The Nix-provided `nix-daemon.socket` file has a
> ConditionPathIsReadWrite=/nix/var/nix/daemon-socket/socket
line, to skip that unit if /nix/var/nix/daemon-socket/socket is
read-only (which is the case in some nixos-containers with that folder
bind-ro-mounted from the host).
In these cases, the unit was skipped.
Systemd 250 (rightfully) started to also skip in these cases:
> [ 237.187747] systemd[1]: Nix Daemon Socket was skipped because of a failed condition check (ConditionPathIsReadWrite=/nix/var/nix/daemon-socket).
However, systemd < 250 didn't skip if /nix/var/nix/daemon-socket/socket
didn't /exist at all/, and we were relying on this bug in the case for
fresh NixOS systems, to have /nix/var/nix/daemon-socket/socket created
initially.
Move the creation of that folder to systemd-tmpfiles, by shipping an
appropriate file in `${nixPackage}/lib/tmpfiles.d/nix-daemon.conf`
(NixOS/nix#6285).
In the meantime, set a systemd tmpfiles rule manually in NixOS.
This has been tested to still work with read-only bind-mounted
/nix/var/nix/daemon-socket/socket in containers, it'll keep them
read-only ;-)
For now at least. I expect someone will find a working type later.
It's incorrect and was causing bad issues. Example test case:
nix-instantiate nixos/release.nix -A tests.xfce.x86_64-linux --dry-run
This is a partial revert of commit b2d803c from PR #162271.
Add an exception to the `paperless-ng-server` service's
`SystemCallFilter` as the `mbind` syscall is needed when consuming a
document while having a classification model present.
Since b9cfbcafdf, the lack of hexdump in
the closure lead to the generation of empty cookie files. This empty
cookie file is making pleroma to crash at startup now we correctly
read it.
We introduce a migration forcing these empty cookies to be
re-generated to something not empty.
We inject the release cookie path to the pleroma derivation in order
to wrap pleroma_ctl with it. Doing this allows us to remove the
systemd-injected RELEASE_COOKIE path, which was sadly
buggy (RELEASE_COOKIE should point to the *content* of the cookie, not
the file containing it).
We take advantage of this to factor out the cookie path.
Now, one can just use `networking.networkmanager.plugins = lib.mkForce [];`
if they want to get rid of the plug-ins.
Co-authored-by: lassulus <lassulus@lassul.us>
Fixes race conditions like this:
> systemd[1]: Started prometheus-kea-exporter.service.
> kea-exporter[927]: Listening on http://0.0.0.0:9547
> kea-exporter[927]: Socket at /run/kea/dhcp4.sock does not exist. Is Kea running?
> systemd[1]: prometheus-kea-exporter.service: Main process exited, code=exited, status=1/FAILURE
If `services.tor.client.enable` is set to false (the default), the `SOCKSPort` option is not added to the torrc file but since Tor defaults to listening on port 9050 when the option is not specified, the tor client is not actually disabled. To fix this, simply set `SOCKSPort` to 0, which disables the client.
Use `mkForce` to prevent potentially two different `SOCKSPort` options in the torrc file, with one of them being 0 as this would cause Tor to fail to start. When `services.tor.client.enable` is set to false, this should always be disabled.
When `services.resolved.enable` is set to true, the file /etc/resolv.conf becomes a symlink to /etc/static/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf. Without this commit, tor does not have access to this file thanks to systemd confinement. This results in the following warning when tor starts:
```
[warn] Unable to stat resolver configuration in '/etc/resolv.conf': No such file or directory
[warn] Could not read your DNS config from '/etc/resolv.conf' - please investigate your DNS configuration. This is possibly a problem. Meanwhile, falling back to local DNS at 127.0.0.1.
```
To fix this, simply allow read-only access to the file when resolved is in use.
According to https://github.com/NixOS/nixpkgs/pull/161818#discussion_r824820462, the symlink may also point to /run/systemd/resolve/resolv.conf, so allow that as well.
Without this fix, evaluating a NixOS configuration with Tomcat enabled and the
default settings results in the following evaluation error:
Failed assertions:
- users.users.tomcat.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.tomcat.group = "tomcat";
users.groups.tomcat = {};
We spent a whole afternoon debugging this, because upstream has very
bad software quality and the error messages were incredibly
misleading.
