As of systemd/systemd@e908434458,
systemd-networkd now automatically configures routes to addresses
specified in AllowedIPs unless explicitly disabled with
"RouteTable=off".
As a novice to using this module, I found the existing description to be
quite misleading. It does not at all disable pulling from the registry,
it just loads some image archive that may or may not be related to the
container you're specifying. I had thought there was extra magic behind
this option, but it's just a `docker load`. You need foreknowledge of
the contents of the archive so that whatever it contained is actually
used to run the container.
I've reworded the description to hopefully make this behavior clearer.
This bug is so obscure and unlikely that I was honestly not able to
properly write a test for it. What happens is that we are calling
handleModifiedUnit() with $unitsToStart=\%unitsToRestart. We do this to
make sure that the unit is stopped before it's started again which is
not possible by regular means because the stop phase is already done
when calling the activation script.
recordUnit() still gets $startListFile, however which is the wrong file.
The bug would be triggered if an activation script requests a service
restart for a service that has `stopIfChanged = true` and
switch-to-configuration is killed before the restart phase was run. If
the script is run again, but the activation script is not requesting
more restarts, the unit would be started instead of restarted.
We spent a whole afternoon debugging this, because upstream has very
bad software quality and the error messages were incredibly
misleading.
So let’s document it for the sanity of other people.
Btw, I think the implementation of our module is pretty brittle,
especially the part about diffing tokens to check whether they
changed. We should rather just request a new builder registration
every time, it’s not that much overhead, and always set `replace` so
it is idempotent.
Some systems should not be rebooted at just any time. If the upgrade process takes too long, for instance because of a
slow internet connection, or if the upgrade service is ran during production hours, we want to allow to define a window
outside of which a reboot will not be performed.
The system will then reboot on the next run of the upgrade service which finishes inside the reboot window.
E.g. we can run the update service twice per week, once during the night and once during the day, but reboots are only
allowed during the night. By doing so, a system that is usually shut down during the night will still receive updates
and systems that are turned on 24/7 can be rebooted outside of production hours.
Co-authored-by: Silvan Mosberger <github@infinisil.com>
zsh-autosuggestions supports having fallback strategies expressed
through the ZSH_AUTOSUGGEST_STRATEGY array. For example,
`ZSH_AUTOSUGGEST_STRATEGY=(history completion)`. We should also support
this.
Currently, default options for media-session are empty, making it harder
to adapt them without fully overwriting them. This commit sets these
defaults to the content of the JSON files provided with media-session.
For systems without internet connections, it doesn't make sense to
require the existence of an /etc/resolv.conf file to disable
resolvconf, so let's expose networking.resolveconf.enable as a public
option that can be set to false.
When initializing a system (e.g. first boot / livecd) we have no good
reference source for time. systemd-timesyncd however would revert back
to its configured fallback time (in our case 01.01.1980). Since we
probably don't want to hardcode a specific date as fallback we are now
using the current system time (wherever that might have come from) to
initialize the reference clock file.
The only systems that might be remotely affected by this change are
machines that have highly unreliable RTCs or those where the battery
that backs the RTC is running empty.
Historically these systems always had a tough time with anything time
related and likely required manual intervention.
For stateless systems (those that wipe / between reboots or our
installer CDs) this has the consequence that time will always be reset
to whatever the system comes up with on boot. This is likely the correct
time coming from an RTC. No harm done here the situation is likely
unchanged for them.
For stateful systems (those that retain the / partition across reboots)
there shouldn't be a change at all. They'll provide an initial clock
value once on their lifetime (during first boot / after installation).
From then onwards systemd-timesyncd will update the file with the newer
fallback time (that will be picked up on the next boot).
This adds an option `services.taskserver.openFirewall` to allow the user
to choose whether or not the firewall port should be opened for the
service. This is no longer the case by default.
See also https://github.com/NixOS/nixpkgs/issues/19504.
In issue #157787 @martined wrote:
Trying to use confinement on packages providing their systemd units
with systemd.packages, for example mpd, fails with the following
error:
system-units> ln: failed to create symbolic link
'/nix/store/...-system-units/mpd.service': File exists
This is because systemd-confinement and mpd both provide a mpd.service
file through systemd.packages. (mpd got updated that way recently to
use upstream's service file)
To address this, we now place the unit file containing the bind-mounted
paths of the Nix closure into a drop-in directory instead of using the
name of a unit file directly.
