| Commit message | Author | Age |
|
EOLed by upstream in 2022-02[1].
[1] https://docs.nextcloud.com/server/23/admin_manual/release_schedule.html#older-versions
|
- changed JDK version to 17 (11+ required)
- added maven build reproducibility
|
This fixes the following issues with the database provisioning script
included in the services.keycloak module:
- It lacked permission to access the DB password file specified in the
  module option 'services.keycloak.database.passwordFile'.
- It prevented Keycloak from starting after the second time if the user
  chose MySQL for the database.
|
nixos/miniflux: no cleartext password in the store
|
path.geoip2 pointed to the nix store which is read-only. Matomo was
failing to download a geoip2 database. See #64759.
|
nixos/bookstack: Make secret replacement strings more unique
|
If a secret path is a subset of a second secret path, there's a risk
that its secret is substituted for the matching part of the second
path. To prevent this, use the sha256 of the paths as placeholder
string instead.
|
nixos/miniflux: improve docs
|
plausible: 1.4.0 -> 1.4.3
|
ChangeLog: https://github.com/plausible/analytics/blob/v1.4.3/CHANGELOG.md#unreleased
Also makes the option `services.plausible.releaseCookiePath` mandatory[1]: since Elixir
1.13 the `RELEASE_COOKIE` env-var *must* be set, otherwise the startup
fails[2]. Since we drop `$out/releases/COOKIE` in the `fixupPhase` of
`mixRelease` and Elixir seems to always attempt to generate such a
file[3], I figured it's reasonable to just make it mandatory now.
Closes #155575
[1] https://nixos.org/manual/nixos/stable/options.html#opt-services.plausible.releaseCookiePath
[2] https://github.com/elixir-lang/elixir/commit/f24eb2c1ef3cfb345e9420945c57f276148c0a89 /
https://github.com/elixir-lang/elixir/issues/11114
[3] https://hexdocs.pm/mix/Mix.Tasks.Release.html, see `:cookie`
|
users.users.*.createHome makes home only owner-readable.
This breaks nginx reading static assets from nextcloud's home,
after a nixos-rebuild that did not restart nextcloud-setup.
Closes #112639
|
nixos/dokuwiki: Minor code cleanup
|
nixos/nextcloud: Optionally disable setting HTTP response headers
|
This commit introduces a new option
`services.nextcloud.nginx.recommendedHttpHeaders` that can be used to
optionally disable serving recommended HTTP Response Headers in nginx.
This is especially useful if some headers are already configured
elsewhere to be served in nginx and thus result in duplicate headers.
Resolves #120223
|
nixos/keycloak: Use LoadCredential to load secrets + module formatting
|
Instead of referencing all library functions through `lib.` and
builtins through `builtins.` at every invocation, inherit them into
the appropriate scope.
|
Use systemd's LoadCredential mechanism to make the secret files
available to the service.
This gets rid of the privileged part of the ExecPreStart script which
only served to copy these files and assign the correct
permissions. There have been issues with this approach when used in
combination with DynamicUser, where sometimes the user isn't created
before the ExecPreStart script runs, causing the error
install: invalid user ‘keycloak’
This should fix that issue.
Unfortunately, all of the ExecPreStart script had to be moved to
ExecStart, since credentials aren't provided to ExecPreStart. See
https://github.com/systemd/systemd/issues/19604.
|
The `extraConfig` parameter only handles text - it doesn't support
arbitrary secrets and, with the way it's processed in the setup
script, it's very easy to accidentally unescape the echoed string and
run shell commands / feed garbage to bash.
To fix this, implement a new option, `config`, which instead takes a
typed attribute set, generates the `.env` file in nix and does
arbitrary secret replacement. This option is then used to provide the
configuration for all other options which change the `.env` file.
|
Use the recommended defaults and remove unnecessary configuration.
|
...and set a reasonable default `appURL` based on it.
This is pretty much required when configuring ACME, and useful in
general.
|
When upgrading bookstack, if something in the cache conflicts with the
new installation, the artisan commands might fail. To solve this, make
the cache lifetime bound to the setup service. This also removes the
`cacheDir` option, since the path is now handled automatically by
systemd.
|
keycloak: 15.1.0 -> 16.1.0 + module improvements
|
This together with extraConfig:
{
"subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true;
"subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true;
}
allows running Keycloak behind a reverse proxy that provides
X-Forwarded-* headers.
|
Custom themes can be packaged and then added using `themes` config
attribute.
|
Keycloak 16.1.0 uses a different way to configure HTTPS.
This requires us to order commands correctly, otherwise linked
objects will fail.
|
Allow update commands in the script to be ordered using `mkOrder`.
If we encounter ordered sub-objects we sort them by priority.
To implement this we now explicitly pass the current node in `recurse`,
which also allows us to clean up the edge case for the top-level node.
Also refactor `recurse` to avoid passing result text argument; we
weren't tail recursive before anyway.
|
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
|
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
Suggested-by: Aaron Andersen <aaron@fosslib.net>
|
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
|
Add user and group, as files stored are persistent and to be accessed by nginx or other web server.
|
nixos/bookstack: fix setup service
|