3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

29326 commits

Author SHA1 Message Date
Franz Pletz 32e7482074
nixos/tests/shadow: new hashes support with libxcrypt 2022-10-09 18:09:41 +02:00
github-actions[bot] 3e675d06f5
Merge staging-next into staging 2022-10-09 12:02:02 +00:00
github-actions[bot] 8972888c55
Merge master into staging-next 2022-10-09 12:01:31 +00:00
Franz Pletz 8a86d9d4aa
Merge pull request #195190 from Ma27/coturn-replace-secret
nixos/coturn: refactor secret injection
2022-10-09 13:48:49 +02:00
Anderson Torres ff92a56f77
Merge pull request #195057 from LeSuisse/sget-init
sget: init at unstable-2022-10-04
2022-10-09 08:40:44 -03:00
Maximilian Bosch 4ece171482
Merge pull request #194738 from mayflower/pi-tokenjanitor
nixos/privacyidea: add proper support for `privacyidea-token-janitor`
2022-10-09 09:50:20 +02:00
Maximilian Bosch 4fd75277dd
nixos/coturn: refactor secret injection
The original implementation had a few issues:

* The secret was briefly leaked since it is part of the cmdline for
  `sed(1)` and on Linux `cmdline` is world-readable.
* If the secret would contain either a `,` or a `"` it would mess with
  the `sed(1)` expression itself unless you apply messy escape hacks.

To circumvent all of that, I decided to use `replace-secret` which
allows you to replace a string inside a file (in this case
`#static-auth-secret#`) with the contents of a file, i.e.
`cfg.static-auth-secret-file` without any of these issues.
2022-10-09 09:31:48 +02:00
Sandro 21469bd965
Merge pull request #191198 from Moredread/nixpkgs-paperless
nixosTests.paperless: check if /metadata/ can be accessed
2022-10-09 08:49:28 +02:00
talyz fae653deb4 nixos/gitlab: Configure ActionCable
ActionCable is used to provide realtime updates in a few places,
mainly the issue sidebar.
2022-10-09 08:12:19 +02:00
talyz 9b3ff51c77 nixos/gitlab: Set a more appropriate type for extraConfig 2022-10-09 08:12:19 +02:00
talyz 58158100f7 nixos/gitlab: Make sure docker-registry starts after cert generation 2022-10-09 08:12:19 +02:00
talyz 8e8253ddb4 nixos/gitlab: Create registry state path 2022-10-09 08:12:19 +02:00
talyz 3dedfb3fa0 nixos/gitlab: Connect to redis through a unix socket by default
This gives us slightly higher security as you have to be in the gitlab
group to connect, and possibly a (very small) performance benefit as
well.
2022-10-09 08:12:19 +02:00
talyz 843082eb3a nixos/gitlab: Add findutils to runtime dependencies
Needed for the gitlab:cleanup:orphan_job_artifact_files rake task.
2022-10-09 08:12:19 +02:00
talyz bee6e1dafa nixos/gitlab: Deduplicate runtime dependency listing 2022-10-09 08:12:19 +02:00
talyz 0211edd1ff nixos/gitlab: Add workhorse.config option 2022-10-09 08:12:19 +02:00
talyz 4df4d2a8ea genJqSecretsReplacementSnippet: Allow dots in attribute names...
...and escape quotation marks and backslashes.
2022-10-09 08:12:19 +02:00
github-actions[bot] 9104c83926
Merge staging-next into staging 2022-10-09 00:04:12 +00:00
github-actions[bot] 130aa9ca68
Merge master into staging-next 2022-10-09 00:03:29 +00:00
github-actions[bot] 50515b668c
Merge staging-next into staging 2022-10-08 18:01:40 +00:00
github-actions[bot] d2cd24fe6a
Merge master into staging-next 2022-10-08 18:01:07 +00:00
Thomas Gerbet 679cd3462f sget: init at unstable-2022-10-04
This binary was provided by the `cosign` package until now but it is in
the process of being removed, see https://github.com/sigstore/cosign/pull/2019

