It currently says that everything will be backward compatible between lego and simp-le certificates, but it’s not.
(cherry picked from commit 21c4a33cee)
According to my analysis the last critical fix went into v5.4.23, I have
confirmed this by running WebGL over night and haven't seen a single
i915 GPU hang. Lets remove the notes from the release notes.
(cherry picked from commit da764d22ce)
This is an backward incompatible change from upstream dhcpcd [0], as
this could have easily locked me out of my box.
As dhcpcd doesn't allow to use only a blacklist (denyinterfaces in
dhcpcd.conf) of devices and use all remaining devices, while explicitly
allowing some interfaces like bridges, I think the best option would be
to not change anything about it and just educate the users here about
that edge case and how to solve it.
[0] https://roy.marples.name/archives/dhcpcd-discuss/0002621.html
(cherry picked from commit eeeb2bf803)
Also removed `pkgs.hydra-flakes` since flake-support has been merged
into master[1]. Because of that, `pkgs.hydra-unstable` is now compiled
against `pkgs.nixFlakes` and currently requires a patch since Hydra's
master doesn't compile[2] atm.
[1] https://github.com/NixOS/hydra/pull/730
[2] https://github.com/NixOS/hydra/pull/732
Some changes might require manual migration steps:
"Due to changes to the way in which Gollum handles filenames, you may
have to change some links in your wiki when migrating from gollum 4.x.
See the release notes [0] for more details. You may find the
bin/gollum-migrate-tags script helpful to accomplish this. Also see the
--lenient-tag-lookup option for making tag lookup backwards compatible
with 4.x, though note that this will decrease performance on large wikis
with many tags." (source: [1])
[0]: https://github.com/gollum/gollum/wiki/5.0-release-notes
[1]: https://github.com/gollum/gollum/blob/v5.0.0/HISTORY.md
So now we have only packages for human interaction in php.packages and
only extensions in php.extensions. With this php.packages.exts have
been merged into the same attribute set as all the other extensions to
make it flat and nice.
The nextcloud module have been updated to reflect this change as well
as the documentation.
Upgrades Hydra to the latest master/flake branch. To perform this
upgrade, it's needed to do a non-trivial db-migration which provides a
massive performance-improvement[1].
The basic ideas behind multi-step upgrades of services between NixOS versions
have been gathered already[2]. For further context it's recommended to
read this first.
Basically, the following steps are needed:
* Upgrade to a non-breaking version of Hydra with the db-changes
(columns are still nullable here). If `system.stateVersion` is set to
something older than 20.03, the package will be selected
automatically, otherwise `pkgs.hydra-migration` needs to be used.
* Run `hydra-backfill-ids` on the server.
* Deploy either `pkgs.hydra-unstable` (for Hydra master) or
`pkgs.hydra-flakes` (for flakes-support) to activate the optimization.
The steps are also documented in the release-notes and in the module
using `warnings`.
`pkgs.hydra` has been removed as latest Hydra doesn't compile with
`pkgs.nixStable` and to ensure a graceful migration using the newly
introduced packages.
To verify the approach, a simple vm-test has been added which verifies
the migration steps.
[1] https://github.com/NixOS/hydra/pull/711
[2] https://github.com/NixOS/nixpkgs/pull/82353#issuecomment-598269471
It's impossible to move two major-versions forward when upgrading
Nextcloud. This is an issue when comming from 19.09 (using Nextcloud 16)
and trying to upgrade to 20.03 (using Nextcloud 18 by default).
This patch implements the measurements discussed in #82056 and #82353 to
improve the update process and to circumvent similar issues in the
future:
* `pkgs.nextcloud` has been removed in favor of versioned attributes
(currently `pkgs.nextcloud17` and `pkgs.nextcloud18`). With that
approach we can safely backport major-releases in the future to
simplify those upgrade-paths and we can select one of the
major-releases as default depending on the configuration (helpful to
decide whether e.g. `pkgs.nextcloud17` or `pkgs.nextcloud18` should be
used on 20.03 and `master` atm).
