Due to undetermined hardening changes, logging to syslog does not work
anymore, but we don't need it. We're running in a systemd unit, so allow
logging to stdout instead.
(cherry picked from commit 269d596970)
The taskserver-init systemd unit fails to build with
systemd.enableStrictShellChecks enabled, due to using the potentially
unsafe `mkdir -m`. Fix that by moving directory creation out to
systemd.tmpfiles.
(cherry picked from commit 465ffab65d)
* nixos/opensmtpd: fix opensmtpd test
(cherry picked from commit 42c2634653)
* nixos/opensmtpd: fix opensmtpd-rspamd test
(cherry picked from commit c340fd898c)
* fix opensmtpd's sendmail, add relevant test
(cherry picked from commit fb4ff06a4b)
* nixos/opensmtpd: run nixfmt as requested by ci
(cherry picked from commit 69a8aba113)
---------
Co-authored-by: Léo Gaspard <leo@gaspard.io>
When obtaining the IP address from an interface, iproute2 is missing:
"Unable to obtain information for 'bond-wan' -- missing ip or ifconfig command"
The prefix check to include iproute2 is incorrect for "usev4" and "usev6".
Currently the NixOS module checks for the "if" prefix. This prefix is
not valid with "usev4" and "usev6":
"Invalid Value for keyword 'usev4' = 'if'"
"ifv4" must be used with "usev4", and "ifv6" with "usev6".
I updated the nixos module to check for the correct prefix with "usev4"
and "usev6", and include iproute2 as necessary.
(cherry picked from commit 403dfb7c93)
Script initially copied from nextcloud and run with run.php, as requested by this big warning:
*******************************************************************************
NOTE: Do not run maintenance scripts directly, use maintenance/run.php instead!
Running scripts directly has been deprecated in MediaWiki 1.40.
It may not work for some (or any) scripts in the future.
*******************************************************************************
(cherry picked from commit 7c1f9a05ee)
While technically still experimental, it seems to produce fewer
issues than X11 at this point, and there's a weird issue with
X11 setups that we've been unable to track down that really
hurts the new user experience, so let's just go with this.
(cherry picked from commit 7a2cb2ad15)
In nixos-images for nixos-anywhere, we optimize for the smallest
possible image size because our installer is loaded into RAM.
(cherry picked from commit 0a9dd5612d)
This fixes "frequency file /var/lib/ntp/ntp.drift.TEMP: Permission denied".
Creating a directory via StateDirectory makes that directory /var/lib/ntp owned by root:root.
However, when running ntpd we change to user ntp (see ntpFlags), so the process cannot
actually use that directory.
Actually creating a home directory for the user at that location solves that problem.
(cherry picked from commit 31942f20f4)
nm-file-secret agent is a small agent that can supply secrets of
connection profiles to NetworkManager by reading the contents of
preconfigured files.
These files could be supplied e.g. by nixos-sops or any other mechanism.
(cherry picked from commit 24e0db1ba9)
This matches how `environment.gnome.excludePackages` works elsewhere,
and prevents evaluation from failing when an excluded package is not
available (e.g. by having a blocklisted license).
(cherry picked from commit 8e1ad9ba92)
This conditional was introduced in 402b5c67a8
and is supposed to check for `server.START_SSH_SERVER` but instead
checked for `START_SSH_SERVER`.
Co-Authored-By: Pyrox <pyrox@pyrox.dev>
(cherry picked from commit ecd595ef80)
It was brought up that the restricted file-system access breaks
tablespaces[1]. I'd argue that this is the desired behavior: the whole
point of the hardening is to lock the service down, and I don't consider
tablespaces common enough to elevate privileges again. Especially since
the workaround is trivial, as shown in the diff.
For completeness' sake, this adds the necessary `ReadWritePaths` change
to the postgresql section of the manual.
This also adds a small correction about the state of
`ensurePermissions`.
[1] https://github.com/NixOS/nixpkgs/pull/344925#issuecomment-2521188907
(cherry picked from commit 51a6938a44)