This does come with the implication that the options set in the drop-in
directory won't apply if the main unit file is missing. In practice
however this should not happen for two reasons:
* The systemd-confinement module already sets additional options via
systemd.services and thus we should get a main unit file
* In the unlikely event that we don't get a main unit file regardless
of the previous point, the unit would be a no-op even if the options
of the drop-in directory would apply
Another thing to consider is the order in which those options are
merged, since systemd loads the files from the drop-in directory in
alphabetical order. So given that we have confinement.conf and
overrides.conf, the confinement options are loaded before the NixOS
overrides.
Since we're only setting the BindReadOnlyPaths option, the order isn't
that important since all those paths are merged anyway and we still
don't lose the ability to reset the option since overrides.conf comes
afterwards.
Fixes: https://github.com/NixOS/nixpkgs/issues/157787
Signed-off-by: aszlig <aszlig@nix.build>
This fixes the following issues with the database provisioning script
included in the services.keycloak module:
- It lacked permission to access the DB password file specified in the
module option 'services.keycloak.database.passwordFile'.
- It prevented Keycloak from starting after the second time if the user
chose MySQL for the database.
This effectively fixes the majority of all VM tests which were broken
because `/dev/vda` (or any other block device) wasn't mountable:
machine # mounting /dev/vda on /...
machine # mount: mounting /dev/vda on /mnt-root/ failed: No such device[ 2.820976] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
machine # [ 2.821757] CPU: 0 PID: 1 Comm: init Not tainted 5.10.72 #1-NixOS
machine # [ 2.821757] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
machine # [ 2.821757] Call Trace:
machine # [ 2.821757] dump_stack+0x6b/0x83
machine # [ 2.821757] panic+0x101/0x2c8
machine # [ 2.821757] do_exit.cold+0x14/0xb3
machine # [ 2.821757] do_group_exit+0x33/0xa0
machine # [ 2.821757] __x64_sys_exit_group+0x14/0x20
machine # [ 2.821757] do_syscall_64+0x33/0x40
machine # [ 2.821757] entry_SYSCALL_64_after_hwframe+0x44/0xa9
machine # [ 2.821757] RIP: 0033:0x7f67ec2800f6
machine # [ 2.821757] Code: 00 4c 8b 0d 2c 5d 11 00 eb 19 66 2e 0f 1f 84 00 00 00 00 00 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 22 f4 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e2 f7 d8 64 41 89 01 eb da 66 2e 0f 1f 84 00
machine # [ 2.821757] RSP: 002b:00007fff8f5a71d8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
machine # [ 2.821757] RAX: ffffffffffffffda RBX: 0000000000699704 RCX: 00007f67ec2800f6
machine # [ 2.821757] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
machine # [ 2.821757] RBP: 0000000000000004 R08: 00000000000000e7 R09: ffffffffffffff80
machine # [ 2.821757] R10: 00007f67ec33f3e0 R11: 0000000000000202 R12: 000000000000000b
machine # [ 2.821757] R13: 00007fff8f5a75a8 R14: 0000000000000000 R15: 00000000004fc198
machine # [ 2.821757] Kernel Offset: 0x31e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
machine # [ 2.821757] Rebooting in 1 seconds..
This happened because the kernel failed to load modules such as `ext4`
from `boot.initrd.availableKernelModules`[1] on e.g. a `mount(2)` syscall.
The problem is that `kmod` isn't linked against `libpthread.so.0`
anymore because it got merged into `libc.so.6` (however, the .so still
exists), but still needs it:
machine # newfstatat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib/x86_64", 0x7ffd951114c0, 0) = -1 ENOENT (No such file or directory)
machine # openat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
machine # newfstatat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib/x86_64", 0x7ffd951114c0, 0) = -1 ENOENT (No such file or directory)
machine # openat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
machine # newfstatat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib", 0x7ffd951114c0, 0) = -1 ENOENT (No such file or directory)
machine # openat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
machine # writev(2, [{iov_base="/nix/store/kdc9n48ksdc1a8y8w512w"..., iov_len=69}, {iov_base=": ", iov_len=2}, {iov_base="error while loading shared libra"..., iov_len=36}, {iov_base=": ", iov_len=2}, {iov_base="libpthread.so.0", iov_len=15}, {iov_base=": ", iov_len=2}, {iov_base="cy
machine # ) = 184
machine # exit_group(127) = ?
