3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

1334 commits

Author SHA1 Message Date
talyz 8f16b16291
gitlab: Make sure the FOSS version isn't identified as EE 2021-06-09 17:50:45 +02:00
Sandro c6a306d19e
Merge pull request #125810 from ElXreno/package-bees-0.6.5 2021-06-09 12:47:33 +02:00
tomberek 157aee00a5
nixos/sourcehut: init (#113244)
* nixos/sourcehut: init

* sourcehut: default nginx setup

* sourcehut: documentation

* sourcehut: re-structure settings

* sourcehut: tests

* nixos/sourcehut: adopt StateDirectory

* Apply suggestions from code review

Co-authored-by: Aaron Andersen <aaron@fosslib.net>
Co-authored-by: Thibaut Marty <github@thibautmarty.fr>
Co-authored-by: malte-v <34393802+malte-v@users.noreply.github.com>

* nixos/sourcehut: PR suggestions

* nixos/sourcehut: malte-v patch

* nixos/sourcehut: add base virtualhost

* nixos/sourcehut: remove superfluous key

* nixos/sourcehut: use default from cfg

* nixos/sourcehut: use originBase for logs

* nixos/sourcehut: use toPythonApplication in systemPackages

* nixos/sourcehut: directly use ExecStart

* nixos/sourcehut: update docs

Co-authored-by: Aaron Andersen <aaron@fosslib.net>
Co-authored-by: Thibaut Marty <github@thibautmarty.fr>
Co-authored-by: malte-v <34393802+malte-v@users.noreply.github.com>
2021-06-05 14:42:51 -04:00
ElXreno 7b9df38982
bees: 0.6.3 -> 0.6.5
Change-Id: I1866eab9c348d9c10219290ecba698121a32d128
2021-06-05 17:39:12 +03:00
ElXreno a3fa2cf7c2
bees: nixpkgs-fmt
Change-Id: If4e9431dad00ffade3316cf22235d8d44d12d149
2021-06-05 17:39:12 +03:00
talyz f5f8341c76
nixos/geoipupdate: Replace the old geoip-updater module
Our old bespoke GeoIP updater doesn't seem to be working
anymore. Instead of trying to fix it, replace it with the official
updater from MaxMind.
2021-06-03 20:57:25 +02:00
pmenke 9e0ed182aa
sdrplay: init at 3.07.1
this adds support for software defined radio (SDR) devices by SDRplay.
SDRplay provides an unfree binary library and api-service as well
as a MIT licensed adapter library for SoapySDR for integration
with many popular SDR applications.
2021-05-28 15:40:04 +02:00
regnat 113823669b Revert "nixos/nix-daemon: fix sandbox-paths option"
This reverts commit aeeee447bc.
2021-05-24 10:51:02 +02:00
Maximilian Bosch 278bcdce1f
Merge pull request #123941 from mweinelt/matrix-synapse
nixos/matrix-synapse: protect created files
2021-05-22 22:20:16 +02:00
Martin Weinelt 79e675444c
nixos/matrix-synapse: protect created files
Enforce UMask on the systemd unit to restrict the permissions of files
created. Especially the homeserver signing key should not be world
readable, and media is served through synapse itself, so no other user
needs access to these files.

Use a prestart chmod to fixup the permissions on the signing key.
2021-05-22 20:30:49 +02:00
Vika aeeee447bc
nixos/nix-daemon: fix sandbox-paths option
In newer versions of Nix (at least on 2.4pre20201102_550e11f) the
`extra-` prefix for config options received a special meaning and the
option `extra-sandbox-paths` isn't recognized anymore. This commit fixes
it.

