Commit graph

28154 commits

Author SHA1 Message Date
Maximilian Bosch 501bbad4ce
Merge pull request #182104 from mayflower/mail-exporter-secrets
nixos/prometheus-mail-exporter: support storing `passphrase` outside of the store, use umask when using envsubst
2022-07-20 20:42:14 +02:00
Maximilian Bosch 92bd77e85e
nixos/prometheus-mail-exporter: umask to avoid accidental world-readability 2022-07-20 20:29:38 +02:00
Maximilian Bosch 590e60d124
nixos/mxisd: umask to avoid accidental world-readability 2022-07-20 20:29:38 +02:00
Maximilian Bosch 81add6600c
nixos/privacyidea-ldap-proxy: umask to avoid accidental world-readability 2022-07-20 20:29:38 +02:00
Winter fa9030465e
Merge pull request #182126 from pbsds/polaris-os-24
nixos/tests/polaris: fix type check fail
2022-07-20 00:24:05 -04:00
Peder Bergebakken Sundt b81c81be13 nixos/tests/polaris: fix type check fail
This test was introduced in a PR predating typechecking, but got merged afterwards.
2022-07-19 21:12:14 +02:00
kilianar a3c5c5eec4 nixosTests.airsonic: fix failure (type error)
airsonic_is_up should return a bool, but machine.succeed returns a
string causing testScriptWithTypes to fail. This is fixed by executing
the cmd with machine.execute and checking the status code.
2022-07-19 19:05:20 +02:00
Maximilian Bosch 39c0694709
nixos/prometheus-mail-exporter: support storing passphrase outside of the store 2022-07-19 17:32:08 +02:00
github-actions[bot] cfe78489c9
Merge master into staging-next 2022-07-19 12:01:43 +00:00
Sandro bca69a4037
Merge pull request #181867 from newAM/github-runner
nixos/github-runner: fix systemd defaults for common workflows
2022-07-19 12:56:17 +02:00
Euan Kemp f158ac45ef nixos/k3s: use default cgroup-driver again
Setting `cgroup-driver=systemd` was originally necessary to match with
docker, else the kubelet would not start (#111835)

However, since then, docker support has been dropped from k3s (#177790).
As such, this option is much less necessary.

More importantly, it now seems to be actively causing issues. Due to an
upstream k3s bug, it's resulting in the kubelet and containerd having
different cgroup drivers, which seems to result in some difficult to
debug failure modes.

See
https://github.com/NixOS/nixpkgs/issues/181790#issuecomment-1188840862
for a description of this problem.

Removing this flag entirely seems reasonable to me, and it results in
k3s working again on my machine.
2022-07-19 02:52:12 -07:00
Wei Tang b0a0087d53
nixos/flannel: upgrade to etcdv3 (#180315) 2022-07-19 16:09:42 +10:00
github-actions[bot] 305e8cb7b8
Merge master into staging-next 2022-07-19 06:03:02 +00:00
Wout Mertens 3ee8d4c909
netdata module: fix ExecStartPost (#181976) 2022-07-19 06:19:18 +02:00
github-actions[bot] d64d75f2f3
Merge master into staging-next 2022-07-19 00:02:21 +00:00
Artturi 6dc4ee65f7
Merge pull request #179163 from cmm/network-setup-bindTo
nixos/network-interfaces-scripted: don't bindTo absent network-setup.service
2022-07-19 01:33:14 +03:00
Joachim F 0640ef2ccc
Merge pull request #180231 from dfithian/heartbeat
heartbeat service: specify package
2022-07-18 20:56:08 +02:00
Dan Fithian 49a5377557 heartbeat service: specify package
Other elastic services can specify the package. Now we can also do it for heartbeat.
2022-07-18 14:39:22 -04:00
github-actions[bot] 83702a6ef7
Merge master into staging-next 2022-07-18 18:01:14 +00:00
oaksoaj fc9e22fca1 yggdrasil: add group option back and remove systemd User= directive
The group configuration parameter allow to share access to yggdrasil
control socket with the users in the system. In the version we propose,
it is null by default so that only root can access the control socket,
but let user create their own group if they need.

Remove User= durective in systemd unit. Should a user with the specified
name already exist in the system, it would be used silently instead of a
dynamic user which could be a security concern.
2022-07-18 12:56:59 -05:00
oaksoaj 080774e28f yggdrasil: reenable DynamicUser
Since version 0.4 Yggdrasil works again using systemd's DynamicUser option.
This patch reenables it to improve security.

