Merge master into haskell-updates

maintainers/maintainer-list.nix

@@ -1234,6 +1234,12 @@
     githubId = 37040543;
     name = "Wroclaw";
   };
+  amuckstot30 = {
+    email = "amuckstot30@tutanota.com";
+    github = "amuckstot30";
+    githubId = 157274630;
+    name = "amuckstot30";
+  };
   amyipdev = {
     email = "amy@amyip.net";
     github = "amyipdev";
@@ -2938,6 +2944,14 @@
     githubId = 3229981;
     name = "Duncan Fairbanks";
   };
+  BonusPlay = {
+    name = "Bonus";
+    email = "nixos@bonusplay.pl";
+    matrix = "@bonus:bonusplay.pl";
+    github = "BonusPlay";
+    githubId = 8405359;
+    keys = [ { fingerprint = "8279 6487 A4CA 2A28 E8B3  3CD6 C7F9 9743 6A20 4683"; } ];
+  };
   booklearner = {
     name = "booklearner";
     email = "booklearner@proton.me";
@@ -5597,6 +5611,12 @@
     name = "Misha Gusarov";
     keys = [ { fingerprint = "A8DF 1326 9E5D 9A38 E57C  FAC2 9D20 F650 3E33 8888"; } ];
   };
+  dottybot = {
+    name = "Scala Organization (dottybot)";
+    email = "dottybot@groupes.epfl.ch";
+    github = "dottybot";
+    githubId = 12519979;
+  };
   dpaetzel = {
     email = "david.paetzel@posteo.de";
     github = "dpaetzel";
@@ -8237,6 +8257,12 @@
     githubId = 1742172;
     name = "Hamish Hutchings";
   };
+  hamzaremmal = {
+    email = "hamza.remmal@epfl.ch";
+    github = "hamzaremmal";
+    githubId = 56235032;
+    name = "Hamza Remmal";
+  };
   hanemile = {
     email = "mail@emile.space";
     github = "HanEmile";
@@ -14759,6 +14785,13 @@
     githubId = 818502;
     name = "Nathan Yong";
   };
+  natsukagami = {
+    email = "natsukagami@gmail.com";
+    github = "natsukagami";
+    githubId = 9061737;
+    name = "Natsu Kagami";
+    keys = [ { fingerprint = "5581 26DC 886F E14D 501D  B0F2 D6AD 7B57 A992 460C"; } ];
+  };
   natsukium = {
     email = "nixpkgs@natsukium.com";
     github = "natsukium";

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -73,6 +73,8 @@
 
 - [Goatcounter](https://www.goatcounter.com/), Easy web analytics. No tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcocunter.enable).
 
+- [Privatebin](https://github.com/PrivateBin/PrivateBin/), A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable)
+
 - [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland Compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable).
 
 - [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI
@@ -331,6 +333,15 @@
   a static `user` and `group`. The `writablePaths` option has been removed and
   the models directory is now always exempt from sandboxing.
 
+- The `gns3-server` service now runs under the `gns3` system user
+  instead of a dynamically created one via `DynamicUser`.
+  The use of SUID wrappers is incompatible with SystemD's `DynamicUser` setting,
+  and GNS3 requires calling ubridge through its SUID wrapper to function properly.
+  This change requires to manually move the following directories:
+    * from `/var/lib/private/gns3` to `/var/lib/gns3`
+    * from `/var/log/private/gns3` to `/var/log/gns3`
+  and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
+
 - Legacy package `stalwart-mail_0_6` was dropped, please note the
   [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
   before changing the package to `pkgs.stalwart-mail` in

nixos/modules/config/nix-flakes.nix

@@ -72,7 +72,7 @@ in
                   type = "path";
                   path = config.flake.outPath;
                 } // filterAttrs
-                  (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
+                  (n: _: n == "lastModified" || n == "rev" || n == "narHash")
                   config.flake
               ));
             };

nixos/modules/module-list.nix

@@ -1489,6 +1489,7 @@
   ./services/web-apps/powerdns-admin.nix
   ./services/web-apps/pretalx.nix
   ./services/web-apps/pretix.nix
+  ./services/web-apps/privatebin.nix
   ./services/web-apps/prosody-filer.nix
   ./services/web-apps/rimgo.nix
   ./services/web-apps/rutorrent.nix

nixos/modules/profiles/macos-builder.nix

@@ -196,14 +196,8 @@ in
       # To prevent gratuitous rebuilds on each change to Nixpkgs
       nixos.revision = null;
 
