Unverified Commit df5a154f authored by nixpkgs-ci[bot]'s avatar nixpkgs-ci[bot] Committed by GitHub

Merge master into staging-next

parents 6df44a35 3ca2ceda
+6 −0
@@ -17189,6 +17189,12 @@
    githubId = 7820716;
    name = "orthros";
  };
  osbm = {
    email = "osmanfbayram@gmail.com";
    github = "osbm";
    githubId = 74963545;
    name = "Osman Bayram";
  };
  osener = {
    email = "ozan@ozansener.com";
    github = "ozanmakes";
+4 −0
@@ -69,6 +69,8 @@

- [crab-hole](https://github.com/LuckyTurtleDev/crab-hole), a cross platform Pi-hole clone written in Rust using hickory-dns/trust-dns. Available as [services.crab-hole](#opt-services.crab-hole.enable).

- [zwave-js-ui](https://zwave-js.github.io/zwave-js-ui/), a full featured Z-Wave Control Panel and MQTT Gateway. Available as [services.zwave-js-ui](#opt-services.zwave-js-ui.enable).

- [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](options.html#opt-services.amazon-cloudwatch-agent.enable).

- [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](options.html#opt-programs.bat).
@@ -115,6 +117,8 @@

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `ast-grep` remove `sg` command to prevent conflict with `sg` command from shadow-utils. If you need legacy sg command compatibility with old code, you can use `ast-grep.override { enableLegacySg = true; }`

- `binwalk` was updated to 3.1.0, which has been rewritten in rust. The python module is no longer available.
  See the release notes of [3.1.0](https://github.com/ReFirmLabs/binwalk/releases/tag/v3.1.0) for more information.

+1 −0
@@ -668,6 +668,7 @@
  ./services/home-automation/wyoming/satellite.nix
  ./services/home-automation/zigbee2mqtt.nix
  ./services/home-automation/zwave-js.nix
  ./services/home-automation/zwave-js-ui.nix
  ./services/logging/SystemdJournal2Gelf.nix
  ./services/logging/awstats.nix
  ./services/logging/filebeat.nix
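--- /dev/null
+++ b/nixos/modules/services/home-automation/zwave-js-ui.nix
@@ -0,0 +1,120 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mkIf
+    mkEnableOption
+    mkOption
+    mkPackageOption
+    types
+    ;
+  cfg = config.services.zwave-js-ui;
+in
+{
+  options.services.zwave-js-ui = {
+    enable = mkEnableOption "zwave-js-ui";
+
+    package = mkPackageOption pkgs "zwave-js-ui" { };
+
+    serialPort = mkOption {
+      type = types.path;
+      description = ''
+        Serial port for the Z-Wave controller.
+
+        Only used to grant permissions to the device; must be additionally configured in the application
+      '';
+      example = "/dev/serial/by-id/usb-example";
+    };
+
+    settings = mkOption {
+      type = types.submodule {
+        freeformType =
+          with types;
+          attrsOf (
+            nullOr (oneOf [
+              str
+              path
+              package
+            ])
+          );
+
+        options = {
+          STORE_DIR = mkOption {
+            type = types.str;
+            default = "%S/zwave-js-ui";
+            visible = false;
+            readOnly = true;
+          };
+
+          ZWAVEJS_EXTERNAL_CONFIG = mkOption {
+            type = types.str;
+            default = "%S/zwave-js-ui/.config-db";
+            visible = false;
+            readOnly = true;
+          };
+        };
+      };
+
+      description = ''
+        Extra environment variables passed to the zwave-js-ui process.
+
+        Check <https://zwave-js.github.io/zwave-js-ui/#/guide/env-vars> for possible options
+      '';
+      example = {
+        HOST = "::";
+        PORT = "8091";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.zwave-js-ui = {
+      environment = cfg.settings;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        RuntimeDirectory = "zwave-js-ui";
+        StateDirectory = "zwave-js-ui";
+        RootDirectory = "%t/zwave-js-ui";
+        BindReadOnlyPaths = [
+          "/nix/store"
+        ];
+        DeviceAllow = [ cfg.serialPort ];
+        DynamicUser = true;
+        SupplementaryGroups = [ "dialout" ];
+        CapabilityBoundingSet = [ "" ];
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = false;
+        NoNewPrivileges = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernalTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service @pkey"
+          "~@privileged @resources"
+        ];
+        UMask = "0077";
+      };
+    };
+  };
+  meta.maintainers = with lib.maintainers; [ cdombroski ];
+}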
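Review bot: `ProtectKernalTunables = true;` near the bottom of serviceConfig is misspelled; NixOS writes serviceConfig keys verbatim into the unit, so systemd logs an "Unknown key name" warning and ignores it, leaving the process with write access to /proc/sys, /sys and friends that the rest of this hardening block is clearly meant to remove. Change it to `ProtectKernelTunables = true;`. Separately, `environment = cfg.settings;` renders every value into the unit file in the world-readable Nix store, while the `settings` description only points at the upstream env-var list, which presumably includes secret-bearing variables; add a sentence such as `Values are stored in the world-readable Nix store; do not put secrets here, pass them via serviceConfig.EnvironmentFile or LoadCredential instead.` to the description. A one-line why-comment on `MemoryDenyWriteExecute = false;` (presumably relaxed for the Node.js JIT — confirm) would also keep the next reader from tightening it back by accident.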
+0 −10
@@ -559,16 +559,6 @@ in

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # This is stricter than it needs to be but is exactly what upstream does:
        # https://github.com/kradalby/headscale/blob/adc084f20f843d7963c999764fa83939668d2d2c/hscontrol/types/config.go#L799
        assertion =
          with cfg.settings;
          dns.use_username_in_magic_dns or false
          || dns.base_domain == ""
          || !lib.hasInfix dns.base_domain server_url;
        message = "server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.";
      }
      {
        assertion = with cfg.settings; dns.magic_dns -> dns.base_domain != "";
        message = "dns.base_domain must be set when using MagicDNS";