Upstream dropped `sha256_generic` in e96cb9507f
Quoting from upstream:
> sha256_blocks_generic() is moved from lib/crypto/sha256-generic.c into
> lib/crypto/sha256.c. It's now a static function marked with
> __maybe_unused, so the compiler automatically eliminates it in any
> cases where it's not used.
Co-authored-by: dramforever <dramforever@live.com>
(cherry picked from commit 7faeef0e92)
Change type of services.privoxy.settings.listen-address from str to
either str (listOf str). The latter allows providing a list which
results in multiple listen-address entries in privoxy.conf.
(cherry picked from commit 9f7f75f801)
SSH key generation was split out into its own systemd service in
https://github.com/NixOS/nixpkgs/pull/372979, but dependent service
definitions weren't updated.
The `apply-ec2-data` service needs to run before SSH key generation,
as it fetches host keys defined in ec2 user data and these keys should
take priority over generating new ones. Currently, the ordering
doesn't specify which should run first of `apply-ec2-data` and
`sshd-keygen`; in practice it seems that `sshd-keygen` often wins the
race, though.
Update the dependencies so that `apply-ec2-data` always runs first.
(cherry picked from commit d9ac3ba30b)
This enables VectorChord in the database (currently) alongside
pgvecto.rs. Note that VectorChord requires pgvector, which is enabled as
well by this option.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit fd1994a8b7)
Without this dependency, we may run into a race condition, especially in
our tests.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit 1a24457782)
Qt5 qtwebengine will be marked insecure, so this would block the entire DE from being usable.
Epiphany seems to work as a replacement until Morph can be built with Qt6.
Content-Hub test will still need adjustment, but keeping it out of this to make future reverting easier.
(cherry picked from commit 5063462bf3)
Let's give it a try once again, now that I am back on Bcachefs
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
(cherry picked from commit 4cd9dd4a87)
Part of #438800.
The OWASP recommendation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
(cherry picked from commit c129255508)
Part of #438800.
The OWASP recommendation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
Hence, we turn this off, diverging from the upstream defaults here. An
upstream issue has been opened[2].
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
[2] https://github.com/grafana/grafana/issues/110369
(cherry picked from commit 409107d2f5)
This was causing issues on newer versions of MariaDB (breaking
NixOS tests) like:
```
Error 1064 (42000): You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version
for the right syntax to use near '%2Cutf8' at line 1
```
Since this is simply a fallback character set and all supported versions
of MariaDB support utf8mb4, delete the fallback.
This change should be fully compatible with existing deployments.
(cherry picked from commit 6cc8a8cdb5)
The new `\restrict` mitigation creates random keys in the dump file by
default, which breaks a before/after test for the backup module. By
making the restrict key reproducible, the test passes again.
(cherry picked from commit 87e1134406)
Changed the service type from forking to notify,
which should give a better indication of when the service is ready.
Changed the preStart into an ExecStart,
in order for upstream's NotifyAccess=main to work.
Added Restart=on-abnormal for better service stability.
(cherry picked from commit 9867229696)
Before this change, the THIRDPARTY_EXTENSIONS_PATH would end up with a
double-slash in the path, which was breaking FreshRSS's is_valid_path
detection.
(cherry picked from commit 637fc36529)
nixos/qbittorrent: add default serverConfig & fix test
Migrate to runTest
Replace lib.optional with lib.optionals
nixos/qbittorrent: update release notes to 2511
(cherry picked from commit 84d174e312)
Make sure we get curl into the system, since when the tlsrpt rua is an
HTTP URL we need to be able to deliver to that.
(cherry picked from commit e030814446)
Fixes #361592.
I was able to test this change by doing the following:
1. Create a file named “test-systemd-run0.nix” that contains this Nix
expression:
```nix
let
  nixpkgs = /path/to/nixpkgs;
  pkgs = import nixpkgs { };
in
pkgs.testers.runNixOSTest {
  name = "test-systemd-run0";
  nodes.machine = {
    security.polkit.enable = true;
  };
  testScript = ''
    start_all()
    machine.succeed("run0 env")
  '';
}
```
2. Replace “/path/to/nixpkgs” with the actual path to an actual copy of
Nixpkgs.
3. Run the integration test by running this command:
```
nix-build <path to test-systemd-run0.nix>
```
(cherry picked from commit d54262911c)
Calling sendmail without AF_NETLINK causes:
> sendmail: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol
and without AF_INET/AF_INET6:
> sendmail: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
> sendmail: warning: inet_protocols: disabling IPv4 name/address support: Address family not supported by protocol
Move the configurePostfix option one level up, since it now also
reconfigures the reportd systemd unit.
(cherry picked from commit b438f32b2a)
Resolves the installer failing on devices that include this hardware, as
broadcom_sta was marked as insecure due to being unmaintained and having
active CVEs.
This commit can be reverted when/if the installer has a mechanism for allowing
insecure packages.
(cherry picked from commit 9c9f467d49)
This is the best indicator we have about whether to use a local resolver.
In the meantime I'm lobbying upstream to read /etc/resolv.conf.
(cherry picked from commit b201963951)
Upstream stores the model cache in the config directory, which is
unnecessarily messy. The cache directory is still the correct place for
these, since they can be pruned and redownloaded, we just don't want it
to happen on every restart.
Fixes: #427714
(cherry picked from commit cb4fd4e3ca)
Fixes all code blocks with "nix" language in markdown files for syntax
errors to be able to run nixfmt in the next step.
(cherry picked from commit 6c47e7d5da)
Same as with other services giving postfix access, this needs to happen
for the postfix user. Adding supplementary group permissions to the
systemd unit does not propagate to child processes that ultimately call
the unix domain socket.
(cherry picked from commit e48d12554c)
Plasma 6 requires the `qtsensors` package to be installed in order
for autorotation to work correctly. Simply enabling the IIO module
is not sufficient, although it's also required. Both are required
for autorotation to work correctly.
(cherry picked from commit 864ffcd1e1)