68
       68
       +
               type = lib.types.package;

     

       72
       69
        
               default =

     

       73
       70
        
                 if pkgs.stdenv.hostPlatform.libc == "glibc" then pkgs.stdenv.cc.libc.bin else pkgs.glibc.bin;

     

       74
       71
        
               defaultText = lib.literalExpression ''

     
···

       88
       85
        
       

     

       89
       86
        
         ###### implementation

     

       90
       87
        
       

     

       91
       91
       -
         config = mkIf cfg.enable {

     

       88
       88
       +
         config = lib.mkIf cfg.enable {

     

       92
       89
        
           environment.etc."nscd.conf".text = cfg.config;

     

       93
       90
        
       

     

       94
       91
        
           users.users.${cfg.user} = {

     
···

       125
       122
        
                 config.environment.etc."nsswitch.conf".source

     

       126
       123
        
                 config.environment.etc."nscd.conf".source

     

       127
       124
        
               ]

     

       128
       128
       -
               ++ optionals config.users.mysql.enable [

     

       125
       125
       +
               ++ lib.optionals config.users.mysql.enable [

     

       129
       126
        
                 config.environment.etc."libnss-mysql.cfg".source

     

       130
       127
        
                 config.environment.etc."libnss-mysql-root.cfg".source

     

       131
       128
        
               ]

+7 -10

nixos/modules/services/system/saslauthd.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
       

     

       12
       9
        
         cfg = config.services.saslauthd;

     
···

       21
       18
        
       

     

       22
       19
        
           services.saslauthd = {

     

       23
       20
        
       

     

       24
       24
       -
             enable = mkEnableOption "saslauthd, the Cyrus SASL authentication daemon";

     

       21
       21
       +
             enable = lib.mkEnableOption "saslauthd, the Cyrus SASL authentication daemon";

     

       25
       22
        
       

     

       26
       26
       -
             package = mkPackageOption pkgs [ "cyrus_sasl" "bin" ] { };

     

       23
       23
       +
             package = lib.mkPackageOption pkgs [ "cyrus_sasl" "bin" ] { };

     

       27
       24
        
       

     

       28
       28
       -
             mechanism = mkOption {

     

       29
       29
       -
               type = types.str;

     

       25
       25
       +
             mechanism = lib.mkOption {

     

       26
       26
       +
               type = lib.types.str;

     

       30
       27
        
               default = "pam";

     

       31
       28
        
               description = "Auth mechanism to use";

     

       32
       29
        
             };

     

       33
       30
        
       

     

       34
       34
       -
             config = mkOption {

     

       35
       35
       -
               type = types.lines;

     

       31
       31
       +
             config = lib.mkOption {

     

       32
       32
       +
               type = lib.types.lines;

     

       36
       33
        
               default = "";

     

       37
       34
        
               description = "Configuration to use for Cyrus SASL authentication daemon.";

     

       38
       35
        
             };

     
···

       43
       40
        
       

     

       44
       41
        
         ###### implementation

     

       45
       42
        
       

     

       46
       46
       -
         config = mkIf cfg.enable {

     

       43
       43
       +
         config = lib.mkIf cfg.enable {

     

       47
       44
        
       

     

       48
       45
        
           systemd.services.saslauthd = {

     

       49
       46
        
             description = "Cyrus SASL authentication daemon";

+3 -6

nixos/modules/services/system/uptimed.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.uptimed;

     

       12
       9
        
         stateDir = "/var/lib/uptimed";

     
···

       14
       11
        
       {

     

       15
       12
        
         options = {

     

       16
       13
        
           services.uptimed = {

     

       17
       17
       -
             enable = mkOption {

     

       18
       18
       -
               type = types.bool;

     

       14
       14
       +
             enable = lib.mkOption {

     

       15
       15
       +
               type = lib.types.bool;

     

       19
       16
        
               default = false;

     

       20
       17
        
               description = ''

     

       21
       18
        
                 Enable `uptimed`, allowing you to track

     
···

       25
       22
        
           };

     

       26
       23
        
         };

     

       27
       24
        
       

     

