It was brought up that the restricted file-system access breaks
tablespaces[1]. I'd argue that this is the desired behavior: the whole
point of the hardening is to lock the service down, and I don't consider
tablespaces common enough to elevate privileges again. Especially since
the workaround is trivial, as shown in the diff.
For completeness' sake, this adds the necessary `ReadWritePaths` change
to the postgresql section of the manual.
This also adds a small correction about the state of
`ensurePermissions`.
[1] https://github.com/NixOS/nixpkgs/pull/344925#issuecomment-2521188907
(cherry picked from commit 51a6938a44)
nixos/rtkit: mention pipewire in docstring
I don't know the reason for rtkit only getting enabled by
hardware.pulseaudio.enable and not services.pipewire.enable, as they
both use it to get real-time priority, but we can at least help users by
mentioning pipewire in the rtkit option.
(cherry picked from commit 886de305c8)
Co-authored-by: Bjørn Forsman <bjorn.forsman@gmail.com>
As it helps make deps easier to discover - as we don't currently
render submodule options in the module correctly - and is arguably
more technically correct: when using nixos-install to install nixos
into a chroot in i.e. /mnt, there's no guarantee that /mnt/dev exists
before the specialfs phase ran.
(cherry picked from commit df8e6f7487)
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \
--argstr baseRev 0128fbb0a5
result/bin/apply-formatting $NIXPKGS_PATH
`/var/cache`, `/var/lib`, and `/var/spool` all have 0755 permissions by
default, so should probably be created as such in this script.
See #357447 for discussion.
(cherry picked from commit 7389d32232)
ShellCheck reports the following:
> SC2174 (warning): When used with -p, -m only applies to the deepest
> directory.
Avoid this warning by splitting `mkdir -m MODE -p DIR` into
`(umask MASK && mkdir -p DIR)`.
(cherry picked from commit bfe7bb410f)
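The SC2174 warning above is easiest to see by running both forms side by side. The script below is an added example, not code from the nixpkgs commit; it creates throwaway directories with `mktemp -d` and reads permissions with POSIX `ls -ld`, so it assumes only a standard Unix userland.

```shell
#!/bin/sh
# Added example (not from the nixpkgs commit): shows why ShellCheck SC2174
# warns about `mkdir -m MODE -p DIR` and what the `(umask MASK && mkdir -p DIR)`
# form changes. Each function reports "<parent mode> <child mode>".

mode_of() {
    # Permission string of a path, e.g. drwxr-xr-x (POSIX ls; no GNU stat needed).
    ls -ld "$1" | cut -c1-10
}

modes_with_mkdir_m() {
    # `-m 0700` is applied only to the deepest directory ("child");
    # the intermediate "parent" gets the default mode filtered by umask.
    ( umask 022
      tmp=$(mktemp -d)
      mkdir -m 0700 -p "$tmp/parent/child"
      printf '%s %s\n' "$(mode_of "$tmp/parent")" "$(mode_of "$tmp/parent/child")"
      rm -rf "$tmp" )
}

modes_with_umask() {
    # A restrictive umask in a subshell applies to every directory mkdir -p
    # creates, and is discarded when the subshell exits.
    ( umask 022
      tmp=$(mktemp -d)
      (umask 077 && mkdir -p "$tmp/parent/child")
      printf '%s %s\n' "$(mode_of "$tmp/parent")" "$(mode_of "$tmp/parent/child")"
      rm -rf "$tmp" )
}

# Stand-alone demo: the first line leaves the parent world-readable,
# the second locks down the whole chain.
echo "mkdir -m -p : $(modes_with_mkdir_m)"
echo "umask + -p  : $(modes_with_umask)"
```

The first form yields a 0755 parent around a 0700 child, which matters for service state directories: the mode you asked for protects the leaf, but the intermediate directory you implicitly created is still open to other users. The umask form applies the same mask to every level, and because it runs in a subshell the rest of the script keeps its original umask.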
otherwise results in 502 bad gateway errors with some clients (which send a lot of cookies?)
Change-Id: I9aadedb7acde0388f060dbb82ccd8788f41ff0e6
(cherry picked from commit 4d8e8de0d9)
The current default configuration, automatic channel selection with
the HT40- capability, is explicitly disallowed by an assertion in this
module.
This is a result of a recent change to default to automatic channel
selection in 1047f0a6bf.
(cherry picked from commit 8a97d662dd)
Some GitHub actions that use `bash` expect interactive features to be available. One such action is the [use-nix-shell](https://github.com/rrbutani/use-nix-shell-action) action. I couldn't find a way to override this even with `cfg.extraPackages`, due to the way the path is ordered.
(cherry picked from commit 8c39875ae3)
FRR intends for non-root users to connect to the VTY sockets if they
are members of the frrvty group, however this is not possible if
non-root/non-frr users cannot access the runtime directory. The
sockets used by the FRR daemons for internal IPC are also created in
the runtime directory, however these are created with appropriately
restrictive permissions to prevent interference.
(cherry picked from commit f014b0d415)