Commit Graph

661 Commits

Author SHA1 Message Date
Bjørn Forsman
a29010fe79 nixos: improve many 'enable' descriptions 2024-04-09 07:10:17 +02:00
Maximilian Bosch
5142b7afa8
nixos/postgresql: turn settings into a submodule
The main idea behind that was to be able to do more sophisticated
merging for stuff that goes into `postgresql.conf`:
`shared_preload_libraries` is a comma-separated list in a `types.str`
and thus not mergeable. With this change, the option accepts both a
comma-separated string xor a list of strings.

This can be implemented rather quick using `coercedTo` +
freeform modules. The interface still behaves equally, but it allows to
merge declarations for this option together.

One side-effect was that I had to change the `attrsOf (oneOf ...)` part into
a submodule to allow declaring options for certain things. While at it,
I decided to move `log_line_prefix` and `port` into this structure as
well.
2024-03-30 14:23:05 +01:00
Janne Heß
fcc95ff817 treewide: Fix all Nix ASTs in all markdown files
This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
2024-03-28 09:28:12 +01:00
Janne Heß
bc77c7a973 treewide: Mark Nix blocks in markdown as Nix
This should help us with highlighting and future formatting.
2024-03-28 09:28:12 +01:00
Wolfgang Walther
4b6bce5c31
postgresql: refactor to remove "this" argument
This was proposed by abbradar in #150801, but left out of the follow up PR
#221851 by Ma27 to reduce the size of the diff. Compared to the initial
proposal this includes the callPackage call in the recursion, which avoids
breaking the withJIT/withoutJIT helpers.

In terms of nixpkgs, this is a pure refactor, no derivations change. However,
this makes downstream expressions like the following possible:

  (postgresql.override { jitSupport = true; }).pkgs.postgis

This would have not worked before without passing another "this" argument,
which is error prone as can be seen in this example:

  https://github.com/PostgREST/postgrest/pull/3222/files
2024-03-15 21:11:09 +01:00
Wolfgang Walther
14b3ea2789
postgresql: refactor to pass jitSupport/llvm via scope instead of passthru
This makes it less error-prone to use the llvm package in extensions, because
it will always match the package used by the postgresql derivation itself.

Previously, you could've accidentally used llvm instead of postgresql.llvm
with a different result.
2024-03-15 21:11:09 +01:00
emilylange
08c37ba899 nixos/lldap: set service UMask=0027 and StateDirectoryMode=0750
While `/var/lib/lldap` isn't technically accessible by unprivileged
users thanks to `DynamicUser=true`, a user might prefer and change it to
`DynamicUser=false`.

There is currently also a PR open that intends to make `DynamicUser`
configurable via module option.

As such, `jwt_secret_file`, if bootstrapped by the service start
procedure, might be rendered world-readable due to its permissions
(`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and
`/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`.

This would usually be fixed by using `(umask 027; openssl ...)` instead
of just `openssl ...`.

However, it was found that another file (`users.db`), this time
bootstrapped by `lldap` itself, also had insufficient permissions
(`0644/-rw-r--r--`) inherited by the global umask and would be left
world-readable as well.

Due to this, we instead change the service's to `027`.

And to lower the impact for already bootstrapped files on existing
instances like `users.db`, set `StateDirectoryMode=0750`.
2024-03-11 17:34:29 +01:00
emilylange
61a651e362 nixos/lldap: bootstrap jwt_secret if not provided
If not provided, lldap defaults to `secretjwtsecret` as value which is
hardcoded in the code base.

