path: root/nixos/tests
Commit message  (Author, Date)
* nixos/network-interfaces: stop wrapping ping with cap_net_raw  (Lin Jian, 2023-09-21)
  From systemd 243 release note[1]:

    This release enables unprivileged programs (i.e. requiring neither setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests by turning on the "net.ipv4.ping_group_range" sysctl of the Linux kernel for the whole UNIX group range, i.e. all processes.

  So this wrapper is not needed any more. See also [2] and [3].

  This patch also removes:
  - apparmor profiles in NixOS for ping itself and the wrapped one
  - other references for the wrapped ping

  [1]: https://github.com/systemd/systemd/blob/8e2d9d40b33bc8e8f5d3479fb075d3fab32a4184/NEWS#L6457-L6464
  [2]: https://github.com/systemd/systemd/pull/13141
  [3]: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
* linux/hardened/patches/6.5: init at 6.5.3-hardened1  (Fabián Heredia Montiel, 2023-09-19)
* Merge pull request #241973 from 999eagle/feat/synapse-workers  (Maximilian Bosch, 2023-09-18)
  nixos/synapse: add support for workers, cleanup
* nixos/synapse: move services.matrix-synapse.workers.config to services.matrix-synapse.workers  (Sophie Tauchert, 2023-09-18)
* nixos/synapse: document options better  (Sophie Tauchert, 2023-09-18)
  Co-authored-by: Daniel Olsen <daniel.olsen99@gmail.com>
* nixos/synapse: add test for running synapse with workers  (Sophie Tauchert, 2023-09-18)
  Co-authored-by: Daniel Olsen <daniel.olsen99@gmail.com>
* nixosTests.docker-tools: bump diskSize from 2048 -> 3072  (Robert Scott, 2023-09-17)
* nixos/frp: add test and link to package  (zaldnoay, 2023-09-17)
* nixos/zfs: fix tests on zfsUnstable  (Jörg Thalheim, 2023-09-17)
* Merge pull request #250735 from TheNeikos/fix/discourse  (Pol Dellaiera, 2023-09-14)
  discourse: update 3.1.0.beta4 -> 3.1.0
* nixosTests.discourse: Do not use deprecated field  (Marcel Müller, 2023-09-13)
* Merge pull request #254512 from rnhmjoj/pr-anbox  (Michele Guerini Rocco, 2023-09-14)
  anbox: always use postmarket OS images
* anbox: always use postmarket OS images  (rnhmjoj, 2023-09-11)
* nixos/tests/shadow: test hashedPasswordFile  (rnhmjoj, 2023-09-13)
* Merge pull request #254181 from StillerHarpo/adguardhome  (Fabián Heredia Montiel, 2023-09-12)
  nixos/adguardhome: Fix openFirewall
* nixos/adguardhome: Fix openFirewall  (Florian Engel, 2023-09-09)
  When not setting `settings` and setting `openFirewall = true`, evaluation would fail because it tries to access `settings.bind_port` while `settings == null`.
* Merge pull request #248310 from emilylange/nixos/gitea-forgejo-split  (Herwig Hochleitner, 2023-09-12)
  nixos/forgejo: fork from nixos/gitea (split)

  close https://github.com/NixOS/nixpkgs/issues/244866
* nixosTests.forgejo: fork from nixosTests.gitea  (emilylange, 2023-08-06)
* noto-fonts-emoji → noto-fonts-color-emoji  (nicoo, 2023-09-12)
  Clarify that the monochrome font is not included, per #221181.

  The new name is also coherent with the name of the font, according to `fontconfig`: Noto Color Emoji.
* Merge pull request #254324 from marsam/update-postgis  (Mario Rodas, 2023-09-12)
  postgresqlPackages.postgis: 3.3.3 -> 3.4.0
* postgresqlPackages.postgis: 3.3.3 -> 3.4.0  (Mario Rodas, 2023-09-08)
  Changelog: https://git.osgeo.org/gitea/postgis/postgis/raw/tag/3.4.0/NEWS
* nixos/acme: rename option credentialsFile to environmentFile  (datafoo, 2023-09-11)
* nixos/swraid: fix regression for old initrd and add test coverage  (Christian Theune, 2023-09-10)
* nixos/swraid: fix monitor service  (Christian Theune, 2023-09-10)
* Merge pull request #251770 from robryk/suidwrapapparm  (Pierre Bourdon, 2023-09-10)
  nixos/security/wrappers: simplifications and a fix for #98863 (respin of #199599)
* nixos/security/wrappers: add one regression test for #98863  (Robert Obryk, 2023-08-27)
  Note that this regression test checks only s[gu]id wrappers. The issue for capability wrappers is not fixed yet.
* nixos/security/wrappers: stop using `.real` files  (Robert Obryk, 2023-08-27)
  Before this change it was crucial that nonprivileged users are unable to create hardlinks to SUID wrappers, lest they be able to provide a different `.real` file alongside. That was ensured by not providing a location writable to them in the /run/wrappers tmpfs, (unless disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit own-path check in the wrapper. After this change, ensuring that property is no longer important, and the check is most likely redundant.

  The simplification of expectations of the wrapper will make it easier to remove some of the assertions in the wrapper (which currently cause the wrapper to fail in no_new_privs environments, instead of executing the target with non-elevated privileges).

  Note that wrappers had to be copied (not symlinked) into /run/wrappers due to the SUID/capability bits, and they couldn't be hard/softlinks of each other due to those bits potentially differing. Thus, this change doesn't increase the amount of memory used by /run/wrappers.

