AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

remove old patches

Browse Source
This commit is contained in:
Dmitriy Kholkin 2025-02-12 21:56:01 +03:00
parent 14a0a355ed
commit 7422e7a335
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
7 changed files with 1 additions and 766 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
flake.nix
View File

@ -175,14 +175,11 @@
shared-patches = patchesPath [ ];
unstable-patches = shared-patches ++ patchesPath [
"366250.patch"
# "netbird-24.11.patch"
"onlyoffice.patch"
# "zen-kernels.patch"
];
stable-patches = shared-patches ++ patchesPath [
# "netbird-24.05.patch"
];
stable-patches = shared-patches ++ patchesPath [];
in {
customModules = builtins.listToAttrs (findModules ./modules);
customProfiles = builtins.listToAttrs (findModules ./profiles);

61
patches/353833.patch
View File

@ -1,61 +0,0 @@
From bdfa0f011297b749d18954e76c8eb36309e3808d Mon Sep 17 00:00:00 2001
From: benaryorg <binary@benary.org>
Date: Tue, 5 Nov 2024 13:22:10 +0000
Subject: [PATCH] python3Packages.pywebview: build fix for tests
Fixes #353686
Basically the *tests/run.sh* used upstream has a few rough edges and this replaces it with a smoother version.
An issue was also opened on the upstream project to maybe get this smoothed out generally.
Story time for those who are curious.
Basically upstream uses this as a script to call for the CI pipeline where [the builds seem to run smoothly in appveyor](https://ci.appveyor.com/project/r0x0r/pywebview/builds/50791017).
However the general structure of the script iterates over the files, which in earlier versions had been done by collecting the list of tests via pytest itself, which replaced the earliest implementation which was a file hard-coding all the tests to run.
The latter had the benefit of being able to disable tests by commenting them out on our end, however the new version, at least for our purpose, is just a more complicated version of running pytest against the entire thing.
We can't just use plain pytest however (which'd presumably be supported by nixpkgs infra already) because we still need to shove the Qt and xvfb-run shims in between.
So with running pytest as a single command we are now (with this commit) able to specifically disable tests that we know to be flakey using regular pytest means.
With the Qt wrapper function passing extra args to *makeWrapper* we can use the extra flags to pass everything we need, and with the env invocation we avoid polluting the build environment so that the *checkPhase* itself doesn't change the output.
Now on to the actual failing tests, apparently those happened to be related to relative paths which use an internal HTTP server to be served (for absolute paths this is optional), and getting rid of the cwd shenanigans which were required by the upstream version of the script (since it globbed on the current directory) means that somehow pytest now runs these tests without changing directory in a subprocess so the asset used for testing is properly accessible (before this change one could "fix" the tests by changing to an absolute path in the tests).
Signed-off-by: benaryorg <binary@benary.org>
---
.../python-modules/pywebview/default.nix | 24 ++++++++-----------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/pkgs/development/python-modules/pywebview/default.nix b/pkgs/development/python-modules/pywebview/default.nix
index 96b1213ca5140..6346c96c62fcc 100644
--- a/pkgs/development/python-modules/pywebview/default.nix
+++ b/pkgs/development/python-modules/pywebview/default.nix
@@ -50,21 +50,17 @@ buildPythonPackage rec {
];
checkPhase = ''
- # Cannot create directory /homeless-shelter/.... Error: FILE_ERROR_ACCESS_DENIED
- export HOME=$TMPDIR
- # QStandardPaths: XDG_RUNTIME_DIR not set
- export XDG_RUNTIME_DIR=$HOME/xdg-runtime-dir
+ # a Qt wrapper is required to run the Qt backend
+ # since the upstream script does not have a way to disable tests individually pytest is used directly instead
+ makeQtWrapper "$(command -v pytest)" tests/run.sh \
+ --set PYWEBVIEW_LOG debug \
+ --add-flags "--deselect tests/test_js_api.py::test_concurrent"
- pushd tests
- substituteInPlace run.sh \
- --replace "PYTHONPATH=.." "PYTHONPATH=$PYTHONPATH" \
- --replace "pywebviewtest test_js_api.py::test_concurrent ''${PYTEST_OPTIONS}" "# skip flaky test_js_api.py::test_concurrent"
-
- patchShebangs run.sh
- wrapQtApp run.sh
-
- xvfb-run -s '-screen 0 800x600x24' ./run.sh
- popd
+ # HOME and XDG directories are required for the tests
+ env \
+ HOME=$TMPDIR \
+ XDG_RUNTIME_DIR=$TMPDIR/xdg-runtime-dir \
+ xvfb-run -s '-screen 0 800x600x24' tests/run.sh
'';
pythonImportsCheck = [ "webview" ];