See https://github.com/lldap/lldap/blob/v0.5.0/server/src/infra/configuration.rs#L76-L77

This is really bad, because it is trivially easy to generate an admin
access token/cookie as attacker, if a `jwt_secret` is known.
2024-03-11 17:34:29 +01:00
Weijia Wang
4acc19b18c
Merge pull request #291581 from Luflosi/nixos/memcached/clarify-setting
nixos/memcached: clarify behaviour of `enableUnixSocket`
2024-03-08 10:25:10 +01:00
Maximilian Bosch
3c8f4e06e6
Merge pull request #287602 from Ma27/drop-postgres-ensurePermissions
nixos/postgresql: drop ensurePermissions option
2024-03-07 19:50:44 +00:00
Luflosi
a982176a71
nixos/memcached: clarify behaviour of enableUnixSocket
Let's make it clear that enabling this option will disable listening on an IP address and port.
2024-02-26 15:29:55 +01:00
Sandro
30f71249a8
Merge pull request #285866 from 999eagle/feat/pgbouncer-systemd 2024-02-19 14:42:01 +01:00
Sophie Tauchert
f6278d4f6a
nixos/pgbouncer: fix openFirewall option 2024-02-15 21:42:27 +01:00
Sophie Tauchert
b89cd583ae
nixos/pgbouncer: only depend on postgresql.service when enabled and use notify
See also the upstream service file: e6ce619785/etc/pgbouncer.service
2024-02-15 21:42:27 +01:00
Maximilian Bosch
d363f52625
nixos/postgresql: drop ensurePermissions option
...effectively what was planned already in #266270, but it was too late
because the branches were restricted and didn't allow any breaking
changes anymore.

It also suffers from the same issue that we already had when discussing
this the last time[1] when `ensureDBOwnership` was ultimately introduced
as band-aid fix: newly created users don't get CREATE permission on
the `public` schema anymore (since psql 15), even with `ALL PRIVILEGES`.

If one's use-case is more sophisticated than having a single owner, it's
questionable anyways if this module is the correct tool since
permissions aren't dropped on a change to this option or a removal which
is pretty surprising in the context of NixOS.

[1] https://github.com/NixOS/nixpkgs/pull/266270
2024-02-12 21:10:33 +01:00
Josh Hoffer
b445085c22 nixos/mysql: Use notify service type for MySQL >= 8.0 2024-02-11 15:41:25 -08:00
Josh Hoffer
e553e37abf nixos/mysql: remove MySQL fixed 30 second timeout
Removed hard coded timeout in postScript, allow using
more general systemd TimeoutStartSec instead.
2024-02-11 15:41:25 -08:00
Weijia Wang
7ece427021
Merge pull request #279268 from superherointj/etcd-fix-firewall-startup
nixos/etcd: fixes etcd failing to start at boot and add openFirewall option
2024-02-05 00:37:09 +01:00
Weijia Wang
e2fb30fabc
Merge pull request #239785 from milibopp/neo4j-5.9.0
neo4j: 4.4.11 -> 5.9.0
2024-02-05 00:21:21 +01:00
superherointj
cbe8e0c980 nixos/etcd: fix etcd category from misc to databases 2024-01-26 16:40:11 -03:00
a-n-n-a-l-e-e
18cc181b9b
Merge pull request #279511 from DanielSidhion/tigerbeetle-service
nixos/tigerbeetle: init module
2024-01-23 23:13:54 -08:00
DS
fdf411fb36 nixos/tigerbeetle: init module 2024-01-19 13:19:27 -08:00
Peder Bergebakken Sundt
c3f2d4a319
Merge pull request #267327 from bbenno/fix/nixos-firebird
nixos/firebird: fix coerce error
2024-01-19 22:12:47 +01:00
Jade Lovelace
6c5ab28fce nixos: fix a bunch of services missing dep on network-online.target
This was done by generating a truly hilarious configuration:

