The module option type `nonEmptyStr` was introduced in commit
a3c5f0cba8
The hylafax module previously simply used
`addCheck str (s: s!="")` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
If a secret path is a subset of a second secret path, there's a risk
that its secret is substituted for the matching part of the second
path. To prevent this, use the sha256 of the paths as placeholder
string instead.
I think calling i2pd directly in `ExecStart` is much nicer than having an extra shell script for no reason. It's also easier to see what's going on when looking at the generated systemd unit file.
* make slurmd depend on network target to ensure basic networking
is available on startup. This fixes behaviour
where slurmd fails with "error: get_addr_info: getaddrinfo() failed".
* Use tmpfiles.d to ensure spool directory exists on start up.
Fail scripts on pipeline errors and propagate subshell errors.
If an error occurs in a subshell, including while trying to read a
secret file, we want that error to propagate to the main shell
context. That means we have to set the `inherit_errexit` option, which
allows errors from subshells to propagate to the outer shell. Also,
the subshell cannot run as part of another command, such as `export`,
since that will simply ignore the subshell exit status and only
respect `export`s exit status; first assigning the value to a variable
and then exporting it solves issue.
* nixos/nftables: Allow use with iptables
Since iptables and nftables do not actually conflict with each other, there's no real reason to artificially prevent people from combining them.
In fact, this practice is known to cause issues like #88643, which is fixed by this commit.
users.users.*.createHome makes home only owner-readable.
This breaks nginx reading static assets from nextcloud's home,
after a nixos-rebuild that did not restart nextcloud-setup.
Closes#112639
When no devices are given the exporter tries to autodiscover available
disks. The previous DevicePolicy was however preventing the exporter
from accessing any device at all, since only explicitly mentioned ones
were allowed.
This commit adds an allow rule for several device classes that I could
find on my machines, that gets set when no devices are explicitly
configured.
There is an existing problem with nvme devices, that expose a character
device at `/dev/nvme0`, and a (namespaced) block device at
`/dev/nvme0n1`. The character device does not come with permissions that
we could give to the exporter without further impacting the hardening.
crw------- 1 root root 247, 0 27. Jan 03:10 /dev/nvme0
brw-rw---- 1 root disk 259, 0 27. Jan 03:10 /dev/nvme0n1
The autodiscovery only finds the character device, which the exporter
unfortunately does not have access to.
However a simple udev rule can be used to resolve this:
services.udev.extraRules = ''
SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
'';
Unfortunately I'm not fully aware of the security implications this
change carries and we should question upstream (systemd) why they did
not include such a rule.
The disk group has no members on any of my machines.
❯ getent group disk
disk❌6:
* fix MTP support on KDE Plasma and Dolphin
* Update pkgs/applications/kde/kio-extras.nix
Co-authored-by: ElXreno <elxreno@gmail.com>
Co-authored-by: Peter Hoeg <peter@hoeg.com>
Co-authored-by: ElXreno <elxreno@gmail.com>
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.
The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
avaliable.
This commit aims to following the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.
Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.
Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.
The generation and validation of the configration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.
A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.
[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
Required as visible in the lightdm tests:
> Error updating user /org/freedesktop/Accounts/User1001: GDBus.Error:org.freedesktop.Accounts.Error.PermissionDenied: Not authorized: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.PolicyKit1 was not provided by any .service files
Empty parantheses are not supported in regular expressions on
Darwin/macOS. The old regular expression produces an error during
evaluation. This commit fixes that.
Nix‘s `builtins.match` works with extend POSIX regular expressions. The
specification for these regular expression states[^1] that the result
for a left paranthesis immediately followed by a right paranthesis
outside of a bracket expression is undefined.
[^1]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04_03
Tor waits ShutdownWaitLength seconds (30s by default) before actually shutting down. Since the systemd timeout is also set to 30 seconds, this results in a race condition that ends up killing Tor most of the time on my machine during shutdown.
To fix this, add the ShutdownWaitLength setting and tell systemd to wait 30 seconds more than that.
Arch Linux also has `TimeoutSec` set to 60 seconds: 6df716fe19/trunk/tor.service.
