Merge release-25.11 into staging-next-25.11

Author: nixpkgs-ci[bot]

nixos/modules/services/misc/flaresolverr.nix

@@ -46,13 +46,77 @@ in
         RestartSec = 5;
         Type = "simple";
         DynamicUser = true;
+        UMask = "0077";
         RuntimeDirectory = "flaresolverr";
         WorkingDirectory = "/run/flaresolverr";
         ExecStart = lib.getExe cfg.package;
         TimeoutStopSec = 30;
+
+        # Systemd hardening
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictRealtime = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = [
+          "net"
+          "pid"
+          "user"
+        ];
+        CapabilityBoundingSet = [
+          "~CAP_BLOCK_SUSPEND"
+          "~CAP_BPF"
+          "~CAP_CHOWN"
+          "~CAP_IPC_LOCK"
+          "~CAP_MKNOD"
+          "~CAP_NET_ADMIN"
+          "~CAP_NET_RAW"
+          "~CAP_PERFMON"
+          "~CAP_SYSLOG"
+          "~CAP_SYS_ADMIN"
+          "~CAP_SYS_BOOT"
+          "~CAP_SYS_MODULE"
+          "~CAP_SYS_PACCT"
+          "~CAP_SYS_PTRACE"
+          "~CAP_SYS_TIME"
+          "~CAP_WAKE_ALARM"
+        ];
+        SystemCallFilter = [
+          "~@chown"
+          "~@clock"
+          "~@cpu-emulation"
+          "~@debug"
+          "~@keyring"
+          "~@memlock"
+          "~@module"
+          "~@obsolete"
+          "~@pkey"
+          "~@raw-io"
+          "~@reboot"
+          "~@setuid"
+          "~@swap"
+          "~@timer"
+        ];
+        SystemCallErrorNumber = "EPERM";
+        SystemCallArchitectures = "native";
       };
     };
 
     networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
   };
+
+  meta.maintainers = with lib.maintainers; [ diogotcorreia ];
 }

nixos/modules/services/system/nix-daemon.nix

@@ -62,6 +62,102 @@ in
       ];
     })
     (lib.mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
+    {
+      # Unprivileged Nix daemon
+      config = lib.mkIf (cfg.daemonUser != "root") {
+        assertions = [
+          {
+            message = ''
+              The Nix daemon cannot run as the root group when not running as the root user.
+            '';
+            assertion = cfg.daemonGroup != "root";
+          }
+          {
+            message = ''
+              Nix must have the `local-overlay-store` experimental feature when not running as the root user.
+            '';
+            assertion = lib.elem "local-overlay-store" cfg.settings.experimental-features;
+          }
+          {
+            message = ''
+              Nix must have the `auto-allocate-uids` experimental feature when not running as the root user.
+            '';
+            assertion = lib.elem "auto-allocate-uids" cfg.settings.experimental-features;
+          }
+        ];
+
+        nix.settings = {
+          sandbox = true;
+
+          auto-allocate-uids = true;
+
+          # No such group would exist within the sandbox, so chowning to it would fail
+          build-users-group = "";
+
+          # Default settings from Nix, we need to specify them here to use them in nix code though
+          start-id = lib.mkDefault (832 * 1024 * 1024);
+          id-count = lib.mkDefault (128 * 65536);
+        };
+
+        systemd.services.nix-daemon = {
+          # Nix assumes it should use `daemon` if it isn't root, so we have to set `NIX_REMOTE` anyway
+          environment.NIX_REMOTE = "local?use-roots-daemon=true";
+          serviceConfig = {
+            User = cfg.daemonUser;
+            Group = cfg.daemonGroup;
+
+            # Empty string needed to disable old Exec
+            ExecStart = [
+              ""
+              "${nixPackage}/libexec/nix-nswrapper ${toString cfg.settings.start-id} ${toString cfg.settings.id-count} ${nixPackage}/bin/nix-daemon --daemon"
+            ];
+          };
+        };
+
+        # We can't remount rw while unprivileged
+        boot.nixStoreMountOpts = [
+          "nodev"
+          "nosuid"
+        ];
+
+        users.users."${cfg.daemonUser}" = {
+          subUidRanges = [
+            {
+              startUid = cfg.settings.start-id;
+              count = cfg.settings.id-count;
+            }
+          ];
+          subGidRanges = [
+            {
+              startGid = cfg.settings.start-id;
+              count = cfg.settings.id-count;
+            }
+          ];
+        };
+
+        systemd.tmpfiles.rules = [
+          "d /nix/store                   0755 ${config.nix.daemonUser} ${config.nix.daemonGroup} - -"
+          "Z /nix/var                     0755 ${config.nix.daemonUser} ${config.nix.daemonGroup} - -"
+          "d /nix/var/nix/builds          0755 ${config.nix.daemonUser} ${config.nix.daemonGroup} 7d -"
+          "d /nix/var/nix/daemon-socket   0755 ${config.nix.daemonUser} ${config.nix.daemonGroup} - -"
+          "d /nix/var/nix/gc-roots-socket 0755 ${config.nix.daemonUser} ${config.nix.daemonGroup} - -"
+        ];
+
+        systemd.services.nix-roots-daemon = {
+          serviceConfig.ExecStart = "${config.nix.package.out}/bin/nix --extra-experimental-features nix-command store roots-daemon";
+        };
+        systemd.sockets.nix-roots-daemon = {
+          wantedBy = [
+            "nix-daemon.service"
+          ];
+          listenStreams = [ "/nix/var/nix/gc-roots-socket/socket" ];
+          unitConfig = {
+            ConditionPathIsReadWrite = "/nix/var/nix/gc-roots-socket";
+            RequiresMountsFor = "/nix/store";
+          };
+        };
+      };
+    }
   ];
 
