Commit bef20b38 authored by Frederik Rietdijk's avatar Frederik Rietdijk

Merge master into staging-next

parents 16287a8c d35735ae
+10 −0
@@ -7266,6 +7266,16 @@
    githubId = 2770647;
    name = "Simon Vandel Sillesen";
  };
  siriobalmelli = {
    email = "sirio@b-ad.ch";
    github = "siriobalmelli";
    githubId = 23038812;
    name = "Sirio Balmelli";
    keys = [{
      longkeyid = "ed25519/0xF72C4A887F9A24CA";
      fingerprint = "B234 EFD4 2B42 FE81 EE4D  7627 F72C 4A88 7F9A 24CA";
    }];
  };
  sivteck = {
    email = "sivaram1992@gmail.com";
    github = "sivteck";
+1 −1
@@ -2,7 +2,7 @@

# Download patches from debian project
# Usage $0 debian-patches.txt debian-patches.nix
# An example input and output files can be found in applications/graphics/xara/
# An example input and output files can be found in tools/graphics/plotutils

DEB_URL=https://sources.debian.org/data/main
declare -a deb_patches
+1 −0
@@ -831,6 +831,7 @@
  ./services/web-apps/atlassian/crowd.nix
  ./services/web-apps/atlassian/jira.nix
  ./services/web-apps/codimd.nix
  ./services/web-apps/convos.nix
  ./services/web-apps/cryptpad.nix
  ./services/web-apps/documize.nix
  ./services/web-apps/dokuwiki.nix
+13 −5
@@ -15,7 +15,11 @@ let

    listen:
    (
      { host: "${cfg.listenAddress}"; port: "${toString cfg.port}"; }
      ${
        concatMapStringsSep ",\n"
        (addr: ''{ host: "${addr}"; port: "${toString cfg.port}"; }'')
        cfg.listenAddresses
      }
    );

    ${cfg.appendConfig}
@@ -33,6 +37,10 @@ let
  '';
in
{
  imports = [
    (mkRenamedOptionModule [ "services" "sslh" "listenAddress" ] [ "services" "sslh" "listenAddresses" ])
  ];

  options = {
    services.sslh = {
      enable = mkEnableOption "sslh";
@@ -55,10 +63,10 @@ in
        description = "Will the services behind sslh (Apache, sshd and so on) see the external IP and ports as if the external world connected directly to them";
      };

      listenAddress = mkOption {
        type = types.str;
        default = "0.0.0.0";
        description = "Listening address or hostname.";
      listenAddresses = mkOption {
        type = types.coercedTo types.str singleton (types.listOf types.str);
        default = [ "0.0.0.0" "[::]" ];
        description = "Listening addresses or hostnames.";
      };

      port = mkOption {
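Review bot: The new default `[ "0.0.0.0" "[::]" ]` makes sslh listen on the IPv6 wildcard as well, where the old `listenAddress` default bound IPv4 only, so a host that relied on the default becomes reachable over IPv6 after this change, and its IPv6 firewall rules may not match the IPv4 ones. The option text should say this, e.g. `description = "Listening addresses or hostnames. The default listens on all IPv4 and IPv6 addresses.";`, and the behaviour change probably deserves a release-note entry next to the rename. Each entry is interpolated into the generated file as `host: "${addr}"` with no escaping, which is acceptable for administrator-supplied values but means a malformed address only fails when sslh parses its config. The config string and the `options` block both start and end outside these hunks, so other uses of the old option name are not visible here.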
+72 −0
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.convos;
in
{
  options.services.convos = {
    enable = mkEnableOption "Convos";
    listenPort = mkOption {
      type = types.port;
      default = 3000;
      example = 8080;
      description = "Port the web interface should listen on";
    };
    listenAddress = mkOption {
      type = types.str;
      default = "*";
      example = "127.0.0.1";
      description = "Address or host the web interface should listen on";
    };
    reverseProxy = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables reverse proxy support. This will allow Convos to automatically
        pick up the <literal>X-Forwarded-For</literal> and
        <literal>X-Request-Base</literal> HTTP headers set in your reverse proxy
        web server. Note that enabling this option without a reverse proxy in
        front will be a security issue.
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services.convos = {
      description = "Convos Service";
      wantedBy = [ "multi-user.target" ];
      after = [ "networking.target" ];
      environment = {
        CONVOS_HOME = "%S/convos";
        CONVOS_REVERSE_PROXY = if cfg.reverseProxy then "1" else "0";
        MOJO_LISTEN = "http://${toString cfg.listenAddress}:${toString cfg.listenPort}";
      };
      serviceConfig = {
        ExecStart = "${pkgs.convos}/bin/convos daemon";
        Restart = "on-failure";
        StateDirectory = "convos";
        WorkingDirectory = "%S/convos";
        DynamicUser = true;
        MemoryDenyWriteExecute = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateUsers = true;
        LockPersonality = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6"];
        SystemCallFilter = "@system-service";
        SystemCallArchitectures = "native";
        CapabilityBoundingSet = "";
      };
    };
  };
}
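Review bot: `listenAddress` defaults to `"*"`, so the plain-HTTP listener built in `MOJO_LISTEN` is bound on every interface, and nothing in `config` ties `reverseProxy = true` to a loopback or otherwise restricted bind; a client that reaches the port directly can then supply `X-Forwarded-For` itself, which is the situation the option text warns about. Consider a warning inside `config`, for example `warnings = optional (cfg.reverseProxy && cfg.listenAddress == "*") "services.convos.reverseProxy is set while Convos listens on all addresses; bind to the proxy-facing address or firewall the port.";`, and state in the `listenAddress` description that the default exposes the port on all interfaces. Separately, `after = [ "networking.target" ]` names a unit that is not among systemd's standard targets, so the ordering is probably a no-op; `network.target` looks like what was meant.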