`register_new_matrix_user` is a script provided by the matrix-synapse
package to create a new matrix user on the command line.
This commit provides a wrapper around `register_new_matrix_user` that
automatically passes the url (and `registration_shared_secret`, if
present) as CLI arguments.
- regenerate everything
- hardcode to build with node 14 (upstream doesn't support 16 yet)
- remove optional deps to make things build without python2
- set HOME in service environment to prevent crashing
Changes in node-*.nix are autogenerated.
Update the example config to show a working example for xmonad 0.17.0, which
added an argument to the `launch` function and adjusted the location of the
recompiled binary.
Since release 1.18.4, the ModemManager daemon no longer automatically
performs the FCC unlock procedure by default. The user must, under their
own responsibility, enable the automatic FCC unlock as shipped by
ModemManager.
Webclient only allows serving a web directory under /_matrix/client
This only incentivizes running the client under the same domain as the homeserver.
Which is not recommended due to CORS.
Add a new type, inheriting 'types.str' but checking whether the value
doesn't contain any newline characters.
The motivation comes from a problem with the
'users.users.${u}.openssh.authorizedKeys' option.
It is easy to unintentionally insert a newline character at the end of a
string, or even in the middle, for example:
restricted_ssh_keys = command: keys:
let
prefix = ''
command="${command}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding
'';
in map (key: "${prefix} ${key}") keys;
The 'prefix' string ends with a newline, which ends up in the middle of
a key entry after a few manipulations.
This is problematic because the key file is built by concatenating all
the keys with 'concatStringsSep "\n"', with result in two entries for
the faulty key:
''
command="...",options...
MY_KEY
''
This is hard to debug and might be dangerous. This is now caught at
build time.
This commit introduces a new option
`services.nextcloud.nginx.recommendedHttpHeaders` that can be used to
optionally disable serving recommended HTTP Response Headers in nginx.
This is especially useful if some headers are already configured
elsewhere to be served in nginx and thus result in duplicate headers.
Resolves#120223
The `extraConfig` parameter only handles text - it doesn't support
arbitrary secrets and, with the way it's processed in the setup
script, it's very easy to accidentally unescape the echoed string and
run shell commands / feed garbage to bash.
To fix this, implement a new option, `config`, which instead takes a
typed attribute set, generates the `.env` file in nix and does
arbitrary secret replacement. This option is then used to provide the
configuration for all other options which change the `.env` file.
When upgrading bookstack, if something in the cache conflicts with the
new installation, the artisan commands might fail. To solve this, make
the cache lifetime bound to the setup service. This also removes the
`cacheDir` option, since the path is now handled automatically by
systemd.
Commit 9a5b5d9fe8 added Haskell
dependencies (GHC and packages) to the xmonad binary's environment even
if xmonad had been preconfigured (via the "config" option). The intent
was to enable one-off recompiling using a local config file (e.g.
~/.config/xmonad/xmonad.hs), so the user can get quick feedback while
developing their config.
While this works, it may not be a common use-case, and it requires some
careful crafting in xmonad.hs itself. On top of that, it significantly
increases the size of the closure.
Given all that, commit b69d9d3c23 removed
GHC and packages from the binary's environment.
But there are still those among us who want to be able to recompile from
a preconfigured xmonad, so let's provide a way to opt-into configured
recompilation.
network.target is reached earlier, but with much fewer services
available. DNS is likely to be not functional before
network-online.target, so waiting for that seems better for that reason
alone. the existing backends for network-online.target all seem to do
reasonable things (wait until all links are in *some* stable state), so
we shouldn't lose anything from waiting.
Instead of referencing all library functions through `lib.` and
builtins through `builtins.` at every invocation, inherit them into
the appropriate scope.
The module option type `nonEmptyStr` was introduced in commit
a3c5f0cba8
The tsm modules previously simply used
`strMatching ".+"` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
This enables some systemd sandboxing
options for the `tsm-backup.service`.
Those settings have been determined by expermentation.