       28
       28
       -
         config = mkIf cfg.enable {

     

       25
       25
       +
         config = lib.mkIf cfg.enable {

     

       29
       26
        
       

     

       30
       27
        
           environment.systemPackages = [ pkgs.uptimed ];

     

       31
       28

+43 -46

nixos/modules/services/torrent/deluge.nix

···

       1
       1
        
       { config, lib, pkgs, ... }:

     

       2
       2
       -
       

     

       3
       3
       -
       with lib;

     

       4
       4
       -
       

     

       5
       2
        
       let

     

       6
       3
        
         cfg = config.services.deluge;

     

       7
       4
        
         cfg_web = config.services.deluge.web;

     

       8
       8
       -
         isDeluge1 = versionOlder cfg.package.version "2.0.0";

     

       5
       5
       +
         isDeluge1 = lib.versionOlder cfg.package.version "2.0.0";

     

       9
       6
        
       

     

       10
       7
        
         openFilesLimit = 4096;

     

       11
       8
        
         listenPortsDefault = [ 6881 6889 ];

     

       12
       9
        
       

     

       13
       13
       -
         listToRange = x: { from = elemAt x 0; to = elemAt x 1; };

     

       10
       10
       +
         listToRange = x: { from = lib.elemAt x 0; to = lib.elemAt x 1; };

     

       14
       11
        
       

     

       15
       12
        
         configDir = "${cfg.dataDir}/.config/deluge";

     

       16
       13
        
         configFile = pkgs.writeText "core.conf" (builtins.toJSON cfg.config);

     
···

       37
       34
        
         options = {

     

       38
       35
        
           services = {

     

       39
       36
        
             deluge = {

     

       40
       40
       -
               enable = mkEnableOption "Deluge daemon";

     

       37
       37
       +
               enable = lib.mkEnableOption "Deluge daemon";

     

       41
       38
        
       

     

       42
       42
       -
               openFilesLimit = mkOption {

     

       39
       39
       +
               openFilesLimit = lib.mkOption {

     

       43
       40
        
                 default = openFilesLimit;

     

       44
       44
       -
                 type = types.either types.int types.str;

     

       41
       41
       +
                 type = lib.types.either lib.types.int lib.types.str;

     

       45
       42
        
                 description = ''

     

       46
       43
        
                   Number of files to allow deluged to open.

     

       47
       44
        
                 '';

     

       48
       45
        
               };

     

       49
       46
        
       

     

       50
       50
       -
               config = mkOption {

     

       51
       51
       -
                 type = types.attrs;

     

       47
       47
       +
               config = lib.mkOption {

     

       48
       48
       +
                 type = lib.types.attrs;

     

       52
       49
        
                 default = {};

     

       53
       53
       -
                 example = literalExpression ''

     

       50
       50
       +
                 example = lib.literalExpression ''

     

       54
       51
        
                   {

     

       55
       52
        
                     download_location = "/srv/torrents/";

     

       56
       53
        
                     max_upload_speed = "1000.0";

     
···

       70
       67
        
                 '';

     

       71
       68
        
               };

     

       72
       69
        
       

     

       73
       73
       -
               declarative = mkOption {

     

       74
       74
       -
                 type = types.bool;

     

       70
       70
       +
               declarative = lib.mkOption {

     

       71
       71
       +
                 type = lib.types.bool;

     

       75
       72
        
                 default = false;

     

       76
       73
        
                 description = ''

     

       77
       74
        
                   Whether to use a declarative deluge configuration.

     
···

       83
       80
        
                 '';

     

       84
       81
        
               };

     

       85
       82
        
       

     

       86
       86
       -
               openFirewall = mkOption {

     

       83
       83
       +
               openFirewall = lib.mkOption {

     

       87
       84
        
                 default = false;

     

       88
       88
       -
                 type = types.bool;

     

       85
       85
       +
                 type = lib.types.bool;

     

       89
       86
        
                 description = ''

     

       90
       87
        
                   Whether to open the firewall for the ports in

     

       91
       88
        
                   {option}`services.deluge.config.listen_ports`. It only takes effet if

     
···

       99
       96
        
                 '';

     

       100
       97
        
               };

     

       101
       98
        
       

     

       102
       102
       -
               dataDir = mkOption {

     

       103
       103
       -
                 type = types.path;

     

       99
       99
       +
               dataDir = lib.mkOption {

     

       100
       100
       +
                 type = lib.types.path;

     

       104
       101
        
                 default = "/var/lib/deluge";

     

       105
       102
        
                 description = ''

     

       106
       103
        
                   The directory where deluge will create files.

