`uwsgi_pass` uses the uwsgi protocol instead of the HTTP protocol
(that's what `proxy_pass` is for). Also, the source IP is already
derived from the REMOTE_ADDR param that's specified by the uwsgi
defaults from nginx, similarily to how it's done for fcgi.
Hence, removing that since it seems not necessary (and perhaps even
wrong).
If the user has specified a custom data_dir or meta_dir, this results in
garage service failing with read-only filesystem error since the service
runs with DynamicUser by default.
Caddy hostnames can begin with http:// to disable automatic HTTPS.
The default value for services.caddy.<host>.logFormat puts the hostname
in the log filename, resulting in a broken path. Similarly, multiple
space-separated host names would not work before.
Since version 2.9.0 (commit 7c52e7a), caddy fails to start if it cannot
open the log file. This caused NixOS test failures (e.g.,
nixosTests.dokuwiki).
It's hard to put the sourcing of ./.attrs.sh into all builder
consistently - mistakes will happen. Thus, load structured attrs once in
make-derivation and then source the remaining builder on top.
This should fix quite a few builders with structured attributes in
principle. Most importantly it helps substitute / substituteAll, which
are required for bootstrap on some platforms.
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
Relax dependency with certs that are validated via DNS challenge since
we know the HTTP server is not required for that validation.
This allows marking the server's service as depending on the cert.
Relax dependency with certs that are validated via DNS challenge since
we know the HTTP server is not required for that validation.
This allows marking the server's service as depending on the cert.
Relax dependency with certs that are validated via DNS challenge since
we know the HTTP server is not required for that validation.
This allows marking the server's service as depending on the cert.
Previously the cgi-user option in stargazer was broken in this module
because stargazer didn't have CAP_SETUID and CAP_SETGID. cgi-user tells
stargazer to run cgi processes as a different user. I added an option
allowCgiUser that give stargazer these capabilities when enabled. I made
this an option because access to those syscalls greatly increases the
damage a RCE bug in stargazer could do. So they should only be enabled
if needed.
This package was marked as vulnerable in
<https://github.com/NixOS/nixpkgs/pull/255959>, almost a year ago and
over a year after the project was archived upstream. The package and
module are unusable without bypassing a security warning in 23.05,
23.11, and 24.05.
Given that the package is intended as an organizer for
potentially‐untrusted media files, the vulnerability is critical and
leads to remote code execution, and there is basically no prospect
of upstream releasing a fix, remove the package and module entirely
for 24.11.
The default in the previous option documentation was incorrect,
resulting in the UNIX socket to be unreachable except by root by
default.
This fixes the documentation and requires consumers to set values
explicitly for the socket's owning user and group.
This adds migration instructions for the removed global shared instance
configuration of fcgiwrap.
Adding those explicit messages to the previous options requires moving
the newly defined options from `services.fcgiwrap.*` to
`services.fcgiwrap.instances.*` due to an option namespace clash.
`mkRenamedOptionModule` was not used because the previous options do
not directly map to the new ones. In particular, `user` and `group`
were described as setting the socket's permission, but were actually
setting the process' running user.
Co-authored-by: Minijackson <minijackson@riseup.net>
This adds a few options to properly set the ownership and permissions
on UNIX local sockets, set to private by default.
Previously, the created UNIX local sockets could be used by any local
user. This was especially problematic when fcgiwrap is running as root
(the default).
Since we're already introducing some backward-incompatible change in
the previous commit, let's make the options more tidy, also preparing
for the introduction of more options.
This also fixes the documentation of the user and group options which
are applying to the service's running user, not the socket.
This allows configuring and starting independent instances of the
fgciwrap service, each with their own settings and running user,
instead of having to share a global one.
I could not use `mkRenamedOptionModule` on the previous options
because the aliases conflict with `attrsOf submodule` now defined at
`services.fcgiwrap`. This makes this change not backward compatible.
The default for this value depends on `config.networking.domain`, which is typed as `types.nullOr types.str` in nixos/modules/tasks/network-interfaces.nix
As a result, the default for `services.bluemap.host` either has to be `types.nullOr types.str`, or we need to drop the default.
Based on PR feedback, this commit drops the default and requires configuration through the `services.bluemap.host` option.
While this is a breaking change, since the module is a month old, there should be very few users so far.
Use the `cfg.package.version` (string) instead of the entire package so
users don't see `error: value is a set while a string was expected`
instead of the intended assertion message.
