These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.
In my tests, Redmine only bound to an IPv4 address and Unix socket,
which is why I restricted the address families to these both.
The command `systemd-analyze security redmine.service` reports an
overall exposure level of 2.9 with this patch.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
previously if you set the "user" option and did not create a group
account with the same name the module would create a service that would
fail to start.
with this change:
- the module is more explicit about this behaviour
- you can configure the group directly, so that you're not forced to a
particular user/group structure
- you can read the group name used by the redis service. this is useful
for giving other services permission to use the redis socket.
The rss-bridge service changes introduced in f2201789fe
resp. https://github.com/NixOS/nixpkgs/pull/223148 removes the need for
the package patch. This commit removes the patch to ease updating and
maintenance.
Relevant service functionality was also removed (e.g. the setting of
RSSBRIDGE_DATA).
The explicit definition of FileCache.path so users can easily see its
default value and change it, requires to use a freeformType to let users
freely add potentially upcoming config options. This type is restricted
to ini types (although we coerce them to environment variables).
This however makes the list of enabled_bridges impossible. That was
fixed by explicitly introducing this option with a type allowing lists.
The default value however should be unset, which is expressed as `null`,
which further spurred a change in the environment variable generation to
ignore null values (instead of coercing them to an empty string).
A breaking change note was added to highlight this change. A check that
warns users of the not-application of their existing config file is
not easily possible, as people could have only added or changed the
config.ini.php file on the file system without changing a nix variable.
allowing multiple definitions of that option to be merged, because:
- their order should be irrelevant
- it might make sense to declare multiples of them at different locations
dnsmasq dhcp-leasefile defaults to /var/lib/dnsmasq/dnsmasq.leases, so
use that as the default for the exporter too. Curiously, the example was
using the working path, so this patch simply swaps "example" and
"default" values.
This will fix the conflict when another DE using the full `xdg-desktop-portal-gtk` is enabled simultaneously with GNOME.
There will not be conflicts at runtime since the portals have been configured by `gnome-session` in `xdg.portal.configPackages` for a while now.
There will be minimal effect on system closure as all the extra x-d-p dependencies are also used by GNOME platform.
This will fix the conflict when another DE using the full `xdg-desktop-portal-gtk` is enabled simultaneously with Deepin.
Currently, our Deepin uses `gtk` as the preferred default implementation for all portals so presumably the duplicate portals should not have been disabled anyway.
The added closure size should be negligible, as most of the packages are probably also used by Deepin transitively.
This will fix the conflict when another DE using the full `xdg-desktop-portal-gtk` is enabled simultaneously with Cinnamon.
There will no longer be conflicts at runtime since the portals are now configured by `cinnamon-common` in `xdg.portal.configPackages`.
The added closure size should be negligible, as most of the packages are also used by Cinnamon.
I have no idea what this escape sequence even is, but it breaks the nix parser with cryptic errors if not used in a comment.
A friend let me know MacOS is prone to input weird spaces, not sure if that is the source.
Candidates were located and created with:
chr="$(echo -e '\xc2\xa0')"; rg -F "$chr" -l | xe sd -F "$chr" " "
There are some examples left, most being example output from `tree` in various markdown documents, some patches which we can't really touch, and `pkgs/tools/nix/nixos-render-docs/src/tests/test_commonmark.py` which I'm not sure if should be addressed
In order to not expose Redmine over all interfaces, allow configuring an
IP address it should bind to. Listen to 0.0.0.0 by default.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
This only ever worked for the session, not for the greeter. Writing the information out to a file should be more consistent.
To make sure that this works, and continues working, for the greeter & session, also add a new VM test.
The majority of users these days will install NixOS on SSD/NVME based
storage. Enabling fstrim ensures that the TRIM operation on this type of
storage is run at least once a week. This will improve performance and
life time of said devices. This also works in virtual machines as
formats such as qcow2 or vmdk support TRIM.