     

       107
       104
        
                 '';

     

       108
       105
        
               };

     

       109
       106
        
       

     

       110
       110
       -
               authFile = mkOption {

     

       111
       111
       -
                 type = types.path;

     

       107
       107
       +
               authFile = lib.mkOption {

     

       108
       108
       +
                 type = lib.types.path;

     

       112
       109
        
                 example = "/run/keys/deluge-auth";

     

       113
       110
        
                 description = ''

     

       114
       111
        
                   The file managing the authentication for deluge, the format of this

     
···

       121
       118
        
                 '';

     

       122
       119
        
               };

     

       123
       120
        
       

     

       124
       124
       -
               user = mkOption {

     

       125
       125
       -
                 type = types.str;

     

       121
       121
       +
               user = lib.mkOption {

     

       122
       122
       +
                 type = lib.types.str;

     

       126
       123
        
                 default = "deluge";

     

       127
       124
        
                 description = ''

     

       128
       125
        
                   User account under which deluge runs.

     

       129
       126
        
                 '';

     

       130
       127
        
               };

     

       131
       128
        
       

     

       132
       132
       -
               group = mkOption {

     

       133
       133
       -
                 type = types.str;

     

       129
       129
       +
               group = lib.mkOption {

     

       130
       130
       +
                 type = lib.types.str;

     

       134
       131
        
                 default = "deluge";

     

       135
       132
        
                 description = ''

     

       136
       133
        
                   Group under which deluge runs.

     

       137
       134
        
                 '';

     

       138
       135
        
               };

     

       139
       136
        
       

     

       140
       140
       -
               extraPackages = mkOption {

     

       141
       141
       -
                 type = types.listOf types.package;

     

       137
       137
       +
               extraPackages = lib.mkOption {

     

       138
       138
       +
                 type = lib.types.listOf lib.types.package;

     

       142
       139
        
                 default = [];

     

       143
       140
        
                 description = ''

     

       144
       141
        
                   Extra packages available at runtime to enable Deluge's plugins. For example,

     
···

       147
       144
        
                 '';

     

       148
       145
        
               };

     

       149
       146
        
       

     

       150
       150
       -
               package = mkPackageOption pkgs "deluge-2_x" { };

     

       147
       147
       +
               package = lib.mkPackageOption pkgs "deluge-2_x" { };

     

       151
       148
        
             };

     

       152
       149
        
       

     

       153
       150
        
             deluge.web = {

     

       154
       154
       -
               enable = mkEnableOption "Deluge Web daemon";

     

       151
       151
       +
               enable = lib.mkEnableOption "Deluge Web daemon";

     

       155
       152
        
       

     

       156
       156
       -
               port = mkOption {

     

       157
       157
       -
                 type = types.port;

     

       153
       153
       +
               port = lib.mkOption {

     

       154
       154
       +
                 type = lib.types.port;

     

       158
       155
        
                 default = 8112;

     

       159
       156
        
                 description = ''

     

       160
       157
        
                   Deluge web UI port.

