The `openssh` and `openssh_hpn` packages are now built without
the Kerberos support by default in an effort to reduce the attack surface.
The Kerberos support is likely used only by a fraction of the total users
(I'm guessing mainly users integrating SSH in an Active Directory env) so
dropping it should not impact too many users. It should also be noted that
the Kerberos/GSSAPI auth is disabled by default in the configuration.
`opensshWithKerberos` and `openssh_hpnWithKerberos` are added in order
to provide an easy migration path for users needing this support.
The `openssh_gssapi` package is kept untouched.
Add a Nixpkgs 24.05 release note entry explaining the introduction of
`systemBinPaths` argument, the prioritization of the original (FHS)
`defaultPath` values, and the deprecation of arguments `newuidmapPath`,
`newgidmapPath` and NixOS configuration option
`programs.singularity.enableFakeroot`.
This sets RocksDB as the default storage backend for `stateVersion` >=
24.11. For previous `stateVersion`s, the structured data and blobs
remain on SQLite and the filesystem respectively.
This is closer to the suggested upstream configuration for fully local
storage.
Set assertions to avoid obvious errors.
Eliminate the conflict between default CNI (`cana`) and `NetworkManager`.
Determine whether optional can be used for agent.
Add the option `cisHardening` to enable CIS Hardening.
Set kernel parameters by `boot.kernel.sysctl`.
Using `lib.escapeShellArgs` to make `ExecStart` more resilient to escaping issues.
Using a list of `str` to extra flags.
This makes `justStaticExecutables` error if the produced store path
contains references to GHC. This is almost always erroneous and due to
the generated `Paths_*` module being imported. This helps prevent
`justStaticExecutables` from producing binaries with closure sizes in
the gigabytes.
See: https://github.com/NixOS/nixpkgs/issues/164630
Co-authored-by: sternenseemann <sternenseemann@systemli.org>
