From adc7388930fa0ec64373edd35c4e84d9de56a1c7 Mon Sep 17 00:00:00 2001
From: Martin Milata
Date: Sat, 21 Mar 2020 03:58:37 +0100
Subject: [PATCH 1/3] sympa: 6.2.52 -> 6.2.54
---
pkgs/servers/mail/sympa/default.nix | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pkgs/servers/mail/sympa/default.nix b/pkgs/servers/mail/sympa/default.nix
index 46cbcc61f94c..df1d826594e4 100644
--- a/pkgs/servers/mail/sympa/default.nix
+++ b/pkgs/servers/mail/sympa/default.nix
@@ -1,5 +1,4 @@ -{ stdenv, perl, fetchFromGitHub, autoreconfHook -}: +{ stdenv, perl, fetchFromGitHub, autoreconfHook, nixosTests }: let dataDir = "/var/lib/sympa";
@@ -64,13 +63,13 @@ let in stdenv.mkDerivation rec { pname = "sympa"; - version = "6.2.52"; + version = "6.2.54"; src = fetchFromGitHub { owner = "sympa-community"; repo = pname; rev = version; - sha256 = "071kx6ryifs2f6fhfky9g297frzp5584kn444af1vb2imzydsbnh"; + sha256 = "07wfvr8rrg7pwkl2zglrdri7n42rl9gwrjbaffb8m37wq67s7fca"; }; configureFlags = [
@@ -106,6 +105,10 @@ stdenv.mkDerivation rec { rm -rf "$TMP/bin" ''; + passthru.tests = { + inherit (nixosTests) sympa; + }; + meta = with stdenv.lib; { description = "Open source mailing list manager"; homepage = "https://www.sympa.org";
From 8f632b404f225d70867d5e916c4a5c8be17f8852 Mon Sep 17 00:00:00 2001
From: Martin Milata
Date: Sat, 21 Mar 2020 13:55:53 +0100
Subject: [PATCH 2/3] sympa: build with --enable-fhs Update module accordingly.
---
nixos/modules/services/mail/sympa.nix | 10 +++++-----
pkgs/servers/mail/sympa/default.nix | 1 +
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/nixos/modules/services/mail/sympa.nix b/nixos/modules/services/mail/sympa.nix
index c3ae9d4255b0..7b9c37aba208 100644
--- a/nixos/modules/services/mail/sympa.nix
+++ b/nixos/modules/services/mail/sympa.nix
@@ -415,7 +415,7 @@ in # force-copy static_content so it's up to date with package # set permissions for wwsympa which needs write access (...) "R ${dataDir}/static_content - - - - -" - "C ${dataDir}/static_content 0711 ${user} ${group} - ${pkg}/static_content" + "C ${dataDir}/static_content 0711 ${user} ${group} - ${pkg}/var/lib/sympa/static_content" "e ${dataDir}/static_content/* 0711 ${user} ${group} - -" "d /run/sympa 0755 ${user} ${group} - -"
@@ -497,7 +497,7 @@ in -F ${toString cfg.web.fcgiProcs} \ -P /run/sympa/wwsympa.pid \ -s /run/sympa/wwsympa.socket \ - -- ${pkg}/bin/wwsympa.fcgi + -- ${pkg}/lib/sympa/cgi/wwsympa.fcgi ''; } // commonServiceConfig;
@@ -518,7 +518,7 @@ in fastcgi_split_path_info ^(${loc})(.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param SCRIPT_FILENAME ${pkg}/bin/wwsympa.fcgi; + fastcgi_param SCRIPT_FILENAME ${pkg}/lib/sympa/cgi/wwsympa.fcgi; ''; }) // { "/static-sympa/".alias = "${dataDir}/static_content/";
@@ -550,7 +550,7 @@ in args = [ "flags=hqRu" "user=${user}" - "argv=${pkg}/bin/queue" + "argv=${pkg}/libexec/queue" "\${nexthop}" ]; };
@@ -562,7 +562,7 @@ in args = [ "flags=hqRu" "user=${user}" - "argv=${pkg}/bin/bouncequeue" + "argv=${pkg}/libexec/bouncequeue" "\${nexthop}" ]; };
diff --git a/pkgs/servers/mail/sympa/default.nix b/pkgs/servers/mail/sympa/default.nix
index df1d826594e4..c5c9b4400494 100644
--- a/pkgs/servers/mail/sympa/default.nix
+++ b/pkgs/servers/mail/sympa/default.nix
@@ -73,6 +73,7 @@ stdenv.mkDerivation rec { }; configureFlags = [ + "--enable-fhs" "--without-initdir" "--without-unitsdir" "--without-smrshdir"
From fdc36e2c89759db3bbf9d5fe2648c31b7988dbca Mon Sep 17 00:00:00 2001
From: Martin Milata
Date: Tue, 24 Mar 2020 02:35:39 +0100
Subject: [PATCH 3/3] nixos/sympa: fix outgoing messaging Because ProtectKernelModules implies NoNewPrivileges, postfix's sendmail executable, which is setgid, wasn't able to send mail.
---
nixos/modules/services/mail/sympa.nix | 2 --
1 file changed, 2 deletions(-)
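Review bot: The new wwsympa.fcgi location is written out twice in patch 2/3, once in the spawn-fcgi command (sympa.nix hunk at 497, `-- ${pkg}/lib/sympa/cgi/wwsympa.fcgi`) and once in the nginx `SCRIPT_FILENAME` (hunk at 518), and the tmpfiles rule in the hunk at 415 repeats the literal `/var/lib/sympa` beside `${dataDir}`. These strings now have to follow the package's `--enable-fhs` layout by hand. A single binding such as `wwsympaFcgi = "${pkg}/lib/sympa/cgi/wwsympa.fcgi";`, used in both places, would keep the script nginx names and the script the service actually starts from drifting apart on the next layout change. The attribute sets these hunks edit begin and end outside the hunks, so where that binding would best live is not visible here.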
diff --git a/nixos/modules/services/mail/sympa.nix b/nixos/modules/services/mail/sympa.nix
index 7b9c37aba208..0cad09927b2f 100644
--- a/nixos/modules/services/mail/sympa.nix
+++ b/nixos/modules/services/mail/sympa.nix
@@ -25,8 +25,6 @@ let StateDirectory = "sympa"; ProtectHome = true; ProtectSystem = "full"; - ProtectKernelTunables = true; - ProtectKernelModules = true; ProtectControlGroups = true; };
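Review bot: Nothing in the remaining service config records why `ProtectKernelTunables` and `ProtectKernelModules` are absent, so a later hardening pass could re-add them and break outgoing mail again. The reason lives only in the commit message, which names just ProtectKernelModules although both lines are dropped. Per systemd.exec both options imply NoNewPrivileges when the unit runs without CAP_SYS_ADMIN, which is presumably the case here, though the `User=` setting is not visible in this hunk. I would add a comment above `ProtectControlGroups = true;`, for example `# ProtectKernelTunables/ProtectKernelModules omitted: they imply NoNewPrivileges, which breaks postfix's setgid sendmail`. The attribute set this hunk edits begins outside the hunk.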