This option allows adding the build closure of the system to its
runtime closure, enabling fully-offline rebuilds (as long as no new
packages are added).
Otherwise the `minio.service` service will fail either:
* with a message that the EnvironmentFile does not exist
* or silently with potentially stale credentials
Guest operating systems inside VMs or containers can't update the host CPU's microcode for obvious security reasons, so setting the `hardware.cpu.*.updateMicrocode` options is pointless.
This patch fixes two issues:
1. The file in which environment variables are set is inconsistent.
- This file sets them in zprofile when programs.zsh.enable is not
set.
- Zsh module sets them in zshenv when programs.zsh.enable is set.
2. Setting environment variables in zprofile overrides what users set
in .zshenv. See these[1] home-manager[2] issues[3].
/etc/profile is also changed to /etc/set-environment. Here is a
comparison:
Using /etc/profile:
- Pros
- config.environment.shellInit is sourced in all zsh
- Cons
- config.environment.loginShellInit is also sourced in non-login zsh
- config.programs.bash.shellInit is also sourced in all zsh
- config.programs.bash.loginShellInit is also sourced in all zsh
Using /etc/set-environment:
- Pros
- config.programs.bash.shellInit is not sourced in any zsh
- config.programs.bash.loginShellInit is not sourced in any zsh
- Cons
- config.environment.shellInit is not sourced in any zsh
- config.environment.loginShellInit is not sourced in any zsh
[1]: https://github.com/nix-community/home-manager/issues/2751#issuecomment-1048682643
[2]: https://github.com/nix-community/home-manager/issues/2991
[3]: https://github.com/nix-community/home-manager/issues/3681#issuecomment-1436054233
Updates the warnings message for statefully set up passwords, now that
weak algorithms have been removed from our libxcrypt package.
Additionall we now add proper validation for hashing schemes used in
`hashedPassword`.
Neither will prevent a rebuiild, but instead issue a warning, that this
requires immediate remediation, or else users will be unable to login.
Reuses the crypt scheme ids as provided by the libxcrypt package.
Effectively removes support for the following hashing algorithms
as announced in the NixOS 22.11 release notes:
- bcrypt_x ($2x$)
- sha256crypt ($5$)
- sha1crypt ($sha1$)
- sunmd5 ($md5$)
- md5crypt ($1$)
- nt ($3$)
- bdiscrypt (_)
- bigcrypt (:)
- descrypt (:)
And exposes the crypt scheme ids for enabled algorithms, so they can be
reused for validation in the users-groups module.
The module was allowing specific chown syscalls, which is brittle because
there are several and different ones are used by glibc on different
architectures. For example, fchownat was already added to the allowlist for
aarch64, while on armv6l chrony crashes because chown32 is not in the
allowlist.
systemd provides the @chown syscall set, which includes all the chown
syscalls and avoids this brittleness. I believe the syscalls would all be
equivalent from an attacker's perspective, so there is unlikely to be any
security impact.
