NixOS
diff --git a/‎ci/OWNERS‎
Lines changed: 3 additions & 0 deletions b/‎ci/OWNERS‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎maintainers/maintainer-list.nix‎
Lines changed: 11 additions & 6 deletions b/‎maintainers/maintainer-list.nix‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎nixos/doc/manual/release-notes/rl-2505.section.md‎
Lines changed: 2 additions & 0 deletions b/‎nixos/doc/manual/release-notes/rl-2505.section.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎nixos/modules/module-list.nix‎
Lines changed: 1 addition & 0 deletions b/‎nixos/modules/module-list.nix‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎nixos/modules/security/krb5/krb5-conf-format.nix‎
Lines changed: 26 additions & 9 deletions b/‎nixos/modules/security/krb5/krb5-conf-format.nix‎
Lines changed: 26 additions & 9 deletions
diff --git a/‎nixos/modules/services/databases/postgresql.nix‎
Lines changed: 120 additions & 10 deletions b/‎nixos/modules/services/databases/postgresql.nix‎
Lines changed: 120 additions & 10 deletions
diff --git a/‎nixos/modules/services/system/kerberos/default.nix‎
Lines changed: 11 additions & 0 deletions b/‎nixos/modules/services/system/kerberos/default.nix‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎nixos/modules/services/system/kerberos/mit.nix‎
Lines changed: 2 additions & 1 deletion b/‎nixos/modules/services/system/kerberos/mit.nix‎
Lines changed: 2 additions & 1 deletion
@@ -129,6 +129,9 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 # Systemd-boot
 /nixos/modules/system/boot/loader/systemd-boot      @JulienMalka
 
+# Limine
+/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi
+
 # Images and installer media
 /nixos/modules/profiles/installation-device.nix @ElvishJerricco
 /nixos/modules/installer/cd-dvd/                @ElvishJerricco
 
@@ -3570,6 +3570,12 @@
     githubId = 32319131;
     name = "Brett L";
   };
+  bubblepipe = {
+    email = "[email protected]";
+    github = "bubblepipe";
+    githubId = 30717258;
+    name = "bubblepipe";
+  };
   buckley310 = {
     email = "[email protected]";
     matrix = "@buckley310:matrix.org";
@@ -8487,12 +8493,6 @@
     githubId = 34658064;
     name = "Grace Dinh";
   };
-  gebner = {
-    email = "[email protected]";
-    github = "gebner";
-    githubId = 313929;
-    name = "Gabriel Ebner";
-  };
   geluk = {
     email = "[email protected]";
     github = "geluk";
@@ -19070,6 +19070,11 @@
     githubId = 74465;
     name = "James Fargher";
   };
+  programmerlexi = {
+    name = "programmerlexi";
+    github = "programmerlexi";
+    githubId = 60185691;
+  };
   progrm_jarvis = {
     email = "[email protected]";
     github = "JarvisCraft";
 
@@ -183,6 +183,8 @@
 
 - [Rebuilderd](https://github.com/kpcyrd/rebuilderd) an independent verification of binary packages - Reproducible Builds. Available as [services.rebuilderd](#opt-services.rebuilderd.enable).
 
+- [Limine](https://github.com/limine-bootloader/limine) a modern, advanced, portable, multiprotocol bootloader and boot manager. Available as [boot.loader.limine](#opt-boot.loader.limine.enable)
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-25.05-incompatibilities}
 
@@ -1719,6 +1719,7 @@
   ./system/boot/loader/grub/memtest.nix
   ./system/boot/loader/external/external.nix
   ./system/boot/loader/init-script/init-script.nix
+  ./system/boot/loader/limine/limine.nix
   ./system/boot/loader/loader.nix
   ./system/boot/loader/systemd-boot/systemd-boot.nix
   ./system/boot/luksroot.nix
 
@@ -61,16 +61,33 @@ rec {
             description = "Which principal the rule applies to";
           };
           access = mkOption {
-            type = either (listOf (enum [
-              "add"
-              "cpw"
-              "delete"
-              "get"
-              "list"
-              "modify"
-            ])) (enum [ "all" ]);
+            type = coercedTo str singleton (
+              listOf (enum [
+                "all"
+                "add"
+                "cpw"
+                "delete"
+                "get-keys"
+                "get"
+                "list"
+                "modify"
+              ])
+            );
             default = "all";
-            description = "The changes the principal is allowed to make.";
+            description = ''
+              The changes the principal is allowed to make.
+
+              :::{.important}
+              The "all" permission does not imply the "get-keys" permission. This
+              is consistent with the behavior of both MIT Kerberos and Heimdal.
+              :::
+
+              :::{.warning}
+              Value "all" is allowed as a list member only if it appears alone
+              or accompanied by "get-keys". Any other combination involving
+              "all" will raise an exception.
+              :::
+            '';
           };
           target = mkOption {
             type = str;
 
@@ -14,8 +14,11 @@ let
     const
     elem
     escapeShellArgs
+    filter
     filterAttrs
+    getAttr
     getName
+    hasPrefix
     isString
     literalExpression
     mapAttrs
@@ -31,6 +34,8 @@ let
     mkRemovedOptionModule
     mkRenamedOptionModule
     optionalString
+    pipe
+    sortProperties
     types
     versionAtLeast
     warn
@@ -124,6 +129,100 @@ in
         '';
       };
 