22
patches/354243.patch
View File

@ -1,22 +0,0 @@
From d08e25d8683ebe341d2fed24523d7604793f3414 Mon Sep 17 00:00:00 2001
From: Kira Bruneau <kira.bruneau@pm.me>
Date: Thu, 7 Nov 2024 09:36:11 -0500
Subject: [PATCH] geoclue: fix placing updateScript in passthru
---
pkgs/development/libraries/geoclue/default.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix
index d30c0b411796d..2b1e203c78089 100644
--- a/pkgs/development/libraries/geoclue/default.nix
+++ b/pkgs/development/libraries/geoclue/default.nix
@@ -94,7 +94,7 @@ stdenv.mkDerivation (finalAttrs: {
patchShebangs demo/install-file.py
'';
- updateScript = nix-update-script {};
+ passthru.updateScript = nix-update-script {};
meta = with lib; {
broken = stdenv.hostPlatform.isDarwin && withDemoAgent;

47
patches/366250.patch
View File

@ -1,47 +0,0 @@
From 477814140bcda31e08798ce9dc5ac8f55872d64c Mon Sep 17 00:00:00 2001
From: Petr Portnov <mrjarviscraft+nix@gmail.com>
Date: Wed, 18 Dec 2024 21:07:51 +0300
Subject: [PATCH] anydesk: add missing dependencies
---
pkgs/by-name/an/anydesk/package.nix | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/pkgs/by-name/an/anydesk/package.nix b/pkgs/by-name/an/anydesk/package.nix
index 00f6c2354a45f..ceb25c775d6c8 100644
--- a/pkgs/by-name/an/anydesk/package.nix
+++ b/pkgs/by-name/an/anydesk/package.nix
@@ -11,7 +11,10 @@
gdk-pixbuf,
glib,
gnome2,
- gtk2,
+ gtk3,
+ dbus,
+ harfbuzz,
+ libz,
libGLU,
libGL,
pango,
@@ -48,7 +51,10 @@ stdenv.mkDerivation (finalAttrs: {
cairo
gdk-pixbuf
glib
- gtk2
+ gtk3
+ dbus
+ harfbuzz
+ libz
stdenv.cc.cc
pango
gnome2.gtkglext
@@ -123,7 +129,8 @@ stdenv.mkDerivation (finalAttrs: {
lsb-release
pciutils
]
- }
+ } \
+ --prefix GDK_BACKEND : x11
'';
passthru = {

13
patches/fix-nix-2.19.patch
View File

@ -1,13 +0,0 @@
diff --git a/src/libutil/current-process.cc b/src/libutil/current-process.cc
index 352a6a0..7435f58 100644
--- a/src/libutil/current-process.cc
+++ b/src/libutil/current-process.cc
@@ -35,6 +35,8 @@ unsigned int getMaxCPU()
auto cpuMax = readFile(cpuFile);
auto cpuMaxParts = tokenizeString<std::vector<std::string>>(cpuMax, " \n");
+ if (cpuMaxParts.size() != 2)
+ return 0;
auto quota = cpuMaxParts[0];
auto period = cpuMaxParts[1];
if (quota != "max")