-      stateVersion = lib.mkDefault (throw ''
-        The macOS linux builder should not need a stateVersion to be set, but a module
-        has accessed stateVersion nonetheless.
-        Please inspect the trace of the following command to figure out which module
-        has a dependency on stateVersion.
-
-          nix-instantiate --attr darwin.linux-builder --show-trace
-      '');
+      # to be updated by module maintainers, see nixpkgs#325610
+      stateVersion = "24.05";
     };
 
     users.users."${user}" = {

nixos/modules/programs/tsm-client.nix

@@ -22,7 +22,7 @@ let
   serverOptions = { name, config, ... }: {
     freeformType = attrsOf (either scalarType (listOf scalarType));
     # Client system-options file directives are explained here:
-    # https://www.ibm.com/docs/en/storage-protect/8.1.23?topic=commands-processing-options
+    # https://www.ibm.com/docs/en/storage-protect/8.1.24?topic=commands-processing-options
     options.servername = mkOption {
       type = servernameType;
       default = name;

nixos/modules/security/isolate.nix

@@ -125,7 +125,7 @@ in
     };
 
     systemd.slices.isolate = {
-      description = "Isolate sandbox slice";
+      description = "Isolate Sandbox Slice";
     };
 
     meta.maintainers = with maintainers; [ virchau13 ];

nixos/modules/services/backup/bacula.nix

@@ -657,7 +657,7 @@ in {
 
   config = mkIf (fd_cfg.enable || sd_cfg.enable || dir_cfg.enable) {
     systemd.slices.system-bacula = {
-      description = "Bacula Slice";
+      description = "Bacula Backup System Slice";
       documentation = [ "man:bacula(8)" "https://www.bacula.org/" ];
     };
 

nixos/modules/services/backup/tsm.nix

@@ -90,7 +90,7 @@ in
       environment.HOME = "/var/lib/tsm-backup";
       serviceConfig = {
         # for exit status description see
-        # https://www.ibm.com/docs/en/storage-protect/8.1.23?topic=clients-client-return-codes
+        # https://www.ibm.com/docs/en/storage-protect/8.1.24?topic=clients-client-return-codes
         SuccessExitStatus = "4 8";
         # The `-se` option must come after the command.
         # The `-optfile` option suppresses a `dsm.opt`-not-found warning.

nixos/modules/services/continuous-integration/hydra/default.nix

@@ -311,7 +311,7 @@ in
     ];
 
     systemd.slices.system-hydra = {
-      description = "Hydra Slice";
+      description = "Hydra CI Server Slice";
       documentation = [ "file://${cfg.package}/share/doc/hydra/index.html" "https://nixos.org/hydra/manual/" ];
     };
 

nixos/modules/services/development/athens.nix

@@ -168,7 +168,7 @@ in
       type = lib.types.package;
       default = pkgs.go;
       defaultText = lib.literalExpression "pkgs.go";
-      example = "pkgs.go_1_21";
+      example = "pkgs.go_1_23";
       description = ''
         The Go package used by Athens at runtime.
 

nixos/modules/services/misc/paperless.nix

@@ -234,7 +234,7 @@ in
     services.redis.servers.paperless.enable = mkIf enableRedis true;
 
     systemd.slices.system-paperless = {
-      description = "Paperless slice";
+      description = "Paperless Document Management System Slice";
       documentation = [ "https://docs.paperless-ngx.com" ];
     };
 

nixos/modules/services/misc/redmine.nix

@@ -74,6 +74,12 @@ in
         description = "Group under which Redmine is ran.";
       };
 
