Unverified Commit d9610a9f authored by Martin Weinelt's avatar Martin Weinelt

Merge remote-tracking branch 'origin/master' into staging-next

parents d6339576 cfb399c1
+0 −6
@@ -14711,12 +14711,6 @@
    github = "nullishamy";
    githubId = 99221043;
  };
  nullx76 = {
    email = "nix@xirion.net";
    github = "NULLx76";
    githubId = 1809198;
    name = "Victor Roest";
  };
  numinit = {
    email = "me@numin.it";
    github = "numinit";
+5 −0
@@ -183,6 +183,8 @@

- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300)

- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.

## Other Notable Changes {#sec-release-24.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -201,6 +203,9 @@
  The derivation now installs "impl" headers selectively instead of by a wildcard.
  Use `imgui.src` if you just want to access the unpacked sources.

- `security.pam.u2f` now follows RFC42.
  All module options are now settable through the freeform `.settings`.

- Cinnamon has been updated to 6.2.
  - Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.
  - Nemo is now built with gtk-layer-shell support, note that for now it will be expected to see nemo-desktop
+112 −83
@@ -7,6 +7,13 @@ with lib;

let

  moduleSettingsType = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ]));
  moduleSettingsDescription = ''
    Boolean values render just the key if true, and nothing if false.
    Null values are ignored.
    All other values are rendered as key-value pairs.
  '';

  mkRulesTypeOption = type: mkOption {
    # These options are experimental and subject to breaking changes without notice.
    description = ''
@@ -71,12 +78,12 @@ let
          '';
        };
        settings = mkOption {
          type = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ]));
          type = moduleSettingsType;
          default = {};
          description = ''
            Settings to add as `module-arguments`.

            Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs.
            ${moduleSettingsDescription}
          '';
        };
      };
@@ -660,11 +667,7 @@ let
          (let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [
            "${pkgs.opensc}/lib/opensc-pkcs11.so"
          ]; })
          (let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; settings = {
            inherit (u2f) debug interactive cue origin;
            authfile = u2f.authFile;
            appid = u2f.appId;
          }; })
          (let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; inherit (u2f) settings; })
          (let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; settings = {
            ca_file = ussh.caFile;
            authorized_principals = ussh.authorizedPrincipals;
@@ -952,6 +955,12 @@ in
  imports = [
    (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
    (mkRenamedOptionModule [ "security" "pam" "enableSSHAgentAuth" ] [ "security" "pam" "sshAgentAuth" "enable" ])
    (mkRenamedOptionModule [ "security" "pam" "u2f" "authFile" ] [ "security" "pam" "u2f" "settings" "authfile" ])
    (mkRenamedOptionModule [ "security" "pam" "u2f" "appId" ] [ "security" "pam" "u2f" "settings" "appid" ])
    (mkRenamedOptionModule [ "security" "pam" "u2f" "origin" ] [ "security" "pam" "u2f" "settings" "origin" ])
    (mkRenamedOptionModule [ "security" "pam" "u2f" "debug" ] [ "security" "pam" "u2f" "settings" "debug" ])
    (mkRenamedOptionModule [ "security" "pam" "u2f" "interactive" ] [ "security" "pam" "u2f" "settings" "interactive" ])
    (mkRenamedOptionModule [ "security" "pam" "u2f" "cue" ] [ "security" "pam" "u2f" "settings" "cue" ])
  ];

  ###### interface
@@ -1144,7 +1153,26 @@ in
        '';
      };

      authFile = mkOption {
      control = mkOption {
        default = "sufficient";
        type = types.enum [ "required" "requisite" "sufficient" "optional" ];
        description = ''
          This option sets pam "control".
          If you want to have multi factor authentication, use "required".
          If you want to use U2F device instead of regular password, use "sufficient".

          Read
          {manpage}`pam.conf(5)`
          for better understanding of this option.
        '';
      };

      settings = mkOption {
        type = types.submodule {
          freeformType = moduleSettingsType;

          options = {
            authfile = mkOption {
              default = null;
              type = with types; nullOr path;
              description = ''
@@ -1165,7 +1193,7 @@ in
              '';
            };

      appId = mkOption {
            appid = mkOption {
              default = null;
              type = with types; nullOr str;
              description = ''
@@ -1195,20 +1223,6 @@ in
              '';
            };

      control = mkOption {
        default = "sufficient";
        type = types.enum [ "required" "requisite" "sufficient" "optional" ];
        description = ''
          This option sets pam "control".
          If you want to have multi factor authentication, use "required".
          If you want to use U2F device instead of regular password, use "sufficient".

          Read
          {manpage}`pam.conf(5)`
          for better understanding of this option.
        '';
      };

            debug = mkOption {
              default = false;
              type = types.bool;
@@ -1239,6 +1253,21 @@ in
              '';
            };
          };
        };
        default = { };
        example = {
          authfile = "/etc/u2f_keys";
          authpending_file = "";
          userpresence = 0;
          pinverification = 1;
        };
        description = ''
          Options to pass to the PAM module.

          ${moduleSettingsDescription}
        '';
      };
    };

    security.pam.ussh = {
      enable = mkOption {
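Review bot: The new `settings` option's description, `Options to pass to the PAM module.`, gives no pointer to where the accepted keys and their defaults are documented, while the example right above it sets `userpresence = 0` and `pinverification = 1`, which turns off the touch-presence check that pam_u2f enforces by default; a reader copying the example gets a weaker second factor without being told so. I would extend the description with `See {manpage}\`pam_u2f(8)\` for the available keys and their defaults.` (the file already uses `{manpage}` for pam.conf) and either drop `userpresence = 0` from the example or pick a value that does not weaken the default. The same freeform type also means misspelled keys are no longer caught at evaluation time but passed to pam_u2f as-is, which the description could mention in one sentence. The enclosing `security.pam.u2f` option set starts outside the hunk.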
+8 −4
@@ -93,13 +93,17 @@ in
    maxAttachmentSize = mkOption {
      type = types.int;
      default = 18;
      apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 1.37)}M";
      description = ''
        The maximum attachment size in MB.

        Note: Since roundcube only uses 70% of max upload values configured in php
        30% is added automatically to [](#opt-services.roundcube.maxAttachmentSize).
        [upstream issue comment]: https://github.com/roundcube/roundcubemail/issues/7979#issuecomment-808879209
        ::: {.note}
        Since there is some overhead in base64 encoding applied to attachments, + 37% will be added
        to the value set in this option in order to offset the overhead. For example, setting
        `maxAttachmentSize` to `100` would result in `137M` being the real value in the configuration.
        See [upstream issue comment] for more details on the motivations behind this.
        :::
      '';
      apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 1.3)}M";
    };

    configureNginx = lib.mkOption {
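Review bot: The `apply` on `maxAttachmentSize` multiplies a `types.int` by `1.37` and passes the float straight through `toString`, so the default of `18` renders as a non-integer size string (on the order of `24.66M`, depending on how Nix prints the float); as far as I know PHP's shorthand-byte parsing of values like `upload_max_filesize`, which this presumably feeds, is only defined for integers, so the effective limit may not be what the description promises. Rounding up before stringifying keeps the intent: `apply = configuredMaxAttachmentSize: "${toString (builtins.ceil (configuredMaxAttachmentSize * 1.37))}M";`. The older `1.3` factor had the same property, so this is inherited rather than introduced, and the page does not mark which of the two `apply` lines is the new side. The enclosing options attrset starts outside the hunk.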
+3 −3
@@ -91,10 +91,10 @@ let
    cd ${webroot}
    sudo=exec
    if [[ "$USER" != nextcloud ]]; then
      sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
      sudo='exec /run/wrappers/bin/sudo -u nextcloud'
    fi
    export NEXTCLOUD_CONFIG_DIR="${datadir}/config"
    $sudo \
    $sudo ${pkgs.coreutils}/bin/env \
      NEXTCLOUD_CONFIG_DIR="${datadir}/config" \
      ${phpCli} \
      occ "$@"
  '';
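Review bot: The two `sudo=` variants differ in whether `OC_PASS` crosses the sudo boundary, and nothing in the wrapper records why that matters; the page does not mark which variant is the new side. If the `--preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS` line is being kept, add a comment above it such as `# OC_PASS is forwarded through the environment (never argv) so that 'occ user:add --password-from-env' works when invoked as a user other than nextcloud`. If instead the `env`-based variant is the new side, then sudo's default environment reset strips `OC_PASS` and `--password-from-env` silently runs without a password whenever the wrapper is called as another user, which should at least be called out in the script. The wrapper's definition starts outside the hunk.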