author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2022-10-29 12:01:19 +0000 |
committer | GitHub <noreply@github.com> | 2022-10-29 12:01:19 +0000 |
commit | 18b25cbb99caf0528af12d41479fc68a56def472 (patch) | |
tree | a4dad4e12e3c94230eaf0fa6f3b04008180efa82 /nixos | |
parent | 44c2105bdae26fa7d2f1a8642fe3b8a25e2390fb (diff) | |
parent | e9e2dd56ab7d0fbf258ea3fa43f8eff081383eb7 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2211.section.xml | 12 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2211.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/security/acme/default.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/logging/journalwatch.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/matrix/appservice-discord.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/matrix/mautrix-telegram.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/geoipupdate.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/mx-puppet-discord.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/rmfakecloud.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/parsedmarc.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/ttys/getty.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/bookstack.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/discourse.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/keycloak.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/snipe-it.nix | 2 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/zfs.nix | 13 |
16 files changed, 44 insertions, 17 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 5de4080e5c2..f6cf4b50c3b 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -876,6 +876,18 @@ </listitem> <listitem> <para> + ZFS module will not allow hibernation by default, this is a + safety measure to prevent data loss cases like the ones + described at + <link xlink:href="https://github.com/openzfs/zfs/issues/260">OpenZFS/260</link> + and + <link xlink:href="https://github.com/openzfs/zfs/issues/12842">OpenZFS/12842</link>. + Use the <literal>boot.zfs.allowHibernation</literal> option to + configure this behaviour. + </para> + </listitem> + <listitem> + <para> The Redis module now disables RDB persistence when <literal>services.redis.servers.<name>.save = []</literal> instead of using the Redis default. diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 374d7bd83fa..8f2430fb34b 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md 
@@ -273,6 +273,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`. +- ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). Use the `boot.zfs.allowHibernation` option to configure this behaviour. + - The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default. - Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance. diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix index 1c4a88954b6..4e163901b08 100644 --- a/nixos/modules/security/acme/default.nix +++ b/nixos/modules/security/acme/default.nix @@ -26,8 +26,8 @@ let Type = "oneshot"; User = user; Group = mkDefault "acme"; - UMask = 0022; - StateDirectoryMode = 750; + UMask = "0022"; + StateDirectoryMode = "750"; ProtectSystem = "strict"; ReadWritePaths = [ "/var/lib/acme" @@ -85,7 +85,7 @@ let serviceConfig = commonServiceConfig // { StateDirectory = "acme/.minica"; BindPaths = "/var/lib/acme/.minica:/tmp/ca"; - UMask = 0077; + UMask = "0077"; }; # Working directory will be /tmp @@ -243,7 +243,7 @@ let serviceConfig = commonServiceConfig // { Group = data.group; - UMask = 0027; + UMask = "0027"; StateDirectory = "acme/${cert}"; diff --git a/nixos/modules/services/logging/journalwatch.nix b/nixos/modules/services/logging/journalwatch.nix index a315da3ea0e..55e2d600ee4 100644 --- a/nixos/modules/services/logging/journalwatch.nix +++ b/nixos/modules/services/logging/journalwatch.nix 
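Review bot: The switch to `UMask = "0022"` and `StateDirectoryMode = "750"` is right, but nothing in the hunk records why the integer form was a hazard, so a later edit may well revert to the shorter integer spelling. Nix has no octal literals: `0022` was the decimal integer 22, and it only produced the intended mask because `toString` renders it as `22` and systemd reads `UMask=` and the `*DirectoryMode=` settings in octal, where the dropped leading zeros are insignificant. Consider a short comment at the first occurrence in `commonServiceConfig`, e.g. `# systemd parses these in octal; keep them as strings so the leading zero is literal, not a Nix decimal literal`. The same remark applies to the other quoting hunks in this commit (journalwatch, appservice-discord, mautrix-telegram, geoipupdate, mx-puppet-discord, rmfakecloud, parsedmarc, bookstack, discourse, keycloak, snipe-it). The enclosing `let` bindings begin and end outside the hunk.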
@@ -239,7 +239,7 @@ in { Type = "oneshot"; # requires a relative directory name to create beneath /var/lib StateDirectory = user; - StateDirectoryMode = 0750; + StateDirectoryMode = "0750"; ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail"; # lowest CPU and IO priority, but both still in best-effort class to prevent starvation Nice=19; diff --git a/nixos/modules/services/matrix/appservice-discord.nix b/nixos/modules/services/matrix/appservice-discord.nix index 89b4bc98f49..15f0f0cc0cd 100644 --- a/nixos/modules/services/matrix/appservice-discord.nix +++ b/nixos/modules/services/matrix/appservice-discord.nix @@ -137,7 +137,7 @@ in { PrivateTmp = true; WorkingDirectory = appDir; StateDirectory = baseNameOf dataDir; - UMask = 0027; + UMask = "0027"; EnvironmentFile = cfg.environmentFile; ExecStart = '' diff --git a/nixos/modules/services/matrix/mautrix-telegram.nix b/nixos/modules/services/matrix/mautrix-telegram.nix index be220e05a52..8dda365a791 100644 --- a/nixos/modules/services/matrix/mautrix-telegram.nix +++ b/nixos/modules/services/matrix/mautrix-telegram.nix @@ -162,7 +162,7 @@ in { PrivateTmp = true; WorkingDirectory = pkgs.mautrix-telegram; # necessary for the database migration scripts to be found StateDirectory = baseNameOf dataDir; - UMask = 0027; + UMask = "0027"; EnvironmentFile = cfg.environmentFile; ExecStart = '' diff --git a/nixos/modules/services/misc/geoipupdate.nix b/nixos/modules/services/misc/geoipupdate.nix index ad80d489243..27c1157e9a8 100644 --- a/nixos/modules/services/misc/geoipupdate.nix +++ b/nixos/modules/services/misc/geoipupdate.nix @@ -183,7 +183,7 @@ in DynamicUser = true; ReadWritePaths = cfg.settings.DatabaseDirectory; RuntimeDirectory = "geoipupdate"; - RuntimeDirectoryMode = 0700; + RuntimeDirectoryMode = "0700"; CapabilityBoundingSet = ""; PrivateDevices = true; PrivateMounts = true; 
diff --git a/nixos/modules/services/misc/mx-puppet-discord.nix b/nixos/modules/services/misc/mx-puppet-discord.nix index 33a6c8f26a9..36c9f8b122e 100644 --- a/nixos/modules/services/misc/mx-puppet-discord.nix +++ b/nixos/modules/services/misc/mx-puppet-discord.nix @@ -107,7 +107,7 @@ in { PrivateTmp = true; WorkingDirectory = pkgs.mx-puppet-discord; StateDirectory = baseNameOf dataDir; - UMask = 0027; + UMask = "0027"; ExecStart = '' ${pkgs.mx-puppet-discord}/bin/mx-puppet-discord \ diff --git a/nixos/modules/services/misc/rmfakecloud.nix b/nixos/modules/services/misc/rmfakecloud.nix index 25857c173b6..1cdfdeceabc 100644 --- a/nixos/modules/services/misc/rmfakecloud.nix +++ b/nixos/modules/services/misc/rmfakecloud.nix @@ -138,7 +138,7 @@ in { SystemCallArchitectures = "native"; WorkingDirectory = serviceDataDir; StateDirectory = baseNameOf serviceDataDir; - UMask = 0027; + UMask = "0027"; }; }; }; diff --git a/nixos/modules/services/monitoring/parsedmarc.nix b/nixos/modules/services/monitoring/parsedmarc.nix index 7618414d904..3540d91fc9f 100644 --- a/nixos/modules/services/monitoring/parsedmarc.nix +++ b/nixos/modules/services/monitoring/parsedmarc.nix @@ -494,7 +494,7 @@ in Group = "parsedmarc"; DynamicUser = true; RuntimeDirectory = "parsedmarc"; - RuntimeDirectoryMode = 0700; + RuntimeDirectoryMode = "0700"; CapabilityBoundingSet = ""; PrivateDevices = true; PrivateMounts = true; diff --git a/nixos/modules/services/ttys/getty.nix b/nixos/modules/services/ttys/getty.nix index aec65903cec..22ae9c27e5b 100644 --- a/nixos/modules/services/ttys/getty.nix +++ b/nixos/modules/services/ttys/getty.nix @@ -146,7 +146,7 @@ in enable = mkDefault config.boot.isContainer; }; - environment.etc.issue = + environment.etc.issue = mkDefault { # Friendly greeting on the virtual consoles. source = pkgs.writeText "issue" '' diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index 3fbccf54008..eeef7772776 100644 
--- a/nixos/modules/services/web-apps/bookstack.nix
+++ b/nixos/modules/services/web-apps/bookstack.nix
@@ -372,7 +372,7 @@ in {
 User = user;
 WorkingDirectory = "${bookstack}";
 RuntimeDirectory = "bookstack/cache";
- RuntimeDirectoryMode = 0700;
+ RuntimeDirectoryMode = "0700";
 };
 path = [ pkgs.replace-secret ];
 script =
diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix
index 66b22ec87db..9ad451f31f7 100644
--- a/nixos/modules/services/web-apps/discourse.nix
+++ b/nixos/modules/services/web-apps/discourse.nix
@@ -798,13 +798,13 @@ in
 "public"
 "sockets"
 ];
- RuntimeDirectoryMode = 0750;
+ RuntimeDirectoryMode = "0750";
 StateDirectory = map (p: "discourse/" + p) [
 "uploads"
 "backups"
 "tmp"
 ];
- StateDirectoryMode = 0750;
+ StateDirectoryMode = "0750";
 LogsDirectory = "discourse";
 TimeoutSec = "infinity";
 Restart = "on-failure";
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index da53d4ea76f..521cf778a36 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -616,7 +616,7 @@ in
 Group = "keycloak";
 DynamicUser = true;
 RuntimeDirectory = "keycloak";
- RuntimeDirectoryMode = 0700;
+ RuntimeDirectoryMode = "0700";
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
 };
 script = ''
diff --git a/nixos/modules/services/web-apps/snipe-it.nix b/nixos/modules/services/web-apps/snipe-it.nix
index 802d67cdb8e..e0d2eb8c6ab 100644
--- a/nixos/modules/services/web-apps/snipe-it.nix
+++ b/nixos/modules/services/web-apps/snipe-it.nix
@@ -394,7 +394,7 @@ in {
 User = user;
 WorkingDirectory = snipe-it;
 RuntimeDirectory = "snipe-it/cache";
- RuntimeDirectoryMode = 0700;
+ RuntimeDirectoryMode = "0700";
 };
 path = [ pkgs.replace-secret ];
 script =
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index 96222f3b4f6..4b4f4cc801a 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -226,6 +226,15 @@ in ''; }; + allowHibernation = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Allow hibernation support, this may be a unsafe option depending on your + setup. Make sure to NOT use Swap on ZFS. + ''; + }; + extraPools = mkOption { type = types.listOf types.str; default = []; @@ -498,6 +507,10 @@ in boot = { kernelModules = [ "zfs" ]; + # https://github.com/openzfs/zfs/issues/260 + # https://github.com/openzfs/zfs/issues/12842 + # https://github.com/NixOS/nixpkgs/issues/106093 + kernelParams = lib.optionals (!config.boot.zfs.allowHibernation) [ "nohibernate" ]; extraModulePackages = [ (if config.boot.zfs.enableUnstable then |
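Review bot: The `description` of the new `allowHibernation` option tells the reader what not to do but not what the default actually does, and it has a typo (`a unsafe`). Since the second hunk adds `nohibernate` to `kernelParams` whenever the option is false, the description should say so: `Allow hibernation support. When false (the default) the nohibernate kernel parameter is set, because hibernating with ZFS can lead to the data loss cases referenced in the release notes (OpenZFS/260, OpenZFS/12842). Enabling this is unsafe on some setups; in particular, do not use swap on ZFS.` A one-line comment next to the issue links on the `kernelParams` line would also help a reader who lands there first, e.g. `# Hibernation stays disabled unless the user opts in via boot.zfs.allowHibernation`. The `options` set enclosing the first hunk and the `boot` set enclosing the second both extend beyond the hunk boundaries.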