treewide/nixos: remove `with lib;` part 10 (#369233)

+7 -10

nixos/modules/services/search/manticore.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 12 9 cfg = config.services.manticore; ··· 14 11 15 12 toSphinx = 16 13 { 17 - mkKeyValue ? generators.mkKeyValueDefault { } "=", 14 + mkKeyValue ? lib.generators.mkKeyValueDefault { } "=", 18 15 listsAsDuplicateKeys ? true, 19 16 }: 20 17 attrsOfAttrs: ··· 22 19 # map function to string for each key val 23 20 mapAttrsToStringsSep = 24 21 sep: mapFn: attrs: 25 - concatStringsSep sep (mapAttrsToList mapFn attrs); 22 + lib.concatStringsSep sep (lib.mapAttrsToList mapFn attrs); 26 23 mkSection = 27 24 sectName: sectValues: 28 25 '' ··· 46 43 options = { 47 44 services.manticore = { 48 45 49 - enable = mkEnableOption "Manticoresearch"; 46 + enable = lib.mkEnableOption "Manticoresearch"; 50 47 51 - settings = mkOption { 48 + settings = lib.mkOption { 52 49 default = { 53 50 searchd = { 54 51 listen = [ ··· 67 64 <https://manual.manticoresearch.com/Server%20settings> 68 65 for more information. 69 66 ''; 70 - type = types.submodule { 67 + type = lib.types.submodule { 71 68 freeformType = format.type; 72 69 }; 73 - example = literalExpression '' 70 + example = lib.literalExpression '' 74 71 { 75 72 searchd = { 76 73 listen = [ ··· 90 87 }; 91 88 }; 92 89 93 - config = mkIf cfg.enable { 90 + config = lib.mkIf cfg.enable { 94 91 95 92 systemd = { 96 93 packages = [ pkgs.manticoresearch ];

+22 -25

nixos/modules/services/search/meilisearch.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.meilisearch; 12 9 13 10 in 14 11 { 15 12 16 - meta.maintainers = with maintainers; [ 13 + meta.maintainers = with lib.maintainers; [ 17 14 Br1ght0ne 18 15 happysalada 19 16 ]; ··· 22 19 ###### interface 23 20 24 21 options.services.meilisearch = { 25 - enable = mkEnableOption "MeiliSearch - a RESTful search API"; 22 + enable = lib.mkEnableOption "MeiliSearch - a RESTful search API"; 26 23 27 - package = mkPackageOption pkgs "meilisearch" { 24 + package = lib.mkPackageOption pkgs "meilisearch" { 28 25 extraDescription = '' 29 26 Use this if you require specific features to be enabled. The default package has no features. 30 27 ''; 31 28 }; 32 29 33 - listenAddress = mkOption { 30 + listenAddress = lib.mkOption { 34 31 description = "MeiliSearch listen address."; 35 32 default = "127.0.0.1"; 36 - type = types.str; 33 + type = lib.types.str; 37 34 }; 38 35 39 - listenPort = mkOption { 36 + listenPort = lib.mkOption { 40 37 description = "MeiliSearch port to listen on."; 41 38 default = 7700; 42 - type = types.port; 39 + type = lib.types.port; 43 40 }; 44 41 45 - environment = mkOption { 42 + environment = lib.mkOption { 46 43 description = "Defines the running environment of MeiliSearch."; 47 44 default = "development"; 48 - type = types.enum [ 45 + type = lib.types.enum [ 49 46 "development" 50 47 "production" 51 48 ]; 52 49 }; 53 50 54 51 # TODO change this to LoadCredentials once possible 55 - masterKeyEnvironmentFile = mkOption { 52 + masterKeyEnvironmentFile = lib.mkOption { 56 53 description = '' 57 54 Path to file which contains the master key. 58 55 By doing so, all routes will be protected and will require a key to be accessed. ··· 61 58 MEILI_MASTER_KEY=my_secret_key 62 59 ''; 63 60 default = null; 64 - type = with types; nullOr path; 61 + type = with lib.types; nullOr path; 65 62 }; 66 63 67 - noAnalytics = mkOption { 64 + noAnalytics = lib.mkOption { 68 65 description = '' 69 66 Deactivates analytics. 70 67 Analytics allow MeiliSearch to know how many users are using MeiliSearch, ··· 72 69 This process is entirely anonymous. 73 70 ''; 74 71 default = true; 75 - type = types.bool; 72 + type = lib.types.bool; 76 73 }; 77 74 78 - logLevel = mkOption { 75 + logLevel = lib.mkOption { 79 76 description = '' 80 77 Defines how much detail should be present in MeiliSearch's logs. 81 78 MeiliSearch currently supports four log levels, listed in order of increasing verbosity: ··· 86 83 Useful when diagnosing issues and debugging 87 84 ''; 88 85 default = "INFO"; 89 - type = types.str; 86 + type = lib.types.str; 90 87 }; 91 88 92 - maxIndexSize = mkOption { 89 + maxIndexSize = lib.mkOption { 93 90 description = '' 94 91 Sets the maximum size of the index. 95 92 Value must be given in bytes or explicitly stating a base unit. ··· 97 94 Default is 100 GiB 98 95 ''; 99 96 default = "107374182400"; 100 - type = types.str; 97 + type = lib.types.str; 101 98 }; 102 99 103 - payloadSizeLimit = mkOption { 100 + payloadSizeLimit = lib.mkOption { 104 101 description = '' 105 102 Sets the maximum size of accepted JSON payloads. 106 103 Value must be given in bytes or explicitly stating a base unit. ··· 108 105 Default is ~ 100 MB 109 106 ''; 110 107 default = "104857600"; 111 - type = types.str; 108 + type = lib.types.str; 112 109 }; 113 110 114 111 }; 115 112 116 113 ###### implementation 117 114 118 - config = mkIf cfg.enable { 115 + config = lib.mkIf cfg.enable { 119 116 120 117 # used to restore dumps 121 118 environment.systemPackages = [ cfg.package ]; ··· 127 124 environment = { 128 125 MEILI_DB_PATH = "/var/lib/meilisearch"; 129 126 MEILI_HTTP_ADDR = "${cfg.listenAddress}:${toString cfg.listenPort}"; 130 - MEILI_NO_ANALYTICS = boolToString cfg.noAnalytics; 127 + MEILI_NO_ANALYTICS = lib.boolToString cfg.noAnalytics; 131 128 MEILI_ENV = cfg.environment; 132 129 MEILI_DUMP_DIR = "/var/lib/meilisearch/dumps"; 133 130 MEILI_LOG_LEVEL = cfg.logLevel; ··· 137 134 ExecStart = "${cfg.package}/bin/meilisearch"; 138 135 DynamicUser = true; 139 136 StateDirectory = "meilisearch"; 140 - EnvironmentFile = mkIf (cfg.masterKeyEnvironmentFile != null) cfg.masterKeyEnvironmentFile; 137 + EnvironmentFile = lib.mkIf (cfg.masterKeyEnvironmentFile != null) cfg.masterKeyEnvironmentFile; 141 138 }; 142 139 }; 143 140 };

+6 -9

nixos/modules/services/search/opensearch.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.opensearch; 12 9 ··· 28 25 { 29 26 30 27 options.services.opensearch = { 31 - enable = mkEnableOption "OpenSearch"; 28 + enable = lib.mkEnableOption "OpenSearch"; 32 29 33 30 package = lib.mkPackageOption pkgs "OpenSearch" { 34 31 default = [ "opensearch" ]; ··· 113 110 rootLogger.level = info 114 111 rootLogger.appenderRef.console.ref = console 115 112 ''; 116 - type = types.str; 113 + type = lib.types.str; 117 114 }; 118 115 119 116 dataDir = lib.mkOption { 120 117 type = lib.types.path; 121 118 default = "/var/lib/opensearch"; 122 - apply = converge (removeSuffix "/"); 119 + apply = lib.converge (lib.removeSuffix "/"); 123 120 description = '' 124 121 Data directory for OpenSearch. If you change this, you need to 125 122 manually create the directory. You also need to create the ··· 173 170 }; 174 171 }; 175 172 176 - config = mkIf cfg.enable { 173 + config = lib.mkIf cfg.enable { 177 174 systemd.services.opensearch = { 178 175 description = "OpenSearch Daemon"; 179 176 wantedBy = [ "multi-user.target" ]; ··· 194 191 set -o errexit -o pipefail -o nounset -o errtrace 195 192 shopt -s inherit_errexit 196 193 '' 197 - + (optionalString (!config.boot.isContainer) '' 194 + + (lib.optionalString (!config.boot.isContainer) '' 198 195 # Only set vm.max_map_count if lower than ES required minimum 199 196 # This avoids conflict if configured via boot.kernel.sysctl 200 197 if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then ··· 268 265 TimeoutStartSec = "infinity"; 269 266 DynamicUser = usingDefaultUserAndGroup && usingDefaultDataDir; 270 267 } 271 - // (optionalAttrs (usingDefaultDataDir) { 268 + // (lib.optionalAttrs (usingDefaultDataDir) { 272 269 StateDirectory = "opensearch"; 273 270 StateDirectoryMode = "0700"; 274 271 });

+34 -36

nixos/modules/services/search/qdrant.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 7 let 10 8 11 9 cfg = config.services.qdrant; ··· 17 15 18 16 options = { 19 17 services.qdrant = { 20 - enable = mkEnableOption "Vector Search Engine for the next generation of AI applications"; 18 + enable = lib.mkEnableOption "Vector Search Engine for the next generation of AI applications"; 21 19 22 - settings = mkOption { 20 + settings = lib.mkOption { 23 21 description = '' 24 22 Configuration for Qdrant 25 23 Refer to <https://github.com/qdrant/qdrant/blob/master/config/config.yaml> for details on supported values. ··· 43 41 telemetry_disabled = true; 44 42 }; 45 43 46 - defaultText = literalExpression '' 44 + defaultText = lib.literalExpression '' 47 45 { 48 46 storage = { 49 47 storage_path = "/var/lib/qdrant/storage"; ··· 64 62 }; 65 63 }; 66 64 67 - config = mkIf cfg.enable { 65 + config = lib.mkIf cfg.enable { 68 66 services.qdrant.settings = { 69 - service.static_content_dir = mkDefault pkgs.qdrant-web-ui; 70 - storage.storage_path = mkDefault "/var/lib/qdrant/storage"; 71 - storage.snapshots_path = mkDefault "/var/lib/qdrant/snapshots"; 67 + service.static_content_dir = lib.mkDefault pkgs.qdrant-web-ui; 68 + storage.storage_path = lib.mkDefault "/var/lib/qdrant/storage"; 69 + storage.snapshots_path = lib.mkDefault "/var/lib/qdrant/snapshots"; 72 70 # The following default values are the same as in the default config, 73 71 # they are just written here for convenience. 74 - storage.on_disk_payload = mkDefault true; 75 - storage.wal.wal_capacity_mb = mkDefault 32; 76 - storage.wal.wal_segments_ahead = mkDefault 0; 77 - storage.performance.max_search_threads = mkDefault 0; 78 - storage.performance.max_optimization_threads = mkDefault 1; 79 - storage.optimizers.deleted_threshold = mkDefault 0.2; 80 - storage.optimizers.vacuum_min_vector_number = mkDefault 1000; 81 - storage.optimizers.default_segment_number = mkDefault 0; 82 - storage.optimizers.max_segment_size_kb = mkDefault null; 83 - storage.optimizers.memmap_threshold_kb = mkDefault null; 84 - storage.optimizers.indexing_threshold_kb = mkDefault 20000; 85 - storage.optimizers.flush_interval_sec = mkDefault 5; 86 - storage.optimizers.max_optimization_threads = mkDefault 1; 87 - storage.hnsw_index.m = mkDefault 16; 88 - storage.hnsw_index.ef_construct = mkDefault 100; 89 - storage.hnsw_index.full_scan_threshold_kb = mkDefault 10000; 90 - storage.hnsw_index.max_indexing_threads = mkDefault 0; 91 - storage.hnsw_index.on_disk = mkDefault false; 92 - storage.hnsw_index.payload_m = mkDefault null; 93 - service.max_request_size_mb = mkDefault 32; 94 - service.max_workers = mkDefault 0; 95 - service.http_port = mkDefault 6333; 96 - service.grpc_port = mkDefault 6334; 97 - service.enable_cors = mkDefault true; 98 - cluster.enabled = mkDefault false; 72 + storage.on_disk_payload = lib.mkDefault true; 73 + storage.wal.wal_capacity_mb = lib.mkDefault 32; 74 + storage.wal.wal_segments_ahead = lib.mkDefault 0; 75 + storage.performance.max_search_threads = lib.mkDefault 0; 76 + storage.performance.max_optimization_threads = lib.mkDefault 1; 77 + storage.optimizers.deleted_threshold = lib.mkDefault 0.2; 78 + storage.optimizers.vacuum_min_vector_number = lib.mkDefault 1000; 79 + storage.optimizers.default_segment_number = lib.mkDefault 0; 80 + storage.optimizers.max_segment_size_kb = lib.mkDefault null; 81 + storage.optimizers.memmap_threshold_kb = lib.mkDefault null; 82 + storage.optimizers.indexing_threshold_kb = lib.mkDefault 20000; 83 + storage.optimizers.flush_interval_sec = lib.mkDefault 5; 84 + storage.optimizers.max_optimization_threads = lib.mkDefault 1; 85 + storage.hnsw_index.m = lib.mkDefault 16; 86 + storage.hnsw_index.ef_construct = lib.mkDefault 100; 87 + storage.hnsw_index.full_scan_threshold_kb = lib.mkDefault 10000; 88 + storage.hnsw_index.max_indexing_threads = lib.mkDefault 0; 89 + storage.hnsw_index.on_disk = lib.mkDefault false; 90 + storage.hnsw_index.payload_m = lib.mkDefault null; 91 + service.max_request_size_mb = lib.mkDefault 32; 92 + service.max_workers = lib.mkDefault 0; 93 + service.http_port = lib.mkDefault 6333; 94 + service.grpc_port = lib.mkDefault 6334; 95 + service.enable_cors = lib.mkDefault true; 96 + cluster.enabled = lib.mkDefault false; 99 97 # the following have been altered for security 100 - service.host = mkDefault "127.0.0.1"; 101 - telemetry_disabled = mkDefault true; 98 + service.host = lib.mkDefault "127.0.0.1"; 99 + telemetry_disabled = lib.mkDefault true; 102 100 }; 103 101 104 102 systemd.services.qdrant = {

+5 -8

nixos/modules/services/search/quickwit.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.quickwit; 12 9 ··· 19 16 { 20 17 21 18 options.services.quickwit = { 22 - enable = mkEnableOption "Quickwit"; 19 + enable = lib.mkEnableOption "Quickwit"; 23 20 24 21 package = lib.mkPackageOption pkgs "Quickwit" { 25 22 default = [ "quickwit" ]; ··· 83 80 dataDir = lib.mkOption { 84 81 type = lib.types.path; 85 82 default = "/var/lib/quickwit"; 86 - apply = converge (removeSuffix "/"); 83 + apply = lib.converge (lib.removeSuffix "/"); 87 84 description = '' 88 85 Data directory for Quickwit. If you change this, you need to 89 86 manually create the directory. You also need to create the ··· 130 127 }; 131 128 }; 132 129 133 - config = mkIf cfg.enable { 130 + config = lib.mkIf cfg.enable { 134 131 systemd.services.quickwit = { 135 132 description = "Quickwit"; 136 133 wantedBy = [ "multi-user.target" ]; ··· 143 140 { 144 141 ExecStart = '' 145 142 ${cfg.package}/bin/quickwit run --config ${quickwitYml} \ 146 - ${escapeShellArgs cfg.extraFlags} 143 + ${lib.escapeShellArgs cfg.extraFlags} 147 144 ''; 148 145 User = cfg.user; 149 146 Group = cfg.group; ··· 186 183 "@chown" 187 184 ]; 188 185 } 189 - // (optionalAttrs (usingDefaultDataDir) { 186 + // (lib.optionalAttrs (usingDefaultDataDir) { 190 187 StateDirectory = "quickwit"; 191 188 StateDirectoryMode = "0700"; 192 189 });

+34 -37

nixos/modules/services/security/certmgr.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.certmgr; 12 9 13 - specs = mapAttrsToList (n: v: rec { 10 + specs = lib.mapAttrsToList (n: v: rec { 14 11 name = n + ".json"; 15 - path = if isAttrs v then pkgs.writeText name (builtins.toJSON v) else v; 12 + path = if lib.isAttrs v then pkgs.writeText name (builtins.toJSON v) else v; 16 13 }) cfg.specs; 17 14 18 15 allSpecs = pkgs.linkFarm "certmgr.d" specs; ··· 29 26 ); 30 27 31 28 specPaths = map dirOf ( 32 - concatMap ( 29 + lib.concatMap ( 33 30 spec: 34 - if isAttrs spec then 35 - collect isString (filterAttrsRecursive (n: v: isAttrs v || n == "path") spec) 31 + if lib.isAttrs spec then 32 + lib.collect lib.isString (lib.filterAttrsRecursive (n: v: lib.isAttrs v || n == "path") spec) 36 33 else 37 34 [ spec ] 38 - ) (attrValues cfg.specs) 35 + ) (lib.attrValues cfg.specs) 39 36 ); 40 37 41 38 preStart = '' 42 - ${concatStringsSep " \\\n" ([ "mkdir -p" ] ++ map escapeShellArg specPaths)} 39 + ${lib.concatStringsSep " \\\n" ([ "mkdir -p" ] ++ map lib.escapeShellArg specPaths)} 43 40 ${cfg.package}/bin/certmgr -f ${certmgrYaml} check 44 41 ''; 45 42 in 46 43 { 47 44 options.services.certmgr = { 48 - enable = mkEnableOption "certmgr"; 45 + enable = lib.mkEnableOption "certmgr"; 49 46 50 - package = mkPackageOption pkgs "certmgr" { }; 47 + package = lib.mkPackageOption pkgs "certmgr" { }; 51 48 52 - defaultRemote = mkOption { 53 - type = types.str; 49 + defaultRemote = lib.mkOption { 50 + type = lib.types.str; 54 51 default = "127.0.0.1:8888"; 55 52 description = "The default CA host:port to use."; 56 53 }; 57 54 58 - validMin = mkOption { 55 + validMin = lib.mkOption { 59 56 default = "72h"; 60 - type = types.str; 57 + type = lib.types.str; 61 58 description = "The interval before a certificate expires to start attempting to renew it."; 62 59 }; 63 60 64 - renewInterval = mkOption { 61 + renewInterval = lib.mkOption { 65 62 default = "30m"; 66 - type = types.str; 63 + type = lib.types.str; 67 64 description = "How often to check certificate expirations and how often to update the cert_next_expires metric."; 68 65 }; 69 66 70 - metricsAddress = mkOption { 67 + metricsAddress = lib.mkOption { 71 68 default = "127.0.0.1"; 72 - type = types.str; 69 + type = lib.types.str; 73 70 description = "The address for the Prometheus HTTP endpoint."; 74 71 }; 75 72 76 - metricsPort = mkOption { 73 + metricsPort = lib.mkOption { 77 74 default = 9488; 78 - type = types.ints.u16; 75 + type = lib.types.ints.u16; 79 76 description = "The port for the Prometheus HTTP endpoint."; 80 77 }; 81 78 82 - specs = mkOption { 79 + specs = lib.mkOption { 83 80 default = { }; 84 - example = literalExpression '' 81 + example = lib.literalExpression '' 85 82 { 86 83 exampleCert = 87 84 let ··· 119 116 } 120 117 ''; 121 118 type = 122 - with types; 119 + with lib.types; 123 120 attrsOf ( 124 121 either path (submodule { 125 122 options = { 126 - service = mkOption { 123 + service = lib.mkOption { 127 124 type = nullOr str; 128 125 default = null; 129 126 description = "The service on which to perform \<action\> after fetching."; 130 127 }; 131 128 132 - action = mkOption { 129 + action = lib.mkOption { 133 130 type = addCheck str ( 134 131 x: 135 132 cfg.svcManager == "command" ··· 144 141 }; 145 142 146 143 # These ought all to be specified according to certmgr spec def. 147 - authority = mkOption { 144 + authority = lib.mkOption { 148 145 type = attrs; 149 146 description = "certmgr spec authority object."; 150 147 }; 151 148 152 - certificate = mkOption { 149 + certificate = lib.mkOption { 153 150 type = nullOr attrs; 154 151 description = "certmgr spec certificate object."; 155 152 }; 156 153 157 - private_key = mkOption { 154 + private_key = lib.mkOption { 158 155 type = nullOr attrs; 159 156 description = "certmgr spec private_key object."; 160 157 }; 161 158 162 - request = mkOption { 159 + request = lib.mkOption { 163 160 type = nullOr attrs; 164 161 description = "certmgr spec request object."; 165 162 }; ··· 173 170 ''; 174 171 }; 175 172 176 - svcManager = mkOption { 173 + svcManager = lib.mkOption { 177 174 default = "systemd"; 178 - type = types.enum [ 175 + type = lib.types.enum [ 179 176 "circus" 180 177 "command" 181 178 "dummy" ··· 193 190 194 191 }; 195 192 196 - config = mkIf cfg.enable { 193 + config = lib.mkIf cfg.enable { 197 194 assertions = [ 198 195 { 199 196 assertion = cfg.specs != { }; ··· 201 198 } 202 199 { 203 200 assertion = 204 - !any (hasAttrByPath [ 201 + !lib.any (lib.hasAttrByPath [ 205 202 "authority" 206 203 "auth_key" 207 - ]) (attrValues cfg.specs); 204 + ]) (lib.attrValues cfg.specs); 208 205 message = '' 209 206 Inline services.certmgr.specs are added to the Nix store rendering them world readable. 210 207 Specify paths as specs, if you want to use include auth_key - or use the auth_key_file option." ··· 214 211 215 212 systemd.services.certmgr = { 216 213 description = "certmgr"; 217 - path = mkIf (cfg.svcManager == "command") [ pkgs.bash ]; 214 + path = lib.mkIf (cfg.svcManager == "command") [ pkgs.bash ]; 218 215 wants = [ "network-online.target" ]; 219 216 after = [ "network-online.target" ]; 220 217 wantedBy = [ "multi-user.target" ];

