pyrox.dev
+7
-10
nixos/modules/services/search/manticore.nix
+7
-10
nixos/modules/services/search/manticore.nix
··················
··················
+22
-25
nixos/modules/services/search/meilisearch.nix
+22
-25
nixos/modules/services/search/meilisearch.nix
···························
···························+EnvironmentFile = lib.mkIf (cfg.masterKeyEnvironmentFile != null) cfg.masterKeyEnvironmentFile;
+6
-9
nixos/modules/services/search/opensearch.nix
+6
-9
nixos/modules/services/search/opensearch.nix
··················
··················
+34
-36
nixos/modules/services/search/qdrant.nix
+34
-36
nixos/modules/services/search/qdrant.nix
······Refer to <https://github.com/qdrant/qdrant/blob/master/config/config.yaml> for details on supported values.······
······Refer to <https://github.com/qdrant/qdrant/blob/master/config/config.yaml> for details on supported values.······
+5
-8
nixos/modules/services/search/quickwit.nix
+5
-8
nixos/modules/services/search/quickwit.nix
··················
··················
+34
-37
nixos/modules/services/security/certmgr.nix
+34
-37
nixos/modules/services/security/certmgr.nix
······description = "How often to check certificate expirations and how often to update the cert_next_expires metric.";··················
······description = "How often to check certificate expirations and how often to update the cert_next_expires metric.";··················
+51
-54
nixos/modules/services/security/cfssl.nix
+51
-54
nixos/modules/services/security/cfssl.nix
·········description = "Path to configuration file. Do not put this in nix-store as it might contain secrets.";description = "Mutual TLS - client certificate to call remote instance requiring client certs.";description = "Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store.";·········
·········description = "Path to configuration file. Do not put this in nix-store as it might contain secrets.";description = "Mutual TLS - client certificate to call remote instance requiring client certs.";description = "Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store.";·········
+45
-46
nixos/modules/services/security/clamav.nix
+45
-46
nixos/modules/services/security/clamav.nix
······-(mkRemovedOptionModule [ "services" "clamav" "updater" "config" ] "Use services.clamav.updater.settings instead.")-(mkRemovedOptionModule [ "services" "clamav" "updater" "extraConfig" ] "Use services.clamav.updater.settings instead.")-(mkRemovedOptionModule [ "services" "clamav" "daemon" "extraConfig" ] "Use services.clamav.daemon.settings instead.")················································
······+(lib.mkRemovedOptionModule [ "services" "clamav" "updater" "config" ] "Use services.clamav.updater.settings instead.")+(lib.mkRemovedOptionModule [ "services" "clamav" "updater" "extraConfig" ] "Use services.clamav.updater.settings instead.")+(lib.mkRemovedOptionModule [ "services" "clamav" "daemon" "extraConfig" ] "Use services.clamav.daemon.settings instead.")················································
+18
-21
nixos/modules/services/security/endlessh-go.nix
+18
-21
nixos/modules/services/security/endlessh-go.nix
···························
···························
+10
-13
nixos/modules/services/security/endlessh.nix
+10
-13
nixos/modules/services/security/endlessh.nix
··················
··················
+74
-77
nixos/modules/services/security/fail2ban.nix
+74
-77
nixos/modules/services/security/fail2ban.nix
······"The extra default configuration can now be set using `services.fail2ban.jails.DEFAULT.settings`."······description = "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables).";···default = if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport";-defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"'';···default = if config.networking.nftables.enable then "nftables-allports" else "iptables-allports";-defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"'';shorewall, etc) for "allports" jails. It is used to define action_* variables. Can be overridden······"bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)"bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,······"bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding···························-ignoreip = ''127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP}'';···
······"The extra default configuration can now be set using `services.fail2ban.jails.DEFAULT.settings`."······description = "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables).";···default = if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport";+defaultText = lib.literalExpression ''if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"'';···default = if config.networking.nftables.enable then "nftables-allports" else "iptables-allports";+defaultText = lib.literalExpression ''if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"'';shorewall, etc) for "allports" jails. It is used to define action_* variables. Can be overridden······"bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)"bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,······"bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding·····················+warnings = lib.mkIf (!config.networking.firewall.enable && !config.networking.nftables.enable) [······+ignoreip = ''127.0.0.1/8 ${lib.optionalString config.networking.enableIPv6 "::1"} ${lib.concatStringsSep " " cfg.ignoreIP}'';···
+10
-13
