diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 4b02d32ae074..b66e4d82db71 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -376,6 +376,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The Matrix homeserver [Synapse](https://element-hq.github.io/synapse/) module now supports configuring UNIX domain socket [listeners](#opt-services.matrix-synapse.settings.listeners) through the `path` option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. +- The initrd ssh daemon module got a new option to add authorized keys via a list of files using `boot.initrd.network.ssh.authorizedKeyFiles`. + - Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles. The `nimPackages` and `nim2Packages` sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 61e61f32bc5e..43da2496d16c 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -93,6 +93,21 @@ in defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys"; description = lib.mdDoc '' Authorized keys for the root user on initrd. + You can combine the `authorizedKeys` and `authorizedKeyFiles` options. + ''; + example = [ + "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" + "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" + ]; + }; + + authorizedKeyFiles = mkOption { + type = types.listOf types.path; + default = config.users.users.root.openssh.authorizedKeys.keyFiles; + defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keyFiles"; + description = lib.mdDoc '' + Authorized keys taken from files for the root user on initrd. + You can combine the `authorizedKeyFiles` and `authorizedKeys` options. ''; }; @@ -152,7 +167,7 @@ in in mkIf enabled { assertions = [ { - assertion = cfg.authorizedKeys != []; + assertion = cfg.authorizedKeys != [] || cfg.authorizedKeyFiles != []; message = "You should specify at least one authorized key for initrd SSH"; } @@ -206,6 +221,9 @@ in ${concatStrings (map (key: '' echo ${escapeShellArg key} >> /root/.ssh/authorized_keys '') cfg.authorizedKeys)} + ${concatStrings (map (keyFile: '' + cat ${keyFile} >> /root/.ssh/authorized_keys + '') cfg.authorizedKeyFiles)} ${flip concatMapStrings cfg.hostKeys (path: '' # keys from Nix store are world-readable, which sshd doesn't like @@ -236,9 +254,13 @@ in users.root.shell = mkIf (config.boot.initrd.network.ssh.shell != null) config.boot.initrd.network.ssh.shell; - contents."/etc/ssh/authorized_keys.d/root".text = - concatStringsSep "\n" config.boot.initrd.network.ssh.authorizedKeys; - contents."/etc/ssh/sshd_config".text = sshdConfig; + contents = { + "/etc/ssh/sshd_config".text = sshdConfig; + "/etc/ssh/authorized_keys.d/root".text = + concatStringsSep "\n" ( + config.boot.initrd.network.ssh.authorizedKeys ++ + (map (file: lib.fileContents file) config.boot.initrd.network.ssh.authorizedKeyFiles)); + }; storePaths = ["${package}/bin/sshd"]; services.sshd = { diff --git a/pkgs/applications/graphics/pureref/default.nix b/pkgs/applications/graphics/pureref/default.nix index 5a0774a09f43..825ea4c51e19 100644 --- a/pkgs/applications/graphics/pureref/default.nix +++ b/pkgs/applications/graphics/pureref/default.nix @@ -1,14 +1,16 @@ -{ lib, appimageTools, requireFile }: +{ lib, appimageTools, runCommand, curl, gnugrep, cacert }: appimageTools.wrapType1 rec { pname = "pureref"; version = "1.11.1"; - src = requireFile { - name = "PureRef-${version}_x64.Appimage"; - sha256 = "05naywdgykqrsgc3xybskr418cyvbx7vqs994yv9w8zf98gxvbvm"; - url = "https://www.pureref.com/download.php"; - }; + src = runCommand "PureRef-${version}_x64.Appimage" { + nativeBuildInputs = [ curl gnugrep cacert ]; + outputHash = "sha256-da/dH0ruI562JylpvE9f2zMUSJ56+T7Y0xlP/xr3yhY="; + } '' + key="$(curl "https://www.pureref.com/download.php" --silent | grep '%3D%3D' | cut -d '"' -f2)" + curl "https://www.pureref.com/files/build.php?build=LINUX64.Appimage&version=${version}&downloadKey=$key" --output $out + ''; extraInstallCommands = '' mv $out/bin/${pname}-${version} $out/bin/${pname} diff --git a/pkgs/by-name/pg/pgmoneta/package.nix b/pkgs/by-name/pg/pgmoneta/package.nix index ee9ac2bbeefa..c56243fe8920 100644 --- a/pkgs/by-name/pg/pgmoneta/package.nix +++ b/pkgs/by-name/pg/pgmoneta/package.nix @@ -19,13 +19,13 @@ stdenv.mkDerivation rec { pname = "pgmoneta"; - version = "0.9.0"; + version = "0.10.0"; src = fetchFromGitHub { owner = "pgmoneta"; repo = "pgmoneta"; rev = version; - hash = "sha256-KVweAsmAQGUkBAxR7gPJe6mygfG7xApvJFRiCbSFq9E="; + hash = "sha256-wNBomyyr078Twzg7fuu3et1NUxpb+vqIbsnpmF73t18="; }; nativeBuildInputs = [ diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix index d8261beb1764..25043ac7ff0a 100644 --- a/pkgs/os-specific/linux/kernel/zen-kernels.nix +++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix @@ -4,16 +4,16 @@ let # comments with variant added for update script # ./update-zen.py zen zenVariant = { - version = "6.8"; #zen - suffix = "zen1"; #zen - sha256 = "19rsi8747xw5lsq4pwizq2va6inmwrywgy8b5f2ppcd6ny0whn1i"; #zen + version = "6.8.2"; #zen + suffix = "zen2"; #zen + sha256 = "0v8y7d7mn0y5g8bbw2nm89a7jsvdwfjg6d3zqyga9mpr16xpsssa"; #zen isLqx = false; }; # ./update-zen.py lqx lqxVariant = { - version = "6.7.9"; #lqx + version = "6.7.11"; #lqx suffix = "lqx1"; #lqx - sha256 = "0hhkn2098h69l8slz5f0krkckf3qm7hmh5z233j341jpc0qv8p6b"; #lqx + sha256 = "180a39qrpldq4y2gn12pynhk62w46bzqi7zgciawznxyp8rr673x"; #lqx isLqx = true; }; zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // {