Commit Graph

13581 Commits

Author SHA1 Message Date
github-actions[bot]
cfe78489c9
Merge master into staging-next 2022-07-19 12:01:43 +00:00
Sandro
bca69a4037
Merge pull request #181867 from newAM/github-runner
nixos/github-runner: fix systemd defaults for common workflows
2022-07-19 12:56:17 +02:00
Euan Kemp
f158ac45ef nixos/k3s: use default cgroup-driver again
Setting `cgroup-driver=systemd` was originally necessary to match with
docker, else the kubelet would not start (#111835)

However, since then, docker support has been dropped from k3s (#177790).
As such, this option is much less necessary.

More importantly, it now seems to be actively causing issues. Due to an
upstream k3s bug, it's resulting in the kubelet and containerd having
different cgroup drivers, which seems to result in some difficult to
debug failure modes.

See
https://github.com/NixOS/nixpkgs/issues/181790#issuecomment-1188840862
for a description of this problem.

Removing this flag entirely seems reasonable to me, and it results in
k3s working again on my machine.
2022-07-19 02:52:12 -07:00
Wei Tang
b0a0087d53
nixos/flannel: upgrade to etcdv3 (#180315) 2022-07-19 16:09:42 +10:00
github-actions[bot]
305e8cb7b8
Merge master into staging-next 2022-07-19 06:03:02 +00:00
Wout Mertens
3ee8d4c909
netdata module: fix ExecStartPost (#181976) 2022-07-19 06:19:18 +02:00
github-actions[bot]
d64d75f2f3
Merge master into staging-next 2022-07-19 00:02:21 +00:00
Joachim F
0640ef2ccc
Merge pull request #180231 from dfithian/heartbeat
heartbeat service: specify package
2022-07-18 20:56:08 +02:00
Dan Fithian
49a5377557 heartbeat service: specify package
Other elastic services can specify the package. Now we can also do it for heartbeat.
2022-07-18 14:39:22 -04:00
github-actions[bot]
83702a6ef7
Merge master into staging-next 2022-07-18 18:01:14 +00:00
oaksoaj
fc9e22fca1 yggdrasil: add group option back and remove systemd User= directive
The group configuration parameter allow to share access to yggdrasil
control socket with the users in the system. In the version we propose,
it is null by default so that only root can access the control socket,
but let user create their own group if they need.

Remove User= durective in systemd unit. Should a user with the specified
name already exist in the system, it would be used silently instead of a
dynamic user which could be a security concern.
2022-07-18 12:56:59 -05:00
oaksoaj
080774e28f yggdrasil: reenable DynamicUser
Since version 0.4 Yggdrasil works again using systemd's DynamicUser option.
This patch reenables it to improve security.