nixos/modules/services/security/fprintd.nix
+10
-13
nixos/modules/services/security/fprintd.nix
······-defaultText = literalExpression "if config.services.fprintd.tod.enable then pkgs.fprintd-tod else pkgs.fprintd";·········
······+defaultText = lib.literalExpression "if config.services.fprintd.tod.enable then pkgs.fprintd-tod else pkgs.fprintd";·········
+23
-27
nixos/modules/services/security/haka.nix
+23
-27
nixos/modules/services/security/haka.nix
···············
···············
+4
-7
nixos/modules/services/security/haveged.nix
+4
-7
nixos/modules/services/security/haveged.nix
·········# https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
·········# https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
+7
-10
nixos/modules/services/security/hologram-agent.nix
+7
-10
nixos/modules/services/security/hologram-agent.nix
·········
·········
+31
-34
nixos/modules/services/security/hologram-server.nix
+31
-34
nixos/modules/services/security/hologram-server.nix
······
······
+5
-8
nixos/modules/services/security/infnoise.nix
+5
-8
nixos/modules/services/security/infnoise.nix
···SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
···SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
+4
-7
nixos/modules/services/security/munge.nix
+4
-7
nixos/modules/services/security/munge.nix
·········
·········
+5
-8
nixos/modules/services/security/nginx-sso.nix
+5
-8
nixos/modules/services/security/nginx-sso.nix
······
······
+39
-40
nixos/modules/services/security/opensnitch.nix
+39
-40
nixos/modules/services/security/opensnitch.nix
·································# pkg.opensnitch is referred to elsewhere in the module so we don't need to worry about it being garbage collected···"${pkgs.opensnitch}/bin/opensnitchd --config-file ${format.generate "default-config.json" cfg.settings}"···--not \( ${concatMapStringsSep " -o " ({ local, ... }: "-name '${baseNameOf local}*'") rules} \) \
·································# pkg.opensnitch is referred to elsewhere in the module so we don't need to worry about it being garbage collected···"${pkgs.opensnitch}/bin/opensnitchd --config-file ${format.generate "default-config.json" cfg.settings}"···
+4
-7
nixos/modules/services/security/pass-secret-service.nix
+4
-7
nixos/modules/services/security/pass-secret-service.nix
···
···
+53
-52
nixos/modules/services/security/physlock.nix
+53
-52
nixos/modules/services/security/physlock.nix
··················-++ optional (cfg.lockOn.hibernate || cfg.lockOn.suspend) "systemd-suspend-then-hibernate.service"-ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.muteKernelMessages "m"}${optionalString cfg.disableSysRq "s"}${
··················+ExecStart = "${pkgs.physlock}/bin/physlock -d${lib.optionalString cfg.muteKernelMessages "m"}${lib.optionalString cfg.disableSysRq "s"}${
+15
-18
nixos/modules/services/security/sks.nix
+15
-18
nixos/modules/services/security/sks.nix
··················
··················
+25
-28
nixos/modules/services/security/sshguard.nix
+25
-28
nixos/modules/services/security/sshguard.nix
·········Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.···············
·········Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.···············
+2
-5
nixos/modules/services/security/sslmate-agent.nix
+2
-5
nixos/modules/services/security/sslmate-agent.nix
······-enable = mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server";
······+enable = lib.mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server";
+9
-10
nixos/modules/services/security/tang.nix
+9
-10
nixos/modules/services/security/tang.nix
·········
·········
+145
-140
nixos/modules/services/security/tor.nix
+145
-140
nixos/modules/services/security/tor.nix
····································-(mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.")-(mkRenamedOptionModule [ "services" "tor" "relay" "port" ] [ "services" "tor" "settings" "ORPort" ])·························································options.ClientPreferIPv6DirPort = optionBool "ClientPreferIPv6DirPort"; # default is null and like "auto"options.ClientPreferIPv6ORPort = optionBool "ClientPreferIPv6ORPort"; # default is null and like "auto"·································
·····························································································options.ClientPreferIPv6DirPort = optionBool "ClientPreferIPv6DirPort"; # default is null and like "auto"options.ClientPreferIPv6ORPort = optionBool "ClientPreferIPv6ORPort"; # default is null and like "auto"·································
+9
-10
nixos/modules/services/security/torify.nix
+9
-10
nixos/modules/services/security/torify.nix
···············
···············
+19
-22
nixos/modules/services/security/torsocks.nix
+19
-22
nixos/modules/services/security/torsocks.nix
······-defaultText = literalExpression "config.services.tor.enable && config.services.tor.client.enable";··················environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ];
······+defaultText = lib.literalExpression "config.services.tor.enable && config.services.tor.client.enable";··················environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ];
+32
-34
nixos/modules/services/security/usbguard.nix
+32
-34
nixos/modules/services/security/usbguard.nix
··········································(lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false";···"The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d."
