Loading maintainers/maintainer-list.nix +8 −0 Original line number Diff line number Diff line Loading @@ -2944,6 +2944,14 @@ githubId = 3229981; name = "Duncan Fairbanks"; }; BonusPlay = { name = "Bonus"; email = "nixos@bonusplay.pl"; matrix = "@bonus:bonusplay.pl"; github = "BonusPlay"; githubId = 8405359; keys = [ { fingerprint = "8279 6487 A4CA 2A28 E8B3 3CD6 C7F9 9743 6A20 4683"; } ]; }; booklearner = { name = "booklearner"; email = "booklearner@proton.me"; Loading nixos/doc/manual/release-notes/rl-2411.section.md +9 −0 Original line number Diff line number Diff line Loading @@ -338,6 +338,15 @@ a static `user` and `group`. The `writablePaths` option has been removed and the models directory is now always exempt from sandboxing. - The `gns3-server` service now runs under the `gns3` system user instead of a dynamically created one via `DynamicUser`. The use of SUID wrappers is incompatible with SystemD's `DynamicUser` setting, and GNS3 requires calling ubridge through its SUID wrapper to function properly. This change requires to manually move the following directories: * from `/var/lib/private/gns3` to `/var/lib/gns3` * from `/var/log/private/gns3` to `/var/log/gns3` and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`). - Legacy package `stalwart-mail_0_6` was dropped, please note the [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) before changing the package to `pkgs.stalwart-mail` in Loading nixos/modules/config/nix-flakes.nix +1 −1 Original line number Diff line number Diff line Loading @@ -72,7 +72,7 @@ in type = "path"; path = config.flake.outPath; } // filterAttrs (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") (n: _: n == "lastModified" || n == "rev" || n == "narHash") config.flake )); }; Loading nixos/modules/services/misc/redmine.nix +7 −1 Original line number Diff line number Diff line Loading 
@@ -74,6 +74,12 @@ in description = "Group under which Redmine is ran."; }; address = mkOption { type = types.str; default = "0.0.0.0"; description = "IP address Redmine should bind to."; }; port = mkOption { type = types.port; default = 3000; Loading Loading @@ -429,7 +435,7 @@ in Group = cfg.group; TimeoutSec = "300"; WorkingDirectory = "${cfg.package}/share/redmine"; ExecStart="${bundle} exec rails server -u webrick -e production -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'"; ExecStart="${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'"; }; }; Loading nixos/modules/services/networking/gns3-server.nix +25 −7 Original line number Diff line number Diff line Loading @@ -129,8 +129,15 @@ in { } ]; users.groups.gns3 = { }; users.groups.ubridge = lib.mkIf cfg.ubridge.enable { }; users.users.gns3 = { group = "gns3"; isSystemUser = true; }; security.wrappers.ubridge = lib.mkIf cfg.ubridge.enable { capabilities = "cap_net_raw,cap_net_admin=eip"; group = "ubridge"; Loading @@ -150,7 +157,7 @@ in { }; } (lib.mkIf (cfg.ubridge.enable) { Server.ubridge_path = lib.mkDefault (lib.getExe cfg.ubridge.package); Server.ubridge_path = lib.mkDefault "/run/wrappers/bin/ubridge"; }) (lib.mkIf (cfg.auth.enable) { Server = { Loading Loading @@ -206,7 +213,6 @@ in { serviceConfig = { ConfigurationDirectory = "gns3"; ConfigurationDirectoryMode = "0750"; DynamicUser = true; Environment = "HOME=%S/gns3"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStart = "${lib.getExe cfg.package} ${commandArgs}"; Loading 
@@ -227,14 +233,27 @@ in { User = "gns3"; WorkingDirectory = "%S/gns3"; # Required for ubridge integration to work # # GNS3 needs to run SUID binaries (ubridge) # but NoNewPrivileges breaks execution of SUID binaries DynamicUser = false; NoNewPrivileges = false; RestrictSUIDSGID = false; PrivateUsers = false; # Hardening DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm"; DeviceAllow = [ # ubridge needs access to tun/tap devices "/dev/net/tap rw" "/dev/net/tun rw" ] ++ lib.optionals flags.enableLibvirtd [ "/dev/kvm" ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateTmp = true; PrivateUsers = true; # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat # ProcSubset = "pid"; ProtectClock = true; Loading @@ -255,8 +274,7 @@ in { ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; UMask = "0077"; UMask = "0022"; }; }; }; Loading Loading
maintainers/maintainer-list.nix +8 −0 Original line number Diff line number Diff line Loading @@ -2944,6 +2944,14 @@ githubId = 3229981; name = "Duncan Fairbanks"; }; BonusPlay = { name = "Bonus"; email = "nixos@bonusplay.pl"; matrix = "@bonus:bonusplay.pl"; github = "BonusPlay"; githubId = 8405359; keys = [ { fingerprint = "8279 6487 A4CA 2A28 E8B3 3CD6 C7F9 9743 6A20 4683"; } ]; }; booklearner = { name = "booklearner"; email = "booklearner@proton.me"; Loading
nixos/doc/manual/release-notes/rl-2411.section.md +9 −0 Original line number Diff line number Diff line Loading @@ -338,6 +338,15 @@ a static `user` and `group`. The `writablePaths` option has been removed and the models directory is now always exempt from sandboxing. - The `gns3-server` service now runs under the `gns3` system user instead of a dynamically created one via `DynamicUser`. The use of SUID wrappers is incompatible with SystemD's `DynamicUser` setting, and GNS3 requires calling ubridge through its SUID wrapper to function properly. This change requires to manually move the following directories: * from `/var/lib/private/gns3` to `/var/lib/gns3` * from `/var/log/private/gns3` to `/var/log/gns3` and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`). - Legacy package `stalwart-mail_0_6` was dropped, please note the [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) before changing the package to `pkgs.stalwart-mail` in Loading
nixos/modules/config/nix-flakes.nix +1 −1 Original line number Diff line number Diff line Loading @@ -72,7 +72,7 @@ in type = "path"; path = config.flake.outPath; } // filterAttrs (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") (n: _: n == "lastModified" || n == "rev" || n == "narHash") config.flake )); }; Loading
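Review bot: The narrowed `filterAttrs` predicate silently stops forwarding `revCount` into the self-reference lock node, and nothing in the hunk records why, so a later reader comparing it with the attributes `config.flake` can carry (the removed line shows `revCount` was one of them) cannot tell whether the drop is deliberate or accidental. A one-line comment above the `filterAttrs` call naming the reason would settle that, e.g. `# revCount is intentionally not forwarded to the lock node — <reason>`, with the reason filled in (if it is that this input type cannot carry it, say so). The enclosing expression begins and ends outside the hunk.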
nixos/modules/services/misc/redmine.nix +7 −1 Original line number Diff line number Diff line Loading @@ -74,6 +74,12 @@ in description = "Group under which Redmine is ran."; }; address = mkOption { type = types.str; default = "0.0.0.0"; description = "IP address Redmine should bind to."; }; port = mkOption { type = types.port; default = 3000; Loading Loading @@ -429,7 +435,7 @@ in Group = cfg.group; TimeoutSec = "300"; WorkingDirectory = "${cfg.package}/share/redmine"; ExecStart="${bundle} exec rails server -u webrick -e production -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'"; ExecStart="${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'"; }; }; Loading
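Review bot: The new `address` option defaults to `0.0.0.0` and `-b` is now always passed, so an instance that previously listened wherever `rails server` chose to bind now listens on every interface; on recent Rails that implicit default is localhost, so if that was the effective behaviour before, this widens exposure of a plain-HTTP port by default — confirm the previous default and either default to `127.0.0.1` or state in the option description that the service becomes reachable from all interfaces. Independently, `cfg.address` is interpolated unescaped into `ExecStart` while `types.str` accepts whitespace and quotes, so prefer `-b ${lib.escapeShellArg cfg.address}` (or bare `escapeShellArg` if the file uses `with lib;`); `toString` on a string is a no-op and can go. The `serviceConfig` attrset this `ExecStart` belongs to starts and ends outside the hunk.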
nixos/modules/services/networking/gns3-server.nix +25 −7 Original line number Diff line number Diff line Loading @@ -129,8 +129,15 @@ in { } ]; users.groups.gns3 = { }; users.groups.ubridge = lib.mkIf cfg.ubridge.enable { }; users.users.gns3 = { group = "gns3"; isSystemUser = true; }; security.wrappers.ubridge = lib.mkIf cfg.ubridge.enable { capabilities = "cap_net_raw,cap_net_admin=eip"; group = "ubridge"; Loading @@ -150,7 +157,7 @@ in { }; } (lib.mkIf (cfg.ubridge.enable) { Server.ubridge_path = lib.mkDefault (lib.getExe cfg.ubridge.package); Server.ubridge_path = lib.mkDefault "/run/wrappers/bin/ubridge"; }) (lib.mkIf (cfg.auth.enable) { Server = { Loading Loading @@ -206,7 +213,6 @@ in { serviceConfig = { ConfigurationDirectory = "gns3"; ConfigurationDirectoryMode = "0750"; DynamicUser = true; Environment = "HOME=%S/gns3"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStart = "${lib.getExe cfg.package} ${commandArgs}"; Loading @@ -227,14 +233,27 @@ in { User = "gns3"; WorkingDirectory = "%S/gns3"; # Required for ubridge integration to work # # GNS3 needs to run SUID binaries (ubridge) # but NoNewPrivileges breaks execution of SUID binaries DynamicUser = false; NoNewPrivileges = false; RestrictSUIDSGID = false; PrivateUsers = false; # Hardening DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm"; DeviceAllow = [ # ubridge needs access to tun/tap devices "/dev/net/tap rw" "/dev/net/tun rw" ] ++ lib.optionals flags.enableLibvirtd [ "/dev/kvm" ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateTmp = true; PrivateUsers = true; # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat # ProcSubset = "pid"; ProtectClock = true; Loading @@ -255,8 +274,7 @@ in { ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; UMask = "0077"; UMask = "0022"; }; }; }; Loading
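Review bot: The hunk restricts the `ubridge` wrapper to `group = "ubridge"` but the new static `users.users.gns3` entry grants no `extraGroups = [ "ubridge" ]`, and no `SupplementaryGroups` for the unit is visible; unless membership is granted elsewhere in the module, the service cannot execute `/run/wrappers/bin/ubridge` at all and the sandbox loosening below buys nothing — confirm, and if missing add `extraGroups = [ "ubridge" ];` next to the user definition. The explanatory comment calls ubridge a SUID binary, yet the wrapper is declared with `capabilities = "cap_net_raw,cap_net_admin=eip"`, i.e. a capability wrapper; the rationale still holds because `NoNewPrivileges` also blocks capability gains, but the comment should say so: `# the ubridge wrapper is a capability wrapper (CAP_NET_RAW/CAP_NET_ADMIN); NoNewPrivileges, RestrictSUIDSGID and PrivateUsers each prevent it from gaining them`. Finally `UMask` is loosened from `0077` to `0022` with no stated reason, which makes everything the service creates under `%S/gns3` world-readable; either justify it in a comment or keep `0077` if ubridge only needs the tap/tun devices added to `DeviceAllow`. The `serviceConfig` attrset these lines belong to starts before the first hunk shown.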