* If `system.stateVersion` is older than `20.03`, `nextcloud17` will be
used (which is one major-release behind v16 from 19.09). When using a
package older than the latest major-release available (currently v18),
the evaluation will cause a warning which describes the issue and
suggests next steps.
To make those package-selections easier, a new option to define the
package to be used for the service (namely
`services.nextcloud.package`) was introduced.
* If `pkgs.nextcloud` exists (e.g. due to an overlay which was used to
provide more recent Nextcloud versions on older NixOS-releases), an
evaluation error will be thrown by default: this is to make sure that
`services.nextcloud.package` doesn't use an older version by accident
after checking the state-version. If `pkgs.nextcloud` is added
manually, it needs to be declared explicitly in
`services.nextcloud.package`.
* The `nixos/nextcloud`-documentation contains a
"Maintainer information"-chapter which describes how to roll out new
Nextcloud releases and how to deal with old (and probably unsafe)
versions.
Closes #82056
Dropbear lags behind OpenSSH significantly in both support for modern
key formats like `ssh-ed25519`, let alone the recently-introduced
U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched
my `authorizedKeys` over to it and promptly locked myself out of my
server's initrd SSH, breaking reboots), as well as security features
like multiprocess isolation. Using the same SSH daemon for stage-1 and
the main system ensures key formats will always remain compatible, as
well as more conveniently allowing the sharing of configuration and
host keys.
The main reason to use Dropbear over OpenSSH would be initrd space
concerns, but NixOS initrds are already large (17 MiB currently on my
server), and the size difference between the two isn't huge (the test's
initrd goes from 9.7 MiB to 12 MiB with this change). If the size is
still a problem, then it would be easy to shrink sshd down to a few
hundred kilobytes by using an initrd-specific build that uses musl and
disables things like Kerberos support.
This passes the test and works on my server, but more rigorous testing
and review from people who use initrd SSH would be appreciated!
This mirrors the behaviour of systemd - It's udev that parses `.link`
files, not `systemd-networkd`.
This was originally applied in 36ef112a47,
but was reverted due to 1115959a8d causing
evaluation errors on hydra.
* Linkify all service options used in the code-examples.
* Demonstrated the use of `riot-web.override {}`.
* Moved the example how to configure a postgresql-database for
`matrix-synapse` to this document from the 20.03 release-notes.
...even when networkd is disabled
This reverts commit ce78f3ac70, reversing
changes made to dc34da0755.
I'm sorry; Hydra has been unable to evaluate, always returning
> error: unexpected EOF reading a line
and I've been unable to reproduce the problem locally. Bisecting
pointed to this merge, but I still can't see what exactly was wrong.
On servers especially, phantomjs2 pulls graphical dependencies which is unecessary.
This pathes enable the package to be linked/installed without
phantomjs2. Phantomjs2 is disabled by default since it has been deprecated in grafana https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/
In 0945178b3c we decided that Perl-based
VM tests should be deprecated and will be removed between 20.03 and
20.09. So let's switch `nixos-build-vms(8)` to python as well (which is
entirely interactive, so other scripts won't break).
In my experience, the test-driver isn't used most of the time, so this
patch is mainly supposed to get rid of the (probably misleading)
deprecation warning when running `nixos-build-vms`. Apart from that, the
interface for python's test-driver is way nicer.
XML error introduced with merge commit 4e0fea3fe2.
This was probably because of wrong conflict resolution, because the
actual change (d8e697b4fc) had the close
tag of the <para/> element, but the merge commit didn't.
Signed-off-by: aszlig <aszlig@nix.build>
Package is marked as broken for >2 years and used a fairly old
snapshot from the gcc7-branch, so I fairly doubt that this is
somewhere used (and is also pretty misleading as you don't expect a
random snapshot from gcc7 at `pkgs.gcc-snapshot`).
There are no new releases of sqldeveloper v17/v18 and I don't think that
we should keep obviously unmaintained software that interacts with
database systems.
I removed `sqldeveloper_18` and `pkgs.sqldeveloper` now points to
version 19.4. Unfortunately I had to drop darwin support as JavaFX is
required for 19.4 which is part of the `oraclejdk` which isn't packaged
for darwin yet.