603
patches/netbird-24.05.patch
View File

@ -1,603 +0,0 @@
diff --git a/nixos/modules/services/networking/netbird.nix b/nixos/modules/services/networking/netbird.nix
index 7add37789..0160a8964 100644
--- a/nixos/modules/services/networking/netbird.nix
+++ b/nixos/modules/services/networking/netbird.nix
@@ -1,73 +1,155 @@
-{
- config,
- lib,
- pkgs,
- ...
+{ config
+, lib
+, pkgs
+, ...
}:
let
inherit (lib)
- attrNames
+ attrValues
+ concatLists
+ concatStringsSep
+ escapeShellArgs
+ filterAttrs
getExe
literalExpression
maintainers
+ makeBinPath
mapAttrs'
+ mapAttrsToList
mkDefault
- mkEnableOption
mkIf
mkMerge
mkOption
+ mkOptionDefault
mkPackageOption
+ mkRemovedOptionModule
nameValuePair
optional
+ optionalString
+ toShellVars
+ versionAtLeast
versionOlder
;
inherit (lib.types)
attrsOf
+ bool
+ enum
+ package
port
str
submodule
;
- kernel = config.boot.kernelPackages;
+ inherit (config.boot) kernelPackages;
+ inherit (config.boot.kernelPackages) kernel;
cfg = config.services.netbird;
+
+ toClientList = fn: map fn (attrValues cfg.clients);
+ toClientAttrs = fn: mapAttrs' (_: fn) cfg.clients;
+
+ hardenedClients = filterAttrs (_: client: client.hardened) cfg.clients;
+ toHardenedClientList = fn: map fn (attrValues hardenedClients);
+ toHardenedClientAttrs = fn: mapAttrs' (_: fn) hardenedClients;
+
+ nixosConfig = config;
in
{
meta.maintainers = with maintainers; [
misuzu
- thubrecht
+ nazarewk
];
meta.doc = ./netbird.md;
+ imports = [
+ (mkRemovedOptionModule [ "services" "netbird" "tunnels" ]
+ "The option `services.netbird.tunnels` has been renamed to `services.netbird.clients`")
+ ];
+
options.services.netbird = {
- enable = mkEnableOption "Netbird daemon";
+ enable = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ Enables backwards compatible Netbird client service.
+
+ This is strictly equivalent to:
+
+ ```nix
+ services.netbird.clients.wt0 = {
+ port = 51820;
+ name = "netbird";
+ interface = "wt0";
+ hardened = false;
+ };
+ ```
+ '';
+ };
package = mkPackageOption pkgs "netbird" { };
- tunnels = mkOption {
+ ui.enable = mkOption {
+ type = bool;
+ default = config.services.displayManager.sessionPackages != [ ] || config.services.xserver.enable;
+ defaultText = literalExpression ''
+ config.services.displayManager.sessionPackages != [ ] || config.services.xserver.enable
+ '';
+ description = ''
+ Controls presence `netbird-ui` wrappers, defaults to presence of graphical sessions.
+ '';
+ };
+ ui.package = mkPackageOption pkgs "netbird-ui" { };
+
+ clients = mkOption {
type = attrsOf (
submodule (
{ name, config, ... }:
+ let client = config; in
{
options = {
port = mkOption {
type = port;
- default = 51820;
+ example = literalExpression "51820";
description = ''
- Port for the ${name} netbird interface.
+ Port the Netbird client listens on.
'';
};
+ name = mkOption {
+ type = str;
+ default = name;
+ description = ''
+ Primary name for use (as a suffix) in:
+ - systemd service name,
+ - hardened user name and group,
+ - [systemd `*Directory=`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RuntimeDirectory=) names,
+ - desktop application identification,
+ '';
+ };
+
+ interface = mkOption {
+ type = str;
+ default = "nb-${client.name}";
+ description = ''
+ Name of the network interface managed by this client.
+ '';
+ apply = iface:
+ lib.throwIfNot (builtins.stringLength iface <= 15) "Network interface name must be 15 characters or less"
+ iface;
+ };
+
environment = mkOption {
type = attrsOf str;
defaultText = literalExpression ''
{
- NB_CONFIG = "/var/lib/''${stateDir}/config.json";
- NB_LOG_FILE = "console";
- NB_WIREGUARD_PORT = builtins.toString port;
- NB_INTERFACE_NAME = name;
