staging-nixos merge for 2026-01-23 (#483049) (228e3869) · Commits · nix / nixpkgs

nixos/doc/manual/release-notes/rl-2605.section.md

+6 −0

Original line number	Diff line number	Diff line
		@@ -38,6 +38,10 @@

		- [Dawarich](https://dawarich.app/), a self-hostable location history tracker. Available as [services.dawarich](#opt-services.dawarich.enable).

		- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux.

		- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy.

		- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.

		- [Komodo Periphery](https://github.com/moghtech/komodo), a multi-server Docker and Git deployment agent by Komodo. Available as [services.komodo-periphery](#opt-services.komodo-periphery.enable).
		@@ -52,6 +56,8 @@

		- `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).

		- The packages `iw` and `wirelesstools` (`iwconfig`, `iwlist`, etc.) are no longer installed implicitly if wireless networking has been enabled.

		- `services.kubernetes.addons.dns.coredns` has been renamed to `services.kubernetes.addons.dns.corednsImage` and now expects a
		package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead
		of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:

nixos/modules/module-list.nix

+2 −0

Original line number	Diff line number	Diff line
		@@ -878,6 +878,7 @@
		./services/misc/languagetool.nix
		./services/misc/leaps.nix
		./services/misc/lifecycled.nix
		./services/misc/linux-enable-ir-emitter.nix
		./services/misc/litellm.nix
		./services/misc/llama-cpp.nix
		./services/misc/local-content-share.nix
		@@ -1489,6 +1490,7 @@
		./services/security/hockeypuck.nix
		./services/security/hologram-agent.nix
		./services/security/hologram-server.nix
		./services/security/howdy
		./services/security/infnoise.nix
		./services/security/intune.nix
		./services/security/jitterentropy-rngd.nix

nixos/modules/security/pam.nix

+50 −0

Original line number	Diff line number	Diff line
		@@ -322,6 +322,28 @@ let
		'';
		};

		howdy = {
		enable = lib.mkOption {
		default = config.security.pam.howdy.enable;
		defaultText = lib.literalExpression "config.security.pam.howdy.enable";
		type = lib.types.bool;
		description = ''
		Whether to enable the Howdy PAM module.

		If set, users can be authenticated using Howdy, the Windows
		Hello™-style facial authentication service.
		'';
		};
		control = lib.mkOption {
		default = config.security.pam.howdy.control;
		defaultText = lib.literalExpression "config.security.pam.howdy.control";
		type = lib.types.str;
		description = ''
		This option sets the PAM "control" used for this module.
		'';
		};
		};

		oathAuth = lib.mkOption {
		default = config.security.pam.oath.enable;
		defaultText = lib.literalExpression "config.security.pam.oath.enable";
		@@ -951,6 +973,12 @@ let
		control = "sufficient";
		modulePath = "${config.services.fprintd.package}/lib/security/pam_fprintd.so";
		}
		{
		name = "howdy";
		enable = cfg.howdy.enable;
		control = cfg.howdy.control;
		modulePath = "${config.services.howdy.package}/lib/security/pam_howdy.so";
		}
		]
		++
		# Modules in this block require having the password set in PAM_AUTHTOK.
		@@ -1797,6 +1825,28 @@ in
		};
		};

		security.pam.howdy = {
		enable = lib.mkOption {
		default = config.services.howdy.enable;
		defaultText = lib.literalExpression "config.services.howdy.enable";
		type = lib.types.bool;
		description = ''
		Whether to enable the Howdy PAM module.

		If set, users can be authenticated using Howdy, the Windows
		Hello™-style facial authentication service.
		'';
		};
		control = lib.mkOption {
		default = config.services.howdy.control;
		defaultText = lib.literalExpression "config.services.howdy.control";
		type = lib.types.str;
		description = ''
		This option sets the PAM "control" used for this module.
		'';
		};
		};

		security.pam.krb5 = {
		enable = lib.mkOption {
		default = config.security.krb5.enable;

nixos/modules/services/misc/linux-enable-ir-emitter.nix

0 → 100644

+71 −0

Original line number	Diff line number	Diff line
		{
		config,
		lib,
		pkgs,
		...
		}:
		let
		cfg = config.services.linux-enable-ir-emitter;
		in
		{
		options = {
		services.linux-enable-ir-emitter = {
		enable = lib.mkEnableOption "" // {
		description = ''
		Whether to enable IR emitter hardware. Designed to be used with the
		Howdy facial authentication. After enabling the service, configure
		the emitter with `sudo linux-enable-ir-emitter configure`.
		'';
		};

		package = lib.mkPackageOption pkgs "linux-enable-ir-emitter" { } // {
		description = ''
		Package to use for the Linux Enable IR Emitter service.
		'';
		};

		device = lib.mkOption {
		type = lib.types.str;
		default = "video2";
		description = ''
		IR camera device to depend on. For example, for `/dev/video2`
		the value would be `video2`. Find this with the command
		{command}`realpath /dev/v4l/by-path/<generated-driver-name>`.
		'';
		};
		};
		};

		config = lib.mkIf cfg.enable {
		environment.systemPackages = [ cfg.package ];