For further information please refer to the release notes:
https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html
This module allows root autoLogin, so we would break that for users, but
they shouldn't be using it anyways. This gives the impression like auto
is some special display manager, when it's just lightdm and special pam
rules to allow root autoLogin. It was created for NixOS's testing
so I believe this is where it belongs.
Will be unsupported within the lifespan of 20.03. Also there aren't any
known issues that require this version as workaround, so a removal
should be fairly safe.
As of 2020-01-09, way-cooler is officially dead:
http://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html
hence, remove the package and the module.
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
docs/release-notes: remove way-cooler
way-cooler: show warnings about removal
Apply suggestions from code review
Co-Authored-By: worldofpeace <worldofpeace@protonmail.ch>
way-cooler: add suggestion by @Infinisil
Deperecates the interfaces option which was used to generate a host:port
list whereas the port was always hardcoded to 53. This unifies the
listen configuration for plain and TLS sockets and allows to specify a
port without an address for wildcard binds.
This makes ~2.5x speed up of an empty container instantiate, hence reduces
rebuild time of system with many declarative containers.
Note that this doesn't affect production systems much, becaseu those most
likely already include `minimal.nix` profile.
The upstream session files display managers use have no concept of sessions being composed from
desktop manager and window manager. To be able to set upstream session files as default
session, we need a single option. Having two different ways to set default session would be confusing,
though, so we decided to deprecate the old method.
We also created separate script for each session, just like we already had a separate desktop
file for each one, and started using displayManager.sessionPackages mechanism to make the
session handling more uniform.
Fixes https://github.com/NixOS/nixpkgs/issues/75075.
To summarize the report in the aforementioned issue, at a glance,
it's a different default than what upstream polkit has. Apparently
for 8+ years polkit defaults admin identities as members of
the wheel group [0]. This assumption would be appropriate on NixOS, where
every member of group 'wheel' is necessarily privileged.
[0]: 763faf434b
This cuts down the dependency tree on some rust builds where a crate not
just exposes a binary but also a library. `$out/lib` contained a bunch
of extra support files that among other information carry linker flags
(including the full path to link-time dependencies). Worst case this led
to some binary outputs depending on the full build closure of rust
crates.
Moving all the `$out/lib` files to `$lib/lib` solves this nicely.
`lib` might be a bit weird here as they are most of the time just rlib
files (rust libraries). Those are essential only required during
compilation but they can also be shared objects (like with traditional
C-style packages). Which is why I went with `lib` for the new output.
One of the caveats we are running into here is that we do not (always)
know ahead of time of a crate produces just a library or just a binary.
Cargo allows for some ambiguity regarding whether or not a crate
provides one, two, … binaries and libraries as it's outputs. Ideally we
would be able to rely on the `crateType` entirely but so far that isn't
the case. More work on that area might show how difficult that actually
is.
This is a more sane default since we do not magically (without opt-in)
pull in binaries from `~/bin`. That is not really an expected behavior
for many users. Users that still want that behavior can now just flip
that switch.
osquery was marked as broken since April.
If somebody steps up to fix it, we can always revive it from the
histroy, but there's not much value in shipping completely broken things
in current master.
cc @ma27
The package set is not maintained. It is also not used by most of the
BEAM community. Removing it to allow a more useful set of tools fit to
the BEAM community in Nixpkgs.
Before, we very carefully unapplied and reapplied `set -u` so the rest
of Nixpkgs could continue to not fail on undefined variables. Let's rip
off the band-aid.
Just maching all network interfaces caused many breakages, see #18962
and #71106.
We already don't support the global networking.useDHCP,
networking.defaultGateway(6) options if networking.useNetworkd is
enabled, but direct users to configure the per-device
networking.interfaces.<name?>.… options.
Even though the release obviously already happened, I think it might
still make sense to add a short note about the attributes not being
supported any longer (and going forward).
(cherry picked from commit 7163d3a9df)
(cherry picked from commit a64b8c3c19)
This option was removed because allowing (multiple) regular users to
override host entries affecting the whole system opens up a huge attack
vector. There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using networking.hosts,
provide them via the DNS server in your network, or use
networking.networkmanager.appendNameservers to point your system to
another (local) nameserver to set those entries.
