Unverified Commit 7d3853b7 authored by nixpkgs-ci[bot]'s avatar nixpkgs-ci[bot] Committed by GitHub

Merge master into staging-nixos

parents ee537d78 7c6784fc
+9 −2
@@ -19288,6 +19288,12 @@
    githubId = 810877;
    name = "Tom Doggett";
  };
  noderyos = {
    email = "vincent.bsod@gmail.com";
    github = "Noderyos";
    githubId = 56077132;
    name = "Noderyos";
  };
  noiioiu = {
    github = "noiioiu";
    githubId = 151288161;
@@ -27837,10 +27843,11 @@
    githubId = 68829907;
  };
  v3rm1n0 = {
    name = "Niklas Choinowski";
    email = "niklas.choinowski@proton.me";
    name = "V3RM1N";
    email = "mail@v3rm1n.dev";
    github = "v3rm1n0";
    githubId = 57269010;
    keys = [ { fingerprint = "58E4 2840 D274 49A5 5948  78AA 85F3 7D09 1304 5718"; } ];
  };
  vaavaav = {
    name = "Pedro Peixoto";
+34 −0
@@ -64,6 +64,40 @@ in
        EnvironmentFile = cfg.environmentFiles;
        ExecStart = "${cfg.package}/bin/Radarr -nobrowser -data='${cfg.dataDir}'";
        Restart = "on-failure";

        # Hardening
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectKernelLogs = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        UMask = "0022";
        ProtectHostname = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@debug"
          "~@mount"
          "@chown"
        ];
      };
    };
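Review bot: The hardening list added to Radarr's `serviceConfig` sets `ProtectHome` but no `ProtectSystem`, so everything outside the home directories stays writable wherever ordinary file permissions allow it. Consider adding `ProtectSystem = "strict";` together with `ReadWritePaths = [ cfg.dataDir ];`; any media or download directories the service must write to would also have to be listed, and those are not visible in this hunk, so that part needs checking against real deployments. The same block is added to the Sonarr module in the next file section and has the same gap. Separately, `UMask = "0022"` keeps newly created files world-readable; if the data directory holds API keys or credentials, a tighter mask such as `0027` may be preferable (presumably 0022 was chosen so other media services can read the library). The `serviceConfig` attrset starts outside the hunk.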

+34 −0
@@ -86,6 +86,40 @@ in
          "-data=${cfg.dataDir}"
        ];
        Restart = "on-failure";

        # Hardening
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectKernelLogs = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        UMask = "0022";
        ProtectHostname = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@debug"
          "~@mount"
          "@chown"
        ];
      }
      // lib.optionalAttrs (cfg.dataDir == "/var/lib/sonarr/.config/NzbDrone") {
        StateDirectory = "sonarr";
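Review bot: The `SystemCallFilter` list in this hunk is order-dependent and nothing says so: `"@chown"` only takes effect because it comes after `"~@privileged"`, and the `@privileged` group contains `@chown`, so a later sort or de-duplication of the list would silently remove the chown calls again. A comment above the entry would protect it, for example `# keep after ~@privileged, which removes @chown; re-allowed because the service changes file ownership (confirm)`. The identical list in the Radarr section has the same issue. Since the 34-line block is duplicated verbatim across both modules, moving it into a shared attrset would keep the two from drifting apart. The attrset continues past the end of the hunk with the `lib.optionalAttrs` merge.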
+1 −1
@@ -25,7 +25,7 @@ makeTest {
          ./common/auto-format-root-device.nix
        ];

        systemd.services.backdoor.conflicts = [ "sleep.target" ];
        powerManagement.powerDownCommands = "systemctl --no-block stop backdoor.service";
        powerManagement.resumeCommands = "systemctl --no-block restart backdoor.service";

        virtualisation.emptyDiskImages = [ (2 * config.virtualisation.memorySize) ];
+2 −2
@@ -26,13 +26,13 @@

stdenv.mkDerivation rec {
  pname = if withGui then "elements" else "elementsd";
  version = "23.3.1";
  version = "23.3.2";

  src = fetchFromGitHub {
    owner = "ElementsProject";
    repo = "elements";
    rev = "elements-${version}";
    sha256 = "sha256-hqHKH9B6EITwZ4F+YdPJI4n3Z3EeXdPYbzRoNODlThY=";
    sha256 = "sha256-NLLM+stYOXcnAjEfXRerjvgMXM8jFSOyZhu/A0ZTnRw=";
  };

  nativeBuildInputs = [