machine # +++ exited with 127 +++
machine # mount: mounting /dev/vda on /mnt-root/ failed: No such device
machine # [ 19.167180] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
machine # [ 19.167711] CPU: 0 PID: 1 Comm: init Not tainted 5.10.72 #1-NixOS
This is not a problem
* inside stage-1 because `LD_LIBRARY_PATH` points to `$out/lib` of
extra-utils where `libpthread.so.6` also exists.
* on a running system because `${pkgs.glibc}/lib` is part of kmod's
rpath.
However this is a problem inside the kernel which calls `modprobe` (in
our case `kmod`) to load modules and doesn't know about
`LD_LIBRARY_PATH`. Also, the rpath-reference was nuked.
To work around this, the kernel's `modprobe`
(i.e. `/proc/sys/kernel/modprobe`) now points to a wrapper which
explicitly declares `LD_LIBRARY_PATH`. We can't use `makeWrapper` here
because `modprobe` itself must not be renamed. Otherwise, `kmod` (which
is the link-target of `modprobe`) won't work because it expects
`argv[0] == "modprobe"` to perform modprobe's tasks.
[1] https://nixos.org/manual/nixos/stable/options.html#opt-boot.initrd.availableKernelModules
Update version to 1.4.231.
Build 231 points to a specific commit from the 1.4.x branch adding many
fixes and improvements. Since this version is an unofficial release, add
an unstable prefix to the version string in Nixpkgs.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Signed-off-by: Franz Pletz <fpletz@fnordicwalking.de>
logrotate.timer is enough for rotating logs. Enabling logrotate.service would
make the service start on every configuration switch, leading to tests failure when
logrotate is enabled.
Also update test to make sure the timer is active and runs the service
on date change.
https://github.com/ipfs/fs-repo-migrations/releases/tag/v2.0.2
This is pretty much a complete rewrite of the ipfs-migrator package.
In version 2.0.0 a major change was made to the way the migrator works. Before, there was one binary that contained every migration. Now every migration has its own binary. If fs-repo-migrations can't find a required binary in the PATH, it will download it off the internet. To prevent that, build every migration individually, symlink them all into one package and then wrap fs-repo-migrations so it finds the package with all the migrations.
The change to the IPFS NixOS module and the IPFS package is needed because without explicitly specifying a repo version to migrate to, fs-repo-migrations will query the internet to find the latest version. This fails in the sandbox, for example when testing the ipfs passthru tests.
While it may seem like the repoVersion and IPFS version are in sync and the code could be simplified, this is not the case. See https://github.com/ipfs/fs-repo-migrations#when-should-i-migrate for a table with the IPFS versions and corresponding repo versions.
Go 1.17 breaks the migrations, so use Go 1.16 instead. This is also the Go version used in their CI, see 3dc218e300/.github/workflows/test.yml (L4). See https://github.com/ipfs/fs-repo-migrations/pull/140#issuecomment-982715907 for a previous mention of this issue. The issue manifests itself when doing anything with a migration, for example `fs-repo-11-to-12 --help`:
```
panic: qtls.ClientHelloInfo doesn't match
goroutine 1 [running]:
github.com/marten-seemann/qtls-go1-15.init.0()
github.com/marten-seemann/qtls-go1-15@v0.1.1/unsafe.go:20 +0x132
```
Also add myself as a maintainer for this package.
This fixes the test failure discovered in https://github.com/NixOS/nixpkgs/pull/160914.
See https://github.com/ipfs/fs-repo-migrations/issues/148 to read some of my struggles with updating this package.
The argument parser used by snapserver behaves differntly for optional
arguments with existing defaults. In such cases, the standalone argument
name is a valid input and a following value is interpreted as a
positional argument. Therefore the argument and the value must be
provided as a single argument seperated by equals sign.
