Part of #438800.
The OWASP recommendation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
(cherry picked from commit c129255508)
Part of #438800.
The OWASP recommendation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
Hence, we turn this off, diverging from the upstream defaults here. An
upstream issue has been opened[2].
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
[2] https://github.com/grafana/grafana/issues/110369
(cherry picked from commit 409107d2f5)
This was causing issues on newer versions of MariaDB (breaking
NixOS tests) like:
```
Error 1064 (42000): You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version
for the right syntax to use near '%2Cutf8' at line 1
```
Since this is simply a fallback character set and all supported versions
of MariaDB support utf8mb4, delete the fallback.
This change should be fully compatible with existing deployments.
(cherry picked from commit 6cc8a8cdb5)
EOL upstream.
We only have one hardened kernel at the moment now because
LTS == latest available. This situation would've also happened before
the cleanup since 6.13/6.14 were removed in June already[1].
[1] 23b573705d
(cherry picked from commit 510532e9ae)
By the end of the month, I'll leave Flying Circus. Thanks a lot for the
journey together <3
The rootless-test for podman is something I decided to keep since I'm
using parts of the features covered in there myself.
(cherry picked from commit 201cb3e519)
The new `\restrict` mitigation creates random keys in the dump file by
default, which breaks a before/after test for the backup module. By
making the restrict key reproducible, the test passes again.
(cherry picked from commit 87e1134406)
prometheus-smokeping-prober was updated to 0.10.0 in #396980
which introduced a new label `tos` in its metrics.
add it to the failing tests to make them match
the expected metric (and pass) again
you could argue that the tests are a bit too greedy with the way
they match metrics, but I actually like it that way
(cherry picked from commit 2103ba2688)
Changed the service type from forking to notify,
which should give a better indication of when the service is ready.
Changed the preStart into an ExecStart,
in order for upstream's NotifyAccess=main to work.
Added Restart=on-abnormal for better service stability.
(cherry picked from commit 9867229696)
Before this change, the THIRDPARTY_EXTENSIONS_PATH would end up with a
double-slash in the path, which was breaking FreshRSS's is_valid_path
detection.
(cherry picked from commit 637fc36529)
Test for linking had to be removed because now the linking is more
complex and it would take too much mocking to test it.
The test in question was moved to the dashboard codebase that is
closed-source, if that helps in any way.
(cherry picked from commit a667834a5f)
nixos/qbittorrent: add default serverConfig & fix test
Migrate to runTest
Replace lib.optional with lib.optionals
nixos/qbittorrent: update release notes to 2511
(cherry picked from commit 84d174e312)
Make sure we get curl into the system, since when the tlsrpt rua is an
HTTP URL we need to be able to deliver to that.
(cherry picked from commit e030814446)
Fixes #361592.
I was able to test this change by doing the following:
1. Create a file named “test-systemd-run0.nix” that contains this Nix
   expression:

   ```
   let
     nixpkgs = /path/to/nixpkgs;
     pkgs = import nixpkgs { };
   in
   pkgs.testers.runNixOSTest {
     name = "test-systemd-run0";
     nodes.machine = {
       security.polkit.enable = true;
     };
     testScript = ''
       start_all()
       machine.succeed("run0 env")
     '';
   }
   ```

2. Replace “/path/to/nixpkgs” with the actual path to an actual copy of
   Nixpkgs.
3. Run the integration test by running this command:

   ```
   nix-build <path to test-systemd-run0.nix>
   ```
(cherry picked from commit d54262911c)
Calling to sendmail without AF_NETLINK causes:
> sendmail: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol
and without AF_INET/AF_INET6:
> sendmail: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
> sendmail: warning: inet_protocols: disabling IPv4 name/address support: Address family not supported by protocol
Move the configurePostfix option one level up, since it now also
reconfigures the reportd systemd unit.
(cherry picked from commit b438f32b2a)
At work we have the use-case that several people connect to a large
Linux box to run tests and debug those interactively.
All tests write their state into a global `/tmp` -- e.g. the vde1 socket
and the VMs' state. This leads to conflicts when multiple people are
doing this.
This change tries to use XDG_RUNTIME_DIR before using Python's detection
of a global temp directory: when connecting, this requires a working
user session, but then we get working directories per user. This is
preferable over doing something like `mktemp -d` per run since that
would break use-cases where you want to keep the VMs' state across
multiple sessions (`--keep-vm-state`).
(cherry picked from commit 59b4d0de90)
Resolves the installer failing on devices that include this hardware, as
broadcom_sta was marked as insecure due to being unmaintained and having
active CVEs.
This commit can be reverted when/if the installer has a mechanism for allowing
insecure packages.
(cherry picked from commit 9c9f467d49)
This is the best indicator we have about whether to use a local resolver.
In the meantime I'm lobbying upstream to read /etc/resolv.conf.
(cherry picked from commit b201963951)
Upstream stores the model cache in the config directory, which is
unnecessarily messy. The cache directory is still the correct place for
these, since they can be pruned and redownloaded, we just don't want it
to happen on every restart.
Fixes: #427714
(cherry picked from commit cb4fd4e3ca)
This will allow dropping the linuxPackages_ham variant. Fedora sets
these in their default kernel, so I don't anticipate any problem with
us doing the same.
Tested building linux_5_4, linux, and linux_latest on x86_64.
(cherry picked from commit d735743b39)
Fixes all code blocks with "nix" language in markdown files for syntax
errors to be able to run nixfmt in the next step.
(cherry picked from commit 6c47e7d5da)
Same as with other services giving postfix access, this needs to happen
for the postfix user. Adding supplementary group permissions to the
systemd unit does not propagate to child processes that ultimately call
the unix domain socket.
(cherry picked from commit e48d12554c)
Plasma 6 requires the `qtsensors` package to be installed in order
for autorotation to work correctly. Simply enabling the IIO module
is not sufficient, although it's also required. Both are required
for autorotation to work correctly.
(cherry picked from commit 864ffcd1e1)
hydra-build-products is automatically updated with the right name, as
is image-info.json.
This breaks hardcoded uses of the filename, but ensures that all the
other outputs are consistent and image.filePath is correct
(cherry picked from commit 5aba7c7131)
vpc files use the extension "vhd". `make-disk-image-nix` contains a
lookup table, but does not expose that. vpc is the only format
supported by the amazon image which is affected. Format and extension
are the same for raw and qcow2.
(cherry picked from commit 8cbc6d6da6)
Otherwise, the systemd service will reliably fail on a clean boot, as
invidious-router needs a set-up network connection before starting.
(cherry picked from commit fab364e89b)
Reloading was insufficient for changing the dns resolver address, so we
make config changes a restart trigger instead.
(cherry picked from commit e57363be15)
In 623664e84f this part was refactored; however, network.target does not
make sense in wantedBy and must be part of after.
(cherry picked from commit bcc1b762e9)
It's not clear how to use this command in other systemd units, this
section gives a recommendation.
I realized that there's no explicit mention of `nextcloud-occ` in the
first place, so I wrote some introductory sentences as well.
(cherry picked from commit 5a6f0a43ae)
Since 25.05 dbtype no longer defaults to sqlite and this yields an error
that is understandable enough but not easy to properly address.
Add an assert that is more explicit.
Before:
```
error: The option `nodes.nextcloud.services.nextcloud.config.dbtype' was accessed but has no value defined. Try setting the option.
```
After:
```
error:
Failed assertions:
- `services.nextcloud.config.dbtype` must be set explicitly (pgsql, mysql, or sqlite)
Before 25.05, it used to default to sqlite but that is not recommended by upstream.
Either set it to sqlite as it used to be, or convert to another type as described
in the official db conversion page:
https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/db_conversion.html
```
Link: https://github.com/NixOS/nixpkgs/pull/369242#issuecomment-3036296243
(cherry picked from commit 78a20758e0)
This, and commits to k3s and util-linux, close #409339.
The util-linux.withPatches API was a temporary hack for the 25.05
release to fix Kubernetes, and is going away.
While we're at it, we should use util-linuxMinimal because we do not
need things such as systemd support for kubelet initialization.
(cherry picked from commit 949e299d24)
See https://discourse.nixos.org/t/i-cannot-for-the-life-of-me-find-the-package-that-has-pg-config/66244/4
I decided against doing this in its own nixpkgs manual: the line
to draw is quite blurry already (e.g. we have documented our package
removal policy in here as well) and having to check two manuals for a
single subsystem feels pretty annoying to me.
The relevant part - where to find pg_config - is written at the top. I
decided to give a bit more context about the way our packaging works
since I realized a few times now that I don't remember all the details
about the problems we had in the past and having to look up individual
commit messages for that isn't very productive.
(cherry picked from commit e031c5ff6b)
We currently bypass systemd's switch-root logic by premounting
/sysroot/run. Make sure to propagate its sub-mounts with the recursive
flag, in accordance with the default switch-root logic.
This is required for creds at /run/credentials to survive the transition
from initrd -> host.
(cherry picked from commit 7d36daa76a)
When running with a xfs root partition and using systemd for stage 1
initrd, I noticed in journalctl that fsck.xfs always failed to execute.
The issue is that it is trying to use the below sh interpreter:
`#!/nix/store/xy4jjgw87sbgwylm5kn047d9gkbhsr9x-bash-5.2p37/bin/sh -f`
but the file does not exist in the initrd image.
/nix/store/xy4jjgw87sbgwylm5kn047d9gkbhsr9x-bash-5.2p37/bin/**bash**
exists since it gets pulled in by some package, but the rest of the
directory is not being pulled in.
boot/systemd/initrd.nix mentions that xfs_progs references the sh
interpreter and seems to explicitly try to address this by adding
${pkgs.bash}/bin to storePaths, but that's the wrong bash package.
Update the `storePaths` value to pull in `pkgs.bashNonInteractive`
rather than `pkgs.bash`.
(cherry picked from commit 3332613add)
This fixes postfix' membership in the postfix-tlspol group, since
memberships in a dynamically allocated group don't seem to work out.
Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.
(cherry picked from commit df0eb78b31)