This fixes postfix's membership in the postfix-tlspol group, since
memberships in a dynamically allocated group don't seem to work out.
Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.
This option does not configure sendmail itself because it is impossible
as sendmail is an alias for many things and could mean msmtp or postfix
or exim or something else.
Instead we rely on the PROTOCOL setting as initially proposed in #384582
and based on that open up the sandboxing settings, because if the user
configures sendmail, they want it to work and not have to configure yet
another thing.
Also makes postfix-specific things conditional on postfix being enabled
as msmtp does not need them.
Also we can set SENDMAIL_PATH unconditionally as every wrapper I am
aware of uses that path.
Fixes typo in assertion: `initialPromt` -> `initialPrompt`
This typo causes the module to fail with:
```
error: A definition for option `assertions' is not of type `list of unspecified value'. Definition values:
- In `/nix/store/.../nixos/modules/services/home-automation/wyoming/faster-whisper.nix': <function>
```
The typo was introduced in the v2.5.0 update.
When running with an xfs root partition and using systemd for stage 1
initrd, I noticed in journalctl that fsck.xfs always failed to execute.
The issue is that it is trying to use the below sh interpreter:
`#!/nix/store/xy4jjgw87sbgwylm5kn047d9gkbhsr9x-bash-5.2p37/bin/sh -f`
but the file does not exist in the initrd image.
/nix/store/xy4jjgw87sbgwylm5kn047d9gkbhsr9x-bash-5.2p37/bin/**bash**
exists since it gets pulled in by some package, but the rest of the
directory is not being pulled in.
boot/systemd/initrd.nix mentions that xfs_progs references the sh
interpreter and seems to explicitly try to address this by adding
${pkgs.bash}/bin to storePaths, but that's the wrong bash package.
Update the `storePaths` value to pull in `pkgs.bashNonInteractive`
rather than `pkgs.bash`.
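The failure above comes from a shebang whose interpreter exists on the build host but not inside the initrd. The following is an added example, not part of the commit or of nixpkgs: a POSIX sh function that walks an unpacked initrd tree (or any directory) and reports every script whose `#!` interpreter is missing under that same root, so the fsck.xfs case is caught before boot. The directory layout in the usage part is constructed for illustration; the store path names are made up.

```shell
#!/bin/sh
# Added example, not nixpkgs code. Reports scripts under ROOT whose "#!"
# interpreter does not exist under ROOT. Assumes ROOT is an unpacked initrd
# (or any tree where absolute interpreter paths resolve relative to ROOT).
missing_interpreters() {
  root=$1
  find "$root" -type f | while IFS= read -r f; do
    # Read only the first line; files without one are not scripts.
    IFS= read -r line < "$f" || continue
    case $line in
      '#!'*) ;;
      *) continue ;;
    esac
    interp=${line#'#!'}
    interp=${interp#"${interp%%[! ]*}"}   # drop spaces after "#!"
    interp=${interp%% *}                  # drop arguments such as "-f"
    # Interpreter paths are absolute in the shebang; look them up in the tree.
    [ -e "$root$interp" ] || printf '%s -> %s\n' "${f#"$root"}" "$interp"
  done
}

# Constructed sample tree reproducing the report: bin/bash is present but
# bin/sh from the same (made-up) bash store path is not.
make_sample_tree() {
  t=$1
  mkdir -p "$t/nix/store/abc-bash-5.2/bin" "$t/bin"
  printf 'binary\n' > "$t/nix/store/abc-bash-5.2/bin/bash"
  printf '#!/nix/store/abc-bash-5.2/bin/sh -f\nexit 0\n' > "$t/bin/fsck.xfs"
  printf '#!/nix/store/abc-bash-5.2/bin/bash\nexit 0\n' > "$t/bin/ok"
}

# Usage: missing_interpreters /path/to/unpacked/initrd
if [ $# -gt 0 ]; then
  missing_interpreters "$1"
fi
```

Run it against the unpacked initrd (for example after `zstd -d` and `cpio -i` into a scratch directory); any line of output is a script that will fail with "No such file or directory" at boot, exactly the symptom seen for fsck.xfs here.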
These derivations output one or more disk image files and metadata in
JSON, none of which seem to be good targets for patchelf, stripping
or other things that typically happen in fixupPhase.
I noticed that specifically shebang patching took a long time when
building bigger images, roughly doubling build times at times.
This might be due to a traversal of entire disk images, dozens of
gigabytes in size, while looking for interpreters.
All tests in
nix-build -A nixosTests.systemd-repart
passed, but no further testing was done yet.
Upstream changes were checked by checking out the stable31 branch of the
https://github.com/nextcloud/documentation and comparing:
git diff c1c9b0a072537544769fdd6062989a631d4fb17c admin_manual/installation/nginx-root.conf.sample
Notably, this adds the text/javascript and application/wasm mime types to the list of
gzip'ed mime types, which improves nextcloud loading in our testing.
Also adds webp support.
This will allow unlocking to take place *after* all of the devices have
been probed, as indicated by the x-systemd.wants and x-systemd.requires
options. This allows for multi-device bcachefs volumes to be reliably
unlocked.
Wine needs to listen to UDP ports 40k to 50k. Winbox can
use these ports to discover and connect.
Signed-off-by: Armin Mahdilou <Armin.Mahdilou@gmail.com>
Upstream, intentionally or not, no longer appends the EFI image
with a .pad section for us to hook the rest of the UKI to. This
simply dehardcodes .pad from the awk script, instead using the
very last section in the binary. (Currently .reloc)
Co-authored-by: Yaroslav Bolyukin <iam@lach.pw>
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
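To make the "last section" rule concrete, here is an added example (not the commit's awk script and not the systemd or nixpkgs tooling): a POSIX sh function that reads `objdump -h` output for the EFI stub on stdin, picks whatever section is listed last, and computes the aligned address where the next UKI section can start. The objdump output is a constructed sample in the shape `objdump -h` prints for a PE file; the section names, sizes and addresses are made up, and the 0x1000 section alignment passed as argument is an assumption rather than a value read from the PE header.

```shell
#!/bin/sh
# Added example, not the commit's script. Reads `objdump -h` output on stdin
# and prints "<name> <end> <next_start>" for the last section, where end is
# VMA + Size and next_start is end rounded up to ALIGN bytes.
# Assumes the objdump -h table layout: "Idx Name Size VMA LMA File-off Algn".
last_section_end() {
  align=$1
  # Data lines start with a numeric index; header and flag lines do not.
  set -- $(awk '$1 ~ /^[0-9]+$/ && NF >= 4 { name = $2; size = $3; vma = $4 }
                END { if (name != "") print name, size, vma }')
  [ $# -eq 3 ] || return 1
  name=$1 size=$2 vma=$3
  end=$((0x$vma + 0x$size))
  next=$(( (end + align - 1) / align * align ))
  printf '%s 0x%x 0x%x\n' "$name" "$end" "$next"
}

# Constructed sample in objdump -h format; no .pad section, .reloc is last.
sample_objdump_output() {
  cat <<'EOF'
stub.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00012345  0000000000001000  0000000000001000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rodata       00002000  0000000000014000  0000000000014000  00012800  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00000800  0000000000016000  0000000000016000  00014800  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .reloc        00000100  0000000000017000  0000000000017000  00015000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
EOF
}

# Usage: objdump -h stub.efi | last_section_end 4096
if [ $# -gt 0 ]; then
  objdump -h "$1" | last_section_end 4096
fi
```

Because nothing here depends on a section being called `.pad`, the same function works on a stub that still ships one (it would simply be reported as the last section) and on one that ends with `.reloc`, which is the case the commit addresses.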