Make sure we get curl into the system, since when the tlsrpt rua is an
HTTP URL we need to be able to deliver to that.
(cherry picked from commit e030814446)
Calling to sendmail without AF_NETLINK causes:
> sendmail: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol
and without AF_INET/AF_INET6:
> sendmail: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
> sendmail: warning: inet_protocols: disabling IPv4 name/address support: Address family not supported by protocol
Move the configurePostfix option one level up, since it now also
reconfigures the reportd systemd unit.
(cherry picked from commit b438f32b2a)
This is the best indicator we have about whether to use a local resolver.
In the meantime I'm lobbying upstream to read /etc/resolv.conf.
(cherry picked from commit b201963951)
Same as with other services giving postfix access, this needs to happen
for the postfix user. Adding supplementary group permissions to the
systemd unit does not propagate to child processes that ultimately call
the unix domain socket.
(cherry picked from commit e48d12554c)
Reloading was insufficient for changing the dns resolver address, so we
make config changes a restart trigger instead.
(cherry picked from commit e57363be15)
This fixes postfix' membership in the postfix-tlspol group, since
memberships in a dynamically allocated group don't seem to work out.
Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.
(cherry picked from commit df0eb78b31)
Fixes the group membership for postfix processes in the postfix-tlspol
group.
Makes the postfix.service start up after postfix-tlspol.service, because
it depends on it for the TLS policy lookups.
(cherry picked from commit 64e7fad038)
`config.services.postgresql.package` is now only available when the
PostgreSQL module is actually enabled. If we're not using the local
database, we'll need to fallback to the latest postgresql version, since
we don't know about the remote version.
(cherry picked from commit e780b064a8)
Stalwart 0.11.0 changed the `config.resource.spam-filter` and
`config.resource.webadmin` keys to be `spam-filter.resource` and
`webadmin.resource` respectively. The NixOS has been updated
accordingly, but unfortunately it has mistakenly used
`config.spam-filter.resource` and `config.webadmin.resource`, which are
incorrect and do not do anything.
This commit changes the default configuration to use the correct keys.
Note that due to infinite recursion, the `optionalAttrs` has been
replaced with `mkIf`.
Additionally, some tests were added to catch this regression in the
future.
Fixes#411351
(cherry picked from commit b7ab1fa981)
Services utilising postsrsd need to connect to it via a Unix socket.
While the path to that socket is static as of now, the discoverability
of that path suffers from the lack of module documentation and a
scattered definition of the individual path components over at least
three lines, even when reading the module source.
By exposing the socket path as a readOnly NixOS option, that value shows
up in the options overview and can be re-used in other parts of NixOS
config.
qcluster won't be happy if it's started before the database migrations
have been run.
12:25:47 [Q] ERROR Failed to pull task from broker
Traceback (most recent call last):
File "/nix/store/w5ndmidmkiy02vvgl7cxx1fkzc1pichg-python3-3.12.9-env/lib/python3.12/site-packages/django/db/backends/utils.py", line 89, in _execute
return self.cursor.execute(sql, params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/nix/store/w5ndmidmkiy02vvgl7cxx1fkzc1pichg-python3-3.12.9-env/lib/python3.12/site-packages/django/db/backends/sqlite3/base.py", line 328, in execute
return super().execute(query, params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
sqlite3.OperationalError: no such table: django_q_ormq
Upstream has archived the OpenSMTPD-extras repository with 82c49af (add
deprecation notice, 2024-10-22). Instead, it has created a set of
repositories, each containing one of the tables. The old tables aren't
compatible anymore with recent OpenSMTPD versions due to changed
protocols. Other extras, like the queues, don't have an alternative to
the best of my knowledge.
Furthermore, opensmtpd-extras doesn't even build anymore, furthermore
indicating that there aren't any users of this package. Remove the
"opensmtpd-extras" package and raise errors pointing to the new
standalone tables.
Add a release note.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