This commit tries hard to protect the filesystem from
write access, but not to hide anything from read access,
so users can backup all files they choose to backup.
An exception are API filesystems (`/dev`, `/proc`, `/sys`):
As their "files" are not stored on persistent storage,
they are sandboxed away as much as possible.
Note that the service still has to run with root
privileges to reach files with limited access permissions.
The obvious alternative to use a dedicated user account and
the `CAP_DAC_READ_SEARCH` capability to permit system-wide
read access while blocking write access does not work.
Experiments have shown that `dsmc` verifies access permissions
for each file before attempting to open it for reading.
Hence `dsmc` refuses to copy files where the file permission
mode blocks read access -- even if process capabilities
would allow it to proceed irrespective of permissions.
Use systemd's LoadCredential mechanism to make the secret files
available to the service.
This gets rid of the privileged part of the ExecPreStart script which
only served to copy these files and assign the correct
permissions. There's been issues with this approach when used in
combination with DynamicUser, where sometimes the user isn't created
before the ExecPreStart script runs, causing the error
install: invalid user ‘keycloak’
This should fix that issue.
Unfortunately, all of the ExecPreStart script had to be moved to
ExecStart, since credentials aren't provided to ExecPreStart. See
https://github.com/systemd/systemd/issues/19604.
This together with extraConfig:
{
"subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true;
"subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true;
}
Allows to run Keycloak behind a reverse proxy that provides
X-Forwarded-* headers.
Allow update commands in the script to be ordered using `mkOrder`.
If we encounter ordered sub-objects we sort them by priority.
To implement this we now explicitly pass current node in `recurse`,
which also allows us to clean up edge case for top-level node.
Also refactor `recurse` to avoid passing result text argument; we
weren't tail recursive before anyway.
Still actively developed and yet stuck on python2. Also marked as
vulnerable and their issue tracker contains yet another security issue
reported in 2021/10 that the upstream hasn't acknowledged yet.
Mind blown.
Closes: #135543, #97274, #97275
It turns out it's actually possible to fall back to WPA2 in case the
authentication fails with WPA3. This was suggested to me in the hostapd
mailing list: add another network block with only WPA2 and lower
priority, for each network with WPA3. For clients with missing/broken
WPA3, wpa_supplicant will:
1. try the network block with higher priority first
2. fail and temporarily disable the network block
3. try the fallback network block and connect
This takes a little more time (still <5s) because wpa_supplicant
retries a couple times before disabling the network block, but it allows
old client to gracefully fall back to WPA2 on mixed WPA2/WPA3 networks.
To avoid downgrade attacks, clients with proper WPA3 should disable
this; in the future we may want to disable this option by default.
The Intel SGX DCAP driver makes the SGX application enclave device and
the SGX provisioning enclave available below the path `/dev/sgx/`. Since
Linux 5.11, a derivation of the DCAP driver is part of the kernel and
available through the X86_SGX config option; NixOS enables this option
by default.
In contrast to the out-of-tree DCAP driver, the in-tree SGX driver uses
a flat hierarchy for the SGX devices resulting in the paths
`/dev/sgx_enclave` for the application enclave device and
`/dev/sgx_provison` for the provisioning enclave device.
As of this commit, even the latest version of the Intel SGX PSW
libraries still tries to open the (legacy) DCAP paths only. This means
that SGX software currently cannot find the required SGX devices even if
the system actually supports SGX through the in-tree driver. Intel wants
to change this behavior in an upcoming release of intel/linux-sgx.
Having said that, SGX software assuming the SGX devices below
`/dev/sgx/` will prevail. Therefore, this commit introduces the NixOS
configuration option `hardware.cpu.intel.sgx.enableDcapCompat` which
creates the necessary symlinks to support existing SGX software. The
option defaults to true as it is currently the only way to support SGX
software. Also, enabling the SGX AESM service enables the option.
The permissions of the devices `/dev/sgx_enclave` and
`/dev/sgx_provison` remain the same, i.e., are not affected regardless
of having the new option enabled or not.
This option makes the complete netdata configuration directory available for
modification. The default configuration is merged with changes
defined in the configDir option.