Overriding can now happen using module options, which is preferred
because it is more discoverable and doesn't require knowledge of
overrides in the first place.
While the documentation said to set this to null, in case an imperative
config was supposed to be used, this was not possible with the typing in
place.
As `nix-daemon.service` does not make use of `ExecStop`, we prefer
to keep the socket up and available. This is important for machines
that run Nix-based services, such as automated build, test, and deploy
services, that expect the daemon socket to be available at all times.
See committed inline comment for further explanation.
Not entirely sure when it got broken this time, but when creating a VM
network with `nixos-build-vms(8)`, there are should be the following scripts:
* `$out/bin/nixos-test-driver` which drops into an interactive shell to
interactively perform test steps.
* `$out/bin/nixos-run-vms` which non-interactively starts the VMs from
the network so that one can manually play around in the VM.
The latter also starts an interactive shell for a while now which means
that it does the exact same thing as `nixos-test-driver` which is not
its purpose.
The live image is primarily used for installation so we should make
link to manual as well as other useful tools front and center,
instead of having them buried in the app drawer.
The default GNOME apps can still be found there when the ISO
is used for demonstration purposes.
New ntopng version supports running as specified user. Create a separate
user for ntopng with a separate Redis instance.
Separate instance is only used for new `system.stateVersion`s to avoid
breaking existing setups. To configure that we add two new options,
`redis.address` and `redis.createInstance`. They can also be used to
specify your own Redis address.
fixes#158802
Sets the mysql backup systemd service type to "oneshot" to ensure the
service is marked as started after the backup script fully proceeds. This
allows to reliably depend on completing of this service by other services.
systemd needs this so special characters (like the ones in wireguard
units that appear because they are part of base64) can be escaped using
the \x syntax.
Root of the issue is that `glob()` handles the backslash internally
which is obviously not what we want here.
Also add a test case and fix some perlcritic issues in the subroutine.
Database provisioning was shown to be racy since adding a recorder test
using PostgreSQL. There is no harm in waiting for these services,
because if they're not available they will be ignored.
It simply should not be required to override the package for such a
common use case, especially since the module usually adds another
override on top to inherit extraComponents.
After this change users with non-declarative configs need to set
`services.home-assistant.config` to an `null`, or their
`configuration.yaml` will be overwritten.
The reason for this is that with rfc42 style defaults the config
attribute set will never be empty by default.
If people take the time to setup network-online.target correctly we
should wait for it. If they don't it's basically the same as
network.target anyway, so no harm done.
Over time I've seen multiple integrations that have dealt badly with
missing network connectivity at startup, this should alleviate further
pains.
The given example is now closer to a sane default people will want to
start with. It also displays the existance of extraComponents, a feature
that will receive more usage with home-assistant warning about
components that have completely migrated away from YAML configuration.
--port and --address have both been deprecated and are nonfunctional
starting with kubernetes 1.23. Use --secure-port and --bind-address
instead. This means that users can no longer rely on the insecure port
for anything, so update the release notes accordingly.
The `substituters` option in `nix.settings` uses the order
of the substituters listed to define priority. Prior to https://github.com/NixOS/nixpkgs/pull/139075,
the corresponding option `binaryCaches` is declared in the `nix` namespace,
which is guaranteed to be merged last. However, the order of merging isn't
guaranteed in submodules. This cause definitions to be appended to the default
value instead of prepended, breaking backwards compatibility as reported in https://github.com/NixOS/nixpkgs/issues/158356.
The way this is addressed in the module system is with order priorities via
`mkOrder` and sorting definitions before merging. This PR restores the previous
behavior by setting a higher priority to the substituters option defined internally,
thus all definitions with default priority will be merged before it. This was chosen because
the `mkRenamedOption` function does not preserve order priority so users using legacy options do not have
precise control on placement.
This change should suffice for simple configuration, but further revision to the module system
is needed for to make various `mk*` functions aware of order priorities.
logrotate global options only affect rules following them - as such,
services.logrotate.extraConfig being added last makes the option only
useful for adding new paths but not for setting global options (e.g.
'dateext' so all logs are rotate with a date suffix).
Moving this first solves this problem, and we can then use this instead
of default paths config to append missingok/notifempty.
wtmp and btmp are created by systemd, so the rules are more appropriate there.
