This meant that pkgs.lix.passthru.tests.misc never evaluated.
It should be noted that it seems like completely different test
infrastructure is in use on master (25.11), or maybe it is just that the
same test got renamed to nix-misc. Either way, this is busted.
Since `connectionStringFile` reads the file and puts it into the
invocation of the exporter, it's part of the cmdline and thus
effectively world-readable.
Added a new `connectionEnvFile` which is supposed to be an environment
file of the form
    PGBOUNCER_EXPORTER_CONNECTION_STRING=...
that will be added to the systemd service. The exporter will read the
connection string from that value.
(cherry picked from commit 862ecd674f)
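The exposure described in the `connectionStringFile` commit message above can be audited on a running Linux host: `/proc/<pid>/cmdline` is readable by every local user (unless `/proc` is mounted with `hidepid`), while `/proc/<pid>/environ` is readable only by the process owner and root. The following is an added example, not code from nixpkgs or the exporter; the sample argv values, the `--conn` flag and the function names are constructed for illustration.

```python
import os
import re

# URI with a password in the userinfo part: scheme://user:password@host/...
_URI = re.compile(r"([a-z][a-z0-9+.-]*://[^\s/:@]+:)([^\s/@]+)(@)", re.I)
# libpq keyword/value form: "host=... user=... password=..."
_KV = re.compile(r"(\bpassword\s*=\s*)(\S+)", re.I)

def split_cmdline(raw: bytes) -> list[str]:
    """/proc/<pid>/cmdline is argv joined by NUL bytes with a trailing NUL."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def redact(arg: str) -> str:
    """Mask the password so the audit report does not leak it a second time."""
    return _KV.sub(r"\1***", _URI.sub(r"\1***\3", arg))

def exposed_args(raw: bytes) -> list[str]:
    """Redacted copies of every argv entry that carries a credential."""
    return [redact(a) for a in split_cmdline(raw)
            if _URI.search(a) or _KV.search(a)]

def scan_proc(proc: str = "/proc") -> dict[int, list[str]]:
    """Check every process visible to the current (unprivileged) user."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                hits = exposed_args(f.read())
        except OSError:  # process exited, or hidepid restricts access
            continue
        if hits:
            findings[int(pid)] = hits
    return findings

# Constructed samples: the same service started both ways.
# 1) secret interpolated into argv (the connectionStringFile behaviour)
SAMPLE_ARGV = (b"/run/example/exporter\0--conn\0"
               b"postgres://stats:hunter2@127.0.0.1:6432/pgbouncer\0")
# 2) secret passed through an environment file: argv carries nothing
SAMPLE_ENVFILE_ARGV = b"/run/example/exporter\0--listen\0:9127\0"

if __name__ == "__main__":
    print("argv variant:    ", exposed_args(SAMPLE_ARGV))
    print("env-file variant:", exposed_args(SAMPLE_ENVFILE_ARGV))
    for pid, hits in scan_proc().items():
        print(f"pid {pid}: credential visible in cmdline: {hits}")
```

Running the scan as an unprivileged user shows exactly what any local account can read; a unit that uses an environment file should produce no finding.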
* Syncthing: implemented folder type
* Syncthing: fix syntax (via @johnhamelink )
This commit should be rebased/squashed into the previous one if ofborg clears it!
Co-authored-by: John Hamelink <me@johnhame.link>
---------
Co-authored-by: John Hamelink <me@johnhame.link>
(cherry picked from commit ed1b6699c0)
We need ping to be in PATH of the service otherwise it can't ping. This commit
adds it, conditional on one of the inputs being a ping task.
(cherry picked from commit 934a337a13)
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit 0cd631e61f)
The cherry-pick required
-addresses = [ { Address = "${ip}/128"; } ];
+addresses = [ { addressConfig.Address = "${ip}/128"; } ];
to account for the fact that the test was written for master commit
c4fd7cf16d nixos/networkd: get rid of *Config attributes in lists
which is not in this branch.
provision # [ 8.223448] (kanidmd)[819]: kanidm.service: Failed to set up mount namespacing: /ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/ofborg-evaluator-1/nixos/tests/common/acme/server:
No such file or directory
(cherry picked from commit b93f6e4acd)
Implementation is now compatible with the option's .type already defined.
This allows us to pass `config.users.users.<user>.hashedPassword` even if this is null (the default).
Before:
true => access
false => no access
hash => access via password
null => eval error
After:
true => access
false => no access
hash => access via password
null => no access
(cherry picked from commit b33bf6b99a)
Importing PATH into the systemd environment is done by default in
Hyprland v0.41.2+ (https://github.com/hyprwm/Hyprland/pull/6640)
We soft deprecate this option here for versions >= 0.41.2.
(cherry picked from commit ff0738b736)
Set PATH order correctly for systemd user services (see NixOS/nixpkgs#320734)
Signed-off-by: Reputable2722 <153411261+Reputable2772@users.noreply.github.com>
(cherry picked from commit dc423d5c69)
This commit:
- Adds wlr-portal override of wayland-session module (enabled by default)
- Disables it for the hyprland module
(cherry picked from commit 0b0b7cefcc)
This adds a security assertion when using the global instance of
fcgiwrap, which is vulnerable to a local privilege escalation.
This is in addition to the current evaluation warning, and is more in
line with being loud about security issues, similarly to vulnerable
packages.
The evaluation failure can nevertheless be bypassed by setting:
`services.fcgiwrap.allowGlobalInstanceLocalPrivilegeEscalation = true`.
Windows with BitLocker and TPM enabled doesn't support boot chaining.
This option activates a special experimental mode in systemd-boot that
tries to detect such systems and, if detected and selected by the user
at the boot menu, set the BootNext EFI variable to it before resetting.
(cherry picked from commit a68b81c429)
Rebuilding images multiple times on the small channels is too expensive
and makes them slower than they could be. Consuming the image from the
full release channel is probably good enough.
(cherry picked from commit 9426d90c67)
This patch adds the `services.flatpak.package` option to
allow overriding the package added by this module to
`environment.systemPackages` and the likes.
This is useful in scenarios where applications call the
flatpak binary to query information like writable directories
and there is a custom package returning different results
from the vanilla binary.
See https://github.com/crabdancing/nixpak-flatpak-wrapper
(cherry picked from commit af69223f46)
This adds options to set the users and groups as which cgit instances
run, allowing the use of an unprivileged user instead of root.
"root" is kept as the default user to avoid breaking existing setups,
but a warning is shown in that case to alert the user.
Backport of:
commit 4f2da6c9c1
nixos/fcgiwrap: add option migration instruction errors
(partial: move to instances)
commit 3d10deb7a5
nixos/cgit: fix GIT_PROJECT_ROOT ownership
commit 2d8626bf0a
nixos/cgit: configurable user instead of root
commit c5dc3e2034
nixos/fcgiwrap: adapt consumer modules and tests
commit 8101ae41f8
nixos/fcgiwrap: adapt consumer modules and tests
commit bf2ad6f48c
nixos/fcgiwrap: adapt consumer modules and tests
This makes the CGI part of smokeping run as the unprivileged
"smokeping" user like the rest of the service (instead of root).
This also sets proper permissions for the fcgiwrap control socket.
Backport of:
commit 4f2da6c9c1
nixos/fcgiwrap: add option migration instruction errors
(partial: move to instances)
commit c5dc3e2034
nixos/fcgiwrap: adapt consumer modules and tests
commit 8101ae41f8
nixos/fcgiwrap: adapt consumer modules and tests
commit bf2ad6f48c
nixos/fcgiwrap: adapt consumer modules and tests
This deprecates the use of the global shared instance of fcgiwrap,
due to its security issues (running as root by default, actually
insecure control socket, allowing local remote escalation privileges,
with no fix due to the multiple consumers).
A warning is added to encourage users to migrate to properly isolated
instances (`services.fcgiwrap.instances.*`).
This backports the options `services.fcgiwrap.instances.*`,
allowing isolated instances of fcgiwrap to be configured,
as an alternative to the global shared one.
This prepares the deprecation of the latter.
Backport of:
commit efc7aebda7
nixos/fcgiwrap: require explicit owner for UNIX sockets
commit 4f2da6c9c1
nixos/fcgiwrap: add option migration instruction errors
(partial: move to instances)
commit 51b246a1ac
nixos/fcgiwrap: do not run as root by default
commit 81f72015f0
nixos/fcgiwrap: add unix socket owner, private by default
commit 289c1585c2
nixos/fcgiwrap: limit prefork type to positives
commit 3955eaf450
nixos/fcgiwrap: improve readability of CLI args
commit 022289f2fa
nixos/fcgiwrap: group options logically, fix doc
commit 41419ca288
nixos/fcgiwrap: refactor for multiple instances
It has started to take 10 minutes to get a match, and we open the starter more than once.
Let's just drop this check, ydotool helps a lot with getting it open more reliably.
(cherry picked from commit 6e42f74cf9)
24.x is no longer maintained as of February 1, 2024[1].
It did not (yet?) receive a fix for CVE-2024-41110.
According to [1] 25.x will be the next LTS version, use that version to
reduce risk of possible breakage.
[1] https://github.com/moby/moby/pull/46772#discussion_r1686464084
We may want to clear NIX_PATH when channels are disabled, or maybe
it has to be a separate option.
This is just very frustrating to me.
(cherry picked from commit 3f76dcea93)
Warnings and descriptions for `virtualisation.docker.enableNvidia` and
`virtualisation.podman.enableNvidia` erroneously point to setting
`virtualisation.containers.cdi.dynamic.nvidia.enable`. This NixOS
option has been deprecated and the recommended NixOS option is
`hardware.nvidia-container-toolkit.enable`.
(cherry picked from commit 3d2a21eddf)
This commit switches gitaly's git package from `pkgs.git` to the bundled
`git` package in order to maintain compatibility with the supported git
release by gitaly.
(cherry picked from commit feeb53a430)