We tested this with both persistent and non-persistent keys. Everything
seems to work fine.
2022-07-18 12:56:59 -05:00
Maximilian Bosch
179688c7c8
Merge pull request #181377 from mayflower/mxisd-secrets
nixos/mxisd: allow passing secrets
2022-07-18 15:10:49 +02:00
Maximilian Bosch
8b72dae17b
Merge pull request #181528 from Ma27/privacyidea-ldap-proxy-secrets
nixos/privacyidea: better secret-handling ldap-proxy & RFC42-style settings for ldap-proxy
2022-07-18 14:19:47 +02:00
github-actions[bot]
71fe747e70
Merge master into staging-next 2022-07-18 12:01:55 +00:00
Maximilian Bosch
949c334ea9
nixos/privacyidea-ldap-proxy: use list for EnvironmentFile for mergeability 2022-07-18 13:58:08 +02:00
Maximilian Bosch
dab3ae9d8b
Merge pull request #181715 from mayflower/jira-secret-opts
nixos/atlassian-jira: allow to store SSO password for crowd outside of the Nix store
2022-07-18 13:53:42 +02:00
Jörg Thalheim
9a020f31aa
Merge pull request #175439 from Mic92/jellyfin
nixos/jellyfin: better defaults for hardware acceleration
2022-07-18 12:51:54 +01:00
Maximilian Bosch
c2c82fbe43
nixos/mxisd: use a list for env file for mergeability 2022-07-18 13:47:09 +02:00
Vladimír Čunát
250922fd1e
Merge branch 'master' into staging-next 2022-07-18 08:29:53 +02:00
Alex Martens
c34749dd63 nixos/github-runner: fix systemd defaults for common workflows 2022-07-17 22:02:57 -07:00
Sandro
0890c4aef1
Merge pull request #168879 from aidalgol/pass-secret-service-systemd-unit 2022-07-17 16:45:27 +02:00
Bjørn Forsman
0080a93cdf nixos/jenkins-job-builder: create secret file with umask 0077
IOW, don't make it world readable.
2022-07-17 15:24:48 +02:00
Vladimír Čunát
0879ac5da6
Merge branch 'master' into staging-next 2022-07-16 20:07:05 +02:00
Maximilian Bosch
4adf26f018
nixos/privacyidea-ldap-proxy: always run envsubst
Otherwise the file doesn't exist at the expected location.
2022-07-16 14:00:46 +02:00
Kim Lindberger
d012de5b1d
Merge pull request #181401 from yayayayaka/gitlab-bump-git-to-2.35.4
nixos/gitlab: Bump git to 2.35.4
2022-07-16 13:37:16 +02:00
Maximilian Bosch
765cc35042
nixos/atlassian-jira: allow to store SSO password for crowd outside of the Nix store
The option `services.jira.sso.applicationPassword` has been replaced by
`applicationPasswordFile` that needs to be readable by the `jira`-user
or group.

The new `crowd.properties` is created on startup in `~jira` and the
secret is injected into it using `replace-secret`.
2022-07-16 13:01:29 +02:00
Bjørn Forsman
50eaf82b6f nixos/jenkins-job-builder: fix jenkins authentication
The current authentication code is broken against newer jenkins:

  jenkins-job-builder-start[1257]: Asking Jenkins to reload config
  jenkins-start[789]: 2022-07-12 14:34:31.148+0000 [id=17]        WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 31e96e52938b51f099a61df9505a4427cb9dca7e35192216755659032a4151df. If you are calling this URL with a script, please use the API Token instead. More information: https://www.jenkins.io/redirect/crumb-cannot-be-used-for-script
  jenkins-start[789]: 2022-07-12 14:34:31.160+0000 [id=17]        WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /reload by admin. Returning 403.
  jenkins-job-builder-start[1357]: curl: (22) The requested URL returned error: 403

Fix it by using `jenkins-cli` instead of messing with `curl`.

This rewrite also prevents leaking the password in process listings. (We
could probably do it without `replace-secret`, assuming `printf` is a
shell built-in, but this implementation should be safe even with shells
not having a built-in `printf`.)

Ref https://github.com/NixOS/nixpkgs/issues/156400.
2022-07-16 12:30:41 +02:00
github-actions[bot]
fa96a4fa79
Merge master into staging-next 2022-07-16 00:02:26 +00:00
Sandro
2d0f98389f
Merge pull request #175738 from SuperSamus/plasma 2022-07-16 00:56:08 +02:00
Aaron Andersen
9b01242132
Merge pull request #131261 from bb2020/dlna
nixos/minidlna: convert to structural settings
2022-07-15 21:28:19 +02:00
github-actions[bot]
9f53d5cc15
Merge master into staging-next 2022-07-15 18:01:23 +00:00
Sandro
8e45a79ab1
Merge pull request #181579 from NixOS/netdata-module-startpost
netdata: fix post start for module
2022-07-15 16:20:55 +02:00
Sandro
475b23340b
Merge pull request #181410 from lilyinstarlight/fix/greetd-default-user
nixos/greetd: fix minor typo for default user
2022-07-15 16:12:09 +02:00
github-actions[bot]
a4622e8226
Merge master into staging-next 2022-07-15 12:01:15 +00:00
Wout Mertens
7f55ee3a53
netdata: fix post start for module 2022-07-15 09:57:13 +02:00
zowoq
e2659eea36 nixos/kubernetes: use copyToRoot instead of deprecated contents 2022-07-15 10:23:06 +10:00
Maximilian Bosch
bccaac9535
nixos/privacyidea: better secret-handling ldap-proxy & RFC42-style settings for ldap-proxy
Instead of hard-coding a single `configFile` for
`privacyidea-ldap-proxy.service` which is pretty unmergable with other
declarations it now uses a RFC42-like approach. Also to make sure that
secrets can be handled properly without ending up in the Nix store, it's
possible to inject secrets via envsubst