     

       161
       158
        
                 '';

     

       162
       159
        
               };

     

       163
       160
        
       

     

       164
       164
       -
               openFirewall = mkOption {

     

       165
       165
       -
                 type = types.bool;

     

       161
       161
       +
               openFirewall = lib.mkOption {

     

       162
       162
       +
                 type = lib.types.bool;

     

       166
       163
        
                 default = false;

     

       167
       164
        
                 description = ''

     

       168
       165
        
                   Open ports in the firewall for deluge web daemon

     
···

       172
       169
        
           };

     

       173
       170
        
         };

     

       174
       171
        
       

     

       175
       175
       -
         config = mkIf cfg.enable {

     

       172
       172
       +
         config = lib.mkIf cfg.enable {

     

       176
       173
        
       

     

       177
       177
       -
           services.deluge.package = mkDefault (

     

       178
       178
       -
             if versionAtLeast config.system.stateVersion "20.09" then

     

       174
       174
       +
           services.deluge.package = lib.mkDefault (

     

       175
       175
       +
             if lib.versionAtLeast config.system.stateVersion "20.09" then

     

       179
       176
        
               pkgs.deluge-2_x

     

       180
       177
        
             else

     

       181
       178
        
               # deluge-1_x is no longer packaged and this will resolve to an error

     
···

       201
       198
        
             "${cfg.dataDir}/.config".d = defaultConfig;

     

       202
       199
        
             "${cfg.dataDir}/.config/deluge".d = defaultConfig;

     

       203
       200
        
           }

     

       204
       204
       -
           // optionalAttrs (cfg.config ? download_location) {

     

       201
       201
       +
           // lib.optionalAttrs (cfg.config ? download_location) {

     

       205
       202
        
             ${cfg.config.download_location}.d = defaultConfig;

     

       206
       203
        
           }

     

       207
       207
       -
           // optionalAttrs (cfg.config ? torrentfiles_location) {

     

       204
       204
       +
           // lib.optionalAttrs (cfg.config ? torrentfiles_location) {

     

       208
       205
        
             ${cfg.config.torrentfiles_location}.d = defaultConfig;

     

       209
       206
        
           }

     

       210
       210
       -
           // optionalAttrs (cfg.config ? move_completed_path) {

     

       207
       207
       +
           // lib.optionalAttrs (cfg.config ? move_completed_path) {

     

       211
       208
        
             ${cfg.config.move_completed_path}.d = defaultConfig;

     

       212
       209
        
           };

     

       213
       210
        
       

     
···

       233
       230
        
             preStart = preStart;

     

       234
       231
        
           };

     

       235
       232
        
       

     

       236
       236
       -
           systemd.services.delugeweb = mkIf cfg_web.enable {

     

       233
       233
       +
           systemd.services.delugeweb = lib.mkIf cfg_web.enable {

     

       237
       234
        
             after = [ "network.target" "deluged.service"];

     

       238
       235
        
             requires = [ "deluged.service" ];

     

       239
       236
        
             description = "Deluge BitTorrent WebUI";

     
···

       242
       239
        
             serviceConfig = {

     

       243
       240
        
               ExecStart = ''

     

       244
       241
        
                 ${cfg.package}/bin/deluge-web \

     

       245
       245
       -
                   ${optionalString (!isDeluge1) "--do-not-daemonize"} \

     

       242
       242
       +
                   ${lib.optionalString (!isDeluge1) "--do-not-daemonize"} \

     

       246
       243
        
                   --config ${configDir} \

     

       247
       244
        
                   --port ${toString cfg.web.port}

     

       248
       245
        
               '';

     
···

       251
       248
        
             };

     

       252
       249
        
           };

     

       253
       250
        
       

     

       254
       254
       -
           networking.firewall = mkMerge [

     

       255
       255
       -
             (mkIf (cfg.declarative && cfg.openFirewall && !(cfg.config.random_port or true)) {

     

       256
       256
       -
               allowedTCPPortRanges = singleton (listToRange (cfg.config.listen_ports or listenPortsDefault));

     

       257
       257
       -
               allowedUDPPortRanges = singleton (listToRange (cfg.config.listen_ports or listenPortsDefault));

     

       251
       251
       +
           networking.firewall = lib.mkMerge [

     

       252
       252
       +
             (lib.mkIf (cfg.declarative && cfg.openFirewall && !(cfg.config.random_port or true)) {

     

       253
       253
       +
               allowedTCPPortRanges = lib.singleton (listToRange (cfg.config.listen_ports or listenPortsDefault));

     

       254
       254
       +
               allowedUDPPortRanges = lib.singleton (listToRange (cfg.config.listen_ports or listenPortsDefault));