Since it might be removed during the 22.11 cycle we drop it
preventively. This will make possible security backports easier if we
need them.
2022-10-08 19:58:11 +02:00
Jörg Thalheim b4bb571fa0 iwd: remove myself as maintainer 2022-10-08 16:50:37 +02:00
Artturi f9f82fdb05
Merge pull request #194941 from Artturin/libxml2strict 2022-10-08 17:46:42 +03:00
Florian Klink 1780768449
Merge pull request #194684 from oxalica/fix/systemd-oomd-test
nixos/tests/systemd-oomd: fix and follows upstream tests
2022-10-08 16:09:45 +02:00
github-actions[bot] cdfb8a30a4
Merge staging-next into staging 2022-10-08 12:02:12 +00:00
Robert Scott 68138bfb28 nixosTests.spark: give worker node 2G of memory
test currently failing due to OOM
2022-10-08 11:55:51 +01:00
Vladimír Čunát 6565abc264
Merge branch 'master' into staging-next 2022-10-08 10:20:07 +02:00
Nick Cao 309ea5a1af nixos/udev: allow marking firmware as not compressible 2022-10-07 19:40:58 +00:00
Bernardo Meurer 34c73b3fb6
Merge pull request #194391 from guibou/fast_haskell_ghc_with_packages 2022-10-07 14:31:25 -03:00
Artturin 09226fffcf nixosOptionsDoc: buildInputs -> nativeBuildInputs
to make strictDepsByDefault work
2022-10-07 19:26:22 +03:00
Janne Heß 73d9371886
Merge pull request #194395 from helsinki-systems/upd/openssh
[staging] openssh: 9.0p1 -> 9.1p1
2022-10-07 18:21:21 +02:00
Guillaume Bouchard a2cd604de9 nixos/doc: add release-notes entries for lib.closePropagation changes 2022-10-07 18:04:17 +02:00
Christian Kögler aff16d8bc8
Merge pull request #190052 from JasonWoof/acme-example
nixos/doc: fix acme dns-01 example
2022-10-07 12:53:15 +02:00
Alexander Bantyev 99cc02fe98
Merge pull request #193694 from cab404/fwupd-remote-list
nixos.fwupd: add remote list option
2022-10-07 14:23:19 +04:00
Mario Rodas 405db07799
Merge pull request #167047 from helsinki-systems/drop/postgresql10
postgresql: remove 10.x
2022-10-06 21:32:46 -05:00
Edward Tjörnhammar a72e138b78 nixos/jfs: correct broken toplevel reference 2022-10-06 19:26:13 +00:00
github-actions[bot] 0b4912d905
Merge staging-next into staging 2022-10-06 18:03:42 +00:00
github-actions[bot] c5f0d725df
Merge master into staging-next 2022-10-06 18:03:10 +00:00
Lucas Savva 49c0fd7d60 nixos/acme: Disable lego renew sleeping
Lego has a built-in mechanism for sleeping for a random amount
of time before renewing a certificate. In our environment this
is not only unnecessary (as our systemd timer takes care of it)
but also unwanted since it slows down the execution of the
systemd service encompassing it, thus also slowing down the
start up of any services its depending on.

Also added FixedRandomDelay to the timer for more predictability.
2022-10-06 10:30:24 -04:00
Lucas Savva 657ecbca0e nixos/acme: Make account creds check more robust
Fixes #190493

Check if an actual key file exists. This does not
completely cover the work accountHash does to ensure
that a new account is registered when account
related options are changed.
2022-10-06 10:30:24 -04:00
Lucas Savva 39796cad46 nixos/acme: Fix cert renewal with built in webserver
Fixes #191794

Lego threw a permission denied error binding to port 80.
AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
Also added a test for this.
2022-10-06 10:30:24 -04:00
Sandro 2fca262fa0
Merge pull request #194271 from andersk/teleport-10 2022-10-06 15:36:47 +02:00
pennae 3826e303c6 nixos/firefox-syncserver: remove extra add_header
syncstorage-rs sets this header starting with 0.12.3.
2022-10-06 14:48:53 +02:00
pennae f97c9d60e4 nixos/firefox-syncserver: proxyPass singleNode to 127.0.0.1
syncstorage-rs does not listen on ::1 unless explicitly configured.
2022-10-06 14:48:53 +02:00
pennae 8dc30e9e98 nixos/firefox-syncserver: set default for oauth verifier threads
the 0.12.1 update introduced a static thread pool for verifying oauth
tokens. set a reasonable default for self-hosted setups (10 threads).
2022-10-06 14:48:53 +02:00
github-actions[bot] 7dc2d52e3b
Merge staging-next into staging 2022-10-06 12:02:07 +00:00
github-actions[bot] 8d6fbd7341
Merge master into staging-next 2022-10-06 12:01:31 +00:00
Maximilian Bosch 15914eba85
nixos/privacyidea: fix manual build 2022-10-06 13:50:31 +02:00
Maximilian Bosch ecaf6aed02
nixos/privacyidea: add proper support for privacyidea-token-janitor
`privacyidea-token-janitor`[1] is a tool which helps to automate
maintenance of tokens. This is helpful to identify e.g. orphaned tokens,
i.e. tokens of users that were removed or tokens that were unused for a
longer period of time and apply actions to them (e.g. `disable` or
`delete`).

This patch adds two new things:

* A wrapper for `privacyidea-token-janitor` to make sure it's executable
  from CLI. To achieve this, it does a `sudo(8)` into the
  `privacyidea`-user and sets up the environment to make sure the
  configuration file can be found. With that, administrators can
  directly invoke it from the CLI without additional steps.

* An optional service is added which performs automatic cleanups of
  orphaned and/or unassigned tokens. Yes, the tool can do way more
  stuff, but I figured it's reasonable to have an automatic way to clean
  up tokens of users who were removed from the PI instance. Additional
  automation steps should probably be implemented in additional
  services (and are perhaps too custom to add them to this module).

[1] https://privacyidea.readthedocs.io/en/v3.7/workflows_and_tools/tools/index.html
2022-10-06 11:43:20 +02:00