authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2021-09-14 00:01:23 +0000
committerGitHub <noreply@github.com>2021-09-14 00:01:23 +0000
commit1db0c42d5acb49e382a6dcb6369446617deeb27f (patch)
tree3cf837befaa8d41c151fec24c29153d3d66ee2b0
parentce44d09c853508f505a6ba84e4127f3cca768988 (diff)
parent3d1fe451d422aaa9d8b2234bb19776b771a25b06 (diff)
Merge master into staging-next
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2111.section.xml27
-rw-r--r--nixos/doc/manual/release-notes/rl-2111.section.md19
-rw-r--r--nixos/modules/config/users-groups.nix12
-rw-r--r--nixos/modules/misc/ids.nix42
-rw-r--r--nixos/modules/security/rtkit.nix5
-rw-r--r--nixos/modules/services/backup/borgbackup.nix1
-rw-r--r--nixos/modules/services/databases/influxdb.nix1
-rw-r--r--nixos/modules/services/databases/memcached.nix2
-rw-r--r--nixos/modules/services/databases/mongodb.nix4
-rw-r--r--nixos/modules/services/databases/neo4j.nix4
-rw-r--r--nixos/modules/services/databases/redis.nix1
-rw-r--r--nixos/modules/services/games/minecraft-server.nix4
-rw-r--r--nixos/modules/services/logging/graylog.nix4
-rw-r--r--nixos/modules/services/misc/airsonic.nix2
-rw-r--r--nixos/modules/services/misc/apache-kafka.nix4
-rw-r--r--nixos/modules/services/misc/docker-registry.nix2
-rw-r--r--nixos/modules/services/misc/etcd.nix4
-rw-r--r--nixos/modules/services/misc/nix-ssh-serve.nix4
-rw-r--r--nixos/modules/services/misc/zookeeper.nix4
-rw-r--r--nixos/modules/services/monitoring/graphite.nix1
-rw-r--r--nixos/modules/services/monitoring/netdata.nix1
-rw-r--r--nixos/modules/services/monitoring/tuptime.nix1
-rw-r--r--nixos/modules/services/network-filesystems/orangefs/server.nix5
-rw-r--r--nixos/modules/services/networking/bind.nix4
-rw-r--r--nixos/modules/services/networking/consul.nix4
-rw-r--r--nixos/modules/services/networking/coturn.nix1
-rw-r--r--nixos/modules/services/networking/dhcpd.nix4
-rw-r--r--nixos/modules/services/networking/dnsmasq.nix4
-rw-r--r--nixos/modules/services/networking/git-daemon.nix1
-rw-r--r--nixos/modules/services/networking/iodine.nix1
-rw-r--r--nixos/modules/services/networking/morty.nix2
-rw-r--r--nixos/modules/services/networking/ncdns.nix2
-rw-r--r--nixos/modules/services/networking/networkmanager.nix1
-rw-r--r--nixos/modules/services/networking/ngircd.nix5
-rw-r--r--nixos/modules/services/networking/pleroma.nix2
-rw-r--r--nixos/modules/services/networking/radicale.nix7
-rw-r--r--nixos/modules/services/networking/radvd.nix5
-rw-r--r--nixos/modules/services/networking/smokeping.nix5
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix5
-rw-r--r--nixos/modules/services/networking/tinydns.nix6
-rw-r--r--nixos/modules/services/scheduling/atd.nix4
-rw-r--r--nixos/modules/services/search/kibana.nix4
-rw-r--r--nixos/modules/services/security/hockeypuck.nix2
-rw-r--r--nixos/modules/services/torrent/magnetico.nix2
-rw-r--r--nixos/modules/services/torrent/peerflix.nix6
-rw-r--r--nixos/modules/services/web-apps/node-red.nix1
-rw-r--r--nixos/modules/system/boot/systemd.nix15
-rw-r--r--nixos/modules/virtualisation/lxd.nix2
-rw-r--r--nixos/tests/unbound.nix11
-rw-r--r--pkgs/applications/graphics/lightburn/default.nix4
-rw-r--r--pkgs/applications/networking/browsers/firefox/common.nix17
-rw-r--r--pkgs/applications/networking/instant-messengers/slack/default.nix6
-rw-r--r--pkgs/build-support/fetchzip/default.nix1
-rw-r--r--pkgs/development/python-modules/dpath/default.nix4
-rw-r--r--pkgs/development/tools/misc/arcanist/default.nix22
-rw-r--r--pkgs/misc/emulators/melonDS/default.nix25
-rw-r--r--pkgs/servers/misc/navidrome/default.nix20
57 files changed, 278 insertions, 81 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index 2b3689f1d42..7a0406662b7 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -369,6 +369,33 @@ Superuser created successfully.
       </listitem>
       <listitem>
         <para>
+          <link xlink:href="options.html#opt-users.users._name_.group">users.users.&lt;name&gt;.group</link>
+          no longer defaults to <literal>nogroup</literal>, which was
+          insecure. Out-of-tree modules are likely to require
+          adaptation: instead of
+        </para>
+        <programlisting language="bash">
+{
+  users.users.foo = {
+    isSystemUser = true;
+  };
+}
+</programlisting>
+        <para>
+          also create a group for your user:
+        </para>
+        <programlisting language="bash">
+{
+  users.users.foo = {
+    isSystemUser = true;
+    group = &quot;foo&quot;;
+  };
+  users.groups.foo = {};
+}
+</programlisting>
+      </listitem>
+      <listitem>
+        <para>
           <literal>services.geoip-updater</literal> was broken and has
           been replaced by
           <link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>.
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 2490284fcda..0ff62983b05 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -136,6 +136,25 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
 
 - The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)).
 
+- [users.users.&lt;name&gt;.group](options.html#opt-users.users._name_.group) no longer defaults to `nogroup`, which was insecure. Out-of-tree modules are likely to require adaptation: instead of
+  ```nix
+  {
+    users.users.foo = {
+      isSystemUser = true;
+    };
+  }
+  ```
+  also create a group for your user:
+  ```nix
+  {
+    users.users.foo = {
+      isSystemUser = true;
+      group = "foo";
+    };
+    users.groups.foo = {};
+  }
+  ```
+
 - `services.geoip-updater` was broken and has been replaced by [services.geoipupdate](options.html#opt-services.geoipupdate.enable).
 
 - PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index d88162558e6..8e2db9107a1 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -123,7 +123,7 @@ let
       group = mkOption {
         type = types.str;
         apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
-        default = "nogroup";
+        default = "";
         description = "The user's primary group.";
       };
 
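Review bot: The option description still reads only "The user's primary group." although the default in this hunk is now the empty string, which the assertion added further down in this file rejects. Generated option documentation would present `""` as if it were a usable default. The description could state the requirement directly, for example `description = "The user's primary group. Must be set explicitly; there is no usable default.";`. The enclosing `let` block starts and ends outside the hunk.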
@@ -640,6 +640,16 @@ in {
               Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
             '';
           }
+          {
+            assertion = user.group != "";
+            message = ''
+              users.users.${user.name}.group is unset. This used to default to
+              nogroup, but this is unsafe. For example you can create a group
+              for this user with:
+              users.users.${user.name}.group = "${user.name}";
+              users.groups.${user.name} = {};
+            '';
+          }
         ]
     ));
 
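Review bot: The new assertion only rejects an empty `user.group`; nothing visible in this hunk checks that the named group is actually declared under `users.groups`. Two modules changed in this same commit show the gap: orangefs/server.nix sets `group = "orangfs"` and graylog.nix assigns `users.groups` an empty set, and both would pass this check. A companion assertion along the lines of `assertion = user.group == "" || hasAttr user.group config.users.groups;` would catch them, though it needs adapting if a group's `name` attribute can differ from its attribute key. The surrounding assertion list starts outside the hunk.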
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 02ae1390ce8..30cd8615acf 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -83,14 +83,14 @@ in
       #fourstore = 42; # dropped in 20.03
       #fourstorehttp = 43; # dropped in 20.03
       virtuoso = 44;
-      rtkit = 45;
+      #rtkit = 45; # dynamically allocated 2021-09-03
       dovecot2 = 46;
       dovenull2 = 47;
       prayer = 49;
       mpd = 50;
       clamav = 51;
       fprot = 52;
-      bind = 53;
+      # bind = 53; #dynamically allocated as of 2021-09-03
       wwwrun = 54;
       #adm = 55; # unused
       spamd = 56;
@@ -134,13 +134,13 @@ in
       firebird = 95;
       #keys = 96; # unused
       #haproxy = 97; # dynamically allocated as of 2020-03-11
-      mongodb = 98;
+      #mongodb = 98; #dynamically allocated as of 2021-09-03
       #openldap = 99; # dynamically allocated as of PR#94610
       #users = 100; # unused
       cgminer = 101;
       munin = 102;
       logcheck = 103;
-      nix-ssh = 104;
+      #nix-ssh = 104; #dynamically allocated as of 2021-09-03
       dictd = 105;
       couchdb = 106;
       #searx = 107; # dynamically allocated as of 2020-10-27
@@ -149,9 +149,9 @@ in
       systemd-journal-gateway = 110;
       #notbit = 111; # unused
       aerospike = 111;
-      ngircd = 112;
+      #ngircd = 112; #dynamically allocated as of 2021-09-03
       #btsync = 113; # unused
-      minecraft = 114;
+      #minecraft = 114; #dynamically allocated as of 2021-09-03
       vault = 115;
       rippled = 116;
       murmur = 117;
@@ -169,19 +169,19 @@ in
       mopidy = 130;
       #docker = 131; # unused
       gdm = 132;
-      dhcpd = 133;
+      #dhcpd = 133; # dynamically allocated as of 2021-09-03
       siproxd = 134;
       mlmmj = 135;
-      neo4j = 136;
+      #neo4j = 136;# dynamically allocated as of 2021-09-03
       riemann = 137;
       riemanndash = 138;
-      radvd = 139;
-      zookeeper = 140;
-      dnsmasq = 141;
+      #radvd = 139;# dynamically allocated as of 2021-09-03
+      #zookeeper = 140;# dynamically allocated as of 2021-09-03
+      #dnsmasq = 141;# dynamically allocated as of 2021-09-03
       #uhub = 142; # unused
       yandexdisk = 143;
       mxisd = 144; # was once collectd
-      consul = 145;
+      #consul = 145;# dynamically allocated as of 2021-09-03
       mailpile = 146;
       redmine = 147;
       #seeks = 148; # removed 2020-06-21
@@ -192,7 +192,7 @@ in
       systemd-resolve = 153;
       systemd-timesync = 154;
       liquidsoap = 155;
-      etcd = 156;
+      #etcd = 156;# dynamically allocated as of 2021-09-03
       hbase = 158;
       opentsdb = 159;
       scollector = 160;
@@ -204,7 +204,7 @@ in
       tox-bootstrapd = 166;
       cadvisor = 167;
       nylon = 168;
-      apache-kafka = 169;
+      #apache-kafka = 169;# dynamically allocated as of 2021-09-03
       #panamax = 170; # unused
       exim = 172;
       #fleet = 173; # unused
@@ -241,7 +241,7 @@ in
       gateone = 207;
       namecoin = 208;
       #lxd = 210; # unused
-      kibana = 211;
+      #kibana = 211;# dynamically allocated as of 2021-09-03
       xtreemfs = 212;
       calibre-server = 213;
       heapster = 214;
@@ -264,7 +264,7 @@ in
       avahi-autoipd = 231;
       nntp-proxy = 232;
       mjpg-streamer = 233;
-      radicale = 234;
+      #radicale = 234;# dynamically allocated as of 2021-09-03
       hydra-queue-runner = 235;
       hydra-www = 236;
       syncthing = 237;
@@ -272,14 +272,14 @@ in
       taskd = 240;
       # factorio = 241; # DynamicUser = true
       # emby = 242; # unusued, removed 2019-05-01
-      graylog = 243;
+      #graylog = 243;# dynamically allocated as of 2021-09-03
       sniproxy = 244;
       nzbget = 245;
       mosquitto = 246;
       toxvpn = 247;
       # squeezelite = 248; # DynamicUser = true
       turnserver = 249;
-      smokeping = 250;
+      #smokeping = 250;# dynamically allocated as of 2021-09-03
       gocd-agent = 251;
       gocd-server = 252;
       terraria = 253;
@@ -554,7 +554,7 @@ in
       #shout = 206; #unused
       gateone = 207;
       namecoin = 208;
-      lxd = 210; # unused
+      #lxd = 210; # unused
       #kibana = 211;
       xtreemfs = 212;
       calibre-server = 213;
@@ -573,7 +573,7 @@ in
       cfdyndns = 227;
       pdnsd = 229;
       octoprint = 230;
-      radicale = 234;
+      #radicale = 234;# dynamically allocated as of 2021-09-03
       syncthing = 237;
       caddy = 239;
       taskd = 240;
@@ -585,7 +585,7 @@ in
       #toxvpn = 247; # unused
       #squeezelite = 248; #unused
       turnserver = 249;
-      smokeping = 250;
+      #smokeping = 250;# dynamically allocated as of 2021-09-03
       gocd-agent = 251;
       gocd-server = 252;
       terraria = 253;
diff --git a/nixos/modules/security/rtkit.nix b/nixos/modules/security/rtkit.nix
index a7b27cbcf21..ad8746808e8 100644
--- a/nixos/modules/security/rtkit.nix
+++ b/nixos/modules/security/rtkit.nix
@@ -35,9 +35,12 @@ with lib;
     services.dbus.packages = [ pkgs.rtkit ];
 
     users.users.rtkit =
-      { uid = config.ids.uids.rtkit;
+      {
+        isSystemUser = true;
+        group = "rtkit";
         description = "RealtimeKit daemon";
       };
+    users.groups.rtkit = {};
 
   };
 
diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix
index ccbc7726392..c4174286fc0 100644
--- a/nixos/modules/services/backup/borgbackup.nix
+++ b/nixos/modules/services/backup/borgbackup.nix
@@ -169,6 +169,7 @@ let
         (map (mkAuthorizedKey cfg false) cfg.authorizedKeys
         ++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly);
       useDefaultShell = true;
+      group = cfg.group;
       isSystemUser = true;
     };
     groups.${cfg.group} = { };
diff --git a/nixos/modules/services/databases/influxdb.nix b/nixos/modules/services/databases/influxdb.nix
index dd5d69b1147..3b8c00929ba 100644
--- a/nixos/modules/services/databases/influxdb.nix
+++ b/nixos/modules/services/databases/influxdb.nix
@@ -185,6 +185,7 @@ in
     users.users = optionalAttrs (cfg.user == "influxdb") {
       influxdb = {
         uid = config.ids.uids.influxdb;
+        group = "influxdb";
         description = "Influxdb daemon user";
       };
     };
diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix
index ca7b20eb049..1c06937e2f3 100644
--- a/nixos/modules/services/databases/memcached.nix
+++ b/nixos/modules/services/databases/memcached.nix
@@ -67,7 +67,9 @@ in
     users.users = optionalAttrs (cfg.user == "memcached") {
       memcached.description = "Memcached server user";
       memcached.isSystemUser = true;
+      memcached.group = "memcached";
     };
+    users.groups = optionalAttrs (cfg.user == "memcached") { memcached = {}; };
 
     environment.systemPackages = [ memcached ];
 
diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix
index db1e5fedf50..5121e0415db 100644
--- a/nixos/modules/services/databases/mongodb.nix
+++ b/nixos/modules/services/databases/mongodb.nix
@@ -123,9 +123,11 @@ in
 
     users.users.mongodb = mkIf (cfg.user == "mongodb")
       { name = "mongodb";
-        uid = config.ids.uids.mongodb;
+        isSystemUser = true;
+        group = "mongodb";
         description = "MongoDB server user";
       };
+    users.groups.mongodb = mkIf (cfg.user == "mongodb") {};
 
     environment.systemPackages = [ mongodb ];
 
diff --git a/nixos/modules/services/databases/neo4j.nix b/nixos/modules/services/databases/neo4j.nix
index 53760bb24c4..2a30923538d 100644
--- a/nixos/modules/services/databases/neo4j.nix
+++ b/nixos/modules/services/databases/neo4j.nix
@@ -651,10 +651,12 @@ in {
       environment.systemPackages = [ cfg.package ];
 
       users.users.neo4j = {
-        uid = config.ids.uids.neo4j;
+        isSystemUser = true;
+        group = "neo4j";
         description = "Neo4j daemon user";
         home = cfg.directories.home;
       };
+      users.groups.neo4j = {};
     };
 
   meta = {
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index 8873f6d00e0..1b9358c81a1 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -246,6 +246,7 @@ in {
 
     users.users.redis = {
       description = "Redis database user";
+      group = "redis";
       isSystemUser = true;
     };
     users.groups.redis = {};
diff --git a/nixos/modules/services/games/minecraft-server.nix b/nixos/modules/services/games/minecraft-server.nix
index eb9288fca58..458e57fef84 100644
--- a/nixos/modules/services/games/minecraft-server.nix
+++ b/nixos/modules/services/games/minecraft-server.nix
@@ -167,8 +167,10 @@ in {
       description     = "Minecraft server service user";
       home            = cfg.dataDir;
       createHome      = true;
-      uid             = config.ids.uids.minecraft;
+      isSystemUser    = true;
+      group           = "minecraft";
     };
+    users.groups.minecraft = {};
 
     systemd.services.minecraft-server = {
       description   = "Minecraft Server Service";
diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix
index af70d27fcf9..5e20a10f249 100644
--- a/nixos/modules/services/logging/graylog.nix
+++ b/nixos/modules/services/logging/graylog.nix
@@ -128,10 +128,12 @@ in
 
     users.users = mkIf (cfg.user == "graylog") {
       graylog = {
-        uid = config.ids.uids.graylog;
+        isSystemUser = true;
+        group = "graylog";
         description = "Graylog server daemon user";
       };
     };
+    users.groups = mkIf (cfg.user == "graylog") {};
 
     systemd.tmpfiles.rules = [
       "d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
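Review bot: `users.groups = mkIf (cfg.user == "graylog") {};` assigns an empty attribute set, so no `graylog` group is declared even though the user above now has `group = "graylog"`. The other modules in this commit declare the group explicitly; here the line should be `users.groups = mkIf (cfg.user == "graylog") { graylog = {}; };`. Unless the group is declared elsewhere in this file, outside the hunk, the service account's primary group refers to a group that is never created.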
diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix
index 490f6c5a5c0..c1ce515750b 100644
--- a/nixos/modules/services/misc/airsonic.nix
+++ b/nixos/modules/services/misc/airsonic.nix
@@ -165,10 +165,12 @@ in {
 
     users.users.airsonic = {
       description = "Airsonic service user";
+      group = "airsonic";
       name = cfg.user;
       home = cfg.home;
       createHome = true;
       isSystemUser = true;
     };
+    users.groups.airsonic = {};
   };
 }
diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix
index 69dfadfe54e..8bc307311a4 100644
--- a/nixos/modules/services/misc/apache-kafka.nix
+++ b/nixos/modules/services/misc/apache-kafka.nix
@@ -120,10 +120,12 @@ in {
     environment.systemPackages = [cfg.package];
 
     users.users.apache-kafka = {
-      uid = config.ids.uids.apache-kafka;
+      isSystemUser = true;
+      group = "apache-kafka";
       description = "Apache Kafka daemon user";
       home = head cfg.logDirs;
     };
+    users.groups.apache-kafka = {};
 
     systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs;
 
diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix
index e212f581c28..cb68a29c530 100644
--- a/nixos/modules/services/misc/docker-registry.nix
+++ b/nixos/modules/services/misc/docker-registry.nix
@@ -151,7 +151,9 @@ in {
         home = cfg.storagePath;
       }
       else {}) // {
+        group = "docker-registry";
         isSystemUser = true;
       };
+    users.groups.docker-registry = {};
   };
 }
diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix
index eb266f043eb..2b667fab6b0 100644
--- a/nixos/modules/services/misc/etcd.nix
+++ b/nixos/modules/services/misc/etcd.nix
@@ -187,9 +187,11 @@ in {
     environment.systemPackages = [ pkgs.etcd ];
 
     users.users.etcd = {
-      uid = config.ids.uids.etcd;
+      isSystemUser = true;
+      group = "etcd";
       description = "Etcd daemon user";
       home = cfg.dataDir;
     };
+    users.groups.etcd = {};
   };
 }
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
index 1764c6d7964..d5c64fdb264 100644
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -44,9 +44,11 @@ in {
 
     users.users.nix-ssh = {
       description = "Nix SSH store user";
-      uid = config.ids.uids.nix-ssh;
+      isSystemUser = true;
+      group = "nix-ssh";
       useDefaultShell = true;
     };
+    users.groups.nix-ssh = {};
 
     services.openssh.enable = true;
 
diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix
index 1d12e81a9ec..0e5880983e4 100644
--- a/nixos/modules/services/misc/zookeeper.nix
+++ b/nixos/modules/services/misc/zookeeper.nix
@@ -148,9 +148,11 @@ in {
     };
 
     users.users.zookeeper = {
-      uid = config.ids.uids.zookeeper;
+      isSystemUser = true;
+      group = "zookeeper";
       description = "Zookeeper daemon user";
       home = cfg.dataDir;
     };
+    users.groups.zookeeper = {};
   };
 }
diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix
index 9213748d3c9..502afce5233 100644
--- a/nixos/modules/services/monitoring/graphite.nix
+++ b/nixos/modules/services/monitoring/graphite.nix
@@ -561,6 +561,7 @@ in {
      ) {
       users.users.graphite = {
         uid = config.ids.uids.graphite;
+        group = "graphite";
         description = "Graphite daemon user";
         home = dataDir;
       };
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix
index 561ce3eec62..e76979fa6d1 100644
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@@ -258,6 +258,7 @@ in {
 
     users.users = optionalAttrs (cfg.user == defaultUser) {
       ${defaultUser} = {
+        group = defaultUser;
         isSystemUser = true;
       };
     };
diff --git a/nixos/modules/services/monitoring/tuptime.nix b/nixos/modules/services/monitoring/tuptime.nix
index 17c5c1f56ea..de80282559a 100644
--- a/nixos/modules/services/monitoring/tuptime.nix
+++ b/nixos/modules/services/monitoring/tuptime.nix
@@ -36,6 +36,7 @@ in {
       groups._tuptime.members = [ "_tuptime" ];
       users._tuptime = {
         isSystemUser = true;
+        group = "_tuptime";
         description = "tuptime database owner";
       };
     };
diff --git a/nixos/modules/services/network-filesystems/orangefs/server.nix b/nixos/modules/services/network-filesystems/orangefs/server.nix
index 8eb754fe611..8c55ccf5ffb 100644
--- a/nixos/modules/services/network-filesystems/orangefs/server.nix
+++ b/nixos/modules/services/network-filesystems/orangefs/server.nix
@@ -193,7 +193,10 @@ in {
     environment.systemPackages = [ pkgs.orangefs ];
 
     # orangefs daemon will run as user
-    users.users.orangefs.isSystemUser = true;
+    users.users.orangefs = {
+      isSystemUser = true;
+      group = "orangfs";
+    };
     users.groups.orangefs = {};
 
     # To format the file system the config file is needed.
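Review bot: The primary group added here is spelled `"orangfs"`, while the group declared directly below is `users.groups.orangefs`, so the daemon user refers to a group this module never creates. The line should read `group = "orangefs";`. Files and sockets the daemon creates would otherwise not end up under the dedicated group this change is meant to introduce.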
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index 480d5a184f2..0c23fb7e40f 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -229,9 +229,11 @@ in
 
     users.users.${bindUser} =
       {
-        uid = config.ids.uids.bind;
+        group = bindUser;
         description = "BIND daemon user";
+        isSystemUser = true;
       };
+    users.groups.${bindUser} = {};
 
     systemd.services.bind = {
       description = "BIND Domain Name Server";
diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix
index ae7998913ee..476ca738dd1 100644
--- a/nixos/modules/services/networking/consul.nix
+++ b/nixos/modules/services/networking/consul.nix
@@ -159,10 +159,12 @@ in
 
       users.users.consul = {
         description = "Consul agent daemon user";
-        uid = config.ids.uids.consul;
+        isSystemUser = true;
+        group = "consul";
         # The shell is needed for health checks
         shell = "/run/current-system/sw/bin/bash";
       };
+      users.groups.consul = {};
 
       environment = {
         etc."consul.json".text = builtins.toJSON configOptions;
diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix
index 5f7d2893ae2..12098ec6d33 100644
--- a/nixos/modules/services/networking/coturn.nix
+++ b/nixos/modules/services/networking/coturn.nix
@@ -311,6 +311,7 @@ in {
     {
       users.users.turnserver =
         { uid = config.ids.uids.turnserver;
+          group = "turnserver";
           description = "coturn TURN server user";
         };
       users.groups.turnserver =
diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix
index 8966deac76c..54e4f900285 100644
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
@@ -212,9 +212,11 @@ in
 
     users = {
       users.dhcpd = {
-        uid = config.ids.uids.dhcpd;
+        isSystemUser = true;
+        group = "dhcpd";
         description = "DHCP daemon user";
       };
+      groups.dhcpd = {};
     };
 
     systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;
diff --git a/nixos/modules/services/networking/dnsmasq.nix b/nixos/modules/services/networking/dnsmasq.nix
index 377d7bc5705..59a3ca2f28e 100644
--- a/nixos/modules/services/networking/dnsmasq.nix
+++ b/nixos/modules/services/networking/dnsmasq.nix
@@ -87,9 +87,11 @@ in
     services.dbus.packages = [ dnsmasq ];
 
     users.users.dnsmasq = {
-      uid = config.ids.uids.dnsmasq;
+      isSystemUser = true;
+      group = "dnsmasq";
       description = "Dnsmasq daemon user";
     };
+    users.groups.dnsmasq = {};
 
     networking.resolvconf = mkIf cfg.resolveLocalQueries {
       useLocalResolver = mkDefault true;
diff --git a/nixos/modules/services/networking/git-daemon.nix b/nixos/modules/services/networking/git-daemon.nix
index 98f80dd4bc4..6be72505c21 100644
--- a/nixos/modules/services/networking/git-daemon.nix
+++ b/nixos/modules/services/networking/git-daemon.nix
@@ -107,6 +107,7 @@ in
     users.users = optionalAttrs (cfg.user == "git") {
       git = {
         uid = config.ids.uids.git;
+        group = "git";
         description = "Git daemon user";
       };
     };
diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix
index 46051d7044b..f67e2d9a5e7 100644
--- a/nixos/modules/services/networking/iodine.nix
+++ b/nixos/modules/services/networking/iodine.nix
@@ -190,6 +190,7 @@ in
 
     users.users.${iodinedUser} = {
       uid = config.ids.uids.iodined;
+      group = "iodined";
       description = "Iodine daemon user";
     };
     users.groups.iodined.gid = config.ids.gids.iodined;
diff --git a/nixos/modules/services/networking/morty.nix b/nixos/modules/services/networking/morty.nix
index e110a5c8610..c627feb527b 100644
--- a/nixos/modules/services/networking/morty.nix
+++ b/nixos/modules/services/networking/morty.nix
@@ -77,7 +77,9 @@ in
         createHome = true;
         home = "/var/lib/morty";
         isSystemUser = true;
+        group = "morty";
       };
+    users.groups.morty = {};
 
     systemd.services.morty =
       {
diff --git a/nixos/modules/services/networking/ncdns.nix b/nixos/modules/services/networking/ncdns.nix
index d30fe0f6f6d..c5ea5d95057 100644
--- a/nixos/modules/services/networking/ncdns.nix
+++ b/nixos/modules/services/networking/ncdns.nix
@@ -245,8 +245,10 @@ in
 
     users.users.ncdns = {
       isSystemUser = true;
+      group = "ncdns";
       description = "ncdns daemon user";
     };
+    users.groups.ncdns = {};
 
     systemd.services.ncdns = {
       description = "ncdns daemon";
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index c8861171dd6..ba13f575c39 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -464,6 +464,7 @@ in {
     users.users = {
       nm-openvpn = {
         uid = config.ids.uids.nm-openvpn;
+        group = "nm-openvpn";
         extraGroups = [ "networkmanager" ];
       };
       nm-iodine = {
diff --git a/nixos/modules/services/networking/ngircd.nix b/nixos/modules/services/networking/ngircd.nix
index 4b2fa779592..1b631de3b02 100644
--- a/nixos/modules/services/networking/ngircd.nix
+++ b/nixos/modules/services/networking/ngircd.nix
@@ -52,8 +52,11 @@ in {
     };
 
     users.users.ngircd = {
-      uid = config.ids.uids.ngircd;
+      isSystemUser = true;
+      group = "ngircd";
       description = "ngircd user.";
     };
+    users.groups.ngircd = {};
+
   };
 }
diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix
index bd75083a4a7..93ab29b71e5 100644
--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@@ -74,7 +74,7 @@ in {
       users."${cfg.user}" = {
         description = "Pleroma user";
         home = cfg.stateDir;
-        extraGroups = [ cfg.group ];
+        group = cfg.group;
         isSystemUser = true;
       };
       groups."${cfg.group}" = {};
diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix
index 8c632c319d3..368259b5b0b 100644
--- a/nixos/modules/services/networking/radicale.nix
+++ b/nixos/modules/services/networking/radicale.nix
@@ -140,9 +140,12 @@ in {
 
     environment.systemPackages = [ pkg ];
 
-    users.users.radicale.uid = config.ids.uids.radicale;
+    users.users.radicale = {
+      isSystemUser = true;
+      group = "radicale";
+    };
 
-    users.groups.radicale.gid = config.ids.gids.radicale;
+    users.groups.radicale = {};
 
     systemd.services.radicale = {
       description = "A Simple Calendar and Contact Server";
diff --git a/nixos/modules/services/networking/radvd.nix b/nixos/modules/services/networking/radvd.nix
index 53fac4b7b72..6e8db55bbf0 100644
--- a/nixos/modules/services/networking/radvd.nix
+++ b/nixos/modules/services/networking/radvd.nix
@@ -55,9 +55,12 @@ in
   config = mkIf cfg.enable {
 
     users.users.radvd =
-      { uid = config.ids.uids.radvd;
+      {
+        isSystemUser = true;
+        group = "radvd";
         description = "Router Advertisement Daemon User";
       };
+    users.groups.radvd = {};
 
     systemd.services.radvd =
       { description = "IPv6 Router Advertisement Daemon";
diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix
index 4470c18fd53..ef411767a94 100644
--- a/nixos/modules/services/networking/smokeping.nix
+++ b/nixos/modules/services/networking/smokeping.nix
@@ -259,7 +259,7 @@ in
       user = mkOption {
         type = types.str;
         default = "smokeping";
-        description = "User that runs smokeping and (optionally) thttpd";
+        description = "User that runs smokeping and (optionally) thttpd. A group of the same name will be created as well.";
       };
       webService = mkOption {
         type = types.bool;
@@ -285,11 +285,12 @@ in
     users.users.${cfg.user} = {
       isNormalUser = false;
       isSystemUser = true;
-      uid = config.ids.uids.smokeping;
+      group = cfg.user;
       description = "smokeping daemon user";
       home = smokepingHome;
       createHome = true;
     };
+    users.groups.${cfg.user} = {};
     systemd.services.smokeping = {
       wantedBy = [ "multi-user.target"];
       serviceConfig = {
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 225aee51605..192533e52de 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -401,9 +401,12 @@ in
   config = mkIf cfg.enable {
 
     users.users.sshd =
-      { isSystemUser = true;
+      {
+        isSystemUser = true;
+        group = "sshd";
         description = "SSH privilege separation user";
       };
+    users.groups.sshd = {};
 
     services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
     services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server";
diff --git a/nixos/modules/services/networking/tinydns.nix b/nixos/modules/services/networking/tinydns.nix
index 79507b2ebcd..2c44ad49296 100644
--- a/nixos/modules/services/networking/tinydns.nix
+++ b/nixos/modules/services/networking/tinydns.nix
@@ -32,7 +32,11 @@ with lib;
   config = mkIf config.services.tinydns.enable {
     environment.systemPackages = [ pkgs.djbdns ];
 
-    users.users.tinydns.isSystemUser = true;
+    users.users.tinydns = {
+      isSystemUser = true;
+      group = "tinydns";
+    };
+    users.groups.tinydns = {};
 
     systemd.services.tinydns = {
       description = "djbdns tinydns server";
diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix
index 37f6651ec4c..9bb0191ee46 100644
--- a/nixos/modules/services/scheduling/atd.nix
+++ b/nixos/modules/services/scheduling/atd.nix
@@ -58,7 +58,9 @@ in
     security.pam.services.atd = {};
 
     users.users.atd =
-      { uid = config.ids.uids.atd;
+      {
+        uid = config.ids.uids.atd;
+        group = "atd";
         description = "atd user";
         home = "/var/empty";
       };
diff --git a/nixos/modules/services/search/kibana.nix b/nixos/modules/services/search/kibana.nix
index 2beb265ee5d..b3093abfa5c 100644
--- a/nixos/modules/services/search/kibana.nix
+++ b/nixos/modules/services/search/kibana.nix
@@ -199,10 +199,12 @@ in {
     environment.systemPackages = [ cfg.package ];
 
     users.users.kibana = {
-      uid = config.ids.uids.kibana;
+      isSystemUser = true;
       description = "Kibana service user";
       home = cfg.dataDir;
       createHome = true;
+      group = "kibana";
     };
+    users.groups.kibana = {};
   };
 }
diff --git a/nixos/modules/services/security/hockeypuck.nix b/nixos/modules/services/security/hockeypuck.nix
index 686634c8add..2e98624bb2e 100644
--- a/nixos/modules/services/security/hockeypuck.nix
+++ b/nixos/modules/services/security/hockeypuck.nix
@@ -82,8 +82,10 @@ in {
 
     users.users.hockeypuck = {
       isSystemUser = true;
+      group = "hockeypuck";
       description = "Hockeypuck user";
     };
+    users.groups.hockeypuck = {};
 
     systemd.services.hockeypuck = {
       description = "Hockeypuck OpenPGP Key Server";
diff --git a/nixos/modules/services/torrent/magnetico.nix b/nixos/modules/services/torrent/magnetico.nix
index 7465c10e002..ada6f9b1e3a 100644
--- a/nixos/modules/services/torrent/magnetico.nix
+++ b/nixos/modules/services/torrent/magnetico.nix
@@ -172,8 +172,10 @@ in {
 
     users.users.magnetico = {
       description = "Magnetico daemons user";
+      group = "magnetico";
       isSystemUser = true;
     };
+    users.groups.magnetico = {};
 
     systemd.services.magneticod = {
       description = "Magnetico DHT crawler";
diff --git a/nixos/modules/services/torrent/peerflix.nix b/nixos/modules/services/torrent/peerflix.nix
index a74f6598432..3e5f80960dc 100644
--- a/nixos/modules/services/torrent/peerflix.nix
+++ b/nixos/modules/services/torrent/peerflix.nix
@@ -60,6 +60,10 @@ in {
       };
     };
 
-    users.users.peerflix.uid = config.ids.uids.peerflix;
+    users.users.peerflix = {
+      isSystemUser = true;
+      group = "peerflix";
+    };
+    users.groups.peerflix = {};
   };
 }
diff --git a/nixos/modules/services/web-apps/node-red.nix b/nixos/modules/services/web-apps/node-red.nix
index 4f6850ace21..400790576d6 100644
--- a/nixos/modules/services/web-apps/node-red.nix
+++ b/nixos/modules/services/web-apps/node-red.nix
@@ -114,6 +114,7 @@ in
     users.users = optionalAttrs (cfg.user == defaultUser) {
       ${defaultUser} = {
         isSystemUser = true;
+        group = defaultUser;
       };
     };
 
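Review bot: The added `group = defaultUser;` hard-codes the account's primary group, while the enclosing `optionalAttrs` only tests `cfg.user == defaultUser` and the hunk shows no matching `users.groups` entry. If the module lets the group be configured separately (not visible here), a setup that keeps the default user but changes the group would leave this account pointing at a group that nothing declares. Presumably the user should take its group from that same option, or the group should be declared under the same condition as the user. The surrounding `config` block starts and ends outside the hunk, so this needs checking against the full file.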
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 934c57f8391..6671592202f 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -1056,10 +1056,19 @@ in
 
     services.dbus.enable = true;
 
-    users.users.systemd-coredump.uid = config.ids.uids.systemd-coredump;
-    users.users.systemd-network.uid = config.ids.uids.systemd-network;
+    users.users.systemd-coredump = {
+      uid = config.ids.uids.systemd-coredump;
+      group = "systemd-coredump";
+    };
+    users.users.systemd-network = {
+      uid = config.ids.uids.systemd-network;
+      group = "systemd-network";
+    };
     users.groups.systemd-network.gid = config.ids.gids.systemd-network;
-    users.users.systemd-resolve.uid = config.ids.uids.systemd-resolve;
+    users.users.systemd-resolve = {
+      uid = config.ids.uids.systemd-resolve;
+      group = "systemd-resolve";
+    };
     users.groups.systemd-resolve.gid = config.ids.gids.systemd-resolve;
 
     # Target for ‘charon send-keys’ to hook into.
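Review bot: `users.users.systemd-coredump` now names `group = "systemd-coredump"`, but the hunk adds no `users.groups.systemd-coredump`, whereas systemd-network and systemd-resolve each have a `users.groups.*.gid` line directly below their user. Unless the group is declared somewhere outside this hunk, the coredump account ends up with a primary group that does not exist. Adding `users.groups.systemd-coredump = {};` after the user block would match what the commit does for the other services.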
diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix
index cde29f7bf59..6732e244369 100644
--- a/nixos/modules/virtualisation/lxd.nix
+++ b/nixos/modules/virtualisation/lxd.nix
@@ -158,7 +158,7 @@ in {
       };
     };
 
-    users.groups.lxd.gid = config.ids.gids.lxd;
+    users.groups.lxd = {};
 
     users.users.root = {
       subUidRanges = [ { startUid = 1000000; count = 65536; } ];
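Review bot: Replacing `users.groups.lxd.gid = config.ids.gids.lxd;` with `users.groups.lxd = {};` drops the fixed gid and leaves the declaration with no comment on what the group grants. Membership of this group is what lets a user talk to the LXD daemon, which is effectively root-equivalent on the host, so a short comment helps whoever audits group membership later: `# Members of "lxd" can control the LXD daemon; treat membership as root-equivalent.` It is also worth confirming that nothing outside this hunk still reads `config.ids.gids.lxd`.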
diff --git a/nixos/tests/unbound.nix b/nixos/tests/unbound.nix
index 58a717f98a1..576287a9fe5 100644
--- a/nixos/tests/unbound.nix
+++ b/nixos/tests/unbound.nix
@@ -145,13 +145,22 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
           # user that is permitted to access the unix socket
           someuser = {
             isSystemUser = true;
+            group = "someuser";
             extraGroups = [
               config.users.users.unbound.group
             ];
           };
 
           # user that is not permitted to access the unix socket
-          unauthorizeduser = { isSystemUser = true; };
+          unauthorizeduser = {
+            isSystemUser = true;
+            group = "unauthorizeduser";
+          };
+
+        };
+        users.groups = {
+          someuser = {};
+          unauthorizeduser = {};
         };
 
         # Used for testing configuration reloading
diff --git a/pkgs/applications/graphics/lightburn/default.nix b/pkgs/applications/graphics/lightburn/default.nix
index 5775ba2a527..c5d09f61277 100644
--- a/pkgs/applications/graphics/lightburn/default.nix
+++ b/pkgs/applications/graphics/lightburn/default.nix
@@ -6,7 +6,7 @@
 
 stdenv.mkDerivation rec {
   pname = "lightburn";
-  version = "1.0.00";
+  version = "1.0.01";
 
   nativeBuildInputs = [
     p7zip
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://github.com/LightBurnSoftware/deployment/releases/download/${version}/LightBurn-Linux64-v${version}.7z";
-    sha256 = "sha256-jNqLykVQjer2lps1gnw4fd2FH+ZQrzqQILAsl4Z5Hqk=";
+    sha256 = "sha256-UnTZcZjR8edHGflThkiu6OeWJU9x/bH/Ml/CRwWYgFU=";
   };
 
   buildInputs = [
diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix
index fdd4dbb9b1d..9f2566d07d6 100644
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@@ -155,6 +155,23 @@ buildStdenv.mkDerivation ({
       sha256 = "0qc62di5823r7ly2lxkclzj9rhg2z7ms81igz44nv0fzv3dszdab";
     })
 
+  # These fix Firefox on sway and other non-Gnome wayland WMs. They should be
+  # removed whenever the following two patches make it onto a release:
+  # 1. https://hg.mozilla.org/mozilla-central/rev/51c13987d1b8
+  # 2. https://hg.mozilla.org/integration/autoland/rev/3b856ecc00e4
+  # This will probably happen in the next point release, but let's be careful
+  # and double check whether it's working on sway on the next v bump.
+  ++ lib.optionals (lib.versionAtLeast version "92") [
+      (fetchpatch {
+        url = "https://hg.mozilla.org/integration/autoland/raw-rev/3b856ecc00e4";
+        sha256 = "sha256-d8IRJD6ELC3ZgEs1ES/gy2kTNu/ivoUkUNGMEUoq8r8=";
+      })
+      (fetchpatch {
+        url = "https://hg.mozilla.org/mozilla-central/raw-rev/51c13987d1b8";
+        sha256 = "sha256-C2jcoWLuxW0Ic+Mbh3UpEzxTKZInljqVdcuA9WjspoA=";
+      })
+  ]
+
   ++ patches;
 
 
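Review bot: The guard `lib.versionAtLeast version "92"` is open-ended, so both patches keep being applied to every later release until someone acts on the comment above it. Once upstream ships the two changesets the patch phase will most likely fail, which blocks the next version bump (often a security update) until this list is cleaned up. If the first fixed release is known, bounding the condition with `&& lib.versionOlder version "<first-release-with-fix>"` would make the removal automatic. Both `fetchpatch` calls pin a `sha256`, which is the right way to consume raw-rev URLs, and the autoland one could move to its mozilla-central revision once it merges.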
diff --git a/pkgs/applications/networking/instant-messengers/slack/default.nix b/pkgs/applications/networking/instant-messengers/slack/default.nix
index 61a859e331e..a98d7a386fb 100644
--- a/pkgs/applications/networking/instant-messengers/slack/default.nix
+++ b/pkgs/applications/networking/instant-messengers/slack/default.nix
@@ -147,6 +147,8 @@ let
     dontPatchELF = true;
 
     installPhase = ''
+      runHook preInstall
+
       # The deb file contains a setuid binary, so 'dpkg -x' doesn't work here
       dpkg --fsys-tarfile $src | tar --extract
       rm -rf usr/share/lintian
@@ -172,6 +174,8 @@ let
       substituteInPlace $out/share/applications/slack.desktop \
         --replace /usr/bin/ $out/bin/ \
         --replace /usr/share/ $out/share/
+
+      runHook postInstall
     '';
   };
 
@@ -185,9 +189,11 @@ let
     sourceRoot = "Slack.app";
 
     installPhase = ''
+      runHook preInstall
       mkdir -p $out/Applications/Slack.app
       cp -R . $out/Applications/Slack.app
       /usr/bin/defaults write com.tinyspeck.slackmacgap SlackNoAutoUpdates -bool YES
+      runHook postInstall
     '';
   };
 in
diff --git a/pkgs/build-support/fetchzip/default.nix b/pkgs/build-support/fetchzip/default.nix
index b174c252fc0..af38537737e 100644
--- a/pkgs/build-support/fetchzip/default.nix
+++ b/pkgs/build-support/fetchzip/default.nix
@@ -40,6 +40,7 @@ in {
       renamed="$TMPDIR/${tmpFilename}"
       mv "$downloadedFile" "$renamed"
       unpackFile "$renamed"
+      chmod -R +w "$unpackDir"
     ''
     + (if stripRoot then ''
       if [ $(ls "$unpackDir" | wc -l) != 1 ]; then
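Review bot: `chmod -R +w "$unpackDir"` leaves the affected permission classes to the builder's umask, because a bare `+w` applies to every class the umask does not mask out. Writing `chmod -R u+w "$unpackDir"` states the intent and cannot add group or world write bits under a permissive umask. A one-line comment such as `# some archives unpack read-only directories` would also explain why the call is there; that reason is presumed, since the surrounding shell string starts and ends outside the hunk.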
diff --git a/pkgs/development/python-modules/dpath/default.nix b/pkgs/development/python-modules/dpath/default.nix
index bfbeeaea007..c9f3d5be6d4 100644
--- a/pkgs/development/python-modules/dpath/default.nix
+++ b/pkgs/development/python-modules/dpath/default.nix
@@ -10,13 +10,13 @@
 
 buildPythonPackage rec {
   pname = "dpath";
-  version = "2.0.4";
+  version = "2.0.5";
 
   disabled = isPy27; # uses python3 imports
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0qjaa4sjw0m4b91mm18074wpkhir3xx7s87qwckmzpfb165gk837";
+    sha256 = "0kk7wl15r305496q13ka4r6n2r13j99rrrpy2b4575j704dk4x7g";
   };
 
   # use pytest as nosetests hangs
diff --git a/pkgs/development/tools/misc/arcanist/default.nix b/pkgs/development/tools/misc/arcanist/default.nix
index a5a9d724a79..94e230e6a12 100644
--- a/pkgs/development/tools/misc/arcanist/default.nix
+++ b/pkgs/development/tools/misc/arcanist/default.nix
@@ -3,6 +3,7 @@
 , flex
 , php
 , lib, stdenv
+, installShellFiles
 }:
 
 # Make a custom wrapper. If `wrapProgram` is used, arcanist thinks .arc-wrapped is being
@@ -29,7 +30,10 @@ stdenv.mkDerivation {
     rev = "2565cc7b4d1dbce6bc7a5b3c4e72ae94be4712fe";
     sha256 = "0jiv4aj4m5750dqw9r8hizjkwiyxk4cg4grkr63sllsa2dpiibxw";
   };
-  buildInputs = [ bison flex php ];
+
+  buildInputs = [ php ];
+
+  nativeBuildInputs = [ bison flex installShellFiles ];
 
   postPatch = lib.optionalString stdenv.isAarch64 ''
     substituteInPlace support/xhpast/Makefile \
@@ -37,18 +41,26 @@ stdenv.mkDerivation {
   '';
 
   buildPhase = ''
-    make cleanall -C support/xhpast
-    make xhpast -C support/xhpast
+    runHook preBuild
+    make cleanall -C support/xhpast $makeFlags "''${makeFlagsArray[@]}" -j $NIX_BUILD_CORES
+    make xhpast   -C support/xhpast $makeFlags "''${makeFlagsArray[@]}" -j $NIX_BUILD_CORES
+    runHook postBuild
   '';
 
   installPhase = ''
+    runHook preInstall
     mkdir -p $out/bin $out/libexec
-    make install -C support/xhpast
-    make cleanall -C support/xhpast
+    make install  -C support/xhpast $makeFlags "''${makeFlagsArray[@]}" -j $NIX_BUILD_CORES
+    make cleanall -C support/xhpast $makeFlags "''${makeFlagsArray[@]}" -j $NIX_BUILD_CORES
     cp -R . $out/libexec/arcanist
 
     ${makeArcWrapper "arc"}
     ${makeArcWrapper "phage"}
+
+    $out/bin/arc shell-complete --generate --
+    installShellCompletion --cmd arc --bash $out/libexec/arcanist/support/shell/rules/bash-rules.sh
+    installShellCompletion --cmd phage --bash $out/libexec/arcanist/support/shell/rules/bash-rules.sh
+    runHook postInstall
   '';
 
   doInstallCheck = true;
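Review bot: `$out/bin/arc shell-complete --generate --` executes the freshly installed program inside `installPhase`, which only works when the build machine can run host-platform binaries; `php` stays in `buildInputs`, so under cross-compilation this line would presumably fail. Wrapping the three completion lines in `lib.optionalString (stdenv.buildPlatform == stdenv.hostPlatform)` keeps native builds unchanged. The same generated `bash-rules.sh` is installed for both `arc` and `phage` although only `arc` produces it; a comment saying whether the file covers both commands would help.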
diff --git a/pkgs/misc/emulators/melonDS/default.nix b/pkgs/misc/emulators/melonDS/default.nix
index a53d2bfc339..bd3bffde54f 100644
--- a/pkgs/misc/emulators/melonDS/default.nix
+++ b/pkgs/misc/emulators/melonDS/default.nix
@@ -2,40 +2,41 @@
 , fetchFromGitHub
 , mkDerivation
 , cmake
-, pkg-config
-, SDL2
-, qtbase
+, epoxy
+, libarchive
 , libpcap
 , libslirp
-, wrapGAppsHook
+, pkg-config
+, qtbase
+, SDL2
 }:
 
 mkDerivation rec {
   pname = "melonDS";
-  version = "0.9.1";
+  version = "0.9.3";
 
   src = fetchFromGitHub {
     owner = "Arisotura";
     repo = pname;
     rev = version;
-    sha256 = "sha256-bvi0Y+zwfEcsZMNxoH85hxwIGn0UIYlg/ZaE6yJ7vlo=";
+    sha256 = "1v8a060gbpx7rdkk2w4hym361l2wip7yjjn8wny1gfsa273k3zy5";
   };
 
-  nativeBuildInputs = [ cmake pkg-config wrapGAppsHook ];
+  nativeBuildInputs = [ cmake pkg-config ];
   buildInputs = [
-    SDL2
-    qtbase
+    epoxy
+    libarchive
     libpcap
     libslirp
+    qtbase
+    SDL2
   ];
 
-  cmakeFlags = [ "-UUNIX_PORTABLE" ];
-
   meta = with lib; {
     homepage = "http://melonds.kuribo64.net/";
     description = "Work in progress Nintendo DS emulator";
     license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ artemist benley shamilton ];
+    maintainers = with maintainers; [ artemist benley shamilton xfix ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/servers/misc/navidrome/default.nix b/pkgs/servers/misc/navidrome/default.nix
index 15c424394f2..f81a2c4d9ab 100644
--- a/pkgs/servers/misc/navidrome/default.nix
+++ b/pkgs/servers/misc/navidrome/default.nix
@@ -1,20 +1,26 @@
-{ lib, stdenv, fetchurl, ffmpeg, ffmpegSupport ? true, makeWrapper, nixosTests }:
+{ lib, stdenv, pkgs, fetchurl, ffmpeg, ffmpegSupport ? true, makeWrapper, nixosTests }:
 
 with lib;
 
 stdenv.mkDerivation rec {
   pname = "navidrome";
-  version = "0.44.1";
+  version = "0.45.1";
 
-  src = fetchurl {
+
+  src = fetchurl (if pkgs.system == "x86_64-linux"
+  then {
     url = "https://github.com/deluan/navidrome/releases/download/v${version}/navidrome_${version}_Linux_x86_64.tar.gz";
-    sha256 = "sha256-2lnj6aNLPeLwxgyRUQFOQJDsOSMu9Banez8RMMQs74Y=";
-  };
+    sha256 = "sha256-TZcXq51sKoeLPmcRpv4VILDmS6dsS7lxlJzTDH0tEWM=";
+  }
+  else {
+    url = "https://github.com/deluan/navidrome/releases/download/v${version}/navidrome_${version}_Linux_arm64.tar.gz";
+    sha256 = "sha256-Va0DSmemj8hsaywoP6WKo/x+QQzSNwHCpU4VWs5lpbI=";
+  });
 
   nativeBuildInputs = [ makeWrapper ];
 
   unpackPhase = ''
-     tar xvf $src navidrome
+    tar xvf $src navidrome
   '';
 
   installPhase = ''
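Review bot: The `else` branch of `src` hands the arm64 tarball to every system that is not `x86_64-linux`, so an evaluation on any other platform (for example with unsupported systems allowed) silently fetches and wraps the wrong prebuilt binary instead of failing. Selecting the source from an attribute set keyed by system and throwing on a miss makes each url/hash pair explicit and keeps it in step with `meta.platforms` in the later hunk. `pkgs.system` also pulls the whole package set into the argument list; `stdenv.hostPlatform.system` is already reachable through `stdenv`, so the new `pkgs` argument can be dropped.

```nix
{ lib, stdenv, fetchurl, ffmpeg, ffmpegSupport ? true, makeWrapper, nixosTests }:

# … unchanged: with lib, pname, version …

  src = fetchurl (
    {
      x86_64-linux = {
        url = "https://github.com/deluan/navidrome/releases/download/v${version}/navidrome_${version}_Linux_x86_64.tar.gz";
        sha256 = "sha256-TZcXq51sKoeLPmcRpv4VILDmS6dsS7lxlJzTDH0tEWM=";
      };
      aarch64-linux = {
        url = "https://github.com/deluan/navidrome/releases/download/v${version}/navidrome_${version}_Linux_arm64.tar.gz";
        sha256 = "sha256-Va0DSmemj8hsaywoP6WKo/x+QQzSNwHCpU4VWs5lpbI=";
      };
    }.${stdenv.hostPlatform.system}
      or (throw "navidrome: unsupported system ${stdenv.hostPlatform.system}")
  );
```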
@@ -37,7 +43,7 @@ stdenv.mkDerivation rec {
     description = "Navidrome Music Server and Streamer compatible with Subsonic/Airsonic";
     homepage = "https://www.navidrome.org/";
     license = licenses.gpl3Only;
-    platforms = [ "x86_64-linux" ];
+    platforms = [ "x86_64-linux" "aarch64-linux" ];
     maintainers = with maintainers; [ aciceri ];
   };
 }