This replaces the previous confinement settings with a more complete and
context-sensitive hardening setup.
Also exposes the current config at /etc/postsrsd.conf, which makes it
easily inspectable.
Allow a freeform configuration approach to satisfy different
configuration complexities.
Remove confinement options and make its hardening options more explicit
and remove the deprecated PermissionStartOnly= option.
This should hopefully fix errors like the following:
plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /var/empty/.spamassassin/bayes.lock.atuin.qyliss.net.398779 for /var/empty/.spamassassin/bayes.lock: No such file or directory
This reverts commit a794031c59.
With the following additions:
Allow `CAP_KILL`, so the dovecot master process may interrupt its child
processes.
Allow new privileges, so dovecot can call the setuid sendmail executable.
Allow AF_NETLINK sockets, so dovecot sieve handling can use the
getifaddrs syscall.
Finally, we now assert that no options are set on the legacy dovecot2
systemd unit name, to make the user aware they need to update their
overrides.
Remove the major version from the unit name and add an alias for the old
dovecot2 name.
Then restricts what the dovecot service can do, which is very interesting
given that the unit runs as root and spawns less-privileged processes
from there.
This fixes postfix' membership in the postfix-tlspol group, since
memberships in a dynamically allocated group don't seem to work out.
Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.
This avoids restarting the postgresql server, when only ensureDatabases
or ensureUsers have been changed. It will also allow to properly wait
for recovery to finish later.
To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.
Resolves #400018
Co-authored-by: Marcel <me@m4rc3l.de>
`config.services.postgresql.package` is now only available when the
PostgreSQL module is actually enabled. If we're not using the local
database, we'll need to fallback to the latest postgresql version, since
we don't know about the remote version.
Fixes the group membership for postfix processes in the postfix-tlspol
group.
Makes the postfix.service start up after postfix-tlspol.service, because
it depends on it for the TLS policy lookups.
There exist multiple issues with these options, for example they are not
introspectable, since the values are configured in the config part of the
module.
Also the keypair is always configured for both server and client usage,
which is really surprising. The postfix docs even advise against setting
up client certificates, if they aren't required. [1]
The replacements are the `smtpd_tls_chain_files` for server usage and
`smtp_tls_chain_files` for client usage, which are the preferred way to
configure keys and certificates since Postfix 3.4.0. [2]
[1] https://www.postfix.org/postconf.5.html#smtp_tls_cert_file
[2] https://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
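As an added illustration (not part of the commit above), the weak pattern beside the replacement in NixOS terms; the option paths `services.postfix.sslCert`/`sslKey` and `services.postfix.settings.main`, the list-to-comma-separated rendering, and the certificate paths are assumptions made for this example:

```nix
{ config, ... }:
{
  # Before (assumed shape of the removed options): one keypair that the
  # module applies to both smtpd_tls_* (server) and smtp_tls_* (client).
  # Effect: every outbound SMTP connection also offers a client certificate,
  # which the Postfix docs advise against unless a peer requires it.
  #
  #   services.postfix.sslCert = "/var/lib/acme/mail.example.org/fullchain.pem";
  #   services.postfix.sslKey  = "/var/lib/acme/mail.example.org/key.pem";

  # After: configure the chain explicitly and only for the server side.
  # Postfix reads chain files as private key first, then the certificate
  # chain, so the order of the two entries matters.
  services.postfix.settings.main = {
    smtpd_tls_chain_files = [
      "/var/lib/acme/mail.example.org/key.pem"
      "/var/lib/acme/mail.example.org/fullchain.pem"
    ];
    # Client-side certificate only where a remote MTA actually requires one;
    # otherwise leave smtp_tls_chain_files unset.
    # smtp_tls_chain_files = [ "/path/to/client-key.pem" "/path/to/client-cert.pem" ];
  };
}
```

After switching, `postconf smtpd_tls_chain_files` and `postconf smtp_tls_chain_files` show which side actually has a keypair configured.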
Stalwart 0.11.0 changed the `config.resource.spam-filter` and
`config.resource.webadmin` keys to be `spam-filter.resource` and
`webadmin.resource` respectively. The NixOS has been updated
accordingly, but unfortunately it has mistakenly used
`config.spam-filter.resource` and `config.webadmin.resource`, which are
incorrect and do not do anything.
This commit changes the default configuration to use the correct keys.
Note that due to infinite recursion, the `optionalAttrs` has been
replaced with `mkIf`.
Additionally, some tests were added to catch this regression in the
future.
Fixes #411351
Services utilising postsrsd need to connect to it via a Unix socket.
While the path to that socket is static as of now, the discoverability
of that path suffers from the lack of module documentation and a
scattered definition of the individual path components over at least
three lines, even when reading the module source.
By exposing the socket path as a readOnly NixOS option, that value shows
up in the options overview and can be re-used in other parts of NixOS
config.
qcluster won't be happy if it's started before the database migrations
have been run.
12:25:47 [Q] ERROR Failed to pull task from broker
Traceback (most recent call last):
File "/nix/store/w5ndmidmkiy02vvgl7cxx1fkzc1pichg-python3-3.12.9-env/lib/python3.12/site-packages/django/db/backends/utils.py", line 89, in _execute
return self.cursor.execute(sql, params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/nix/store/w5ndmidmkiy02vvgl7cxx1fkzc1pichg-python3-3.12.9-env/lib/python3.12/site-packages/django/db/backends/sqlite3/base.py", line 328, in execute
return super().execute(query, params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
sqlite3.OperationalError: no such table: django_q_ormq
Upstream has archived the OpenSMTPD-extras repository with 82c49af (add
deprecation notice, 2024-10-22). Instead, it has created a set of
repositories, each containing one of the tables. The old tables aren't
compatible anymore with recent OpenSMTPD versions due to changed
protocols. Other extras, like the queues, don't have an alternative to
the best of my knowledge.
Furthermore, opensmtpd-extras doesn't even build anymore, further
indicating that there aren't any users of this package. Remove the
"opensmtpd-extras" package and raise errors pointing to the new
standalone tables.
Add a release note.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.