diff --git a/flake.lock b/flake.lock
index 6e865c53..e55ae8b2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -394,17 +394,17 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1751792365,
- "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
+ "lastModified": 1751271578,
+ "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
+ "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-unstable",
 "repo": "nixpkgs",
+ "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
 "type": "github"
 }
 },
diff --git a/flake.nix b/flake.nix
index 09e4b48a..1afc8424 100644
--- a/flake.nix
+++ b/flake.nix
@@ -73,7 +73,7 @@
 url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs.url = "github:nixos/nixpkgs/3016b4b15d13f3089db8a41ef937b13a9e33a8df";
 nix-index-database = {
 url = "github:Mic92/nix-index-database";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/patches/422817.patch b/patches/422817.patch
deleted file mode 100644
index e993f983..00000000
--- a/patches/422817.patch
+++ /dev/null
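Review bot: The new `nixpkgs.url` line in flake.nix pins the input to a bare commit hash with no comment saying why it is frozen or when it should return to `nixos-unstable`. The flake.lock hunk shows the pinned revision's `lastModified` (1751271578) is older than the one it replaces (1751792365), so this is a rollback. With `rev` now recorded under `original`, a later `nix flake update` will presumably no longer advance nixpkgs, and the inputs that declare `inputs.nixpkgs.follows = "nixpkgs"` share that frozen tree, so packaged security fixes stop arriving until this line is edited by hand. The same commit deletes patches/422817.patch, whose content stripped the systemd sandboxing options from the dovecot unit, which suggests (not confirmed by anything visible here) that the pin predates that upstream change and dovecot still runs without that hardening. I would add a comment directly above the line, for example `# TEMP pin (rollback, replaces patches/422817.patch): return to nixos-unstable once <tracking issue> is resolved`, so the freeze is visible and has an exit condition.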
@@ -1,95 +0,0 @@
-diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
-index 6ebf5cf95742fb..01b9c278c6307d 100644
---- a/nixos/modules/services/mail/dovecot.nix
-+++ b/nixos/modules/services/mail/dovecot.nix
-@@ -692,67 +692,23 @@ in
-
- environment.etc."dovecot/dovecot.conf".source = cfg.configFile;
-
-- systemd.services.dovecot = {
-- aliases = [ "dovecot2.service" ];
-+ systemd.services.dovecot2 = {
- description = "Dovecot IMAP/POP3 server";
-- documentation = [
-- "man:dovecot(1)"
-- "https://doc.dovecot.org"
-- ];
-
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
-- restartTriggers = [ cfg.configFile ];
-+ restartTriggers = [
-+ cfg.configFile
-+ ];
-
- startLimitIntervalSec = 60; # 1 min
- serviceConfig = {
- Type = "notify";
- ExecStart = "${dovecotPkg}/sbin/dovecot -F";
- ExecReload = "${dovecotPkg}/sbin/doveadm reload";
--
-- CapabilityBoundingSet = [
-- "CAP_CHOWN"
-- "CAP_DAC_OVERRIDE"
-- "CAP_FOWNER"
-- "CAP_NET_BIND_SERVICE"
-- "CAP_SETGID"
-- "CAP_SETUID"
-- "CAP_SYS_CHROOT"
-- "CAP_SYS_RESOURCE"
-- ];
-- LockPersonality = true;
-- MemoryDenyWriteExecute = true;
-- NoNewPrivileges = true;
-- OOMPolicy = "continue";
-- PrivateTmp = true;
-- ProcSubset = "pid";
-- ProtectClock = true;
-- ProtectControlGroups = true;
-- ProtectHome = lib.mkDefault false;
-- ProtectHostname = true;
-- ProtectKernelLogs = true;
-- ProtectKernelModules = true;
-- ProtectKernelTunables = true;
-- ProtectProc = "invisible";
-- ProtectSystem = "full";
-- PrivateDevices = true;
- Restart = "on-failure";
- RestartSec = "1s";
-- RestrictAddressFamilies = [
-- "AF_INET"
-- "AF_INET6"
-- "AF_UNIX"
-- ];
-- RestrictNamespaces = true;
-- RestrictRealtime = true;
-- RestrictSUIDSGID = false; # sets sgid on maildirs
- RuntimeDirectory = [ "dovecot2" ];
-- SystemCallArchitectures = "native";
-- SystemCallFilter = [
-- "@system-service @resources"
-- "~@privileged"
-- "@chown @setuid capset chroot"
-- ];
- };
-
- # When copying sieve scripts preserve the original time stamp
-diff --git a/nixos/tests/dovecot.nix b/nixos/tests/dovecot.nix
-index 83b3781c773d6b..3d2b8c45b12c77 100644
---- a/nixos/tests/dovecot.nix
-+++ b/nixos/tests/dovecot.nix
-@@ -84,13 +84,11 @@
-
- testScript = ''
- machine.wait_for_unit("postfix.service")
-- machine.wait_for_unit("dovecot.service")
-+ machine.wait_for_unit("dovecot2.service")
- machine.succeed("send-testmail")
- machine.succeed("send-lda")
- machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
- machine.succeed("test-imap")
- machine.succeed("test-pop")
--
-- machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v ✓"))
- '';
- }