portunus: remove libxcrypt-legacy usage

Stefan Majewsky 2024-06-01 10:28:21 +02:00
parent fc2390fa15
commit d11d18df30
3 changed files with 12 additions and 6 deletions


@ -30,6 +30,15 @@
for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
data and the filesystem for blobs). data and the filesystem for blobs).
- The `portunus` package and service do not support weak password hashes anymore.
If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing.
Then, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all existing user accounts to strong password hashes.
If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:
```nix
services.portunus.package = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
```
## Other Notable Changes {#sec-release-24.11-notable-changes} ## Other Notable Changes {#sec-release-24.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->


@ -115,10 +115,7 @@ in
ldap = { ldap = {
package = mkOption { package = mkOption {
type = types.package; type = types.package;
# needs openldap built with a libxcrypt that support crypt sha256 until users have had time to migrate to newer hashes default = pkgs.openldap;
# Ref: <https://github.com/majewsky/portunus/issues/2>
# TODO: remove in NixOS 24.11 (cf. same note on pkgs/servers/portunus/default.nix)
default = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
defaultText = lib.literalExpression "pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }"; defaultText = lib.literalExpression "pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }";
description = "The OpenLDAP package to use."; description = "The OpenLDAP package to use.";
}; };
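Review bot: The `defaultText` line in this hunk is unchanged and still reads `pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }`, while `default` is now plain `pkgs.openldap`. The generated option documentation would therefore tell administrators that the LDAP server is still built against the legacy libxcrypt, which hides the fact that accounts with old-format hashes need migrating. It should match the new default: `defaultText = lib.literalExpression "pkgs.openldap";`. Because the release note offers the legacy override as an explicit opt-in, the `description` could also mention that overriding with `libxcrypt-legacy` brings back support for weak password hashes. The enclosing `ldap` option set continues outside the hunk.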


@ -1,7 +1,7 @@
{ lib { lib
, buildGoModule , buildGoModule
, fetchFromGitHub , fetchFromGitHub
, libxcrypt-legacy # TODO: switch to libxcrypt for NixOS 24.11 (cf. same note on nixos/modules/services/misc/portunus.nix) , libxcrypt
}: }:
buildGoModule rec { buildGoModule rec {
@ -15,7 +15,7 @@ buildGoModule rec {
sha256 = "sha256-+pMMIutj+OWKZmOYH5NuA4a7aS5CD+33vAEC9bJmyfM="; sha256 = "sha256-+pMMIutj+OWKZmOYH5NuA4a7aS5CD+33vAEC9bJmyfM=";
}; };
buildInputs = [ libxcrypt-legacy ]; buildInputs = [ libxcrypt ];
vendorHash = null; vendorHash = null;