··········································(lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false";···"The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d."
+17
-20
nixos/modules/services/security/vault-agent.nix
+17
-20
nixos/modules/services/security/vault-agent.nix
···························
···························
+40
-41
nixos/modules/services/security/vault.nix
+40
-41
nixos/modules/services/security/vault.nix
·········++ lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"···In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.···if cfg.storageBackend == "file" || cfg.storageBackend == "raft" then "/var/lib/vault" else null;·········assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);······-] ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.···
·········++ lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"···In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.···if cfg.storageBackend == "file" || cfg.storageBackend == "raft" then "/var/lib/vault" else null;·········assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);······+++ lib.optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.···
+11
-13
nixos/modules/services/security/yubikey-agent.nix
+11
-13
nixos/modules/services/security/yubikey-agent.nix
·········-systemd.user.services.yubikey-agent = mkIf (config.programs.gnupg.agent.pinentryPackage != null) {
·········
+4
-7
nixos/modules/services/system/automatic-timezoned.nix
+4
-7
nixos/modules/services/system/automatic-timezoned.nix
······
······
+14
-17
nixos/modules/services/system/cachix-agent/default.nix
+14
-17
nixos/modules/services/system/cachix-agent/default.nix
············
············
+17
-20
nixos/modules/services/system/cachix-watch-store.nix
+17
-20
nixos/modules/services/system/cachix-watch-store.nix
······
······
+29
-32
nixos/modules/services/system/cloud-init.nix
+29
-32
nixos/modules/services/system/cloud-init.nix
···························
···························
+5
-8
nixos/modules/services/system/localtimed.nix
+5
-8
nixos/modules/services/system/localtimed.nix
·········
·········+geoclue2Package = lib.mkPackageOption pkgs "Geoclue2" { default = "geoclue2-with-demo-agent"; };
+31
-35
nixos/modules/services/system/nix-daemon.nix
+31
-35
nixos/modules/services/system/nix-daemon.nix
···············-(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")························
···············+(lib.mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")························
+14
-17
nixos/modules/services/system/nscd.nix
+14
-17
nixos/modules/services/system/nscd.nix
·····················
·····················
+7
-10
nixos/modules/services/system/saslauthd.nix
+7
-10
nixos/modules/services/system/saslauthd.nix
·········
·········
+3
-6
nixos/modules/services/system/uptimed.nix
+3
-6
nixos/modules/services/system/uptimed.nix
·········
·········
+43
-46
nixos/modules/services/torrent/deluge.nix
+43
-46
nixos/modules/services/torrent/deluge.nix
····································-allowedTCPPortRanges = singleton (listToRange (cfg.config.listen_ports or listenPortsDefault));-allowedUDPPortRanges = singleton (listToRange (cfg.config.listen_ports or listenPortsDefault));···
····································+allowedTCPPortRanges = lib.singleton (listToRange (cfg.config.listen_ports or listenPortsDefault));+allowedUDPPortRanges = lib.singleton (listToRange (cfg.config.listen_ports or listenPortsDefault));···
+16
-19
nixos/modules/services/torrent/flexget.nix
+16
-19
nixos/modules/services/torrent/flexget.nix
···description = "When to perform a {command}`flexget` run. See {command}`man 7 systemd.time` for the format.";description = "When true, execute the runs via the flexget-runner.timer. If false, you have to specify the settings yourself in the YML file.";······
···description = "When to perform a {command}`flexget` run. See {command}`man 7 systemd.time` for the format.";description = "When true, execute the runs via the flexget-runner.timer. If false, you have to specify the settings yourself in the YML file.";······
+23
-26
nixos/modules/services/torrent/magnetico.nix
+23
-26
nixos/modules/services/torrent/magnetico.nix
······························
······························
+4
-6
nixos/modules/services/torrent/opentracker.nix
+4
-6
nixos/modules/services/torrent/opentracker.nix
···
···
+8
-11
nixos/modules/services/torrent/peerflix.nix
+8
-11
nixos/modules/services/torrent/peerflix.nix
······
······