Unverified Commit 9d9f4117 authored by nixpkgs-ci[bot]'s avatar nixpkgs-ci[bot] Committed by GitHub

Merge master into staging-nixos

parents eda2d11e 636f6c71
+4 −2
@@ -70,7 +70,9 @@ let

  nixosJobs = import (path + "/nixos/release.nix") {
    inherit attrNamesOnly;
    supportedSystems = if systems == null then [ builtins.currentSystem ] else systems;
    supportedSystems = lib.filter (lib.hasSuffix "-linux") (
      if systems == null then [ builtins.currentSystem ] else systems
    );
  };

  recurseIntoAttrs = attrs: attrs // { recurseForDerivations = true; };
@@ -104,6 +106,6 @@ in
tweak (
  (removeAttrs nixpkgsJobs blacklist)
  // {
    nixosTests.simple = nixosJobs.tests.simple;
    nixosTests = lib.filterAttrs (name: _: name == "simple") nixosJobs.tests;
  }
)
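Review bot: Filtering `supportedSystems` with `lib.hasSuffix "-linux"` yields an empty list when `systems == null` and `builtins.currentSystem` is a Darwin system, so `nixos/release.nix` would be imported with `supportedSystems = [ ]`; whether that evaluates to an empty job set or fails is not visible here and is worth confirming, or at least recording next to the filter, e.g. `# NixOS jobs only exist for Linux; on a non-Linux evaluator with systems == null this list is empty`. The `let` binding that defines `nixosJobs` starts before the hunk, as does the `tweak (…)` call of the second hunk.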
+7 −0
@@ -12399,6 +12399,13 @@
    githubId = 2881268;
    name = "John Hollowell";
  };
  jhult = {
    email = "Jonathan@JonathanHult.com";
    github = "jhult";
    githubId = 9849069;
    name = "Jonathan Hult";
    keys = [ { fingerprint = "DEE7 054C 5D43 ABEA C0F9  8BE4 3512 C8F8 2E2F 2A16"; } ];
  };
  jiegec = {
    name = "Jiajie Chen";
    email = "c@jia.je";
+8 −0
@@ -207,6 +207,14 @@ have a predefined type and string generator already declared under
      you will want to either use an alternative validator
      or set `doCheck = false` in the format options.

`pkgs.formats.hcl1` { }

:   A function taking an empty attribute set (for future extensibility)
    and returning a set with HCL1 JSON-specific attributes `type` and
    `generate` as specified [below](#pkgs-formats-result). The output
    is JSON formatted according to HCL1's canonical representation,
    where nested attribute sets are wrapped in arrays.

`pkgs.formats.libconfig` { *`generator`* ? `<derivation>`, *`validator`* ? `<derivation>` }

:  A function taking an attribute set with values
+2 −0
@@ -1515,6 +1515,8 @@
  ./services/security/reaction.nix
  ./services/security/shibboleth-sp.nix
  ./services/security/sks.nix
  ./services/security/spire/agent.nix
  ./services/security/spire/server.nix
  ./services/security/ssh-agent-switcher.nix
  ./services/security/sshguard.nix
  ./services/security/sslmate-agent.nix
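--- a/nixos/modules/services/security/spire/agent.nix
+++ b/nixos/modules/services/security/spire/agent.nix
@@ -0,0 +1,123 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  format = pkgs.formats.hcl1 { };
+  cfg = config.services.spire.agent;
+in
+{
+  meta.maintainers = [ lib.maintainers.arianvp ];
+
+  options.services.spire.agent = {
+    enable = lib.mkEnableOption "SPIRE agent";
+
+    package = lib.mkPackageOption pkgs "spire" { };
+
+    settings = lib.mkOption {
+      description = ''
+        SPIRE Agent configuration file options. See [the documentation](https://spiffe.io/docs/latest/deploying/spire_agent/) for all available options.
+      '';
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          agent = {
+            trust_domain = lib.mkOption {
+              type = lib.types.str;
+              description = "The trust domain that this agent belongs to";
+              example = "example.com";
+            };
+            data_dir = lib.mkOption {
+              type = lib.types.str;
+              default = "$STATE_DIRECTORY";
+              description = "The directory where the SPIRE agent stores its data";
+            };
+            server_address = lib.mkOption {
+              type = lib.types.str;
+              description = "The address of the SPIRE server";
+              example = "server.example.com";
+            };
+            server_port = lib.mkOption {
+              type = lib.types.port;
+              default = 8081;
+              description = "The port on which the SPIRE server is listening";
+            };
+            socket_path = lib.mkOption {
+              type = lib.types.path;
+              default = "/run/spire/agent/public/api.sock";
+              description = "The path to the SPIRE agent socket";
+            };
+          };
+          plugins = lib.mkOption {
+            description = ''
+              Built-in plugin types can be found at [the plugin types documentation](https://spiffe.io/docs/latest/deploying/spire_agent/#plugin-types).
+              See [plugin configuration](https://spiffe.io/docs/latest/deploying/spire_agent/#plugin-configuration) for options and how to configure external plugins.
+            '';
+            # TODO: We can probably enforce some of these constraints with a submodule
+            type = format.type;
+            example = {
+              KeyManager.memory.plugin_data = { };
+              NodeAttestor.join_token.plugin_data = { };
+              WorkloadAttestor.systemd.plugin_data = { };
+              WorkloadAttestor.unix.plugin_data = { };
+            };
+          };
+        };
+      };
+    };
+
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      defaultText = "Config file generated from services.spire.agent.settings";
+      default = format.generate "agent.conf" cfg.settings;
+      description = ''
+        Path to the SPIRE agent configuration file. See [the documentation](https://spiffe.io/docs/latest/deploying/spire_agent/) for more information.
+      '';
+    };
+
+    expandEnv = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Expand environment variables in SPIRE config file";
+    };
+
+  };
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+
+    # TODO: Switch to DynamicUser once https://github.com/NixOS/nixpkgs/issues/299476 lands
+    users.users.spire-agent = {
+      isSystemUser = true;
+      group = "spire-agent";
+    };
+    users.groups.spire-agent = { };
+
+    systemd.services.spire-agent = {
+      wantedBy = [ "multi-user.target" ];
+      description = "SPIRE agent";
+      serviceConfig = {
+        ExecStart =
+          "${lib.getExe' cfg.package "spire-agent"} run "
+          + lib.cli.toCommandLineShellGNU { } {
+            inherit (cfg) expandEnv;
+            config = cfg.configFile;
+          };
+        Restart = "on-failure";
+        StateDirectory = "spire/agent";
+        StateDirectoryMode = "0700";
+        RuntimeDirectory = "spire/agent";
+
+        # TODO: Switch to DynamicUser once https://github.com/NixOS/nixpkgs/issues/299476 lands
+        # Without it, the systemd plugin can not talk to dbus
+        # DynamicUser = true;
+        User = "spire-agent";
+        Group = "spire-agent";
+        UMask = "0027";
+
+        # TODO: Hardening
+      };
+    };
+  };
+}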
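Review bot: The file produced by `format.generate "agent.conf" cfg.settings` (the `configFile` default) lands in the world-readable Nix store, so any secret placed in `settings` — for instance a join token for the `NodeAttestor.join_token` plugin shown in the example — is exposed to every local user; the `settings` and `configFile` descriptions should state this and point users at `expandEnv` together with `systemd.services.spire-agent.serviceConfig.EnvironmentFile` to inject such values at runtime instead. Related: the `data_dir` default `"$STATE_DIRECTORY"` only works while `expandEnv = true`, since with `expandEnv = false` the agent receives the literal string as its directory, so the `expandEnv` description should carry the caveat `Disabling this breaks the default data_dir, which relies on $STATE_DIRECTORY being expanded`. The `# TODO: Hardening` slot can safely take at least `NoNewPrivileges = true;`, `PrivateTmp = true;` and `ProtectSystem = "strict";` (StateDirectory and RuntimeDirectory remain writable under strict), whereas stricter options such as ProtectProc or ProtectHome need checking against the unix and systemd workload attestors, which presumably inspect peer processes. Finally, with `UMask = "0027"` the `public/` directory under `/run/spire/agent` holding the default `socket_path` will presumably be created without group/other access unless the agent resets its mode — worth verifying that workloads running as other users can reach the socket, or pre-creating it with `RuntimeDirectory = [ "spire/agent" "spire/agent/public" ]` and `RuntimeDirectoryMode = "0755"`.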