So let’s document it for the sanity of other people.
Btw, I think the implementation of our module is pretty brittle,
especially the part about diffing tokens to check whether they
changed. We should rather just request a new builder registration
every time, it’s not that much overhead, and always set `replace` so
it is idempotent.
Currently, default options for media-session are empty, making it harder
to adapt them without fully overwriting them. This commit sets these
defaults to the content of the JSON files provided with media-session.
This adds an option `services.taskserver.openFirewall` to allow the user
to choose whether or not the firewall port should be opened for the
service. This is no longer the case by default.
See also https://github.com/NixOS/nixpkgs/issues/19504.
This fixes the following issues with the database provisioning script
included in the services.keycloak module:
- It lacked permission to access the DB password file specified in the
module option 'services.keycloak.database.passwordFile'.
- It prevented Keycloak from starting after the second time if the user
chose MySQL for the database.
Update version to 1.4.231.
Build 231 points to a specific commit from the 1.4.x branch adding many
fixes and improvements. Since this version is an unofficial release, add
an unstable prefix to the version string in Nixpkgs.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Signed-off-by: Franz Pletz <fpletz@fnordicwalking.de>
logrotate.timer is enough for rotating logs. Enabling logrotate.service would
make the service start on every configuration switch, leading to tests failure when
logrotate is enabled.
Also update test to make sure the timer is active and runs the service
on date change.
https://github.com/ipfs/fs-repo-migrations/releases/tag/v2.0.2
This is pretty much a complete rewrite of the ipfs-migrator package.
In version 2.0.0 a major change was made to the way the migrator works. Before, there was one binary that contained every migration. Now every migration has its own binary. If fs-repo-migrations can't find a required binary in the PATH, it will download it off the internet. To prevent that, build every migration individually, symlink them all into one package and then wrap fs-repo-migrations so it finds the package with all the migrations.
The change to the IPFS NixOS module and the IPFS package is needed because without explicitly specifying a repo version to migrate to, fs-repo-migrations will query the internet to find the latest version. This fails in the sandbox, for example when testing the ipfs passthru tests.
While it may seem like the repoVersion and IPFS version are in sync and the code could be simplified, this is not the case. See https://github.com/ipfs/fs-repo-migrations#when-should-i-migrate for a table with the IPFS versions and corresponding repo versions.
Go 1.17 breaks the migrations, so use Go 1.16 instead. This is also the Go version used in their CI, see 3dc218e300/.github/workflows/test.yml (L4). See https://github.com/ipfs/fs-repo-migrations/pull/140#issuecomment-982715907 for a previous mention of this issue. The issue manifests itself when doing anything with a migration, for example `fs-repo-11-to-12 --help`:
```
panic: qtls.ClientHelloInfo doesn't match
goroutine 1 [running]:
github.com/marten-seemann/qtls-go1-15.init.0()
github.com/marten-seemann/qtls-go1-15@v0.1.1/unsafe.go:20 +0x132
```
Also add myself as a maintainer for this package.
This fixes the test failure discovered in https://github.com/NixOS/nixpkgs/pull/160914.
See https://github.com/ipfs/fs-repo-migrations/issues/148 to read some of my struggles with updating this package.
The argument parser used by snapserver behaves differntly for optional
arguments with existing defaults. In such cases, the standalone argument
name is a valid input and a following value is interpreted as a
positional argument. Therefore the argument and the value must be
provided as a single argument seperated by equals sign.
Overriding can now happen using module options, which is preferred
because it is more discoverable and doesn't require knowledge of
overrides in the first place.
While the documentation said to set this to null, in case an imperative
config was supposed to be used, this was not possible with the typing in
place.
As `nix-daemon.service` does not make use of `ExecStop`, we prefer
to keep the socket up and available. This is important for machines
that run Nix-based services, such as automated build, test, and deploy
services, that expect the daemon socket to be available at all times.
See committed inline comment for further explanation.
New ntopng version supports running as specified user. Create a separate
user for ntopng with a separate Redis instance.
Separate instance is only used for new `system.stateVersion`s to avoid
breaking existing setups. To configure that we add two new options,
`redis.address` and `redis.createInstance`. They can also be used to
specify your own Redis address.
fixes#158802
Sets the mysql backup systemd service type to "oneshot" to ensure the
service is marked as started after the backup script fully proceeds. This
allows to reliably depend on completing of this service by other services.