- NB_DAMEON_ADDR = "/var/run/''${stateDir}"
+ NB_CONFIG = "/var/lib/netbird-''${client.name}/config.json";
+ NB_DAEMON_ADDR = "unix:///var/run/netbird-''${client.name}/sock";
+ NB_INTERFACE_NAME = config.interface;
+ NB_LOG_FILE = mkOptionDefault "console";
+ NB_LOG_LEVEL = config.logLevel;
+ NB_SERVICE = "netbird-''${client.name}";
+ NB_WIREGUARD_PORT = toString config.port;
}
'';
description = ''
@@ -75,97 +157,361 @@ in
'';
};
- stateDir = mkOption {
- type = str;
- default = "netbird-${name}";
+ autoStart = mkOption {
+ type = bool;
+ default = true;
+ description = ''
+ Start the service with the system.
+
+ As of 2024-02-13 it is not possible to start a Netbird client daemon without immediately
+ connecting to the network, but it is [planned for a near future](https://github.com/netbirdio/netbird/projects/2#card-91718018).
+ '';
+ };
+
+ openFirewall = mkOption {
+ type = bool;
+ default = true;
+ description = ''
+ Opens up firewall `port` for communication between Netbird peers directly over LAN or public IP,
+ without using (internet-hosted) TURN servers as intermediaries.
+ '';
+ };
+
+ hardened = mkOption {
+ type = bool;
+ default = true;
description = ''
- Directory storing the netbird configuration.
+ Hardened service:
+ - runs as a dedicated user with minimal set of permissions (see caveats),
+ - restricts daemon configuration socket access to dedicated user group
+ (you can grant access to it with `users.users."<user>".extraGroups = [ "netbird-${client.name}" ]`),
+
+ Even though the local system resources access is restricted:
+ - `CAP_NET_RAW`, `CAP_NET_ADMIN` and `CAP_BPF` still give unlimited network manipulation possibilites,
+ - older kernels don't have `CAP_BPF` and use `CAP_SYS_ADMIN` instead,
+
+ Known security features that are not (yet) integrated into the module:
+ - 2024-02-14: `rosenpass` is an experimental feature configurable solely
+ through `--enable-rosenpass` flag on the `netbird up` command,
+ see [the docs](https://docs.netbird.io/how-to/enable-post-quantum-cryptography)
+ '';
+ };
+
+ logLevel = mkOption {
+ type = enum [
+ # logrus loglevels
+ "panic"
+ "fatal"
+ "error"
+ "warn"
+ "warning"
+ "info"
+ "debug"
+ "trace"
+ ];
+ default = "info";
+ description = "Log level of the Netbird daemon.";
+ };
+
+ ui.enable = mkOption {
+ type = bool;
+ default = nixosConfig.services.netbird.ui.enable;
+ defaultText = literalExpression ''config.ui.enable'';
+ description = ''
+ Controls presence of `netbird-ui` wrapper for this Netbird client.
+ '';
+ };
+
+ wrapper = mkOption {
+ type = package;
+ internal = true;
+ default =
+ let
+ makeWrapperArgs = concatLists (mapAttrsToList
+ (key: value: [ "--set-default" key value ])
+ config.environment
+ );
+ in
+ pkgs.stdenv.mkDerivation {
+ name = "${cfg.package.name}-wrapper-${client.name}";
+ meta.mainProgram = "netbird-${client.name}";
+ nativeBuildInputs = with pkgs; [ makeWrapper ];
+ phases = [ "installPhase" ];
+ installPhase = concatStringsSep "\n" [
+ ''
+ mkdir -p "$out/bin"
+ makeWrapper ${lib.getExe cfg.package} "$out/bin/netbird-${client.name}" \
+ ${escapeShellArgs makeWrapperArgs}
+ ''
+ (optionalString cfg.ui.enable ''
+ # netbird-ui doesn't support envvars
+ makeWrapper ${lib.getExe cfg.ui.package} "$out/bin/netbird-ui-${client.name}" \
+ --add-flags '--daemon-addr=${config.environment.NB_DAEMON_ADDR}'
+
+ mkdir -p "$out/share/applications"
+ substitute ${cfg.ui.package}/share/applications/netbird.desktop \
+ "$out/share/applications/netbird-${client.name}.desktop" \
+ --replace-fail 'Name=Netbird' "Name=Netbird @ netbird-${client.name}" \
+ --replace-fail '${lib.getExe cfg.ui.package}' "$out/bin/netbird-ui-${client.name}"
+ '')
+ ];
+ };
+ };
+
