Part of #438800.
The OWASP recommentation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
(cherry picked from commit c129255508)
Part of #438800.
The OWASP recommentation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
Hence, we turn this off, diverging from the upstream defaults here. An
upstream issue has been opened[2].
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
[2] https://github.com/grafana/grafana/issues/110369
(cherry picked from commit 409107d2f5)
This was causing issues on newer versions of MariaDB (breaking
NixOS tests) like:
```
Error 1064 (42000): You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version
for the right syntax to use near '%2Cutf8' at line 1
```
Since this is simply a fallback character set and all supported versions
of MariaDB support utf8mb4, delete the fallback.
This change should be fully compatible with existing deployments.
(cherry picked from commit 6cc8a8cdb5)
The new `\restrict` migitation creates random keys in the dump file by
default, which breaks a before/after test for the backup module. By
making the restrict key reproducible, the test passes again.
(cherry picked from commit 87e1134406)
Changed the service type from forking to notify,
which should gives a better indication of when the service is ready.
Changed the preStart into an ExecStart,
in order for upstream's NotifyAccess=main to work.
Added Restart=on-abnormal for better service stability.
(cherry picked from commit 9867229696)
Before this change, the THIRDPARTY_EXTENSIONS_PATH would end up with a
double-slash in the path, which was breaking FreshRSS's is_valid_path
detection.
(cherry picked from commit 637fc36529)
nixos/qbittorrent: add default serverConfig & fix test
Migrate to runTest
Replace lib.optional with lib.optionals
nixos/qbittorrent: update release notes to 2511
(cherry picked from commit 84d174e312)
Make sure we get curl into the system, since when the tlsrpt rua is an
HTTP URL we need to be able to deliver to that.
(cherry picked from commit e030814446)
Calling to sendmail without AF_NETLINK causes:
> sendmail: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol
and without AF_INET/AF_INET6:
> sendmail: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
> sendmail: warning: inet_protocols: disabling IPv4 name/address support: Address family not supported by protocol
Move the configurePostfix option one level up, since it now also
reconfigures the reportd systemd unit.
(cherry picked from commit b438f32b2a)
This is the best indicator we have about whether to use a local resolver.
In the meantime I'm lobbying upstream to read /etc/resolv.conf.
(cherry picked from commit b201963951)
Upstream stores the model cache in the config directory, which is
unnecessarily messy. The cache directory is still the correct place for
these, since they can be pruned and redownloaded, we just don't want it
to happen on every restart.
Fixes: #427714
(cherry picked from commit cb4fd4e3ca)
Fixes all code blocks with "nix" language in markdown files for syntax
errors to be able to run nixfmt in the next step.
(cherry picked from commit 6c47e7d5da)
Same as with other services giving postfix access, this needs to happen
for the postfix user. Adding supplementary group permissions to the
systemd unit does not propagate to child processes that ultimately call
the unix domain socket.
(cherry picked from commit e48d12554c)
Plasma 6 requires the `qtsensors` package to be installed in order
for autorotation to work correctly. Simply enabling the IIO module
is not sufficient, although it's also required. Both are required
for autorotation to work correctly.
(cherry picked from commit 864ffcd1e1)
Otherwise, the systemd service will reliably fail on a clean boot, as
invidious-router needs a set-up network connection before starting.
(cherry picked from commit fab364e89b)
Reloading was insufficient for changing the dns resolver address, so we
make config changes a restart trigger instead.
(cherry picked from commit e57363be15)
In 623664e84f this part was refactored,
however network.target does not make sense in wantedBy and must be part of after.
(cherry picked from commit bcc1b762e9)
It's not clear how to use this command in other systemd units, this
section gives a recommendation.
I realized that there's no explicit mention of `nextcloud-occ` in the
first place, so I wrote some introductory sentences as well.
(cherry picked from commit 5a6f0a43ae)
Since 25.05 dbtype no longer defaults to sqlite and this yields an error
that is understandable enough but not easy to properly address.
Add an assert that is more explicit.
Before:
```
error: The option `nodes.nextcloud.services.nextcloud.config.dbtype' was accessed but has no value defined. Try setting the option.
```
After:
```
error:
Failed assertions:
- `services.nextcloud.config.dbtype` must be set explicitly (pgsql, mysql, or sqlite)
Before 25.05, it used to default to sqlite but that is not recommended by upstream.
Either set it to sqlite as it used to be, or convert to another type as described
in the official db conversion page:
https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/db_conversion.html
```
Link: https://github.com/NixOS/nixpkgs/pull/369242#issuecomment-3036296243
(cherry picked from commit 78a20758e0)
This, and commits to k3s and util-linux close#409339.
The util-linux.withPatches API was a temporary hack for the 25.05
release to fix Kubernetes, and is going away.
While we're at it, we should use util-linuxMinimal because we do not
need things such as systemd support for kubelet initialization.
(cherry picked from commit 949e299d24)
See https://discourse.nixos.org/t/i-cannot-for-the-life-of-me-find-the-package-that-has-pg-config/66244/4
I decided against doing this in its own nixpkgs manual: the line
to draw is quite blurry already (e.g. we have documented our package
removal policy in here as well) and having to check two manuals for a
single subsystem feels pretty annoying to me.
The relevant part - where to find pg_config - is written at the top. I
decided to give a bit more context about the way our packaging works
since I realized a few times now that I don't remember all the details
about the problems we had in the past and having to look up individual
commit messages for that isn't very productive.
(cherry picked from commit e031c5ff6b)
This fixes postfix' membership in the postfix-tlspol group, since
memberships in a dynamically allocated group don't seem to work out.
Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.
(cherry picked from commit df0eb78b31)
Fixes the group membership for postfix processes in the postfix-tlspol
group.
Makes the postfix.service start up after postfix-tlspol.service, because
it depends on it for the TLS policy lookups.
(cherry picked from commit 64e7fad038)