+      systemCallFilter = mkOption {
+        type = types.attrsOf (
+          types.coercedTo types.bool (enable: { inherit enable; }) (
+            types.submodule (
+              { name, ... }:
+              {
+                options = {
+                  enable = mkEnableOption "${name} in postgresql's syscall filter";
+                  priority = mkOption {
+                    default =
+                      if hasPrefix "@" name then
+                        500
+                      else if hasPrefix "~@" name then
+                        1000
+                      else
+                        1500;
+                    defaultText = literalExpression ''
+                      if hasPrefix "@" name then 500 else if hasPrefix "~@" name then 1000 else 1500
+                    '';
+                    type = types.int;
+                    description = ''
+                      Set the priority of the system call filter setting. Later declarations
+                      override earlier ones, e.g.
+
+                      ```ini
+                      [Service]
+                      SystemCallFilter=~read write
+                      SystemCallFilter=write
+                      ```
+
+                      results in a service where _only_ `read` is not allowed.
+
+                      The ordering in the unit file is controlled by this option: the higher
+                      the number, the later it will be added to the filterset.
+
+                      By default, depending on the prefix a priority is assigned: usually, call-groups
+                      (starting with `@`) are used to allow/deny a larger set of syscalls and later
+                      on single syscalls are configured for exceptions. Hence, syscall groups
+                      and negative groups are placed before individual syscalls by default.
+                    '';
+                  };
+                };
+              }
+            )
+          )
+        );
+        defaultText = literalExpression ''
+          {
+            "@system-service" = true;
+            "~@privileged" = true;
+            "~@resources" = true;
+          }
+        '';
+        description = ''
+          Configures the syscall filter for `postgresql.service`. The keys are
+          declarations for `SystemCallFilter` as described in {manpage}`systemd.exec(5)`.
+
+          The value is a boolean: `true` adds the attribute name to the syscall filter-set,
+          `false` doesn't. This is done to allow downstream configurations to turn off
+          restrictions made here. E.g. with
+
+          ```nix
+          {
+            services.postgresql.systemCallFilter."~@resources" = false;
+          }
+          ```
+
+          it's possible to remove the restriction on `@resources` (keep in mind that
+          `@system-service` implies `@resources`).
+
+          As described in the section for [](#opt-services.postgresql.systemCallFilter._name_.priority),
+          the ordering matters. Hence, it's also possible to specify customizations with
+
+          ```nix
+          {
+            services.postgresql.systemCallFilter = {
+              "foobar" = { enable = true; priority = 23; };
+            };
+          }
+          ```
+
+          [](#opt-services.postgresql.systemCallFilter._name_.enable) is the flag whether
+          or not it will be added to the `SystemCallFilter` of `postgresql.service`.
+
+          Settings with a higher priority are added after filter settings with a lower
+          priority. Hence, syscall groups with a higher priority can discard declarations
+          with a lower priority.
+
+          By default, syscall groups (i.e. attribute names starting with `@`) are added
+          _before_ negated groups (i.e. `~@` as prefix) _before_ syscall names
+          and negations.
+        '';
+      };
+
       checkConfig = mkOption {
         type = types.bool;
         default = true;
@@ -583,6 +682,21 @@ in
       '')
     ];
 
+    services.postgresql.systemCallFilter = mkMerge [
+      (mapAttrs (const mkDefault) {
+        "@system-service" = true;
+        "~@privileged" = true;
+        "~@resources" = true;
+      })
+      (mkIf (any extensionInstalled [ "plv8" ]) {
+        "@pkey" = true;
+      })
+      (mkIf (any extensionInstalled [ "citus" ]) {
+        "getpriority" = true;
+        "setpriority" = true;
+      })
+    ];
+
     users.users.postgres = {
       name = "postgres";
       uid = config.ids.uids.postgres;
@@ -727,16 +841,12 @@ in
           RestrictRealtime = true;
           RestrictSUIDSGID = true;
           SystemCallArchitectures = "native";
-          SystemCallFilter =
-            [
-              "@system-service"
-              "~@privileged @resources"
-            ]
-            ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ]
-            ++ lib.optionals (any extensionInstalled [ "citus" ]) [
-              "getpriority"
-              "setpriority"
-            ];
+          SystemCallFilter = pipe cfg.systemCallFilter [
+            (mapAttrsToList (name: v: v // { inherit name; }))
+            (filter (getAttr "enable"))
+            sortProperties
+            (map (getAttr "name"))
+          ];
           UMask = if groupAccessAvailable then "0027" else "0077";
         }
         (mkIf (cfg.dataDir != "/var/lib/postgresql/${cfg.package.psqlSchema}") {
 
@@ -55,6 +55,17 @@ in
         assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
         message = "Only one realm per server is currently supported.";
       }
+      {
+        assertion =
+          let
+            inherit (builtins) attrValues elem length;
+            realms = attrValues cfg.settings.realms;
+            accesses = lib.concatMap (r: map (a: a.access) r.acl) realms;
+            property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a);
+          in
+          builtins.all property accesses;
+        message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";
+      }
     ];
 
     systemd.slices.system-kerberos-server = { };
 
@@ -19,10 +19,11 @@ let
     add = "a";
     cpw = "c";
     delete = "d";
+    get-keys = "e";
     get = "i";
     list = "l";
     modify = "m";
-    all = "*";
+    all = "x";
   };
 
   aclConfigs = lib.pipe cfg.settings.realms [