Merge remote-tracking branch 'origin/master' into staging-next

NixOS · Dec 21, 2024 · 48fcb81 · 48fcb81
2 parents afb270b + 8ddbc44
commit 48fcb81
Show file tree

Hide file tree

Showing 116 changed files with 1,631 additions and 8,901 deletions.
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
@@ -81,6 +81,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [ attrs, get-merge-commit ]
     strategy:
+      fail-fast: false
       matrix:
         system: ${{ fromJSON(needs.attrs.outputs.systems) }}
     steps:

diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -2222,6 +2222,12 @@
     githubId = 354741;
     name = "Austin Butler";
   };
+  automathis = {
+    name = "AutoMathïs";
+    email = "[email protected]";
+    github = "MathisFederico";
+    githubId = 60117466;
+  };
   autophagy = {
     email = "[email protected]";
     github = "autophagy";
@@ -12352,6 +12358,12 @@
     githubId = 11614750;
     name = "Alexander Sharov";
   };
+  kvik = {
+    email = "[email protected]";
+    github = "okvik";
+    githubId = 58425080;
+    name = "Viktor Pocedulić";
+  };
   kwaa = {
     name = "藍+85CD";
     email = "[email protected]";
@@ -13591,6 +13603,13 @@
     githubId = 1809783;
     name = "Marco Maggesi";
   };
+  magneticflux- = {
+    email = "[email protected]";
+    github = "magneticflux-";
+    githubId = 9124288;
+    name = "Mitchell Skaggs";
+    keys = [ { fingerprint = "CA2A 3324 43A7 BD99 8FCE  DFC4 4EB0 FECB 84AE 8967"; } ];
+  };
   magnetophon = {
     email = "[email protected]";
     github = "magnetophon";
@@ -15812,6 +15831,12 @@
     githubId = 3747396;
     name = "Nathan Isom";
   };
+  negatethis = {
+    email = "[email protected]";
+    github = "negatethis";
+    githubId = 26014535;
+    name = "Negate This";
+  };
   neilmayhew = {
     email = "[email protected]";
     github = "neilmayhew";

diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -165,6 +165,12 @@
   ```
   This changed follows a deprecation period of one year started in NixOS 24.05 (see [PR #283818](https://github.com/NixOS/nixpkgs/pull/283818)).
 
+- The values of `services.borgbackup.jobs.*.extraArgs` and other `extra*Args` options are now represented as Bash arrays. If these arguments were modified using `services.borgbackup.jobs.*.preHook`, they will need to be adjusted to append to these arrays, i.e.
+  ```diff
+  -extraCreateArgs="$extraCreateArgs --exclude /some/path"
+  +extraCreateArgs+=("--exclude" "/some/path")
+  ```
+
 - `nodePackages.ganache` has been removed, as the package has been deprecated by upstream.
 
 - `virtualisation.azure.agent` option provided by `azure-agent.nix` is replaced by `services.waagent`, and will be removed in a future release.
@@ -223,6 +229,8 @@
 - `zf` was updated to 0.10.2, which includes breaking changes from the [0.10.0 release](https://github.com/natecraddock/zf/releases/tag/0.10.0).
   `zf` no longer does Unicode normalization of the input and no longer supports terminal escape sequences in the `ZF_PROMPT` environment variable.
 
+- `programs.clash-verge.tunMode` was deprecated and removed because now service mode is neccessary to start program. Without `programs.clash-verge.enable`, clash-verge-rev will refuse to start.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Other Notable Changes {#sec-release-25.05-notable-changes}

diff --git a/nixos/modules/programs/clash-verge.nix b/nixos/modules/programs/clash-verge.nix
@@ -6,6 +6,11 @@
 }:
 
 {
+  imports = [
+    (lib.mkRemovedOptionModule [ "programs" "clash-verge" "tunMode" ] ''
+      The tunMode will work with service mode which is enabled by default.
+    '')
+  ];
   options.programs.clash-verge = {
     enable = lib.mkEnableOption "Clash Verge";
     package = lib.mkOption {
@@ -15,10 +20,10 @@
         clash-verge-rev and clash-nyanpasu, both are forks of
         the original clash-verge project.
       '';
-      example = "pkgs.clash-verge-rev";
+      default = pkgs.clash-verge-rev;
+      defaultText = lib.literalExpression "pkgs.clash-verge-rev";
     };
     autoStart = lib.mkEnableOption "Clash Verge auto launch";
-    tunMode = lib.mkEnableOption "Clash Verge TUN mode";
   };
 
   config =
@@ -37,13 +42,19 @@
         ))
       ];
 
-      security.wrappers.clash-verge = lib.mkIf cfg.tunMode {
-        owner = "root";
-        group = "root";
-        capabilities = "cap_net_bind_service,cap_net_admin=+ep";
-        source = "${lib.getExe cfg.package}";
+      systemd.services.clash-verge = {
+        enable = true;
+        description = "Clash Verge Service Mode";
+        serviceConfig = {
+          ExecStart = "${cfg.package}/bin/clash-verge-service";
+          Restart = "on-failure";
+        };
+        wantedBy = [ "multi-user.target" ];
       };
     };
 
-  meta.maintainers = with lib.maintainers; [ zendo ];
+  meta.maintainers = with lib.maintainers; [
+    bot-wxt1221
+    Guanran928
+  ];
 }
diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix
@@ -20,8 +20,19 @@ let
     lib.concatStringsSep " "
       (lib.mapAttrsToList (x: y: "--keep-${x}=${toString y}") cfg.prune.keep);
 
+  mkExtraArgs = cfg:
+    # Create BASH arrays of extra args
+    lib.concatLines
+      (lib.mapAttrsToList (name: values: ''
+        ${name}=(${values})
+      '')
+  { inherit (cfg) extraArgs extraInitArgs extraCreateArgs extraPruneArgs extraCompactArgs; });
+
   mkBackupScript = name: cfg: pkgs.writeShellScript "${name}-script" (''
     set -e
+
+    ${mkExtraArgs cfg}
+
     on_exit()
     {
       exitStatus=$?
@@ -46,35 +57,35 @@ let
     ${cfg.preHook}
   '' + lib.optionalString cfg.doInit ''
     # Run borg init if the repo doesn't exist yet
-    if ! borgWrapper list $extraArgs > /dev/null; then
-      borgWrapper init $extraArgs \
+    if ! borgWrapper list "''${extraArgs[@]}" > /dev/null; then
+      borgWrapper init "''${extraArgs[@]}" \
         --encryption ${cfg.encryption.mode} \
-        $extraInitArgs
+        "''${extraInitArgs[@]}"
       ${cfg.postInit}
     fi
   '' + ''
     (
       set -o pipefail
       ${lib.optionalString (cfg.dumpCommand != null) ''${lib.escapeShellArg cfg.dumpCommand} | \''}
-      borgWrapper create $extraArgs \
+      borgWrapper create "''${extraArgs[@]}" \
         --compression ${cfg.compression} \
         --exclude-from ${mkExcludeFile cfg} \
         --patterns-from ${mkPatternsFile cfg} \
-        $extraCreateArgs \
+        "''${extraCreateArgs[@]}" \
         "::$archiveName$archiveSuffix" \
         ${if cfg.paths == null then "-" else lib.escapeShellArgs cfg.paths}
     )
   '' + lib.optionalString cfg.appendFailedSuffix ''
-    borgWrapper rename $extraArgs \
+    borgWrapper rename "''${extraArgs[@]}" \
       "::$archiveName$archiveSuffix" "$archiveName"
   '' + ''
     ${cfg.postCreate}
   '' + lib.optionalString (cfg.prune.keep != { }) ''
-    borgWrapper prune $extraArgs \
