| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | | | | | | | | | | | | |
| | | | | | | | | | | | | |
| | | | | | | | | | | | | |
| | | | | | | | | | | | | | |
Follows what amazon images does.
|
| | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | |
| | | | | | | | | | | | | |
| | | | | | | | | | | | | |
| | | | | | | | | | | | | |
| | | | | | | | | | | | | | |
Add image configuration for Oracle Cloud Infrastructure and scripts to
build and upload the image as a Custom Image.
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \
| |_|_|_|_|_|_|_|_|/ / / / /
|/| | | | | | | | | | | | | |
nixos/knot: allow full configuration by nix values
|
| | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | |
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
nixos/typesense: disable MemoryDenyWriteExecute which is needed since 0.25.1
|
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | |
| | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
also adjust default state directory mode to allow typesense group
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
nixos/switch-to-configuration: Mount improvements and a lot more test cases
|
| | | | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
Also adds a huge test for fstab handling
|
| | | | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | | | |
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
nixos/mbpfan: adjust defaults
|
| | | | | | | | | | | | | | | | | | |
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | |
nixos/matrix-synapse: wait for network-online.target
|
| | | |_|_|_|_|_|_|_|_|/ / / / / / /
| |/| | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
While network.target only guarantees that network devices have been
created the `network-online.target` allows delaying service startup
until after a configurable network state has been reached.
This should resolve spurious failures, e.g. when synapse tries to load
the discovery information for its OIDC provider from a remote host.
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | |
nixos/{sudo,-rs}: revert sudo-rs, make own module
|
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | |
As it's now called sudo-rs and also remove breaking changes for sudo
|
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | |
This is just a quick fix based on pname,
as I have no idea how to use slicing in the module
We should instead use slicing to get the package for the host
|
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | |
As the module was renamed, we need to use the new one
|
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | |
Removes 2>/dev/null which re-adds stderr output breaking execute
|
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | |
adds a new sudo-rs module that contains sudo-rs changes removed from sudo module
|
| | | |_|_|_|_|/ / / / / / / / / / /
| |/| | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
#253876)
This reverts the module changes that were added
by the addition of sudo-rs (merge 922926cfbc08f3e4065b51a41ebf613e59888015) from the sudo module.
Individual commits reverted:
* 409d29ca7373 2023-08-31 | [nicoo] nixos/sudo: Split up `configFile` into individual sections
* 454151375d62 2023-09-04 | [nicoo] nixos/sudo: Don't include empty sections
* 8742134c8053 2023-09-04 | [nicoo] nixos/sudo: Only keep SSH_AUTH_SOCK if used for authentication
* f5aadb56bed0 2023-09-07 | [nicoo] nixos/sudo: Refactor option definitions
* 8b9e867ac83f 2023-09-07 | [nicoo] nixos/sudo: Refactor checks for Todd C. Miller's implemetation
* 3a95964fd5ba 2023-09-07 | [nicoo] nixos/sudo: Drop useless `lib.` qualifiers
* b1eab8ca53dc 2023-09-07 | [nicoo] nixos/sudo: Handle `root`'s default rule through `extraRules`
* 717e51a140d6 2023-09-07 | [nicoo] nixos/sudo: Make the default rules' options configurable
* c11da3911787 2023-09-07 | [nicoo] nixos/sudo: Drop the sudoers comment for `extraRules`
* f0107b4f63a7 2023-09-07 | [nicoo] nixos/sudo: Check syntax using the configured package
* 914bf5836974 2023-09-07 | [nicoo] nixos/{sudo, terminfo}: Adjust defaults for compatibility with `sudo-rs`
* f66eb0df3b23 2023-09-07 | [nicoo] nixos/sudo: Only wrap `sudoedit` when using Miller's sudo
* d63eb55e81ad 2023-09-13 | [nicoo] nixos/sudo: Generate `sudo-i` PAM config for interactive use of `sudo-rs`
* d8d0b8019ff3 2023-09-13 | [nicoo] nixos/sudo: Add myself as maintainer (nbraud/nixos/sudo-rs)
|
| | |_|_|_|_|/ / / / / / / / / / /
|/| | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
Co-authored-by: digital <didev@dinid.net>
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| |_|/ / / / / / / / / / / / / /
|/| | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
environment.systemPackages can include any package, which means it can
be a top-level store path that is not a derivation and thus will not
have a name attribute - their name is extracted from the path instead.
