commit ff2d12d11defd4077fe2733861fa15984999f061 · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2505.section.md

···

       551
        
       

     

       552
        
       - hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes.

     

       553
        
       

     

       0
        
       
     

       0
        
       
     

       554
        
       - The Home Assistant module has new options {option}`services.home-assistant.blueprints.automation`, `services.home-assistant.blueprints.script`, and {option}`services.home-assistant.blueprints.template` that allow for the declarative installation of [blueprints](https://www.home-assistant.io/docs/blueprint/) into the appropriate configuration directories.

     

       555
        
       

     

       556
        
       - For matrix homeserver Synapse we are now following the upstream recommendation to enable jemalloc as the memory allocator by default.

···

       551
        
       

     

       552
        
       - hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes.

     

       553
        
       

     

       554
       +
       - `services.cloudflared` now uses a dynamic user, and its `user` and `group` options have been removed. If the user or group is still necessary, they can be created manually.

     

       555
       +
       

     

       556
        
       - The Home Assistant module has new options {option}`services.home-assistant.blueprints.automation`, `services.home-assistant.blueprints.script`, and {option}`services.home-assistant.blueprints.template` that allow for the declarative installation of [blueprints](https://www.home-assistant.io/docs/blueprint/) into the appropriate configuration directories.

     

       557
        
       

     

       558
        
       - For matrix homeserver Synapse we are now following the upstream recommendation to enable jemalloc as the memory allocator by default.

+61 -30

nixos/modules/services/networking/cloudflared.nix

···

       7
        
       let

     

       8
        
         cfg = config.services.cloudflared;

     

       9
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
         originRequest = {

     

       11
        
           connectTimeout = lib.mkOption {

     

       12
        
             type = with lib.types; nullOr str;

     
···

       144
        
         };

     

       145
        
       in

     

       146
        
       {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       147
        
         options.services.cloudflared = {

     

       0
        
       
     

       0
        
       
     

       148
        
           enable = lib.mkEnableOption "Cloudflare Tunnel client daemon (formerly Argo Tunnel)";

     

       149
        
       

     

       150
       -
           user = lib.mkOption {

     

       151
       -
             type = lib.types.str;

     

       152
       -
             default = "cloudflared";

     

       153
       -
             description = "User account under which Cloudflared runs.";

     

       154
       -
           };

     

       155
       -
       

     

       156
       -
           group = lib.mkOption {

     

       157
       -
             type = lib.types.str;

     

       158
       -
             default = "cloudflared";

     

       159
       -
             description = "Group under which cloudflared runs.";

     

       160
       -
           };

     

       161
       -
       

     

       162
        
           package = lib.mkPackageOption pkgs "cloudflared" { };

     

       163
        
       

     

       164
        
           tunnels = lib.mkOption {

     
···

       170
        
                 { name, ... }:

     

       171
        
                 {

     

       172
        
                   options = {

     

       173
       -
                     inherit originRequest;

     

       174
        
       

     

       175
        
                     credentialsFile = lib.mkOption {

     

       176
       -
                       type = lib.types.str;

     

       177
        
                       description = ''

     

       178
        
                         Credential file.

     

       179
        
       

     
···

       273
        
         };

     

       274
        
       

     

       275
        
         config = lib.mkIf cfg.enable {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       276
        
           systemd.targets = lib.mapAttrs' (

     

       277
        
             name: tunnel:

     

       278
        
             lib.nameValuePair "cloudflared-tunnel-${name}" {

     
···

       303
        
       

     

       304
        
               fullConfig = filterConfig {

     

       305
        
                 tunnel = name;

     

       306
       -
                 "credentials-file" = tunnel.credentialsFile;

     

       307
        
                 warp-routing = filterConfig tunnel.warp-routing;

     

       308
        
                 originRequest = filterConfig tunnel.originRequest;

     

       309
        
                 ingress =

     
···

       322
        
               };

     

       323
        
       

     

       324
        
               mkConfigFile = pkgs.writeText "cloudflared.yml" (builtins.toJSON fullConfig);

     

       0
        
       
     

       325
        
             in

     

       326
       -
             lib.nameValuePair "cloudflared-tunnel-${name}" ({

     

       327
        
               after = [

     

       328
        
                 "network.target"

     

       329
        
                 "network-online.target"

     
···

       334
        
               ];

     

       335
        
               wantedBy = [ "multi-user.target" ];

     

       336
        
               serviceConfig = {

     

       337
       -
                 User = cfg.user;

     

       338
       -
                 Group = cfg.group;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       339
        
                 ExecStart = "${cfg.package}/bin/cloudflared tunnel --config=${mkConfigFile} --no-autoupdate run";

     

       340
        
                 Restart = "on-failure";

     

       0
        
       
     

       341
        
               };

     

       342
       -
             })

     

       343
       -
           ) config.services.cloudflared.tunnels;

     

       344
        
       

     

       345
       -
           users.users = lib.mkIf (cfg.user == "cloudflared") {

     

       346
       -
             cloudflared = {

     

       347
       -
               group = cfg.group;

     

       348
       -
               isSystemUser = true;

     

       349
       -
             };

     

       350
       -
           };

     

       351
       -
       

     

       352
       -
           users.groups = lib.mkIf (cfg.group == "cloudflared") {

     

       353
       -
             cloudflared = { };

     

       354
       -
           };

     

       355
        
         };

     

       356
        
       

     

       357
        
         meta.maintainers = with lib.maintainers; [

···

       7
        
       let

     

       8
        
         cfg = config.services.cloudflared;

     

       9
        
       

     

       10
       +
         certificateFile = lib.mkOption {

     

       11
       +
           type = with lib.types; nullOr path;

     

       12
       +
           description = ''

     

       13
       +
             Cert.pem file.