+    borgWrapper prune "''${extraArgs[@]}" \
       ${mkKeepArgs cfg} \
       ${lib.optionalString (cfg.prune.prefix != null) "--glob-archives ${lib.escapeShellArg "${cfg.prune.prefix}*"}"} \
-      $extraPruneArgs
-    borgWrapper compact $extraArgs $extraCompactArgs
+      "''${extraPruneArgs[@]}"
+    borgWrapper compact "''${extraArgs[@]}" "''${extraCompactArgs[@]}"
     ${cfg.postPrune}
   '');
 
@@ -120,7 +131,6 @@ let
       };
       environment = {
         BORG_REPO = cfg.repo;
-        inherit (cfg) extraArgs extraInitArgs extraCreateArgs extraPruneArgs extraCompactArgs;
       } // (mkPassEnv cfg) // cfg.environment;
     };
 
@@ -236,7 +246,7 @@ let
   };
 
 in {
-  meta.maintainers = with lib.maintainers; [ dotlambda ];
+  meta.maintainers = with lib.maintainers; [ dotlambda Scrumplex ];
   meta.doc = ./borgbackup.md;
 
   ###### interface
@@ -581,7 +591,7 @@ in {
             default = "";
             example = ''
               # To add excluded paths at runtime
-              extraCreateArgs="$extraCreateArgs --exclude /some/path"
+              extraCreateArgs+=("--exclude" "/some/path")
             '';
           };
 

diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
@@ -1242,6 +1242,7 @@ in {
       enable = true;
       enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
       package = cfg.registry.package;
+      port = cfg.registry.port;
       extraConfig = {
         auth.token = {
           realm = "http${optionalString (cfg.https == true) "s"}://${cfg.host}/jwt/auth";

diff --git a/nixos/modules/services/misc/jackett.nix b/nixos/modules/services/misc/jackett.nix
@@ -60,6 +60,55 @@ in
         Group = cfg.group;
         ExecStart = "${cfg.package}/bin/Jackett --NoUpdates --Port ${toString cfg.port} --DataFolder '${cfg.dataDir}'";
         Restart = "on-failure";
+
+        # Sandboxing
+        CapabilityBoundingSet = [
+          "CAP_NET_BIND_SERVICE"
+        ];
+        ExecPaths = [
+          "${builtins.storeDir}"
+        ];
+        LockPersonality = true;
+        NoExecPaths = [
+          "/"
+        ];
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        ReadWritePaths = [
+          "${config.users.users.${cfg.user}.home}"
+        ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@clock"
+          "~@cpu-emulation"
+          "~@debug"
+          "~@obsolete"
+          "~@reboot"
+          "~@module"
+          "~@mount"
+          "~@swap"
+        ];
+        UMask = "0077";
       };
     };
 

diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
@@ -246,29 +246,68 @@ in
       };
     users.groups.${bindUser} = {};
 
+    systemd.tmpfiles.settings."bind" = lib.mkIf (cfg.directory != "/run/named") {
+      ${cfg.directory} = {
+        d = {
+          user = bindUser;
+          group = bindUser;
+          age = "-";
+        };
+      };
+    };
     systemd.services.bind = {
       description = "BIND Domain Name Server";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
       preStart = ''
-        mkdir -m 0755 -p /etc/bind
         if ! [ -f "/etc/bind/rndc.key" ]; then
-          ${bindPkg.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null
+          ${bindPkg.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -a -A hmac-sha256 2>/dev/null
         fi
-
-        ${pkgs.coreutils}/bin/mkdir -p /run/named
-        chown ${bindUser} /run/named
-
-        ${pkgs.coreutils}/bin/mkdir -p ${cfg.directory}
-        chown ${bindUser} ${cfg.directory}
       '';
 
       serviceConfig = {
         Type = "forking"; # Set type to forking, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900788
-        ExecStart = "${bindPkg.out}/sbin/named -u ${bindUser} ${lib.optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile}";
+        ExecStart = "${bindPkg.out}/sbin/named ${lib.optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile}";
         ExecReload = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' reload";
         ExecStop = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' stop";
+        User = bindUser;
+        RuntimeDirectory = "named";
+        RuntimeDirectoryPreserve = "yes";
+        ConfigurationDirectory = "bind";
+        ReadWritePaths = [
+          (lib.mapAttrsToList (name: config: if (lib.hasPrefix "/" config.file) then ("-${dirOf config.file}") else "") cfg.zones)
+          cfg.directory
+        ];
+        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+        # Security
+        NoNewPrivileges = true;
+        # Sandboxing
+        ProtectSystem = "strict";
+        ReadOnlyPaths = "/sys";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6 AF_NETLINK" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RestrictNamespaces = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@mount @debug @clock @reboot @resources @privileged @obsolete acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice";
       };
 
       unitConfig.Documentation = "man:named(8)";