+51 -54

nixos/modules/services/security/cfssl.nix

··· 5 5 pkgs, 6 6 ... 7 7 }: 8 - 9 - with lib; 10 - 11 8 let 12 9 cfg = config.services.cfssl; 13 10 in 14 11 { 15 12 options.services.cfssl = { 16 - enable = mkEnableOption "the CFSSL CA api-server"; 13 + enable = lib.mkEnableOption "the CFSSL CA api-server"; 17 14 18 - dataDir = mkOption { 15 + dataDir = lib.mkOption { 19 16 default = "/var/lib/cfssl"; 20 - type = types.path; 17 + type = lib.types.path; 21 18 description = '' 22 19 The work directory for CFSSL. 23 20 ··· 30 27 ''; 31 28 }; 32 29 33 - address = mkOption { 30 + address = lib.mkOption { 34 31 default = "127.0.0.1"; 35 - type = types.str; 32 + type = lib.types.str; 36 33 description = "Address to bind."; 37 34 }; 38 35 39 - port = mkOption { 36 + port = lib.mkOption { 40 37 default = 8888; 41 - type = types.port; 38 + type = lib.types.port; 42 39 description = "Port to bind."; 43 40 }; 44 41 45 - ca = mkOption { 46 - defaultText = literalExpression ''"''${cfg.dataDir}/ca.pem"''; 47 - type = types.str; 42 + ca = lib.mkOption { 43 + defaultText = lib.literalExpression ''"''${cfg.dataDir}/ca.pem"''; 44 + type = lib.types.str; 48 45 description = "CA used to sign the new certificate -- accepts '[file:]fname' or 'env:varname'."; 49 46 }; 50 47 51 - caKey = mkOption { 52 - defaultText = literalExpression ''"file:''${cfg.dataDir}/ca-key.pem"''; 53 - type = types.str; 48 + caKey = lib.mkOption { 49 + defaultText = lib.literalExpression ''"file:''${cfg.dataDir}/ca-key.pem"''; 50 + type = lib.types.str; 54 51 description = "CA private key -- accepts '[file:]fname' or 'env:varname'."; 55 52 }; 56 53 57 - caBundle = mkOption { 54 + caBundle = lib.mkOption { 58 55 default = null; 59 - type = types.nullOr types.path; 56 + type = lib.types.nullOr lib.types.path; 60 57 description = "Path to root certificate store."; 61 58 }; 62 59 63 - intBundle = mkOption { 60 + intBundle = lib.mkOption { 64 61 default = null; 65 - type = types.nullOr types.path; 62 + type = lib.types.nullOr lib.types.path; 66 63 description = "Path to intermediate certificate store."; 67 64 }; 68 65 69 - intDir = mkOption { 66 + intDir = lib.mkOption { 70 67 default = null; 71 - type = types.nullOr types.path; 68 + type = lib.types.nullOr lib.types.path; 72 69 description = "Intermediates directory."; 73 70 }; 74 71 75 - metadata = mkOption { 72 + metadata = lib.mkOption { 76 73 default = null; 77 - type = types.nullOr types.path; 74 + type = lib.types.nullOr lib.types.path; 78 75 description = '' 79 76 Metadata file for root certificate presence. 80 77 The content of the file is a json dictionary (k,v): each key k is ··· 83 80 ''; 84 81 }; 85 82 86 - remote = mkOption { 83 + remote = lib.mkOption { 87 84 default = null; 88 - type = types.nullOr types.str; 85 + type = lib.types.nullOr lib.types.str; 89 86 description = "Remote CFSSL server."; 90 87 }; 91 88 92 - configFile = mkOption { 89 + configFile = lib.mkOption { 93 90 default = null; 94 - type = types.nullOr types.str; 91 + type = lib.types.nullOr lib.types.str; 95 92 description = "Path to configuration file. Do not put this in nix-store as it might contain secrets."; 96 93 }; 97 94 98 - responder = mkOption { 95 + responder = lib.mkOption { 99 96 default = null; 100 - type = types.nullOr types.path; 97 + type = lib.types.nullOr lib.types.path; 101 98 description = "Certificate for OCSP responder."; 102 99 }; 103 100 104 - responderKey = mkOption { 101 + responderKey = lib.mkOption { 105 102 default = null; 106 - type = types.nullOr types.str; 103 + type = lib.types.nullOr lib.types.str; 107 104 description = "Private key for OCSP responder certificate. Do not put this in nix-store."; 108 105 }; 109 106 110 - tlsKey = mkOption { 107 + tlsKey = lib.mkOption { 111 108 default = null; 112 - type = types.nullOr types.str; 109 + type = lib.types.nullOr lib.types.str; 113 110 description = "Other endpoint's CA private key. Do not put this in nix-store."; 114 111 }; 115 112 116 - tlsCert = mkOption { 113 + tlsCert = lib.mkOption { 117 114 default = null; 118 - type = types.nullOr types.path; 115 + type = lib.types.nullOr lib.types.path; 119 116 description = "Other endpoint's CA to set up TLS protocol."; 120 117 }; 121 118 122 - mutualTlsCa = mkOption { 119 + mutualTlsCa = lib.mkOption { 123 120 default = null; 124 - type = types.nullOr types.path; 121 + type = lib.types.nullOr lib.types.path; 125 122 description = "Mutual TLS - require clients be signed by this CA."; 126 123 }; 127 124 128 - mutualTlsCn = mkOption { 125 + mutualTlsCn = lib.mkOption { 129 126 default = null; 130 - type = types.nullOr types.str; 127 + type = lib.types.nullOr lib.types.str; 131 128 description = "Mutual TLS - regex for whitelist of allowed client CNs."; 132 129 }; 133 130 134 - tlsRemoteCa = mkOption { 131 + tlsRemoteCa = lib.mkOption { 135 132 default = null; 136 - type = types.nullOr types.path; 133 + type = lib.types.nullOr lib.types.path; 137 134 description = "CAs to trust for remote TLS requests."; 138 135 }; 139 136 140 - mutualTlsClientCert = mkOption { 137 + mutualTlsClientCert = lib.mkOption { 141 138 default = null; 142 - type = types.nullOr types.path; 139 + type = lib.types.nullOr lib.types.path; 143 140 description = "Mutual TLS - client certificate to call remote instance requiring client certs."; 144 141 }; 145 142 146 - mutualTlsClientKey = mkOption { 143 + mutualTlsClientKey = lib.mkOption { 147 144 default = null; 148 - type = types.nullOr types.path; 145 + type = lib.types.nullOr lib.types.path; 149 146 description = "Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store."; 150 147 }; 151 148 152 - dbConfig = mkOption { 149 + dbConfig = lib.mkOption { 153 150 default = null; 154 - type = types.nullOr types.path; 151 + type = lib.types.nullOr lib.types.path; 155 152 description = "Certificate db configuration file. Path must be writeable."; 156 153 }; 157 154 158 - logLevel = mkOption { 155 + logLevel = lib.mkOption { 159 156 default = 1; 160 - type = types.enum [ 157 + type = lib.types.enum [ 161 158 0 162 159 1 163 160 2 ··· 169 166 }; 170 167 }; 171 168 172 - config = mkIf cfg.enable { 169 + config = lib.mkIf cfg.enable { 173 170 users.groups.cfssl = { 174 171 gid = config.ids.gids.cfssl; 175 172 }; ··· 223 220 (opt "loglevel" (toString logLevel)) 224 221 ]; 225 222 } 226 - (mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) { 223 + (lib.mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) { 227 224 StateDirectory = baseNameOf cfg.dataDir; 228 225 StateDirectoryMode = 700; 229 226 }) ··· 231 228 }; 232 229 233 230 services.cfssl = { 234 - ca = mkDefault "${cfg.dataDir}/ca.pem"; 235 - caKey = mkDefault "${cfg.dataDir}/ca-key.pem"; 231 + ca = lib.mkDefault "${cfg.dataDir}/ca.pem"; 232 + caKey = lib.mkDefault "${cfg.dataDir}/ca-key.pem"; 236 233 }; 237 234 }; 238 235 }

+45 -46

nixos/modules/services/security/clamav.nix

··· 1 1 { config, lib, pkgs, ... }: 2 - with lib; 3 2 let 4 3 clamavUser = "clamav"; 5 4 stateDir = "/var/lib/clamav"; 6 5 clamavGroup = clamavUser; 7 6 cfg = config.services.clamav; 8 7 9 - toKeyValue = generators.toKeyValue { 10 - mkKeyValue = generators.mkKeyValueDefault { } " "; 8 + toKeyValue = lib.generators.toKeyValue { 9 + mkKeyValue = lib.generators.mkKeyValueDefault { } " "; 11 10 listsAsDuplicateKeys = true; 12 11 }; 13 12 ··· 19 18 in 20 19 { 21 20 imports = [ 22 - (mkRemovedOptionModule [ "services" "clamav" "updater" "config" ] "Use services.clamav.updater.settings instead.") 23 - (mkRemovedOptionModule [ "services" "clamav" "updater" "extraConfig" ] "Use services.clamav.updater.settings instead.") 24 - (mkRemovedOptionModule [ "services" "clamav" "daemon" "extraConfig" ] "Use services.clamav.daemon.settings instead.") 21 + (lib.mkRemovedOptionModule [ "services" "clamav" "updater" "config" ] "Use services.clamav.updater.settings instead.") 22 + (lib.mkRemovedOptionModule [ "services" "clamav" "updater" "extraConfig" ] "Use services.clamav.updater.settings instead.") 23 + (lib.mkRemovedOptionModule [ "services" "clamav" "daemon" "extraConfig" ] "Use services.clamav.daemon.settings instead.") 25 24 ]; 26 25 27 26 options = { 28 27 services.clamav = { 29 - package = mkPackageOption pkgs "clamav" { }; 28 + package = lib.mkPackageOption pkgs "clamav" { }; 30 29 daemon = { 31 - enable = mkEnableOption "ClamAV clamd daemon"; 30 + enable = lib.mkEnableOption "ClamAV clamd daemon"; 32 31 33 - settings = mkOption { 34 - type = with types; attrsOf (oneOf [ bool int str (listOf str) ]); 32 + settings = lib.mkOption { 33 + type = with lib.types; attrsOf (oneOf [ bool int str (listOf str) ]); 35 34 default = { }; 36 35 description = '' 37 36 ClamAV configuration. Refer to <https://linux.die.net/man/5/clamd.conf>, ··· 40 39 }; 41 40 }; 42 41 updater = { 43 - enable = mkEnableOption "ClamAV freshclam updater"; 42 + enable = lib.mkEnableOption "ClamAV freshclam updater"; 44 43 45 - frequency = mkOption { 46 - type = types.int; 44 + frequency = lib.mkOption { 45 + type = lib.types.int; 47 46 default = 12; 48 47 description = '' 49 48 Number of database checks per day. 50 49 ''; 51 50 }; 52 51 53 - interval = mkOption { 54 - type = types.str; 52 + interval = lib.mkOption { 53 + type = lib.types.str; 55 54 default = "hourly"; 56 55 description = '' 57 56 How often freshclam is invoked. See systemd.time(7) for more ··· 59 58 ''; 60 59 }; 61 60 62 - settings = mkOption { 63 - type = with types; attrsOf (oneOf [ bool int str (listOf str) ]); 61 + settings = lib.mkOption { 62 + type = with lib.types; attrsOf (oneOf [ bool int str (listOf str) ]); 64 63 default = { }; 65 64 description = '' 66 65 freshclam configuration. Refer to <https://linux.die.net/man/5/freshclam.conf>, ··· 69 68 }; 70 69 }; 71 70 fangfrisch = { 72 - enable = mkEnableOption "ClamAV fangfrisch updater"; 71 + enable = lib.mkEnableOption "ClamAV fangfrisch updater"; 73 72 74 - interval = mkOption { 75 - type = types.str; 73 + interval = lib.mkOption { 74 + type = lib.types.str; 76 75 default = "hourly"; 77 76 description = '' 78 77 How often freshclam is invoked. See systemd.time(7) for more ··· 80 79 ''; 81 80 }; 82 81 83 - settings = mkOption { 82 + settings = lib.mkOption { 84 83 type = lib.types.submodule { 85 - freeformType = with types; attrsOf (attrsOf (oneOf [ str int bool ])); 84 + freeformType = with lib.types; attrsOf (attrsOf (oneOf [ str int bool ])); 86 85 }; 87 86 default = { }; 88 87 example = { ··· 100 99 }; 101 100 102 101 scanner = { 103 - enable = mkEnableOption "ClamAV scanner"; 102 + enable = lib.mkEnableOption "ClamAV scanner"; 104 103 105 - interval = mkOption { 106 - type = types.str; 104 + interval = lib.mkOption { 105 + type = lib.types.str; 107 106 default = "*-*-* 04:00:00"; 108 107 description = '' 109 108 How often clamdscan is invoked. See systemd.time(7) for more ··· 112 111 ''; 113 112 }; 114 113 115 - scanDirectories = mkOption { 116 - type = with types; listOf str; 114 + scanDirectories = lib.mkOption { 115 + type = with lib.types; listOf str; 117 116 default = [ "/home" "/var/lib" "/tmp" "/etc" "/var/tmp" ]; 118 117 description = '' 119 118 List of directories to scan. ··· 124 123 }; 125 124 }; 126 125 127 - config = mkIf (cfg.updater.enable || cfg.daemon.enable) { 126 + config = lib.mkIf (cfg.updater.enable || cfg.daemon.enable) { 128 127 environment.systemPackages = [ cfg.package ]; 129 128 130 129 users.users.${clamavUser} = { ··· 153 152 }; 154 153 155 154 services.clamav.fangfrisch.settings = { 156 - DEFAULT.db_url = mkDefault "sqlite:////var/lib/clamav/fangfrisch_db.sqlite"; 157 - DEFAULT.local_directory = mkDefault stateDir; 158 - DEFAULT.log_level = mkDefault "INFO"; 159 - urlhaus.enabled = mkDefault "yes"; 160 - urlhaus.max_size = mkDefault "2MB"; 161 - sanesecurity.enabled = mkDefault "yes"; 155 + DEFAULT.db_url = lib.mkDefault "sqlite:////var/lib/clamav/fangfrisch_db.sqlite"; 156 + DEFAULT.local_directory = lib.mkDefault stateDir; 157 + DEFAULT.log_level = lib.mkDefault "INFO"; 158 + urlhaus.enabled = lib.mkDefault "yes"; 159 + urlhaus.max_size = lib.mkDefault "2MB"; 160 + sanesecurity.enabled = lib.mkDefault "yes"; 162 161 }; 163 162 164 163 environment.etc."clamav/freshclam.conf".source = freshclamConfigFile; ··· 168 167 description = "ClamAV Antivirus Slice"; 169 168 }; 170 169 171 - systemd.services.clamav-daemon = mkIf cfg.daemon.enable { 170 + systemd.services.clamav-daemon = lib.mkIf cfg.daemon.enable { 172 171 description = "ClamAV daemon (clamd)"; 173 - after = optionals cfg.updater.enable [ "clamav-freshclam.service" ]; 174 - wants = optionals cfg.updater.enable [ "clamav-freshclam.service" ]; 172 + after = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ]; 173 + wants = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ]; 175 174 wantedBy = [ "multi-user.target" ]; 176 175 restartTriggers = [ clamdConfigFile ]; 177 176 ··· 189 188 }; 190 189 }; 191 190 192 - systemd.timers.clamav-freshclam = mkIf cfg.updater.enable { 191 + systemd.timers.clamav-freshclam = lib.mkIf cfg.updater.enable { 193 192 description = "Timer for ClamAV virus database updater (freshclam)"; 194 193 wantedBy = [ "timers.target" ]; 195 194 timerConfig = { ··· 198 197 }; 199 198 }; 200 199 201 - systemd.services.clamav-freshclam = mkIf cfg.updater.enable { 200 + systemd.services.clamav-freshclam = lib.mkIf cfg.updater.enable { 202 201 description = "ClamAV virus database updater (freshclam)"; 203 202 restartTriggers = [ freshclamConfigFile ]; 204 203 requires = [ "network-online.target" ]; ··· 217 216 }; 218 217 }; 219 218 220 - systemd.services.clamav-fangfrisch-init = mkIf cfg.fangfrisch.enable { 219 + systemd.services.clamav-fangfrisch-init = lib.mkIf cfg.fangfrisch.enable { 221 220 wantedBy = [ "multi-user.target" ]; 222 221 # if the sqlite file can be found assume the database has already been initialised 223 222 script = '' ··· 239 238 }; 240 239 }; 241 240 242 - systemd.timers.clamav-fangfrisch = mkIf cfg.fangfrisch.enable { 241 + systemd.timers.clamav-fangfrisch = lib.mkIf cfg.fangfrisch.enable { 243 242 description = "Timer for ClamAV virus database updater (fangfrisch)"; 244 243 wantedBy = [ "timers.target" ]; 245 244 timerConfig = { ··· 248 247 }; 249 248 }; 250 249 251 - systemd.services.clamav-fangfrisch = mkIf cfg.fangfrisch.enable { 250 + systemd.services.clamav-fangfrisch = lib.mkIf cfg.fangfrisch.enable { 252 251 description = "ClamAV virus database updater (fangfrisch)"; 253 252 restartTriggers = [ fangfrischConfigFile ]; 254 253 requires = [ "network-online.target" ]; ··· 266 265 }; 267 266 }; 268 267 269 - systemd.timers.clamdscan = mkIf cfg.scanner.enable { 268 + systemd.timers.clamdscan = lib.mkIf cfg.scanner.enable { 270 269 description = "Timer for ClamAV virus scanner"; 271 270 wantedBy = [ "timers.target" ]; 272 271 timerConfig = { ··· 275 274 }; 276 275 }; 277 276 278 - systemd.services.clamdscan = mkIf cfg.scanner.enable { 277 + systemd.services.clamdscan = lib.mkIf cfg.scanner.enable { 279 278 description = "ClamAV virus scanner"; 280 - after = optionals cfg.updater.enable [ "clamav-freshclam.service" ]; 281 - wants = optionals cfg.updater.enable [ "clamav-freshclam.service" ]; 279 + after = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ]; 280 + wants = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ]; 282 281 283 282 serviceConfig = { 284 283 Type = "oneshot";

+18 -21

nixos/modules/services/security/endlessh-go.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.endlessh-go; 12 9 in 13 10 { 14 11 options.services.endlessh-go = { 15 - enable = mkEnableOption "endlessh-go service"; 12 + enable = lib.mkEnableOption "endlessh-go service"; 16 13 17 - package = mkPackageOption pkgs "endlessh-go" { }; 14 + package = lib.mkPackageOption pkgs "endlessh-go" { }; 18 15 19 - listenAddress = mkOption { 20 - type = types.str; 16 + listenAddress = lib.mkOption { 17 + type = lib.types.str; 21 18 default = "0.0.0.0"; 22 19 example = "[::]"; 23 20 description = '' ··· 25 22 ''; 26 23 }; 27 24 28 - port = mkOption { 29 - type = types.port; 25 + port = lib.mkOption { 26 + type = lib.types.port; 30 27 default = 2222; 31 28 example = 22; 32 29 description = '' ··· 38 35 }; 39 36 40 37 prometheus = { 41 - enable = mkEnableOption "Prometheus integration"; 38 + enable = lib.mkEnableOption "Prometheus integration"; 42 39 43 - listenAddress = mkOption { 44 - type = types.str; 40 + listenAddress = lib.mkOption { 41 + type = lib.types.str; 45 42 default = "0.0.0.0"; 46 43 example = "[::]"; 47 44 description = '' ··· 50 47 ''; 51 48 }; 52 49 53 - port = mkOption { 54 - type = types.port; 50 + port = lib.mkOption { 51 + type = lib.types.port; 55 52 default = 2112; 56 53 example = 9119; 57 54 description = '' ··· 61 58 }; 62 59 }; 63 60 64 - extraOptions = mkOption { 65 - type = with types; listOf str; 61 + extraOptions = lib.mkOption { 62 + type = with lib.types; listOf str; 66 63 default = [ ]; 67 64 example = [ 68 65 "-conn_type=tcp4" ··· 73 70 ''; 74 71 }; 75 72 76 - openFirewall = mkOption { 77 - type = types.bool; 73 + openFirewall = lib.mkOption { 74 + type = lib.types.bool; 78 75 default = false; 79 76 description = '' 80 77 Whether to open a firewall port for the SSH listener. ··· 82 79 }; 83 80 }; 84 81 85 - config = mkIf cfg.enable { 82 + config = lib.mkIf cfg.enable { 86 83 systemd.services.endlessh-go = { 87 84 description = "SSH tarpit"; 88 85 requires = [ "network.target" ]; ··· 90 87 serviceConfig = 91 88 let 92 89 needsPrivileges = cfg.port < 1024 || cfg.prometheus.port < 1024; 93 - capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; 90 + capabilities = [ "" ] ++ lib.optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; 94 91 rootDirectory = "/run/endlessh-go"; 95 92 in 96 93 { ··· 155 152 networking.firewall.allowedTCPPorts = with cfg; optionals openFirewall [ port ]; 156 153 }; 157 154 158 - meta.maintainers = with maintainers; [ azahi ]; 155 + meta.maintainers = with lib.maintainers; [ azahi ]; 159 156 }

+10 -13

nixos/modules/services/security/endlessh.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.endlessh; 12 9 in 13 10 { 14 11 options.services.endlessh = { 15 - enable = mkEnableOption "endlessh service"; 12 + enable = lib.mkEnableOption "endlessh service"; 16 13 17 - port = mkOption { 18 - type = types.port; 14 + port = lib.mkOption { 15 + type = lib.types.port; 19 16 default = 2222; 20 17 example = 22; 21 18 description = '' ··· 26 23 ''; 27 24 }; 28 25 29 - extraOptions = mkOption { 30 - type = with types; listOf str; 26 + extraOptions = lib.mkOption { 27 + type = with lib.types; listOf str; 31 28 default = [ ]; 32 29 example = [ 33 30 "-6" ··· 39 36 ''; 40 37 }; 41 38 42 - openFirewall = mkOption { 43 - type = types.bool; 39 + openFirewall = lib.mkOption { 40 + type = lib.types.bool; 44 41 default = false; 45 42 description = '' 46 43 Whether to open a firewall port for the SSH listener. ··· 48 45 }; 49 46 }; 50 47 51 - config = mkIf cfg.enable { 48 + config = lib.mkIf cfg.enable { 52 49 systemd.services.endlessh = { 53 50 description = "SSH tarpit"; 54 51 requires = [ "network.target" ]; ··· 56 53 serviceConfig = 57 54 let 58 55 needsPrivileges = cfg.port < 1024; 59 - capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; 56 + capabilities = [ "" ] ++ lib.optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; 60 57 rootDirectory = "/run/endlessh"; 61 58 in 62 59 { ··· 115 112 networking.firewall.allowedTCPPorts = with cfg; optionals openFirewall [ port ]; 116 113 }; 117 114 118 - meta.maintainers = with maintainers; [ azahi ]; 115 + meta.maintainers = with lib.maintainers; [ azahi ]; 119 116 }