They can be disabled explicitly with something like
services.ogrotate.paths = {
"/var/log/btmp".enable = false;
"/var/log/wtmp".enable = false;
};
if required.
In #139075, mandatoryFeatures was removed from the generated
supportedFeatures, which breaks backward compatibility and is
different from what the description of supportedFeatures says.
Addresses #16545. Allows for user defined environment variables that
hold paths to wordlists. This is to allow for easy access to wordlists
for users and scripts, (in other distributions a convenient wordlist is
typically found in /usr/share/dict/words or similar). The default
wordlist is the one found in scowl, for no other reason than that's the
one that was mentioned in the linked issue.
It is possible to specify multiple environment variables as well. This
is for users who need multiple wordlists (such as multilingual users).
This is accomplished by comparing the hashes that the unit files
contain. By filtering for a special key `X-Reload-Triggers` in the
`[Unit]` section, we can differentiate between reloads and restarts.
Since activation scripts can request reloads of units as well, more
checking of this behaviour is implemented. If a unit is to be restarted,
it's never reloaded as well which would make no sense.
Also removes a useless subroutine and perl dependencies that are
nowadays handled by the propagated build inputs feature of
`perl.withPackages`.
The module option type `nonEmptyStr` was introduced in commit
a3c5f0cba8
The hylafax module previously simply used
`addCheck str (s: s!="")` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
If a secret path is a subset of a second secret path, there's a risk
that its secret is substituted for the matching part of the second
path. To prevent this, use the sha256 of the paths as placeholder
string instead.
GDM enables Wayland on supported platforms automatically (see ${gnome.gdm}/lib/udev/rules.d/61-gdm.rules), so we removed the `gdm.nvidiaWayland` option.
You will still need `hardware.nvidia.modesetting.enable = true;` with `nvidia` driver, though.
I think calling i2pd directly in `ExecStart` is much nicer than having an extra shell script for no reason. It's also easier to see what's going on when looking at the generated systemd unit file.
* make slurmd depend on network target to ensure basic networking
is available on startup. This fixes behaviour
where slurmd fails with "error: get_addr_info: getaddrinfo() failed".
* Use tmpfiles.d to ensure spool directory exists on start up.
Fail scripts on pipeline errors and propagate subshell errors.
If an error occurs in a subshell, including while trying to read a
secret file, we want that error to propagate to the main shell
context. That means we have to set the `inherit_errexit` option, which
allows errors from subshells to propagate to the outer shell. Also,
the subshell cannot run as part of another command, such as `export`,
since that will simply ignore the subshell exit status and only
respect `export`s exit status; first assigning the value to a variable
and then exporting it solves issue.
The mount options need to be passed as a comma-separated list of options so that they
end up one a single Options line in the resulting mount unit.
The current code passed the options as a list, resulting in several Options lines in
the mount unit, all but the first of these were ignored by systemd however.
This behaviour is not clearly defined in the systemd man page.
* nixos/nftables: Allow use with iptables
Since iptables and nftables do not actually conflict with each other, there's no real reason to artificially prevent people from combining them.
In fact, this practice is known to cause issues like #88643, which is fixed by this commit.
users.users.*.createHome makes home only owner-readable.
This breaks nginx reading static assets from nextcloud's home,
after a nixos-rebuild that did not restart nextcloud-setup.
Closes#112639
When no devices are given the exporter tries to autodiscover available
disks. The previous DevicePolicy was however preventing the exporter
from accessing any device at all, since only explicitly mentioned ones
were allowed.
This commit adds an allow rule for several device classes that I could
find on my machines, that gets set when no devices are explicitly
configured.
There is an existing problem with nvme devices, that expose a character
device at `/dev/nvme0`, and a (namespaced) block device at
`/dev/nvme0n1`. The character device does not come with permissions that
we could give to the exporter without further impacting the hardening.
crw------- 1 root root 247, 0 27. Jan 03:10 /dev/nvme0
brw-rw---- 1 root disk 259, 0 27. Jan 03:10 /dev/nvme0n1
The autodiscovery only finds the character device, which the exporter
unfortunately does not have access to.
