| Commit message (Collapse) | Author | Age |
|---|
| |\
| |
| | |
brltty: 6.1 -> 6.3; nixos/brltty: use upstream units
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Upstream has been providing a very thoroughly designed set of systemd units,
udev and polkit rules. With these the brltty daemon is activated
asynchronously via udev, runs as a dedicated user with runtime and state
directories set up using systemd-tmpfiles.
This is much better than the current unit, which runs a single instance
as root and pulls in systemd-udev-settle to wait for the hardware.
|
| |\ \
| | |
| | | |
installer images: Add available modules to stage-1 on ARM platforms
|
| | | |
| | |
| | |
| | |
| | | |
This ensures that SD images and UEFI installers don't drift in
compatibility with regards to early initrd.
|
| | | |
| | |
| | |
| | | |
Namely, early KMS on raspberry pi
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
While it's being brought in implicitly by the other analogix driver,
let's be explicit, in case things change.
|
| | | |
| | |
| | |
| | | |
But not exclusive to rockchip
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
This is used on some allwinner platforms, and is a weak dependency for
USB to work.
|
| | | |
| | |
| | |
| | | |
Namely, this is used by the pinebook's display
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
set a group and user for the service
remove default null config
it's required, now it throws an error pointing to the option
set myself (module author) as maintainer
|
| | | |
| | |
| | |
| | | |
and set myself (module author) as maintainer
|
| |\ \ \
| | | |
| | | | |
nixos/network: allow configuring tempaddr for undeclared interfaces
|
| | | | | |
|
| | | | | |
|
| |\ \ \ \
| | | | |
| | | | | |
spidermonkey_1_8_5: drop
|
| | | | | | |
|
| | | | | | |
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
nixos/hercules-ci-agent: updates
|
| | | | | | | |
|
| | | | | | | |
|
| |\ \ \ \ \ \ |
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
It will be run after startup.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
GNOME 40 added support for it in Control Center.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
It has been retired
https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/353
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | | |
|
| |\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
lib/modules: pass specialArgs to modules
|
| | | | | | | | | |
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
been enabled
|
| |\ \ \ \ \ \ \ \ |
|
| | | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.
It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.
This leaves us with these options unsecured:
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ PrivateDevices= Service potentially has access to hardware devices 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 0.2
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ SupplementaryGroups= Service runs with supplementary groups 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1
→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
|
| |\ \ \ \ \ \ \ \ \
| | | | | | | | | |
| | | | | | | | | | |
netdata: 1.29.3 -> 1.30.1
|
| | | | | | | | | | | |
|
| | | |/ / / / / / /
| |/| | | | | | | |
|
| |\ \ \ \ \ \ \ \ \
| |_|/ / / / / / /
|/| | | | | | | | |
wpa_supplicant: allow both imperative and declarative networks
|
| | | | | | | | | | |
|
| | | | | | | | | | |
|
| | | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
For a while now it's possible to specify an additional config file in
`wpa_supplicant`[1]. In contrast to the file specified via `-c` this was
supposed to be used for immutable settings and not e.g. additional
networks.
However I'm a little bit unhappy about the fact that one has to choose
between a fully imperative setup and a fully declarative one where the
one would have to write credentials for e.g. WPA2-enterprise networks
into the store.
The primary problem with the current state of `wpa_supplicant` is that
if the `SAVE_CONFIG` command is invoked (e.g. via `wpa_cli`), all known
networks will be written to `/etc/wpa_supplicant.conf` and thus all
declarative networks would get out of sync with the declarative
settings.
To work around this, I had to change the following things:
* The `networking.wireless`-module now uses `-I` for declarative config,
so the user-controlled mode can be used along with the
`networks`-option.
* I added an `ro`-field to the `ssid`-struct in the
`wpa_supplicant`-sources. This will be set to `1` for each network
specified in the config passed via `-I`.
Whenever config is written to the disk, those networks will be
skipped, so changes to declarative networks are only temporary.
[1] https://w1.fi/cgit/hostap/commit/wpa_supplicant?id=e6304cad47251e88d073553042f1ea7805a858d1
|
| | |_|/ / / / / /
|/| | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
libbrotli wasn't listed as a dependency for the AppArmor profile of the transmission-daemon binary.
As a result, transmission wouldn't run and would fail, logging this audit message to dmesg:
audit[11595]: AVC apparmor=DENIED operation=open profile=/nix/store/08i1rmakmnpwyxpvp0sfc5hcm106am7w-transmission-3.00/bin/transmission-daemon name=/proc/11595/environ pid=11595 comm=transmission-da requested_mask=r denied_mask=r fsuid=70 ouid=70
|
| |\ \ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | | |
nixos/tests/sway: init
|
| | | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
This adds a basic test for Sway. Because Sway is an important part of
the Wayland ecosystem, is stable, and has few dependencies this test
should also be suitable for testing core packages it depends on (e.g.
wayland, wayland-protocols, wlroots, xwayland, mesa, libglvnd, libdrm,
and soon libseat).
The test is modeled after the suggested way of using Sway, i.e. logging
in via a virtual console (tty1) and copying the configuration from
/etc/sway/config (we replace Mod4 (the GNU/Tux key - you've replaced
that evil logo, right? :D) with Mod1 (Alt key) because QEMU monitor's
sendkey command doesn't support the former).
The shell aliases are used to make the sendkey log output shorter.
Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
|
| |\ \ \ \ \ \ \ \ \
| | | | | | | | | |
| | | | | | | | | | |
Recursive type deprecation
|
| | | | | | | | | | | |
|