It doesn't cause a behavior change when using older versions of Nix but
does cause an extra newline to appear in the config, thus changing the
hash.
2021-05-22 05:14:56 +00:00
Martin Weinelt 446c97f96f
Merge pull request #123355 from Ma27/bump-matrix-synapse 2021-05-19 18:12:14 +02:00
talyz 7842e89bfc
nixos/gitlab: Use replace-secret to avoid leaking secrets
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
2021-05-19 09:32:12 +02:00
Maximilian Bosch 2addab5fd6
nixos/matrix-synapse: room_invite_state_types was deprecated and room_prejoin_state is used now
See https://github.com/matrix-org/synapse/blob/release-v1.34.0/UPGRADE.rst#upgrading-to-v1340
2021-05-17 13:45:28 +02:00
Jörg Thalheim b900661f6e
Merge pull request #122825 from Izorkin/update-duplicates-systemcallfilters
treewide: remove duplicates SystemCallFilters
2021-05-17 12:06:06 +01:00
Sandro 700942d2a5
Merge pull request #121119 from SuperSandro2000/remove-gnidorah
treewide: remove gnidorah
2021-05-17 02:42:24 +02:00
Izorkin feebe402f5
treewide: remove duplicates SystemCallFilters 2021-05-13 15:44:56 +03:00
Robert Schütz 7217b2d85e
Merge pull request #121785 from dotlambda/dendrite-rename
matrix-dendrite: rename to dendrite
2021-05-10 23:30:12 +02:00
Joe DeVivo bf92d0ec37 nixos/ssm-agent: conf files written to /etc
ssm-agent expects files in /etc/amazon/ssm. The pkg substitutes a location in
the nix store for those default files, but if we ever want to adjust this
configuration on NixOS, we'd need the ability to modify that file.

This change to the nixos module writes copies of the default files from the nix
store to /etc/amazon/ssm. Future versions can add config, but right now this
would allow users to at least write out a text value to
environment.etc."amazon/ssm/amazon-ssm-agent.json".text to provide
their own config.
2021-05-10 13:16:41 -07:00
Sander van der Burg 77295e7e6b nixos/disnix: configure the remote client by default, if multi-user mode has been enabled 2021-05-06 19:33:02 +02:00
Martin Weinelt 24adc01e2e
nixos/home-assistant: allow netlink sockets and /proc/net inspection
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.

It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.

This leaves us with these options unsecured:

✗ PrivateNetwork=                                             Service has access to the host's network                                                                 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                    0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                                       0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                         0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                                       0.2
✗ PrivateUsers=                                               Service has access to other users                                                                        0.2
✗ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed)      0.2
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                                     0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                            0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                                                   0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                       0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                       0.1

→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
2021-05-06 16:55:53 +02:00
Robert Schütz f82c6fdfd5 nixos/matrix-dendrite: rename to dendrite 2021-05-05 12:38:02 +02:00
Robert Schütz 007cab9644 matrix-dendrite: rename to dendrite
No other distro calls it matrix-dendrite:
https://repology.org/project/matrix-dendrite
2021-05-05 12:37:04 +02:00
Robert Hensing ce93c98ce2
Merge pull request #99132 from Infinisil/recursive-type-deprecation
Recursive type deprecation
2021-05-05 11:13:37 +02:00
Silvan Mosberger 0a377f11a5 nixos/treewide: Remove usages of deprecated types.string 2021-05-05 03:31:41 +02:00
Luke Granger-Brown 62f675eff6
Merge pull request #121558 from sumnerevans/fix-airsonic-service
airsonic: force use of jre8
2021-05-03 20:43:00 +01:00
Silvan Mosberger 0111666954
Merge pull request #109561 from mjlbach/init_matrix_dendrite
matrix-dendrite: init at 0.3.11
2021-05-03 20:16:27 +02:00
Michael Lingelbach ff43bbe53e matrix-dendrite: add nixos module 2021-05-03 10:12:24 -07:00
Martin Weinelt d23610ae65
Merge pull request #121209 from mweinelt/pinnwand 2021-05-03 18:24:45 +02:00
Sumner Evans 6dde6bf3bf
airsonic: force use of jre8 2021-05-03 09:41:04 -06:00
Martin Weinelt fda2ff4edc
nixos/pinnwand: add reaper systemd unit/timer
The reap function culls expired pastes outside of the process serving
the pastes. Previously the database could accumulate a large number of
pastes and while they were expired they would not be deleted unless
accessed from the frontend.
2021-05-03 16:52:05 +02:00
Martin Weinelt ac4b47f823
nixos/pinnwand: improve settings behaviour
Individual settings would previously overwrite the whole config, but
now individual values can be overwritten.

Fix missing slash to make the database path an absolute path per
https://docs.sqlalchemy.org/en/14/core/engines.html#sqlite.

Drop preferred_lexers, it's not set to anything meaningful anyway.
2021-05-03 15:18:12 +02:00
Martin Weinelt f41349d30d
nixos/home-assistant: Restart systemd unit on restart service
Home-assistant through its `--runner` commandline flag supports sending
exit code 100 when the `homeassistant.restart` service is called.

