Unverified Commit 72eff9fe authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents e1394695 2c9e9de1
+4 −0
@@ -177,6 +177,8 @@

- The `html-proofer` package has been updated from major version 3 to major version 5, which includes [breaking changes](https://github.com/gjtorikian/html-proofer/blob/v5.0.8/UPGRADING.md).

- `kratos` has been updated from 0.10.1 to the first stable version 1.0.0, please read the [0.10.1 to 0.11.0](https://github.com/ory/kratos/releases/tag/v0.11.0), [0.11.0 to 0.11.1](https://github.com/ory/kratos/releases/tag/v0.11.1), [0.11.1 to 0.13.0](https://github.com/ory/kratos/releases/tag/v0.13.0) and [0.13.0 to 1.0.0](https://github.com/ory/kratos/releases/tag/v1.0.0) upgrade guides. The most notable breaking change is the introduction of one-time passwords (`code`) and update of the default recovery strategy from `link` to `code`.

## Other Notable Changes {#sec-release-23.11-notable-changes}

- The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
@@ -245,6 +247,8 @@ The module update takes care of the new config syntax and the data itself (user
- `networking.nftables` is no longer flushing all rulesets on every reload.
  Use `networking.nftables.flushRuleset = true;` to get back the old behaviour.

- The `cawbird` package is dropped from nixpkgs, as it got broken by the Twitter API closing down and has been abandoned upstream.

## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals}

- The use of `sourceRoot = "source";`, `sourceRoot = "source/subdir";`, and similar lines in package derivations using the default `unpackPhase` is deprecated as it requires `unpackPhase` to always produce a directory named "source". Use `sourceRoot = src.name`, `sourceRoot = "${src.name}/subdir";`, or `setSourceRoot = "sourceRoot=$(echo */subdir)";` or similar instead.
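--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -175,7 +175,12 @@ in
   };
 
   config = {
-    _module.args.hostPkgs = config.hostPkgs;
+    _module.args = {
+      hostPkgs =
+        # Comment is in nixos/modules/misc/nixpkgs.nix
+        lib.mkOverride lib.modules.defaultOverridePriority
+          config.hostPkgs.__splicedPackages;
+    };
 
     driver = withChecks driver;
 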
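Review bot: The comment `# Comment is in nixos/modules/misc/nixpkgs.nix` above the `lib.mkOverride` call only points elsewhere, so a reader of this file has to open another module to learn why `_module.args.hostPkgs` is given an explicit priority. A one-line summary here would save that lookup, e.g. `# defaultOverridePriority so a plain definition of _module.args.hostPkgs elsewhere still wins; rationale in nixos/modules/misc/nixpkgs.nix`. That reading of the priority follows from how mkOverride values merge, but the precise reason this module needs it should be confirmed against the referenced file before wording it. The enclosing `config = { ... }` attribute set continues past the end of the hunk.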
+1 −0
@@ -163,6 +163,7 @@
  ./programs/direnv.nix
  ./programs/dmrconfig.nix
  ./programs/droidcam.nix
  ./programs/ecryptfs.nix
  ./programs/environment.nix
  ./programs/evince.nix
  ./programs/extra-container.nix
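--- /dev/null
+++ b/programs/ecryptfs.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.ecryptfs;
+
+in {
+  options.programs.ecryptfs = {
+    enable = mkEnableOption (lib.mdDoc "ecryptfs setuid mount wrappers");
+  };
+
+  config = mkIf cfg.enable {
+    security.wrappers = {
+
+      "mount.ecryptfs_private" = {
+        setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${lib.getBin pkgs.ecryptfs}/bin/mount.ecryptfs_private";
+      };
+      "umount.ecryptfs_private" = {
+        setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${lib.getBin pkgs.ecryptfs}/bin/umount.ecryptfs_private";
+      };
+
+    };
+  };
+}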
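Review bot: The `enable` description at the `mkEnableOption` line says only "ecryptfs setuid mount wrappers", while enabling the option installs two setuid-root binaries (`mount.ecryptfs_private`, `umount.ecryptfs_private`) that every local user can execute; the option text should state that privilege change, e.g. `mkEnableOption (lib.mdDoc "setuid-root wrappers for mount.ecryptfs_private and umount.ecryptfs_private, executable by every local user")`. With `owner`/`group` set to root and no `permissions` given, the privilege boundary is whatever checks the upstream helpers perform themselves (they are meant to act only on the calling user's own Private directory, which should be confirmed against the ecryptfs-utils sources), and the module does not narrow it further. If execution is ever meant to be limited to a group, `security.wrappers.<name>.permissions` together with `group` can restrict the wrapper's mode; a short comment noting that the default world-executable mode is intentional would help the next maintainer.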
+145 −25
{ config, pkgs, lib, ... }:
{ config, lib, pkgs, ... }:

let
  cfg = config.services.dae;
  assets = cfg.assets;
  genAssetsDrv = paths: pkgs.symlinkJoin {
    name = "dae-assets";
    inherit paths;
  };
in
{
  meta.maintainers = with lib.maintainers; [ pokon548 ];
  meta.maintainers = with lib.maintainers; [ pokon548 oluceps ];

  options = {
    services.dae = with lib;{
      enable = mkEnableOption
        (mdDoc "A Linux high-performance transparent proxy solution based on eBPF");

      package = mkPackageOptionMD pkgs "dae" { };

      assets = mkOption {
        type = with types;(listOf path);
        default = with pkgs; [ v2ray-geoip v2ray-domain-list-community ];
        defaultText = literalExpression "with pkgs; [ v2ray-geoip v2ray-domain-list-community ]";
        description = mdDoc ''
          Assets required to run dae.
        '';
      };

      assetsPath = mkOption {
        type = types.str;
        default = "${genAssetsDrv assets}/share/v2ray";
        defaultText = literalExpression ''
          (symlinkJoin {
              name = "dae-assets";
              paths = assets;
          })/share/v2ray
        '';
        description = mdDoc ''
          The path which contains geolocation database.
          This option will override `assets`.
        '';
      };

      openFirewall = mkOption {
        type = with types; submodule {
          options = {
    services.dae = {
      enable = lib.options.mkEnableOption (lib.mdDoc "the dae service");
      package = lib.mkPackageOptionMD pkgs "dae" { };
            enable = mkEnableOption "enable";
            port = mkOption {
              type = types.int;
              description = ''
                Port to be opened. Consist with field `tproxy_port` in config file.
              '';
            };
          };
        };
        default = {
          enable = true;
          port = 12345;
        };
        defaultText = literalExpression ''
          {
            enable = true;
            port = 12345;
          }
        '';
        description = mdDoc ''
          Open the firewall port.
        '';
      };

      configFile = mkOption {
        type = types.path;
        default = "/etc/dae/config.dae";
        example = "/path/to/your/config.dae";
        description = mdDoc ''
          The path of dae config file, end with `.dae`.
        '';
      };

  config = lib.mkIf config.services.dae.enable {
    networking.firewall.allowedTCPPorts = [ 12345 ];
    networking.firewall.allowedUDPPorts = [ 12345 ];
      config = mkOption {
        type = types.str;
        default = ''
          global{}
          routing{}
        '';
        description = mdDoc ''
          Config text for dae.

    systemd.services.dae = {
      unitConfig = {
        Description = "dae Service";
        Documentation = "https://github.com/daeuniverse/dae";
        After = [ "network-online.target" "systemd-sysctl.service" ];
        Wants = [ "network-online.target" ];
          See <https://github.com/daeuniverse/dae/blob/main/example.dae>.
        '';
      };

      serviceConfig = {
        User = "root";
        ExecStartPre = "${lib.getExe cfg.package} validate -c /etc/dae/config.dae";
        ExecStart = "${lib.getExe cfg.package} run --disable-timestamp -c /etc/dae/config.dae";
        ExecReload = "${lib.getExe cfg.package} reload $MAINPID";
        LimitNPROC = 512;
        LimitNOFILE = 1048576;
        Restart = "on-abnormal";
        Type = "notify";
      disableTxChecksumIpGeneric =
        mkEnableOption (mdDoc "See <https://github.com/daeuniverse/dae/issues/43>");

    };
  };

  config = lib.mkIf cfg.enable

    {
      environment.systemPackages = [ cfg.package ];
      systemd.packages = [ cfg.package ];

      environment.etc."dae/config.dae" = {
        mode = "0400";
        source = pkgs.writeText "config.dae" cfg.config;
      };

      networking = lib.mkIf cfg.openFirewall.enable {
        firewall =
          let portToOpen = cfg.openFirewall.port;
          in
          {
            allowedTCPPorts = [ portToOpen ];
            allowedUDPPorts = [ portToOpen ];
          };
      };

      systemd.services.dae =
        let
          daeBin = lib.getExe cfg.package;
          TxChecksumIpGenericWorkaround = with lib;(getExe pkgs.writeShellApplication {
            name = "disable-tx-checksum-ip-generic";
            text = with pkgs; ''
              iface=$(${iproute2}/bin/ip route | ${lib.getExe gawk} '/default/ {print $5}')
              ${lib.getExe ethtool} -K "$iface" tx-checksum-ip-generic off
            '';
          });
        in
        {
          wantedBy = [ "multi-user.target" ];
          serviceConfig = {
            ExecStartPre = [ "" "${daeBin} validate -c ${cfg.configFile}" ]
              ++ (with lib; optional cfg.disableTxChecksumIpGeneric TxChecksumIpGenericWorkaround);
            ExecStart = [ "" "${daeBin} run --disable-timestamp -c ${cfg.configFile}" ];
            Environment = "DAE_LOCATION_ASSET=${cfg.assetsPath}";
          };
        };

      assertions = [
        {
          assertion = lib.pathExists (toString (genAssetsDrv cfg.assets) + "/share/v2ray");
          message = ''
            Packages in `assets` has no preset paths included.
            Please set `assetsPath` instead.
          '';
        }

        {
          assertion = !((config.services.dae.config != "global{}\nrouting{}\n")
            && (config.services.dae.configFile != "/etc/dae/config.dae"));
          message = ''
            Option `config` and `configFile` could not be set
            at the same time.
          '';
        }
      ];
    };
}
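Review bot: `environment.etc."dae/config.dae"` sets `mode = "0400"`, but its `source` is `pkgs.writeText "config.dae" cfg.config`, so whatever is written into `services.dae.config` also lands in the world-readable Nix store and the 0400 mode on the /etc copy does not protect it (dae configs commonly carry proxy node credentials). The `config` option's description should say so, for example: "Config text for dae. It is written to the Nix store and is therefore world-readable; keep secrets in a file outside the store and point `configFile` at it instead." A second point: `openFirewall.enable` defaults to `true`, so enabling the service opens `openFirewall.port` (12345) for TCP and UDP on every interface, whereas the NixOS convention is for `openFirewall` to default to false — either flip the default or document in the option description why the tproxy port is opened by default. This section is rendered with old and new lines interleaved, so the attribution of these lines to the new side is by reading rather than by markers.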