mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-19 08:31:01 +03:00
Commit graph

25546 commits

Author SHA1 Message Date
midchildan
bd8132ac62
noto-fonts-cjk: add missing serif font
Fixes #99940
2022-01-17 02:04:02 +09:00
Winter
2104608642 nixos/borgbackup: allow empty archive base name 2022-01-16 10:41:04 -05:00
github-actions[bot]
0173b359a6
Merge master into staging-next 2022-01-16 12:01:11 +00:00
Kim Lindberger
cdd600c430
Merge pull request #154193 from abbradar/keycloak-changes
keycloak: 15.1.0 -> 16.1.0 + module improvements
2022-01-16 11:27:29 +01:00
Nikolay Amiantov
97a0cf62f0 keycloak service: allow to set empty frontend URL
This together with extraConfig:

{
  "subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true;
  "subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true;
}

Allows running Keycloak behind a reverse proxy that provides
X-Forwarded-* headers.
2022-01-16 11:41:50 +03:00
Nikolay Amiantov
84f70eefd1 keycloak service: add themes support
Custom themes can be packaged and then added using `themes` config
attribute.
2022-01-16 11:41:50 +03:00
Nikolay Amiantov
a42abe27c0 keycloak service: use 'attrsOf anything' for extraConfig 2022-01-16 11:25:44 +03:00
Nikolay Amiantov
827267a27f keycloak service: update HTTPS configuration
Keycloak 16.1.0 uses a different way to configure HTTPS.
This requires us to order commands correctly, otherwise linked
objects will fail.
2022-01-16 11:25:44 +03:00
Nikolay Amiantov
3c7e78cc6a keycloak service: ordering for CLI script
Allow update commands in the script to be ordered using `mkOrder`.
If we encounter ordered sub-objects we sort them by priority.

To implement this we now explicitly pass current node in `recurse`,
which also allows us to clean up edge case for top-level node.

Also refactor `recurse` to avoid passing result text argument; we
weren't tail recursive before anyway.
2022-01-16 11:25:44 +03:00
Jörg Thalheim
d4846c4526
Merge pull request #155075 from Mic92/ddclient
nixos/ddclient: don't chown secrets until dynamicuser issue is resolved
2022-01-16 06:23:28 +00:00
github-actions[bot]
122cae786e
Merge master into staging-next 2022-01-16 06:01:16 +00:00
Martin Weinelt
369db3b2f3
mailpile, nixos/mailpile: drop
Still actively developed and yet stuck on python2. Also marked as
vulnerable and their issue tracker contains yet another security issue
reported in 2021/10 that the upstream hasn't acknowledged yet.

Mind blown.

Closes: #135543, #97274, #97275
2022-01-16 02:36:20 +01:00
Martin Weinelt
84926ba4c8
Merge pull request #155167 from piegamesde/rename-resort 2022-01-16 02:34:28 +01:00
Anderson Torres
ce6fd0d857
Merge pull request #154051 from starcraft66/polymc
polymc: init at 1.0.4

polymc substitutes multimc.
2022-01-15 22:18:26 -03:00
piegames
1f71224fe8 nixos/modules/rename: Sort alphabetically
This was a mess previously
2022-01-16 02:11:06 +01:00
Bernardo Meurer
4fa2647449
Merge pull request #154994 from mweinelt/kernel-disable-unpriv-ebpf
linux: enable BPF_UNPRIV_DEFAULT_OFF on 5.10 and later
2022-01-16 00:46:51 +00:00
Bernardo Meurer
7b0e7dcb39
Merge pull request #155142 from rapenne-s/thermald_no_net
thermald: disable network access
2022-01-16 00:36:11 +00:00
github-actions[bot]
f8fb795136
Merge master into staging-next 2022-01-16 00:01:52 +00:00
Jan Tojnar
5cd5fb71bc
Merge pull request #150980 from ncfavier/gdm-test
nixosTests.gnome: add autologin delay to catch GDM failures
2022-01-16 00:24:03 +01:00
Tristan Gosselin-Hane
155f315319 multimc: document replacement 2022-01-15 18:09:27 -05:00
Martin Weinelt
3ee206291a
linux: enable BPF_UNPRIV_DEFAULT_OFF between 5.10 and 5.15
Disable unprivileged access to BPF syscalls to prevent denial of service
and privilege escalation via

a) potential speculative execution side-channel-attacks on unmitigated
hardware[0]

or

b) unvalidated memory access in ringbuffer helper functions[1].