+ # see https://github.com/netbirdio/netbird/blob/88747e3e0191abc64f1e8c7ecc65e5e50a1527fd/client/internal/config.go#L49-L82
+ config = mkOption {
+ type = (pkgs.formats.json { }).type;
+ defaultText = literalExpression ''
+ {
+ DisableAutoConnect = !config.autoStart;
+ WgIface = config.interface;
+ WgPort = config.port;
+ }
+ '';
+ description = ''
+ Additional configuration that exists before the first start and
+ later overrides the existing values in `config.json`.
+
+ It is mostly helpful to manage configuration ignored/not yet implemented
+ outside of `netbird up` invocation.
+
+ WARNING: this is not an upstream feature, it could break in the future
+ (by having lower priority) after upstream implements an equivalent.
+
+ It is implemented as a `preStart` script which overrides `config.json`
+ with content of `/etc/netbird-${client.name}/config.d/*.json` files.
+ This option manages specifically `50-nixos.json` file.
+
+ Consult [the source code](https://github.com/netbirdio/netbird/blob/88747e3e0191abc64f1e8c7ecc65e5e50a1527fd/client/internal/config.go#L49-L82)
+ or inspect existing file for a complete list of available configurations.
'';
};
};
- config.environment = builtins.mapAttrs (_: mkDefault) {
- NB_CONFIG = "/var/lib/${config.stateDir}/config.json";
- NB_LOG_FILE = "console";
- NB_WIREGUARD_PORT = builtins.toString config.port;
- NB_INTERFACE_NAME = name;
- NB_DAEMON_ADDR = "unix:///var/run/${config.stateDir}/sock";
+ config.environment = {
+ NB_CONFIG = "/var/lib/netbird-${client.name}/config.json";
+ NB_DAEMON_ADDR = "unix:///var/run/netbird-${client.name}/sock";
+ NB_INTERFACE_NAME = config.interface;
+ NB_LOG_FILE = mkOptionDefault "console";
+ NB_LOG_LEVEL = config.logLevel;
+ NB_SERVICE = "netbird-${client.name}";
+ NB_WIREGUARD_PORT = toString config.port;
+ };
+
+ config.config = {
+ DisableAutoConnect = !config.autoStart;
+ WgIface = config.interface;
+ WgPort = config.port;
};
}
)
);
default = { };
description = ''
- Attribute set of Netbird tunnels, each one will spawn a daemon listening on ...
+ Attribute set of Netbird client daemons, by default each one will:
+
+ 1. be manageable using dedicated tooling:
+ - `netbird-<name>` script,
+ - `Netbird - netbird-<name>` graphical interface when appropriate (see `ui.enable`),
+ 2. run as a `netbird-<name>.service`,
+ 3. listen for incoming remote connections on the port `51820` (`openFirewall` by default),
+ 4. manage the `netbird-<name>` wireguard interface,
+ 5. use the `/var/lib/netbird-<name>/config.json` configuration file,
+ 6. override `/var/lib/netbird-<name>/config.json` with values from `/etc/netbird-<name>/config.d/*.json`,
+ 7. (`hardened`) be locally manageable by `netbird-<name>` system group,
+
+ With following caveats:
+
+ - multiple daemons will interfere with each other's DNS resolution of `netbird.cloud`, but
+ should remain fully operational otherwise.
+ Setting up custom (non-conflicting) DNS zone is currently possible only when self-hosting.
+ '';
+ example = lib.literalExpression ''
+ {
+ services.netbird.clients.wt0.port = 51820;
+ services.netbird.clients.personal.port = 51821;
+ services.netbird.clients.work1.port = 51822;
+ }
'';
};
};
config = mkMerge [
- (mkIf cfg.enable {
- # For backwards compatibility
- services.netbird.tunnels.wt0.stateDir = "netbird";
- })
+ (mkIf cfg.enable (
+ let name = "wt0"; client = cfg.clients."${name}"; in {
+ services.netbird.clients."${name}" = {
+ port = mkDefault 51820;
+ name = mkDefault "netbird";
+ interface = mkDefault "wt0";
+ hardened = mkDefault false;
+ };
- (mkIf (cfg.tunnels != { }) {
- boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
+ environment.systemPackages = [
