Commit Graph

33 Commits

Author SHA1 Message Date
datafoo
533ff8546b nixos/mosquitto: leverage systemd credentials
Use systemd credentials for all variations of user passwords.
Password files do not need special permissions anymore.
2023-07-24 11:37:30 +02:00
pennae
0a6e6cf7e6 nixos/manual: render module chapters with nixos-render-docs
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh

since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).

also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
2023-01-27 20:07:34 +01:00
pennae
53fc887582 nixos/manual: move "edit the MD file" comments to generated XML 2023-01-10 12:34:37 +01:00
pennae
bf92eaebe4 nixos/manual: generate module chapters with md-to-db.sh 2023-01-10 10:32:00 +01:00
figsoda
6bb0dbf91f nixos: fix typos 2022-12-17 19:31:14 -05:00
pennae
15372dc4d4 nixos/mosquitto: clarify hashedPassword generation
unfortunately we cannot use other tools (like mkpasswd) instead of
mosquitto_passwd because mosquitto is incompatible with the standard
crypt format.
2022-10-28 17:39:30 +02:00
pennae
ef176dcf7e nixos/*: automatically convert option descriptions
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running

    nix-doc-munge nixos/**/*.nix
    nix-doc-munge --import nixos/**/*.nix

the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
2022-08-31 16:32:53 +02:00
pennae
2e751c0772 treewide: automatically md-convert option descriptions
the conversion procedure is simple:

 - find all things that look like options, ie calls to either `mkOption`
   or `lib.mkOption` that take an attrset. remember the attrset as the
   option
 - for all options, find a `description` attribute who's value is not a
   call to `mdDoc` or `lib.mdDoc`
 - textually convert the entire value of the attribute to MD with a few
   simple regexes (the set from mdize-module.sh)
 - if the change produced a change in the manual output, discard
 - if the change kept the manual unchanged, add some text to the
   description to make sure we've actually found an option. if the
   manual changes this time, keep the converted description

this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
2022-07-30 15:16:34 +02:00
pennae
320aa2a791 treewide: attempt at markdown option docs 2022-06-12 12:44:38 +02:00
pennae
c1115d37ff nixos/mosquitto: fix attribute path display in assertions 2022-05-15 10:33:38 +02:00
pennae
2145dbc4fc nixos/mosquitto: add missing listener option bind_interface
we expose it under settings instead of at the listener toplevel because
mosquitto seems to pick the addresses it will listen on
nondeterministically from the set of addresses configured on the
interface being bound to. encouraging its use by putting it into the
toplevel options for a listener seems inadvisable.
2022-05-15 10:33:38 +02:00
datafoo
1d3f0903a8 nixos/mosquitto: add package option 2022-01-19 15:59:53 +01:00
pennae
dc101d9fef nixos/mosquitto: wait for network-online.target, not network.target
network.target is reached earlier, but with much fewer services
available. DNS is likely to be not functional before
network-online.target, so waiting for that seems better for that reason
alone. the existing backends for network-online.target all seem to do
reasonable things (wait until all links are in *some* stable state), so
we shouldn't lose anything from waiting.
2022-01-17 20:58:50 +01:00
pennae
0343045a92 nixos/mosquitto: add module documentation 2021-10-28 08:44:32 +02:00
pennae
d09952fea8 nixos/mosquitto: restore passwordless system feature
during the rewrite the checkPasswords=false feature of the old module
was lost. restore it, and with it systems that allow any client to use
any username.
2021-10-24 19:38:51 +02:00
pennae
56d0b5cd6a nixos/mosquitto: rewrite the module
mosquitto needs a lot of attention concerning its config because it doesn't
parse it very well, often ignoring trailing parts of lines, duplicated config
keys, or just looking back way further in the file to associated config keys
with previously defined items than might be expected.

this replaces the mosquitto module completely. we now have a hierarchical config
that flattens out to the mosquitto format (hopefully) without introducing spooky
action at a distance.
2021-10-22 16:06:55 -04:00
Naïm Favier
2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Martin Weinelt
a2d1d16af8
nixos/mosquitto: Migrate away from bind_address/port config keys
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.

> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.

Fixes: #120860
2021-05-01 19:46:48 +02:00
Martin Weinelt
33e867620e
nixos/mosquitto: harden systemd unit
It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
2021-05-01 19:46:48 +02:00
Sandro
a390213f85
Merge pull request #85133 from snicket2100/mosquitto-service-sandboxing
mosquitto: systemd service sandboxing
2020-11-27 18:53:36 +01:00
Felix Tenley
542f75079b nixos/mosquitto: add passwordFile and hashedPasswordFile options 2020-10-25 10:53:38 +01:00
snicket2100
2b0ee787dd mosquitto: systemd service sandboxing
running the service in a sandbox. read-only root file system,
with tmpfs mounted in /tmp, hidden /root and /home,
temporary /dev. the only writeable path is the data directory,
which according to my experiments is enough for the service
to work correctly.
2020-04-13 10:46:56 +02:00
Silvan Mosberger
478e7184f8
nixos/modules: Remove all usages of types.string
And replace them with a more appropriate type

Also fix up some minor module problems along the way
2019-08-31 18:19:00 +02:00
Aaron Andersen
4a11ce7f26
cleanup redundant text in modules utilizing mkEnableOption
Closes #59911
2019-04-20 14:44:02 +02:00
Peter Hoeg
0e40b7bfc2 mosquitto (nixos): notify systemd when started 2019-03-01 18:54:24 +08:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Florian Baumann
7e76b127cd
Multiple users with hashedPassword is broken in mosquitto
If you have more than 1 User with hasedPassword Option set it generates 

```
rm -f /var/lib/mosquitto/passwd
touch /var/lib/mosquitto/passwd
echo 'user1:$6$xxx' > /var/lib/mosquitto/passwd
echo 'user2:$6$xxx' > /var/lib/mosquitto/passwd
```

Which ends up in only having 1 user.
2018-02-08 22:46:06 +01:00
Joachim F
ed250d8093
Merge pull request #27131 from richardlarocque/mosquitto_pw
mosquitto: Explicitly configure password file
2018-01-13 12:02:45 +00:00
Richard Larocque
b27d8c5d0a nixos/mosquitto: Fix instructions for password gen
Fixes https://github.com/NixOS/nixpkgs/issues/27996.

Updates instructions for generating hashes passwords for use in a
Mosquitto password file.  Using `mosquitto_passwd` to generate these
hashes is a little less convenient, but the results are more likely to
be compatible with the mosquitto daemon.

As far as I can tell, the hashes generated with `mkpassd` did not work
as intended.  But this may have been hidden by another bug:
https://github.com/NixOS/nixpkgs/issues/27130.
2017-08-06 15:54:36 -07:00
Richard Larocque
66b07e41e6 nixos/mosquitto: Add checkPasswords option
Related to https://github.com/NixOS/nixpkgs/issues/27130.

Adds an option to NixOS configuration option to have Mosquitto use the
password file that it generates.  When this option is false the
Mosquitto server will accept login attempts with any username and any
password.  This option defaults to false because this matches the
behavior of the service prior to the introduction of this option.

When the `services.mosquitto.checkPasswords` is true, the server will
only accept valid usernames and passwords.
2017-08-06 15:31:37 -07:00
Franz Pletz
3ab45f4b36
treewide: use boolToString function 2017-04-11 18:18:53 +02:00
Franz Pletz
9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
Hans-Harro Horn
77f2c305b6 mosquitto service: init
Initial Mosquitto MQTT Broker service file.
2016-05-24 10:49:03 +02:00