A secret key generated by the nixos module was misspelled, which could
possibly impact the security of session cookies.
To recover from this situation we will wipe all security keys that were
previously generated by the NixOS module, when the misspelled one is
found. This will result in all session cookies being invalidated. This
is confirmed by the wordpress documentation:
> You can change these at any point in time to invalidate all existing
> cookies. This does mean that all users will have to login again.
https://wordpress.org/support/article/editing-wp-config-php/#security-keys
Meanwhile this issue shouldn't be too grave, since the salting function
of wordpress will rely on the concatenation of both the user-provided
and automatically generated values, that are stored in the database.
> Secret keys are located in two places: in the database and in the
> wp-config.php file. The secret key in the database is randomly
> generated and will be appended to the secret keys in wp-config.php.
https://developer.wordpress.org/reference/functions/wp_salt/
Fixes: 2adb03fdae ("nixos/wordpress:
generate secrets locally")
Reported-by: Moritz Hedtke <Moritz.Hedtke@t-online.de>
(cherry picked from commit 724ed08df02546fea2ab38613d615dd47461528c)
Assert that the PostgreSQL version being deployed is the one used
upstream. Allow the user to override this assertion, since it's not
always possible or preferable to use the recommended one.
(cherry picked from commit 544adbfcab2e92c2fe5774cae67f2edf165eb97e)
As per `man systemd.path`:
> When a service unit triggered by a path unit terminates
> (regardless whether it exited successfully or failed),
> monitored paths are checked immediately again,
> **and the service accordingly restarted instantly**.
Thus the existence of the path unit made it impossible to stop the
wireguard service using e.g.
systemctl stop wireguard-wg0.service
Systemd path units are not intended for program inputs such
as private key files.
This commit simply removes this usage; the private key is still
generated by the `generateKeyServiceUnit`.
(cherry picked from commit d344dccf3dc592242f11ef993acb9ecee8d84796)
Note that it made into 2 entries, one about new options in the first section.
Another in the breaking compatibility section due to the openFirewall option
which changes the behavior.
Co-authored-by: schmittlauch <t.schmittlauch+nixos@orlives.de>
(cherry picked from commit 93a80a4390499b4204cf6836bcc6cab5debecccb)
The tests timeout on AArch64 (e.g. [0] and [1]), likely because the QEMU
option "-vga virtio" isn't supported there (unfortunately I currently
lack access to an AArch64 system with NixOS to investigate).
This also affects the test for Cage but that one is already limited to
x86_64-linux.
[0]: https://hydra.nixos.org/build/144148809
[1]: https://hydra.nixos.org/build/144103034
(cherry picked from commit abb9ea73f7b2bd8d0862be47a0a1010d7644136b)
* The options tlsKey and tlsCert require being accessible by DynamicUser at runtime, which currently requires copying the files into the matrix service state directory. Fixing this might require breaking changes. Thus the module should not be included in a stable release.
nixos/filesystems: condition mount-pstore.service on unmounted /sys/fs/pstore
(cherry picked from commit d7555732bc8bb8a2acb50fd4ecba96c825b4f21e)
Reason: activation throws an error from failing to start the unit
Enforce UMask on the systemd unit to restrict the permissions of files
created. Especially the homeserver signing key should not be world
readable, and media is served through synapse itself, so no other user
needs access to these files.
Use a prestart chmod to fixup the permissions on the signing key.
In newer versions of Nix (at least on 2.4pre20201102_550e11f) the
`extra-` prefix for config options received a special meaning and the
option `extra-sandbox-paths` isn't recognized anymore. This commit fixes
it.
It doesn't cause a behavior change when using older versions of Nix but
does cause an extra newline to appear in the config, thus changing the
hash.
Martin Weinelt
talyz
Dominik Xaver Hörl
Niklas Hambüchen
Ivan Kozik
Antoine R. Dumont (@ardumont)
Michael Weiss
Michael Lingelbach
Sandro
Maximilian Bosch
Tom Fitzhenry
regnat
Guillaume Girol
Jonathan Ringer
Ryan Mulligan
Martin Weinelt
Jan Tojnar
Maciej Krüger
Kira Bruneau
Domen Kožar
github-actions[bot]
sohalt
Vika
lassulus
Jacek Galowicz