Co-authored-by: Michael Raitza <spacefrogg-github@meterriblecrew.net>
During working on #150837 I discovered that `google-oslogin` test
started failing, and so did some of my development machines. Turns out
it was because nscd doesn't start by default; rather it's wanted by
NSS lookup targets, which are not always fired up.
To quote from section on systemd.special(7) on `nss-user-lookup.target`:
> All services which provide parts of the user/group database should be
> ordered before this target, and pull it in.
Following this advice and comparing our unit to official `sssd.service`
unit (which is a similar service), we now pull NSS lookup targets from
the service, while starting it with `multi-user.target`.
This is a useful utility for monitoring network performance over time
using a combination of MTR and Prometheus. Also adding a service definition.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Alternative solution to PR #152443.
This fixes authentication failures to WPA3 networks (issue #151729)
by enabling protected management frames.
Note: old client without 802.11w support will still fail.
When startWhenNeeded is enabled, a brute force attack on sshd will cause
systemd to shut down the socket, locking out all SSH access to the machine.
Setting TriggerLimitIntervalSec to 0 disables this behavior.
In https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/merge_requests/153
the user target names for GSD components has been renamed for example
from `gsd-a11y-settings.target` to `org.gnome.SettingsDaemon.A11ySettings.target`,
and nowadays `gsd-*.target` are just symbolic links of `/dev/null` and will be
removed in the future.
At the same time, as mentioned in d27212d466,
we are adding `systemd.user.targets.<name>.wants` stuff here only because
systemd.packages doesn't pick the .wants directories. Nowadays those GSD components
are managed in `/etc/systemd/user/gnome-session@gnome.target.d/gnome.session.conf`
so it should be safe to remove them.
In this commit we also try to pick up those new .wants directories, see also
https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/blob/41.0/plugins/meson.build#L57
Result of `cd /nix/store/iqzy2a6wn9bq9hqx7pqx0a153s5xlnwp-gnome-settings-daemon-41.0; find | grep wants`:
```
./share/systemd/user/gnome-session-x11-services-ready.target.wants
./share/systemd/user/gnome-session-x11-services-ready.target.wants/org.gnome.SettingsDaemon.XSettings.service
./share/systemd/user/gnome-session-x11-services.target.wants
./share/systemd/user/gnome-session-x11-services.target.wants/org.gnome.SettingsDaemon.XSettings.service
```
Result of `cd /nix/store/armzljlnsvc1gn0nq0bncb9lf8fy32zy-gnome-settings-daemon-3.34.0; find | grep wants`:
```
./lib/systemd/user/gnome-session-initialized.target.wants
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-a11y-settings.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-color.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-datetime.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-power.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-housekeeping.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-keyboard.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-media-keys.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-screensaver-proxy.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-sharing.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-sound.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-smartcard.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-wacom.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-print-notifications.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-rfkill.target
./lib/systemd/user/gnome-session-initialized.target.wants/gsd-wwan.target
./lib/systemd/user/gnome-session-x11-services.target.wants
./lib/systemd/user/gnome-session-x11-services.target.wants/gsd-xsettings.target
```
This never configured where SNI should log to, as it's up to the user to
provide the full sniproxy config (which can be configured to log to a
file).
This option only produced a ExecStartPre script that created the folder.
Let's use LogsDirectory to create it. In case users want to use another
directory for logs, they can override LogsDirectory or set their own
ExecStartPre script.
The systemd syntax is suprising to me, but I suppose it's worth being
compatible as people might be sharing it with other modules.
Our regexp is lenient on IPv6 address part, so this is actually
backwards compatible (i.e. you can put the scope at either place).
3a1e1f0624 adds a poststart script that
checks if ES successfully started by curling the HTTP endpoint. On nodes with a lot of data or slower disks,
this might take longer than the default systemd startup timeout of 90 seconds.
dhcpcd does not run properly with some of the hardened system mallocs
that are currently available. assert when an incompatible configuration
is detected, as a switch into such a config from eg auto-update can take
hosts offline.
tracker looks in its directory tree for executable files
to make available as subcommands. Users expect to find subcommands
from tracker-miners package but that fails as they are in different
tree. We also cannot change the lookup path since tracker-miners
also depends on a library from tracker package.