However a simple udev rule can be used to resolve this:
services.udev.extraRules = ''
SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
'';
Unfortunately I'm not fully aware of the security implications this
change carries and we should question upstream (systemd) why they did
not include such a rule.
The disk group has no members on any of my machines.
❯ getent group disk
disk❌6:
* fix MTP support on KDE Plasma and Dolphin
* Update pkgs/applications/kde/kio-extras.nix
Co-authored-by: ElXreno <elxreno@gmail.com>
Co-authored-by: Peter Hoeg <peter@hoeg.com>
Co-authored-by: ElXreno <elxreno@gmail.com>
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.
The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
avaliable.
This commit aims to following the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.
Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.
Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.
The generation and validation of the configration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.
A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.
[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
Required as visible in the lightdm tests:
> Error updating user /org/freedesktop/Accounts/User1001: GDBus.Error:org.freedesktop.Accounts.Error.PermissionDenied: Not authorized: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.PolicyKit1 was not provided by any .service files
SUID wrappers really shouldn't be enabled by default, unless a consumer
relies on them. So in my opinion this falls upon the desktop
environments if needed or a user to explicltly enable this if wanted.
Most desktop environments and services like CUPS already enable polkit
by default, that should really be sufficient.
Empty parantheses are not supported in regular expressions on
Darwin/macOS. The old regular expression produces an error during
evaluation. This commit fixes that.
Nix‘s `builtins.match` works with extend POSIX regular expressions. The
specification for these regular expression states[^1] that the result
for a left paranthesis immediately followed by a right paranthesis
outside of a bracket expression is undefined.
[^1]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04_03
Currently it's rather difficult to install tmux plugins. The process involves two steps:
1. Specify the correct `pkg.tmuxPlugins` package in `environment.systemPackages`
2. Adding to the configuration file to instantiate the plugin.
This commit allows the user to specify a list of plugins under `programs.tmux.plugins`.
Update nixos/modules/programs/tmux.nix
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Tor waits ShutdownWaitLength seconds (30s by default) before actually shutting down. Since the systemd timeout is also set to 30 seconds, this results in a race condition that ends up killing Tor most of the time on my machine during shutdown.
To fix this, add the ShutdownWaitLength setting and tell systemd to wait 30 seconds more than that.
Arch Linux also has `TimeoutSec` set to 60 seconds: 6df716fe19/trunk/tor.service.
This option behaves exactly like `boot.extraModprobeConfig`, except that it also includes the generated modprobe.d file in the initrd.
Many years ago, someone tried to include the normal modprobe.d/nixos.conf file generated by `boot.extraModprobeConfig` in the initrd: 0aa2c1dc46. This file contains a reference to a directory with firmware files inside. Including firmware in the initrd made it too big, so the commit was reverted again in 4a4c051a95.
The `boot.extraModprobeConfig` option not changing the initrd caused me much confusion because I tried to set the maximum cache size for ZFS and it didn't work.
Closes https://github.com/NixOS/nixpkgs/issues/25456.
Modules that do not depend on e.g. toplevel should not have to include it just to set
things in `system.build`. As a general rule, this keeps tests simple, usage flexible
and evaluation fast. While one module is insignificant, consistency and good practices
are.
Release notes: https://github.com/swaywm/sway/releases/tag/1.7
Notable (backward incompatible) changes:
- The default terminal changed from Alacritty to foot
Known issues:
- `swaynag` will crash when Sway 1.6.1 is still running while the Nix
package (and thus `swaynag`) is already updated to version 1.7.
- The experimental Ozone/Wayland support of Electron apps will be broken
for a while. Electron version 17 should work but the Chromium fixes
haven't yet been backported to Electron version 16.
NixOS module: programs.sway.extraPackages: The "alacritty" package was
replaced with "foot".
VM test: We switched from the OpenGL ES 2.0 renderer to Pixman. The
terminal was also changed to foot but Alacritty is still used for the
XWayland test (since foot doesn't support X11).
Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
`register_new_matrix_user` is a script provided by the matrix-synapse
package to create a new matrix user on the command line.
This commit provides a wrapper around `register_new_matrix_user` that
automatically passes the url (and `registration_shared_secret`, if
present) as CLI arguments.