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
nixos/plasma5: remove pointless setuid wrappers
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
The module for Plasma 5 contained two pointless setuid wrappers:
* kscreenlocker_greet was introduced when the kscreenlocker package
dropped kcheckpass. However, this was actually replaced by making
proper use of PAM (which finally calls its unix_chkpwd setuid binary).
kscreenlocker_greet itself was never intended to be setuid.
Fortunately, this is not exploitable, because QCoreApplication
immediately aborts if it detects setuid. The wrapper is still
incorrect and pointless, so remove it.
* start_kdeinit can optionally use setuid root or setcap
CAP_SYS_RESOURCE to reduce its OOM killer score. However, with systemd
startup, start_kdeinit does not get used at all. So in this case, the
setuid wrapper is pointless, and so is removed as well. Ideally, the
case where systemd startup is not enabled would use a capability
wrapper instead, but since systemd startup is the default in NixOS and
kinit is deprecated upstream for KF6, I don't bother any more.
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| |_|_|/ / / / / / / / / / / / / /
|/| | | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
This exposes the banner message option in GDM. Some computing
environments have compliance requirements which include displaying a
message to the user before logon.
|
| | | | | | | | | | | | | | | | | | |
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
Co-authored-by: Florian Klink <flokli@flokli.de>
Co-authored-by: Lin Jian <me@linj.tech>
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
firewallBackend
Co-authored-by: Florian Klink <flokli@flokli.de>
Co-authored-by: Lin Jian <me@linj.tech>
|
| | | | | | | | | | | | | | | | | | |
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| |_|_|_|_|_|_|_|_|_|_|_|_|/ / / /
|/| | | | | | | | | | | | | | | | |
nixos/matrix-synapse: refactor assertions for missing listener resources
|
| | | |_|_|_|_|_|/ / / / / / / / /
| |/| | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
While reviewing other changes related to synapse I rediscovered the
`lib.findFirst (...) (lib.last resources)` hack to find a listener
supporting the `client` resource. We decided to keep it that way for now
a while ago to avoid scope-creep on the RFC42 refactoring[1]. I wanted
to take care of that and forgot about it.
Anyways, I'm pretty sure that this is bogus: to register a user, you
need the `client` API and not a random listener which happens to be the
last one in the list. Also, you need something which serves the `client`
API to have the entire synapse<->messenger interaction working (whereas
`federation` is for synapse<->synapse).
So I decided to error out if no `client` listener is found. A listener
serving `client` can be defined in either the main synapse process or
one of its workers via `services.matrix-synapse.workers`[2].
However it's generally nicer to use assertions for that because then
it's possible to display multiple configuration errors at once and one
doesn't have to chase one `throw` after another. I decided to also error
out when using the result from `findFirst` though because module
assertions aren't thrown necessarily when you evaluate a single config
attribute, e.g. `config.environment.systemPackages` which depends on an
existing client listener because of `registerNewMatrixUser`[3].
While at it I realized that if `settings.instance_map` is wrongly
configured, e.g. by
settings.instance_map = mkForce {
/* no `main` in here */
}
an `attribute ... missing` error will be thrown while evaluating the
worker assertion.
[1] https://github.com/NixOS/nixpkgs/pull/158605#discussion_r815500487
[2] This also means that `registerNewMatrixUser` will still work if you
offload the entire `client` traffic to a worker.
[3] And getting a useful error message is way better for debugging in such a
case than `value is null while a set was expected`.
|
| | | | | | | | | | | | | | | | | |
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
nixos/virtualisation: allow configuring openssh root login on GCE
|
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
This commit makes the OpenSSH option `PermitRootLogin` available to be
configured by other NixOS modules when using the Google Cloud Engine
(GCE) NixOS image builder. Other options like `PasswordAuthentication`
were already configurable, so I think it makes sense to make `PermitRootLogin`
configurable as well is order to disable it completely, for example.
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ |
|
| | |/ / / / / / / / / / / / / / / /
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | |
While working on #192270, I noticed that only some wait_for_* helper
functions make the timeout configurable. I think we should be able to
customize it in all cases
|
| |\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | |
nixos/calibre-web: add package and enableKepubify options
|
| | | | | | | | | | | | | | | | | | | |
|