+74 -77

nixos/modules/services/security/fail2ban.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.fail2ban; 12 9 13 10 settingsFormat = pkgs.formats.keyValue { }; 14 11 15 12 configFormat = pkgs.formats.ini { 16 - mkKeyValue = generators.mkKeyValueDefault { } " = "; 13 + mkKeyValue = lib.generators.mkKeyValueDefault { } " = "; 17 14 }; 18 15 19 16 mkJailConfig = 20 17 name: attrs: 21 - optionalAttrs (name != "DEFAULT") { inherit (attrs) enabled; } 22 - // optionalAttrs (attrs.filter != null) { 23 - filter = if (builtins.isString filter) then filter else name; 18 + lib.optionalAttrs (name != "DEFAULT") { inherit (attrs) enabled; } 19 + // lib.optionalAttrs (attrs.filter != null) { 20 + filter = if (builtins.isString lib.filter) then lib.filter else name; 24 21 } 25 22 // attrs.settings; 26 23 27 24 mkFilter = 28 25 name: attrs: 29 - nameValuePair "fail2ban/filter.d/${name}.conf" { 26 + lib.nameValuePair "fail2ban/filter.d/${name}.conf" { 30 27 source = configFormat.generate "filter.d/${name}.conf" attrs.filter; 31 28 }; 32 29 33 30 fail2banConf = configFormat.generate "fail2ban.local" cfg.daemonSettings; 34 31 35 - strJails = filterAttrs (_: builtins.isString) cfg.jails; 36 - attrsJails = filterAttrs (_: builtins.isAttrs) cfg.jails; 32 + strJails = lib.filterAttrs (_: builtins.isString) cfg.jails; 33 + attrsJails = lib.filterAttrs (_: builtins.isAttrs) cfg.jails; 37 34 38 35 jailConf = 39 36 let 40 37 configFile = configFormat.generate "jail.local" ( 41 - { INCLUDES.before = "paths-nixos.conf"; } // (mapAttrs mkJailConfig attrsJails) 38 + { INCLUDES.before = "paths-nixos.conf"; } // (lib.mapAttrs mkJailConfig attrsJails) 42 39 ); 43 - extraConfig = concatStringsSep "\n" ( 44 - attrValues ( 45 - mapAttrs ( 40 + extraConfig = lib.concatStringsSep "\n" ( 41 + lib.attrValues ( 42 + lib.mapAttrs ( 46 43 name: def: 47 - optionalString (def != "") '' 44 + lib.optionalString (def != "") '' 48 45 [${name}] 49 46 ${def} 50 47 '' ··· 74 71 { 75 72 76 73 imports = [ 77 - (mkRemovedOptionModule [ 74 + (lib.mkRemovedOptionModule [ 78 75 "services" 79 76 "fail2ban" 80 77 "daemonConfig" 81 78 ] "The daemon is now configured through the attribute set `services.fail2ban.daemonSettings`.") 82 - (mkRemovedOptionModule [ "services" "fail2ban" "extraSettings" ] 79 + (lib.mkRemovedOptionModule [ "services" "fail2ban" "extraSettings" ] 83 80 "The extra default configuration can now be set using `services.fail2ban.jails.DEFAULT.settings`." 84 81 ) 85 82 ]; ··· 88 85 89 86 options = { 90 87 services.fail2ban = { 91 - enable = mkOption { 88 + enable = lib.mkOption { 92 89 default = false; 93 - type = types.bool; 90 + type = lib.types.bool; 94 91 description = '' 95 92 Whether to enable the fail2ban service. 96 93 ··· 99 96 ''; 100 97 }; 101 98 102 - package = mkPackageOption pkgs "fail2ban" { 99 + package = lib.mkPackageOption pkgs "fail2ban" { 103 100 example = "fail2ban_0_11"; 104 101 }; 105 102 106 - packageFirewall = mkOption { 103 + packageFirewall = lib.mkOption { 107 104 default = config.networking.firewall.package; 108 - defaultText = literalExpression "config.networking.firewall.package"; 109 - type = types.package; 105 + defaultText = lib.literalExpression "config.networking.firewall.package"; 106 + type = lib.types.package; 110 107 description = "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables)."; 111 108 }; 112 109 113 - extraPackages = mkOption { 110 + extraPackages = lib.mkOption { 114 111 default = [ ]; 115 - type = types.listOf types.package; 112 + type = lib.types.listOf lib.types.package; 116 113 example = lib.literalExpression "[ pkgs.ipset ]"; 117 114 description = '' 118 115 Extra packages to be made available to the fail2ban service. The example contains ··· 120 117 ''; 121 118 }; 122 119 123 - bantime = mkOption { 120 + bantime = lib.mkOption { 124 121 default = "10m"; 125 - type = types.str; 122 + type = lib.types.str; 126 123 example = "1h"; 127 124 description = "Number of seconds that a host is banned."; 128 125 }; 129 126 130 - maxretry = mkOption { 127 + maxretry = lib.mkOption { 131 128 default = 3; 132 - type = types.ints.unsigned; 129 + type = lib.types.ints.unsigned; 133 130 description = "Number of failures before a host gets banned."; 134 131 }; 135 132 136 - banaction = mkOption { 133 + banaction = lib.mkOption { 137 134 default = if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"; 138 - defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"''; 139 - type = types.str; 135 + defaultText = lib.literalExpression ''if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"''; 136 + type = lib.types.str; 140 137 description = '' 141 138 Default banning action (e.g. iptables, iptables-new, iptables-multiport, 142 139 iptables-ipset-proto6-allports, shorewall, etc). It is used to ··· 145 142 ''; 146 143 }; 147 144 148 - banaction-allports = mkOption { 145 + banaction-allports = lib.mkOption { 149 146 default = if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"; 150 - defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"''; 151 - type = types.str; 147 + defaultText = lib.literalExpression ''if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"''; 148 + type = lib.types.str; 152 149 description = '' 153 150 Default banning action (e.g. iptables, iptables-new, iptables-multiport, 154 151 shorewall, etc) for "allports" jails. It is used to define action_* variables. Can be overridden ··· 156 153 ''; 157 154 }; 158 155 159 - bantime-increment.enable = mkOption { 156 + bantime-increment.enable = lib.mkOption { 160 157 default = false; 161 - type = types.bool; 158 + type = lib.types.bool; 162 159 description = '' 163 160 "bantime.increment" allows to use database for searching of previously banned ip's to increase 164 161 a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32 ... 165 162 ''; 166 163 }; 167 164 168 - bantime-increment.rndtime = mkOption { 165 + bantime-increment.rndtime = lib.mkOption { 169 166 default = null; 170 - type = types.nullOr types.str; 167 + type = lib.types.nullOr lib.types.str; 171 168 example = "8m"; 172 169 description = '' 173 170 "bantime.rndtime" is the max number of seconds using for mixing with random time ··· 175 172 ''; 176 173 }; 177 174 178 - bantime-increment.maxtime = mkOption { 175 + bantime-increment.maxtime = lib.mkOption { 179 176 default = null; 180 - type = types.nullOr types.str; 177 + type = lib.types.nullOr lib.types.str; 181 178 example = "48h"; 182 179 description = '' 183 180 "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further) 184 181 ''; 185 182 }; 186 183 187 - bantime-increment.factor = mkOption { 184 + bantime-increment.factor = lib.mkOption { 188 185 default = null; 189 - type = types.nullOr types.str; 186 + type = lib.types.nullOr lib.types.str; 190 187 example = "4"; 191 188 description = '' 192 189 "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, ··· 194 191 ''; 195 192 }; 196 193 197 - bantime-increment.formula = mkOption { 194 + bantime-increment.formula = lib.mkOption { 198 195 default = null; 199 - type = types.nullOr types.str; 196 + type = lib.types.nullOr lib.types.str; 200 197 example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; 201 198 description = '' 202 199 "bantime.formula" used by default to calculate next value of ban time, default value below, ··· 204 201 ''; 205 202 }; 206 203 207 - bantime-increment.multipliers = mkOption { 204 + bantime-increment.multipliers = lib.mkOption { 208 205 default = null; 209 - type = types.nullOr types.str; 206 + type = lib.types.nullOr lib.types.str; 210 207 example = "1 2 4 8 16 32 64"; 211 208 description = '' 212 209 "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding ··· 216 213 ''; 217 214 }; 218 215 219 - bantime-increment.overalljails = mkOption { 216 + bantime-increment.overalljails = lib.mkOption { 220 217 default = null; 221 - type = types.nullOr types.bool; 218 + type = lib.types.nullOr lib.types.bool; 222 219 example = true; 223 220 description = '' 224 221 "bantime.overalljails" (if true) specifies the search of IP in the database will be executed ··· 226 223 ''; 227 224 }; 228 225 229 - ignoreIP = mkOption { 226 + ignoreIP = lib.mkOption { 230 227 default = [ ]; 231 - type = types.listOf types.str; 228 + type = lib.types.listOf lib.types.str; 232 229 example = [ 233 230 "192.168.0.0/16" 234 231 "2001:DB8::42" ··· 239 236 ''; 240 237 }; 241 238 242 - daemonSettings = mkOption { 239 + daemonSettings = lib.mkOption { 243 240 inherit (configFormat) type; 244 241 245 - defaultText = literalExpression '' 242 + defaultText = lib.literalExpression '' 246 243 { 247 244 Definition = { 248 245 logtarget = "SYSLOG"; ··· 258 255 ''; 259 256 }; 260 257 261 - jails = mkOption { 258 + jails = lib.mkOption { 262 259 default = { }; 263 - example = literalExpression '' 260 + example = lib.literalExpression '' 264 261 { 265 262 apache-nohome-iptables = { 266 263 settings = { ··· 287 284 }; 288 285 ''; 289 286 type = 290 - with types; 287 + with lib.types; 291 288 attrsOf ( 292 289 either lines ( 293 290 submodule ( 294 291 { name, ... }: 295 292 { 296 293 options = { 297 - enabled = mkEnableOption "this jail" // { 294 + enabled = lib.mkEnableOption "this jail" // { 298 295 default = true; 299 296 readOnly = name == "DEFAULT"; 300 297 }; 301 298 302 - filter = mkOption { 299 + filter = lib.mkOption { 303 300 type = nullOr (either str configFormat.type); 304 301 305 302 default = null; 306 303 description = "Content of the filter used for this jail."; 307 304 }; 308 305 309 - settings = mkOption { 306 + settings = lib.mkOption { 310 307 inherit (settingsFormat) type; 311 308 312 309 default = { }; ··· 344 341 345 342 ###### implementation 346 343 347 - config = mkIf cfg.enable { 344 + config = lib.mkIf cfg.enable { 348 345 assertions = [ 349 346 { 350 347 assertion = cfg.bantime-increment.formula == null || cfg.bantime-increment.multipliers == null; ··· 354 351 } 355 352 ]; 356 353 357 - warnings = mkIf (!config.networking.firewall.enable && !config.networking.nftables.enable) [ 354 + warnings = lib.mkIf (!config.networking.firewall.enable && !config.networking.nftables.enable) [ 358 355 "fail2ban can not be used without a firewall" 359 356 ]; 360 357 ··· 371 368 "fail2ban/action.d".source = "${cfg.package}/etc/fail2ban/action.d/*.conf"; 372 369 "fail2ban/filter.d".source = "${cfg.package}/etc/fail2ban/filter.d/*.conf"; 373 370 } 374 - // (mapAttrs' mkFilter ( 375 - filterAttrs (_: v: v.filter != null && !builtins.isString v.filter) attrsJails 371 + // (lib.mapAttrs' mkFilter ( 372 + lib.filterAttrs (_: v: v.filter != null && !builtins.isString v.filter) attrsJails 376 373 )); 377 374 378 375 systemd.packages = [ cfg.package ]; 379 376 systemd.services.fail2ban = { 380 377 wantedBy = [ "multi-user.target" ]; 381 - partOf = optional config.networking.firewall.enable "firewall.service"; 378 + partOf = lib.optional config.networking.firewall.enable "firewall.service"; 382 379 383 380 restartTriggers = [ 384 381 fail2banConf ··· 423 420 424 421 # Defaults for the daemon settings 425 422 services.fail2ban.daemonSettings.Definition = { 426 - logtarget = mkDefault "SYSLOG"; 427 - socket = mkDefault "/run/fail2ban/fail2ban.sock"; 428 - pidfile = mkDefault "/run/fail2ban/fail2ban.pid"; 429 - dbfile = mkDefault "/var/lib/fail2ban/fail2ban.sqlite3"; 423 + logtarget = lib.mkDefault "SYSLOG"; 424 + socket = lib.mkDefault "/run/fail2ban/fail2ban.sock"; 425 + pidfile = lib.mkDefault "/run/fail2ban/fail2ban.pid"; 426 + dbfile = lib.mkDefault "/var/lib/fail2ban/fail2ban.sqlite3"; 430 427 }; 431 428 432 429 # Add some reasonable default jails. The special "DEFAULT" jail 433 430 # sets default values for all other jails. 434 - services.fail2ban.jails = mkMerge [ 431 + services.fail2ban.jails = lib.mkMerge [ 435 432 { 436 433 DEFAULT.settings = 437 - (optionalAttrs cfg.bantime-increment.enable ( 434 + (lib.optionalAttrs cfg.bantime-increment.enable ( 438 435 { 439 436 "bantime.increment" = cfg.bantime-increment.enable; 440 437 } 441 - // (mapAttrs' (name: nameValuePair "bantime.${name}") ( 442 - filterAttrs (n: v: v != null && n != "enable") cfg.bantime-increment 438 + // (lib.mapAttrs' (name: lib.nameValuePair "bantime.${name}") ( 439 + lib.filterAttrs (n: v: v != null && n != "enable") cfg.bantime-increment 443 440 )) 444 441 )) 445 442 // { 446 443 # Miscellaneous options 447 444 inherit (cfg) banaction maxretry bantime; 448 - ignoreip = ''127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP}''; 445 + ignoreip = ''127.0.0.1/8 ${lib.optionalString config.networking.enableIPv6 "::1"} ${lib.concatStringsSep " " cfg.ignoreIP}''; 449 446 backend = "systemd"; 450 447 # Actions 451 448 banaction_allports = cfg.banaction-allports; ··· 453 450 } 454 451 455 452 # Block SSH if there are too many failing connection attempts. 456 - (mkIf config.services.openssh.enable { 457 - sshd.settings.port = mkDefault ( 458 - concatMapStringsSep "," builtins.toString config.services.openssh.ports 453 + (lib.mkIf config.services.openssh.enable { 454 + sshd.settings.port = lib.mkDefault ( 455 + lib.concatMapStringsSep "," builtins.toString config.services.openssh.ports 459 456 ); 460 457 }) 461 458 ]; 462 459 463 460 # Benefits from verbose sshd logging to observe failed login attempts, 464 461 # so we set that here unless the user overrode it. 465 - services.openssh.settings.LogLevel = mkDefault "VERBOSE"; 462 + services.openssh.settings.LogLevel = lib.mkDefault "VERBOSE"; 466 463 }; 467 464 }

+10 -13

nixos/modules/services/security/fprintd.nix

··· 1 1 { config, lib, pkgs, ... }: 2 - 3 - with lib; 4 - 5 2 let 6 3 7 4 cfg = config.services.fprintd; ··· 18 15 19 16 services.fprintd = { 20 17 21 - enable = mkEnableOption "fprintd daemon and PAM module for fingerprint readers handling"; 18 + enable = lib.mkEnableOption "fprintd daemon and PAM module for fingerprint readers handling"; 22 19 23 - package = mkOption { 24 - type = types.package; 20 + package = lib.mkOption { 21 + type = lib.types.package; 25 22 default = fprintdPkg; 26 - defaultText = literalExpression "if config.services.fprintd.tod.enable then pkgs.fprintd-tod else pkgs.fprintd"; 23 + defaultText = lib.literalExpression "if config.services.fprintd.tod.enable then pkgs.fprintd-tod else pkgs.fprintd"; 27 24 description = '' 28 25 fprintd package to use. 29 26 ''; ··· 31 28 32 29 tod = { 33 30 34 - enable = mkEnableOption "Touch OEM Drivers library support"; 31 + enable = lib.mkEnableOption "Touch OEM Drivers library support"; 35 32 36 - driver = mkOption { 37 - type = types.package; 38 - example = literalExpression "pkgs.libfprint-2-tod1-goodix"; 33 + driver = lib.mkOption { 34 + type = lib.types.package; 35 + example = lib.literalExpression "pkgs.libfprint-2-tod1-goodix"; 39 36 description = '' 40 37 Touch OEM Drivers (TOD) package to use. 41 38 ''; ··· 47 44 48 45 ###### implementation 49 46 50 - config = mkIf cfg.enable { 47 + config = lib.mkIf cfg.enable { 51 48 52 49 services.dbus.packages = [ cfg.package ]; 53 50 ··· 55 52 56 53 systemd.packages = [ cfg.package ]; 57 54 58 - systemd.services.fprintd.environment = mkIf cfg.tod.enable { 55 + systemd.services.fprintd.environment = lib.mkIf cfg.tod.enable { 59 56 FP_TOD_DRIVERS_DIR = "${cfg.tod.driver}${cfg.tod.driver.driverPath}"; 60 57 }; 61 58

+23 -27

nixos/modules/services/security/haka.nix

··· 1 1 # This module defines global configuration for Haka. 2 - 3 2 { 4 3 config, 5 4 lib, 6 5 pkgs, 7 6 ... 8 7 }: 9 - 10 - with lib; 11 - 12 8 let 13 9 14 10 cfg = config.services.haka; ··· 23 19 else 24 20 "${haka}/share/haka/sample/${cfg.configFile}" 25 21 } 26 - ${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"} 22 + ${lib.optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"} 27 23 28 24 [packet] 29 - ${optionalString cfg.pcap ''module = "packet/pcap"''} 30 - ${optionalString cfg.nfqueue ''module = "packet/nqueue"''} 31 - ${optionalString cfg.dump.enable ''dump = "yes"''} 32 - ${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''} 33 - ${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''} 25 + ${lib.optionalString cfg.pcap ''module = "packet/pcap"''} 26 + ${lib.optionalString cfg.nfqueue ''module = "packet/nqueue"''} 27 + ${lib.optionalString cfg.dump.enable ''dump = "yes"''} 28 + ${lib.optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''} 29 + ${lib.optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''} 34 30 35 31 interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}" 36 32 ··· 62 58 63 59 services.haka = { 64 60 65 - enable = mkEnableOption "Haka"; 61 + enable = lib.mkEnableOption "Haka"; 66 62 67 - package = mkPackageOption pkgs "haka" { }; 63 + package = lib.mkPackageOption pkgs "haka" { }; 68 64 69 - configFile = mkOption { 65 + configFile = lib.mkOption { 70 66 default = "empty.lua"; 71 67 example = "/srv/haka/myfilter.lua"; 72 - type = types.str; 68 + type = lib.types.str; 73 69 description = '' 74 70 Specify which configuration file Haka uses. 75 71 It can be absolute path or a path relative to the sample directory of ··· 77 73 ''; 78 74 }; 79 75 80 - interfaces = mkOption { 76 + interfaces = lib.mkOption { 81 77 default = [ "eth0" ]; 82 78 example = [ "any" ]; 83 - type = with types; listOf str; 79 + type = with lib.types; listOf str; 84 80 description = '' 85 81 Specify which interface(s) Haka listens to. 86 82 Use 'any' to listen to all interfaces. 87 83 ''; 88 84 }; 89 85 90 - threads = mkOption { 86 + threads = lib.mkOption { 91 87 default = 0; 92 88 example = 4; 93 - type = types.int; 89 + type = lib.types.int; 94 90 description = '' 95 91 The number of threads that will be used. 96 92 All system threads are used by default. 97 93 ''; 98 94 }; 99 95 100 - pcap = mkOption { 96 + pcap = lib.mkOption { 101 97 default = true; 102 - type = types.bool; 98 + type = lib.types.bool; 103 99 description = "Whether to enable pcap"; 104 100 }; 105 101 106 - nfqueue = mkEnableOption "nfqueue"; 102 + nfqueue = lib.mkEnableOption "nfqueue"; 107 103 108 - dump.enable = mkEnableOption "dump"; 109 - dump.input = mkOption { 104 + dump.enable = lib.mkEnableOption "dump"; 105 + dump.input = lib.mkOption { 110 106 default = "/tmp/input.pcap"; 111 107 example = "/path/to/file.pcap"; 112 - type = types.path; 108 + type = lib.types.path; 113 109 description = "Path to file where incoming packets are dumped"; 114 110 }; 115 111 116 - dump.output = mkOption { 112 + dump.output = lib.mkOption { 117 113 default = "/tmp/output.pcap"; 118 114 example = "/path/to/file.pcap"; 119 - type = types.path; 115 + type = lib.types.path; 120 116 description = "Path to file where outgoing packets are dumped"; 121 117 }; 122 118 }; ··· 124 120 125 121 ###### implementation 126 122 127 - config = mkIf cfg.enable { 123 + config = lib.mkIf cfg.enable { 128 124 129 125 assertions = [ 130 126 {

+4 -7

nixos/modules/services/security/haveged.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.haveged; 12 9 ··· 20 17 21 18 services.haveged = { 22 19 23 - enable = mkEnableOption '' 20 + enable = lib.mkEnableOption '' 24 21 haveged entropy daemon, which refills /dev/random when low. 25 22 NOTE: does nothing on kernels newer than 5.6 26 23 ''; 27 24 # source for the note https://github.com/jirka-h/haveged/issues/57 28 25 29 - refill_threshold = mkOption { 30 - type = types.int; 26 + refill_threshold = lib.mkOption { 27 + type = lib.types.int; 31 28 default = 1024; 32 29 description = '' 33 30 The number of bits of available entropy beneath which ··· 39 36 40 37 }; 41 38 42 - config = mkIf cfg.enable { 39 + config = lib.mkIf cfg.enable { 43 40 44 41 # https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service 45 42 systemd.services.haveged = {

+7 -10

nixos/modules/services/security/hologram-agent.nix

··· 4 4 lib, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.hologram-agent; 12 9 ··· 19 16 { 20 17 options = { 21 18 services.hologram-agent = { 22 - enable = mkOption { 23 - type = types.bool; 19 + enable = lib.mkOption { 20 + type = lib.types.bool; 24 21 default = false; 25 22 description = "Whether to enable the Hologram agent for AWS instance credentials"; 26 23 }; 27 24 28 - dialAddress = mkOption { 29 - type = types.str; 25 + dialAddress = lib.mkOption { 26 + type = lib.types.str; 30 27 default = "localhost:3100"; 31 28 description = "Hologram server and port."; 32 29 }; 33 30 34 - httpPort = mkOption { 35 - type = types.str; 31 + httpPort = lib.mkOption { 32 + type = lib.types.str; 36 33 default = "80"; 37 34 description = "Port for metadata service to listen on."; 38 35 }; ··· 40 37 }; 41 38 }; 42 39 43 - config = mkIf cfg.enable { 40 + config = lib.mkIf cfg.enable { 44 41 boot.kernelModules = [ "dummy" ]; 45 42 46 43 networking.interfaces.dummy0.ipv4.addresses = [

+31 -34

nixos/modules/services/security/hologram-server.nix

··· 4 4 lib, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.hologram-server; 12 9 ··· 38 35 { 39 36 options = { 40 37 services.hologram-server = { 41 - enable = mkOption { 42 - type = types.bool; 38 + enable = lib.mkOption { 39 + type = lib.types.bool; 43 40 default = false; 44 41 description = "Whether to enable the Hologram server for AWS instance credentials"; 45 42 }; 46 43 47 - listenAddress = mkOption { 48 - type = types.str; 44 + listenAddress = lib.mkOption { 45 + type = lib.types.str; 49 46 default = "0.0.0.0:3100"; 50 47 description = "Address and port to listen on"; 51 48 }; 52 49 53 - ldapHost = mkOption { 54 - type = types.str; 50 + ldapHost = lib.mkOption { 51 + type = lib.types.str; 55 52 description = "Address of the LDAP server to use"; 56 53 }; 57 54 58 - ldapInsecure = mkOption { 59 - type = types.bool; 55 + ldapInsecure = lib.mkOption { 56 + type = lib.types.bool; 60 57 default = false; 61 58 description = "Whether to connect to LDAP over SSL or not"; 62 59 }; 63 60 64 - ldapUserAttr = mkOption { 65 - type = types.str; 61 + ldapUserAttr = lib.mkOption { 62 + type = lib.types.str; 66 63 default = "cn"; 67 64 description = "The LDAP attribute for usernames"; 68 65 }; 69 66 70 - ldapBaseDN = mkOption { 71 - type = types.str; 67 + ldapBaseDN = lib.mkOption { 68 + type = lib.types.str; 72 69 description = "The base DN for your Hologram users"; 73 70 }; 74 71 75 - ldapBindDN = mkOption { 76 - type = types.str; 72 + ldapBindDN = lib.mkOption { 73 + type = lib.types.str; 77 74 description = "DN of account to use to query the LDAP server"; 78 75 }; 79 76 80 - ldapBindPassword = mkOption { 81 - type = types.str; 77 + ldapBindPassword = lib.mkOption { 78 + type = lib.types.str; 82 79 description = "Password of account to use to query the LDAP server"; 83 80 }; 84 81 85 - enableLdapRoles = mkOption { 86 - type = types.bool; 82 + enableLdapRoles = lib.mkOption { 83 + type = lib.types.bool; 87 84 default = false; 88 85 description = "Whether to assign user roles based on the user's LDAP group memberships"; 89 86 }; 90 87 91 - groupClassAttr = mkOption { 92 - type = types.str; 88 + groupClassAttr = lib.mkOption { 89 + type = lib.types.str; 93 90 default = "groupOfNames"; 94 91 description = "The objectclass attribute to search for groups when enableLdapRoles is true"; 95 92 }; 96 93 97 - roleAttr = mkOption { 98 - type = types.str; 94 + roleAttr = lib.mkOption { 95 + type = lib.types.str; 99 96 default = "businessCategory"; 100 97 description = "Which LDAP group attribute to search for authorized role ARNs"; 101 98 }; 102 99 103 - awsAccount = mkOption { 104 - type = types.str; 100 + awsAccount = lib.mkOption { 101 + type = lib.types.str; 105 102 description = "AWS account number"; 106 103 }; 107 104 108 - awsDefaultRole = mkOption { 109 - type = types.str; 105 + awsDefaultRole = lib.mkOption { 106 + type = lib.types.str; 110 107 description = "AWS default role"; 111 108 }; 112 109 113 - statsAddress = mkOption { 114 - type = types.str; 110 + statsAddress = lib.mkOption { 111 + type = lib.types.str; 115 112 default = ""; 116 113 description = "Address of statsd server"; 117 114 }; 118 115 119 - cacheTimeoutSeconds = mkOption { 120 - type = types.int; 116 + cacheTimeoutSeconds = lib.mkOption { 117 + type = lib.types.int; 121 118 default = 3600; 122 119 description = "How often (in seconds) to refresh the LDAP cache"; 123 120 }; 124 121 }; 125 122 }; 126 123 127 - config = mkIf cfg.enable { 124 + config = lib.mkIf cfg.enable { 128 125 systemd.services.hologram-server = { 129 126 description = "Provide EC2 instance credentials to machines outside of EC2"; 130 127 after = [ "network.target" ];

