Unverified Commit 062ddd6e authored by nixpkgs-ci[bot], committed by GitHub

Merge master into staging-next

parents e5cca0a5 5649c3b5
+3 −3
@@ -5,7 +5,7 @@
  ...
}:
let
  pcmciaUtils = pkgs.pcmciaUtils.overrideAttrs {
  pcmciautils = pkgs.pcmciautils.overrideAttrs {
    inherit (config.hardware.pcmcia) firmware config;
  };
in
@@ -48,9 +48,9 @@ in

    boot.kernelModules = [ "pcmcia" ];

    services.udev.packages = [ pcmciaUtils ];
    services.udev.packages = [ pcmciautils ];

    environment.systemPackages = [ pcmciaUtils ];
    environment.systemPackages = [ pcmciautils ];

  };

+64 −0
@@ -46,13 +46,77 @@ in
        RestartSec = 5;
        Type = "simple";
        DynamicUser = true;
        UMask = "0077";
        RuntimeDirectory = "flaresolverr";
        WorkingDirectory = "/run/flaresolverr";
        ExecStart = lib.getExe cfg.package;
        TimeoutStopSec = 30;

        # Systemd hardening
        LockPersonality = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        RestrictRealtime = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = [
          "net"
          "pid"
          "user"
        ];
        CapabilityBoundingSet = [
          "~CAP_BLOCK_SUSPEND"
          "~CAP_BPF"
          "~CAP_CHOWN"
          "~CAP_IPC_LOCK"
          "~CAP_MKNOD"
          "~CAP_NET_ADMIN"
          "~CAP_NET_RAW"
          "~CAP_PERFMON"
          "~CAP_SYSLOG"
          "~CAP_SYS_ADMIN"
          "~CAP_SYS_BOOT"
          "~CAP_SYS_MODULE"
          "~CAP_SYS_PACCT"
          "~CAP_SYS_PTRACE"
          "~CAP_SYS_TIME"
          "~CAP_WAKE_ALARM"
        ];
        SystemCallFilter = [
          "~@chown"
          "~@clock"
          "~@cpu-emulation"
          "~@debug"
          "~@keyring"
          "~@memlock"
          "~@module"
          "~@obsolete"
          "~@pkey"
          "~@raw-io"
          "~@reboot"
          "~@setuid"
          "~@swap"
          "~@timer"
        ];
        SystemCallErrorNumber = "EPERM";
        SystemCallArchitectures = "native";
      };
    };

    networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
  };

  meta.maintainers = with lib.maintainers; [ diogotcorreia ];
}
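Review bot: The CapabilityBoundingSet in the new hardening block is a deny list that still leaves CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, CAP_NET_BIND_SERVICE and others in the bounding set, although a DynamicUser service starts with no effective capabilities and nothing in the hunk shows it needs any; unless the packaged program's own sandboxing requires one of them, `CapabilityBoundingSet = "";` is simpler to audit and is the usual form for DynamicUser units in this tree. The RestrictNamespaces allow-list of net, pid and user, together with the absence of MemoryDenyWriteExecute and of `~@privileged` from SystemCallFilter, is presumably deliberate for whatever the service spawns, but nothing records that, so a later hardening pass is likely to tighten them and break the unit; a comment such as `# net/pid/user namespaces and writable+executable memory are required by the program's own sandbox — do not tighten without re-running the NixOS test` next to RestrictNamespaces would preserve that knowledge. The serviceConfig attribute set these settings belong to starts above the hunk.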
+1 −1
{ lib, ... }:
{
  name = "flaresolverr";
  meta.maintainers = [ ];
  meta.maintainers = with lib.maintainers; [ diogotcorreia ];

  nodes.machine =
    { pkgs, ... }:
+0 −5
@@ -218,11 +218,6 @@ in
      # wait for the agent to show up
      server.wait_until_succeeds("kubectl get node agent")

      ${lib.optionalString (rancherDistro == "k3s") ''
        for m in machines:
            m.succeed("k3s check-config")
      ''}

      server.succeed("kubectl cluster-info")
      # Also wait for our service account to show up; it takes a sec
      server.wait_until_succeeds("kubectl get serviceaccount default")
+0 −3
@@ -84,9 +84,6 @@ in
      machine.wait_for_unit("${serviceName}")
      machine.succeed("kubectl cluster-info")
      machine.fail("sudo -u noprivs kubectl cluster-info")
      ${lib.optionalString (rancherDistro == "k3s") ''
        machine.succeed("k3s check-config")
      ''}

      # Also wait for our service account to show up; it takes a sec
      machine.wait_until_succeeds("kubectl get serviceaccount default")