+      address = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = "IP address Redmine should bind to.";
+      };
+
       port = mkOption {
         type = types.port;
         default = 3000;
@@ -429,7 +435,7 @@ in
         Group = cfg.group;
         TimeoutSec = "300";
         WorkingDirectory = "${cfg.package}/share/redmine";
-        ExecStart="${bundle} exec rails server -u webrick -e production -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'";
+        ExecStart="${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'";
       };
 
     };

nixos/modules/services/monitoring/rustdesk-server.nix

@@ -86,7 +86,7 @@ in {
 
     systemd.slices.system-rustdesk = {
       enable = true;
-      description = "Slice designed to contain RustDesk Signal & RustDesk Relay";
+      description = "RustDesk Remote Desktop Slice";
     };
 
     systemd.targets.rustdesk = {

nixos/modules/services/network-filesystems/samba.nix

@@ -179,7 +179,7 @@ in
 
         systemd = {
           slices.system-samba = {
-            description = "Samba slice";
+            description = "Samba (SMB Networking Protocol) Slice";
           };
           targets.samba = {
             description = "Samba Server";

nixos/modules/services/networking/gns3-server.nix

@@ -129,8 +129,15 @@ in {
       }
     ];
 
+    users.groups.gns3 = { };
+
     users.groups.ubridge = lib.mkIf cfg.ubridge.enable { };
 
+    users.users.gns3 = {
+      group = "gns3";
+      isSystemUser = true;
+    };
+
     security.wrappers.ubridge = lib.mkIf cfg.ubridge.enable {
       capabilities = "cap_net_raw,cap_net_admin=eip";
       group = "ubridge";
@@ -150,7 +157,7 @@ in {
         };
       }
       (lib.mkIf (cfg.ubridge.enable) {
-        Server.ubridge_path = lib.mkDefault (lib.getExe cfg.ubridge.package);
+        Server.ubridge_path = lib.mkDefault "/run/wrappers/bin/ubridge";
       })
       (lib.mkIf (cfg.auth.enable) {
         Server = {
@@ -206,7 +213,6 @@ in {
       serviceConfig = {
         ConfigurationDirectory = "gns3";
         ConfigurationDirectoryMode = "0750";
-        DynamicUser = true;
         Environment = "HOME=%S/gns3";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         ExecStart = "${lib.getExe cfg.package} ${commandArgs}";
@@ -227,14 +233,27 @@ in {
         User = "gns3";
         WorkingDirectory = "%S/gns3";
 
+        # Required for ubridge integration to work
+        #
+        # GNS3 needs to run SUID binaries (ubridge)
+        # but NoNewPrivileges breaks execution of SUID binaries
+        DynamicUser = false;
+        NoNewPrivileges = false;
+        RestrictSUIDSGID = false;
+        PrivateUsers = false;
+
         # Hardening
-        DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm";
+        DeviceAllow = [
+          # ubridge needs access to tun/tap devices
+          "/dev/net/tap rw"
+          "/dev/net/tun rw"
+        ] ++ lib.optionals flags.enableLibvirtd [
+          "/dev/kvm"
+        ];
         DevicePolicy = "closed";
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
         PrivateTmp = true;
-        PrivateUsers = true;
         # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat
         # ProcSubset = "pid";
         ProtectClock = true;
@@ -255,8 +274,7 @@ in {
         ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        UMask = "0077";
+        UMask = "0022";
       };
     };
   };

nixos/modules/services/security/clamav.nix

@@ -165,7 +165,7 @@ in
     environment.etc."clamav/clamd.conf".source = clamdConfigFile;
 
     systemd.slices.system-clamav = {
-      description = "ClamAV slice";
+      description = "ClamAV Antivirus Slice";
     };
 
     systemd.services.clamav-daemon = mkIf cfg.daemon.enable {

nixos/modules/services/web-apps/openwebrx.nix

@@ -18,7 +18,7 @@ in
         codec2
         js8call
         m17-cxx-demod
-        alsaUtils
+        alsa-utils
         netcat
       ];
       serviceConfig = {