With `RestartForceExitStatus` we can listen for that specific exit code
and restart the whole systemd unit, providing an actual clean restart
with fresh processes. Additional treat exit code 100 as a successful
termination.
2021-05-03 00:21:25 +02:00
Martin Weinelt 7d09d7f571
nixos/home-assistant: harden systemd service
This is what is still exposed, and it should still allow things to work
as usual.

✗ PrivateNetwork=                    Service has access to the host's …      0.5
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc…      0.3
✗ DeviceAllow=                       Service has a device ACL with som…      0.1
✗ IPAddressDeny=                     Service does not define an IP add…      0.2
✗ PrivateDevices=                    Service potentially has access to…      0.2
✗ PrivateUsers=                      Service has access to other users       0.2
✗ SystemCallFilter=~@resources       System call allow list defined fo…      0.2
✗ RootDirectory=/RootImage=          Service runs within the host's ro…      0.1
✗ SupplementaryGroups=               Service runs with supplementary g…      0.1
✗ RestrictAddressFamilies=~AF_UNIX   Service may allocate local sockets      0.1

→ Overall exposure level for home-assistant.service: 1.6 OK :-)

This can grow to as much as ~1.9 if you use one of the bluetooth or nmap
trackers or the emulated_hue component, all of which required elevated
permisssions.
2021-05-03 00:21:24 +02:00
Maximilian Bosch 040f0acccd
Merge pull request #121299 from Ma27/gitea-umask
nixos/gitea: set umask for secret creation
2021-05-02 00:06:20 +02:00
Maximilian Bosch 02c3bd2187
nixos/gitea: set umask for secret creation
This ensures that newly created secrets will have the permissions
`0640`. With this change it's ensured that no sensitive information will
be word-readable at any time.

Related to #121293.

Strictly speaking this is a breaking change since each new directory
(including data-files) aren't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.
2021-04-30 21:39:11 +02:00
Martin Weinelt 62de527dc3
nixos/zigbee2mqtt: start maintaing the module 2021-04-30 20:40:04 +02:00
Martin Weinelt 2b61d9ea01
nixos/zigbee2mqtt: create migration path from config to settings 2021-04-30 20:39:21 +02:00
Martin Weinelt a691549f7e
nixos/zigbee2mqtt: harden systemd unit
This is what is still exposed, and it allows me to control my lamps from
within home-assistant.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                  0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                              0.1
✗ MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                              0.1

→ Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
2021-04-30 19:42:26 +02:00
Martin Weinelt e0f1e1f7bf
nixos/zigbee2mqtt: convert to rfc42 style settings 2021-04-30 19:42:26 +02:00
Kim Lindberger fdd6ca8fce
Merge pull request #118898 from talyz/gitlab-memory-bloat
nixos/gitlab: Add options to tame GitLab's memory usage somewhat
2021-04-30 16:58:30 +02:00
Sandro a73342b7ce
Merge pull request #120637 from andreisergiu98/ombi-update 2021-04-30 12:57:15 +02:00
Sandro Jäckel ae02415ee8
treewide: remove gnidorah
due to github account removal/deletion and not other mean of contact.
2021-04-30 01:48:19 +02:00
Andrei Pampu e88bf5f13b
nixos/ombi: set ombi as system user 2021-04-29 10:52:02 +03:00
Aaron Andersen 45eb9c21ee
Merge pull request #119672 from chessai/init-duckling-service
init duckling service
2021-04-27 20:58:28 -04:00
chessai e47e2a1b9f init duckling service 2021-04-27 10:41:07 -07:00
talyz 7a67a2d1a8
gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-04-27 17:49:43 +02:00
Robert Schütz e22d76fe34
Merge pull request #120520 from minijackson/jellyfin-remove-10.5
jellyfin_10_5: remove unmaintained version
2021-04-26 17:16:43 +02:00
Minijackson 2ad8aa72ae
jellyfin_10_5: remove unmaintained version
This version contains a vulnerability[1], and isn't maintained. The
original reason to have two jellyfin versions was to allow end-users to
backup the database before the layout was upgraded, but these backups
should be done periodically.

[1]: <https://nvd.nist.gov/vuln/detail/CVE-2021-21402>
2021-04-26 14:11:29 +02:00
Luke Granger-Brown ed83f6455c
Merge pull request #119443 from ambroisie/add-podgrab
Add podgrab package and module
2021-04-25 14:12:40 +01:00