This solves the dependency cycle in gcr alternatively so there won't be
two gnupg store paths in a standard NixOS system which has udisks2 enabled
by default.
NixOS users are expected to use the gpg-agent user service to pull in the
appropriate pinentry flavour or install it on their systemPackages and set
it in their local gnupg agent config instead.
Co-authored-by: Florian Klink <flokli@flokli.de>
This solves the dependency cycle in gcr alternatively so there won't be
two gnupg store paths in a standard NixOS system which has udisks2 enabled
by default.
NixOS users are expected to use the gpg-agent user service to pull in the
appropriate pinentry flavour or install it on their systemPackages and set
it in their local gnupg agent config instead.
Co-authored-by: Florian Klink <flokli@flokli.de>
The state path now, since the transition from initialization in
preStart to using systemd-tmpfiles, has the following restriction: no
parent directory can be owned by any other user than root or the user
specified in services.gitlab.user. This is a potentially breaking
change and the cause of the error isn't immediately obvious, so
document it both in the release notes and statePath description.
This plugin is fairly outdated and depends on python2 libraries that
don't receive any updates either (xmpppy for instance[1]).
[1] https://pypi.org/project/xmpppy/
* remove kinetic
* release note
* add johanot as maintainer
nixos/ceph: create option for mgr_module_path
- since the upstream default is no longer correct in v14
* fix module, default location for libexec has changed
* ceph: fix test
The redis module currently fails to start up, most likely due to running
a chown as non-root in preStart.
While at it, I hardcoded it to use systemd's StateDirectory and
DynamicUser to manage directory permissions, removed the unused
appendOnlyFilename option, and the pidFile option.
We properly tell redis now it's daemonized, and it'll use notify support
to signal readiness.
It currently lacks an emoji font-family which means it has to be
disabled for them to function [0]. Additionally it's fallen out of
necessity to ship custom font rendering settings (as far as I'm aware
of).
[0]: https://github.com/NixOS/nixpkgs/pull/67215
* nixos/acme: Fix ordering of cert requests
When subsequent certificates would be added, they would
not wake up nginx correctly due to target units only being triggered
once. We now added more fine-grained systemd dependencies to make sure
nginx always is aware of new certificates and doesn't restart too early
resulting in a crash.
Furthermore, the acme module has been refactored. Mostly to get
rid of the deprecated PermissionStartOnly systemd options which were
deprecated. Below is a summary of changes made.
* Use SERVICE_RESULT to determine status
This was added in systemd v232. we don't have to keep track
of the EXITCODE ourselves anymore.
* Add regression test for requesting mutliple domains
* Deprecate 'directory' option
We now use systemd's StateDirectory option to manage
create and permissions of the acme state directory.
* The webroot is created using a systemd.tmpfiles.rules rule
instead of the preStart script.
* Depend on certs directly
By getting rid of the target units, we make sure ordering
is correct in the case that you add new certs after already
having deployed some.
Reason it broke before: acme-certificates.target would
be in active state, and if you then add a new cert, it
would still be active and hence nginx would restart
without even requesting a new cert. Not good! We
make the dependencies more fine-grained now. this should fix that
* Remove activationDelay option
It complicated the code a lot, and is rather arbitrary. What if
your activation script takes more than activationDelay seconds?
Instead, one should use systemd dependencies to make sure some
action happens before setting the certificate live.
e.g. If you want to wait until your cert is published in DNS DANE /
TLSA, you could create a unit that blocks until it appears in DNS:
```
RequiredBy=acme-${cert}.service
After=acme-${cert}.service
ExecStart=publish-wait-for-dns-script
```
The `keys.target` is used to indicate whether all NixOps keys were
successfully uploaded on an unattended reboot. However this can cause
startup issues e.g. with NixOS containers (see #67265) and can block
boots even though this might not be needed (e.g. with a dovecot2
instance running that doesn't need any of the NixOps keys).