rg 'services\.[^.]+\.enable\t' opts-tags | cut -f1 > allonconfig.nix

The following were not tested due to other evaluation errors. They
should probably be manually audited.
services.amule
services.castopod
services.ceph
services.chatgpt-retrieval-plugin
services.clamsmtp
services.clight
services.dante
services.dex
services.discourse
services.dwm-status
services.engelsystem
services.foundationdb
services.frigate
services.frp
services.grocy
services.guacamole-client
services.hedgedoc
services.home-assistant
services.honk
services.imaginary
services.jitsi-meet
services.kerberos_server
services.limesurvey
services.mastodon
services.mediawiki
services.mobilizon
services.moodle
services.mosquitto
services.nextcloud
services.nullmailer
services.patroni
services.pfix-srsd
services.pgpkeyserver-lite
services.postfixadmin
services.roundcube
services.schleuder
services.self-deploy
services.slskd
services.spacecookie
services.statsd
services.step-ca
services.sympa
services.tsmBackup
services.vdirsyncer
services.vikunja
services.yandex-disk
services.zabbixWeb
2024-01-19 00:11:34 -08:00
Nick Cao
1840316647
Merge pull request #272556 from SuperSandro2000/influxdb-restart
nixos/influxdb: restart on failure
2024-01-14 14:25:21 -05:00
Emilia Bopp
5f6b7a35d6 neo4j: 4.4.11 -> 5.9.0 2024-01-05 18:20:24 +01:00
Luflosi
f88af99311
nixos/aerospike: use NixOS option instead of custom script
Since 2c5abd89c7 setting the option `boot.kernel.sysctl."net.core.rmem_max"` no longer has any downsides compared to what was previously used. Since 439350753e the same is also true for `boot.kernel.sysctl."net.core.wmem_max"`.
2023-12-28 17:41:59 +01:00
Thomas Gerbet
a9da4c2260
Merge pull request #257504 from SuperSandro2000/postgres-doc
nixos/postgresql: point doc link to current like all others
2023-12-15 00:43:13 +01:00
Sandro Jäckel
4fe5824fc7
nixos/postgresql: take extraPlugins packageset from package option
This allows to reuse the extraPlugins option in other context's for
example an upgrade script.
2023-12-08 14:58:18 +01:00
Sandro Jäckel
c8e61256e6
nixos/influxdb: restart on failure 2023-12-06 23:17:29 +01:00
h7x4
79d3d59f58
treewide: replace mkPackageOptionMD with mkPackageOption 2023-11-30 19:03:14 +01:00
Weijia Wang
feeae486de
Merge pull request #261702 from h7x4/replace-mkoption-with-mkpackageoption
treewide: use `mkPackageOption`
2023-11-30 02:49:30 +01:00
Mario Rodas
3dba8d6fdb
Merge pull request #268634 from tie/redis-restrict-address-families
nixos/redis: loosen systemd address family restrictions
2023-11-27 20:06:29 -05:00
h7x4
0a37316d6c
treewide: use mkPackageOption
This commit replaces a lot of usages of `mkOption` with the package
type, to be `mkPackageOption`, in order to reduce the amount of code.
2023-11-27 01:28:36 +01:00
Sandro Jäckel
515ce669bc
nixos/postgresql: point doc link to current like all others 2023-11-20 14:44:23 +01:00
Sandro
809f926017
nixos/postgresql: fix mentioned settings in ensurePermissions warnings 2023-11-20 14:42:57 +01:00
Ivan Trubach
5c898bec57 nixos/redis: loosen systemd address family restrictions
Do not assume that port and unixSocket are the only options that affect
address families used by Redis. There are other options, e.g. tls-port,
and also clustered setup that are not covered by the declarative
configuration. Instead of trying to selectively restrict unused address
families based on the configuration, limit address families to IP and
Unix sockets and let users lib.mkForce a stricter sandboxing is needed.

See also
https://docs.redis.com/latest/rs/networking/port-configurations/
2023-11-20 07:11:34 +03:00
Ryan Lahfa
ccfe07c316
Merge pull request #266270 from Ma27/postgresql-ownership-15 2023-11-17 18:02:17 +01:00
Herwig Hochleitner
e7c7d97167
nixos/postgresql: document psql 15 changes (#267238)
* nixos/postgresql: document psql 15 changes

