From 11fa179533f0b4328647072092acd838f5313757 Mon Sep 17 00:00:00 2001
From: Stefan Frijters
Date: Fri, 3 Feb 2023 11:11:43 +0100
Subject: nixos/postfix: restrict inet_protocols to ipv4 when ipv6 is disabled
In the previous state, postfix would still try to use IPv6 addresses, even when it is disabled in the global networking config. Cf. https://www.postfix.org/postconf.5.html: With Postfix 2.8 and earlier the default is "ipv4". For backwards compatibility with these releases, the Postfix 2.9 and later upgrade procedure appends an explicit "inet_protocols = ipv4" setting to main.cf when no explicit setting is present. This compatibility workaround will be phased out as IPv6 deployment becomes more common. inet_protocols = ipv4 inet_protocols = all (DEFAULT) inet_protocols = ipv6 inet_protocols = ipv4, ipv6 So setting it to 'all' conditionally does not help, as we are now on version 3.x.
---
 nixos/modules/services/mail/postfix.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index d01734d61e87..852340c05aa7 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -809,7 +809,7 @@ in
 // optionalAttrs (cfg.relayHost != "") { relayhost = if cfg.lookupMX
 then "${cfg.relayHost}:${toString cfg.relayPort}"
 else "[${cfg.relayHost}]:${toString cfg.relayPort}"; }
- // optionalAttrs config.networking.enableIPv6 { inet_protocols = mkDefault "all"; }
+ // optionalAttrs (!config.networking.enableIPv6) { inet_protocols = mkDefault "ipv4"; }
 // optionalAttrs (cfg.networks != null) { mynetworks = cfg.networks; }
 // optionalAttrs (cfg.networksStyle != "") { mynetworks_style = cfg.networksStyle; }
 // optionalAttrs (cfg.hostname != "") { myhostname = cfg.hostname; }
-- 
cgit 1.4.1
From 5210ddc7017ea62d987bc646e9106793d6e1ae57 Mon Sep 17 00:00:00 2001
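Review bot: The added `optionalAttrs (!config.networking.enableIPv6)` line only handles the IPv6-disabled case and relies on the Postfix 3.x built-in default of `all` when IPv6 is enabled, which is correct per the commit message but reads as an omission to anyone who only sees the code. A comment directly above the added line would pin the rationale: `# Postfix >= 3 defaults inet_protocols to "all"; only pin "ipv4" when the system has IPv6 disabled.` It is also worth saying there that, because of `mkDefault`, an explicit `services.postfix.config.inet_protocols` still takes precedence. The attribute set being built continues outside the hunk.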
From: Lily Foster
Date: Thu, 23 Feb 2023 13:23:15 -0500
Subject: nixos/systemd-initrd: allow overriding initrdBin with extraBin
Being able to override `boot.initrd.systemd.initrdBin` with `boot.initrd.systemd.extraBin` is a desirable behavior, so this PR changes the `ln -s` command to `ln -sf` to force link even if the file already exists.
---
 nixos/modules/system/boot/systemd/initrd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 70edc13dc0fa..fb435b24db21 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -118,7 +118,7 @@ let
 name = "initrd-bin-env";
 paths = map getBin cfg.initrdBin;
 pathsToLink = ["/bin" "/sbin"];
- postBuild = concatStringsSep "\n" (mapAttrsToList (n: v: "ln -s '${v}' $out/bin/'${n}'") cfg.extraBin);
+ postBuild = concatStringsSep "\n" (mapAttrsToList (n: v: "ln -sf '${v}' $out/bin/'${n}'") cfg.extraBin);
 };
 initialRamdisk = pkgs.makeInitrdNG {
-- 
cgit 1.4.1
From 47782b16c5024cf775230ae0a659fab20b2a6efe Mon Sep 17 00:00:00 2001
From: Arthur Outhenin-Chalandre
Date: Fri, 24 Feb 2023 13:52:21 +0100
Subject: protonmail-bridge: 2.3.0 -> 3.0.18
Update protonmail-bridge to v3. This also rename the CLI executable from protonmail-bridge to bridge to be more in line with upstream naming.
Co-authored-by: James Landrein
Signed-off-by: Arthur Outhenin-Chalandre
---
 nixos/doc/manual/release-notes/rl-2305.section.md | 4 +++
 .../networking/protonmail-bridge/default.nix | 41 +++++++++++++---------
 2 files changed, 28 insertions(+), 17 deletions(-)
(limited to 'nixos')
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 8af1753bb781..6290924a65a1 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
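Review bot: With `ln -sf` an `extraBin` entry now silently replaces whatever `initrdBin` put at the same name in `$out/bin`, but nothing on the `postBuild` line records that precedence, and the `extraBin` option description (outside this hunk) presumably does not either. Suggest `# -f: extraBin entries deliberately override same-named initrdBin binaries` above the line, plus a matching sentence in the option description, since users will now rely on this ordering. One caveat on the flag itself: if an existing `$out/bin/<name>` is a symlink to a directory, GNU `ln -sf` creates the new link inside that directory instead of replacing it; `ln -sfT '${v}' $out/bin/'${n}'` pins the intended replace semantics. The enclosing `buildEnv` call starts before the hunk.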
@@ -107,6 +107,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The [services.wordpress.sites.<name>.plugins](#opt-services.wordpress.sites._name_.plugins) and [services.wordpress.sites.<name>.themes](#opt-services.wordpress.sites._name_.themes) options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.
+- `protonmail-bridge` package has been updated to v3.0 and the CLI executable is now named bridge instead of protonmail-bridge to be more in line with upstream.
+
 - Nebula now runs as a system user and group created for each nebula network, using the `CAP_NET_ADMIN` ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default `nebula-${networkName}`.
 - In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`.
@@ -247,6 +249,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.
+- `protonmail-bridge` package has been updated to v3.0 and the CLI executable is now named bridge instead of protonmail-bridge to be more in line with upstream.
+
 - The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.
 - [Xastir](https://xastir.org/index.php/Main_Page) can now access AX.25 interfaces via the `libax25` package.
diff --git a/pkgs/applications/networking/protonmail-bridge/default.nix b/pkgs/applications/networking/protonmail-bridge/default.nix
index bdf75f6440e2..5dc7779e12e9 100644
--- a/pkgs/applications/networking/protonmail-bridge/default.nix
+++ b/pkgs/applications/networking/protonmail-bridge/default.nix
@@ -2,44 +2,51 @@ buildGoModule rec {
 pname = "protonmail-bridge";
- version = "2.3.0";
+ version = "3.0.18";
 src = fetchFromGitHub {
 owner = "ProtonMail";
 repo = "proton-bridge";
- rev = "br-${version}";
- sha256 = "sha256-7p+Q6/BphE/dxNQe+gfcIty6TAWHUcPpvSJWfmf4OQg=";
+ rev = "v${version}";
+ hash = "sha256-0gQnMhjwW2NEJwafqndStQ33dIu82lW6ntXFRCpbmm4=";
 };
- vendorSha256 = "sha256-dhrn6xQ0IJzBYeO6ko2PUCO+idopC2An0ylqCnx5jKg=";
+ vendorHash = "sha256-lHMcVcaoBwjE2ikEZPeZexC5XvhkAtvHnDci7UAa4vg=";
 nativeBuildInputs = [ pkg-config ];
 buildInputs = [ libsecret ];
- buildPhase = ''
- runHook preBuild
+ proxyVendor = true; # Bridge uses some C headers so we have to enable proxyVendor
+ preBuild = ''
 patchShebangs ./utils/
- make BUILD_TIME= -j$NIX_BUILD_CORES build-nogui
-
- runHook postBuild
+ (cd ./utils/ && ./credits.sh bridge)
 '';
- installPhase = ''
- runHook preInstall
-
- install -Dm555 proton-bridge $out/bin/protonmail-bridge
-
- runHook postInstall
+ ldflags =
+ let constants = "github.com/ProtonMail/proton-bridge/v3/internal/constants"; in
+ [
+ "-X ${constants}.Version=${version}"
+ "-X ${constants}.Revision=${src.rev}"
+ "-X ${constants}.buildTime=unknown"
+ "-X ${constants}.FullAppName=ProtonMailBridge" # Should be "Proton Mail Bridge", but quoting doesn't seems to work in nix's ldflags
+ ];
+
+ subPackages = [
+ "cmd/Desktop-Bridge"
+ ];
+
+ postInstall = ''
+ mv $out/bin/Desktop-Bridge $out/bin/bridge # The cli is named like that in the upstream repo
 '';
 meta = with lib; {
 homepage = "https://github.com/ProtonMail/proton-bridge";
- changelog = "https://github.com/ProtonMail/proton-bridge/blob/master/Changelog.md";
+ changelog = "https://github.com/ProtonMail/proton-bridge/blob/${src.rev}/Changelog.md";
 downloadPage = "https://github.com/ProtonMail/proton-bridge/releases";
 license = licenses.gpl3Plus;
- maintainers = with maintainers; [ lightdiscord ];
+ maintainers = with maintainers; [ mrfreezeex ];
 description = "Use your ProtonMail account with your 
local e-mail client";
 longDescription = ''
 An application that runs on your computer in the background and seamlessly encrypts
-- 
cgit 1.4.1
From 15f1369b95d04a90fcb4ac1e5e59f2d2dfe154db Mon Sep 17 00:00:00 2001
From: Winter
Date: Sat, 25 Feb 2023 22:24:56 -0500
Subject: Revert "nixos/systemd-coredump: guard static gid for systemd-coredump behind state version"
This reverts commits f5483464d5726d05b6169017e6b0f64ebccc2f53 and 6b9583e5e121b26468d880bdb65302a9172fc041. Ideally, we shouldn't cause friction for users that bump `stateVersion`, and I'd consider having to switch and/or manually hardcode a UID/GID to supress the warning friction. I think it'd be more beneficial to, in this rare case of an ID being missed, just let it be until more discussion happens surrounding this overall issue. See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
---
 nixos/modules/misc/ids.nix | 1 -
 nixos/modules/system/boot/systemd/coredump.nix | 4 +---
 2 files changed, 1 insertion(+), 4 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 108ab5d4f318..deeed10d014b 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -510,7 +510,6 @@ in
 #seeks = 148; # removed 2020-06-21
 prosody = 149;
 i2pd = 150;
- systemd-coredump = 151;
 systemd-network = 152;
 systemd-resolve = 153;
 systemd-timesync = 154;
diff --git a/nixos/modules/system/boot/systemd/coredump.nix b/nixos/modules/system/boot/systemd/coredump.nix
index deaaba9bbf85..03ef00e5683c 100644
--- a/nixos/modules/system/boot/systemd/coredump.nix
+++ b/nixos/modules/system/boot/systemd/coredump.nix
@@ -66,9 +66,7 @@ in {
 uid = config.ids.uids.systemd-coredump;
 group = "systemd-coredump";
 };
- users.groups.systemd-coredump = {
- gid = mkIf (lib.versionAtLeast config.system.stateVersion "23.05") config.ids.gids.systemd-coredump;
- };
+ users.groups.systemd-coredump = {};
 })
 (mkIf (!cfg.enable) {
-- 
cgit 1.4.1
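Review bot: The `postInstall` rename `mv $out/bin/Desktop-Bridge $out/bin/bridge` leaves no `protonmail-bridge` entry in `$out/bin`, so every existing unit file, wrapper or script that invokes the old name breaks at upgrade with no transition period. A compatibility link right after the `mv`, `ln -s bridge $out/bin/protonmail-bridge`, would keep the old name working for one release while the release note announces the rename. Separately, the same bullet is added twice to rl-2305.section.md (the @@ -107 and @@ -247 hunks); one copy should go. The `"-X ${constants}.buildTime=unknown"` flag replaces what the removed `make BUILD_TIME=` invocation used to supply; presumably equivalent, but a short comment saying the build is intentionally unstamped for reproducibility would save the next reader the archaeology.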
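Review bot: After the revert, `users.groups.systemd-coredump = {};` gets an auto-allocated gid while the user a few lines above keeps the static `config.ids.uids.systemd-coredump`, so the uid/gid pair is no longer stable across installs; the commit message explains this is deliberate pending NixOS/nixpkgs#217785, but the code does not, and the next reader will take the empty set for an omission. Suggest `users.groups.systemd-coredump = {}; # gid intentionally dynamic, see NixOS/nixpkgs#217785`. The polkit revert in the next commit reintroduces the same pattern and would benefit from the same note. The enclosing `mkIf cfg.enable` block starts before the hunk.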
From ee6517a915424f7d7a07f6d1fddf8fd2f5b04a2c Mon Sep 17 00:00:00 2001
From: Winter
Date: Sat, 25 Feb 2023 22:26:28 -0500
Subject: Revert "nixos/polkit: guard static gid for polkituser behind state version"
This reverts commit 2265160fc0b4cc9a38b392ec3b3a3fe18c2e5413 and e56db577a1f69c02e80d8bc26d514c01a2c5cc61. Ideally, we shouldn't cause friction for users that bump `stateVersion`, and I'd consider having to switch and/or manually hardcode a UID/GID to supress the warning friction. I think it'd be more beneficial to, in this rare case of an ID being missed, just let it be until more discussion happens surrounding this overall issue. See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
---
 nixos/modules/misc/ids.nix | 2 +-
 nixos/modules/security/polkit.nix | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index deeed10d014b..17ea04cb4ecb 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -392,7 +392,7 @@ in
 tape = 25;
 video = 26;
 dialout = 27;
- polkituser = 28;
+ #polkituser = 28; # currently unused, polkitd doesn't need a group
 utmp = 29;
 # ddclient = 30; # converted to DynamicUser = true
 davfs2 = 31;
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index 1b6594802277..de427ccb295b 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -113,9 +113,7 @@ in
 group = "polkituser";
 };
- users.groups.polkituser = {
- gid = mkIf (lib.versionAtLeast config.system.stateVersion "23.05") config.ids.gids.polkituser;
- };
+ users.groups.polkituser = {};
 };
 }
-- 
cgit 1.4.1
From 43e79015bf52e90bfe2983e0f1c54e781557d79f Mon Sep 17 00:00:00 2001
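Review bot: The comment restored in ids.nix, `#polkituser = 28; # currently unused, polkitd doesn't need a group`, contradicts polkit.nix in the same commit, which still declares `users.groups.polkituser = {};` and assigns the polkit user to it through `group = "polkituser";`; it is the static id that is unused, not the group. Either reword the ids.nix line, e.g. `# polkituser = 28; # gid allocated dynamically, see NixOS/nixpkgs#217785`, or drop the group and the `group = "polkituser"` assignment if the group really is unneeded. As written, a reader of ids.nix will reasonably conclude the group can be deleted. The enclosing user definition starts before the polkit.nix hunk.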
From: Thomas Gerbet
Date: Mon, 27 Feb 2023 17:56:56 +0100
Subject: nixos/tests/haproxy: stop using nixos/profiles/minimal
The defaults conflicts with the defaults of `services.httpd`:
```
error: The option `nodes.machine.services.logrotate.enable' has conflicting definition values:
- In `/home/thomas/Workspace/Packaging/nixpkgs/nixos/modules/profiles/minimal.nix': false
- In `/home/thomas/Workspace/Packaging/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix': true
Use `lib.mkForce value` or `lib.mkDefault value` to change the priority on any of these definitions.
(use '--show-trace' to show detailed location information)
```
`nixos/profile/minimal` is not used in the majority of the tests and it does not seem to have a specific reason to use it for the HAProxy test.
---
 nixos/tests/haproxy.nix | 1 -
 1 file changed, 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/tests/haproxy.nix b/nixos/tests/haproxy.nix
index b6ff4102fe68..555474d7f299 100644
--- a/nixos/tests/haproxy.nix
+++ b/nixos/tests/haproxy.nix
@@ -2,7 +2,6 @@ import ./make-test-python.nix ({ pkgs, ...}: {
 name = "haproxy";
 nodes = {
 machine = { ... }: {
- imports = [ ../modules/profiles/minimal.nix ];
 services.haproxy = {
 enable = true;
 config = ''
-- 
cgit 1.4.1
From 056b679c35b66515f3305921500a989b3951f1ff Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 27 Feb 2023 18:16:57 +0100
Subject: nix-fallback-paths.nix: Update to 2.13.3
---
 nixos/modules/installer/tools/nix-fallback-paths.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix
index c9cb65dbbe5a..1058a34133b1 100644
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@@ -1,7 +1,7 @@
 {
- x86_64-linux = "/nix/store/lsr79q5xqd9dv97wn87x12kzax8s8i1s-nix-2.13.2";
- i686-linux = "/nix/store/wky9xjwiwzpifgk0s3f2nrg8nr67bi7x-nix-2.13.2";
- aarch64-linux = "/nix/store/v8drr3x1ia6bdr8y4vl79mlz61xynrpm-nix-2.13.2";
- x86_64-darwin = "/nix/store/1l14si31p4aw7c1gwgjy0nq55k38j9nj-nix-2.13.2";
- aarch64-darwin = "/nix/store/6x7nr1r780fgn254zhkwhih3f3i8cr45-nix-2.13.2";
+ x86_64-linux = "/nix/store/mc43d38fibi94pp5crfwacl5gbslccd0-nix-2.13.3";
+ i686-linux = "/nix/store/09m966pj26cgd4ihlg8ihl1106j3vih8-nix-2.13.3";
+ aarch64-linux = "/nix/store/7f191d125akld27gc6jl0r13l8pl7x0h-nix-2.13.3";
+ x86_64-darwin = "/nix/store/1wn9jkvi2zqfjnjgg7lnp30r2q2y8whd-nix-2.13.3";
+ aarch64-darwin = "/nix/store/8w0v2mffa10chrf1h66cbvbpw86qmh85-nix-2.13.3";
 }
-- 
cgit 1.4.1
From 2af041ab44ce4b8c10b015ff3674c0852d193a75 Mon Sep 17 00:00:00 2001
From: Stefan Frijters
Date: Sun, 19 Feb 2023 18:19:32 +0100
Subject: nixos/gitlab-runner: do not pull in Docker if gitlab-runner-clear-docker-cache is disabled
Only create the service if the option is enabled and if any docker executors exist.
---
 nixos/modules/services/continuous-integration/gitlab-runner.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index 6b44d39c224e..53f39f40daa5 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -577,7 +577,7 @@ in {
 };
 };
 # Enable periodic clear-docker-cache script
- systemd.services.gitlab-runner-clear-docker-cache = {
+ systemd.services.gitlab-runner-clear-docker-cache = mkIf (cfg.clear-docker-cache.enable && (any (s: s.executor == "docker") (attrValues cfg.services))) {
 description = "Prune gitlab-runner docker resources";
 restartIfChanged = false;
 unitConfig.X-StopOnRemoval = false;
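Review bot: The executor predicate `any (s: s.executor == "docker") (attrValues cfg.services)` added to the `mkIf` is, judging by the `# Enable docker if `docker` executor is used in any service` comment and the `virtualisation.docker.enable = mkIf (` line at the end of the @@ -590 hunk, the same test that already gates the Docker daemon (its body is outside the hunk); two hand-written copies of the same condition will drift the next time an executor name is added. Hoisting it into the module's `let` block as `hasDockerExecutor = any (s: s.executor == "docker") (attrValues cfg.services);` and using it in both `mkIf`s keeps the cleanup service and the daemon gated by one definition. The `startAt = cfg.clear-docker-cache.dates;` change in the second hunk is consistent with this, since the enable check moved from the timer to the whole service. The attribute set being defined starts before the hunk.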
@@ -590,7 +590,7 @@ in {
 ${pkgs.gitlab-runner}/bin/clear-docker-cache ${toString cfg.clear-docker-cache.flags}
 '';
- startAt = optional cfg.clear-docker-cache.enable cfg.clear-docker-cache.dates;
+ startAt = cfg.clear-docker-cache.dates;
 };
 # Enable docker if `docker` executor is used in any service
 virtualisation.docker.enable = mkIf (
-- 
cgit 1.4.1