As described in the NixOps manual[1], dependencies to keys should be
defined like this now:
``` nix
{
systemd.services.myservice = {
after = [ "secret-key.service" ];
wants = [ "secret-key.service" ];
};
}
```
However I'd leave the issue open until it's discussed whether or not to
keep `keys.target` in `nixpkgs`.
[1] https://nixos.org/nixops/manual/#idm140737322342384
systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.
These enable:
- Loose reverse path filtering
- Source route filtering
- `fq_codel` as a packet scheduler (this helps to fight bufferbloat)
This also configures the kernel to pass coredumps to `systemd-coredump`.
These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`,
and overridden via `boot.kernel.sysctl`
(which will place the parameters in `/etc/sysctl.d/60-nixos.conf`.
Let's start using these, like other distros already do for quite some
time, and remove those duplicate `boot.kernel.sysctl` options we
previously did set.
In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
sysctl.d(5) recommends prefixing all filenames in /etc/sysctl.d with a
two-digit number and a dash, to simplify the ordering of the files.
Some packages provide custom files, often with "50-" prefix.
To ensure user-supplied configuration takes precedence over the one
specified via `boot.kernel.sysctl`, prefix the file generated there with
"60-".
There's many reason why it is and is going to
continue to be difficult to do this:
1. All display-managers (excluding slim) default PAM rules
disallow root auto login.
2. We can't use wayland
3. We have to use system-wide pulseaudio
4. It could break applications in the session.
This happened to dolphin in plasma5
in the past.
This is a growing technical debt, let's just use
passwordless sudo.
ibus-qt has not seen a release in 5 years and is only relevant for Qt
4.x, which is becoming more and more rare. Using my current laptop as a
data point, ibus-qt is the only dependency left that drags in qt-4.8.7.
One of the main problems of the Nextcloud module is that it's currently
not possible to alter e.g. database configuration after the initial
setup as it's written by their imperative installer to a file.
After some research[1] it turned out that it's possible to override all values
with an additional config file. The documentation has been
slightly updated to remain up-to-date, but the warnings should
remain there as the imperative configuration is still used and may cause
unwanted side-effects.
Also simplified the postgresql test which uses `ensure{Databases,Users}` to
configure the database.
Fixes #49783
[1] https://github.com/NixOS/nixpkgs/issues/49783#issuecomment-483063922
This was supposed to go through a pull request
Revert "nodePackages: Regenerate node packages for nodejs 10 & 12"
This reverts commit 6a17bdf397.
Revert "nodejs-8_x: Drop package"
This reverts commit e06c97b71d.
PHP 7.1 is currently on life support, as in only recieving security related patches.
This will only continue until: 2019-12-01
This date are in the middle of the 19.09 lifecycle. So it would be
nice to not have it in the 19.09 stable release. Dropping it now would
also result in less maintanance in updating them.
The death dates can be seen on following links:
- https://endoflife.date/php
- https://php.net/supported-versions.php
- https://en.wikipedia.org/wiki/PHP#Release_history
The autoLuks module is not really compatible with the updated systemd
version anymore. We started dropping NixOS specific patches that caused
unwanted side effects that we had to work around otherwise.
This change points users towards the relevant PR and spits out a bit of
information on how to deal with the situation.
Somewhen between systemd v239 and v242 upstream decided to no longer run
a few system services with `DyanmicUser=1` but failed to provide a
migration path for all the state those services left behind.
For the case of systemd-timesync the state has to be moved from
/var/lib/private/systemd/timesync to /var/lib/systemd/timesync if
/var/lib/systemd/timesync is currently a symlink.
We only do this if the stateVersion is still below 19.09 to avoid
starting to have an ever growing activation script for (then) ancient
systemd migrations that are no longer required.
See https://github.com/systemd/systemd/issues/12131 for details about
the missing migration path and related discussion.
mysql already has its socket path hardcoded to to
/run/mysqld/mysqld.sock.
There's not much value in making the pidDir configurable, which also
points to /run/mysqld by default.
We only seem to use `services.mysql.pidDir` in the wordpress startup
script, to wait for mysql to boot up, but we can also simply wait on the
(hardcoded) socket location too.
A much nicer way to accomplish that would be to properly describe a
dependency on mysqld.service. This however is not easily doable, due to
how the apache-httpd module was designed.