   ###### interface
@@ -88,6 +184,24 @@ in
         '';
       };
 
+      daemonUser = lib.mkOption {
+        type = lib.types.str;
+        default = "root";
+        description = ''
+          User to use to run the Nix daemon.
+          If this is not "root" then the Nix daemon will set several settings to preserve functionality.
+          When setting this option, you must also set `nix.daemonGroup`.
+        '';
+      };
+
+      daemonGroup = lib.mkOption {
+        type = lib.types.str;
+        default = "root";
+        description = ''
+          Group to use to run the Nix daemon.
+        '';
+      };
+
       daemonCPUSchedPolicy = lib.mkOption {
         type = lib.types.enum [
           "other"
@@ -192,15 +306,18 @@ in
 
     systemd.packages = [ nixPackage ];
 
-    systemd.tmpfiles.packages = [ nixPackage ];
+    # The upstream Nix tmpfiles.d file assumes the daemon runs as root
+    systemd.tmpfiles.packages = lib.mkIf (cfg.daemonUser == "root") [ nixPackage ];
 
     systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
 
     systemd.services.nix-daemon = {
       path = [
         nixPackage
         config.programs.ssh.package
-      ];
+      ]
+      # For running "newuidmap"
+      ++ lib.optional (cfg.daemonUser != "root") "/run/wrappers";
 
       environment =
         cfg.envVars

nixos/tests/flaresolverr.nix

@@ -1,7 +1,7 @@
 { lib, ... }:
 {
   name = "flaresolverr";
-  meta.maintainers = [ ];
+  meta.maintainers = with lib.maintainers; [ diogotcorreia ];
 
   nodes.machine =
     { pkgs, ... }:

nixos/tests/matrix/continuwuity.nix

@@ -1,6 +1,8 @@
 { lib, ... }:
 let
   name = "continuwuity";
+  user = "alice";
+  pass = "my-secret-password";
 in
 {
   inherit name;
@@ -12,8 +14,7 @@ in
         settings.global = {
           server_name = name;
           address = [ "0.0.0.0" ];
-          allow_registration = true;
-          yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
+          admin_execute = [ "users create ${user} ${pass}" ];
         };
         extraEnvironment.RUST_BACKTRACE = "yes";
       };
@@ -30,13 +31,10 @@ in
 
             async def main() -> None:
                 # Connect to continuwuity
-                client = nio.AsyncClient("http://continuwuity:6167", "alice")
-
-                # Register as user alice
-                response = await client.register("alice", "my-secret-password")
+                client = nio.AsyncClient("http://continuwuity:6167", "${user}")
 
                 # Log in as user alice
-                response = await client.login("my-secret-password")
+                response = await client.login("${pass}")
 
                 # Create a new room
                 response = await client.room_create(federate=False)

nixos/tests/rancher/multi-node.nix

@@ -218,11 +218,6 @@ in
       # wait for the agent to show up
       server.wait_until_succeeds("kubectl get node agent")
 
-      ${lib.optionalString (rancherDistro == "k3s") ''
-        for m in machines:
-            m.succeed("k3s check-config")
-      ''}
-
       server.succeed("kubectl cluster-info")
       # Also wait for our service account to show up; it takes a sec
       server.wait_until_succeeds("kubectl get serviceaccount default")

nixos/tests/rancher/single-node.nix

@@ -84,9 +84,6 @@ in
       machine.wait_for_unit("${serviceName}")
       machine.succeed("kubectl cluster-info")
       machine.fail("sudo -u noprivs kubectl cluster-info")
-      ${lib.optionalString (rancherDistro == "k3s") ''
-        machine.succeed("k3s check-config")
-      ''}
 
       # Also wait for our service account to show up; it takes a sec
       machine.wait_until_succeeds("kubectl get serviceaccount default")