The GIT_PROJECT_ROOT directory is now created at runtime instead of
being assembled at build time.
This fixes ownership issues which prevented those repositories to be
read by users other than root. This also avoids creating symlinks in
the nix store pointing to the outside.
The `openssh` and `openssh_hpn` packages are now built without
the Kerberos support by default in an effort to reduce the attack surface.
The Kerberos support is likely used only by a fraction of the total users
(I'm guessing mainly users integrating SSH in an Active Directory env) so
dropping it should not impact too many users. It should also be noted that
the Kerberos/GSSAPI auth is disabled by default in the configuration.
`opensshWithKerberos` and `openssh_hpnWithKerberos` are added in order
to provide an easy migration path for users needing this support.
The `openssh_gssapi` package is kept untouched.
Without this change, the systemd unit will be marked as ready even though BIND has not finished starting yet.
This causes other units that depend on BIND to start even though BIND is not ready yet.
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900788: "Bind9 will daemonize itself _when it is ready_."
Also modify the NixOS test. With this change, waiting for the unit alone will ensure that BIND is ready to accept queries. I would have expected to see the test failing without this commit but with the `machine.wait_for_open_port(53)` line removed but I found this to not be the case most of the time. This is probably the case because the situation is inherently racy and on my machine BIND happens to start in time most of the time.
# Motivation
So far it was not possible to configure sshd to allow password authentication only for a specific user. This is because in the generated config a `Match User xxx` section would be required before the global `PasswordAuthentication` is defined, as otherwise the global option always takes precedence.
The same problem occurs with multiple other options under `settings`.
# Done
This PR fixes that issue for all settings by simply allowing them to be overridden with `null`, which leads to a removal of that setting from the config.
The user can then correctly configure user specific settings using extraConfig, like this:
```
Match User user1
PasswordAuthentication yes
Match all
PasswordAuthentication no
```
This patch is about removing `wireguardPeerConfig`,
`dhcpServerStaticLeaseConfig` - a.k.a. the
AbstractSingletonProxyFactoryBean of nixpkgs - and friends.
As a former colleague said
> worst abstraction ever
I second that. I've written enough networkd config for NixOS systems so
far to have a strong dislike. In fact, these don't even make sense:
`netdevs.wireguardPeers._.wireguardPeerConfig` will be rendered into
the key `[WireGuardPeer]` and every key from `wireguardPeerConfig` is in
there. Since it's INI, there's no place where sections on the same level
as wireguardPeerConfig fit into. Hence, get rid of it all.
For the transition, using the old way is still allowed, but gives a
warning. I think we could drop this after one release.
The tests of rosenpass and systemd-networkd-dhcpserver-static-leases
were broken on the rev before, hence they were updated, but are still
not building.
Add missing http:// scheme. Without it pixiecore logs this and never
contacts the API server:
[DHCP] Couldn't get bootspec for [REDACTED_MAC_ADDR]: Get "localhost:8080/v1/boot/[REDACTED_MAC_ADDR]": unsupported protocol scheme "localhost"
Motivation: Allow the sshd package to be built differently to the ssh
package (programs.ssh.package). For example, build sshd(1) without
openssl, but built ssh(1) with OpenSSL support.
Set the default to be programs.ssh.package, to preserve compatibility.
Yall won't miss me. The packages I leave orphaned are trivially updated as dependents need the new versions.
But passively endorsing the direction this organization and its leadership is something I can't do.
To those who still have faith in turning this around, you da real MVP 🖖
In the replacement arg of gsub() the & symbol is a special character
that need to be escaped. To avoid this, and further issues due to the
variable name possibly being interpreted as a regex, we do a normal
substring replacement.
This fixes issues #279803.
If allowAuxiliaryImperativeNetworks is enabled, the wpa_supplicant
daemon complains fails to start if /etc/wpa_supplicant.conf does not
exist. As this can be created using wpa_cli (or similar) later, it
shouldn't matter, so let's create an empty one.
This fixes issues #157537, #299466.
It should be curl -L (follow redirects), not curl -l (FTP directory
listing option). I know because it's my mistake.
Fixes: d4b989cafc ("nixos/deconz: delay signalling service readiness until it's actually up")