As we don't need to setup data directories from ExecStartPre= scripts
anymore, which required root, but use systemd.tmpfiles.rules instead,
everything can be run as just the mysql user.
Some packages like `ibus-engines.typing-booster` require the dictionary
`fr_FR.dic` to provide proper support for the french language.
Until now the hunspell package set of nixpkgs didn't provide this
dictionary. It has been recommended to use `fr-moderne` as base and link
`fr_FR.dic` from it as done by other distros such as ArchLinux.
See https://github.com/NixOS/nixpkgs/issues/46940#issuecomment-423684570
Fixes #46940
Commit 29d7d8f44d has introduced another
section with the ID "sec-release-19.09-incompatibilities", which
subsequently causes the build to fail.
I just merged both sections and the manual is now building again.
Signed-off-by: aszlig <aszlig@nix.build>
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.
This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.
However, this process is a bit tedious, so the changes here implement
this in a more generic way.
Now if you want to chroot a systemd service, all you need to do is:
{
systemd.services.myservice = {
description = "My Shiny Service";
wantedBy = [ "multi-user.target" ];
confinement.enable = true;
serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
};
}
If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.
In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.
Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.
The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.
A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.
The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):
@samueldr:
Via pull request comment[1]:
+1 for backporting as this only enhances the feature set of nixos,
and does not (at a glance) change existing behaviours.
Via IRC:
new feature: -1, tests +1, we're at zero, self-contained, with no
global effects without actively using it, +1, I think it's good
@lheckemann:
Via pull request comment[2]:
I'm neutral on backporting. On the one hand, as @samueldr says,
this doesn't change any existing functionality. On the other hand,
it's a new feature and we're well past the feature freeze, which
AFAIU is intended so that new, potentially buggy features aren't
introduced in the "stabilisation period". It is a cool feature
though? :)
A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:
@edolstra: "I'm not against it"
@Infinisil: "+1 from me as well"
@grahamc: "IMO its up to the RMs"
So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.
I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.
[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
eb90d97009 broke nslcd, as /run/nslcd was
created/chowned as root user, while nslcd wants to do parts as nslcd
user.
This commit changes the nslcd to run with the proper uid/gid from the
start (through User= and Group=), so the RuntimeDirectory has proper
permissions, too.
In some cases, secrets are baked into nslcd's config file during startup
(so we don't want to provide it from the store).
This config file is normally hard-wired to /etc/nslcd.conf, but we don't
want to use PermissionsStartOnly anymore (#56265), and activation
scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf,
which now gets provisioned inside ExecStartPre=.
This change requires the files referenced to in
users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be
readable by the nslcd user (in the non-nslcd case, this was already the
case for users.ldap.bind.passwordFile)
fixes #57783
First of all, the reason I added this to the "highlights" section is
that we want users to be aware of these options, because in the end we
really want to decrease the attack surface of NixOS services and this is
a step towards improving that situation.
The reason why I'm adding this to the changelog of the NixOS 19.03
release instead of 19.09 is that it makes backporting services that use
these options easier. Doing the backport of the confinement module after
the official release would mean that it's not part of the release
announcement and potentially could fall under the radar of most users.
These options and the whole module also do not change anything in
existing services or affect other modules, so they're purely optional.
Adding this "last minute" to the 19.03 release doesn't hurt and is
probably a good preparation for the next months where we hopefully
confine as much services as we can :-)
I also have asked @samueldr and @lheckemann, whether they're okay with
the inclusion in 19.03. While so far only @samueldr has accepted the
change, we can still move the changelog entry to the NixOS 19.09 release
notes in case @lheckemann rejects it.
Signed-off-by: aszlig <aszlig@nix.build>
Compatibility with other distributions/software and expectation
of users coming from other systems should have higher priority over consistency.
In particular this fixes #51375, where the NetworkManager-wait-online.service
broke as a result of this.
This is a backwards-incompatible change and while it won't probably
affect a whole lot of users, it makes sense to give them a heads-up
anyway.
Signed-off-by: aszlig <aszlig@nix.build>