Ubuntu has a similar systemd timer also for quite a while enabled by
default.
Enabling this service will not increase the dependency closure as
util-linux is already part of the base system.
In case only filesystems that are not supported by fstrim are used, the
overhead is negelible as fstrim run in less than a second once a week.
The previous hardening change restricted the unit too much, breaking
legitimate functionality of logrotate.
Unfortunately this was not covered by our NixOS test.
Also, all URLs in package and module comments are updated.
At the time of this writing, the "Update History" page
(release notes) for tsm-client >=8.1.19 does not list any
"APARs" ("Authorized Program Analysis Reports") for 8.1.24.0.
Running the migrations in a systemd execStartPre was a mistake. The
migrations can be pretty long to run and easily time-out.
Moving this to a proper oneshot service solves this issue and makes
this fits better the systemd execution model. We can now easily filter
the migrations logs.
These can be either an integer or a range.
Range options are necessary for `FREE_LIMIT` to take effect when used in
conjunction with `TIMELINE_LIMIT_*`.
It is currently tied to `services.avahi.enable` which might not be
desirable.
With this change it is possible to disable the service with
`services.printing.browsed.enable = false`
Factor out part of the provisioning script into a
wait-until-service-is-ready script, and put it unconditionally in
front of ExecStartPost=, so that services that depend on influxdb2 are
not started until influxdb2 responds to requests.
Fixes https://github.com/NixOS/nixpkgs/issues/317017 ("Scrutiny tries to start before influxdb has started")
The package has been updated to 0.4 which will result in an auto-migration of the config. This updates our config to match the new expected format. Assertions have been added to warn users that they need to migrate their configuration.
In preparation for the deprecation of `stdenv.isX`.
These shorthands are not conducive to cross-compilation because they
hide the platforms.
Darwin might get cross-compilation for which the continued usage of `stdenv.isDarwin` will get in the way
One example of why this is bad and especially affects compiler packages
https://www.github.com/NixOS/nixpkgs/pull/343059
There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.
```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
This will ensure that all requirements are met when the
nvidia-container-toolkit is enabled in order to generate the CDI specs
for the machine.
Also, if `config.virtualisation.docker.rootless.enable` is true,
automatically enable the CDI feature if the Docker version > 25 for
the rootless installation.
I'm maintaining the associated packages. So it makes sense to add myself
to their modules as well.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
The 1.x iteration of globalprotect-openconnect is no longer being
developed. Remove related components from nixpkgs.
Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>
smartctl_exporter already runs with SupplementaryGroups "disk", which
gives full access to SATA drives, but NVMe devices are owned by
root:root, resulting in no access:
[...] msg="Smartctl open device: /dev/nvme0 failed: Permission denied"
This patch introduces a "smartctl-exporter-access" supplementary
group, and an udev rule with setfacl to give the exporter access to NVMe
drives, without changing the base root:root ownership.
Fixes https://github.com/NixOS/nixpkgs/issues/210041
Only restart `systemd-udevd.service` if udev rules in `/etc/udev/rules`
actually changed. The paths of `services.udev.packages` may change
frequently but the resulting udev rules built by `udevRulesFor`
likely change less often.
This has the added benefit of not adding `services.udev.packages` to
the system closure if they are only used for their udev rules
(issue #308937).
This reverts commit 89eb93dc3f.
It broken setups where /etc/wpa_supplicant.conf is configured
imperatively and reloading of the service on configuration changes.
We mistakenly used a non-existing nginx variable for the X-Forwarded-Proto causing
the well-known redirect to return erroneous Location headers like:
Location: ://dav.example/dav
instead of the correct:
Location: https://dav.example/dav
Follow up to #342584.
Similarly to that PR, it is surprising that software which was installed by the user isn't available to a script run over ssm by default.
When executing commands with ssm, users will now have more predictable access to baked-in software instead of an extremely bare-minimum set currently there.