+ (lib.hiPrio (pkgs.runCommand "${client.name}-as-default" { } ''
+ mkdir -p "$out/bin"
+ for binary in netbird ${optionalString cfg.ui.enable "netbird-ui"} ; do
+ ln -s "${client.wrapper}/bin/$binary-${client.name}" "$out/bin/$binary"
+ done
+ ''))
+ ];
+ }
+ ))
+ {
+ boot.extraModulePackages = optional
+ (cfg.clients != { } && (versionOlder kernel.version "5.6"))
+ kernelPackages.wireguard;
- environment.systemPackages = [ cfg.package ];
+ environment.systemPackages =
+ toClientList (client: client.wrapper)
+ # omitted due to https://github.com/netbirdio/netbird/issues/1562
+ #++ optional (cfg.clients != { }) cfg.package
+ # omitted due to https://github.com/netbirdio/netbird/issues/1581
+ #++ optional (cfg.clients != { } && cfg.ui.enable) cfg.ui.package
+ ;
- networking.dhcpcd.denyInterfaces = attrNames cfg.tunnels;
+ networking.dhcpcd.denyInterfaces = toClientList (client: client.interface);
+ networking.networkmanager.unmanaged = toClientList (client: "interface-name:${client.interface}");
- systemd.network.networks = mkIf config.networking.useNetworkd (
- mapAttrs'
- (
- name: _:
- nameValuePair "50-netbird-${name}" {
- matchConfig = {
- Name = name;
- };
- linkConfig = {
- Unmanaged = true;
- ActivationPolicy = "manual";
- };
- }
- )
- cfg.tunnels
- );
+ networking.firewall.allowedUDPPorts = concatLists (toClientList (client: optional client.openFirewall client.port));
- systemd.services =
- mapAttrs'
- (
- name:
- { environment, stateDir, ... }:
- nameValuePair "netbird-${name}" {
- description = "A WireGuard-based mesh network that connects your devices into a single private network";
+ systemd.network.networks = mkIf config.networking.useNetworkd (toClientAttrs (client:
+ nameValuePair "50-netbird-${client.interface}" {
+ matchConfig = {
+ Name = client.interface;
+ };
+ linkConfig = {
+ Unmanaged = true;
+ ActivationPolicy = "manual";
+ };
+ }
+ ));
- documentation = [ "https://netbird.io/docs/" ];
+ environment.etc = toClientAttrs (client: nameValuePair "netbird-${client.name}/config.d/50-nixos.json" {
+ text = builtins.toJSON client.config;
+ mode = "0444";
+ });
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
+ systemd.services = toClientAttrs (client: nameValuePair "netbird-${client.name}" {
+ description = "A WireGuard-based mesh network that connects your devices into a single private network";
- path = with pkgs; [ openresolv ];
+ documentation = [ "https://netbird.io/docs/" ];
- inherit environment;
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${getExe cfg.package} service run";
- Restart = "always";
- RuntimeDirectory = stateDir;
- StateDirectory = stateDir;
- StateDirectoryMode = "0700";
- WorkingDirectory = "/var/lib/${stateDir}";
- };
+ path = optional (!config.services.resolved.enable) pkgs.openresolv;
- unitConfig = {
- StartLimitInterval = 5;
- StartLimitBurst = 10;
- };
+ serviceConfig = {
+ ExecStart = "${getExe client.wrapper} service run";
+ Restart = "always";
+
+ RuntimeDirectory = "netbird-${client.name}";
+ RuntimeDirectoryMode = mkDefault "0755";
+ ConfigurationDirectory = "netbird-${client.name}";
+ StateDirectory = "netbird-${client.name}";
+ StateDirectoryMode = "0700";
+
+ WorkingDirectory = "/var/lib/netbird-${client.name}";
+ };
+
+ unitConfig = {
+ StartLimitInterval = 5;
+ StartLimitBurst = 10;
+ };
+
+ stopIfChanged = false;
+ });
+ }
+ # Hardening section
+ (mkIf (hardenedClients != { }) {
+ users.groups = toHardenedClientAttrs (client: nameValuePair "netbird-${client.name}" { });
+ users.users = toHardenedClientAttrs (client: nameValuePair "netbird-${client.name}" {
+ isSystemUser = true;
+ home = "/var/lib/netbird-${client.name}";
+ group = "netbird-${client.name}";
+ });
+
