Unverified Commit e1bd5e9e authored by nixpkgs-ci[bot]'s avatar nixpkgs-ci[bot] Committed by GitHub

Merge master into staging-nixos

parents 3b2a8146 236a3104
+19 −0
@@ -115,6 +115,25 @@ patch those plugins but expose the necessary configuration under
`PLUGIN.passthru.initLua` for neovim plugins. For instance, the `unicode-vim` plugin
needs the path towards a unicode database so we expose the following snippet `vim.g.Unicode_data_directory="${self.unicode-vim}/autoload/unicode"` under `vimPlugins.unicode-vim.passthru.initLua`.

### Plugin license overrides {#neovim-plugin-license-overrides}

Generated Vim and Neovim plugins get their `meta.license` from GitHub license metadata when possible.
Some upstream repositories do not expose a license file that GitHub can detect, or only mention the license in a README.
In those cases, add a manual `meta.license` override in [overrides.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/overrides.nix).

For example, if upstream documents that a plugin uses the Vim license but GitHub does not detect it:

```nix
{
  foo-nvim = super.foo-nvim.overrideAttrs (old: {
    meta = old.meta // {
      # README says this plugin is distributed under the Vim license.
      license = lib.licenses.vim;
    };
  });
}
```

## LuaRocks based plugins {#neovim-luarocks-based-plugins}

In order to automatically handle plugin dependencies, several Neovim plugins
+3 −0
@@ -4483,6 +4483,9 @@
    "index.html#neovim-plugin-required-snippet",
    "index.html#vim-plugin-required-snippet"
  ],
  "neovim-plugin-license-overrides": [
    "index.html#neovim-plugin-license-overrides"
  ],
  "updating-plugins-in-nixpkgs": [
    "index.html#updating-plugins-in-nixpkgs"
  ],
+1 −0
@@ -145,6 +145,7 @@ in
        RuntimeDirectoryMode = "0750";
        EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
        ReadWritePaths = [ stateDir ];
        ExecPaths = [ stateDir ];

        # Hardening
        CapabilityBoundingSet = "";
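Review bot: The single added line in this hunk is presumably `ExecPaths = [ stateDir ];`, which marks the unit's writable state directory (already listed under `ReadWritePaths`) as executable. `ExecPaths=` only has an effect when `NoExecPaths=` is also set on the unit, and the rest of the hardening block lies outside the hunk, so it is not visible whether this now creates a write+execute exception for the state directory or is a no-op; either way the reason the directory must be executable is not stated. A comment on the line, e.g. `# stateDir must stay executable: <reason>; pairs with NoExecPaths below`, would make the trade-off explicit for the next reader. The enclosing serviceConfig attrset starts and ends outside the hunk.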
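--- /dev/null
+++ b/agent-tpm.nix
@@ -0,0 +1,34 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  cfg = config.services.spire.agent;
+in
+{
+  options.services.spire.agent.settings.plugins.NodeAttestor.tpm = lib.mkOption {
+    default = null;
+    description = "TPM 2.0 node attestation plugin. When set, automatically enables security.tpm2 and grants the spire-agent user access to the TPM device.";
+    type = lib.types.nullOr (
+      lib.types.submodule {
+        freeformType = (pkgs.formats.hcl1 { }).type;
+        options.plugin_cmd = lib.mkOption {
+          type = lib.types.str;
+          default = lib.getExe' pkgs.spire-tpm-plugin "tpm_attestor_agent";
+          defaultText = lib.literalExpression ''lib.getExe' pkgs.spire-tpm-plugin "tpm_attestor_agent"'';
+          description = "Path to the TPM attestor agent plugin binary.";
+        };
+      }
+    );
+  };
+
+  config = lib.mkIf (cfg.enable && cfg.settings.plugins.NodeAttestor.tpm != null) {
+    security.tpm2.enable = true;
+
+    systemd.services.spire-agent.serviceConfig.SupplementaryGroups = [
+      config.security.tpm2.tssGroup
+    ];
+  };
+}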
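Review bot: Adding `config.security.tpm2.tssGroup` to `SupplementaryGroups` only gives the agent the TPM device if the unit can see that device at all; the spire-agent service's hardening block (the `# Hardening` section with an empty `CapabilityBoundingSet`, partly visible elsewhere in this commit) is not shown here, and if it sets `PrivateDevices` or a closed `DevicePolicy`, the group membership alone will not expose the TPM resource manager device and a `DeviceAllow` entry (or relaxing that setting) would be needed in the same `config` block. I would confirm this against the unit's serviceConfig and record the outcome next to `SupplementaryGroups`, e.g. `# tss group membership is sufficient: the unit does not restrict device access` or the corresponding DeviceAllow line. The option description's claim that setting the option "grants the spire-agent user access to the TPM device" holds only under that condition and should be qualified accordingly.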
+52 −9
@@ -26,28 +26,38 @@ in
          agent = {
            trust_domain = lib.mkOption {
              type = lib.types.str;
              description = "The trust domain that this agent belongs to";
              description = "The trust domain that this agent belongs to (should be no more than 255 characters)";
              example = "example.com";
            };
            data_dir = lib.mkOption {
              type = lib.types.str;
              default = "$STATE_DIRECTORY";
              description = "The directory where the SPIRE agent stores its data";
              description = "A directory the agent can use for its runtime data";
            };
            server_address = lib.mkOption {
              type = lib.types.str;
              description = "The address of the SPIRE server";
              description = "DNS name or IP address of the SPIRE server";
              example = "server.example.com";
            };
            server_port = lib.mkOption {
              type = lib.types.port;
              default = 8081;
              description = "The port on which the SPIRE server is listening";
              description = "Port number of the SPIRE server";
            };
            socket_path = lib.mkOption {
              type = lib.types.path;
              default = "/run/spire/agent/public/api.sock";
              description = "The path to the SPIRE agent socket";
              description = "Location to bind the SPIRE Agent API socket (Unix only)";
            };
            join_token = lib.mkOption {
              type = lib.types.nullOr lib.types.str;
              default = null;
              description = "An optional token which has been generated by the SPIRE server";
            };
            join_token_file = lib.mkOption {
              type = lib.types.nullOr lib.types.str;
              default = null;
              description = "Path to a file containing an optional join token which has been generated by the SPIRE server";
            };
          };
          plugins = lib.mkOption {
@@ -55,8 +65,39 @@ in
              Built-in plugin types can be found at [the plugin types documentation](https://spiffe.io/docs/latest/deploying/spire_agent/#plugin-types).
              See [plugin configuration](https://spiffe.io/docs/latest/deploying/spire_agent/#plugin-configuration) for options and how to configure external plugins.
            '';
            # TODO: We can probably enforce some of these constraints with a submodule
            type = format.type;
            type = lib.types.submodule {
              freeformType = format.type;
              options.NodeAttestor = lib.mkOption {
                default = { };
                description = ''
                  Gathers information used to attest the agent's identity to the server. Generally paired with a server plugin of the same type.
                '';
                type = lib.types.submodule {
                  freeformType = format.type;
                  options.join_token = lib.mkOption {
                    default = null;
                    description = ''
                      The `join_token` is responsible for attesting the agent's identity using a one-time-use pre-shared key.

                      Must be used in conjunction with the server-side `join_token` plugin.
                    '';
                    type = lib.types.nullOr (
                      lib.types.submodule {
                        freeformType = format.type;
                        options.plugin_data = lib.mkOption {
                          type = lib.types.submodule { };
                          default = { };
                          description = ''
                            As a special case for node attestors, the join token itself is configured by a CLI flag (`-joinToken`)
                            or by configuring `join_token` in the agent's main config body.
                          '';
                        };
                      }
                    );
                  };
                };
              };
            };
            example = {
              KeyManager.memory.plugin_data = { };
              NodeAttestor.join_token.plugin_data = { };
@@ -71,7 +112,7 @@ in
    configFile = lib.mkOption {
      type = lib.types.path;
      defaultText = "Config file generated from services.spire.agent.settings";
      default = format.generate "agent.conf" cfg.settings;
      default = format.generate "agent.conf" (lib.filterAttrsRecursive (_: v: v != null) cfg.settings);
      description = ''
        Path to the SPIRE agent configuration file. See [the documentation](https://spiffe.io/docs/latest/deploying/spire_agent/) for more information.
      '';
@@ -80,10 +121,12 @@ in
    expandEnv = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Expand environment variables in SPIRE config file";
      description = "Expand environment $VARIABLES in the config file";
    };

  };
  imports = [ ./agent-tpm.nix ];

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];

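Review bot: The new `join_token` option in the first hunk takes the one-time pre-shared key as a plain string, and the default `configFile` in the third hunk renders `cfg.settings` with `format.generate` into the Nix store, so a token set this way ends up world-readable on the host; neither the option description nor the `configFile` description says so. The description should steer users to `join_token_file` (declared right below it) or to an environment-variable reference expanded through `expandEnv` and supplied via the unit's environment, e.g. `An optional join token generated by the SPIRE server. Note: the value is written into the generated config file in the world-readable Nix store; prefer join_token_file, or an environment variable reference expanded via expandEnv.` The same store-exposure applies to secrets placed anywhere under the freeform `plugins.*.plugin_data`, but that is pre-existing behaviour rather than something this commit introduces. The first hunk's enclosing `agent = { ... }` submodule starts before the hunk.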