Database provisioning was shown to be racy since adding a recorder test
using PostgreSQL. There is no harm in waiting for these services,
because if they're not available they will be ignored.
It simply should not be required to override the package for such a
common use case, especially since the module usually adds another
override on top to inherit extraComponents.
After this change users with non-declarative configs need to set
`services.home-assistant.config` to an `null`, or their
`configuration.yaml` will be overwritten.
The reason for this is that with rfc42 style defaults the config
attribute set will never be empty by default.
If people take the time to setup network-online.target correctly we
should wait for it. If they don't it's basically the same as
network.target anyway, so no harm done.
Over time I've seen multiple integrations that have dealt badly with
missing network connectivity at startup, this should alleviate further
pains.
The given example is now closer to a sane default people will want to
start with. It also displays the existance of extraComponents, a feature
that will receive more usage with home-assistant warning about
components that have completely migrated away from YAML configuration.
--port and --address have both been deprecated and are nonfunctional
starting with kubernetes 1.23. Use --secure-port and --bind-address
instead. This means that users can no longer rely on the insecure port
for anything, so update the release notes accordingly.
The `substituters` option in `nix.settings` uses the order
of the substituters listed to define priority. Prior to https://github.com/NixOS/nixpkgs/pull/139075,
the corresponding option `binaryCaches` is declared in the `nix` namespace,
which is guaranteed to be merged last. However, the order of merging isn't
guaranteed in submodules. This cause definitions to be appended to the default
value instead of prepended, breaking backwards compatibility as reported in https://github.com/NixOS/nixpkgs/issues/158356.
The way this is addressed in the module system is with order priorities via
`mkOrder` and sorting definitions before merging. This PR restores the previous
behavior by setting a higher priority to the substituters option defined internally,
thus all definitions with default priority will be merged before it. This was chosen because
the `mkRenamedOption` function does not preserve order priority so users using legacy options do not have
precise control on placement.
This change should suffice for simple configuration, but further revision to the module system
is needed for to make various `mk*` functions aware of order priorities.
logrotate global options only affect rules following them - as such,
services.logrotate.extraConfig being added last makes the option only
useful for adding new paths but not for setting global options (e.g.
'dateext' so all logs are rotate with a date suffix).
Moving this first solves this problem, and we can then use this instead
of default paths config to append missingok/notifempty.
wtmp and btmp are created by systemd, so the rules are more appropriate there.
They can be disabled explicitly with something like
services.ogrotate.paths = {
"/var/log/btmp".enable = false;
"/var/log/wtmp".enable = false;
};
if required.
In #139075, mandatoryFeatures was removed from the generated
supportedFeatures, which breaks backward compatibility and is
different from what the description of supportedFeatures says.
The module option type `nonEmptyStr` was introduced in commit
a3c5f0cba8
The hylafax module previously simply used
`addCheck str (s: s!="")` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
If a secret path is a subset of a second secret path, there's a risk
that its secret is substituted for the matching part of the second
path. To prevent this, use the sha256 of the paths as placeholder
string instead.
I think calling i2pd directly in `ExecStart` is much nicer than having an extra shell script for no reason. It's also easier to see what's going on when looking at the generated systemd unit file.
* make slurmd depend on network target to ensure basic networking
is available on startup. This fixes behaviour
where slurmd fails with "error: get_addr_info: getaddrinfo() failed".
* Use tmpfiles.d to ensure spool directory exists on start up.
Fail scripts on pipeline errors and propagate subshell errors.
If an error occurs in a subshell, including while trying to read a
secret file, we want that error to propagate to the main shell
context. That means we have to set the `inherit_errexit` option, which
allows errors from subshells to propagate to the outer shell. Also,
the subshell cannot run as part of another command, such as `export`,
since that will simply ignore the subshell exit status and only
respect `export`s exit status; first assigning the value to a variable
and then exporting it solves issue.
* nixos/nftables: Allow use with iptables
Since iptables and nftables do not actually conflict with each other, there's no real reason to artificially prevent people from combining them.
In fact, this practice is known to cause issues like #88643, which is fixed by this commit.