+5 -8

nixos/modules/services/security/infnoise.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.infnoise; 12 9 in 13 10 { 14 11 options = { 15 12 services.infnoise = { 16 - enable = mkEnableOption "the Infinite Noise TRNG driver"; 13 + enable = lib.mkEnableOption "the Infinite Noise TRNG driver"; 17 14 18 - fillDevRandom = mkOption { 15 + fillDevRandom = lib.mkOption { 19 16 description = '' 20 17 Whether to run the infnoise driver as a daemon to refill /dev/random. 21 18 22 19 If disabled, you can use the `infnoise` command-line tool to 23 20 manually obtain randomness. 24 21 ''; 25 - type = types.bool; 22 + type = lib.types.bool; 26 23 default = true; 27 24 }; 28 25 }; 29 26 }; 30 27 31 - config = mkIf cfg.enable { 28 + config = lib.mkIf cfg.enable { 32 29 environment.systemPackages = [ pkgs.infnoise ]; 33 30 34 31 services.udev.extraRules = '' 35 32 SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service" 36 33 ''; 37 34 38 - systemd.services.infnoise = mkIf cfg.fillDevRandom { 35 + systemd.services.infnoise = lib.mkIf cfg.fillDevRandom { 39 36 description = "Infinite Noise TRNG driver"; 40 37 41 38 bindsTo = [ "dev-infnoise.device" ];

+4 -7

nixos/modules/services/security/munge.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 12 9 cfg = config.services.munge; ··· 20 17 options = { 21 18 22 19 services.munge = { 23 - enable = mkEnableOption "munge service"; 20 + enable = lib.mkEnableOption "munge service"; 24 21 25 - password = mkOption { 22 + password = lib.mkOption { 26 23 default = "/etc/munge/munge.key"; 27 - type = types.path; 24 + type = lib.types.path; 28 25 description = '' 29 26 The path to a daemon's secret key. 30 27 ''; ··· 36 33 37 34 ###### implementation 38 35 39 - config = mkIf cfg.enable { 36 + config = lib.mkIf cfg.enable { 40 37 41 38 environment.systemPackages = [ pkgs.munge ]; 42 39

+5 -8

nixos/modules/services/security/nginx-sso.nix

··· 1 1 { config, lib, pkgs, utils, ... }: 2 - 3 - with lib; 4 - 5 2 let 6 3 cfg = config.services.nginx.sso; 7 4 format = pkgs.formats.yaml { }; 8 5 configPath = "/var/lib/nginx-sso/config.yaml"; 9 6 in { 10 7 options.services.nginx.sso = { 11 - enable = mkEnableOption "nginx-sso service"; 8 + enable = lib.mkEnableOption "nginx-sso service"; 12 9 13 - package = mkPackageOption pkgs "nginx-sso" { }; 10 + package = lib.mkPackageOption pkgs "nginx-sso" { }; 14 11 15 - configuration = mkOption { 12 + configuration = lib.mkOption { 16 13 type = format.type; 17 14 default = {}; 18 - example = literalExpression '' 15 + example = lib.literalExpression '' 19 16 { 20 17 listen = { addr = "127.0.0.1"; port = 8080; }; 21 18 ··· 48 45 }; 49 46 }; 50 47 51 - config = mkIf cfg.enable { 48 + config = lib.mkIf cfg.enable { 52 49 systemd.services.nginx-sso = { 53 50 description = "Nginx SSO Backend"; 54 51 after = [ "network.target" ];

+39 -40

nixos/modules/services/security/opensnitch.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.opensnitch; 12 9 format = pkgs.formats.json { }; 13 10 14 - predefinedRules = flip mapAttrs cfg.rules ( 11 + predefinedRules = lib.flip lib.mapAttrs cfg.rules ( 15 12 name: cfg: { 16 13 file = pkgs.writeText "rule" (builtins.toJSON cfg); 17 14 } ··· 21 18 { 22 19 options = { 23 20 services.opensnitch = { 24 - enable = mkEnableOption "Opensnitch application firewall"; 21 + enable = lib.mkEnableOption "Opensnitch application firewall"; 25 22 26 - rules = mkOption { 23 + rules = lib.mkOption { 27 24 default = { }; 28 - example = literalExpression '' 25 + example = lib.literalExpression '' 29 26 { 30 27 "tor" = { 31 28 "name" = "tor"; ··· 50 47 for available options. 51 48 ''; 52 49 53 - type = types.submodule { 50 + type = lib.types.submodule { 54 51 freeformType = format.type; 55 52 }; 56 53 }; 57 54 58 - settings = mkOption { 59 - type = types.submodule { 55 + settings = lib.mkOption { 56 + type = lib.types.submodule { 60 57 freeformType = format.type; 61 58 62 59 options = { 63 60 Server = { 64 61 65 - Address = mkOption { 66 - type = types.str; 62 + Address = lib.mkOption { 63 + type = lib.types.str; 67 64 description = '' 68 65 Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is 69 66 mandatory) or TCP socket (192.168.1.100:50051). 70 67 ''; 71 68 }; 72 69 73 - LogFile = mkOption { 74 - type = types.path; 70 + LogFile = lib.mkOption { 71 + type = lib.types.path; 75 72 description = '' 76 73 File to write logs to (use /dev/stdout to write logs to standard 77 74 output). ··· 80 77 81 78 }; 82 79 83 - DefaultAction = mkOption { 84 - type = types.enum [ 80 + DefaultAction = lib.mkOption { 81 + type = lib.types.enum [ 85 82 "allow" 86 83 "deny" 87 84 ]; ··· 91 88 ''; 92 89 }; 93 90 94 - InterceptUnknown = mkOption { 95 - type = types.bool; 91 + InterceptUnknown = lib.mkOption { 92 + type = lib.types.bool; 96 93 description = '' 97 94 Whether to intercept spare connections. 98 95 ''; 99 96 }; 100 97 101 - ProcMonitorMethod = mkOption { 102 - type = types.enum [ 98 + ProcMonitorMethod = lib.mkOption { 99 + type = lib.types.enum [ 103 100 "ebpf" 104 101 "proc" 105 102 "ftrace" ··· 110 107 ''; 111 108 }; 112 109 113 - LogLevel = mkOption { 114 - type = types.enum [ 110 + LogLevel = lib.mkOption { 111 + type = lib.types.enum [ 115 112 0 116 113 1 117 114 2 ··· 124 121 ''; 125 122 }; 126 123 127 - Firewall = mkOption { 128 - type = types.enum [ 124 + Firewall = lib.mkOption { 125 + type = lib.types.enum [ 129 126 "iptables" 130 127 "nftables" 131 128 ]; ··· 136 133 137 134 Stats = { 138 135 139 - MaxEvents = mkOption { 140 - type = types.int; 136 + MaxEvents = lib.mkOption { 137 + type = lib.types.int; 141 138 description = '' 142 139 Max events to send to the GUI. 143 140 ''; 144 141 }; 145 142 146 - MaxStats = mkOption { 147 - type = types.int; 143 + MaxStats = lib.mkOption { 144 + type = lib.types.int; 148 145 description = '' 149 146 Max stats per item to keep in backlog. 150 147 ''; ··· 152 149 153 150 }; 154 151 155 - Ebpf.ModulesPath = mkOption { 156 - type = types.path; 152 + Ebpf.ModulesPath = lib.mkOption { 153 + type = lib.types.path; 157 154 default = 158 155 if cfg.settings.ProcMonitorMethod == "ebpf" then 159 156 "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd" 160 157 else 161 158 null; 162 - defaultText = literalExpression '' 159 + defaultText = lib.literalExpression '' 163 160 if cfg.settings.ProcMonitorMethod == "ebpf" then 164 161 "\\$\\{config.boot.kernelPackages.opensnitch-ebpf\\}/etc/opensnitchd" 165 162 else null; ··· 170 167 ''; 171 168 }; 172 169 173 - Rules.Path = mkOption { 174 - type = types.path; 170 + Rules.Path = lib.mkOption { 171 + type = lib.types.path; 175 172 default = "/var/lib/opensnitch/rules"; 176 173 description = '' 177 174 Path to the directory where firewall rules can be found and will ··· 189 186 }; 190 187 }; 191 188 192 - config = mkIf cfg.enable { 189 + config = lib.mkIf cfg.enable { 193 190 194 191 # pkg.opensnitch is referred to elsewhere in the module so we don't need to worry about it being garbage collected 195 - services.opensnitch.settings = mapAttrs (_: v: mkDefault v) ( 192 + services.opensnitch.settings = lib.mapAttrs (_: v: lib.mkDefault v) ( 196 193 builtins.fromJSON ( 197 194 builtins.unsafeDiscardStringContext ( 198 195 builtins.readFile "${pkgs.opensnitch}/etc/opensnitchd/default-config.json" ··· 210 207 "${pkgs.opensnitch}/bin/opensnitchd --config-file ${format.generate "default-config.json" cfg.settings}" 211 208 ]; 212 209 }; 213 - preStart = mkIf (cfg.rules != { }) ( 210 + preStart = lib.mkIf (cfg.rules != { }) ( 214 211 let 215 - rules = flip mapAttrsToList predefinedRules ( 212 + rules = lib.flip lib.mapAttrsToList predefinedRules ( 216 213 file: content: { 217 214 inherit (content) file; 218 215 local = "${cfg.settings.Rules.Path}/${file}.json"; ··· 225 222 # declared in `cfg.rules` (i.e. all networks that were "removed" from 226 223 # `cfg.rules`). 227 224 find ${cfg.settings.Rules.Path} -type l -lname '${builtins.storeDir}/*' ${ 228 - optionalString (rules != { }) '' 229 - -not $ ${concatMapStringsSep " -o " ({ local, ... }: "-name '${baseNameOf local}*'") rules} $ \ 225 + lib.optionalString (rules != { }) '' 226 + -not $ ${ 227 + lib.concatMapStringsSep " -o " ({ local, ... }: "-name '${baseNameOf local}*'") rules 228 + } $ \ 230 229 '' 231 230 } -delete 232 - ${concatMapStrings ( 231 + ${lib.concatMapStrings ( 233 232 { file, local }: 234 233 '' 235 234 ln -sf '${file}' "${local}"

+4 -7

nixos/modules/services/security/pass-secret-service.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.passSecretService; 12 9 in 13 10 { 14 11 options.services.passSecretService = { 15 - enable = mkEnableOption "pass secret service"; 12 + enable = lib.mkEnableOption "pass secret service"; 16 13 17 - package = mkPackageOption pkgs "pass-secret-service" { 14 + package = lib.mkPackageOption pkgs "pass-secret-service" { 18 15 example = "pass-secret-service.override { python3 = pkgs.python310 }"; 19 16 }; 20 17 }; 21 18 22 - config = mkIf cfg.enable { 19 + config = lib.mkIf cfg.enable { 23 20 systemd.packages = [ cfg.package ]; 24 21 services.dbus.packages = [ cfg.package ]; 25 22 }; 26 23 27 - meta.maintainers = with maintainers; [ aidalgol ]; 24 + meta.maintainers = with lib.maintainers; [ aidalgol ]; 28 25 }

+53 -52

nixos/modules/services/security/physlock.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.physlock; 12 9 in ··· 19 16 20 17 services.physlock = { 21 18 22 - enable = mkOption { 23 - type = types.bool; 19 + enable = lib.mkOption { 20 + type = lib.types.bool; 24 21 default = false; 25 22 description = '' 26 23 Whether to enable the {command}`physlock` screen locking mechanism. ··· 35 32 ''; 36 33 }; 37 34 38 - allowAnyUser = mkOption { 39 - type = types.bool; 35 + allowAnyUser = lib.mkOption { 36 + type = lib.types.bool; 40 37 default = false; 41 38 description = '' 42 39 Whether to allow any user to lock the screen. This will install a ··· 46 43 ''; 47 44 }; 48 45 49 - disableSysRq = mkOption { 50 - type = types.bool; 46 + disableSysRq = lib.mkOption { 47 + type = lib.types.bool; 51 48 default = true; 52 49 description = '' 53 50 Whether to disable SysRq when locked with physlock. 54 51 ''; 55 52 }; 56 53 57 - lockMessage = mkOption { 58 - type = types.str; 54 + lockMessage = lib.mkOption { 55 + type = lib.types.str; 59 56 default = ""; 60 57 description = '' 61 58 Message to show on physlock login terminal. 62 59 ''; 63 60 }; 64 61 65 - muteKernelMessages = mkOption { 66 - type = types.bool; 62 + muteKernelMessages = lib.mkOption { 63 + type = lib.types.bool; 67 64 default = false; 68 65 description = '' 69 66 Disable kernel messages on console while physlock is running. ··· 72 69 73 70 lockOn = { 74 71 75 - suspend = mkOption { 76 - type = types.bool; 72 + suspend = lib.mkOption { 73 + type = lib.types.bool; 77 74 default = true; 78 75 description = '' 79 76 Whether to lock screen with physlock just before suspend. 80 77 ''; 81 78 }; 82 79 83 - hibernate = mkOption { 84 - type = types.bool; 80 + hibernate = lib.mkOption { 81 + type = lib.types.bool; 85 82 default = true; 86 83 description = '' 87 84 Whether to lock screen with physlock just before hibernate. 88 85 ''; 89 86 }; 90 87 91 - extraTargets = mkOption { 92 - type = types.listOf types.str; 88 + extraTargets = lib.mkOption { 89 + type = lib.types.listOf lib.types.str; 93 90 default = [ ]; 94 91 example = [ "display-manager.service" ]; 95 92 description = '' ··· 110 107 111 108 ###### implementation 112 109 113 - config = mkIf cfg.enable (mkMerge [ 114 - { 110 + config = lib.mkIf cfg.enable ( 111 + lib.mkMerge [ 112 + { 115 113 116 - # for physlock -l and physlock -L 117 - environment.systemPackages = [ pkgs.physlock ]; 114 + # for physlock -l and physlock -L 115 + environment.systemPackages = [ pkgs.physlock ]; 118 116 119 - systemd.services.physlock = { 120 - enable = true; 121 - description = "Physlock"; 122 - wantedBy = 123 - optional cfg.lockOn.suspend "suspend.target" 124 - ++ optional cfg.lockOn.hibernate "hibernate.target" 125 - ++ cfg.lockOn.extraTargets; 126 - before = 127 - optional cfg.lockOn.suspend "systemd-suspend.service" 128 - ++ optional cfg.lockOn.hibernate "systemd-hibernate.service" 129 - ++ optional (cfg.lockOn.hibernate || cfg.lockOn.suspend) "systemd-suspend-then-hibernate.service" 130 - ++ cfg.lockOn.extraTargets; 131 - serviceConfig = { 132 - Type = "forking"; 133 - ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.muteKernelMessages "m"}${optionalString cfg.disableSysRq "s"}${ 134 - optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\"" 135 - }"; 117 + systemd.services.physlock = { 118 + enable = true; 119 + description = "Physlock"; 120 + wantedBy = 121 + lib.optional cfg.lockOn.suspend "suspend.target" 122 + ++ lib.optional cfg.lockOn.hibernate "hibernate.target" 123 + ++ cfg.lockOn.extraTargets; 124 + before = 125 + lib.optional cfg.lockOn.suspend "systemd-suspend.service" 126 + ++ lib.optional cfg.lockOn.hibernate "systemd-hibernate.service" 127 + ++ lib.optional ( 128 + cfg.lockOn.hibernate || cfg.lockOn.suspend 129 + ) "systemd-suspend-then-hibernate.service" 130 + ++ cfg.lockOn.extraTargets; 131 + serviceConfig = { 132 + Type = "forking"; 133 + ExecStart = "${pkgs.physlock}/bin/physlock -d${lib.optionalString cfg.muteKernelMessages "m"}${lib.optionalString cfg.disableSysRq "s"}${ 134 + lib.optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\"" 135 + }"; 136 + }; 136 137 }; 137 - }; 138 138 139 - security.pam.services.physlock = { }; 139 + security.pam.services.physlock = { }; 140 140 141 - } 141 + } 142 142 143 - (mkIf cfg.allowAnyUser { 143 + (lib.mkIf cfg.allowAnyUser { 144 144 145 - security.wrappers.physlock = { 146 - setuid = true; 147 - owner = "root"; 148 - group = "root"; 149 - source = "${pkgs.physlock}/bin/physlock"; 150 - }; 145 + security.wrappers.physlock = { 146 + setuid = true; 147 + owner = "root"; 148 + group = "root"; 149 + source = "${pkgs.physlock}/bin/physlock"; 150 + }; 151 151 152 - }) 153 - ]); 152 + }) 153 + ] 154 + ); 154 155 155 156 }

+15 -18

nixos/modules/services/security/sks.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.sks; 12 9 sksPkg = cfg.package; ··· 16 13 17 14 in 18 15 { 19 - meta.maintainers = with maintainers; [ 16 + meta.maintainers = with lib.maintainers; [ 20 17 calbrecht 21 18 jcumming 22 19 ]; ··· 25 22 26 23 services.sks = { 27 24 28 - enable = mkEnableOption '' 25 + enable = lib.mkEnableOption '' 29 26 SKS (synchronizing key server for OpenPGP) and start the database 30 27 server. You need to create "''${dataDir}/dump/*.gpg" for the initial 31 28 import''; 32 29 33 - package = mkPackageOption pkgs "sks" { }; 30 + package = lib.mkPackageOption pkgs "sks" { }; 34 31 35 - dataDir = mkOption { 36 - type = types.path; 32 + dataDir = lib.mkOption { 33 + type = lib.types.path; 37 34 default = "/var/db/sks"; 38 35 example = "/var/lib/sks"; 39 36 # TODO: The default might change to "/var/lib/sks" as this is more ··· 46 43 ''; 47 44 }; 48 45 49 - extraDbConfig = mkOption { 50 - type = types.str; 46 + extraDbConfig = lib.mkOption { 47 + type = lib.types.str; 51 48 default = ""; 52 49 description = '' 53 50 Set contents of the files "KDB/DB_CONFIG" and "PTree/DB_CONFIG" within ··· 60 57 ''; 61 58 }; 62 59 63 - hkpAddress = mkOption { 60 + hkpAddress = lib.mkOption { 64 61 default = [ 65 62 "127.0.0.1" 66 63 "::1" 67 64 ]; 68 - type = types.listOf types.str; 65 + type = lib.types.listOf lib.types.str; 69 66 description = '' 70 67 Domain names, IPv4 and/or IPv6 addresses to listen on for HKP 71 68 requests. 72 69 ''; 73 70 }; 74 71 75 - hkpPort = mkOption { 72 + hkpPort = lib.mkOption { 76 73 default = 11371; 77 - type = types.ints.u16; 74 + type = lib.types.ints.u16; 78 75 description = "HKP port to listen on."; 79 76 }; 80 77 81 - webroot = mkOption { 82 - type = types.nullOr types.path; 78 + webroot = lib.mkOption { 79 + type = lib.types.nullOr lib.types.path; 83 80 default = "${sksPkg.webSamples}/OpenPKG"; 84 - defaultText = literalExpression ''"''${package.webSamples}/OpenPKG"''; 81 + defaultText = lib.literalExpression ''"''${package.webSamples}/OpenPKG"''; 85 82 description = '' 86 83 Source directory (will be symlinked, if not null) for the files the 87 84 built-in webserver should serve. SKS (''${pkgs.sks.webSamples}) ··· 96 93 }; 97 94 }; 98 95 99 - config = mkIf cfg.enable { 96 + config = lib.mkIf cfg.enable { 100 97 101 98 users = { 102 99 users.sks = {

+25 -28

nixos/modules/services/security/sshguard.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.sshguard; 12 9 ··· 19 16 "-o cat" 20 17 "-n1" 21 18 ] 22 - ++ (map (name: "-t ${escapeShellArg name}") cfg.services) 19 + ++ (map (name: "-t ${lib.escapeShellArg name}") cfg.services) 23 20 ); 24 21 backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset"; 25 22 in ··· 36 33 options = { 37 34 38 35 services.sshguard = { 39 - enable = mkOption { 36 + enable = lib.mkOption { 40 37 default = false; 41 - type = types.bool; 38 + type = lib.types.bool; 42 39 description = "Whether to enable the sshguard service."; 43 40 }; 44 41 45 - attack_threshold = mkOption { 42 + attack_threshold = lib.mkOption { 46 43 default = 30; 47 - type = types.int; 44 + type = lib.types.int; 48 45 description = '' 49 46 Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10. 50 47 ''; 51 48 }; 52 49 53 - blacklist_threshold = mkOption { 50 + blacklist_threshold = lib.mkOption { 54 51 default = null; 55 52 example = 120; 56 - type = types.nullOr types.int; 53 + type = lib.types.nullOr lib.types.int; 57 54 description = '' 58 55 Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. 59 56 ''; 60 57 }; 61 58 62 - blacklist_file = mkOption { 59 + blacklist_file = lib.mkOption { 63 60 default = "/var/lib/sshguard/blacklist.db"; 64 - type = types.path; 61 + type = lib.types.path; 65 62 description = '' 66 63 Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. 67 64 ''; 68 65 }; 69 66 70 - blocktime = mkOption { 67 + blocktime = lib.mkOption { 71 68 default = 120; 72 - type = types.int; 69 + type = lib.types.int; 73 70 description = '' 74 71 Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5. 75 72 ··· 77 74 ''; 78 75 }; 79 76 80 - detection_time = mkOption { 77 + detection_time = lib.mkOption { 81 78 default = 1800; 82 - type = types.int; 79 + type = lib.types.int; 83 80 description = '' 84 81 Remember potential attackers for up to detection_time seconds before resetting their score. 85 82 ''; 86 83 }; 87 84 88 - whitelist = mkOption { 85 + whitelist = lib.mkOption { 89 86 default = [ ]; 90 87 example = [ 91 88 "198.51.100.56" 92 89 "198.51.100.2" 93 90 ]; 94 - type = types.listOf types.str; 91 + type = lib.types.listOf lib.types.str; 95 92 description = '' 96 93 Whitelist a list of addresses, hostnames, or address blocks. 97 94 ''; 98 95 }; 99 96 100 - services = mkOption { 97 + services = lib.mkOption { 101 98 default = [ "sshd" ]; 102 99 example = [ 103 100 "sshd" 104 101 "exim" 105 102 ]; 106 - type = types.listOf types.str; 103 + type = lib.types.listOf lib.types.str; 107 104 description = '' 108 105 Systemd services sshguard should receive logs of. 109 106 ''; ··· 113 110 114 111 ###### implementation 115 112 116 - config = mkIf cfg.enable { 113 + config = lib.mkIf cfg.enable { 117 114 118 115 environment.etc."sshguard.conf".source = configFile; 119 116 ··· 122 119 123 120 wantedBy = [ "multi-user.target" ]; 124 121 after = [ "network.target" ]; 125 - partOf = optional config.networking.firewall.enable "firewall.service"; 122 + partOf = lib.optional config.networking.firewall.enable "firewall.service"; 126 123 127 124 restartTriggers = [ configFile ]; 128 125 ··· 149 146 # of the ipsets. So instead, we create both the ipsets and 150 147 # firewall rules before sshguard starts. 151 148 preStart = 152 - optionalString config.networking.firewall.enable '' 149 + lib.optionalString config.networking.firewall.enable '' 153 150 ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet 154 151 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP 155 152 '' 156 - + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' 153 + + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' 157 154 ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 158 155 ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP 159 156 ''; 160 157 161 158 postStop = 162 - optionalString config.networking.firewall.enable '' 159 + lib.optionalString config.networking.firewall.enable '' 163 160 ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP 164 161 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 165 162 '' 166 - + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' 163 + + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' 167 164 ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP 168 165 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 169 166 ''; ··· 179 176 "-a ${toString cfg.attack_threshold}" 180 177 "-p ${toString cfg.blocktime}" 181 178 "-s ${toString cfg.detection_time}" 182 - (optionalString ( 179 + (lib.optionalString ( 183 180 cfg.blacklist_threshold != null 184 181 ) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}") 185 182 ] 186 - ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist) 183 + ++ (map (name: "-w ${lib.escapeShellArg name}") cfg.whitelist) 187 184 ); 188 185 in 189 186 "${pkgs.sshguard}/bin/sshguard ${args}";

+2 -5

nixos/modules/services/security/sslmate-agent.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.sslmate-agent; 12 9 ··· 16 13 17 14 options = { 18 15 services.sslmate-agent = { 19 - enable = mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server"; 16 + enable = lib.mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server"; 20 17 }; 21 18 }; 22 19 23 - config = mkIf cfg.enable { 20 + config = lib.mkIf cfg.enable { 24 21 environment.systemPackages = with pkgs; [ sslmate-agent ]; 25 22 26 23 systemd = {

+9 -10

nixos/modules/services/security/tang.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - with lib; 8 7 let 9 8 cfg = config.services.tang; 10 9 in 11 10 { 12 11 options.services.tang = { 13 - enable = mkEnableOption "tang"; 12 + enable = lib.mkEnableOption "tang"; 14 13 15 - package = mkOption { 16 - type = types.package; 14 + package = lib.mkOption { 15 + type = lib.types.package; 17 16 default = pkgs.tang; 18 - defaultText = literalExpression "pkgs.tang"; 17 + defaultText = lib.literalExpression "pkgs.tang"; 19 18 description = "The tang package to use."; 20 19 }; 21 20 22 - listenStream = mkOption { 23 - type = with types; listOf str; 21 + listenStream = lib.mkOption { 22 + type = with lib.types; listOf str; 24 23 default = [ "7654" ]; 25 24 example = [ 26 25 "198.168.100.1:7654" ··· 33 32 ''; 34 33 }; 35 34 36 - ipAddressAllow = mkOption { 35 + ipAddressAllow = lib.mkOption { 37 36 example = [ "192.168.1.0/24" ]; 38 - type = types.listOf types.str; 37 + type = lib.types.listOf lib.types.str; 39 38 description = '' 40 39 Whitelist a list of address prefixes. 41 40 Preferably, internal addresses should be used. ··· 43 42 }; 44 43 45 44 }; 46 - config = mkIf cfg.enable { 45 + config = lib.mkIf cfg.enable { 47 46 environment.systemPackages = [ cfg.package ]; 48 47 49 48 systemd.services."tangd@" = {

+145 -140

nixos/modules/services/security/tor.nix

··· 5 5 pkgs, 6 6 ... 7 7 }: 8 - 9 8 with builtins; 10 - with lib; 11 - 12 9 let 13 10 cfg = config.services.tor; 14 11 opt = options.services.tor; ··· 44 41 ]); 45 42 optionBool = 46 43 optionName: 47 - mkOption { 48 - type = with types; nullOr bool; 44 + lib.mkOption { 45 + type = with lib.types; nullOr bool; 49 46 default = null; 50 47 description = (descriptionGeneric optionName); 51 48 }; 52 49 optionInt = 53 50 optionName: 54 - mkOption { 55 - type = with types; nullOr int; 51 + lib.mkOption { 52 + type = with lib.types; nullOr int; 56 53 default = null; 57 54 description = (descriptionGeneric optionName); 58 55 }; 59 56 optionString = 60 57 optionName: 61 - mkOption { 62 - type = with types; nullOr str; 58 + lib.mkOption { 59 + type = with lib.types; nullOr str; 63 60 default = null; 64 61 description = (descriptionGeneric optionName); 65 62 }; 66 63 optionStrings = 67 64 optionName: 68 - mkOption { 69 - type = with types; listOf str; 65 + lib.mkOption { 66 + type = with lib.types; listOf str; 70 67 default = [ ]; 71 68 description = (descriptionGeneric optionName); 72 69 }; 73 - optionAddress = mkOption { 70 + optionAddress = lib.mkOption { 74 71 type = with types; nullOr str; 75 72 default = null; 76 73 example = "0.0.0.0"; ··· 78 75 IPv4 or IPv6 (if between brackets) address. 79 76 ''; 80 77 }; 81 - optionUnix = mkOption { 78 + optionUnix = lib.mkOption { 82 79 type = with types; nullOr path; 83 80 default = null; 84 81 description = '' 85 82 Unix domain socket path to use. 86 83 ''; 87 84 }; 88 - optionPort = mkOption { 85 + optionPort = lib.mkOption { 89 86 type = 90 87 with types; 91 88 nullOr (oneOf [ ··· 96 93 }; 97 94 optionPorts = 98 95 optionName: 99 - mkOption { 100 - type = with types; listOf port; 96 + lib.mkOption { 97 + type = with lib.types; listOf port; 101 98 default = [ ]; 102 99 description = (descriptionGeneric optionName); 103 100 }; 104 101 optionIsolablePort = 105 - with types; 102 + with lib.types; 106 103 oneOf [ 107 104 port 108 105 (enum [ "auto" ]) ··· 114 111 addr = optionAddress; 115 112 port = optionPort; 116 113 flags = optionFlags; 117 - SessionGroup = mkOption { 114 + SessionGroup = lib.mkOption { 118 115 type = nullOr int; 119 116 default = null; 120 117 }; 121 118 } 122 - // genAttrs isolateFlags ( 119 + // lib.genAttrs isolateFlags ( 123 120 name: 124 - mkOption { 121 + lib.mkOption { 125 122 type = types.bool; 126 123 default = false; 127 124 } ··· 136 133 ]; 137 134 optionIsolablePorts = 138 135 optionName: 139 - mkOption { 136 + lib.mkOption { 140 137 default = [ ]; 141 - type = with types; either optionIsolablePort (listOf optionIsolablePort); 138 + type = with lib.types; either optionIsolablePort (listOf optionIsolablePort); 142 139 description = (descriptionGeneric optionName); 143 140 }; 144 141 isolateFlags = [ ··· 171 168 "WorldWritable" 172 169 ] ++ isolateFlags; 173 170 in 174 - with types; 171 + with lib.types; 175 172 oneOf [ 176 173 port 177 174 (submodule ( ··· 183 180 addr = optionAddress; 184 181 port = optionPort; 185 182 flags = optionFlags; 186 - SessionGroup = mkOption { 183 + SessionGroup = lib.mkOption { 187 184 type = nullOr int; 188 185 default = null; 189 186 }; 190 187 } 191 - // genAttrs flags ( 188 + // lib.genAttrs flags ( 192 189 name: 193 - mkOption { 190 + lib.mkOption { 194 191 type = types.bool; 195 192 default = false; 196 193 } 197 194 ); 198 - config = mkIf doConfig { 195 + config = lib.mkIf doConfig { 199 196 # Only add flags in SOCKSPort to avoid duplicates 200 197 flags = 201 198 filter (name: config.${name} == true) flags ··· 204 201 } 205 202 )) 206 203 ]; 207 - optionFlags = mkOption { 204 + optionFlags = lib.mkOption { 208 205 type = with types; listOf str; 209 206 default = [ ]; 210 207 }; 211 208 optionORPort = 212 209 optionName: 213 - mkOption { 210 + lib.mkOption { 214 211 default = [ ]; 215 212 example = 443; 216 213 type = 217 - with types; 214 + with lib.types; 218 215 oneOf [ 219 216 port 220 217 (enum [ "auto" ]) ··· 238 235 port = optionPort; 239 236 flags = optionFlags; 240 237 } 241 - // genAttrs flags ( 238 + // lib.genAttrs flags ( 242 239 name: 243 - mkOption { 240 + lib.mkOption { 244 241 type = types.bool; 245 242 default = false; 246 243 } ··· 256 253 }; 257 254 optionBandwidth = 258 255 optionName: 259 - mkOption { 260 - type = with types; nullOr (either int str); 256 + lib.mkOption { 257 + type = with lib.types; nullOr (either int str); 261 258 default = null; 262 259 description = (descriptionGeneric optionName); 263 260 }; 264 261 optionPath = 265 262 optionName: 266 - mkOption { 267 - type = with types; nullOr path; 263 + lib.mkOption { 264 + type = with lib.types; nullOr path; 268 265 default = null; 269 266 description = (descriptionGeneric optionName); 270 267 }; ··· 323 320 in 324 321 { 325 322 imports = [ 326 - (mkRenamedOptionModule 323 + (lib.mkRenamedOptionModule 327 324 [ "services" "tor" "client" "dns" "automapHostsSuffixes" ] 328 325 [ "services" "tor" "settings" "AutomapHostsSuffixes" ] 329 326 ) 330 - (mkRemovedOptionModule [ 327 + (lib.mkRemovedOptionModule [ 331 328 "services" 332 329 "tor" 333 330 "client" 334 331 "dns" 335 332 "isolationOptions" 336 333 ] "Use services.tor.settings.DNSPort instead.") 337 - (mkRemovedOptionModule [ 334 + (lib.mkRemovedOptionModule [ 338 335 "services" 339 336 "tor" 340 337 "client" 341 338 "dns" 342 339 "listenAddress" 343 340 ] "Use services.tor.settings.DNSPort instead.") 344 - (mkRemovedOptionModule [ 341 + (lib.mkRemovedOptionModule [ 345 342 "services" 346 343 "tor" 347 344 "client" 348 345 "privoxy" 349 346 "enable" 350 347 ] "Use services.privoxy.enable and services.privoxy.enableTor instead.") 351 - (mkRemovedOptionModule [ 348 + (lib.mkRemovedOptionModule [ 352 349 "services" 353 350 "tor" 354 351 "client" 355 352 "socksIsolationOptions" 356 353 ] "Use services.tor.settings.SOCKSPort instead.") 357 - (mkRemovedOptionModule [ 354 + (lib.mkRemovedOptionModule [ 358 355 "services" 359 356 "tor" 360 357 "client" 361 358 "socksListenAddressFaster" 362 359 ] "Use services.tor.settings.SOCKSPort instead.") 363 - (mkRenamedOptionModule 360 + (lib.mkRenamedOptionModule 364 361 [ "services" "tor" "client" "socksPolicy" ] 365 362 [ "services" "tor" "settings" "SocksPolicy" ] 366 363 ) 367 - (mkRemovedOptionModule [ 364 + (lib.mkRemovedOptionModule [ 368 365 "services" 369 366 "tor" 370 367 "client" 371 368 "transparentProxy" 372 369 "isolationOptions" 373 370 ] "Use services.tor.settings.TransPort instead.") 374 - (mkRemovedOptionModule [ 371 + (lib.mkRemovedOptionModule [ 375 372 "services" 376 373 "tor" 377 374 "client" 378 375 "transparentProxy" 379 376 "listenAddress" 380 377 ] "Use services.tor.settings.TransPort instead.") 381 - (mkRenamedOptionModule 378 + (lib.mkRenamedOptionModule 382 379 [ "services" "tor" "controlPort" ] 383 380 [ "services" "tor" "settings" "ControlPort" ] 384 381 ) 385 - (mkRemovedOptionModule [ 382 + (lib.mkRemovedOptionModule [ 386 383 "services" 387 384 "tor" 388 385 "extraConfig" 389 386 ] "Please use services.tor.settings instead.") 390 - (mkRenamedOptionModule 387 + (lib.mkRenamedOptionModule 391 388 [ "services" "tor" "hiddenServices" ] 392 389 [ "services" "tor" "relay" "onionServices" ] 393 390 ) 394 - (mkRenamedOptionModule 391 + (lib.mkRenamedOptionModule 395 392 [ "services" "tor" "relay" "accountingMax" ] 396 393 [ "services" "tor" "settings" "AccountingMax" ] 397 394 ) 398 - (mkRenamedOptionModule 395 + (lib.mkRenamedOptionModule 399 396 [ "services" "tor" "relay" "accountingStart" ] 400 397 [ "services" "tor" "settings" "AccountingStart" ] 401 398 ) 402 - (mkRenamedOptionModule 399 + (lib.mkRenamedOptionModule 403 400 [ "services" "tor" "relay" "address" ] 404 401 [ "services" "tor" "settings" "Address" ] 405 402 ) 406 - (mkRenamedOptionModule 403 + (lib.mkRenamedOptionModule 407 404 [ "services" "tor" "relay" "bandwidthBurst" ] 408 405 [ "services" "tor" "settings" "BandwidthBurst" ] 409 406 ) 410 - (mkRenamedOptionModule 407 + (lib.mkRenamedOptionModule 411 408 [ "services" "tor" "relay" "bandwidthRate" ] 412 409 [ "services" "tor" "settings" "BandwidthRate" ] 413 410 ) 414 - (mkRenamedOptionModule 411 + (lib.mkRenamedOptionModule 415 412 [ "services" "tor" "relay" "bridgeTransports" ] 416 413 [ "services" "tor" "settings" "ServerTransportPlugin" "transports" ] 417 414 ) 418 - (mkRenamedOptionModule 415 + (lib.mkRenamedOptionModule 419 416 [ "services" "tor" "relay" "contactInfo" ] 420 417 [ "services" "tor" "settings" "ContactInfo" ] 421 418 ) 422 - (mkRenamedOptionModule 419 + (lib.mkRenamedOptionModule 423 420 [ "services" "tor" "relay" "exitPolicy" ] 424 421 [ "services" "tor" "settings" "ExitPolicy" ] 425 422 ) 426 - (mkRemovedOptionModule [ 423 + (lib.mkRemovedOptionModule [ 427 424 "services" 428 425 "tor" 429 426 "relay" 430 427 "isBridge" 431 428 ] "Use services.tor.relay.role instead.") 432 - (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.") 433 - (mkRenamedOptionModule 429 + (lib.mkRemovedOptionModule [ 430 + "services" 431 + "tor" 432 + "relay" 433 + "isExit" 434 + ] "Use services.tor.relay.role instead.") 435 + (lib.mkRenamedOptionModule 434 436 [ "services" "tor" "relay" "nickname" ] 435 437 [ "services" "tor" "settings" "Nickname" ] 436 438 ) 437 - (mkRenamedOptionModule [ "services" "tor" "relay" "port" ] [ "services" "tor" "settings" "ORPort" ]) 438 - (mkRenamedOptionModule 439 + (lib.mkRenamedOptionModule 440 + [ "services" "tor" "relay" "port" ] 441 + [ "services" "tor" "settings" "ORPort" ] 442 + ) 443 + (lib.mkRenamedOptionModule 439 444 [ "services" "tor" "relay" "portSpec" ] 440 445 [ "services" "tor" "settings" "ORPort" ] 441 446 ) ··· 443 448 444 449 options = { 445 450 services.tor = { 446 - enable = mkEnableOption '' 451 + enable = lib.mkEnableOption '' 447 452 Tor daemon. 448 453 By default, the daemon is run without 449 454 relay, exit, bridge or client connectivity''; 450 455 451 - openFirewall = mkEnableOption "opening of the relay port(s) in the firewall"; 456 + openFirewall = lib.mkEnableOption "opening of the relay port(s) in the firewall"; 452 457 453 - package = mkPackageOption pkgs "tor" { }; 458 + package = lib.mkPackageOption pkgs "tor" { }; 454 459 455 460 enableGeoIP = 456 - mkEnableOption '' 461 + lib.mkEnableOption '' 457 462 use of GeoIP databases. 458 463 Disabling this will disable by-country statistics for bridges and relays 459 464 and some client and third-party software functionality'' ··· 461 466 default = true; 462 467 }; 463 468 464 - controlSocket.enable = mkEnableOption '' 469 + controlSocket.enable = lib.mkEnableOption '' 465 470 control socket, 466 471 created in `${runDir}/control`''; 467 472 468 473 client = { 469 - enable = mkEnableOption '' 474 + enable = lib.mkEnableOption '' 470 475 the routing of application connections. 471 476 You might want to disable this if you plan running a dedicated Tor relay''; 472 477 473 - transparentProxy.enable = mkEnableOption "transparent proxy"; 474 - dns.enable = mkEnableOption "DNS resolver"; 478 + transparentProxy.enable = lib.mkEnableOption "transparent proxy"; 479 + dns.enable = lib.mkEnableOption "DNS resolver"; 475 480 476 - socksListenAddress = mkOption { 481 + socksListenAddress = lib.mkOption { 477 482 type = optionSOCKSPort false; 478 483 default = { 479 484 addr = "127.0.0.1"; ··· 491 496 ''; 492 497 }; 493 498 494 - onionServices = mkOption { 499 + onionServices = lib.mkOption { 495 500 description = (descriptionGeneric "HiddenServiceDir"); 496 501 default = { }; 497 502 example = { ··· 499 504 clientAuthorizations = [ "/run/keys/tor/alice.prv.x25519" ]; 500 505 }; 501 506 }; 502 - type = types.attrsOf ( 503 - types.submodule ( 507 + type = lib.types.attrsOf ( 508 + lib.types.submodule ( 504 509 { name, config, ... }: 505 510 { 506 - options.clientAuthorizations = mkOption { 511 + options.clientAuthorizations = lib.mkOption { 507 512 description = '' 508 513 Clients' authorizations for a v3 onion service, 509 514 as a list of files containing each one private key, in the format: ··· 512 517 ``` 513 518 ${descriptionGeneric "_client_authorization"} 514 519 ''; 515 - type = with types; listOf path; 520 + type = with lib.types; listOf path; 516 521 default = [ ]; 517 522 example = [ "/run/keys/tor/alice.prv.x25519" ]; 518 523 }; ··· 523 528 }; 524 529 525 530 relay = { 526 - enable = mkEnableOption "tor relaying" // { 531 + enable = lib.mkEnableOption "tor relaying" // { 527 532 description = '' 528 533 Whether to enable relaying of Tor traffic for others. 529 534 ··· 538 543 ''; 539 544 }; 540 545 541 - role = mkOption { 542 - type = types.enum [ 546 + role = lib.mkOption { 547 + type = lib.types.enum [ 543 548 "exit" 544 549 "relay" 545 550 "bridge" ··· 629 634 ''; 630 635 }; 631 636 632 - onionServices = mkOption { 637 + onionServices = lib.mkOption { 633 638 description = (descriptionGeneric "HiddenServiceDir"); 634 639 default = { }; 635 640 example = { ··· 640 645 ]; 641 646 }; 642 647 }; 643 - type = types.attrsOf ( 644 - types.submodule ( 648 + type = lib.types.attrsOf ( 649 + lib.types.submodule ( 645 650 { name, config, ... }: 646 651 { 647 - options.path = mkOption { 648 - type = types.path; 652 + options.path = lib.mkOption { 653 + type = lib.types.path; 649 654 description = '' 650 655 Path where to store the data files of the hidden service. 651 656 If the {option}`secretKey` is null ··· 653 658 otherwise to `${runDir}/onion/$onion`. 654 659 ''; 655 660 }; 656 - options.secretKey = mkOption { 657 - type = with types; nullOr path; 661 + options.secretKey = lib.mkOption { 662 + type = with lib.types; nullOr path; 658 663 default = null; 659 664 example = "/run/keys/tor/onion/expyuzz4wqqyqhjn/hs_ed25519_secret_key"; 660 665 description = '' ··· 665 670 from this file if they do not exist. 666 671 ''; 667 672 }; 668 - options.authorizeClient = mkOption { 673 + options.authorizeClient = lib.mkOption { 669 674 description = (descriptionGeneric "HiddenServiceAuthorizeClient"); 670 675 default = null; 671 - type = types.nullOr ( 672 - types.submodule ( 676 + type = lib.types.nullOr ( 677 + lib.types.submodule ( 673 678 { ... }: 674 679 { 675 680 options = { 676 - authType = mkOption { 677 - type = types.enum [ 681 + authType = lib.mkOption { 682 + type = lib.types.enum [ 678 683 "basic" 679 684 "stealth" 680 685 ]; ··· 684 689 that also hides service activity from unauthorized clients. 685 690 ''; 686 691 }; 687 - clientNames = mkOption { 688 - type = with types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+"); 692 + clientNames = lib.mkOption { 693 + type = with lib.types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+"); 689 694 description = '' 690 695 Only clients that are listed here are authorized to access the hidden service. 691 696 Generated authorization data can be found in {file}`${stateDir}/onion/$name/hostname`. ··· 698 703 ) 699 704 ); 700 705 }; 701 - options.authorizedClients = mkOption { 706 + options.authorizedClients = lib.mkOption { 702 707 description = '' 703 708 Authorized clients for a v3 onion service, 704 709 as a list of public key, in the format: ··· 707 712 ``` 708 713 ${descriptionGeneric "_client_authorization"} 709 714 ''; 710 - type = with types; listOf str; 715 + type = with lib.types; listOf str; 711 716 default = [ ]; 712 717 example = [ "descriptor:x25519:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ]; 713 718 }; 714 - options.map = mkOption { 719 + options.map = lib.mkOption { 715 720 description = (descriptionGeneric "HiddenServicePort"); 716 721 type = 717 - with types; 722 + with lib.types; 718 723 listOf (oneOf [ 719 724 port 720 725 (submodule ( ··· 722 727 { 723 728 options = { 724 729 port = optionPort; 725 - target = mkOption { 730 + target = lib.mkOption { 726 731 default = null; 727 732 type = nullOr ( 728 733 submodule ( ··· 752 757 v 753 758 ); 754 759 }; 755 - options.version = mkOption { 760 + options.version = lib.mkOption { 756 761 description = (descriptionGeneric "HiddenServiceVersion"); 757 762 type = 758 - with types; 763 + with lib.types; 759 764 nullOr (enum [ 760 765 2 761 766 3 762 767 ]); 763 768 default = null; 764 769 }; 765 - options.settings = mkOption { 770 + options.settings = lib.mkOption { 766 771 description = '' 767 772 Settings of the onion service. 768 773 ${descriptionGeneric "_hidden_service_options"} 769 774 ''; 770 775 default = { }; 771 - type = types.submodule { 776 + type = lib.types.submodule { 772 777 freeformType = 773 - with types; 778 + with lib.types; 774 779 (attrsOf ( 775 780 nullOr (oneOf [ 776 781 str ··· 784 789 }; 785 790 options.HiddenServiceAllowUnknownPorts = optionBool "HiddenServiceAllowUnknownPorts"; 786 791 options.HiddenServiceDirGroupReadable = optionBool "HiddenServiceDirGroupReadable"; 787 - options.HiddenServiceExportCircuitID = mkOption { 792 + options.HiddenServiceExportCircuitID = lib.mkOption { 788 793 description = (descriptionGeneric "HiddenServiceExportCircuitID"); 789 - type = with types; nullOr (enum [ "haproxy" ]); 794 + type = with lib.types; nullOr (enum [ "haproxy" ]); 790 795 default = null; 791 796 }; 792 - options.HiddenServiceMaxStreams = mkOption { 797 + options.HiddenServiceMaxStreams = lib.mkOption { 793 798 description = (descriptionGeneric "HiddenServiceMaxStreams"); 794 - type = with types; nullOr (ints.between 0 65535); 799 + type = with lib.types; nullOr (ints.between 0 65535); 795 800 default = null; 796 801 }; 797 802 options.HiddenServiceMaxStreamsCloseCircuit = optionBool "HiddenServiceMaxStreamsCloseCircuit"; 798 - options.HiddenServiceNumIntroductionPoints = mkOption { 803 + options.HiddenServiceNumIntroductionPoints = lib.mkOption { 799 804 description = (descriptionGeneric "HiddenServiceNumIntroductionPoints"); 800 - type = with types; nullOr (ints.between 0 20); 805 + type = with lib.types; nullOr (ints.between 0 20); 801 806 default = null; 802 807 }; 803 808 options.HiddenServiceSingleHopMode = optionBool "HiddenServiceSingleHopMode"; ··· 822 827 }; 823 828 }; 824 829 825 - settings = mkOption { 830 + settings = lib.mkOption { 826 831 description = '' 827 832 See [torrc manual](https://2019.www.torproject.org/docs/tor-manual.html.en) 828 833 for documentation. 829 834 ''; 830 835 default = { }; 831 - type = types.submodule { 836 + type = lib.types.submodule { 832 837 freeformType = 833 - with types; 838 + with lib.types; 834 839 (attrsOf ( 835 840 nullOr (oneOf [ 836 841 str ··· 872 877 options.CellStatistics = optionBool "CellStatistics"; 873 878 options.ClientAutoIPv6ORPort = optionBool "ClientAutoIPv6ORPort"; 874 879 options.ClientDNSRejectInternalAddresses = optionBool "ClientDNSRejectInternalAddresses"; 875 - options.ClientOnionAuthDir = mkOption { 880 + options.ClientOnionAuthDir = lib.mkOption { 876 881 description = (descriptionGeneric "ClientOnionAuthDir"); 877 882 default = null; 878 - type = with types; nullOr path; 883 + type = with lib.types; nullOr path; 879 884 }; 880 885 options.ClientPreferIPv6DirPort = optionBool "ClientPreferIPv6DirPort"; # default is null and like "auto" 881 886 options.ClientPreferIPv6ORPort = optionBool "ClientPreferIPv6ORPort"; # default is null and like "auto" ··· 885 890 options.ConnDirectionStatistics = optionBool "ConnDirectionStatistics"; 886 891 options.ConstrainedSockets = optionBool "ConstrainedSockets"; 887 892 options.ContactInfo = optionString "ContactInfo"; 888 - options.ControlPort = mkOption rec { 893 + options.ControlPort = lib.mkOption rec { 889 894 description = (descriptionGeneric "ControlPort"); 890 895 default = [ ]; 891 896 example = [ { port = 9051; } ]; 892 897 type = 893 - with types; 898 + with lib.types; 894 899 oneOf [ 895 900 port 896 901 (enum [ "auto" ]) ··· 914 919 addr = optionAddress; 915 920 port = optionPort; 916 921 } 917 - // genAttrs flags ( 922 + // lib.genAttrs flags ( 918 923 name: 919 - mkOption { 924 + lib.mkOption { 920 925 type = types.bool; 921 926 default = false; 922 927 } ··· 946 951 options.DormantOnFirstStartup = optionBool "DormantOnFirstStartup"; 947 952 options.DormantTimeoutDisabledByIdleStreams = optionBool "DormantTimeoutDisabledByIdleStreams"; 948 953 options.DirCache = optionBool "DirCache"; 949 - options.DirPolicy = mkOption { 954 + options.DirPolicy = lib.mkOption { 950 955 description = (descriptionGeneric "DirPolicy"); 951 - type = with types; listOf str; 956 + type = with lib.types; listOf str; 952 957 default = [ ]; 953 958 example = [ "accept *:*" ]; 954 959 }; ··· 973 978 options.ExitPolicyRejectPrivate = optionBool "ExitPolicyRejectPrivate"; 974 979 options.ExitPortStatistics = optionBool "ExitPortStatistics"; 975 980 options.ExitRelay = optionBool "ExitRelay"; # default is null and like "auto" 976 - options.ExtORPort = mkOption { 981 + options.ExtORPort = lib.mkOption { 977 982 description = (descriptionGeneric "ExtORPort"); 978 983 default = null; 979 984 type = 980 - with types; 985 + with lib.types; 981 986 nullOr (oneOf [ 982 987 port 983 988 (enum [ "auto" ]) ··· 1009 1014 options.GeoIPFile = optionPath "GeoIPFile"; 1010 1015 options.GeoIPv6File = optionPath "GeoIPv6File"; 1011 1016 options.GuardfractionFile = optionPath "GuardfractionFile"; 1012 - options.HidServAuth = mkOption { 1017 + options.HidServAuth = lib.mkOption { 1013 1018 description = (descriptionGeneric "HidServAuth"); 1014 1019 default = [ ]; 1015 1020 type = 1016 - with types; 1021 + with lib.types; 1017 1022 listOf (oneOf [ 1018 1023 (submodule { 1019 1024 options = { 1020 - onion = mkOption { 1025 + onion = lib.mkOption { 1021 1026 type = strMatching "[a-z2-7]{16}\\.onion"; 1022 1027 description = "Onion address."; 1023 1028 example = "xxxxxxxxxxxxxxxx.onion"; 1024 1029 }; 1025 - auth = mkOption { 1030 + auth = lib.mkOption { 1026 1031 type = strMatching "[A-Za-z0-9+/]{22}"; 1027 1032 description = "Authentication cookie."; 1028 1033 }; ··· 1062 1067 options.PidFile = optionPath "PidFile"; 1063 1068 options.ProtocolWarnings = optionBool "ProtocolWarnings"; 1064 1069 options.PublishHidServDescriptors = optionBool "PublishHidServDescriptors"; 1065 - options.PublishServerDescriptor = mkOption { 1070 + options.PublishServerDescriptor = lib.mkOption { 1066 1071 description = (descriptionGeneric "PublishServerDescriptor"); 1067 1072 type = 1068 - with types; 1073 + with lib.types; 1069 1074 nullOr (enum [ 1070 1075 false 1071 1076 true ··· 1091 1096 options.ServerDNSRandomizeCase = optionBool "ServerDNSRandomizeCase"; 1092 1097 options.ServerDNSResolvConfFile = optionPath "ServerDNSResolvConfFile"; 1093 1098 options.ServerDNSSearchDomains = optionBool "ServerDNSSearchDomains"; 1094 - options.ServerTransportPlugin = mkOption { 1099 + options.ServerTransportPlugin = lib.mkOption { 1095 1100 description = (descriptionGeneric "ServerTransportPlugin"); 1096 1101 default = null; 1097 1102 type = 1098 - with types; 1103 + with lib.types; 1099 1104 nullOr ( 1100 1105 submodule ( 1101 1106 { ... }: 1102 1107 { 1103 1108 options = { 1104 - transports = mkOption { 1109 + transports = lib.mkOption { 1105 1110 description = "List of pluggable transports."; 1106 1111 type = listOf str; 1107 1112 example = [ ··· 1111 1116 "scramblesuit" 1112 1117 ]; 1113 1118 }; 1114 - exec = mkOption { 1119 + exec = lib.mkOption { 1115 1120 type = types.str; 1116 1121 description = "Command of pluggable transport."; 1117 1122 }; ··· 1120 1125 ) 1121 1126 ); 1122 1127 }; 1123 - options.ShutdownWaitLength = mkOption { 1124 - type = types.int; 1128 + options.ShutdownWaitLength = lib.mkOption { 1129 + type = lib.types.int; 1125 1130 default = 30; 1126 1131 description = (descriptionGeneric "ShutdownWaitLength"); 1127 1132 }; 1128 1133 options.SocksPolicy = optionStrings "SocksPolicy" // { 1129 1134 example = [ "accept *:*" ]; 1130 1135 }; 1131 - options.SOCKSPort = mkOption { 1136 + options.SOCKSPort = lib.mkOption { 1132 1137 description = (descriptionGeneric "SOCKSPort"); 1133 1138 default = lib.optionals cfg.settings.HiddenServiceNonAnonymousMode [ { port = 0; } ]; 1134 - defaultText = literalExpression '' 1139 + defaultText = lib.literalExpression '' 1135 1140 if config.${opt.settings}.HiddenServiceNonAnonymousMode == true 1136 1141 then [ { port = 0; } ] 1137 1142 else [ ] 1138 1143 ''; 1139 1144 example = [ { port = 9090; } ]; 1140 - type = types.listOf (optionSOCKSPort true); 1145 + type = lib.types.listOf (optionSOCKSPort true); 1141 1146 }; 1142 1147 options.TestingTorNetwork = optionBool "TestingTorNetwork"; 1143 1148 options.TransPort = optionIsolablePorts "TransPort"; 1144 - options.TransProxyType = mkOption { 1149 + options.TransProxyType = lib.mkOption { 1145 1150 description = (descriptionGeneric "TransProxyType"); 1146 1151 type = 1147 - with types; 1152 + with lib.types; 1148 1153 nullOr (enum [ 1149 1154 "default" 1150 1155 "TPROXY" ··· 1168 1173 }; 1169 1174 }; 1170 1175 1171 - config = mkIf cfg.enable { 1176 + config = lib.mkIf cfg.enable { 1172 1177 # Not sure if `cfg.relay.role == "private-bridge"` helps as tor 1173 1178 # sends a lot of stats 1174 1179 warnings = ··· 1295 1300 )) 1296 1301 ]; 1297 1302 1298 - networking.firewall = mkIf cfg.openFirewall { 1303 + networking.firewall = lib.mkIf cfg.openFirewall { 1299 1304 allowedTCPPorts = 1300 1305 concatMap 1301 1306 (

+9 -10

nixos/modules/services/security/torify.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - with lib; 8 7 let 9 8 10 9 cfg = config.services.tor; ··· 29 28 30 29 services.tor.tsocks = { 31 30 32 - enable = mkOption { 33 - type = types.bool; 31 + enable = lib.mkOption { 32 + type = lib.types.bool; 34 33 default = false; 35 34 description = '' 36 35 Whether to build tsocks wrapper script to relay application traffic via Tor. ··· 45 44 ''; 46 45 }; 47 46 48 - server = mkOption { 49 - type = types.str; 47 + server = lib.mkOption { 48 + type = lib.types.str; 50 49 default = "localhost:9050"; 51 50 example = "192.168.0.20"; 52 51 description = '' ··· 54 53 ''; 55 54 }; 56 55 57 - config = mkOption { 58 - type = types.lines; 56 + config = lib.mkOption { 57 + type = lib.types.lines; 59 58 default = ""; 60 59 description = '' 61 60 Extra configuration. Contents will be added verbatim to TSocks ··· 69 68 70 69 ###### implementation 71 70 72 - config = mkIf cfg.tsocks.enable { 71 + config = lib.mkIf cfg.tsocks.enable { 73 72 74 73 environment.systemPackages = [ torify ]; # expose it to the users 75 74 76 75 services.tor.tsocks.config = '' 77 - server = ${toString (head (splitString ":" cfg.tsocks.server))} 78 - server_port = ${toString (tail (splitString ":" cfg.tsocks.server))} 76 + server = ${toString (lib.head (lib.splitString ":" cfg.tsocks.server))} 77 + server_port = ${toString (lib.tail (lib.splitString ":" cfg.tsocks.server))} 79 78 80 79 local = 127.0.0.0/255.128.0.0 81 80 local = 127.128.0.0/255.192.0.0

+19 -22

nixos/modules/services/security/torsocks.nix

··· 1 1 { config, lib, pkgs, ... }: 2 - 3 - with lib; 4 - 5 2 let 6 3 cfg = config.services.tor.torsocks; 7 - optionalNullStr = b: v: optionalString (b != null) v; 4 + optionalNullStr = b: v: lib.optionalString (b != null) v; 8 5 9 6 configFile = server: '' 10 - TorAddress ${toString (head (splitString ":" server))} 11 - TorPort ${toString (tail (splitString ":" server))} 7 + TorAddress ${toString (lib.head (lib.splitString ":" server))} 8 + TorPort ${toString (lib.tail (lib.splitString ":" server))} 12 9 13 10 OnionAddrRange ${cfg.onionAddrRange} 14 11 ··· 34 31 { 35 32 options = { 36 33 services.tor.torsocks = { 37 - enable = mkOption { 38 - type = types.bool; 34 + enable = lib.mkOption { 35 + type = lib.types.bool; 39 36 default = config.services.tor.enable && config.services.tor.client.enable; 40 - defaultText = literalExpression "config.services.tor.enable && config.services.tor.client.enable"; 37 + defaultText = lib.literalExpression "config.services.tor.enable && config.services.tor.client.enable"; 41 38 description = '' 42 39 Whether to build `/etc/tor/torsocks.conf` 43 40 containing the specified global torsocks configuration. 44 41 ''; 45 42 }; 46 43 47 - server = mkOption { 48 - type = types.str; 44 + server = lib.mkOption { 45 + type = lib.types.str; 49 46 default = "127.0.0.1:9050"; 50 47 example = "192.168.0.20:1234"; 51 48 description = '' ··· 54 51 ''; 55 52 }; 56 53 57 - fasterServer = mkOption { 58 - type = types.str; 54 + fasterServer = lib.mkOption { 55 + type = lib.types.str; 59 56 default = "127.0.0.1:9063"; 60 57 example = "192.168.0.20:1234"; 61 58 description = '' ··· 64 61 ''; 65 62 }; 66 63 67 - onionAddrRange = mkOption { 68 - type = types.str; 64 + onionAddrRange = lib.mkOption { 65 + type = lib.types.str; 69 66 default = "127.42.42.0/24"; 70 67 description = '' 71 68 Tor hidden sites do not have real IP addresses. This ··· 77 74 ''; 78 75 }; 79 76 80 - socks5Username = mkOption { 81 - type = types.nullOr types.str; 77 + socks5Username = lib.mkOption { 78 + type = lib.types.nullOr lib.types.str; 82 79 default = null; 83 80 example = "bob"; 84 81 description = '' ··· 87 84 ''; 88 85 }; 89 86 90 - socks5Password = mkOption { 91 - type = types.nullOr types.str; 87 + socks5Password = lib.mkOption { 88 + type = lib.types.nullOr lib.types.str; 92 89 default = null; 93 90 example = "sekret"; 94 91 description = '' ··· 97 94 ''; 98 95 }; 99 96 100 - allowInbound = mkOption { 101 - type = types.bool; 97 + allowInbound = lib.mkOption { 98 + type = lib.types.bool; 102 99 default = false; 103 100 description = '' 104 101 Set Torsocks to accept inbound connections. If set to ··· 110 107 }; 111 108 }; 112 109 113 - config = mkIf cfg.enable { 110 + config = lib.mkIf cfg.enable { 114 111 environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ]; 115 112 116 113 environment.etc."tor/torsocks.conf" =

+32 -34

nixos/modules/services/security/usbguard.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 7 let 10 8 cfg = config.services.usbguard; 11 9 12 10 # valid policy options 13 11 policy = ( 14 - types.enum [ 12 + lib.types.enum [ 15 13 "allow" 16 14 "block" 17 15 "reject" ··· 30 28 PresentDevicePolicy=${cfg.presentDevicePolicy} 31 29 PresentControllerPolicy=${cfg.presentControllerPolicy} 32 30 InsertedDevicePolicy=${cfg.insertedDevicePolicy} 33 - RestoreControllerDeviceState=${boolToString cfg.restoreControllerDeviceState} 31 + RestoreControllerDeviceState=${lib.boolToString cfg.restoreControllerDeviceState} 34 32 # this does not seem useful for endusers to change 35 33 DeviceManagerBackend=uevent 36 - IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers} 37 - IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups} 34 + IPCAllowedUsers=${lib.concatStringsSep " " cfg.IPCAllowedUsers} 35 + IPCAllowedGroups=${lib.concatStringsSep " " cfg.IPCAllowedGroups} 38 36 IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/ 39 - DeviceRulesWithPort=${boolToString cfg.deviceRulesWithPort} 37 + DeviceRulesWithPort=${lib.boolToString cfg.deviceRulesWithPort} 40 38 # HACK: that way audit logs still land in the journal 41 39 AuditFilePath=/dev/null 42 40 ''; ··· 50 48 51 49 options = { 52 50 services.usbguard = { 53 - enable = mkEnableOption "USBGuard daemon"; 51 + enable = lib.mkEnableOption "USBGuard daemon"; 54 52 55 - package = mkPackageOption pkgs "usbguard" { 53 + package = lib.mkPackageOption pkgs "usbguard" { 56 54 extraDescription = '' 57 55 If you do not need the Qt GUI, use `pkgs.usbguard-nox` to save disk space. 58 56 ''; 59 57 }; 60 58 61 - ruleFile = mkOption { 62 - type = types.nullOr types.path; 59 + ruleFile = lib.mkOption { 60 + type = lib.types.nullOr lib.types.path; 63 61 default = "/var/lib/usbguard/rules.conf"; 64 62 example = "/run/secrets/usbguard-rules"; 65 63 description = '' ··· 71 69 ''; 72 70 73 71 }; 74 - rules = mkOption { 75 - type = types.nullOr types.lines; 72 + rules = lib.mkOption { 73 + type = lib.types.nullOr lib.types.lines; 76 74 default = null; 77 75 example = '' 78 76 allow with-interface equals { 08:*:* } ··· 92 90 ''; 93 91 }; 94 92 95 - implicitPolicyTarget = mkOption { 96 - type = types.enum [ 93 + implicitPolicyTarget = lib.mkOption { 94 + type = lib.types.enum [ 97 95 "allow" 98 96 "block" 99 97 "reject" ··· 106 104 ''; 107 105 }; 108 106 109 - presentDevicePolicy = mkOption { 107 + presentDevicePolicy = lib.mkOption { 110 108 type = policy; 111 109 default = "apply-policy"; 112 110 description = '' ··· 117 115 ''; 118 116 }; 119 117 120 - presentControllerPolicy = mkOption { 118 + presentControllerPolicy = lib.mkOption { 121 119 type = policy; 122 120 default = "keep"; 123 121 description = '' ··· 126 124 ''; 127 125 }; 128 126 129 - insertedDevicePolicy = mkOption { 130 - type = types.enum [ 127 + insertedDevicePolicy = lib.mkOption { 128 + type = lib.types.enum [ 131 129 "block" 132 130 "reject" 133 131 "apply-policy" ··· 139 137 ''; 140 138 }; 141 139 142 - restoreControllerDeviceState = mkOption { 143 - type = types.bool; 140 + restoreControllerDeviceState = lib.mkOption { 141 + type = lib.types.bool; 144 142 default = false; 145 143 description = '' 146 144 The USBGuard daemon modifies some attributes of controller ··· 151 149 ''; 152 150 }; 153 151 154 - IPCAllowedUsers = mkOption { 155 - type = types.listOf types.str; 152 + IPCAllowedUsers = lib.mkOption { 153 + type = lib.types.listOf lib.types.str; 156 154 default = [ "root" ]; 157 155 example = [ 158 156 "root" ··· 163 161 ''; 164 162 }; 165 163 166 - IPCAllowedGroups = mkOption { 167 - type = types.listOf types.str; 164 + IPCAllowedGroups = lib.mkOption { 165 + type = lib.types.listOf lib.types.str; 168 166 default = [ ]; 169 167 example = [ "wheel" ]; 170 168 description = '' ··· 173 171 ''; 174 172 }; 175 173 176 - deviceRulesWithPort = mkOption { 177 - type = types.bool; 174 + deviceRulesWithPort = lib.mkOption { 175 + type = lib.types.bool; 178 176 default = false; 179 177 description = '' 180 178 Generate device specific rules including the "via-port" attribute. 181 179 ''; 182 180 }; 183 181 184 - dbus.enable = mkEnableOption "USBGuard dbus daemon"; 182 + dbus.enable = lib.mkEnableOption "USBGuard dbus daemon"; 185 183 }; 186 184 }; 187 185 188 186 ###### implementation 189 187 190 - config = mkIf cfg.enable { 188 + config = lib.mkIf cfg.enable { 191 189 192 190 environment.systemPackages = [ cfg.package ]; 193 191 ··· 239 237 }; 240 238 }; 241 239 242 - usbguard-dbus = mkIf cfg.dbus.enable { 240 + usbguard-dbus = lib.mkIf cfg.dbus.enable { 243 241 description = "USBGuard D-Bus Service"; 244 242 245 243 wantedBy = [ "multi-user.target" ]; ··· 261 259 groupCheck = 262 260 (lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false"; 263 261 in 264 - optionalString cfg.dbus.enable '' 262 + lib.optionalString cfg.dbus.enable '' 265 263 polkit.addRule(function(action, subject) { 266 264 if ((action.id == "org.usbguard.Policy1.listRules" || 267 265 action.id == "org.usbguard.Policy1.appendRule" || ··· 278 276 ''; 279 277 }; 280 278 imports = [ 281 - (mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] 279 + (lib.mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] 282 280 "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d." 283 281 ) 284 - (mkRemovedOptionModule [ 282 + (lib.mkRemovedOptionModule [ 285 283 "services" 286 284 "usbguard" 287 285 "auditFilePath" 288 286 ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.") 289 - (mkRenamedOptionModule 287 + (lib.mkRenamedOptionModule 290 288 [ "services" "usbguard" "implictPolicyTarget" ] 291 289 [ "services" "usbguard" "implicitPolicyTarget" ] 292 290 )

+17 -20

nixos/modules/services/security/vault-agent.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 format = pkgs.formats.json { }; 12 9 commonOptions = ··· 14 11 pkgName, 15 12 flavour ? pkgName, 16 13 }: 17 - mkOption { 14 + lib.mkOption { 18 15 default = { }; 19 16 description = '' 20 17 Attribute set of ${flavour} instances. 21 18 Creates independent `${flavour}-''${name}.service` systemd units for each instance defined here. 22 19 ''; 23 20 type = 24 - with types; 21 + with lib.types; 25 22 attrsOf ( 26 23 submodule ( 27 24 { name, ... }: 28 25 { 29 26 options = { 30 - enable = mkEnableOption "this ${flavour} instance" // { 27 + enable = lib.mkEnableOption "this ${flavour} instance" // { 31 28 default = true; 32 29 }; 33 30 34 - package = mkPackageOption pkgs pkgName { }; 31 + package = lib.mkPackageOption pkgs pkgName { }; 35 32 36 - user = mkOption { 33 + user = lib.mkOption { 37 34 type = types.str; 38 35 default = "root"; 39 36 description = '' ··· 41 38 ''; 42 39 }; 43 40 44 - group = mkOption { 41 + group = lib.mkOption { 45 42 type = types.str; 46 43 default = "root"; 47 44 description = '' ··· 49 46 ''; 50 47 }; 51 48 52 - settings = mkOption { 49 + settings = lib.mkOption { 53 50 type = types.submodule { 54 51 freeformType = format.type; 55 52 56 53 options = { 57 - pid_file = mkOption { 54 + pid_file = lib.mkOption { 58 55 default = "/run/${flavour}/${name}.pid"; 59 56 type = types.str; 60 57 description = '' ··· 62 59 ''; 63 60 }; 64 61 65 - template = mkOption { 62 + template = lib.mkOption { 66 63 default = null; 67 64 type = with types; nullOr (listOf (attrsOf anything)); 68 65 description = ··· 116 113 let 117 114 configFile = format.generate "${name}.json" instance.settings; 118 115 in 119 - mkIf (instance.enable) { 116 + lib.mkIf (instance.enable) { 120 117 description = "${flavour} daemon - ${name}"; 121 118 wantedBy = [ "multi-user.target" ]; 122 119 after = [ "network.target" ]; ··· 127 124 User = instance.user; 128 125 Group = instance.group; 129 126 RuntimeDirectory = flavour; 130 - ExecStart = "${getExe instance.package} ${ 131 - optionalString ((getName instance.package) == "vault") "agent" 127 + ExecStart = "${lib.getExe instance.package} ${ 128 + lib.optionalString ((lib.getName instance.package) == "vault") "agent" 132 129 } -config ${configFile}"; 133 130 ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; 134 131 KillSignal = "SIGINT"; ··· 146 143 }; 147 144 }; 148 145 149 - config = mkMerge ( 146 + config = lib.mkMerge ( 150 147 map 151 148 ( 152 149 flavour: 153 150 let 154 151 cfg = config.services.${flavour}; 155 152 in 156 - mkIf (cfg.instances != { }) { 157 - systemd.services = mapAttrs' ( 153 + lib.mkIf (cfg.instances != { }) { 154 + systemd.services = lib.mapAttrs' ( 158 155 name: instance: 159 - nameValuePair "${flavour}-${name}" (createAgentInstance { 156 + lib.nameValuePair "${flavour}-${name}" (createAgentInstance { 160 157 inherit name instance flavour; 161 158 }) 162 159 ) cfg.instances; ··· 168 165 ] 169 166 ); 170 167 171 - meta.maintainers = with maintainers; [ 168 + meta.maintainers = with lib.maintainers; [ 172 169 emilylange 173 170 tcheronneau 174 171 ];

