From 30036c3d109caff4a1ff8597b57f9b6953b975f5 Mon Sep 17 00:00:00 2001 From: Jonas Heinrich Date: Sat, 30 Dec 2023 18:42:40 +0100 Subject: [PATCH 1/5] nixos/initrd-ssh: Add authorizedKeyFiles option --- .../manual/release-notes/rl-2405.section.md | 2 ++ nixos/modules/system/boot/initrd-ssh.nix | 30 ++++++++++++++++--- 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 8010f2ba2076..f293fb669ab2 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -261,6 +261,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The Matrix homeserver [Synapse](https://element-hq.github.io/synapse/) module now supports configuring UNIX domain socket [listeners](#opt-services.matrix-synapse.settings.listeners) through the `path` option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. +- The initrd ssh daemon module got a new option to add authorized keys via a list of files using `boot.initrd.network.ssh.authorizedKeyFiles`. + - Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles. The `nimPackages` and `nim2Packages` sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 61e61f32bc5e..43da2496d16c 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix 
@@ -93,6 +93,21 @@ in defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys"; description = lib.mdDoc '' Authorized keys for the root user on initrd. + You can combine the `authorizedKeys` and `authorizedKeyFiles` options. + ''; + example = [ + "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" + "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" + ]; + }; + + authorizedKeyFiles = mkOption { + type = types.listOf types.path; + default = config.users.users.root.openssh.authorizedKeys.keyFiles; + defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keyFiles"; + description = lib.mdDoc '' + Authorized keys taken from files for the root user on initrd. + You can combine the `authorizedKeyFiles` and `authorizedKeys` options. ''; }; @@ -152,7 +167,7 @@ in in mkIf enabled { assertions = [ { - assertion = cfg.authorizedKeys != []; + assertion = cfg.authorizedKeys != [] || cfg.authorizedKeyFiles != []; message = "You should specify at least one authorized key for initrd SSH"; } @@ -206,6 +221,9 @@ in ${concatStrings (map (key: '' echo ${escapeShellArg key} >> /root/.ssh/authorized_keys '') cfg.authorizedKeys)} + ${concatStrings (map (keyFile: '' + cat ${keyFile} >> /root/.ssh/authorized_keys + '') cfg.authorizedKeyFiles)} ${flip concatMapStrings cfg.hostKeys (path: '' # keys from Nix store are world-readable, which sshd doesn't like 
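Review bot: The new `authorizedKeyFiles` description says where the keys end up in the initrd but not where the files themselves end up, which is the security-relevant part of a `types.path` option. As far as I can tell from the later hunks in this file, each path is either interpolated into the initrd script (`${keyFile}`, which copies the file into the Nix store) or inlined with `lib.fileContents`, so the contents become world-readable build artifacts either way. I would add to the description: `The files are read at build time and their contents are copied into the initrd and the Nix store, so they must only contain public keys.` The enclosing options attribute set starts outside the hunk.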
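Review bot: In the third hunk (`@@ -206`) `cat ${keyFile}` interpolates the path into the shell command unquoted, unlike the `echo ${escapeShellArg key}` line just above it, so a path with spaces or shell metacharacters breaks the script. There is a second, larger problem if I read this right: the interpolation yields a `/nix/store/...` path and the command runs inside the scripted initrd at boot, but nothing in the hunk adds that store path to the initrd, whereas the systemd-initrd hunk below (`@@ -236`) inlines the contents at evaluation time with `lib.fileContents`. Doing the same here keeps the two backends consistent and removes the boot-time file dependency: `echo ${escapeShellArg (lib.fileContents keyFile)} >> /root/.ssh/authorized_keys`. The enclosing script string starts and ends outside the hunk.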
@@ -236,9 +254,13 @@ in users.root.shell = mkIf (config.boot.initrd.network.ssh.shell != null) config.boot.initrd.network.ssh.shell; - contents."/etc/ssh/authorized_keys.d/root".text = - concatStringsSep "\n" config.boot.initrd.network.ssh.authorizedKeys; - contents."/etc/ssh/sshd_config".text = sshdConfig; + contents = { + "/etc/ssh/sshd_config".text = sshdConfig; + "/etc/ssh/authorized_keys.d/root".text = + concatStringsSep "\n" ( + config.boot.initrd.network.ssh.authorizedKeys ++ + (map (file: lib.fileContents file) config.boot.initrd.network.ssh.authorizedKeyFiles)); + }; storePaths = ["${package}/bin/sshd"]; services.sshd = { From d3f916b237e5ee4f2c515dab667ebfd6d0559bd9 Mon Sep 17 00:00:00 2001 From: Gabriel Fontes Date: Tue, 28 Nov 2023 13:20:23 -0300 Subject: [PATCH 2/5] pureref: download source automatically Mentioned in https://github.com/NixOS/nixpkgs/issues/250520 --- pkgs/applications/graphics/pureref/default.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pkgs/applications/graphics/pureref/default.nix b/pkgs/applications/graphics/pureref/default.nix index 5a0774a09f43..825ea4c51e19 100644 --- a/pkgs/applications/graphics/pureref/default.nix +++ b/pkgs/applications/graphics/pureref/default.nix 
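Review bot: `map (file: lib.fileContents file) ...` wraps a function that can be passed directly; `(map lib.fileContents config.boot.initrd.network.ssh.authorizedKeyFiles));` reads cleaner and is the idiom used elsewhere in nixpkgs. Since `fileContents` strips only the trailing newline, a file holding several keys stays intact after the `"\n"` join, which deserves a short comment because the scripted-initrd hunk earlier in this patch reads the same files differently (`cat` at boot), so the two backends can diverge if a key file is edited after the build. The `contents` attribute set rewritten here belongs to a larger attribute set that starts and ends outside the hunk.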
@@ -1,14 +1,16 @@ -{ lib, appimageTools, requireFile }: +{ lib, appimageTools, runCommand, curl, gnugrep, cacert }: appimageTools.wrapType1 rec { pname = "pureref"; version = "1.11.1"; - src = requireFile { - name = "PureRef-${version}_x64.Appimage"; - sha256 = "05naywdgykqrsgc3xybskr418cyvbx7vqs994yv9w8zf98gxvbvm"; - url = "https://www.pureref.com/download.php"; - }; + src = runCommand "PureRef-${version}_x64.Appimage" { + nativeBuildInputs = [ curl gnugrep cacert ]; + outputHash = "sha256-da/dH0ruI562JylpvE9f2zMUSJ56+T7Y0xlP/xr3yhY="; + } '' + key="$(curl "https://www.pureref.com/download.php" --silent | grep '%3D%3D' | cut -d '"' -f2)" + curl "https://www.pureref.com/files/build.php?build=LINUX64.Appimage&version=${version}&downloadKey=$key" --output $out + ''; extraInstallCommands = '' mv $out/bin/${pname}-${version} $out/bin/${pname} From 0d86c16ff087a7e1d3b860bbf1134b02965d84b2 Mon Sep 17 00:00:00 2001 From: JerrySM64 <42114389+JerrySM64@users.noreply.github.com> Date: Thu, 28 Mar 2024 21:57:34 +0100 Subject: [PATCH 3/5] linuxKernel.kernels.linux_zen: 6.8-zen1 -> 6.8.2-zen2 --- pkgs/os-specific/linux/kernel/zen-kernels.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix index d8261beb1764..dfee80ea19df 100644 --- a/pkgs/os-specific/linux/kernel/zen-kernels.nix +++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix @@ -4,9 +4,9 @@ let # comments with variant added for update script # ./update-zen.py zen zenVariant = { - version = "6.8"; #zen - suffix = "zen1"; #zen - sha256 = "19rsi8747xw5lsq4pwizq2va6inmwrywgy8b5f2ppcd6ny0whn1i"; #zen + version = "6.8.2"; #zen + suffix = "zen2"; #zen + sha256 = "0v8y7d7mn0y5g8bbw2nm89a7jsvdwfjg6d3zqyga9mpr16xpsssa"; #zen isLqx = false; }; # ./update-zen.py lqx From a60c7cff874bccffe28a0ec420ce4ed914b65b16 Mon Sep 17 00:00:00 2001 
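Review bot: Neither `curl` call in the new `src` passes `--fail`, so when the scrape `grep '%3D%3D' | cut -d '"' -f2` stops matching (empty `$key`) or the server answers with an error page, the HTML lands in `$out` and the only symptom is an `outputHash` mismatch, which is easy to misread as a legitimate upstream change of the AppImage. The fixed output hash still pins the result and `cacert` presumably supplies the CA bundle for TLS verification, so this is a diagnosability issue rather than an integrity one. I would write `key="$(curl --fail --silent "https://www.pureref.com/download.php" | grep '%3D%3D' | cut -d '"' -f2)"`, then `[ -n "$key" ] || { echo "could not extract download key" >&2; exit 1; }`, and `curl --fail "https://www.pureref.com/files/build.php?build=LINUX64.Appimage&version=${version}&downloadKey=$key" --output "$out"` (quoting `$out` also guards against word splitting). The `extraInstallCommands` string at the end of the hunk continues outside it.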
From: JerrySM64 <42114389+JerrySM64@users.noreply.github.com> Date: Thu, 28 Mar 2024 21:58:41 +0100 Subject: [PATCH 4/5] linuxKernel.kernels.linux_lqx: 6.7.9-lqx1 -> 6.7.11-lqx1 --- pkgs/os-specific/linux/kernel/zen-kernels.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix index dfee80ea19df..25043ac7ff0a 100644 --- a/pkgs/os-specific/linux/kernel/zen-kernels.nix +++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix @@ -11,9 +11,9 @@ let }; # ./update-zen.py lqx lqxVariant = { - version = "6.7.9"; #lqx + version = "6.7.11"; #lqx suffix = "lqx1"; #lqx - sha256 = "0hhkn2098h69l8slz5f0krkckf3qm7hmh5z233j341jpc0qv8p6b"; #lqx + sha256 = "180a39qrpldq4y2gn12pynhk62w46bzqi7zgciawznxyp8rr673x"; #lqx isLqx = true; }; zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // { From e9c98c68d37ea1de7e776ea6b0ea154da1e4ccdc Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 29 Mar 2024 01:46:06 +0000 Subject: [PATCH 5/5] pgmoneta: 0.9.0 -> 0.10.0 --- pkgs/by-name/pg/pgmoneta/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/pg/pgmoneta/package.nix b/pkgs/by-name/pg/pgmoneta/package.nix index ee9ac2bbeefa..c56243fe8920 100644 --- a/pkgs/by-name/pg/pgmoneta/package.nix +++ b/pkgs/by-name/pg/pgmoneta/package.nix @@ -19,13 +19,13 @@ stdenv.mkDerivation rec { pname = "pgmoneta"; - version = "0.9.0"; + version = "0.10.0"; src = fetchFromGitHub { owner = "pgmoneta"; repo = "pgmoneta"; rev = version; - hash = "sha256-KVweAsmAQGUkBAxR7gPJe6mygfG7xApvJFRiCbSFq9E="; + hash = "sha256-wNBomyyr078Twzg7fuu3et1NUxpb+vqIbsnpmF73t18="; }; nativeBuildInputs = [