-rw-r--r--nixos/doc/manual/release-notes/rl-1909.xml29
-rw-r--r--nixos/modules/services/misc/gitlab.nix10
-rw-r--r--pkgs/applications/virtualization/virtualbox/default.nix3
-rw-r--r--pkgs/applications/virtualization/virtualbox/kernel-5.3-fix.patch72
-rw-r--r--pkgs/servers/dns/knot-dns/default.nix4
5 files changed, 115 insertions, 3 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 58ab7207f53..e4dcc90cdd3 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -484,6 +484,35 @@
(<literal>citrix_workspace</literal>).
</para>
</listitem>
+ <listitem>
+ <para>
+ The <literal>services.gitlab</literal> module has had its literal secret options (<option>services.gitlab.smtp.password</option>,
+ <option>services.gitlab.databasePassword</option>,
+ <option>services.gitlab.initialRootPassword</option>,
+ <option>services.gitlab.secrets.secret</option>,
+ <option>services.gitlab.secrets.db</option>,
+ <option>services.gitlab.secrets.otp</option> and
+ <option>services.gitlab.secrets.jws</option>) replaced by file-based versions (<option>services.gitlab.smtp.passwordFile</option>,
+ <option>services.gitlab.databasePasswordFile</option>,
+ <option>services.gitlab.initialRootPasswordFile</option>,
+ <option>services.gitlab.secrets.secretFile</option>,
+ <option>services.gitlab.secrets.dbFile</option>,
+ <option>services.gitlab.secrets.otpFile</option> and
+ <option>services.gitlab.secrets.jwsFile</option>). This was done so that secrets aren't stored
+ in the world-readable nix store, but means that for each option you'll have to create a file with
+ the same exact string, add "File" to the end of the option name, and change the definition to a
+ string pointing to the corresponding file; e.g. <literal>services.gitlab.databasePassword = "supersecurepassword"</literal>
+ becomes <literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal> where the
+ file <literal>secret_file</literal> contains the string <literal>supersecurepassword</literal>.
+ </para>
+ <para>
+ The state path (<option>services.gitlab.statePath</option>) now has the following restriction:
+ no parent directory can be owned by any other user than <literal>root</literal> or the user
+ specified in <option>services.gitlab.user</option>; i.e. if <option>services.gitlab.statePath</option>
+ is set to <literal>/var/lib/gitlab/state</literal>, <literal>gitlab</literal> and all parent directories
+ must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>.
+ </para>
+ </listitem>
</itemizedlist>
</section>
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 1e1eb0fd9a1..4c1ffead00c 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -223,7 +223,15 @@ in {
statePath = mkOption {
type = types.str;
default = "/var/gitlab/state";
- description = "Gitlab state directory, logs are stored here.";
+ description = ''
+ Gitlab state directory. Configuration, repositories and
+ logs, among other things, are stored here.
+
+ The directory will be created automatically if it doesn't
+ exist already. Its parent directories must be owned by
+ either <literal>root</literal> or the user set in
+ <option>services.gitlab.user</option>.
+ '';
};
backupPath = mkOption {
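Review bot: The new description states the ownership requirement on the parent directories of `statePath` but says neither what happens when it is violated nor why it exists. If the module enforces it (the release note calls it a restriction, which suggests an assertion or activation-time check), the description should say so and give the reason, presumably that a parent directory controlled by another user would let that user interpose on the state tree; e.g. append `Activation fails if a parent directory is owned by any other user.`, adjusted to whatever the check actually does. The enclosing `services.gitlab` option set continues outside the hunk.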
diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix
index ac52b83e43d..633f047be5a 100644
--- a/pkgs/applications/virtualization/virtualbox/default.nix
+++ b/pkgs/applications/virtualization/virtualbox/default.nix
@@ -92,6 +92,9 @@ in stdenv.mkDerivation {
})
++ [
./qtx11extras.patch
+ # Kernel 5.3 fix, should be fixed with VirtualBox 6.0.14
+ # https://www.virtualbox.org/ticket/18911
+ ./kernel-5.3-fix.patch
];
postPatch = ''
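Review bot: The comment above `./kernel-5.3-fix.patch` cites the ticket but not where the patch text comes from, so the next maintainer cannot tell whether it is a backport of upstream changesets (to be dropped when the 6.0.14 bump lands) or a local rewrite that needs re-review. If it is taken from upstream, name the revision(s), e.g. `# Backported from upstream <changeset ids>; drop when upgrading to 6.0.14`; if it is local, say so. The code it patches is host kernel-module code, so provenance matters more here than for a userland patch.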
diff --git a/pkgs/applications/virtualization/virtualbox/kernel-5.3-fix.patch b/pkgs/applications/virtualization/virtualbox/kernel-5.3-fix.patch
new file mode 100644
index 00000000000..ba9c7c941db
--- /dev/null
+++ b/pkgs/applications/virtualization/virtualbox/kernel-5.3-fix.patch
@@ -0,0 +1,72 @@
+--- a/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c
++++ b/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c
+@@ -2123,7 +2123,9 @@
+ #endif
+ if (in_dev != NULL)
+ {
+- for_ifa(in_dev) {
++ struct in_ifaddr *ifa;
++
++ for (ifa = in_dev->ifa_list; ifa; ifa = ifa->ifa_next) {
+ if (VBOX_IPV4_IS_LOOPBACK(ifa->ifa_address))
+ return NOTIFY_OK;
+
+@@ -2137,7 +2139,7 @@
+
+ pThis->pSwitchPort->pfnNotifyHostAddress(pThis->pSwitchPort,
+ /* :fAdded */ true, kIntNetAddrType_IPv4, &ifa->ifa_address);
+- } endfor_ifa(in_dev);
++ }
+ }
+
+ /*
+--- a/src/VBox/Runtime/r0drv/linux/mp-r0drv-linux.c
++++ a/src/VBox/Runtime/r0drv/linux/mp-r0drv-linux.c
+@@ -283,12 +283,15 @@
+ if (RTCpuSetCount(&OnlineSet) > 1)
+ {
+ /* Fire the function on all other CPUs without waiting for completion. */
+-# if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
++# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
++ smp_call_function(rtmpLinuxAllWrapper, &Args, 0 /* wait */);
++# elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
+ int rc = smp_call_function(rtmpLinuxAllWrapper, &Args, 0 /* wait */);
++ Assert(!rc); NOREF(rc);
+ # else
+ int rc = smp_call_function(rtmpLinuxAllWrapper, &Args, 0 /* retry */, 0 /* wait */);
+-# endif
+ Assert(!rc); NOREF(rc);
++# endif
+ }
+ #endif
+
+@@ -326,7 +329,6 @@
+ {
+ #ifdef CONFIG_SMP
+ IPRT_LINUX_SAVE_EFL_AC();
+- int rc;
+ RTMPARGS Args;
+
+ RTTHREADPREEMPTSTATE PreemptState = RTTHREADPREEMPTSTATE_INITIALIZER;
+@@ -337,14 +339,17 @@
+ Args.cHits = 0;
+
+ RTThreadPreemptDisable(&PreemptState);
+-# if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
+- rc = smp_call_function(rtmpLinuxWrapper, &Args, 1 /* wait */);
++# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
++ smp_call_function(rtmpLinuxWrapper, &Args, 1 /* wait */);
++# elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
++ int rc = smp_call_function(rtmpLinuxWrapper, &Args, 1 /* wait */);
++ Assert(rc == 0); NOREF(rc);
+ # else /* older kernels */
+- rc = smp_call_function(rtmpLinuxWrapper, &Args, 0 /* retry */, 1 /* wait */);
++ int rc = smp_call_function(rtmpLinuxWrapper, &Args, 0 /* retry */, 1 /* wait */);
++ Assert(rc == 0); NOREF(rc);
+ # endif /* older kernels */
+ RTThreadPreemptRestore(&PreemptState);
+
+- Assert(rc == 0); NOREF(rc);
+ IPRT_LINUX_RESTORE_EFL_AC();
+ #else
+ RT_NOREF(pfnWorker, pvUser1, pvUser2);
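Review bot: The second file header inside the new patch, `+++ a/src/VBox/Runtime/r0drv/linux/mp-r0drv-linux.c`, uses the `a/` prefix on the new-file side where `b/` is expected; nixpkgs applies patches with `patch -p1`, which strips one component and so tolerates it, but `git apply` and tooling that validates the header pair will not, so the line should read `+++ b/src/VBox/Runtime/r0drv/linux/mp-r0drv-linux.c`. In the first hunk the `for_ifa`/`endfor_ifa` replacement walks `in_dev->ifa_list` with plain pointer loads; upstream 5.3 put RCU annotations on those fields, so whether the surrounding notifier runs with RTNL held (making the plain walk legitimate) should be confirmed and recorded in a comment above the loop, e.g. `/* ifa_list walk: caller holds RTNL — confirm */`. The enclosing functions of all three hunks start and end outside the quoted patch.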
diff --git a/pkgs/servers/dns/knot-dns/default.nix b/pkgs/servers/dns/knot-dns/default.nix
index 8191bf5acbf..ad1bb26a54d 100644
--- a/pkgs/servers/dns/knot-dns/default.nix
+++ b/pkgs/servers/dns/knot-dns/default.nix
@@ -7,11 +7,11 @@ let inherit (stdenv.lib) optional optionals; in
# Note: ATM only the libraries have been tested in nixpkgs.
stdenv.mkDerivation rec {
pname = "knot-dns";
- version = "2.8.3";
+ version = "2.8.4";
src = fetchurl {
url = "https://secure.nic.cz/files/knot-dns/knot-${version}.tar.xz";
- sha256 = "8a62d81e5cf3df938f469b60ed4e46d9161007c2b89fbf7ae07525fa68368bad";
+ sha256 = "541e7e43503765c91405c5797b3838103bb656154712e69b3f959c6ab0e700a9";
};
outputs = [ "bin" "out" "dev" ];