+40 -41

nixos/modules/services/security/vault.nix

··· 5 5 pkgs, 6 6 ... 7 7 }: 8 - 9 - with lib; 10 - 11 8 let 12 9 cfg = config.services.vault; 13 10 opt = options.services.vault; ··· 32 29 } 33 30 ''} 34 31 storage "${cfg.storageBackend}" { 35 - ${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''} 36 - ${optionalString (cfg.storageConfig != null) cfg.storageConfig} 32 + ${lib.optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''} 33 + ${lib.optionalString (cfg.storageConfig != null) cfg.storageConfig} 37 34 } 38 - ${optionalString (cfg.telemetryConfig != "") '' 35 + ${lib.optionalString (cfg.telemetryConfig != "") '' 39 36 telemetry { 40 37 ${cfg.telemetryConfig} 41 38 } ··· 44 41 ''; 45 42 46 43 allConfigPaths = [ configFile ] ++ cfg.extraSettingsPaths; 47 - configOptions = escapeShellArgs ( 44 + configOptions = lib.escapeShellArgs ( 48 45 lib.optional cfg.dev "-dev" 49 46 ++ lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}" 50 - ++ (concatMap (p: [ 47 + ++ (lib.concatMap (p: [ 51 48 "-config" 52 49 p 53 50 ]) allConfigPaths) ··· 58 55 { 59 56 options = { 60 57 services.vault = { 61 - enable = mkEnableOption "Vault daemon"; 58 + enable = lib.mkEnableOption "Vault daemon"; 62 59 63 - package = mkPackageOption pkgs "vault" { }; 60 + package = lib.mkPackageOption pkgs "vault" { }; 64 61 65 - dev = mkOption { 66 - type = types.bool; 62 + dev = lib.mkOption { 63 + type = lib.types.bool; 67 64 default = false; 68 65 description = '' 69 66 In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests. 70 67 ''; 71 68 }; 72 69 73 - devRootTokenID = mkOption { 74 - type = types.nullOr types.str; 70 + devRootTokenID = lib.mkOption { 71 + type = lib.types.nullOr lib.types.str; 75 72 default = null; 76 73 description = '' 77 74 Initial root token. This only applies when {option}`services.vault.dev` is true 78 75 ''; 79 76 }; 80 77 81 - address = mkOption { 82 - type = types.str; 78 + address = lib.mkOption { 79 + type = lib.types.str; 83 80 default = "127.0.0.1:8200"; 84 81 description = "The name of the ip interface to listen to"; 85 82 }; 86 83 87 - tlsCertFile = mkOption { 88 - type = types.nullOr types.str; 84 + tlsCertFile = lib.mkOption { 85 + type = lib.types.nullOr lib.types.str; 89 86 default = null; 90 87 example = "/path/to/your/cert.pem"; 91 88 description = "TLS certificate file. TLS will be disabled unless this option is set"; 92 89 }; 93 90 94 - tlsKeyFile = mkOption { 95 - type = types.nullOr types.str; 91 + tlsKeyFile = lib.mkOption { 92 + type = lib.types.nullOr lib.types.str; 96 93 default = null; 97 94 example = "/path/to/your/key.pem"; 98 95 description = "TLS private key file. TLS will be disabled unless this option is set"; 99 96 }; 100 97 101 - listenerExtraConfig = mkOption { 102 - type = types.lines; 98 + listenerExtraConfig = lib.mkOption { 99 + type = lib.types.lines; 103 100 default = '' 104 101 tls_min_version = "tls12" 105 102 ''; 106 103 description = "Extra text appended to the listener section."; 107 104 }; 108 105 109 - storageBackend = mkOption { 110 - type = types.enum [ 106 + storageBackend = lib.mkOption { 107 + type = lib.types.enum [ 111 108 "inmem" 112 109 "file" 113 110 "consul" ··· 127 124 description = "The name of the type of storage backend"; 128 125 }; 129 126 130 - storagePath = mkOption { 131 - type = types.nullOr types.path; 127 + storagePath = lib.mkOption { 128 + type = lib.types.nullOr lib.types.path; 132 129 default = 133 130 if cfg.storageBackend == "file" || cfg.storageBackend == "raft" then "/var/lib/vault" else null; 134 - defaultText = literalExpression '' 131 + defaultText = lib.literalExpression '' 135 132 if config.${opt.storageBackend} == "file" || cfg.storageBackend == "raft" 136 133 then "/var/lib/vault" 137 134 else null ··· 139 136 description = "Data directory for file backend"; 140 137 }; 141 138 142 - storageConfig = mkOption { 143 - type = types.nullOr types.lines; 139 + storageConfig = lib.mkOption { 140 + type = lib.types.nullOr lib.types.lines; 144 141 default = null; 145 142 description = '' 146 143 HCL configuration to insert in the storageBackend section. ··· 152 149 ''; 153 150 }; 154 151 155 - telemetryConfig = mkOption { 156 - type = types.lines; 152 + telemetryConfig = lib.mkOption { 153 + type = lib.types.lines; 157 154 default = ""; 158 155 description = "Telemetry configuration"; 159 156 }; 160 157 161 - extraConfig = mkOption { 162 - type = types.lines; 158 + extraConfig = lib.mkOption { 159 + type = lib.types.lines; 163 160 default = ""; 164 161 description = "Extra text appended to {file}`vault.hcl`."; 165 162 }; 166 163 167 - extraSettingsPaths = mkOption { 168 - type = types.listOf types.path; 164 + extraSettingsPaths = lib.mkOption { 165 + type = lib.types.listOf lib.types.path; 169 166 default = [ ]; 170 167 description = '' 171 168 Configuration files to load besides the immutable one defined by the NixOS module. ··· 196 193 }; 197 194 }; 198 195 199 - config = mkIf cfg.enable { 196 + config = lib.mkIf cfg.enable { 200 197 assertions = [ 201 198 { 202 199 assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null); ··· 219 216 }; 220 217 users.groups.vault.gid = config.ids.gids.vault; 221 218 222 - systemd.tmpfiles.rules = optional ( 219 + systemd.tmpfiles.rules = lib.optional ( 223 220 cfg.storagePath != null 224 221 ) "d '${cfg.storagePath}' 0700 vault vault - -"; 225 222 ··· 227 224 description = "Vault server daemon"; 228 225 229 226 wantedBy = [ "multi-user.target" ]; 230 - after = [ 231 - "network.target" 232 - ] ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; 227 + after = 228 + [ 229 + "network.target" 230 + ] 231 + ++ lib.optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; 233 232 234 233 restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients. 235 234 ··· 255 254 Restart = "on-failure"; 256 255 }; 257 256 258 - unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath; 257 + unitConfig.RequiresMountsFor = lib.optional (cfg.storagePath != null) cfg.storagePath; 259 258 }; 260 259 }; 261 260

+11 -13

nixos/modules/services/security/yubikey-agent.nix

··· 1 1 # Global configuration for yubikey-agent. 2 - 3 2 { 4 3 config, 5 4 lib, 6 5 pkgs, 7 6 ... 8 7 }: 9 - 10 - with lib; 11 - 12 8 let 13 9 cfg = config.services.yubikey-agent; 14 10 in 15 11 { 16 12 ###### interface 17 13 18 - meta.maintainers = with maintainers; [ 14 + meta.maintainers = with lib.maintainers; [ 19 15 philandstuff 20 16 rawkode 21 17 ]; ··· 23 19 options = { 24 20 25 21 services.yubikey-agent = { 26 - enable = mkOption { 27 - type = types.bool; 22 + enable = lib.mkOption { 23 + type = lib.types.bool; 28 24 default = false; 29 25 description = '' 30 26 Whether to start yubikey-agent when you log in. Also sets ··· 35 31 ''; 36 32 }; 37 33 38 - package = mkPackageOption pkgs "yubikey-agent" { }; 34 + package = lib.mkPackageOption pkgs "yubikey-agent" { }; 39 35 }; 40 36 }; 41 37 42 - config = mkIf cfg.enable { 38 + config = lib.mkIf cfg.enable { 43 39 environment.systemPackages = [ cfg.package ]; 44 40 systemd.packages = [ cfg.package ]; 45 41 46 42 # This overrides the systemd user unit shipped with the 47 43 # yubikey-agent package 48 - systemd.user.services.yubikey-agent = mkIf (config.programs.gnupg.agent.pinentryPackage != null) { 49 - path = [ config.programs.gnupg.agent.pinentryPackage ]; 50 - wantedBy = [ "default.target" ]; 51 - }; 44 + systemd.user.services.yubikey-agent = 45 + lib.mkIf (config.programs.gnupg.agent.pinentryPackage != null) 46 + { 47 + path = [ config.programs.gnupg.agent.pinentryPackage ]; 48 + wantedBy = [ "default.target" ]; 49 + }; 52 50 53 51 # Yubikey-agent expects pcsd to be running in order to function. 54 52 services.pcscd.enable = true;

+4 -7

nixos/modules/services/system/automatic-timezoned.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.automatic-timezoned; 12 9 in 13 10 { 14 11 options = { 15 12 services.automatic-timezoned = { 16 - enable = mkOption { 17 - type = types.bool; 13 + enable = lib.mkOption { 14 + type = lib.types.bool; 18 15 default = false; 19 16 description = '' 20 17 Enable `automatic-timezoned`, simple daemon for keeping the system ··· 28 25 to make the choice deliberate. An error will be presented otherwise. 29 26 ''; 30 27 }; 31 - package = mkPackageOption pkgs "automatic-timezoned" { }; 28 + package = lib.mkPackageOption pkgs "automatic-timezoned" { }; 32 29 }; 33 30 }; 34 31 35 - config = mkIf cfg.enable { 32 + config = lib.mkIf cfg.enable { 36 33 # This will give users an error if they have set an explicit time 37 34 # zone, rather than having the service silently override it. 38 35 time.timeZone = null;

+14 -17

nixos/modules/services/system/cachix-agent/default.nix

··· 4 4 lib, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.cachix-agent; 12 9 in ··· 14 11 meta.maintainers = [ lib.maintainers.domenkozar ]; 15 12 16 13 options.services.cachix-agent = { 17 - enable = mkEnableOption "Cachix Deploy Agent: https://docs.cachix.org/deploy/"; 14 + enable = lib.mkEnableOption "Cachix Deploy Agent: https://docs.cachix.org/deploy/"; 18 15 19 - name = mkOption { 20 - type = types.str; 16 + name = lib.mkOption { 17 + type = lib.types.str; 21 18 description = "Agent name, usually same as the hostname"; 22 19 default = config.networking.hostName; 23 20 defaultText = "config.networking.hostName"; 24 21 }; 25 22 26 - verbose = mkOption { 27 - type = types.bool; 23 + verbose = lib.mkOption { 24 + type = lib.types.bool; 28 25 description = "Enable verbose output"; 29 26 default = false; 30 27 }; 31 28 32 - profile = mkOption { 33 - type = types.nullOr types.str; 29 + profile = lib.mkOption { 30 + type = lib.types.nullOr lib.types.str; 34 31 default = null; 35 32 description = "Profile name, defaults to 'system' (NixOS)."; 36 33 }; 37 34 38 - host = mkOption { 39 - type = types.nullOr types.str; 35 + host = lib.mkOption { 36 + type = lib.types.nullOr lib.types.str; 40 37 default = null; 41 38 description = "Cachix uri to use."; 42 39 }; 43 40 44 - package = mkPackageOption pkgs "cachix" { }; 41 + package = lib.mkPackageOption pkgs "cachix" { }; 45 42 46 - credentialsFile = mkOption { 47 - type = types.path; 43 + credentialsFile = lib.mkOption { 44 + type = lib.types.path; 48 45 default = "/etc/cachix-agent.token"; 49 46 description = '' 50 47 Required file that needs to contain CACHIX_AGENT_TOKEN=... ··· 52 49 }; 53 50 }; 54 51 55 - config = mkIf cfg.enable { 52 + config = lib.mkIf cfg.enable { 56 53 systemd.services.cachix-agent = { 57 54 description = "Cachix Deploy Agent"; 58 55 wants = [ "network-online.target" ]; ··· 76 73 ${cfg.package}/bin/cachix ${lib.optionalString cfg.verbose "--verbose"} ${ 77 74 lib.optionalString (cfg.host != null) "--host ${cfg.host}" 78 75 } \ 79 - deploy agent ${cfg.name} ${optionalString (cfg.profile != null) cfg.profile} 76 + deploy agent ${cfg.name} ${lib.optionalString (cfg.profile != null) cfg.profile} 80 77 ''; 81 78 }; 82 79 };

+17 -20

nixos/modules/services/system/cachix-watch-store.nix

··· 4 4 lib, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.cachix-watch-store; 12 9 in ··· 17 14 ]; 18 15 19 16 options.services.cachix-watch-store = { 20 - enable = mkEnableOption "Cachix Watch Store: https://docs.cachix.org"; 17 + enable = lib.mkEnableOption "Cachix Watch Store: https://docs.cachix.org"; 21 18 22 - cacheName = mkOption { 23 - type = types.str; 19 + cacheName = lib.mkOption { 20 + type = lib.types.str; 24 21 description = "Cachix binary cache name"; 25 22 }; 26 23 27 - cachixTokenFile = mkOption { 28 - type = types.path; 24 + cachixTokenFile = lib.mkOption { 25 + type = lib.types.path; 29 26 description = '' 30 27 Required file that needs to contain the cachix auth token. 31 28 ''; 32 29 }; 33 30 34 - signingKeyFile = mkOption { 35 - type = types.nullOr types.path; 31 + signingKeyFile = lib.mkOption { 32 + type = lib.types.nullOr lib.types.path; 36 33 description = '' 37 34 Optional file containing a self-managed signing key to sign uploaded store paths. 38 35 ''; 39 36 default = null; 40 37 }; 41 38 42 - compressionLevel = mkOption { 43 - type = types.nullOr types.int; 39 + compressionLevel = lib.mkOption { 40 + type = lib.types.nullOr lib.types.int; 44 41 description = "The compression level for ZSTD compression (between 0 and 16)"; 45 42 default = null; 46 43 }; 47 44 48 - jobs = mkOption { 49 - type = types.nullOr types.int; 45 + jobs = lib.mkOption { 46 + type = lib.types.nullOr lib.types.int; 50 47 description = "Number of threads used for pushing store paths"; 51 48 default = null; 52 49 }; 53 50 54 - host = mkOption { 55 - type = types.nullOr types.str; 51 + host = lib.mkOption { 52 + type = lib.types.nullOr lib.types.str; 56 53 default = null; 57 54 description = "Cachix host to connect to"; 58 55 }; 59 56 60 - verbose = mkOption { 61 - type = types.bool; 57 + verbose = lib.mkOption { 58 + type = lib.types.bool; 62 59 description = "Enable verbose output"; 63 60 default = false; 64 61 }; 65 62 66 - package = mkPackageOption pkgs "cachix" { }; 63 + package = lib.mkPackageOption pkgs "cachix" { }; 67 64 }; 68 65 69 - config = mkIf cfg.enable { 66 + config = lib.mkIf cfg.enable { 70 67 systemd.services.cachix-watch-store-agent = { 71 68 description = "Cachix watch store Agent"; 72 69 wants = [ "network-online.target" ];

+29 -32

nixos/modules/services/system/cloud-init.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.cloud-init; 12 9 path = ··· 31 28 { 32 29 options = { 33 30 services.cloud-init = { 34 - enable = mkOption { 35 - type = types.bool; 31 + enable = lib.mkOption { 32 + type = lib.types.bool; 36 33 default = false; 37 34 description = '' 38 35 Enable the cloud-init service. This services reads ··· 50 47 ''; 51 48 }; 52 49 53 - btrfs.enable = mkOption { 54 - type = types.bool; 50 + btrfs.enable = lib.mkOption { 51 + type = lib.types.bool; 55 52 default = hasFs "btrfs"; 56 - defaultText = literalExpression ''hasFs "btrfs"''; 53 + defaultText = lib.literalExpression ''hasFs "btrfs"''; 57 54 description = '' 58 55 Allow the cloud-init service to operate `btrfs` filesystem. 59 56 ''; 60 57 }; 61 58 62 - ext4.enable = mkOption { 63 - type = types.bool; 59 + ext4.enable = lib.mkOption { 60 + type = lib.types.bool; 64 61 default = hasFs "ext4"; 65 - defaultText = literalExpression ''hasFs "ext4"''; 62 + defaultText = lib.literalExpression ''hasFs "ext4"''; 66 63 description = '' 67 64 Allow the cloud-init service to operate `ext4` filesystem. 68 65 ''; 69 66 }; 70 67 71 - xfs.enable = mkOption { 72 - type = types.bool; 68 + xfs.enable = lib.mkOption { 69 + type = lib.types.bool; 73 70 default = hasFs "xfs"; 74 - defaultText = literalExpression ''hasFs "xfs"''; 71 + defaultText = lib.literalExpression ''hasFs "xfs"''; 75 72 description = '' 76 73 Allow the cloud-init service to operate `xfs` filesystem. 77 74 ''; 78 75 }; 79 76 80 - network.enable = mkOption { 81 - type = types.bool; 77 + network.enable = lib.mkOption { 78 + type = lib.types.bool; 82 79 default = false; 83 80 description = '' 84 81 Allow the cloud-init service to configure network interfaces ··· 86 83 ''; 87 84 }; 88 85 89 - extraPackages = mkOption { 90 - type = types.listOf types.package; 86 + extraPackages = lib.mkOption { 87 + type = lib.types.listOf lib.types.package; 91 88 default = [ ]; 92 89 description = '' 93 90 List of additional packages to be available within cloud-init jobs. 94 91 ''; 95 92 }; 96 93 97 - settings = mkOption { 94 + settings = lib.mkOption { 98 95 description = '' 99 96 Structured cloud-init configuration. 100 97 ''; 101 - type = types.submodule { 98 + type = lib.types.submodule { 102 99 freeformType = settingsFormat.type; 103 100 }; 104 101 default = { }; 105 102 }; 106 103 107 - config = mkOption { 108 - type = types.str; 104 + config = lib.mkOption { 105 + type = lib.types.str; 109 106 default = ""; 110 107 description = '' 111 108 raw cloud-init configuration. ··· 118 115 119 116 }; 120 117 121 - config = mkIf cfg.enable { 118 + config = lib.mkIf cfg.enable { 122 119 services.cloud-init.settings = { 123 - system_info = mkDefault { 120 + system_info = lib.mkDefault { 124 121 distro = "nixos"; 125 122 network = { 126 123 renderers = [ "networkd" ]; 127 124 }; 128 125 }; 129 126 130 - users = mkDefault [ "root" ]; 131 - disable_root = mkDefault false; 132 - preserve_hostname = mkDefault false; 127 + users = lib.mkDefault [ "root" ]; 128 + disable_root = lib.mkDefault false; 129 + preserve_hostname = lib.mkDefault false; 133 130 134 - cloud_init_modules = mkDefault [ 131 + cloud_init_modules = lib.mkDefault [ 135 132 "migrator" 136 133 "seed_random" 137 134 "bootcmd" ··· 145 142 "users-groups" 146 143 ]; 147 144 148 - cloud_config_modules = mkDefault [ 145 + cloud_config_modules = lib.mkDefault [ 149 146 "disk_setup" 150 147 "mounts" 151 148 "ssh-import-id" ··· 156 153 "ssh" 157 154 ]; 158 155 159 - cloud_final_modules = mkDefault [ 156 + cloud_final_modules = lib.mkDefault [ 160 157 "rightscale_userdata" 161 158 "scripts-vendor" 162 159 "scripts-per-once" ··· 174 171 environment.etc."cloud/cloud.cfg" = 175 172 if cfg.config == "" then { source = cfgfile; } else { text = cfg.config; }; 176 173 177 - systemd.network.enable = mkIf cfg.network.enable true; 174 + systemd.network.enable = lib.mkIf cfg.network.enable true; 178 175 179 176 systemd.services.cloud-init-local = { 180 177 description = "Initial cloud-init job (pre-networking)"; ··· 272 269 }; 273 270 }; 274 271 275 - meta.maintainers = [ maintainers.zimbatm ]; 272 + meta.maintainers = [ lib.maintainers.zimbatm ]; 276 273 }

+5 -8

nixos/modules/services/system/localtimed.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.localtimed; 12 9 in ··· 15 12 16 13 options = { 17 14 services.localtimed = { 18 - enable = mkOption { 19 - type = types.bool; 15 + enable = lib.mkOption { 16 + type = lib.types.bool; 20 17 default = false; 21 18 description = '' 22 19 Enable `localtimed`, a simple daemon for keeping the ··· 29 26 to make the choice deliberate. An error will be presented otherwise. 30 27 ''; 31 28 }; 32 - package = mkPackageOption pkgs "localtime" { }; 33 - geoclue2Package = mkPackageOption pkgs "Geoclue2" { default = "geoclue2-with-demo-agent"; }; 29 + package = lib.mkPackageOption pkgs "localtime" { }; 30 + geoclue2Package = lib.mkPackageOption pkgs "Geoclue2" { default = "geoclue2-with-demo-agent"; }; 34 31 }; 35 32 }; 36 33 37 - config = mkIf cfg.enable { 34 + config = lib.mkIf cfg.enable { 38 35 # This will give users an error if they have set an explicit time 39 36 # zone, rather than having the service silently override it. 40 37 time.timeZone = null;

+31 -35

nixos/modules/services/system/nix-daemon.nix

··· 1 1 /* 2 2 Declares what makes the nix-daemon work on systemd. 3 - 4 3 See also 5 4 - nixos/modules/config/nix.nix: the nix.conf 6 5 - nixos/modules/config/nix-remote-build.nix: the nix.conf ··· 11 10 pkgs, 12 11 ... 13 12 }: 14 - 15 - with lib; 16 - 17 13 let 18 14 19 15 cfg = config.nix; 20 16 21 17 nixPackage = cfg.package.out; 22 18 23 - isNixAtLeast = versionAtLeast (getVersion nixPackage); 19 + isNixAtLeast = lib.versionAtLeast (lib.getVersion nixPackage); 24 20 25 21 makeNixBuildUser = nr: { 26 22 name = "nixbld${toString nr}"; ··· 39 35 }; 40 36 }; 41 37 42 - nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); 38 + nixbldUsers = lib.listToAttrs (map makeNixBuildUser (lib.range 1 cfg.nrBuildUsers)); 43 39 44 40 in 45 41 46 42 { 47 43 imports = [ 48 - (mkRenamedOptionModuleWith { 44 + (lib.mkRenamedOptionModuleWith { 49 45 sinceRelease = 2205; 50 46 from = [ 51 47 "nix" ··· 56 52 "daemonIOSchedPriority" 57 53 ]; 58 54 }) 59 - (mkRenamedOptionModuleWith { 55 + (lib.mkRenamedOptionModuleWith { 60 56 sinceRelease = 2211; 61 57 from = [ 62 58 "nix" ··· 67 63 "readOnlyNixStore" 68 64 ]; 69 65 }) 70 - (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") 66 + (lib.mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.") 71 67 ]; 72 68 73 69 ###### interface ··· 76 72 77 73 nix = { 78 74 79 - enable = mkOption { 80 - type = types.bool; 75 + enable = lib.mkOption { 76 + type = lib.types.bool; 81 77 default = true; 82 78 description = '' 83 79 Whether to enable Nix. ··· 85 81 ''; 86 82 }; 87 83 88 - package = mkOption { 89 - type = types.package; 84 + package = lib.mkOption { 85 + type = lib.types.package; 90 86 default = pkgs.nix; 91 - defaultText = literalExpression "pkgs.nix"; 87 + defaultText = lib.literalExpression "pkgs.nix"; 92 88 description = '' 93 89 This option specifies the Nix package instance to use throughout the system. 94 90 ''; 95 91 }; 96 92 97 - daemonCPUSchedPolicy = mkOption { 98 - type = types.enum [ 93 + daemonCPUSchedPolicy = lib.mkOption { 94 + type = lib.types.enum [ 99 95 "other" 100 96 "batch" 101 97 "idle" ··· 128 124 ''; 129 125 }; 130 126 131 - daemonIOSchedClass = mkOption { 132 - type = types.enum [ 127 + daemonIOSchedClass = lib.mkOption { 128 + type = lib.types.enum [ 133 129 "best-effort" 134 130 "idle" 135 131 ]; ··· 154 150 ''; 155 151 }; 156 152 157 - daemonIOSchedPriority = mkOption { 158 - type = types.int; 153 + daemonIOSchedPriority = lib.mkOption { 154 + type = lib.types.int; 159 155 default = 4; 160 156 example = 1; 161 157 description = '' ··· 168 164 }; 169 165 170 166 # Environment variables for running Nix. 171 - envVars = mkOption { 172 - type = types.attrs; 167 + envVars = lib.mkOption { 168 + type = lib.types.attrs; 173 169 internal = true; 174 170 default = { }; 175 171 description = "Environment variables used by Nix."; 176 172 }; 177 173 178 - nrBuildUsers = mkOption { 179 - type = types.int; 174 + nrBuildUsers = lib.mkOption { 175 + type = lib.types.int; 180 176 description = '' 181 177 Number of `nixbld` user accounts created to 182 178 perform secure concurrent builds. If you receive an error ··· 189 185 190 186 ###### implementation 191 187 192 - config = mkIf cfg.enable { 188 + config = lib.mkIf cfg.enable { 193 189 environment.systemPackages = [ 194 190 nixPackage 195 191 pkgs.nix-info 196 - ] ++ optional (config.programs.bash.completion.enable) pkgs.nix-bash-completions; 192 + ] ++ lib.optional (config.programs.bash.completion.enable) pkgs.nix-bash-completions; 197 193 198 194 systemd.packages = [ nixPackage ]; 199 195 200 - systemd.tmpfiles = mkMerge [ 201 - (mkIf (isNixAtLeast "2.8") { 196 + systemd.tmpfiles = lib.mkMerge [ 197 + (lib.mkIf (isNixAtLeast "2.8") { 202 198 packages = [ nixPackage ]; 203 199 }) 204 - (mkIf (!isNixAtLeast "2.8") { 200 + (lib.mkIf (!isNixAtLeast "2.8") { 205 201 rules = [ 206 202 "d /nix/var/nix/daemon-socket 0755 root root - -" 207 203 ]; ··· 215 211 nixPackage 216 212 pkgs.util-linux 217 213 config.programs.ssh.package 218 - ] ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; 214 + ] ++ lib.optionals cfg.distributedBuilds [ pkgs.gzip ]; 219 215 220 216 environment = 221 217 cfg.envVars ··· 274 270 # Set up the environment variables for running Nix. 275 271 environment.sessionVariables = cfg.envVars; 276 272 277 - nix.nrBuildUsers = mkDefault ( 273 + nix.nrBuildUsers = lib.mkDefault ( 278 274 if cfg.settings.auto-allocate-uids or false then 279 275 0 280 276 else 281 - max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs) 277 + lib.max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs) 282 278 ); 283 279 284 280 users.users = nixbldUsers; 285 281 286 - services.displayManager.hiddenUsers = attrNames nixbldUsers; 282 + services.displayManager.hiddenUsers = lib.attrNames nixbldUsers; 287 283 288 284 # Legacy configuration conversion. 289 - nix.settings = mkMerge [ 290 - (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) 285 + nix.settings = lib.mkMerge [ 286 + (lib.mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) 291 287 ]; 292 288 293 289 };

