Loading nixos/modules/services/networking/envoy.nix +34 −17 Original line number Diff line number Diff line Loading @@ -6,18 +6,29 @@ let cfg = config.services.envoy; format = pkgs.formats.json { }; conf = format.generate "envoy.json" cfg.settings; validateConfig = file: validateConfig = required: file: pkgs.runCommand "validate-envoy-conf" { } '' ${pkgs.envoy}/bin/envoy --log-level error --mode validate -c "${file}" ${cfg.package}/bin/envoy --log-level error --mode validate -c "${file}" ${lib.optionalString (!required) "|| true"} cp "${file}" "$out" ''; in { options.services.envoy = { enable = mkEnableOption (lib.mdDoc "Envoy reverse proxy"); package = mkPackageOptionMD pkgs "envoy" { }; requireValidConfig = mkOption { type = types.bool; default = true; description = lib.mdDoc '' Whether a failure during config validation at build time is fatal. When the config can't be checked during build time, for example when it includes other files, disable this option. ''; }; settings = mkOption { type = format.type; default = { }; Loading Loading 
@@ -46,38 +57,44 @@ in }; config = mkIf cfg.enable { environment.systemPackages = [ pkgs.envoy ]; environment.systemPackages = [ cfg.package ]; systemd.services.envoy = { description = "Envoy reverse proxy"; after = [ "network-online.target" ]; requires = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.envoy}/bin/envoy -c ${validateConfig conf}"; DynamicUser = true; ExecStart = "${cfg.package}/bin/envoy -c ${validateConfig cfg.requireValidConfig conf}"; CacheDirectory = [ "envoy" ]; LogsDirectory = [ "envoy" ]; Restart = "no"; CacheDirectory = "envoy"; LogsDirectory = "envoy"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_XDP"; SystemCallArchitectures = "native"; # Hardening AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; DeviceAllow = [ "" ]; DevicePolicy = "closed"; DynamicUser = true; LockPersonality = true; RestrictNamespaces = true; RestrictRealtime = true; PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE MemoryDenyWriteExecute = false; # at least wasmr needs WX permission PrivateDevices = true; PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "ptraceable"; ProtectHostname = true; ProtectSystem = "strict"; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" "AF_XDP" ]; RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; UMask = "0066"; SystemCallFilter = "~@clock @module @mount @reboot @swap @obsolete @cpu-emulation"; }; }; }; Loading 
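Review bot: In the first hunk of this file, `validateConfig` with `required = false` turns the check into `envoy --mode validate ... || true`, so a genuinely malformed configuration (not only one referencing files absent at build time) passes the build silently and the failure surfaces only when envoy.service starts on the target machine. The build log should at least record that validation failed and was ignored, e.g. `${lib.optionalString (!required) "|| echo 'warning: envoy config validation failed; ignored because services.envoy.requireValidConfig = false' >&2"}`, which keeps the non-fatal behaviour while leaving a trace an operator can find. The option description for `requireValidConfig` could say the same in one sentence, so users know the check is skipped rather than relaxed. The surrounding `let` block and the `options`/`config` attribute sets continue outside the hunk.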
nixos/modules/services/networking/hostapd.nix +3 −1 Original line number Diff line number Diff line Loading @@ -20,6 +20,8 @@ let ssid=${cfg.ssid} hw_mode=${cfg.hwMode} channel=${toString cfg.channel} ieee80211n=1 ieee80211ac=1 ${optionalString (cfg.countryCode != null) "country_code=${cfg.countryCode}"} ${optionalString (cfg.countryCode != null) "ieee80211d=1"} Loading @@ -34,6 +36,7 @@ let ${optionalString cfg.wpa '' wpa=2 wpa_pairwise=CCMP wpa_passphrase=${cfg.wpaPassphrase} ''} ${optionalString cfg.noScan "noscan=1"} Loading Loading @@ -66,7 +69,6 @@ in }; interface = mkOption { default = ""; example = "wlp2s0"; type = types.str; description = lib.mdDoc '' Loading nixos/modules/services/security/yubikey-agent.nix +3 −0 Original line number Diff line number Diff line Loading @@ -57,6 +57,9 @@ in ]; }; # Yubikey-agent expects pcsd to be running in order to function. services.pcscd.enable = true; environment.extraInit = '' if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock" Loading nixos/tests/envoy.nix +28 −7 Original line number Diff line number Diff line Loading @@ -13,7 +13,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { socket_address = { protocol = "TCP"; address = "127.0.0.1"; port_value = 9901; port_value = 80; }; }; }; Loading 
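Review bot: The first hunk of this file emits `ieee80211n=1` and `ieee80211ac=1` unconditionally, while `cfg.hwMode` may select the 2.4 GHz band where VHT is not normally available; hostapd may reject or silently ignore `ieee80211ac=1` there, and neither line is accompanied by the `ht_capab`/`vht_capab` settings that usually go with them. Gating the VHT line on the band, `${optionalString (cfg.hwMode == "a") "ieee80211ac=1"}`, or exposing both as options would avoid configurations that only work on some radios. The `wpa_pairwise=CCMP` line added in the second hunk is the right companion to enabling HT/VHT, since HT rates are not negotiated with TKIP, and it removes the weaker cipher from the offered set. The generated config string these hunks edit begins and ends outside the visible lines.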
@@ -22,12 +22,33 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { clusters = []; }; }; specialisation = { withoutConfigValidation.configuration = { ... }: { services.envoy = { requireValidConfig = false; settings.admin.access_log_path = lib.mkForce "/var/log/envoy/access.log"; }; }; }; }; testScript = '' testScript = { nodes, ... }: let specialisations = "${nodes.machine.system.build.toplevel}/specialisation"; in '' machine.start() with subtest("envoy.service starts and responds with ready"): machine.wait_for_unit("envoy.service") machine.wait_for_open_port(80) machine.wait_until_succeeds("curl -fsS localhost:80/ready") with subtest("envoy.service works with config path not available at eval time"): machine.succeed('${specialisations}/withoutConfigValidation/bin/switch-to-configuration test') machine.wait_for_unit("envoy.service") machine.wait_for_open_port(9901) machine.wait_until_succeeds("curl -fsS localhost:9901/ready") machine.wait_for_open_port(80) machine.wait_until_succeeds("curl -fsS localhost:80/ready") machine.succeed('test -f /var/log/envoy/access.log') ''; }) pkgs/applications/audio/gtkcord4/default.nix +3 −3 Original line number Diff line number Diff line Loading @@ -19,13 +19,13 @@ buildGoModule rec { pname = "gtkcord4"; version = "0.0.8"; version = "0.0.9"; src = fetchFromGitHub { owner = "diamondburned"; repo = pname; rev = "v${version}"; hash = "sha256-aJRVk9KFCJbIFInkg5BCJ6ygBlDCFF53WXO9qyACFus="; hash = "sha256-55mS+hrhLLRkhgih5lvdM9Xka+WKg2iliFm6TYF6n3w="; }; nativeBuildInputs = [ Loading Loading @@ -61,7 +61,7 @@ buildGoModule rec { install -D -m 444 internal/icons/png/logo.png $out/share/icons/hicolor/256x256/apps/gtkcord4.png ''; vendorHash = "sha256-usnlaOqyMd8rdnFpuCqfaCES8bPaB+NbdL4pFybKJbM="; vendorHash = "sha256-IQpokMeo46vZIdVA1F7JILXCN9bUqTMOCa/SQ0JSjaM="; meta = with lib; { description = "GTK4 Discord client in Go, attempt #4."; Loading Loading
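Review bot: The `withoutConfigValidation` specialisation in the second hunk only sets `requireValidConfig = false` and forces `settings.admin.access_log_path`, so unless `/var/log/envoy/access.log` actually makes `envoy --mode validate` fail inside the build sandbox, the subtest named "config path not available at eval time" never exercises the ignored-failure path and would pass equally with validation enabled. A one-line comment above the specialisation stating why this path is expected to fail build-time validation, e.g. `# the log directory only exists at runtime, so build-time validation has to be ignored`, would pin that intent; if it does not fail, the specialisation should reference a file that is genuinely absent during the build. The `settings` attribute set edited by the first hunk starts outside the hunk.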
nixos/modules/services/networking/envoy.nix +34 −17 Original line number Diff line number Diff line Loading @@ -6,18 +6,29 @@ let cfg = config.services.envoy; format = pkgs.formats.json { }; conf = format.generate "envoy.json" cfg.settings; validateConfig = file: validateConfig = required: file: pkgs.runCommand "validate-envoy-conf" { } '' ${pkgs.envoy}/bin/envoy --log-level error --mode validate -c "${file}" ${cfg.package}/bin/envoy --log-level error --mode validate -c "${file}" ${lib.optionalString (!required) "|| true"} cp "${file}" "$out" ''; in { options.services.envoy = { enable = mkEnableOption (lib.mdDoc "Envoy reverse proxy"); package = mkPackageOptionMD pkgs "envoy" { }; requireValidConfig = mkOption { type = types.bool; default = true; description = lib.mdDoc '' Whether a failure during config validation at build time is fatal. When the config can't be checked during build time, for example when it includes other files, disable this option. ''; }; settings = mkOption { type = format.type; default = { }; Loading Loading 
@@ -46,38 +57,44 @@ in }; config = mkIf cfg.enable { environment.systemPackages = [ pkgs.envoy ]; environment.systemPackages = [ cfg.package ]; systemd.services.envoy = { description = "Envoy reverse proxy"; after = [ "network-online.target" ]; requires = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.envoy}/bin/envoy -c ${validateConfig conf}"; DynamicUser = true; ExecStart = "${cfg.package}/bin/envoy -c ${validateConfig cfg.requireValidConfig conf}"; CacheDirectory = [ "envoy" ]; LogsDirectory = [ "envoy" ]; Restart = "no"; CacheDirectory = "envoy"; LogsDirectory = "envoy"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_XDP"; SystemCallArchitectures = "native"; # Hardening AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; DeviceAllow = [ "" ]; DevicePolicy = "closed"; DynamicUser = true; LockPersonality = true; RestrictNamespaces = true; RestrictRealtime = true; PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE MemoryDenyWriteExecute = false; # at least wasmr needs WX permission PrivateDevices = true; PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "ptraceable"; ProtectHostname = true; ProtectSystem = "strict"; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" "AF_XDP" ]; RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; SystemCallErrorNumber = "EPERM"; SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; UMask = "0066"; SystemCallFilter = "~@clock @module @mount @reboot @swap @obsolete @cpu-emulation"; }; }; }; Loading
nixos/modules/services/networking/hostapd.nix +3 −1 Original line number Diff line number Diff line Loading @@ -20,6 +20,8 @@ let ssid=${cfg.ssid} hw_mode=${cfg.hwMode} channel=${toString cfg.channel} ieee80211n=1 ieee80211ac=1 ${optionalString (cfg.countryCode != null) "country_code=${cfg.countryCode}"} ${optionalString (cfg.countryCode != null) "ieee80211d=1"} Loading @@ -34,6 +36,7 @@ let ${optionalString cfg.wpa '' wpa=2 wpa_pairwise=CCMP wpa_passphrase=${cfg.wpaPassphrase} ''} ${optionalString cfg.noScan "noscan=1"} Loading Loading @@ -66,7 +69,6 @@ in }; interface = mkOption { default = ""; example = "wlp2s0"; type = types.str; description = lib.mdDoc '' Loading
nixos/modules/services/security/yubikey-agent.nix +3 −0 Original line number Diff line number Diff line Loading @@ -57,6 +57,9 @@ in ]; }; # Yubikey-agent expects pcsd to be running in order to function. services.pcscd.enable = true; environment.extraInit = '' if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock" Loading
nixos/tests/envoy.nix +28 −7 Original line number Diff line number Diff line Loading @@ -13,7 +13,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { socket_address = { protocol = "TCP"; address = "127.0.0.1"; port_value = 9901; port_value = 80; }; }; }; Loading @@ -22,12 +22,33 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { clusters = []; }; }; specialisation = { withoutConfigValidation.configuration = { ... }: { services.envoy = { requireValidConfig = false; settings.admin.access_log_path = lib.mkForce "/var/log/envoy/access.log"; }; }; }; }; testScript = '' testScript = { nodes, ... }: let specialisations = "${nodes.machine.system.build.toplevel}/specialisation"; in '' machine.start() with subtest("envoy.service starts and responds with ready"): machine.wait_for_unit("envoy.service") machine.wait_for_open_port(80) machine.wait_until_succeeds("curl -fsS localhost:80/ready") with subtest("envoy.service works with config path not available at eval time"): machine.succeed('${specialisations}/withoutConfigValidation/bin/switch-to-configuration test') machine.wait_for_unit("envoy.service") machine.wait_for_open_port(9901) machine.wait_until_succeeds("curl -fsS localhost:9901/ready") machine.wait_for_open_port(80) machine.wait_until_succeeds("curl -fsS localhost:80/ready") machine.succeed('test -f /var/log/envoy/access.log') ''; })
pkgs/applications/audio/gtkcord4/default.nix +3 −3 Original line number Diff line number Diff line Loading @@ -19,13 +19,13 @@ buildGoModule rec { pname = "gtkcord4"; version = "0.0.8"; version = "0.0.9"; src = fetchFromGitHub { owner = "diamondburned"; repo = pname; rev = "v${version}"; hash = "sha256-aJRVk9KFCJbIFInkg5BCJ6ygBlDCFF53WXO9qyACFus="; hash = "sha256-55mS+hrhLLRkhgih5lvdM9Xka+WKg2iliFm6TYF6n3w="; }; nativeBuildInputs = [ Loading Loading @@ -61,7 +61,7 @@ buildGoModule rec { install -D -m 444 internal/icons/png/logo.png $out/share/icons/hicolor/256x256/apps/gtkcord4.png ''; vendorHash = "sha256-usnlaOqyMd8rdnFpuCqfaCES8bPaB+NbdL4pFybKJbM="; vendorHash = "sha256-IQpokMeo46vZIdVA1F7JILXCN9bUqTMOCa/SQ0JSjaM="; meta = with lib; { description = "GTK4 Discord client in Go, attempt #4."; Loading