Merge master into staging-next (2e41989f) · Commits · nix / nixpkgs

nixos/doc/manual/release-notes/rl-2605.section.md

+2 −0

Original line number	Diff line number	Diff line
		@@ -14,6 +14,8 @@
		designed to run on affordable, low-power devices. Available as [services.meshtasticd]
		(#opt-services.meshtasticd.enable).

		- [Goupile](https://goupile.org/en), an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as [services.goupile](#opt-services.goupile.enable).

		- [knot-resolver](https://www.knot-resolver.cz/) in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.

		- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as `services.immichframe`.

nixos/modules/module-list.nix

+1 −0

Original line number	Diff line number	Diff line
		@@ -1651,6 +1651,7 @@
		./services/web-apps/goatcounter.nix
		./services/web-apps/gotify-server.nix
		./services/web-apps/gotosocial.nix
		./services/web-apps/goupile.nix
		./services/web-apps/grav.nix
		./services/web-apps/grocy.nix
		./services/web-apps/guacamole-client.nix

nixos/modules/services/networking/nftables.nix

+2 −3

Original line number	Diff line number	Diff line
		@@ -298,7 +298,6 @@ in
		let
		enabledTables = lib.filterAttrs (_: table: table.enable) cfg.tables;
		deletionsScript = pkgs.writeScript "nftables-deletions" ''
		#! ${pkgs.nftables}/bin/nft -f
		${
		if cfg.flushRuleset then
		"flush ruleset"
		@@ -313,9 +312,9 @@ in
		${cfg.extraDeletions}
		'';
		deletionsScriptVar = "/var/lib/nftables/deletions.nft";
		makeDeletions = "${pkgs.nftables}/bin/nft -f ${deletionsScriptVar}";
		ensureDeletions = pkgs.writeShellScript "nftables-ensure-deletions" ''
		touch ${deletionsScriptVar}
		chmod +x ${deletionsScriptVar}
		'';
		saveDeletionsScript = pkgs.writeShellScript "nftables-save-deletions" ''
		cp ${deletionsScript} ${deletionsScriptVar}
		@@ -380,7 +379,7 @@ in
		saveDeletionsScript
		];
		ExecStop = [
		deletionsScriptVar
		makeDeletions
		cleanupDeletionsScript
		];
		StateDirectory = "nftables";

nixos/modules/services/web-apps/goupile.nix

0 → 100644

+147 −0

Original line number	Diff line number	Diff line
		{
		lib,
		pkgs,
		config,
		...
		}:
		let
		cfg = config.services.goupile;
		settingsFormat = pkgs.formats.ini { };
		in
		{
		options.services.goupile = {
		enable = lib.mkEnableOption "Goupile server";
		package = lib.mkPackageOption pkgs "goupile" { };

		enableSandbox = lib.mkOption {
		type = lib.types.bool;
		default = true;
		description = "Enable the sandbox option.";
		};

		settings = lib.mkOption {
		type = lib.types.submodule {
		freeformType = settingsFormat.type;
		options = {
		HTTP.Port = lib.mkOption {
		type = lib.types.port;
		default = 8889;
		description = "The port goupile runs on";
		};
		Data.RootDirectory = lib.mkOption {
		type = lib.types.str;
		default = "/var/lib/goupile";
		description = "Goupile's data directory.";
		};
		};
		};
		default = { }; # default will be lost for submodules if overriden
		example = lib.literalExpression ''
		{
		HTTP.Port = 8888;
		}
		'';
		description = ''
		The options for `systemd.services.goupile` in ini format.

		The configuration options available can be found here
		https://github.com/Koromix/rygel/blob/goupile/3.11.1/src/goupile/server/admin.cc#L41
		'';
		};

		configFile = lib.mkOption {
		type = lib.types.path;
		description = ''
		The configuration file to be passed to goupile server.

		By default the configuration file is created from `services.goupile.settings`.
		'';
		};

		hostName = lib.mkOption {
		type = lib.types.str;
		default = "goupile";
		description = "Nginx service name for goupile service.";
		};
		};
		config = lib.mkIf cfg.enable (
		lib.mkMerge [
		{
		services.nginx = {
		enable = lib.mkDefault true;
		virtualHosts.${cfg.hostName} = {
		locations."/".proxyPass = "http://${cfg.hostName}:${builtins.toString cfg.settings.HTTP.Port}";
		};
		};
		}
		{
		services.goupile.configFile = settingsFormat.generate "goupile.ini" cfg.settings;
		}
		{
		systemd.services.goupile = {
		wants = [ "network-online.target" ];
		after = [ "network-online.target" ];
		wantedBy = [ "multi-user.target" ];

		documentation = [ "https://goupile.org/en" ];
		description = "Goupile eCRF";

		serviceConfig = {
		ExecStart = ''
		${lib.getExe cfg.package} \
		${lib.optionalString cfg.enableSandbox "--sandbox"} \
		-C ${cfg.configFile}
		'';

		DynamicUser = true;

		RuntimeDirectory = "goupile";
		RuntimeDirectoryPreserve = "yes";
		StateDirectory = "goupile";
		UMask = 0077;
		WorkingDirectory = "%S/goupile";

		SystemCallArchitectures = "native";
		SystemCallFilter = [
		"~@privileged"
		"~@resources"
		"~@obsolete"
		"~@mount"
		"@system-service"
		"@file-system"
		"@basic-io"
		"@clock"
		];

		ProtectHome = true;
		PrivateUsers = true;
		PrivateDevices = true;
		ProtectKernelLogs = true;
		ProtectControlGroups = true;
		ProtectKernelModules = true;

		CapabilityBoundingSet = [
		"CAP_SYS_PTRACE"
		"CAP_CHOWN"
		"CAP_DAC_OVERRIDE"
		"CAP_FOWNER"
		"CAP_KILL" # Required for child process management
		"CAP_NET_BIND_SERVICE"
		"CAP_SETGID"
		"CAP_SETUID"
		"CAP_SYS_CHROOT"
		"CAP_SYS_RESOURCE"
		];

		Restart = "always";
		RestartSec = 20;
		TimeoutStopSec = 30;
		LimitNOFILE = 4096;
		};
		};
		}
		]
		);

		meta.maintainers = lib.teams.ngi.members;
		}

nixos/tests/all-tests.nix

+1 −0

Original line number	Diff line number	Diff line
		@@ -690,6 +690,7 @@ in
		gotenberg = runTest ./gotenberg.nix;
		gotify-server = runTest ./gotify-server.nix;
		gotosocial = runTest ./web-apps/gotosocial.nix;
		goupile = runTest ./web-apps/goupile;
		grafana = handleTest ./grafana { };
		graphite = runTest ./graphite.nix;
		grav = runTest ./web-apps/grav.nix;