    {
      services.privacyidea.ldap-proxy = {
        enable = true;
        environmentFile = "/run/secrets/ldap-pw";
        settings = {
          privacyidea.instance = "privacyidea.example.org";
          service-account = {
            dn = "uid=readonly,ou=serviceaccounts,dc=example,dc=org";
            password = "$LDAP_PW";
          };
        };
      };
    }

and the following secret file (at `/run/secrets`):

    LDAP_PW=<super-secret ldap pw>

For backwards-compat the old `configFile`-option is kept, but it throws
a deprecation warning and is mutually exclusive with the
`settings`-attrset. Also, it doesn't support secrets injection with
`envsubst` & `environmentFile`.
2022-07-14 23:51:17 +02:00
github-actions[bot]
1a74c5d703
Merge master into staging-next 2022-07-14 18:01:27 +00:00
github-actions[bot]
e0608ddfd9
Merge master into haskell-updates 2022-07-14 00:15:36 +00:00
Lily Foster
6f5c1bcf7b nixos/greetd: fix minor typo for default user
It has been like this since the module was added, but it hasn't caused
problems because greetd assumes a default user of "greeter"[1] when it
isn't found anyway

[1]: d700309623/item/greetd/src/config/mod.rs (L127)
2022-07-13 18:11:16 -04:00
M. A
61e3490c1c nixos/gitlab: Bump git to 2.35.4
Resolves CVE-2022-29187
2022-07-13 21:03:46 +00:00
github-actions[bot]
00ec8bc8d3
Merge master into staging-next 2022-07-13 18:01:28 +00:00
Maximilian Bosch
d54d70f166
nixos/mxisd: allow passing secrets
Suppose you want to provide a LDAP-based directory search to your
homeserver via a service-user with a bind-password. To make sure that
this doesn't end up in the Nix store, it's now possible to set a
substitute for the bindPassword like

    services.mxisd.extraConfig.ldap.connection = {
      # host, bindDn etc.
      bindPassword = "$LDAP_BIND_PW";
    };

and write the actual secret into an environment file that's readable for
`mxisd.service` containing

    LDAP_BIND_PW=<your secret bind pw>

and the following setting in the Nix expression:

    services.mxisd.environmentFile = "/runs/ecrets/mxisd";

(cherry picked from commit aa25ce7aa1a89618e4257fd46c7d20879f54c728)
2022-07-13 19:19:17 +02:00
Domen Kožar
c46a3dc50a cachix-agent: allow restarts now that deployments are subprocesses 2022-07-13 11:40:54 -05:00
Sandro
a959a2cd26
Merge pull request #180992 from romildo/new.xdg.portal.lxqt 2022-07-13 14:15:09 +02:00
Vladimír Čunát
8169a7fce0
Merge branch 'master' into staging-next 2022-07-13 09:57:41 +02:00
José Romildo
7e30ebb2c2 nixos/lxqt: add a module for the lxqt portal 2022-07-12 17:17:39 -03:00
Sandro
78fff7ed35
Merge pull request #181197 from bjornfor/fix-ddclient-password-leak 2022-07-12 15:13:43 +02:00
github-actions[bot]
446763e8e1
Merge master into staging-next 2022-07-12 12:01:18 +00:00