We tested this with both persistent and non-persistent keys. Everything
seems to work fine.
2022-07-18 12:56:59 -05:00
Maximilian Bosch 179688c7c8
Merge pull request #181377 from mayflower/mxisd-secrets
nixos/mxisd: allow passing secrets
2022-07-18 15:10:49 +02:00
Maximilian Bosch 8b72dae17b
Merge pull request #181528 from Ma27/privacyidea-ldap-proxy-secrets
nixos/privacyidea: better secret-handling ldap-proxy & RFC42-style settings for ldap-proxy
2022-07-18 14:19:47 +02:00
github-actions[bot] 71fe747e70
Merge master into staging-next 2022-07-18 12:01:55 +00:00
Maximilian Bosch 949c334ea9
nixos/privacyidea-ldap-proxy: use list for EnvironmentFile for mergeability 2022-07-18 13:58:08 +02:00
Maximilian Bosch dab3ae9d8b
Merge pull request #181715 from mayflower/jira-secret-opts
nixos/atlassian-jira: allow to store SSO password for crowd outside of the Nix store
2022-07-18 13:53:42 +02:00
Jörg Thalheim 9a020f31aa
Merge pull request #175439 from Mic92/jellyfin
nixos/jellyfin: better defaults for hardware acceleration
2022-07-18 12:51:54 +01:00
Maximilian Bosch c2c82fbe43
nixos/mxisd: use a list for env file for mergeability 2022-07-18 13:47:09 +02:00
Janne Heß 4e0f8f7f44
Merge pull request #181882 from SuperSandro2000/systemd-boot
nixos/systemd-boot: remove default log message if nothing changes
2022-07-18 10:02:43 +02:00
Vladimír Čunát 250922fd1e
Merge branch 'master' into staging-next 2022-07-18 08:29:53 +02:00
Alex Martens c34749dd63 nixos/github-runner: fix systemd defaults for common workflows 2022-07-17 22:02:57 -07:00
Winter 96728ff138
Merge pull request #181660 from anoadragon453/anoa/libuiohook_init
libuiohook: init at 1.2.2
2022-07-17 20:38:02 -04:00
Sandro 24aefd2c82
Merge pull request #177240 from Majiir/streamdeck-ui 2022-07-17 23:27:43 +02:00
Andrew Morgan 4f82bcc822 libuiohook: init at 1.2.2 2022-07-17 16:21:25 -04:00
Sandro Jäckel 4396fd615c
nixos/systemd-boot: remove default log message if nothing changes 2022-07-17 21:46:50 +02:00
Sandro 0890c4aef1
Merge pull request #168879 from aidalgol/pass-secret-service-systemd-unit 2022-07-17 16:45:27 +02:00
Bjørn Forsman 0080a93cdf nixos/jenkins-job-builder: create secret file with umask 0077
IOW, don't make it world readable.
2022-07-17 15:24:48 +02:00
Majiir Paktu 3ba735cce2 nixos/streamdeck-ui: init 2022-07-16 22:10:33 -04:00
github-actions[bot] 8df1eb061a
Merge master into staging-next 2022-07-17 00:02:14 +00:00
Sandro 04a5c30245
Merge pull request #179582 from catap/prl-tools 2022-07-17 01:41:46 +02:00
Sandro 769329f5f8
Merge pull request #172058 from midchildan/improvement/1pw-gid
nixos/_1password{,-gui}: use a static gid
2022-07-17 01:21:42 +02:00
Sivizius 5e941caa0d
nixos/cri-o: removed defaultText of internal package-option 2022-07-17 08:04:15 +10:00
Vladimír Čunát 0879ac5da6
Merge branch 'master' into staging-next 2022-07-16 20:07:05 +02:00
Maximilian Bosch 4adf26f018
nixos/privacyidea-ldap-proxy: always run envsubst
Otherwise the file doesn't exist at the expected location.
2022-07-16 14:00:46 +02:00
Kim Lindberger d012de5b1d
Merge pull request #181401 from yayayayaka/gitlab-bump-git-to-2.35.4
nixos/gitlab: Bump git to 2.35.4
2022-07-16 13:37:16 +02:00
Maximilian Bosch 765cc35042
nixos/atlassian-jira: allow to store SSO password for crowd outside of the Nix store
The option `services.jira.sso.applicationPassword` has been replaced by
`applicationPasswordFile` that needs to be readable by the `jira`-user
or group.

The new `crowd.properties` is created on startup in `~jira` and the
secret is injected into it using `replace-secret`.
2022-07-16 13:01:29 +02:00
Bjørn Forsman dbb17b39ba nixos/tests/jenkins: improve jenkins-job-builder subtest
Rely on services.jenkins-job-builder to reload the configuration instead
of doing that manually in the test.

(If this had been implemented already, it would have caught the bug
fixed by the parent commit, that services.jenkins-job-builder failed to
reload jenkins config from disk.)
2022-07-16 12:30:41 +02:00
Bjørn Forsman 50eaf82b6f nixos/jenkins-job-builder: fix jenkins authentication
The current authentication code is broken against newer jenkins:

  jenkins-job-builder-start[1257]: Asking Jenkins to reload config
  jenkins-start[789]: 2022-07-12 14:34:31.148+0000 [id=17]        WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 31e96e52938b51f099a61df9505a4427cb9dca7e35192216755659032a4151df. If you are calling this URL with a script, please use the API Token instead. More information: https://www.jenkins.io/redirect/crumb-cannot-be-used-for-script
  jenkins-start[789]: 2022-07-12 14:34:31.160+0000 [id=17]        WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /reload by admin. Returning 403.
  jenkins-job-builder-start[1357]: curl: (22) The requested URL returned error: 403

Fix it by using `jenkins-cli` instead of messing with `curl`.

This rewrite also prevents leaking the password in process listings. (We
could probably do it without `replace-secret`, assuming `printf` is a
shell built-in, but this implementation should be safe even with shells
not having a built-in `printf`.)

Ref https://github.com/NixOS/nixpkgs/issues/156400.
2022-07-16 12:30:41 +02:00
Arian van Putten 55bd770662
Merge pull request #167514 from shimunn/pam_u2f_module
nixos/security/pam: added `origin` option to pamu2f
2022-07-16 10:56:26 +02:00
Vladimír Čunát 7fbdf335d8
Merge #180368: nixos/i18n: normalise locale names 2022-07-16 09:01:42 +02:00