Fixes: CVE-2021-4204, CVE-2022-23222

[0] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
[1] https://www.openwall.com/lists/oss-security/2022/01/13/1
2022-01-15 23:44:19 +01:00
Maximilian Bosch
0a223c8d50
Merge pull request #154818 from qowoz/ecc-ignore
nixos/tests/systemd-networkd-vrf: move disabled check inline
2022-01-15 23:22:56 +01:00
Solene Rapenne
f3516813d8 thermald: disable network access
Use the systemd PrivateNetwork feature to prevent the thermald daemon from having
network capabilities.
2022-01-15 19:33:06 +01:00
github-actions[bot]
ed9751296d
Merge master into staging-next 2022-01-15 18:01:07 +00:00
Jonas Heinrich
75d417c267
nixos/dokuwiki: Drop deprecated old interface (#152676) 2022-01-16 02:38:20 +09:00
Jörg Thalheim
e91ed60026
Merge pull request #154805 from Lassulus/ergochat
ergochat: init at 2.9.1 (+ module/test)
2022-01-15 12:15:46 +00:00
github-actions[bot]
6d8719a23d
Merge master into staging-next 2022-01-15 12:01:13 +00:00
Ninjatrappeur
b47203b28f
Merge pull request #155039 from andir/prosody-security 2022-01-15 10:13:33 +01:00
0x4A6F
3cbdd13b11
Merge pull request #151364 from matthiasbeyer/add-timetagger
Add timetagger
2022-01-15 09:52:21 +01:00
Matthias Beyer
65aaf4e22d Add timetagger to release notes
Why the f*** would anyone ever add generated stuff to a git repository,
where the sources for the generated stuff AND the scripts to generate
them are in the repository?

Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
2022-01-15 09:08:52 +01:00
Matthias Beyer
1f10b0434f timetagger: Make enable option with mkOption
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
2022-01-15 09:07:54 +01:00
Matthias Beyer
a24dc8d2ef timetagger: Use default value for package option
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
Suggested-by: Aaron Andersen <aaron@fosslib.net>
2022-01-15 09:07:52 +01:00
Matthias Beyer
f3eaf66882 Add service module for timetagger
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
2022-01-15 09:07:52 +01:00
Jörg Thalheim
63971d1fda nixos/ddclient: don't chown secrets until dynamicuser issue is resolved
revert if https://github.com/NixOS/nixpkgs/pull/154928 or a similar fix gets applied
2022-01-15 07:21:05 +01:00
github-actions[bot]
2e421aaac4
Merge master into staging-next 2022-01-15 00:01:36 +00:00
Jonathan Ringer
87502df43b
nixos/systemd-boot: fix error output 2022-01-14 15:42:19 -08:00
Michael Weiss
297cb6514f
Merge pull request #153741 from primeos/nixos-tests-tinywl
nixos/tests/tinywl: init
2022-01-14 23:45:54 +01:00
lassulus
6b55249a5d nixos/tests/ergochat: init 2022-01-14 23:33:23 +01:00
lassulus
eaf8890a6c nixos/ergochat: init 2022-01-14 23:33:23 +01:00
Andreas Rammhold
4369bebd9a
nixos/tests: remove broken prosody-mysql test
The test has been broken for some time and the test errors are
non-obvious. None of the current maintainers know how to fix it so it is
better to get rid of it than to keep a continuously failing test.
2022-01-14 22:26:16 +01:00
Robert Hensing
8a552994d8 nixos/build-vm.nix: Fix docs eval
Quick fix. Might be possible to provide `extendModules`?
2022-01-14 19:17:11 +01:00
github-actions[bot]
d5e672b839
Merge master into staging-next 2022-01-14 18:01:18 +00:00
Robert Hensing
2bf5958169
Merge pull request #151082 from hercules-ci/nixos-cleanup-vmWithBootLoader
nixos: turn vmWithBootLoader into option (`nixos-rebuild build-vm`)
2022-01-14 18:49:27 +01:00
rnhmjoj
2eed89bbe1
nixos/wireless: implement opportunistic WPA3
It turns out it's actually possible to fall back to WPA2 in case the
authentication fails with WPA3. This was suggested to me in the hostapd
mailing list: add another network block with only WPA2 and lower
priority, for each network with WPA3. For clients with missing/broken
WPA3, wpa_supplicant will:

1. try the network block with higher priority first
2. fail and temporarily disable the network block
3. try the fallback network block and connect

This takes a little more time (still <5s) because wpa_supplicant
retries a couple times before disabling the network block, but it allows
old clients to gracefully fall back to WPA2 on mixed WPA2/WPA3 networks.

To avoid downgrade attacks, clients with proper WPA3 should disable
this; in the future we may want to disable this option by default.
2022-01-14 10:54:01 +01:00
Dmitry Kalinkin
a56da82f7a
Merge branch 'master' into staging-next
Conflicts:
	pkgs/development/python-modules/restfly/default.nix
2022-01-13 21:39:05 -05:00
CRTified
cbbabaddf9 nixos/adguardhome: Fix #154775 by checking for settings 2022-01-14 01:54:41 +01:00
piegames
d9172e7a1a fixup! nixos/heisenbridge: Improve hardening 2022-01-13 23:33:23 +01:00
Jörg Thalheim
dfdf225a98
Merge pull request #154550 from veehaitch/sgx-compat-udev
nixos/intel-sgx: add option for Intel SGX DCAP compatibility
2022-01-13 14:55:08 +00:00
piegames
4b165e7675 nixos/heisenbridge: Fix/improve enable option description
See https://github.com/NixOS/nixpkgs/pull/154831#discussion_r783858597 for context
2022-01-13 13:28:31 +01:00
piegames
854a65fd47 nixos/heisenbridge: Improve hardening
Systemd score is "1.6 OK 🙂"
2022-01-13 13:28:03 +01:00