Until we can break the dependency cycle on package level:
tracker -> tracker-miners -> tracker-sparql (tracker)
we need to work around it. I chose to set an environment
variable that overrides the subcommands lookup to a tree
symlinking files from both packages in GNOME NixOS module.
https://gitlab.gnome.org/GNOME/tracker/-/issues/341
Fixes: https://github.com/NixOS/nixpkgs/issues/153378
When `privateRepos = true`, the service will not start if the `.htpasswd` does not exist.
Use `systemd-tmpfiles` to autocreate an (empty) file to ensure the service can boot
before actual `htpasswd` contents are registered.
This is safe as restic-rest-server will deny all entry if the file is empty.
link to search.nixos.org instead of pulling package metadata out of pkgs. this
lets us cache docs of a few more modules and provides easier access to package
info from the HTML manual, but makes the manpage slightly less useful since
package description are no longer rendered.
most modules can be evaluated for their documentation in a very
restricted environment that doesn't include all of nixpkgs. this
evaluation can then be cached and reused for subsequent builds, merging
only documentation that has changed into the cached set. since nixos
ships with a large number of modules of which only a few are used in any
given config this can save evaluation a huge percentage of nixos
options available in any given config.
in tests of this caching, despite having to copy most of nixos/, saves
about 80% of the time needed to build the system manual, or about two
second on the machine used for testing. build time for a full system
config shrank from 9.4s to 7.4s, while turning documentation off
entirely shortened the build to 7.1s.
Sometimes it is preferable to configure forwarding only for bind
instead of relying on direct lookups.
This patch makes it possible to configure the forward setting to
either "first" (the default) or "only".
One use case for Mattermost configuration is doing a "mostly
mutable" configuration where NixOS module options take priority
over Mattermost's config JSON.
Add a preferNixConfig option that prefers configured Nix options
over what's configured in Mattermost config if mutableConfig is set.
Remove the reliance on readFile (it's flake incompatible) and use
jq instead.
Merge Mattermost configs together on Mattermost startup, depending
on configured module options.
Write tests for mutable, mostly mutable, and immutable configurations.
Before this fix, if the listenAddress is set to something else than 127.0.0.1,
the service fails to detect that Elasticsearch has properly started and stop.
this set almost certainly shouldn't be touched by users, nor listed in
the manual. make it internal and use it only through the option path to
make clear that this should not be modified.
Other services such as minecraft-server and plex allow configuration of
the dataDir option, allowing the files stored by each service to be in a
custom location.
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
Does not set MemoryDenyWriteExecute as OpenJDK need to mark memory page as
executable. Does not set ProcSubset as /proc/cpuinfo and /proc/meminfo
are needed.
This commit introduces `services.adguardhome.settings` and
`services.adguardhome.mutableSettings`.
The first option allows declarative configuration of
AdGuard Home, while the second one controls whether changes
made in the web interface are kept between service restarts.
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
It breaks something inside of influxdb2, which results in flurry of errors like these:
> ts=2021-12-21T18:19:35.513910Z lvl=info msg="Write failed" log_id=0YZYwvV0000 service=storage-engine service=write shard=50 error="[shard 50] unlinkat ./L1-00000055.tsi: read-only file system"
I believe this is somehow caused by a mount namespace that systemd creates for
the service, but I didn't investigate this deeper.
Fix a typo in the kea-dhcp-ddns-server unit definition, and add a
KEA_LOCKFILE_DIR environment variable without which kea daemons try to
access a lockfile under /var/run/kea path, which is prevented by
systemd's ProtectSystem (or one of the other Protect*) mechanism.
kea-dhcp-ddns-server doesn't react to updates from dhcp4 server at all
without it.
- Added defaultText for all inheritable options.
- Add docs on using new defaults option to configure
DNS validation for all domains.
- Update DNS docs to show using a service to configure
rfc2136 instead of manual steps.
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.