+14 -17

nixos/modules/services/system/nscd.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 12 9 nssModulesPath = config.system.nssModules.path; ··· 22 19 23 20 services.nscd = { 24 21 25 - enable = mkOption { 26 - type = types.bool; 22 + enable = lib.mkOption { 23 + type = lib.types.bool; 27 24 default = true; 28 25 description = '' 29 26 Whether to enable the Name Service Cache Daemon. ··· 32 29 ''; 33 30 }; 34 31 35 - enableNsncd = mkOption { 36 - type = types.bool; 32 + enableNsncd = lib.mkOption { 33 + type = lib.types.bool; 37 34 default = true; 38 35 description = '' 39 36 Whether to use nsncd instead of nscd from glibc. ··· 42 39 ''; 43 40 }; 44 41 45 - user = mkOption { 46 - type = types.str; 42 + user = lib.mkOption { 43 + type = lib.types.str; 47 44 default = "nscd"; 48 45 description = '' 49 46 User account under which nscd runs. 50 47 ''; 51 48 }; 52 49 53 - group = mkOption { 54 - type = types.str; 50 + group = lib.mkOption { 51 + type = lib.types.str; 55 52 default = "nscd"; 56 53 description = '' 57 54 User group under which nscd runs. 58 55 ''; 59 56 }; 60 57 61 - config = mkOption { 62 - type = types.lines; 58 + config = lib.mkOption { 59 + type = lib.types.lines; 63 60 default = builtins.readFile ./nscd.conf; 64 61 description = '' 65 62 Configuration to use for Name Service Cache Daemon. ··· 67 64 ''; 68 65 }; 69 66 70 - package = mkOption { 71 - type = types.package; 67 + package = lib.mkOption { 68 + type = lib.types.package; 72 69 default = 73 70 if pkgs.stdenv.hostPlatform.libc == "glibc" then pkgs.stdenv.cc.libc.bin else pkgs.glibc.bin; 74 71 defaultText = lib.literalExpression '' ··· 88 85 89 86 ###### implementation 90 87 91 - config = mkIf cfg.enable { 88 + config = lib.mkIf cfg.enable { 92 89 environment.etc."nscd.conf".text = cfg.config; 93 90 94 91 users.users.${cfg.user} = { ··· 125 122 config.environment.etc."nsswitch.conf".source 126 123 config.environment.etc."nscd.conf".source 127 124 ] 128 - ++ optionals config.users.mysql.enable [ 125 + ++ lib.optionals config.users.mysql.enable [ 129 126 config.environment.etc."libnss-mysql.cfg".source 130 127 config.environment.etc."libnss-mysql-root.cfg".source 131 128 ]

+7 -10

nixos/modules/services/system/saslauthd.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 12 9 cfg = config.services.saslauthd; ··· 21 18 22 19 services.saslauthd = { 23 20 24 - enable = mkEnableOption "saslauthd, the Cyrus SASL authentication daemon"; 21 + enable = lib.mkEnableOption "saslauthd, the Cyrus SASL authentication daemon"; 25 22 26 - package = mkPackageOption pkgs [ "cyrus_sasl" "bin" ] { }; 23 + package = lib.mkPackageOption pkgs [ "cyrus_sasl" "bin" ] { }; 27 24 28 - mechanism = mkOption { 29 - type = types.str; 25 + mechanism = lib.mkOption { 26 + type = lib.types.str; 30 27 default = "pam"; 31 28 description = "Auth mechanism to use"; 32 29 }; 33 30 34 - config = mkOption { 35 - type = types.lines; 31 + config = lib.mkOption { 32 + type = lib.types.lines; 36 33 default = ""; 37 34 description = "Configuration to use for Cyrus SASL authentication daemon."; 38 35 }; ··· 43 40 44 41 ###### implementation 45 42 46 - config = mkIf cfg.enable { 43 + config = lib.mkIf cfg.enable { 47 44 48 45 systemd.services.saslauthd = { 49 46 description = "Cyrus SASL authentication daemon";

+3 -6

nixos/modules/services/system/uptimed.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.uptimed; 12 9 stateDir = "/var/lib/uptimed"; ··· 14 11 { 15 12 options = { 16 13 services.uptimed = { 17 - enable = mkOption { 18 - type = types.bool; 14 + enable = lib.mkOption { 15 + type = lib.types.bool; 19 16 default = false; 20 17 description = '' 21 18 Enable `uptimed`, allowing you to track ··· 25 22 }; 26 23 }; 27 24 28 - config = mkIf cfg.enable { 25 + config = lib.mkIf cfg.enable { 29 26 30 27 environment.systemPackages = [ pkgs.uptimed ]; 31 28

+43 -46

nixos/modules/services/torrent/deluge.nix

··· 1 1 { config, lib, pkgs, ... }: 2 - 3 - with lib; 4 - 5 2 let 6 3 cfg = config.services.deluge; 7 4 cfg_web = config.services.deluge.web; 8 - isDeluge1 = versionOlder cfg.package.version "2.0.0"; 5 + isDeluge1 = lib.versionOlder cfg.package.version "2.0.0"; 9 6 10 7 openFilesLimit = 4096; 11 8 listenPortsDefault = [ 6881 6889 ]; 12 9 13 - listToRange = x: { from = elemAt x 0; to = elemAt x 1; }; 10 + listToRange = x: { from = lib.elemAt x 0; to = lib.elemAt x 1; }; 14 11 15 12 configDir = "${cfg.dataDir}/.config/deluge"; 16 13 configFile = pkgs.writeText "core.conf" (builtins.toJSON cfg.config); ··· 37 34 options = { 38 35 services = { 39 36 deluge = { 40 - enable = mkEnableOption "Deluge daemon"; 37 + enable = lib.mkEnableOption "Deluge daemon"; 41 38 42 - openFilesLimit = mkOption { 39 + openFilesLimit = lib.mkOption { 43 40 default = openFilesLimit; 44 - type = types.either types.int types.str; 41 + type = lib.types.either lib.types.int lib.types.str; 45 42 description = '' 46 43 Number of files to allow deluged to open. 47 44 ''; 48 45 }; 49 46 50 - config = mkOption { 51 - type = types.attrs; 47 + config = lib.mkOption { 48 + type = lib.types.attrs; 52 49 default = {}; 53 - example = literalExpression '' 50 + example = lib.literalExpression '' 54 51 { 55 52 download_location = "/srv/torrents/"; 56 53 max_upload_speed = "1000.0"; ··· 70 67 ''; 71 68 }; 72 69 73 - declarative = mkOption { 74 - type = types.bool; 70 + declarative = lib.mkOption { 71 + type = lib.types.bool; 75 72 default = false; 76 73 description = '' 77 74 Whether to use a declarative deluge configuration. ··· 83 80 ''; 84 81 }; 85 82 86 - openFirewall = mkOption { 83 + openFirewall = lib.mkOption { 87 84 default = false; 88 - type = types.bool; 85 + type = lib.types.bool; 89 86 description = '' 90 87 Whether to open the firewall for the ports in 91 88 {option}`services.deluge.config.listen_ports`. It only takes effet if ··· 99 96 ''; 100 97 }; 101 98 102 - dataDir = mkOption { 103 - type = types.path; 99 + dataDir = lib.mkOption { 100 + type = lib.types.path; 104 101 default = "/var/lib/deluge"; 105 102 description = '' 106 103 The directory where deluge will create files. 107 104 ''; 108 105 }; 109 106 110 - authFile = mkOption { 111 - type = types.path; 107 + authFile = lib.mkOption { 108 + type = lib.types.path; 112 109 example = "/run/keys/deluge-auth"; 113 110 description = '' 114 111 The file managing the authentication for deluge, the format of this ··· 121 118 ''; 122 119 }; 123 120 124 - user = mkOption { 125 - type = types.str; 121 + user = lib.mkOption { 122 + type = lib.types.str; 126 123 default = "deluge"; 127 124 description = '' 128 125 User account under which deluge runs. 129 126 ''; 130 127 }; 131 128 132 - group = mkOption { 133 - type = types.str; 129 + group = lib.mkOption { 130 + type = lib.types.str; 134 131 default = "deluge"; 135 132 description = '' 136 133 Group under which deluge runs. 137 134 ''; 138 135 }; 139 136 140 - extraPackages = mkOption { 141 - type = types.listOf types.package; 137 + extraPackages = lib.mkOption { 138 + type = lib.types.listOf lib.types.package; 142 139 default = []; 143 140 description = '' 144 141 Extra packages available at runtime to enable Deluge's plugins. For example, ··· 147 144 ''; 148 145 }; 149 146 150 - package = mkPackageOption pkgs "deluge-2_x" { }; 147 + package = lib.mkPackageOption pkgs "deluge-2_x" { }; 151 148 }; 152 149 153 150 deluge.web = { 154 - enable = mkEnableOption "Deluge Web daemon"; 151 + enable = lib.mkEnableOption "Deluge Web daemon"; 155 152 156 - port = mkOption { 157 - type = types.port; 153 + port = lib.mkOption { 154 + type = lib.types.port; 158 155 default = 8112; 159 156 description = '' 160 157 Deluge web UI port. 161 158 ''; 162 159 }; 163 160 164 - openFirewall = mkOption { 165 - type = types.bool; 161 + openFirewall = lib.mkOption { 162 + type = lib.types.bool; 166 163 default = false; 167 164 description = '' 168 165 Open ports in the firewall for deluge web daemon ··· 172 169 }; 173 170 }; 174 171 175 - config = mkIf cfg.enable { 172 + config = lib.mkIf cfg.enable { 176 173 177 - services.deluge.package = mkDefault ( 178 - if versionAtLeast config.system.stateVersion "20.09" then 174 + services.deluge.package = lib.mkDefault ( 175 + if lib.versionAtLeast config.system.stateVersion "20.09" then 179 176 pkgs.deluge-2_x 180 177 else 181 178 # deluge-1_x is no longer packaged and this will resolve to an error ··· 201 198 "${cfg.dataDir}/.config".d = defaultConfig; 202 199 "${cfg.dataDir}/.config/deluge".d = defaultConfig; 203 200 } 204 - // optionalAttrs (cfg.config ? download_location) { 201 + // lib.optionalAttrs (cfg.config ? download_location) { 205 202 ${cfg.config.download_location}.d = defaultConfig; 206 203 } 207 - // optionalAttrs (cfg.config ? torrentfiles_location) { 204 + // lib.optionalAttrs (cfg.config ? torrentfiles_location) { 208 205 ${cfg.config.torrentfiles_location}.d = defaultConfig; 209 206 } 210 - // optionalAttrs (cfg.config ? move_completed_path) { 207 + // lib.optionalAttrs (cfg.config ? move_completed_path) { 211 208 ${cfg.config.move_completed_path}.d = defaultConfig; 212 209 }; 213 210 ··· 233 230 preStart = preStart; 234 231 }; 235 232 236 - systemd.services.delugeweb = mkIf cfg_web.enable { 233 + systemd.services.delugeweb = lib.mkIf cfg_web.enable { 237 234 after = [ "network.target" "deluged.service"]; 238 235 requires = [ "deluged.service" ]; 239 236 description = "Deluge BitTorrent WebUI"; ··· 242 239 serviceConfig = { 243 240 ExecStart = '' 244 241 ${cfg.package}/bin/deluge-web \ 245 - ${optionalString (!isDeluge1) "--do-not-daemonize"} \ 242 + ${lib.optionalString (!isDeluge1) "--do-not-daemonize"} \ 246 243 --config ${configDir} \ 247 244 --port ${toString cfg.web.port} 248 245 ''; ··· 251 248 }; 252 249 }; 253 250 254 - networking.firewall = mkMerge [ 255 - (mkIf (cfg.declarative && cfg.openFirewall && !(cfg.config.random_port or true)) { 256 - allowedTCPPortRanges = singleton (listToRange (cfg.config.listen_ports or listenPortsDefault)); 257 - allowedUDPPortRanges = singleton (listToRange (cfg.config.listen_ports or listenPortsDefault)); 251 + networking.firewall = lib.mkMerge [ 252 + (lib.mkIf (cfg.declarative && cfg.openFirewall && !(cfg.config.random_port or true)) { 253 + allowedTCPPortRanges = lib.singleton (listToRange (cfg.config.listen_ports or listenPortsDefault)); 254 + allowedUDPPortRanges = lib.singleton (listToRange (cfg.config.listen_ports or listenPortsDefault)); 258 255 }) 259 - (mkIf (cfg.web.openFirewall) { 256 + (lib.mkIf (cfg.web.openFirewall) { 260 257 allowedTCPPorts = [ cfg.web.port ]; 261 258 }) 262 259 ]; 263 260 264 261 environment.systemPackages = [ cfg.package ]; 265 262 266 - users.users = mkIf (cfg.user == "deluge") { 263 + users.users = lib.mkIf (cfg.user == "deluge") { 267 264 deluge = { 268 265 group = cfg.group; 269 266 uid = config.ids.uids.deluge; ··· 272 269 }; 273 270 }; 274 271 275 - users.groups = mkIf (cfg.group == "deluge") { 272 + users.groups = lib.mkIf (cfg.group == "deluge") { 276 273 deluge = { 277 274 gid = config.ids.gids.deluge; 278 275 };

+16 -19

nixos/modules/services/torrent/flexget.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.flexget; 12 9 pkg = cfg.package; 13 10 ymlFile = pkgs.writeText "flexget.yml" '' 14 11 ${cfg.config} 15 12 16 - ${optionalString cfg.systemScheduler "schedules: no"} 13 + ${lib.optionalString cfg.systemScheduler "schedules: no"} 17 14 ''; 18 15 configFile = "${toString cfg.homeDir}/flexget.yml"; 19 16 in 20 17 { 21 18 options = { 22 19 services.flexget = { 23 - enable = mkEnableOption "FlexGet daemon"; 20 + enable = lib.mkEnableOption "FlexGet daemon"; 24 21 25 - package = mkPackageOption pkgs "flexget" { }; 22 + package = lib.mkPackageOption pkgs "flexget" { }; 26 23 27 - user = mkOption { 24 + user = lib.mkOption { 28 25 default = "deluge"; 29 26 example = "some_user"; 30 - type = types.str; 27 + type = lib.types.str; 31 28 description = "The user under which to run flexget."; 32 29 }; 33 30 34 - homeDir = mkOption { 31 + homeDir = lib.mkOption { 35 32 default = "/var/lib/deluge"; 36 33 example = "/home/flexget"; 37 - type = types.path; 34 + type = lib.types.path; 38 35 description = "Where files live."; 39 36 }; 40 37 41 - interval = mkOption { 38 + interval = lib.mkOption { 42 39 default = "10m"; 43 40 example = "1h"; 44 - type = types.str; 41 + type = lib.types.str; 45 42 description = "When to perform a {command}`flexget` run. See {command}`man 7 systemd.time` for the format."; 46 43 }; 47 44 48 - systemScheduler = mkOption { 45 + systemScheduler = lib.mkOption { 49 46 default = true; 50 47 example = false; 51 - type = types.bool; 48 + type = lib.types.bool; 52 49 description = "When true, execute the runs via the flexget-runner.timer. If false, you have to specify the settings yourself in the YML file."; 53 50 }; 54 51 55 - config = mkOption { 52 + config = lib.mkOption { 56 53 default = ""; 57 - type = types.lines; 54 + type = lib.types.lines; 58 55 description = "The YAML configuration for FlexGet."; 59 56 }; 60 57 }; 61 58 }; 62 59 63 - config = mkIf cfg.enable { 60 + config = lib.mkIf cfg.enable { 64 61 65 62 environment.systemPackages = [ pkg ]; 66 63 ··· 81 78 wantedBy = [ "multi-user.target" ]; 82 79 }; 83 80 84 - flexget-runner = mkIf cfg.systemScheduler { 81 + flexget-runner = lib.mkIf cfg.systemScheduler { 85 82 description = "FlexGet Runner"; 86 83 after = [ "flexget.service" ]; 87 84 wants = [ "flexget.service" ]; ··· 94 91 }; 95 92 }; 96 93 97 - systemd.timers.flexget-runner = mkIf cfg.systemScheduler { 94 + systemd.timers.flexget-runner = lib.mkIf cfg.systemScheduler { 98 95 description = "Run FlexGet every ${cfg.interval}"; 99 96 wantedBy = [ "timers.target" ]; 100 97 timerConfig = {

+23 -26

nixos/modules/services/torrent/magnetico.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 - 10 7 let 11 8 cfg = config.services.magnetico; 12 9 ··· 22 19 ); 23 20 24 21 # default options in magneticod/main.go 25 - dbURI = concatStrings [ 22 + dbURI = lib.concatStrings [ 26 23 "sqlite3://${dataDir}/database.sqlite3" 27 24 "?_journal_mode=WAL" 28 25 "&_busy_timeout=3000" ··· 63 60 ###### interface 64 61 65 62 options.services.magnetico = { 66 - enable = mkEnableOption "Magnetico, Bittorrent DHT crawler"; 63 + enable = lib.mkEnableOption "Magnetico, Bittorrent DHT crawler"; 67 64 68 - crawler.address = mkOption { 69 - type = types.str; 65 + crawler.address = lib.mkOption { 66 + type = lib.types.str; 70 67 default = "0.0.0.0"; 71 68 example = "1.2.3.4"; 72 69 description = '' ··· 74 71 ''; 75 72 }; 76 73 77 - crawler.port = mkOption { 78 - type = types.port; 74 + crawler.port = lib.mkOption { 75 + type = lib.types.port; 79 76 default = 0; 80 77 description = '' 81 78 Port to be used for indexing DHT nodes. ··· 84 81 ''; 85 82 }; 86 83 87 - crawler.maxNeighbors = mkOption { 88 - type = types.ints.positive; 84 + crawler.maxNeighbors = lib.mkOption { 85 + type = lib.types.ints.positive; 89 86 default = 1000; 90 87 description = '' 91 88 Maximum number of simultaneous neighbors of an indexer. ··· 95 92 ''; 96 93 }; 97 94 98 - crawler.maxLeeches = mkOption { 99 - type = types.ints.positive; 95 + crawler.maxLeeches = lib.mkOption { 96 + type = lib.types.ints.positive; 100 97 default = 200; 101 98 description = '' 102 99 Maximum number of simultaneous leeches. 103 100 ''; 104 101 }; 105 102 106 - crawler.extraOptions = mkOption { 107 - type = types.listOf types.str; 103 + crawler.extraOptions = lib.mkOption { 104 + type = lib.types.listOf lib.types.str; 108 105 default = [ ]; 109 106 description = '' 110 107 Extra command line arguments to pass to magneticod. 111 108 ''; 112 109 }; 113 110 114 - web.address = mkOption { 115 - type = types.str; 111 + web.address = lib.mkOption { 112 + type = lib.types.str; 116 113 default = "localhost"; 117 114 example = "1.2.3.4"; 118 115 description = '' ··· 120 117 ''; 121 118 }; 122 119 123 - web.port = mkOption { 124 - type = types.port; 120 + web.port = lib.mkOption { 121 + type = lib.types.port; 125 122 default = 8080; 126 123 description = '' 127 124 Port the web interface will listen to. 128 125 ''; 129 126 }; 130 127 131 - web.credentials = mkOption { 132 - type = types.attrsOf types.str; 128 + web.credentials = lib.mkOption { 129 + type = lib.types.attrsOf lib.types.str; 133 130 default = { }; 134 131 example = lib.literalExpression '' 135 132 { ··· 156 153 ''; 157 154 }; 158 155 159 - web.credentialsFile = mkOption { 160 - type = types.nullOr types.path; 156 + web.credentialsFile = lib.mkOption { 157 + type = lib.types.nullOr lib.types.path; 161 158 default = null; 162 159 description = '' 163 160 The path to the file holding the credentials to access the web ··· 174 171 ''; 175 172 }; 176 173 177 - web.extraOptions = mkOption { 178 - type = types.listOf types.str; 174 + web.extraOptions = lib.mkOption { 175 + type = lib.types.listOf lib.types.str; 179 176 default = [ ]; 180 177 description = '' 181 178 Extra command line arguments to pass to magneticow. ··· 186 183 187 184 ###### implementation 188 185 189 - config = mkIf cfg.enable { 186 + config = lib.mkIf cfg.enable { 190 187 191 188 users.users.magnetico = { 192 189 description = "Magnetico daemons user";

+4 -6

nixos/modules/services/torrent/opentracker.nix

··· 4 4 pkgs, 5 5 ... 6 6 }: 7 - 8 - with lib; 9 7 let 10 8 cfg = config.services.opentracker; 11 9 in 12 10 { 13 11 options.services.opentracker = { 14 - enable = mkEnableOption "opentracker"; 12 + enable = lib.mkEnableOption "opentracker"; 15 13 16 - package = mkPackageOption pkgs "opentracker" { }; 14 + package = lib.mkPackageOption pkgs "opentracker" { }; 17 15 18 - extraOptions = mkOption { 19 - type = types.separatedString " "; 16 + extraOptions = lib.mkOption { 17 + type = lib.types.separatedString " "; 20 18 description = '' 21 19 Configuration Arguments for opentracker 22 20 See https://erdgeist.org/arts/software/opentracker/ for all params

+8 -11

nixos/modules/services/torrent/peerflix.nix

··· 5 5 pkgs, 6 6 ... 7 7 }: 8 - 9 - with lib; 10 - 11 8 let 12 9 cfg = config.services.peerflix; 13 10 opt = options.services.peerflix; ··· 25 22 ###### interface 26 23 27 24 options.services.peerflix = { 28 - enable = mkOption { 25 + enable = lib.mkOption { 29 26 description = "Whether to enable peerflix service."; 30 27 default = false; 31 - type = types.bool; 28 + type = lib.types.bool; 32 29 }; 33 30 34 - stateDir = mkOption { 31 + stateDir = lib.mkOption { 35 32 description = "Peerflix state directory."; 36 33 default = "/var/lib/peerflix"; 37 - type = types.path; 34 + type = lib.types.path; 38 35 }; 39 36 40 - downloadDir = mkOption { 37 + downloadDir = lib.mkOption { 41 38 description = "Peerflix temporary download directory."; 42 39 default = "${cfg.stateDir}/torrents"; 43 - defaultText = literalExpression ''"''${config.${opt.stateDir}}/torrents"''; 44 - type = types.path; 40 + defaultText = lib.literalExpression ''"''${config.${opt.stateDir}}/torrents"''; 41 + type = lib.types.path; 45 42 }; 46 43 }; 47 44 48 45 ###### implementation 49 46 50 - config = mkIf cfg.enable { 47 + config = lib.mkIf cfg.enable { 51 48 systemd.tmpfiles.rules = [ 52 49 "d '${cfg.stateDir}' - peerflix - - -" 53 50 ];