Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
nixos/fwupd: Fix configuration file merging
|
|
|
|
|
|
|
|
Replace sleep statements with wait_until_succeeds
|
|
|
|
nixos/coturn: refactor secret injection
|
|
sget: init at unstable-2022-10-04
|
|
nixos/privacyidea: add proper support for `privacyidea-token-janitor`
|
|
The original implementation had a few issues:
* The secret was briefly leaked since it is part of the cmdline for
`sed(1)` and on Linux `cmdline` is world-readable.
* If the secret contained either a `,` or a `"`, it would mess with
the `sed(1)` expression itself unless you apply messy escape hacks.
To circumvent all of that, I decided to use `replace-secret` which
allows you to replace a string inside a file (in this case
`#static-auth-secret#`) with the contents of a file, i.e.
`cfg.static-auth-secret-file` without any of these issues.
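As an added illustration of the two problems this commit message names (not code from the nixpkgs coturn module, and not the real `replace-secret` tool), here is a stand-in helper that reads the secret from a file inside `awk` itself, so the secret never appears in any process's argv (and thus never in world-readable `/proc/<pid>/cmdline`), and inserts it by literal substring replacement, so a `,`, `"`, `&`, `/` or `\` in the secret cannot corrupt the expression the way it would in `sed -e "s,#placeholder#,$secret,"`. The placeholder name and file layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the nixpkgs coturn module or the real
# `replace-secret` tool. It does what the commit message describes:
# the secret is read from a file by awk, so only the placeholder and two
# paths ever appear on a command line, and the placeholder is replaced by
# literal substring matching, so no character in the secret is special.

# inject_secret PLACEHOLDER SECRET_FILE TARGET_FILE
# Rewrites TARGET_FILE in place, replacing every occurrence of PLACEHOLDER
# with the first line of SECRET_FILE. Note that `awk -v` expands backslash
# escapes in its arguments, so PLACEHOLDER and the paths must not contain
# backslashes; the secret itself is never passed through -v, so it may.
inject_secret() {
    placeholder=$1
    secret_file=$2
    target=$3
    awk -v ph="$placeholder" -v sf="$secret_file" '
        BEGIN {
            if ((getline s < sf) <= 0) exit 2   # unreadable or empty secret file
            close(sf)
        }
        {
            line = $0
            out = ""
            # index/substr do plain substring replacement: no regex, no & or \1
            while ((i = index(line, ph)) > 0) {
                out = out substr(line, 1, i - 1) s
                line = substr(line, i + length(ph))
            }
            print out line
        }' "$target" > "$target.tmp" || { rm -f "$target.tmp"; return 1; }
    mv "$target.tmp" "$target"
}

# demo: constructed turnserver.conf template and a constructed secret that
# contains every character which breaks the sed approach; prints the result.
demo() {
    d=$(mktemp -d) || return 1
    printf 'secret,with"quotes&and\\backslash\n' > "$d/static-auth-secret"
    printf 'listening-port=3478\nstatic-auth-secret=#static-auth-secret#\n' > "$d/turnserver.conf"
    inject_secret '#static-auth-secret#' "$d/static-auth-secret" "$d/turnserver.conf" || return 1
    cat "$d/turnserver.conf"
    rm -rf "$d"
}

demo
```

The check a practitioner would run against the old approach is `cat /proc/<pid>/cmdline | tr '\0' ' '` from an unprivileged user while the `sed` is executing: with the secret interpolated into the `-e` argument it is visible verbatim; with the helper above only `#static-auth-secret#` and file paths show up.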
|
|
nixosTests.paperless: check if /metadata/ can be accessed
|
|
ActionCable is used to provide realtime updates in a few places,
mainly the issue sidebar.
|
|
|
|
|
|
|
|
This gives us slightly higher security as you have to be in the gitlab
group to connect, and possibly a (very small) performance benefit as
well.
|
|
Needed for the gitlab:cleanup:orphan_job_artifact_files rake task.
|
|
|
|
|
|
...and escape quotation marks and backslashes.
|
|
Fixes #157157.
|
|
This binary was provided by the `cosign` package until now but it is in
the process of being removed, see https://github.com/sigstore/cosign/pull/2019
Since it might be removed during the 22.11 cycle we drop it
preventively. This will make possible security backports easier if we
need them.
|
|
|
|
nixos/tests/systemd-oomd: fix and follow upstream tests
|
|
test currently failing due to OOM
|
|
This commit fixes two bugs:
1) When starting a github-runner for the very first time, the
unconfigure script did not copy the `tokenFile` to the state
directory. This case just was not handled so far. As a result, the
runner could not configure. The unit did, however, fail even before
as the state token file is configured as inaccessible for the service
through `InaccessiblePaths=`. As the given path did not exist in the
described case, setting up the unit's namespacing failed.
2) Similarly, the `tokenFile` is also marked as not accessible to the
service user. There are, however, cases where other namespacing
options make the files inaccessible even before `InaccessiblePaths=`
kicks in; thus, they appear as non existing and cause the namespacing
to fail yet again. Prefixing the entry with a `-` causes Systemd to
ignore the entry if it cannot find it. This is the behavior we want.
I also took fixing those bugs as a chance to refactor the unconfigure
script to make it easier to follow.
|
|
|
|
nixos/doc: fix acme dns-01 example
|
|
nixos.fwupd: add remote list option
|
|
|
|
Lego has a built-in mechanism for sleeping for a random amount
of time before renewing a certificate. In our environment this
is not only unnecessary (as our systemd timer takes care of it)
but also unwanted since it slows down the execution of the
systemd service encompassing it, thus also slowing down the
start-up of any services depending on it.
Also added FixedRandomDelay to the timer for more predictability.
|
|
Fixes #190493
Check if an actual key file exists. This does not
completely cover the work accountHash does to ensure
that a new account is registered when account-related
options are changed.
|
|
Fixes #191794
Lego threw a permission denied error binding to port 80.
AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
Also added a test for this.
|
|
|
|
syncstorage-rs sets this header starting with 0.12.3.
|
|
syncstorage-rs does not listen on ::1 unless explicitly configured.
|
|
The 0.12.1 update introduced a static thread pool for verifying OAuth
tokens. Set a reasonable default for self-hosted setups (10 threads).
|
|
|
|
`privacyidea-token-janitor`[1] is a tool which helps to automate
maintenance of tokens. This is helpful to identify e.g. orphaned tokens,
i.e. tokens of users that were removed or tokens that were unused for a
longer period of time, and to apply actions to them (e.g. `disable` or
`delete`).
This patch adds two new things:
* A wrapper for `privacyidea-token-janitor` to make sure it's executable
from CLI. To achieve this, it does a `sudo(8)` into the
`privacyidea`-user and sets up the environment to make sure the
configuration file can be found. With that, administrators can
directly invoke it from the CLI without additional steps.
* An optional service is added which performs automatic cleanups of
orphaned and/or unassigned tokens. Yes, the tool can do way more
stuff, but I figured it's reasonable to have an automatic way to clean
up tokens of users who were removed from the PI instance. Additional
automation steps should probably be implemented in additional
services (and are perhaps too custom to add them to this module).
[1] https://privacyidea.readthedocs.io/en/v3.7/workflows_and_tools/tools/index.html
|
|
dendrite: 0.9.9 -> 0.10.1
|
|
The current test triggers the kernel OOM killer and doesn't work well.
|
|
jitsi-videobridge: fix link in docs
|
|
Dropped the roletester since it doesn't exist anymore
Co-authored-by: Anders Kaseorg <andersk@mit.edu>
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
|
|
* nixos/tmate-ssh-server: init module
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
|
|
|
|
nixos/systemd-stage-1: include modprobe config in initrd
|