- regenerate everything
- hardcode to build with node 14 (upstream doesn't support 16 yet)
- remove optional deps to make things build without python2
- set HOME in service environment to prevent crashing
Changes in node-*.nix are autogenerated.
Commit ca58bd0a50 broke the test networking.networkd.static. This happened because the test sets `networking.defaultGateway`. This is implemented by adding the gateway to the list of `routes` using `mkDefault`. The `routes` are then overridden by an empty list in the newly added code. Replace `mkDefault` with `id` so the two lists are merged and everything (hopefully) works as expected.
See https://github.com/NixOS/nixpkgs/pull/144590 for a more context.
LXC containers like those used by VPSAdminOS might want to install a bootloader
so passing `true` to `system.build.installBootLoader` without any priority specified,
causes a conflict for such systems with the recent `system.build` changes:
4014fb6a64
Fixes: https://github.com/NixOS/nixpkgs/issues/155839
If the Nix daemon has never been enabled (nix.enable has always been
set to false), the gcroots directory won't exist. If the Nix daemon
is later enabled, the GC roots for booted-system and current-system
will be missing, and they might end up being garbage collected. Since
it's cheap to add GC roots even if the daemon will never be enabled,
let's just always add them so we're okay in the case where the daemon
is enabled later.
- Fully get rid of `parseKeyValues` and use systemctl features for that
- Add some regex modifiers recommended by perlcritic
- Get rid of a postfix if
- Sort units when showing their status
- Clean the logic for showing what failed from `elif` to `next`
- Switch from `state` to `substate` for `auto-restart` because that's
actually where the value is stored
- Show status of units with one single systemctl call and get rid of
COLUMNS in favor of --full
- Add a test for failing units
This replaces the naive K=V unit parser with a proper INI parser from a
library and adds proper support for override files. Also adds a bunch of
comments about parsing, I hope this makes it easier to understand and
maintain in the future.
There are multiple reasons to do so, the first one is just general
correctness with is nice imo. But to get to more serious reasons (I
didn't put in all that effort for nothing) is that this is the first
step torwards more clever restart/reload handling. By using a library
like Data::Compare a future PR could replace the current way of
fingerprinting units (which is to compare store paths) by comparing the
hashes. This is more precise because units won't get restarted because
the order of the options change, comments are added, some dependency of
writeText changes, .... Also this allows us to add a feature like
`X-Reload-Triggers` so the unit can either be reloaded when these change
or restarted when everything else changes, giving module authors the
ability to have their services reloaded without having to fear that
updates are not applied because the service doesn't get restarted.
Another reason why this feature is nice is that now that the unit files
are parsed correctly (and values are just extracted from one section),
potential future rewrites can just rely on some INI library without
having to implement their own weird parser that is compatible with this
script.
This also comes with a new subroutine to handle systemd booleans because
I thought the current way of handling it was just ugly. This also allows
overriding values this script reads in an override file.
Apart from making this script more compatible with the world around it,
this also fixes two issues I saw bugging exactly 0 (zero) people. First
is that this script now supports multiple override files, also ones that
are not called override.conf and the second one is that `1` and `on` are
treated as bools by systemd but were previously not parsed as such by
switch-to-configuration.
Update the example config to show a working example for xmonad 0.17.0, which
added an argument to the `launch` function and adjusted the location of the
recompiled binary.
Since release 1.18.4, the ModemManager daemon no longer automatically
performs the FCC unlock procedure by default. The user must, under their
own responsibility, enable the automatic FCC unlock as shipped by
ModemManager.
Webclient only allows serving a web directory under /_matrix/client
This only incentivizes running the client under the same domain as the homeserver.
Which is not recommended due to CORS.
Add a new type, inheriting 'types.str' but checking whether the value
doesn't contain any newline characters.
The motivation comes from a problem with the
'users.users.${u}.openssh.authorizedKeys' option.
It is easy to unintentionally insert a newline character at the end of a
string, or even in the middle, for example:
restricted_ssh_keys = command: keys:
let
prefix = ''
command="${command}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding
'';
in map (key: "${prefix} ${key}") keys;
The 'prefix' string ends with a newline, which ends up in the middle of
a key entry after a few manipulations.