     

       258
       255
        
             })

     

       259
       259
       -
             (mkIf (cfg.web.openFirewall) {

     

       256
       256
       +
             (lib.mkIf (cfg.web.openFirewall) {

     

       260
       257
        
               allowedTCPPorts = [ cfg.web.port ];

     

       261
       258
        
             })

     

       262
       259
        
           ];

     

       263
       260
        
       

     

       264
       261
        
           environment.systemPackages = [ cfg.package ];

     

       265
       262
        
       

     

       266
       266
       -
           users.users = mkIf (cfg.user == "deluge") {

     

       263
       263
       +
           users.users = lib.mkIf (cfg.user == "deluge") {

     

       267
       264
        
             deluge = {

     

       268
       265
        
               group = cfg.group;

     

       269
       266
        
               uid = config.ids.uids.deluge;

     
···

       272
       269
        
             };

     

       273
       270
        
           };

     

       274
       271
        
       

     

       275
       275
       -
           users.groups = mkIf (cfg.group == "deluge") {

     

       272
       272
       +
           users.groups = lib.mkIf (cfg.group == "deluge") {

     

       276
       273
        
             deluge = {

     

       277
       274
        
               gid = config.ids.gids.deluge;

     

       278
       275
        
             };

+16 -19

nixos/modules/services/torrent/flexget.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.flexget;

     

       12
       9
        
         pkg = cfg.package;

     

       13
       10
        
         ymlFile = pkgs.writeText "flexget.yml" ''

     

       14
       11
        
           ${cfg.config}

     

       15
       12
        
       

     

       16
       16
       -
           ${optionalString cfg.systemScheduler "schedules: no"}

     

       13
       13
       +
           ${lib.optionalString cfg.systemScheduler "schedules: no"}

     

       17
       14
        
         '';

     

       18
       15
        
         configFile = "${toString cfg.homeDir}/flexget.yml";

     

       19
       16
        
       in

     

       20
       17
        
       {

     

       21
       18
        
         options = {

     

       22
       19
        
           services.flexget = {

     

       23
       23
       -
             enable = mkEnableOption "FlexGet daemon";

     

       20
       20
       +
             enable = lib.mkEnableOption "FlexGet daemon";

     

       24
       21
        
       

     

       25
       25
       -
             package = mkPackageOption pkgs "flexget" { };

     

       22
       22
       +
             package = lib.mkPackageOption pkgs "flexget" { };

     

       26
       23
        
       

     

       27
       27
       -
             user = mkOption {

     

       24
       24
       +
             user = lib.mkOption {

     

       28
       25
        
               default = "deluge";

     

       29
       26
        
               example = "some_user";

     

       30
       30
       -
               type = types.str;

     

       27
       27
       +
               type = lib.types.str;

     

       31
       28
        
               description = "The user under which to run flexget.";

     

       32
       29
        
             };

     

       33
       30
        
       

     

       34
       34
       -
             homeDir = mkOption {

     

       31
       31
       +
             homeDir = lib.mkOption {

     

       35
       32
        
               default = "/var/lib/deluge";

     

       36
       33
        
               example = "/home/flexget";

     

       37
       37
       -
               type = types.path;

     

       34
       34
       +
               type = lib.types.path;

     

       38
       35
        
               description = "Where files live.";

     

       39
       36
        
             };

     

       40
       37
        
       

     

       41
       41
       -
             interval = mkOption {

     

       38
       38
       +
             interval = lib.mkOption {

     

       42
       39
        
               default = "10m";

     

       43
       40
        
               example = "1h";

     

       44
       44
       -
               type = types.str;

     

       41
       41
       +
               type = lib.types.str;

     

       45
       42
        
               description = "When to perform a {command}`flexget` run. See {command}`man 7 systemd.time` for the format.";

     

       46
       43
        
             };

     

       47
       44
        
       

     

       48
       48
       -
             systemScheduler = mkOption {

     

       45
       45
       +
             systemScheduler = lib.mkOption {

     

       49
       46
        
               default = true;

     

       50
       47
        
               example = false;

