| Commit message | Author | Age |

oauth2_proxy: 3.2.0 -> 5.1.0
Update to match the current flags and apply fixes to all breaking changes.
This was introduced in https://github.com/NixOS/nixpkgs/commit/c801cd1a047efa51055fd04698e316ddd503fd1b
but it no longer seems necessary.
After the recent rewrite, enabled extensions are passed to php programs
through an extra ini file by a wrapper. Since httpd uses a shared module
instead of a program, the wrapper did not affect it and no extensions
other than built-ins were loaded.
To fix this, we are passing the extension config another way – by adding it
to the service's generated config.
For now we are hardcoding the path to the ini file. It would be nice to add
the path to the passthru and use that once the PHP expression settles down.
installation-cd-graphical-gnome: don't run xorg default
If for some reason the Wayland session fails to start
it will just start the Xorg session.
nixos/virtualisation.podman: Init module
module
What's happening now is that both cri-o and podman are creating
/etc/containers/policy.json.
By splitting out the creation of configuration files we can make the
podman module leaner & compose better with other container software.
In anticipation of the new containers module.
nixos/tailscale: set a CacheDir in the systemd unit.
Fixes a bug where tailscaled drops some files into / when CacheDir
is unset.
Signed-off-by: David Anderson <dave@natulte.net>
nixos/phpfpm: fix erroneous pools example
journald service: Increase default rate limit 1000 -> 10000.
Follows the upstream change of this default:
https://github.com/systemd/systemd/pull/8660
nixos/tools: adapt for renamed console options
Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.
nixos/dokuwiki: add support for multi-site, additional plugins and templates
`aclFile` and `usersFile` will be set to a default value if `aclUse` is
specified and aclFile is not overridden by `acl`.
Use types.str instead of types.path to exclude private information from
the derivation.
Add a warning about the contents of acl being included in the nix
store.
If usersFile is not set, a file is created along the stateDir that can
hold the users and supports dynamically adding users using the web GUI.
Adds support for additional plugins and templates similarly to how
wordpress.nix does it.
Plugins and templates need to be packaged as in the example.
Enables multi-site configurations.
This breaks compatibility with prior configurations that expect options
for a single dokuwiki instance in `services.dokuwiki`.
matthewbauer/use-modulesPath-for-nixos-generate-config
nixos/nixos-generate-config.pl: use modulesPath instead of <nixpkgs>
For imports, it is better to use ‘modulesPath’ than rely on <nixpkgs>
being correctly set. Some users may not have <nixpkgs> set correctly.
In addition, when ‘pure-eval=true’, <nixpkgs> is unset.
libtxc_dxtn{,_s2tc}: remove from nixpkgs + hardware.opengl options
Context: discussion in https://github.com/NixOS/nixpkgs/pull/82630
Mesa has been supporting S3TC natively without requiring these libraries
since the S3TC patent expired in December 2017.
systemd-tmpfiles will load all files in lexicographic order and ignores rules
for the same path in later files with a warning. Since we apply the default rules
provided by systemd, we should load user-defined rules first so users have a
chance to override defaults.
Tuptime: Init Package, Module and Test
nixosTests.cockroachdb: port to python
linux_*_hardened: use linux-hardened patch set
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f058a395502192c4939645df6f52ecb.
This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have led to privilege
escalation vulnerabilities in the past.
We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.
Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:
    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
Upstreamed in anthraxx/linux-hardened@a712392b88b3cbc8385fd97be87a43db2ad7ecf0.
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd532551b048d97b35473c25809f7a0f.