The k3s update script filters the assets of a
corresponding release for airgap images archives
and provides these as passthru attributes of the
k3s derivation. We use zstd archives, as these
offer the best compression ratios and decompression
speed. Furthermore, the `airgapImages` passthru
provides the images archive that matches the host
platform architecture, however, this only works
for aarch64 and x86_64. In addition, a txt file
listing all container images of a release is made
available via a passthru attribute. The airgap
images archives can be combined nicely with the
`services.k3s.images` option, e.g. to pre-provision
k3s nodes for environments without Internet
connectivity.
The docker-tools test, where this originates, was not run on aarch64-linux, but this is an artifact of its age more so than anything else.
Co-authored-by: Ivan Trubach <mr.trubach@icloud.com>
This is a full rewrite independent of the previously removed cryptpad
module, managing cryptpad's config in RFC0042 along with a shiny test.
Upstream cryptpad provides two nginx configs, with many optimizations
and complex settings; this uses the easier variant for now but
improvements (e.g. serving blocks and js files directly through nginx)
should be possible with a bit of work and care about http headers.
the /checkup page of cryptpad passes all tests except HSTS, we don't
seem to have any nginx config with HSTS enabled in nixpkgs so leave this
as is for now.
Co-authored-by: Pol Dellaiera <pol.dellaiera@protonmail.com>
Co-authored-by: Michael Smith <shmitty@protonmail.com>
On Linux we cannot feasbibly generate users statically because we need
to take care to not change or re-use UIDs over the lifetime of a machine
(i.e. over multiple generations). This means we need the context of the
running machine.
Thus, stop creating users statically and instead generate them at
runtime irrespective of mutableUsers.
When /etc is immutable, the password files (e.g. /etc/passwd etc.) are
created in a separate directory (/var/lib/nixos/etc). /etc will be
pre-populated with symlinks to this separate directory.
Immutable users are now implemented by bind-mounting the password files
read-only onto themselves and only briefly re-mounting them writable to
re-execute sysusers. The biggest limitation of this design is that you
now need to manually unmount this bind mount to change passwords because
sysusers cannot change passwords for you. This shouldn't be too much of
an issue because system users should only rarely need to change their
passwords.