     

       51
       51
       -
               type = types.bool;

     

       48
       48
       +
               type = lib.types.bool;

     

       52
       49
        
               description = "When true, execute the runs via the flexget-runner.timer. If false, you have to specify the settings yourself in the YML file.";

     

       53
       50
        
             };

     

       54
       51
        
       

     

       55
       55
       -
             config = mkOption {

     

       52
       52
       +
             config = lib.mkOption {

     

       56
       53
        
               default = "";

     

       57
       57
       -
               type = types.lines;

     

       54
       54
       +
               type = lib.types.lines;

     

       58
       55
        
               description = "The YAML configuration for FlexGet.";

     

       59
       56
        
             };

     

       60
       57
        
           };

     

       61
       58
        
         };

     

       62
       59
        
       

     

       63
       63
       -
         config = mkIf cfg.enable {

     

       60
       60
       +
         config = lib.mkIf cfg.enable {

     

       64
       61
        
       

     

       65
       62
        
           environment.systemPackages = [ pkg ];

     

       66
       63
        
       

     
···

       81
       78
        
               wantedBy = [ "multi-user.target" ];

     

       82
       79
        
             };

     

       83
       80
        
       

     

       84
       84
       -
             flexget-runner = mkIf cfg.systemScheduler {

     

       81
       81
       +
             flexget-runner = lib.mkIf cfg.systemScheduler {

     

       85
       82
        
               description = "FlexGet Runner";

     

       86
       83
        
               after = [ "flexget.service" ];

     

       87
       84
        
               wants = [ "flexget.service" ];

     
···

       94
       91
        
             };

     

       95
       92
        
           };

     

       96
       93
        
       

     

       97
       97
       -
           systemd.timers.flexget-runner = mkIf cfg.systemScheduler {

     

       94
       94
       +
           systemd.timers.flexget-runner = lib.mkIf cfg.systemScheduler {

     

       98
       95
        
             description = "Run FlexGet every ${cfg.interval}";

     

       99
       96
        
             wantedBy = [ "timers.target" ];

     

       100
       97
        
             timerConfig = {

+23 -26

nixos/modules/services/torrent/magnetico.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       9
       -
       

     

       10
       7
        
       let

     

       11
       8
        
         cfg = config.services.magnetico;

     

       12
       9
        
       

     
···

       22
       19
        
             );

     

       23
       20
        
       

     

       24
       21
        
         # default options in magneticod/main.go

     

       25
       25
       -
         dbURI = concatStrings [

     

       22
       22
       +
         dbURI = lib.concatStrings [

     

       26
       23
        
           "sqlite3://${dataDir}/database.sqlite3"

     

       27
       24
        
           "?_journal_mode=WAL"

     

       28
       25
        
           "&_busy_timeout=3000"

     
···

       63
       60
        
         ###### interface

     

       64
       61
        
       

     

       65
       62
        
         options.services.magnetico = {

     

       66
       66
       -
           enable = mkEnableOption "Magnetico, Bittorrent DHT crawler";

     

       63
       63
       +
           enable = lib.mkEnableOption "Magnetico, Bittorrent DHT crawler";

     

       67
       64
        
       

     

       68
       68
       -
           crawler.address = mkOption {

     

       69
       69
       -
             type = types.str;

     

       65
       65
       +
           crawler.address = lib.mkOption {

     

       66
       66
       +
             type = lib.types.str;

     

       70
       67
        
             default = "0.0.0.0";

     

       71
       68
        
             example = "1.2.3.4";

     

       72
       69
        
             description = ''

     
···

       74
       71
        
             '';

     

       75
       72
        
           };

     

       76
       73
        
       

     

       77
       77
       -
           crawler.port = mkOption {

     

       78
       78
       -
             type = types.port;

     

       74
       74
       +
           crawler.port = lib.mkOption {

     

       75
       75
       +
             type = lib.types.port;

     

       79
       76
        
             default = 0;

     

       80
       77
        
             description = ''

     

       81
       78
        
               Port to be used for indexing DHT nodes.

     
···

       84
       81
        
             '';

     

       85
       82
        
           };

     

       86
       83
        
       

     

       87
       87
       -
           crawler.maxNeighbors = mkOption {

     

       88
       88
       -
             type = types.ints.positive;

     

       84
       84
       +
           crawler.maxNeighbors = lib.mkOption {

     

       85
       85
       +
             type = lib.types.ints.positive;

     

       89
       86
        
             default = 1000;

     

       90
       87
        
             description = ''

     

       91
       88
        
               Maximum number of simultaneous neighbors of an indexer.

     
···

       95
       92
        
             '';

     

       96
       93
        
           };

     

       97
       94
        
       

     

       98
       98
       -
           crawler.maxLeeches = mkOption {

     

       99
       99
       -
             type = types.ints.positive;

     

       95
       95
       +
           crawler.maxLeeches = lib.mkOption {

     

       96
       96
       +
             type = lib.types.ints.positive;

     

       100
       97
        
             default = 200;

     

       101
       98
        
             description = ''

     

       102
       99
        
               Maximum number of simultaneous leeches.

     

       103
       100
        
             '';

     

       104
       101
        
           };

     

       105
       102
        
       

     

       106
       106
       -
           crawler.extraOptions = mkOption {

     

       107
       107
       -
             type = types.listOf types.str;

     

       103
       103
       +
           crawler.extraOptions = lib.mkOption {

     

       104
       104
       +
             type = lib.types.listOf lib.types.str;

     

       108
       105
        
             default = [ ];

     

       109
       106
        
             description = ''

     

       110
       107
        
               Extra command line arguments to pass to magneticod.

     

       111
       108
        
             '';

     

       112
       109
        
           };

     

       113
       110
        
       

     

       114
       114
       -
           web.address = mkOption {

     

       115
       115
       -
             type = types.str;

     

       111
       111
       +
           web.address = lib.mkOption {

     

       112
       112
       +
             type = lib.types.str;

     

       116
       113
        
             default = "localhost";

     

       117
       114
        
             example = "1.2.3.4";

     

       118
       115
        
             description = ''

     
···

       120
       117
        
             '';

     

       121
       118
        
           };

     

       122
       119
        
       

     

       123
       123
       -
           web.port = mkOption {

     

       124
       124
       -
             type = types.port;

     

       120
       120
       +
           web.port = lib.mkOption {

     

       121
       121
       +
             type = lib.types.port;

     

       125
       122
        
             default = 8080;

     

       126
       123
        
             description = ''

     

       127
       124
        
               Port the web interface will listen to.

     

       128
       125
        
             '';

     

       129
       126
        
           };

     

       130
       127
        
       

     

       131
       131
       -
           web.credentials = mkOption {

     

       132
       132
       -
             type = types.attrsOf types.str;

     

       128
       128
       +
           web.credentials = lib.mkOption {

     

       129
       129
       +
             type = lib.types.attrsOf lib.types.str;

     

       133
       130
        
             default = { };

     

       134
       131
        
             example = lib.literalExpression ''

     

       135
       132
        
               {

     
···

       156
       153
        
             '';

     

       157
       154
        
           };

     

       158
       155
        
       

     

       159
       159
       -
           web.credentialsFile = mkOption {

     

       160
       160
       -
             type = types.nullOr types.path;

     

       156
       156
       +
           web.credentialsFile = lib.mkOption {

     

       157
       157
       +
             type = lib.types.nullOr lib.types.path;

     

       161
       158
        
             default = null;

     

       162
       159
        
             description = ''

     

       163
       160
        
               The path to the file holding the credentials to access the web

     
···

       174
       171
        
             '';

     

       175
       172
        
           };

     

       176
       173
        
       

     

       177
       177
       -
           web.extraOptions = mkOption {

     

       178
       178
       -
             type = types.listOf types.str;

     

       174
       174
       +
           web.extraOptions = lib.mkOption {

     

       175
       175
       +
             type = lib.types.listOf lib.types.str;

     

       179
       176
        
             default = [ ];

     

       180
       177
        
             description = ''

     

       181
       178
        
               Extra command line arguments to pass to magneticow.