With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.
The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
One of the valid values for the fan speed is "level disengaged",
however, it is represented as "level disengage" and does not match
what thinkfan expects.
When accessing the Audit log, I get an HTTP 502 when the frontend
requests `/audit` and I get the following error in my `nginx`-log:
Dec 20 22:12:48 ldap nginx[336]: 2021/12/20 22:12:48 [error] 336#336: *8421 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.237.0.1, server: _, request: "GET /audit/?action=**&action_detail=**&administrator=**&client=**&date=**&duration=**&info=**&page=1&page_size=10&policies=**&privacyidea_server=**&realm=**&resolver=**&serial=**&sortorder=desc&startdate=**&success=**&tokentype=**&user=** HTTP/1.1", upstream: "uwsgi://unix:/run/privacyidea/socket:", host: "ldap.ist.nicht-so.sexy", referrer: "https://ldap.ist.nicht-so.sexy/"
This is because of an "invalid request block size"-error according to
`journalctl -u privacyidea.service`:
Dec 20 22:12:48 ldap uwsgi[10721]: invalid request block size: 4245 (max 4096)...skip
Increasing the buffer to 8192 fixes the problem for me.
openFirewall is the much more common name for an option with this
effect. since the default was `true` all along, renaming it doesn't hurt
much and only improves consistency with other modules.
- Add the migrations directory to the package
- Add postgres support to the package
- Add a service for powerdns-admin
Co-authored-by: Zhaofeng Li <hello@zhaofeng.li>
Snapserver expects the arguments `--tcp.bind_to_address` and
`--http.bind_to_address` instead of the `--tcp.address` (and http
equivalent) versions.
This caused the process to listen on `0.0.0.0` (for TCP and HTTP
sockets) regardless of the configuration value. It also never listend on
the IPv6 address `::` as our module system made the user believe.
This commit fixes the above issue and ensures that (at least for the TCP
socket) that our default `::` does indeed allow connections via IPv6
(to localhost aka ::1).
* elk7: 7.11.1 -> 7.16.1
* nixosTests.elk: Improve reliability and compatibility with ELK 7.x
- Use comparisons in jq instead of grepping
- Match for `.hits.total.value` if version >= 7, otherwise it always
passes
- Make curl fail if requests fails
* nixos/filebeat: Add initial module and test
Filebeat is an open source file harvester, mostly used to fetch logs
files and feed them into logstash.
This module can be used instead of journalbeat if used with
`filebeat7` and configured with the `journald` input.
* python3Packages.parsedmarc.tests: Fix breakage
- Don't use the deprecated elasticsearch7-oss package
- Improve jq query robustness and add tracing
* rl-2205: Note the addition of the filebeat service
* elk6: 6.8.3 -> 6.8.21
The latest version includes a fix for CVE-2021-44228.
* nixos/journalbeat: Add a loose dependency on elasticsearch
Avoid unnecssary back-off when elasticsearch is running on the same
host.
* It's IMHO a slight overkill to deploy an additional container even if
it's never supposed to be running. Also, the currently suggested
approach wouldn't use the default state-directory for the new version.
* Explain the structure of the state-directories and where the
version-numbers are actually coming from.
* Mention `./analyze_new_cluster.sh` & `./delete_old_cluster.sh`.
unfortunately we don't have a good way to represent defaults that
reference other values of the current submodule, so we just use the
relative path of the referenced value and assume that the submodule was
declared as `rec`.
instead of keeping a defaultConfig value around, set that value as the
default of the option and explicitly use the option default instead.
this also allows us to write a defaultText that makes sense and is in
proximity to the definition of the default.
some options have default that are best described in prose, such as
defaults that depend on the system stateVersion, defaults that are
derivations specific to the surrounding context, or those where the
expression is much longer and harder to understand than a simple text
snippet.
escape interpolations in descriptions where possible, replace them with
sufficiently descriptive text elsewhere. also expand cfg.* paths in
descriptions.
adds defaultText for all options that use `cfg.*` values in their
defaults, but only for interpolations with no extra processing (other
than toString where necessary)
the kubernetes modules cross-reference their config using an additional shortcut
binding `top = config.services.kubernetes`, expand those to defaultText like
`cfg` previously.
This reverts commit 6af3d13bec.
Reported by @arcnmx
(https://github.com/NixOS/nixpkgs/pull/148179#issuecomment-987197656):
Does this not completely break the service? It doesn't change the
owner to the same as the ddclient server (which is somewhat difficult
due to it being a DynamicUser), so this now makes the service
completely unusable because the config is only readable by its owner,
root:
ddclient[871397]: WARNING: file /run/ddclient/ddclient.conf: Cannot open file '/run/ddclient/ddclient.conf'. (Permission denied)
Given that the RuntimeDirectory was only readable by the ddclient
service, the warning this PR fixes was spurious and not indicative of
an actual information leak. I'm not sure of what a quick fix would be
due to DynamicUser, but would at least request a revert of this so the
service can work again?
Instead of patching the path to /public in Discourse's sources, make
the nginx configuration refer to the symlink in the discourse
package which points to the real path.
When there is a mismatch between the path nginx serves and the path
Discourse thinks it serves, we can run into issues like files not
being served - at least when sendfile requests from the ruby app are
processed by nginx. The issue I ran into most recently is that backup
downloads don't work.
Since Discourse refers to the public directory relative to the Rails
root in many places, it's much easier to just sync this path to the
nginx configuration than trying to patch all occurrences in the
sources. This should hopefully mean less potential for breakage in
future Discourse releases, too.
While upgrading my NixOS system I was greeted by this error:
error:
Failed assertions:
- users.users.collectd.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.collectd.group = "collectd";
users.groups.collectd = {};
Let's fix it.
Otherwise, `postfix_up{path="/var/lib/postfix/queue/public/showq"}` will
always be `0` indicating an postfix outage because this is a unix domain
socket that cannot be connected to:
2021/12/03 14:50:46 Failed to scrape showq socket: dial unix /var/lib/postfix/queue/public/showq: socket: address family not supported by protocol
Also, add support for updating plugins which keep gem versions in
files at the root of the repo (discourse-prometheus) and replace the
`up-plugin.sh` script with a README file pointing to the plugin
packaging documentation.
This commit changes how we deal with the current token, i.e., the token
which may exist from a previous runner registration, and the configured
token, i.e., the path set for the respective NixOS configuration option.
Until now, we copied the configured and the current token (if any) to
the runtime directory to compare them. The path of the current token may
reference a file which is only accessible to specific users (even only
root). Therefore, we ran the copying of credentials with elevated
privileges by prefixing the `ExecStartPre=` script with a `+` (see
systemd.service(5)). In this script, we also changed the owner of the
files to the service user. Apparently, however, the user/group pair
sometimes did not exist because we use `DynamicUser=`.
To address this issue, we no longer change the owner of the file.
Instead, we change the file permissions to 0666 to allow the runner
configuration script (runs with full sandboxing) to read-write the file.
Due to the current permissions of the runtime directory (0755), this
would expose the token. Therefore, we process the tokens in the state
directory, which is only accessible to the service user.
If a new token file exists in the state directory, the configuration
script should trigger a new runner registration. Afterward, it deletes
the new token file. The token is still available using the path of the
current token which is inaccessible within the service's sandbox.
Previously the extraComponents added to an overriden package would not
have been considered in hardening measures enforced by the module.
Home Assistant is warning the user about component definitions having
moved away from YAML, so using an override to include support for a
component might become the better way moving forward.
dhdpcd 9 support privilege separation with a dedicated user and seccomp
filtering. this has been enabled for a while in other distributions as
well.
if the dhcpcd module is not used and the _dhcpcd user/group isn't
definied otherwise dhcpcd will fall back to not using privsep.
by @erictapen:
- Removed note about testing and moved it to passthru.tests
- Removed patch, as it is probably the same as
56b2bb17d2ec67e1f93950944211f6cf8c40e0fb, wich landed in upstream.
other changes:
- changed PIDFile in the module, since dhcpcd 9 changed the location
