Update inputs to fix OpenSSH CVE-2024-6387

2025-12-25 05:36:59 +01:00 · 2024-07-02 18:16:26 +02:00 · 2024-07-02 18:16:26 +02:00 · 053fd23097
commit 053fd23097
parent 781d6dcfac
8 changed files with 118 additions and 120 deletions
--- a/modules/gitlab-runner.nix
+++ b/modules/gitlab-runner.nix
@ -1,9 +1,7 @@
 { config, lib, pkgs, ... }:
 with lib;
-let
-  cfg = config.custom.services.gitlab-runner;
-in
-{
+let cfg = config.custom.services.gitlab-runner;
+in {
  options.custom.services.gitlab-runner = {
    enable = mkEnableOption "gitlab-runner";
  };
@ -35,58 +33,52 @@ in
        };
      };

-      config =
-        let
-          hostConfig = config;
-        in
-        args@{ config, ... }: {
+      config = let hostConfig = config;
+      in args@{ config, ... }: {

-          nix = {
-            package = pkgs.nixUnstable;
-            extraOptions = ''
-              experimental-features = nix-command flakes
-            '';
-          };
-
-          environment.systemPackages = with pkgs; [
-            git
-            htop
-            nload
-          ];
-
-          users.groups.gitlab-runner = { };
-          users.users.gitlab-runner = {
-            isSystemUser = true;
-            group = config.users.groups.gitlab-runner.name;
-          };
-
-          programs.ssh.extraConfig = ''
-            StrictHostKeyChecking=no
-            UserKnownHostsFile=/dev/null
+        nix = {
+          package = pkgs.nixVersions.latest;
+          extraOptions = ''
+            experimental-features = nix-command flakes
          '';
+        };

-          services = {
-            openssh.enable = true;
-            gitlab-runner = {
-              enable = true;
-              services = {
-                shell = {
-                  registrationConfigFile = hostConfig.sops.secrets.runnerRegistrationConfig.path;
-                  executor = "shell";
-                  tagList = [ "nix" ];
-                };
+        environment.systemPackages = with pkgs; [ git htop nload ];
+
+        users.groups.gitlab-runner = { };
+        users.users.gitlab-runner = {
+          isSystemUser = true;
+          group = config.users.groups.gitlab-runner.name;
+        };
+
+        programs.ssh.extraConfig = ''
+          StrictHostKeyChecking=no
+          UserKnownHostsFile=/dev/null
+        '';
+
+        services = {
+          openssh.enable = true;
+          gitlab-runner = {
+            enable = true;
+            services = {
+              shell = {
+                registrationConfigFile =
+                  hostConfig.sops.secrets.runnerRegistrationConfig.path;
+                executor = "shell";
+                tagList = [ "nix" ];
              };
            };
          };
-
-          systemd.services.gitlab-runner.serviceConfig = {
-            DynamicUser = lib.mkForce false;
-            User = config.users.users.gitlab-runner.name;
-            Group = config.users.groups.gitlab-runner.name;
-          };
-
-          system.stateVersion = "22.05";
        };
+
+        systemd.services.gitlab-runner.serviceConfig = {
+          DynamicUser = lib.mkForce false;
+          User = config.users.users.gitlab-runner.name;
+          Group = config.users.groups.gitlab-runner.name;
+        };
+
+        system.stateVersion = "22.05";
+      };
    };
  };
 }
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@ -126,10 +126,12 @@ in {
          max_chunk_age = "1h";
          chunk_target_size = 999999;
          chunk_retain_period = "30s";
-          max_transfer_retries = 0;
        };

-        limits_config = { ingestion_rate_mb = 16; };
+        limits_config = {
+          ingestion_rate_mb = 16;
+          allow_structured_metadata = false;
+        };

        schema_config = {
          configs = [{
@ -150,7 +152,6 @@ in {
              "${config.services.loki.dataDir}/boltdb-index";
            cache_location = "${config.services.loki.dataDir}/boltdb-cache";
            cache_ttl = "24h";
-            shared_store = "filesystem";
          };

          filesystem = {
@ -163,7 +164,7 @@ in {
          reject_old_samples_max_age = "168h";
        };

-        chunk_store_config = { max_look_back_period = "0s"; };
+        querier.engine.max_look_back_period = "0s";

        table_manager = {
          retention_deletes_enabled = false;
@ -172,7 +173,6 @@ in {

        compactor = {
          working_directory = "${config.services.loki.dataDir}";
-          shared_store = "filesystem";
          compactor_ring = { kvstore = { store = "inmemory"; }; };
        };

--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -74,11 +74,13 @@ in {
        dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}";
        adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}";
        adminuser = "root";
-        overwriteProtocol = "https";
-        defaultPhoneRegion = "BE";
      };

-      extraOptions = { maintenance_window_start = 1; };
+      settings = {
+        overwriteProtocol = "https";
+        default_phone_region = "BE";
+        maintenance_window_start = 1;
+      };

      phpOptions = {
        short_open_tag = "Off";
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@ -56,7 +56,7 @@ in {
      script = ''
        set -u
        PSQL() {
-            psql --port=${toString pgsql.port} "$@"
+            psql --port=${toString pgsql.settings.port} "$@"
        }

        PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'