This is problematic because the key file is built by concatenating all
the keys with 'concatStringsSep "\n"', with result in two entries for
the faulty key:
''
command="...",options...
MY_KEY
''
This is hard to debug and might be dangerous. This is now caught at
build time.
This commit introduces a new option
`services.nextcloud.nginx.recommendedHttpHeaders` that can be used to
optionally disable serving recommended HTTP Response Headers in nginx.
This is especially useful if some headers are already configured
elsewhere to be served in nginx and thus result in duplicate headers.
Resolves#120223
The `extraConfig` parameter only handles text - it doesn't support
arbitrary secrets and, with the way it's processed in the setup
script, it's very easy to accidentally unescape the echoed string and
run shell commands / feed garbage to bash.
To fix this, implement a new option, `config`, which instead takes a
typed attribute set, generates the `.env` file in nix and does
arbitrary secret replacement. This option is then used to provide the
configuration for all other options which change the `.env` file.
When upgrading bookstack, if something in the cache conflicts with the
new installation, the artisan commands might fail. To solve this, make
the cache lifetime bound to the setup service. This also removes the
`cacheDir` option, since the path is now handled automatically by
systemd.
Commit 9a5b5d9fe8 added Haskell
dependencies (GHC and packages) to the xmonad binary's environment even
if xmonad had been preconfigured (via the "config" option). The intent
was to enable one-off recompiling using a local config file (e.g.
~/.config/xmonad/xmonad.hs), so the user can get quick feedback while
developing their config.
While this works, it may not be a common use-case, and it requires some
careful crafting in xmonad.hs itself. On top of that, it significantly
increases the size of the closure.
Given all that, commit b69d9d3c23 removed
GHC and packages from the binary's environment.
But there are still those among us who want to be able to recompile from
a preconfigured xmonad, so let's provide a way to opt-into configured
recompilation.
network.target is reached earlier, but with much fewer services
available. DNS is likely to be not functional before
network-online.target, so waiting for that seems better for that reason
alone. the existing backends for network-online.target all seem to do
reasonable things (wait until all links are in *some* stable state), so
we shouldn't lose anything from waiting.
This removes `/run/nixos/activation-reload-list` (which we will need in
the future when reworking the reload logic) and makes
`/run/nixos/activation-restart-list` honor `restartIfChanged` and
`reloadIfChanged`. This way activation scripts don't have to bother with
choosing between reloading and restarting.
Instead of referencing all library functions through `lib.` and
builtins through `builtins.` at every invocation, inherit them into
the appropriate scope.
The module option type `nonEmptyStr` was introduced in commit
a3c5f0cba8
The tsm modules previously simply used
`strMatching ".+"` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
This enables some systemd sandboxing
options for the `tsm-backup.service`.
Those settings have been determined by expermentation.
This commit tries hard to protect the filesystem from
write access, but not to hide anything from read access,
so users can backup all files they choose to backup.
An exception are API filesystems (`/dev`, `/proc`, `/sys`):
As their "files" are not stored on persistent storage,
they are sandboxed away as much as possible.
Note that the service still has to run with root
privileges to reach files with limited access permissions.
The obvious alternative to use a dedicated user account and
the `CAP_DAC_READ_SEARCH` capability to permit system-wide
read access while blocking write access does not work.
Experiments have shown that `dsmc` verifies access permissions
for each file before attempting to open it for reading.
Hence `dsmc` refuses to copy files where the file permission
mode blocks read access -- even if process capabilities
would allow it to proceed irrespective of permissions.
Use systemd's LoadCredential mechanism to make the secret files
available to the service.
This gets rid of the privileged part of the ExecPreStart script which
only served to copy these files and assign the correct
permissions. There's been issues with this approach when used in
combination with DynamicUser, where sometimes the user isn't created
before the ExecPreStart script runs, causing the error
install: invalid user ‘keycloak’
This should fix that issue.
Unfortunately, all of the ExecPreStart script had to be moved to
ExecStart, since credentials aren't provided to ExecPreStart. See
https://github.com/systemd/systemd/issues/19604.
Without this option `DefaultSearchProviderSearchURL` and
`DefaultSearchProviderSuggestURL` are really wastefull as it does not
set search engine, at least for me.
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