		# https://github.com/EmixamPP/linux-enable-ir-emitter/blob/7e3a6527ef2efccabaeefc5a93c792628325a8db/sources/systemd/linux-enable-ir-emitter.service
		systemd.services.linux-enable-ir-emitter =
		let
		targets = [
		"suspend.target"
		"sleep.target"
		"hybrid-sleep.target"
		"hibernate.target"
		"suspend-then-hibernate.target"
		];
		in
		{
		description = "Enable the infrared emitter";
		# Added to match
		# https://github.com/EmixamPP/linux-enable-ir-emitter/blob/6.1.2/boot_service/systemd/linux-enable-ir-emitter.service
		# Prevents the program fail to detect the IR camera until a service
		# restart.
		preStart = ''
		${pkgs.kmod}/bin/modprobe uvcvideo
		sleep 1
		'';
		script = "${lib.getExe cfg.package} --verbose run";
		serviceConfig.StateDirectory = "linux-enable-ir-emitter";
		serviceConfig.LogsDirectory = "linux-enable-ir-emitter";

		wantedBy = targets ++ [ "multi-user.target" ];
		after = targets ++ [ "dev-${cfg.device}.device" ];
		};
		};
		}

nixos/modules/services/security/howdy/default.nix

0 → 100644

+122 −0

Original line number	Diff line number	Diff line
		{
		config,
		lib,
		pkgs,
		...
		}:
		let
		cfg = config.services.howdy;
		settingsType = pkgs.formats.ini { };

		default_config = {
		core = {
		detection_notice = false;
		timeout_notice = true;
		no_confirmation = false;
		suppress_unknown = false;
		abort_if_ssh = true;
		abort_if_lid_closed = true;
		disabled = false;
		use_cnn = false;
		workaround = "off";
		};

		video = {
		certainty = 3.5;
		timeout = 4;
		device_path = "/dev/video2";
		warn_no_device = true;
		max_height = 320;
		frame_width = -1;
		frame_height = -1;
		dark_threshold = 60;
		recording_plugin = "opencv";
		device_format = "v4l2";
		force_mjpeg = false;
		exposure = -1;
		device_fps = -1;
		rotate = 0;
		};

		snapshots = {
		save_failed = false;
		save_successful = false;
		};

		rubberstamps = {
		enabled = false;
		stamp_rules = "nod 5s failsafe min_distance=12";
		};

		debug = {
		end_report = false;
		verbose_stamps = false;
		gtk_stdout = false;
		};
		};
		in
		{
		options = {
		services.howdy = {
		enable = lib.mkEnableOption "" // {
		description = ''
		Whether to enable Howdy and its PAM module for face recognition. See
		`services.linux-enable-ir-emitter` for enabling the IR emitter support.

		::: {.caution}
		Howdy is not a safe alternative to unlocking with your password. It
		can be fooled using a well-printed photo.

		Do not use it as the sole authentication method for your system.
		:::

		::: {.note}
		By default, the {option}`config.services.howdy.control` option is set
		to `"required"`, meaning it will act as a second-factor authentication
		in most services. To change this, set the option to `"sufficient"`.
		:::
		'';
		};

		package = lib.mkPackageOption pkgs "howdy" { };

		control = lib.mkOption {
		type = lib.types.str;
		default = "required";
		description = ''
		PAM control flag to use for Howdy.

		Sets the {option}`security.pam.howdy.control` option.

		Refer to {manpage}`pam.conf(5)` for options.
		'';
		};

		settings = lib.mkOption {
		inherit (settingsType) type;
		default = default_config;
		description = ''
		Howdy configuration file. Refer to
		<https://github.com/boltgolt/howdy/blob/d3ab99382f88f043d15f15c1450ab69433892a1c/howdy/src/config.ini>
		for options.
		'';
		};
		};
		};

		config = lib.mkMerge [
		(lib.mkIf cfg.enable {
		environment.systemPackages = [ cfg.package ];
		environment.etc."howdy/config.ini".source = settingsType.generate "howdy-config.ini" cfg.settings;
		assertions = [
		{
		assertion = !(builtins.elem "v4l2loopback" config.boot.kernelModules);
		message = "Adding 'v4l2loopback' to `boot.kernelModules` causes Howdy to no longer work. Consider adding 'v4l2loopback' to `boot.extraModulePackages` instead.";
		}
		];
		})
		{
		services.howdy.settings = lib.mapAttrsRecursive (name: lib.mkDefault) default_config;
		}
		];
		}

Admin message