  This change removes part of the test that is obsoleted by the removal of `.real` files.
* nixos/tests/wrappers: test apparmor configuration  (Robert Obryk, 2023-08-27)
  Wrappers generate pieces of apparmor policies for inclusion, which are used only in a single place in nixpkgs, for `ping`. They are built only if apparmor is enabled.

  This change causes the test to test:
  - that the apparmor includes can be generated,
  - that `ping` works with apparmor enabled (as the only policy that references these includes).

  Ideally there would be some other NixOS test that verifies that `ping` specifically works. Sadly, there isn't one.
* security/acme: limit concurrent certificate generations  (Oliver Schmidt, 2023-09-09)
  fixes #232505

  Implements the new option `security.acme.maxConcurrentRenewals` to limit the number of certificate generation (or renewal) jobs that can run in parallel. This avoids overloading the system resources with many certificates or running into acme registry rate limits and network timeouts.

  Architecture considerations:
  - simplicity, lightweight: Concerns have been voiced about making this already rather complex module even more convoluted. Additionally, locking solutions shall not significantly increase performance and footprint of individual job runs. To accommodate these concerns, this solution is implemented purely in Nix, bash, and using the light-weight `flock` util. To reduce complexity, jobs are already assigned their lockfile slot at system build time instead of dynamic locking and retrying. This comes at the cost of not always maxing out the permitted concurrency at runtime.
  - no stale locks: Limiting concurrency via a locking mechanism is usually approached with semaphores. Unfortunately, both SysV as well as POSIX-Semaphores are *not* released when the process currently locking them is SIGKILLed. This poses the danger of stale locks staying around and certificate renewal being blocked from running altogether. `flock` locks though are released when the process holding the file descriptor of the lock file is KILLed or terminated.
  - lockfile generation: Lock files could either be created at build time in the Nix store or at script runtime in an idempotent manner. While the latter would be simpler to achieve, we might exceed the number of permitted concurrent runs during a system switch: Already running jobs are still locked on the existing lock files, while jobs started after the system switch will acquire locks on freshly created files, not being blocked by the still running services. For this reason, locks are generated and managed at runtime in the shared state directory `/var/lib/locks/`.

  nixos/security/acme: move locks to /run
  also, move over permission and directory management to systemd-tmpfiles

  nixos/security/acme: fix some linter remarks in my code
  there are some remarks left for existing code, not touching that

  nixos/security/acme: redesign script locking flow
  - get rid of subshell
  - provide function for wrapping scripts in a locked environment

  nixos/acme: improve visibility of blocking on locks

  nixos/acme: add smoke test for concurrency limitation
  heavily inspired by m1cr0man

  nixos/acme: release notes entry on new concurrency limits

  nixos/acme: cleanup, clarifications
* Merge pull request #253739 from mweinelt/firefox-102-removal  (ajs124, 2023-09-09)
  firefox-esr-102-unwrapped: remove
* firefox-esr-102-unwrapped: remove  (Martin Weinelt, 2023-09-07)
  The Firefox ESR 102.0 series has reached its end of life.

  Removes package and test and references to them.
* Merge pull request #251062 from ajs124/restic-wrapper-script  (Janik, 2023-09-09)
* nixos/restic: add wrapper scripts that set parameters for backup  (ajs124, 2023-08-28)
  and use in test
* nixosTests.sudo: use same maintainers as the package  (Pierre Bourdon, 2023-09-08)
* mobilizon: init at 3.1.3  (Kerstin Humm, 2023-09-07)
  Co-Authored-By: Minijackson <minijackson@riseup.net>
  Co-Authored-By: summersamara <summersamara@proton.me>
* Merge pull request #251987 from illdefined/akkoma  (Weijia Wang, 2023-09-06)
  akkoma: 3.9.3 → 3.10.4
* nixos/tests/akkoma: Disable retrieving timeline  (Mikael Voss, 2023-09-05)
* Merge pull request #252978 from oluceps/dae-upup  (Weijia Wang, 2023-09-05)
  dae,nixos/dae: 0.2.4 -> 0.3.0
* nixos/dae: add basic test  (oluceps, 2023-09-03)
* Merge pull request #253146 from rnhmjoj/pr-anbox  (Michele Guerini Rocco, 2023-09-05)
  anbox: unbreak
* nixos/tests/anbox: init  (Matt Votava, 2023-09-05)
* nixos/tests/lxd: disable virtual-machine test on aarch64  (Adam Stephens, 2023-09-05)
* nixos/lxd: add preseed option  (Adam Stephens, 2023-09-05)
* nixos/tests/jool: update for module changes  (rnhmjoj, 2023-09-04)
* Merge pull request #253259 from mweinelt/custom-ca-firefox-memlimit  (Martin Weinelt, 2023-09-04)
  nixosTests.custom-ca: resolve out of memory situations
* nixosTests.custom-ca: resolve out of memory situations  (Martin Weinelt, 2023-09-04)
  They are easily observable on hydra. E.g. on the latest eval:

  https://hydra.nixos.org/build/233893887
  https://hydra.nixos.org/build/233900101
* Merge pull request #244093 from adamcstephens/lxd/vm  (Mario Rodas, 2023-09-03)
  lxd: Add VM image and server support for QEMU VMs
* nixos/lxd: add virtual-machine support, image and module  (Adam Stephens, 2023-09-03)
* nixos/stalwart-mail: add vm test  (pacien, 2023-09-03)
* Merge pull request #251684 from jmbaur/user-activation-tmpfiles  (Florian Klink, 2023-09-01)
  nixos/systemd-user: call systemd-tmpfiles during activation