     
···

       186
       183
        
       

     

       187
       184
        
         ###### implementation

     

       188
       185
        
       

     

       189
       189
       -
         config = mkIf cfg.enable {

     

       186
       186
       +
         config = lib.mkIf cfg.enable {

     

       190
       187
        
       

     

       191
       188
        
           users.users.magnetico = {

     

       192
       189
        
             description = "Magnetico daemons user";

+4 -6

nixos/modules/services/torrent/opentracker.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       with lib;

     

       9
       7
        
       let

     

       10
       8
        
         cfg = config.services.opentracker;

     

       11
       9
        
       in

     

       12
       10
        
       {

     

       13
       11
        
         options.services.opentracker = {

     

       14
       14
       -
           enable = mkEnableOption "opentracker";

     

       12
       12
       +
           enable = lib.mkEnableOption "opentracker";

     

       15
       13
        
       

     

       16
       16
       -
           package = mkPackageOption pkgs "opentracker" { };

     

       14
       14
       +
           package = lib.mkPackageOption pkgs "opentracker" { };

     

       17
       15
        
       

     

       18
       18
       -
           extraOptions = mkOption {

     

       19
       19
       -
             type = types.separatedString " ";

     

       16
       16
       +
           extraOptions = lib.mkOption {

     

       17
       17
       +
             type = lib.types.separatedString " ";

     

       20
       18
        
             description = ''

     

       21
       19
        
               Configuration Arguments for opentracker

     

       22
       20
        
               See https://erdgeist.org/arts/software/opentracker/ for all params

+8 -11

nixos/modules/services/torrent/peerflix.nix

···

       5
       5
        
         pkgs,

     

       6
       6
        
         ...

     

       7
       7
        
       }:

     

       8
       8
       -
       

     

       9
       9
       -
       with lib;

     

       10
       10
       -
       

     

       11
       8
        
       let

     

       12
       9
        
         cfg = config.services.peerflix;

     

       13
       10
        
         opt = options.services.peerflix;

     
···

       25
       22
        
         ###### interface

     

       26
       23
        
       

     

       27
       24
        
         options.services.peerflix = {

     

       28
       28
       -
           enable = mkOption {

     

       25
       25
       +
           enable = lib.mkOption {

     

       29
       26
        
             description = "Whether to enable peerflix service.";

     

       30
       27
        
             default = false;

     

       31
       31
       -
             type = types.bool;

     

       28
       28
       +
             type = lib.types.bool;

     

       32
       29
        
           };

     

       33
       30
        
       

     

       34
       34
       -
           stateDir = mkOption {

     

       31
       31
       +
           stateDir = lib.mkOption {

     

       35
       32
        
             description = "Peerflix state directory.";

     

       36
       33
        
             default = "/var/lib/peerflix";

     

       37
       37
       -
             type = types.path;

     

       34
       34
       +
             type = lib.types.path;

     

       38
       35
        
           };

     

       39
       36
        
       

     

       40
       40
       -
           downloadDir = mkOption {

     

       37
       37
       +
           downloadDir = lib.mkOption {

     

       41
       38
        
             description = "Peerflix temporary download directory.";

     

       42
       39
        
             default = "${cfg.stateDir}/torrents";

     

       43
       43
       -
             defaultText = literalExpression ''"''${config.${opt.stateDir}}/torrents"'';

     

       44
       44
       -
             type = types.path;

     

       40
       40
       +
             defaultText = lib.literalExpression ''"''${config.${opt.stateDir}}/torrents"'';

     

       41
       41
       +
             type = lib.types.path;

     

       45
       42
        
           };

     

       46
       43
        
         };

     

       47
       44
        
       

     

       48
       45
        
         ###### implementation

     

       49
       46
        
       

     

       50
       50
       -
         config = mkIf cfg.enable {

     

       47
       47
       +
         config = lib.mkIf cfg.enable {

     

       51
       48
        
           systemd.tmpfiles.rules = [

     

       52
       49
        
             "d '${cfg.stateDir}' - peerflix - - -"

     

       53
       50
        
           ];