* nixos/postgresql: manual heading ids

* nixos/postgresql: reword warning against initialScript

Co-authored-by: Ryan Lahfa <masterancpp@gmail.com>

* nixos/postgresql: wording PERMISSIONS -> PRIVILEGES

Co-authored-by: Ryan Lahfa <masterancpp@gmail.com>

* nixos/postgresql: document intermediate oneshot / service user method

* nixos/postgresql/docs: clarify security benefits of `ensureDBOwnership`

* nixos/postgresql/docs: service type -> serviceConfig.Type

---------

Co-authored-by: Ryan Lahfa <masterancpp@gmail.com>
2023-11-17 16:06:01 +01:00
Benno Bielmeier
0a620163b9 nixos/firebird: fix coerce error
When `services.firebird.enable` following error is thrown:
  error: cannot coerce an integer to a string

After explicitly cast the port (integer) to string the error disappears.
2023-11-13 23:49:04 +01:00
Raito Bezarius
d57926c0b6 nixos/postgresql: improve the assertions for equality of DB user and DB name
It is hard to figure out which one is offending without the database name.
2023-11-13 17:16:25 +01:00
Raito Bezarius
12797a6a39 nixos/postgresql: restore ensurePermissions and strong-deprecate it
As it is technically a breaking change, we should at least make a strong deprecation
of `ensurePermissions` and leave it in the broken state it is, for out of tree users.

We give them a 6 months notice to migrate away by doing so, which is honest.
In the meantime, we forbid usage of `ensurePermissions` inside of nixpkgs.
2023-11-13 17:16:25 +01:00
Maximilian Bosch
48459567ae nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989

First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.

The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).

After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].

So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that

* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
  `ensureUsers`. That way, the user is actually the owner and can
  perform `CREATE`.
* For such a postgres user, a database must be declared in
  `ensureDatabases`.

For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.

Regarding existing setups: there are effectively two options:

* Leave everything as-is (assuming that system user == db user == db
  name): then the DB user will automatically become the DB owner and
  everything else stays the same.

* Drop the `createDatabase = true;` declarations: nothing will change
  because a removal of `ensure*` statements is ignored, so it doesn't
  matter at all whether this option is kept after the first deploy (and
  later on you'd usually restore from backups anyways).

  The DB user isn't the owner of the DB then, but for an existing setup
  this is irrelevant because CREATE on the public schema isn't revoked
  from existing users (only not granted for new users).

[1] not really declarative though because removals of these statements
    are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
    because it IMHO falls into the category "manage the state on your
    own" (see the commit message). See also
    https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
    also add more things like collation for DBs or passwords that are
    _never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-13 17:16:25 +01:00
Anthony Roussel
e30f48be94
treewide: fix redirected and broken URLs
Using the script in maintainers/scripts/update-redirected-urls.sh
2023-11-11 10:49:01 +01:00
Maximilian Bosch
1220a4d4dd
postgresql_11: remove
As described in the release lifecycle docs from postgresql[1], v11 will
stop receiving fixes as of Nov 9 2023. This means it's EOL throughout
the entire lifetime of 23.11, so let's drop it now.

A lot of examples are also referencing postgresql_11. Where it's
sensible, use postgresql_15 as example now to avoid confusion.

This is also handy because the LLVM 16 fix for postgresql is not
available for postgresql 11 ;-)

[1] https://www.postgresql.org/support/versioning/
2023-10-30 10:41:16 +01:00
Julien Malka
5237796f2b nixos/ferretdb: fix broken link to documentation 2023-10-23 16:48:31 +00:00
github-actions[bot]
cfc75eec46
Merge master into staging-next 2023-10-20 18:00:54 +00:00
Bjørn Forsman
142074c2a8 nixos: fix bad mkEnableOption descriptions
Fix descriptions that don't account for (1) the "Whether to enable"
prefix or (2) the automatically added trailing dot.
2023-10-20 16:22:40 +01:00
Alyssa Ross
579ae9b989
Merge remote-tracking branch 'origin/master' into staging-next
Conflicts:
	pkgs/development/python-modules/cirq-core/default.nix
2023-10-16 08:49:23 +00:00
Julien Malka
c54ab7d643 nixos/ferretdb: init 2023-10-16 10:15:30 +02:00