nixos/initrd-ssh: switch from Dropbear to OpenSSH
Dropbear lags behind OpenSSH significantly in both support for modern
key formats like `ssh-ed25519`, let alone the recently-introduced
U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched
my `authorizedKeys` over to it and promptly locked myself out of my
server's initrd SSH, breaking reboots), as well as security features
like multiprocess isolation. Using the same SSH daemon for stage-1 and
the main system ensures key formats will always remain compatible, as
well as more conveniently allowing the sharing of configuration and
host keys.
The main reason to use Dropbear over OpenSSH would be initrd space
concerns, but NixOS initrds are already large (17 MiB currently on my
server), and the size difference between the two isn't huge (the test's
initrd goes from 9.7 MiB to 12 MiB with this change). If the size is
still a problem, then it would be easy to shrink sshd down to a few
hundred kilobytes by using an initrd-specific build that uses musl and
disables things like Kerberos support.
This passes the test and works on my server, but more rigorous testing
and review from people who use initrd SSH would be appreciated!
nixos/quorum: init
While our ETag patch works pretty fine if it comes to serving data off
store paths, it unfortunately broke something that might be a bit more
common, namely when using regexes to extract path components of
location directives for example.
Recently, @devhell has reported a bug with a nginx location directive
like this:
    location ~ "^/\~([a-z0-9_]+)(/.*)?$" {
        alias /home/$1/public_html$2;
    }
While this might look harmless at first glance, it does however cause
issues with our ETag patch. The alias directive gets broken up by nginx
like this:
*2 http script copy: "/home/"
*2 http script capture: "foo"
*2 http script copy: "/public_html/"
*2 http script capture: "bar.txt"
In our patch however, we use realpath(3) to get the canonicalised path
from ngx_http_core_loc_conf_s.root, which returns the *configured* value
from the root or alias directive. So in the example above, realpath(3)
boils down to the following syscalls:
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory)
During my review[1] of the initial patch, I didn't actually notice that
what we're doing here is returning NGX_ERROR if the realpath(3) call
fails, which in turn causes an HTTP 500 error.
Since our patch actually made the canonicalisation (and thus additional
syscalls) necessary, we really shouldn't introduce an additional error
so let's - at least for now - silently skip return value if realpath(3)
has failed.
However since we're using the unaltered root from the config we have
another issue, consider this root:
/nix/store/...-abcde/$1
Calling realpath(3) on this path will fail (except if there's a file
called "$1" of course), so even this fix is not enough because it
results in the ETag not being set to the store path hash.
While this is very ugly and we should fix this very soon, it's not as
serious as getting HTTP 500 errors for serving static files.
I added a small NixOS VM test, which uses the example above as a
regression test.
It seems that my memory is failing these days, since apparently I *knew*
about this issue since digging for existing issues in nixpkgs, I found
this similar pull request which I even reviewed:
https://github.com/NixOS/nixpkgs/pull/66532
However, since the comments weren't addressed and the author hasn't
responded to the pull request, I decided to keep this very commit and do
a follow-up pull request.
[1]: https://github.com/NixOS/nixpkgs/pull/48337
Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @devhell
Acked-by: @7c6f434c
Acked-by: @yorickvP
Merges: https://github.com/NixOS/nixpkgs/pull/80671
Fixes: https://github.com/NixOS/nixpkgs/pull/66532
perl-based VM tests are deprecated.
Now has tests for 3.4, 3.6, 4.0. Has some duplication, but it appears to
work on my machine.
nixos gerrit module
Co-authored-by: edef <edef@edef.eu>
Co-authored-by: Florian Klink <flokli@flokli.de>
The nixos-manual service was removed in #83199 but we missed the check
in this test which prevents the "tested" job from succeeding [0][1].
[0]: https://hydra.nixos.org/build/115472896
[1]: https://hydra.nixos.org/build/115472896/nixlog/94/tail
nixos/mysql: fix service so it works with mysql80 package
systemd-networkd
This mirrors the behaviour of systemd - It's udev that parses `.link`
files, not `systemd-networkd`.
This was originally applied in 36ef112a477034fc6d1d9170bf1bcda0140a8d1d,
but was reverted due to 1115959a8d4d73ad73341563dc8bbf52230a281e causing
evaluation errors on hydra.
Iodine: ipv6 support, updates, hardening, nixos test....
https://github.com/matrix-org/synapse/releases/tag/v1.10.0
https://github.com/matrix-org/synapse/releases/tag/v1.10.1
https://github.com/matrix-org/synapse/releases/tag/v1.11.0
https://github.com/matrix-org/synapse/releases/tag/v1.11.1
...even when networkd is disabled
This reverts commit ce78f3ac701017008aa7f1db387b871b7ae65e01, reversing
changes made to dc34da0755b3c36469965659c0ee4a1337e81c05.
I'm sorry; Hydra has been unable to evaluate, always returning
> error: unexpected EOF reading a line
and I've been unable to reproduce the problem locally. Bisecting
pointed to this merge, but I still can't see what exactly was wrong.
nixos/activation: propagate system to nested configurations
nixos/systemd: apply .link even when networkd is disabled
systemd-networkd
This mirrors the behaviour of systemd - It's udev that parses `.link`
files, not `systemd-networkd`.
tests: Fix signal-desktop
This test fails due to OOM on the VM. Setting the memory of the VM to
1024 lets the test succeed.
Cc: @flokli
tests/kubernetes: remove unreferenced variable and import from nonexistent file
buildLayeredImage: Allow empty store, no paths to add
This is useful when buildLayeredImage is called in a generic way
that should allow simple (base) images to be built, which may not
reference any store paths.
Before this, the test failed because rspamd did invoke the oom-killer.
- Fix misspelled option. mkRenamedOptionModule is not used because the
option hasn't really worked before.
- Add missing cfg.telemetryPath arg to ExecStart.
- Fix mkdir invocation in test.
nixos/networkd: add RoutingPolicyRules-related options
nixos/cage: init
Add a cage module to nixos. This can be used to make kiosk-style
systems that boot directly to a single application. The user (demo by
default) is automatically logged in by this service and the
program (xterm by default) is automatically started.
This is useful for some embedded, single-user systems where we want
automatic booting. To keep the system secure, the user should have
limited privileges.
Based on the service provided in the Cage wiki here:
https://github.com/Hjdskes/cage/wiki/Starting-Cage-on-boot-with-systemd
Co-Authored-By: Florian Klink <flokli@flokli.de>
nixos/service-runner.nix: Allow quotes in commands + test
nixos/tests/opensmtpd: bump test (&build) timeout to 30m from 30s
I am not sure how this ever passed on hydra but 30s is barely enough to
pass the configure phase of opensmtpd. It is likely the package was
built as part of another jobset. Whenever it is built as part of the
test execution the timeout propagates and 30s is clearly not enough for
that.
nixosTests.rsyslogd: Port to python
* prometheus-nginx-exporter: 0.5.0 -> 0.6.0
* nixos/prometheus-nginx-exporter: update for 0.6.0
Added new option constLabels and updated virtualHost name in the
exporter's test.
nixos/stage-1: fix predictable interface names in initrd
Depending on the network management backend being used, if the interface
configuration in stage 1 is not cleared, there might still be some old
addresses or routes from stage 1 present in stage 2 after network
configuration has finished.
This makes predictable interface names available as soon as possible
with udev by adding the default network link units to initrd, which are read
by udev. Also adds some udev rules that are needed but which would normally
be loaded from the udev store path, which is not included in the initrd.
nixos/git-daemon: only create git user if it will be used