     

       14
       +
       

     

       15
       +
             See [Cert.pem](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-terms/#certpem).

     

       16
       +
           '';

     

       17
       +
           default = null;

     

       18
       +
         };

     

       19
       +
       

     

       20
        
         originRequest = {

     

       21
        
           connectTimeout = lib.mkOption {

     

       22
        
             type = with lib.types; nullOr str;

     
···

       154
        
         };

     

       155
        
       in

     

       156
        
       {

     

       157
       +
         imports = [

     

       158
       +
           (lib.mkRemovedOptionModule

     

       159
       +
             [

     

       160
       +
               "services"

     

       161
       +
               "cloudflared"

     

       162
       +
               "user"

     

       163
       +
             ]

     

       164
       +
             ''

     

       165
       +
               Cloudflared now uses a dynamic user, and this option no longer has any effect.

     

       166
       +
       

     

       167
       +
               If the user is still necessary, please define it manually using users.users.cloudflared.

     

       168
       +
             ''

     

       169
       +
           )

     

       170
       +
       

     

       171
       +
           (lib.mkRemovedOptionModule

     

       172
       +
             [

     

       173
       +
               "services"

     

       174
       +
               "cloudflared"

     

       175
       +
               "group"

     

       176
       +
             ]

     

       177
       +
             ''

     

       178
       +
               Cloudflared now uses a dynamic user, and this option no longer has any effect.

     

       179
       +
       

     

       180
       +
               If the group is still necessary, please define it manually using users.groups.cloudflared.

     

       181
       +
             ''

     

       182
       +
           )

     

       183
       +
         ];

     

       184
       +
       

     

       185
        
         options.services.cloudflared = {

     

       186
       +
           inherit certificateFile;

     

       187
       +
       

     

       188
        
           enable = lib.mkEnableOption "Cloudflare Tunnel client daemon (formerly Argo Tunnel)";

     

       189
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       190
        
           package = lib.mkPackageOption pkgs "cloudflared" { };

     

       191
        
       

     

       192
        
           tunnels = lib.mkOption {

     
···

       198
        
                 { name, ... }:

     

       199
        
                 {

     

       200
        
                   options = {

     

       201
       +
                     inherit certificateFile originRequest;

     

       202
        
       

     

       203
        
                     credentialsFile = lib.mkOption {

     

       204
       +
                       type = lib.types.path;

     

       205
        
                       description = ''

     

       206
        
                         Credential file.

     

       207
        
       

     
···

       301
        
         };

     

       302
        
       

     

       303
        
         config = lib.mkIf cfg.enable {

     

       304
       +
           assertions = lib.mapAttrsToList (name: tunnel: {

     

       305
       +
             assertion =

     

       306
       +
               tunnel.ingress == { } || (cfg.certificateFile != null || tunnel.certificateFile != null);

     

       307
       +
             message = "Cloudflare Tunnel ${name} has a declarative configuration, but no certificate file was defined.";

     

       308
       +
           }) cfg.tunnels;

     

       309
       +
       

     

       310
        
           systemd.targets = lib.mapAttrs' (

     

       311
        
             name: tunnel:

     

       312
        
             lib.nameValuePair "cloudflared-tunnel-${name}" {

     
···

       337
        
       

     

       338
        
               fullConfig = filterConfig {

     

       339
        
                 tunnel = name;

     

       340
       +
                 credentials-file = "/run/credentials/cloudflared-tunnel-${name}.service/credentials.json";

     

       341
        
                 warp-routing = filterConfig tunnel.warp-routing;

     

       342
        
                 originRequest = filterConfig tunnel.originRequest;

     

       343
        
                 ingress =

     
···

       356
        
               };

     

       357
        
       

     

       358
        
               mkConfigFile = pkgs.writeText "cloudflared.yml" (builtins.toJSON fullConfig);

     

       359
       +
               certFile = if (tunnel.certificateFile != null) then tunnel.certificateFile else cfg.certificateFile;

     

       360
        
             in

     

       361
       +
             lib.nameValuePair "cloudflared-tunnel-${name}" {

     

       362
        
               after = [

     

       363
        
                 "network.target"

     

       364
        
                 "network-online.target"

     
···

       369
        
               ];

     

       370
        
               wantedBy = [ "multi-user.target" ];

     

       371
        
               serviceConfig = {

     

       372
       +
                 RuntimeDirectory = "cloudflared-tunnel-${name}";

     

       373
       +
                 RuntimeDirectoryMode = "0400";

     

       374
       +
                 LoadCredential = [

     

       375
       +
                   "credentials.json:${tunnel.credentialsFile}"

     

       376
       +
                 ] ++ (lib.optional (certFile != null) "cert.pem:certFile");

     

       377
       +
       

     

       378
        
                 ExecStart = "${cfg.package}/bin/cloudflared tunnel --config=${mkConfigFile} --no-autoupdate run";

     

       379
        
                 Restart = "on-failure";

     

       380
       +
                 DynamicUser = true;

     

       381
        
               };

     

       0
        
       
     

       0
        
       
     

       382
        
       

     

       383
       +
               environment.TUNNEL_ORIGIN_CERT = lib.mkIf (certFile != null) ''%d/cert.pem'';

     

       384
       +
             }

     

       385
       +
           ) config.services.cloudflared.tunnels;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       386
        
         };

     

       387
        
       

     

       388
        
         meta.maintainers = with lib.maintainers; [