+ systemd.services = toHardenedClientAttrs (client: nameValuePair "netbird-${client.name}" (mkIf client.hardened {
+ serviceConfig = {
+ RuntimeDirectoryMode = "0750";
+
+ User = "netbird-${client.name}";
+ Group = "netbird-${client.name}";
+
+ # settings implied by DynamicUser=true, without actully using it,
+ # see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=
+ RemoveIPC = true;
+ PrivateTmp = true;
+ ProtectSystem = "strict";
+ ProtectHome = "yes";
- stopIfChanged = false;
- }
- )
- cfg.tunnels;
+ AmbientCapabilities = [
+ # see https://man7.org/linux/man-pages/man7/capabilities.7.html
+ # see https://docs.netbird.io/how-to/installation#running-net-bird-in-docker
+ #
+ # seems to work fine without CAP_SYS_ADMIN and CAP_SYS_RESOURCE
+ # CAP_NET_BIND_SERVICE could be added to allow binding on low ports, but is not required,
+ # see https://github.com/netbirdio/netbird/pull/1513
+
+ # failed creating tunnel interface wt-priv: [operation not permitted
+ "CAP_NET_ADMIN"
+ # failed to pull up wgInterface [wt-priv]: failed to create ipv4 raw socket: socket: operation not permitted
+ "CAP_NET_RAW"
+ ]
+ # required for eBPF filter, used to be subset of CAP_SYS_ADMIN
+ ++ optional (versionAtLeast kernel.version "5.8") "CAP_BPF"
+ ++ optional (versionOlder kernel.version "5.8") "CAP_SYS_ADMIN"
+ ;
+ };
+ }));
+
+ # see https://github.com/systemd/systemd/blob/17f3e91e8107b2b29fe25755651b230bbc81a514/src/resolve/org.freedesktop.resolve1.policy#L43-L43
+ security.polkit.extraConfig = mkIf config.services.resolved.enable ''
+ // systemd-resolved access for Netbird clients
+ polkit.addRule(function(action, subject) {
+ var actions = [
+ "org.freedesktop.resolve1.set-dns-servers",
+ "org.freedesktop.resolve1.set-domains",
+ ];
+ var users = ${builtins.toJSON (toHardenedClientList (client: "netbird-${client.name}"))};
+
+ if (actions.indexOf(action.id) >= 0 && users.indexOf(subject.user) >= 0 ) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
})
+ # migration & temporary fixups section
+ {
+ systemd.services = toClientAttrs (client: nameValuePair "netbird-${client.name}" {
+ preStart = ''
+ set -eEuo pipefail
+ ${optionalString (client.logLevel == "trace" || client.logLevel == "debug") "set -x"}
+
+ PATH="${makeBinPath (with pkgs; [coreutils jq diffutils])}:$PATH"
+ export ${toShellVars client.environment}
+
+ # merge /etc/netbird-${client.name}/config.d' into "$NB_CONFIG"
+ {
+ test -e "$NB_CONFIG" || echo -n '{}' > "$NB_CONFIG"
+
+ # merge config.d with "$NB_CONFIG" into "$NB_CONFIG.new"
+ jq -sS 'reduce .[] as $i ({}; . * $i)' \
+ "$NB_CONFIG" \
+ /etc/netbird-${client.name}/config.d/*.json \
+ > "$NB_CONFIG.new"
+
+ echo "Comparing $NB_CONFIG with $NB_CONFIG.new ..."
+ if ! diff <(jq -S <"$NB_CONFIG") "$NB_CONFIG.new" ; then
+ echo "Updating $NB_CONFIG ..."
+ mv "$NB_CONFIG.new" "$NB_CONFIG"
+ else
+ echo "Files are the same, not doing anything."
+ rm "$NB_CONFIG.new"
+ fi
+ }
+ '';
+ });
+ }
];
}

16
patches/zfs-2.2.5.patch
View File

@ -1,16 +0,0 @@
diff --git a/pkgs/os-specific/linux/zfs/2_2.nix b/pkgs/os-specific/linux/zfs/2_2.nix
index 9e3fde0780f0..9165ab4d5d1b 100644
--- a/pkgs/os-specific/linux/zfs/2_2.nix
+++ b/pkgs/os-specific/linux/zfs/2_2.nix
@@ -15,9 +15,9 @@ callPackage ./generic.nix args {
# this attribute is the correct one for this package.
kernelModuleAttribute = "zfs_2_2";
# check the release notes for compatible kernels
- kernelCompatible = kernel.kernelOlder "6.10";
+ kernelCompatible = kernel.kernelOlder "6.11";
- latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_6;
+ latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_10;
# this package should point to the latest release.
version = "2.2.5";