We can perform most of the mkdir/ln/rm using systemd-tmpfiles
instead which cleans up the script.
/bin and /home are created by their activation script snippets
usbfs is deprecated and unused.
hwclock seems to be automatically executed by systemd on startup.
The mkswap to prevent hibernation cycles seems to be executed by systemd
as well since the provided regression tests succeed.
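For comparison, an added example (not code from the commit above) of the same kind of setup expressed first as an activation script and then as tmpfiles rules. The user, group and paths are constructed for the illustration; in practice only the rules would be kept:

```nix
{ pkgs, ... }:
{
  # Constructed service user that owns the directory below.
  users.users.example = { isSystemUser = true; group = "example"; };
  users.groups.example = { };

  # Before: imperative shell in the activation script, re-run on every switch.
  # Kept here only to contrast with the declarative rules that follow.
  system.activationScripts.example-dirs-legacy = ''
    mkdir -p /var/lib/example
    chown example:example /var/lib/example
    chmod 0750 /var/lib/example
    ln -sfn ${pkgs.bash}/bin/sh /var/lib/example/sh
  '';

  # After: systemd-tmpfiles rules. Fields: type path mode user group age argument.
  #   d  - create the directory if missing and apply mode and ownership
  #   L+ - create the symlink, replacing whatever already exists at that path
  systemd.tmpfiles.rules = [
    "d  /var/lib/example 0750 example example -"
    "L+ /var/lib/example/sh - - - - ${pkgs.bash}/bin/sh"
  ];
}
```

The rules are applied by systemd-tmpfiles-setup.service at boot and again when NixOS runs `systemd-tmpfiles --create` during activation. `L+` removes an existing file or directory at the link path before creating the link, so reserve it for paths the configuration fully owns.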
Before this patch, services.dendrite.environmentFile is used for
secrets and environment variable substitution only happens when this
option is used.
systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than an environment file. See the section on Environment=
in the manual of systemd.exec for more information.
This patch always substitutes environment variables, which enables the
usage of systemd LoadCredential.
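An added example (not from the commit or the dendrite module) contrasting the two ways of handing a secret to a unit on NixOS. The service names, the `/run/secrets/...` paths and the scripts are constructed for the illustration:

```nix
{ pkgs, ... }:
{
  # Weak pattern: the secret enters the process environment. Every child
  # process inherits it and it is visible in /proc/<pid>/environ to anything
  # running as the same user. The file is assumed to contain API_TOKEN=...
  systemd.services.example-env.serviceConfig = {
    EnvironmentFile = "/run/secrets/example.env";
    ExecStart = "${pkgs.writeShellScript "example-env" ''
      printf 'token length: %s\n' "''${#API_TOKEN}"
    ''}";
  };

  # Preferred since systemd 247: systemd reads the file as root, places a copy
  # in a per-service tmpfs and exposes it via $CREDENTIALS_DIRECTORY, readable
  # only by the unit's user. No environment variable carries the secret, and
  # the source file can stay root-only even with DynamicUser.
  systemd.services.example-cred.serviceConfig = {
    DynamicUser = true;
    LoadCredential = [ "api-token:/run/secrets/api-token" ];
    ExecStart = "${pkgs.writeShellScript "example-cred" ''
      token=$(cat "$CREDENTIALS_DIRECTORY/api-token")
      printf 'token length: %s\n' "''${#token}"
    ''}";
  };
}
```

Unconditional environment variable substitution, which the commit above introduces, is what lets a generated configuration file refer to `${CREDENTIALS_DIRECTORY}/api-token` instead of embedding the secret itself.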
* With the upgrade to waydroid to 1.2.0, dependencies that previously
were shipped in the service's path have been moved to the waydroid
package.
* Make sure /var/lib/misc exists when starting waydroid. As required
by dnsmasq
While doing kernel development with the nixos testing infrastructure, it
is useful to quickly compile the kernel on the side and boot it in the testing VM.
This patch allows overriding the kernel through the environment
variable. For example, the following:
$ NIXPKGS_QEMU_KERNEL_testvm=$LINUX_SRC/arch/x86/boot/bzImage $VM/bin/nixos-test-driver
runs the testvm testing VM with the fresh kernel compiled in $LINUX_SRC.
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
GNOME Shell 42 switched an icon for the accessibility menu in the top panel
to one from gnome-control-center instead of a legacy one from adwaita-icon-theme:
https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2155
Let’s add that dependency to the systemd unit since installing it
through `environment.systemPackages` is not enough due to environment isolation.
Sendto device selection is removed in gnome-bluetooth 42.
I decided it is not worth maintaining a legacy gnome-bluetooth
package for the contract.
This should also be broken in elementary OS 7.
Browser Integration requires setgid and setuid programs, which need to be done in the system configuration.
This is cleaner than the ad-hoc ways we have to set things up for platforms without a global configuration file.
* nixos/earlyoom: bring the module up to date
Removes deprecated option `ignoreOOMScoreAdjust`, introduces `killHook`
as a replacement for `notificationsCommand`, and adds an `extraArgs`
option for things not covered by the module.
* nixos/earlyoom: add nixos test
* nixos/earlyoom: add reportInterval
Allows setting the interval for logging a memory report. Defaults to
3600 following upstream
(https://github.com/rfjakob/earlyoom/blob/master/earlyoom.default#L5)
to avoid flooding logs.
* nixos/earlyoom: add free{Mem,Swap}KillThreshold
Fixes https://github.com/NixOS/nixpkgs/issues/83504
This adds the option `networking.wg-quick.interfaces.<name>.autostart`, which defaults to `true`, which is the previous behavior. With this option set to `false`, the systemd-unit will no longer be set to `wantedBy = [ "multi-user.target" ]` and therefore the tunnel has to be enabled/disabled via `systemctl start/stop wg-quick-<name>`.
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
Use `recursiveUpdate` instead of the // operator, as recommended in https://nix.dev/anti-patterns/language#attr1-attr2-merge-operator. Without this change, setting `services.ipfs.extraConfig.Addresses.NoAnnounce` for example will cause `services.ipfs.apiAddress`, `services.ipfs.gatewayAddress` and `services.ipfs.swarmAddress` to be ignored.
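An added illustration (not the module's own code) of why the operator matters. The defaults below are a constructed stand-in for what the module generates and `extraConfig` is what a user would set; evaluate with `nix-instantiate --eval --strict merge.nix`:

```nix
let
  lib = import <nixpkgs/lib>;

  # Constructed stand-in for the module-generated defaults.
  defaults = {
    Addresses = {
      API = "/ip4/127.0.0.1/tcp/5001";
      Gateway = "/ip4/127.0.0.1/tcp/8080";
      Swarm = [ "/ip4/0.0.0.0/tcp/4001" ];
    };
    Datastore.StorageMax = "10GB";
  };

  # What a user sets through extraConfig.
  extraConfig = {
    Addresses.NoAnnounce = [ "/ip4/127.0.0.0/ipcidr/8" ];
  };
in
{
  # `//` is shallow: extraConfig.Addresses replaces defaults.Addresses as a
  # whole, so API, Gateway and Swarm disappear and only NoAnnounce remains.
  shallow = defaults // extraConfig;

  # recursiveUpdate descends into nested attribute sets, so the default
  # addresses survive alongside the user's NoAnnounce entry.
  deep = lib.recursiveUpdate defaults extraConfig;
}
```

`Datastore` is untouched by either operator, since it has no counterpart in `extraConfig`; the difference shows up only in keys that exist on both sides and hold attribute sets.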
The Nix-provided `nix-daemon.socket` file has a
> ConditionPathIsReadWrite=/nix/var/nix/daemon-socket/socket
line, to skip that unit if /nix/var/nix/daemon-socket/socket is
read-only (which is the case in some nixos-containers with that folder
bind-ro-mounted from the host).
In these cases, the unit was skipped.
Systemd 250 (rightfully) started to also skip in these cases:
> [ 237.187747] systemd[1]: Nix Daemon Socket was skipped because of a failed condition check (ConditionPathIsReadWrite=/nix/var/nix/daemon-socket).
However, systemd < 250 didn't skip if /nix/var/nix/daemon-socket/socket
didn't /exist at all/, and we were relying on this bug in the case for
fresh NixOS systems, to have /nix/var/nix/daemon-socket/socket created
initially.
Move the creation of that folder to systemd-tmpfiles, by shipping an
appropriate file in `${nixPackage}/lib/tmpfiles.d/nix-daemon.conf`
(NixOS/nix#6285).
In the meantime, set a systemd tmpfiles rule manually in NixOS.
This has been tested to still work with read-only bind-mounted
/nix/var/nix/daemon-socket/socket in containers, it'll keep them
read-only ;-)
For now at least. I expect someone will find a working type later.
It's incorrect and was causing bad issues. Example test case:
nix-instantiate nixos/release.nix -A tests.xfce.x86_64-linux --dry-run
This is a partial revert of commit b2d803c from PR #162271.
hostNames being deprecated makes configuring hosts with multiple keys a
pain. Including the attr name of the entry in the host name list is a
nice convenience though, so we'll retain it and clarify the
documentation on how the actual host name list for an entry is put
together.
Currently it is only possible to add upstream _system_ units. The option
systemd.additionalUpstreamSystemUnits can be used for this.
However, this was not yet possible for systemd.user. In a similar
fashion this was added to systemd-user.nix.
This is intended to have other modules add upstream units.
Add an exception to the `paperless-ng-server` service's
`SystemCallFilter` as the `mbind` syscall is needed when consuming a
document while having a classification model present.
Since b9cfbcafdf, the lack of hexdump in
the closure led to the generation of empty cookie files. This empty
cookie file is making pleroma crash at startup now that we correctly
read it.
We introduce a migration forcing these empty cookies to be
re-generated to something not empty.
We inject the release cookie path to the pleroma derivation in order
to wrap pleroma_ctl with it. Doing this allows us to remove the
systemd-injected RELEASE_COOKIE path, which was sadly
buggy (RELEASE_COOKIE should point to the *content* of the cookie, not
the file containing it).
We take advantage of this to factor out the cookie path.
Now, one can just use `networking.networkmanager.plugins = lib.mkForce [];`
if they want to get rid of the plug-ins.
Co-authored-by: lassulus <lassulus@lassul.us>
Fixes race conditions like this:
> systemd[1]: Started prometheus-kea-exporter.service.
> kea-exporter[927]: Listening on http://0.0.0.0:9547
> kea-exporter[927]: Socket at /run/kea/dhcp4.sock does not exist. Is Kea running?
> systemd[1]: prometheus-kea-exporter.service: Main process exited, code=exited, status=1/FAILURE
It doesn't make sense to have a default value for this that's
incompatible with the default locate implementation. It means that
just doing services.locate.enable = true; generates a warning, even if
you don't care about pruning anything. So only use the default prune
list if the locate implementation supports it (i.e., isn't findutils).
If `services.tor.client.enable` is set to false (the default), the `SOCKSPort` option is not added to the torrc file but since Tor defaults to listening on port 9050 when the option is not specified, the tor client is not actually disabled. To fix this, simply set `SOCKSPort` to 0, which disables the client.
Use `mkForce` to prevent potentially two different `SOCKSPort` options in the torrc file, with one of them being 0 as this would cause Tor to fail to start. When `services.tor.client.enable` is set to false, this should always be disabled.
When `services.resolved.enable` is set to true, the file /etc/resolv.conf becomes a symlink to /etc/static/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf. Without this commit, tor does not have access to this file thanks to systemd confinement. This results in the following warning when tor starts:
```
[warn] Unable to stat resolver configuration in '/etc/resolv.conf': No such file or directory
[warn] Could not read your DNS config from '/etc/resolv.conf' - please investigate your DNS configuration. This is possibly a problem. Meanwhile, falling back to local DNS at 127.0.0.1.
```
To fix this, simply allow read-only access to the file when resolved is in use.
According to https://github.com/NixOS/nixpkgs/pull/161818#discussion_r824820462, the symlink may also point to /run/systemd/resolve/resolv.conf, so allow that as well.
The new option (disabled by default) pulls in the experimental sensor
calibration files for the Facetime HD camera. These will also be pulled
in by hardware.enableAllFirmware.
Use a quoted heredoc to inject installBootLoader safely into the script,
and restore the previous invocation of `system` with a single argument so
that shell commands keep working.
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
Without this fix, evaluating a NixOS configuration with Tomcat enabled and the
default settings results in the following evaluation error:
Failed assertions:
- users.users.tomcat.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.tomcat.group = "tomcat";
users.groups.tomcat = {};
As of systemd/systemd@e908434458,
systemd-networkd now automatically configures routes to addresses
specified in AllowedIPs unless explicitly disabled with
"RouteTable=off".
As a novice to using this module, I found the existing description to be
quite misleading. It does not at all disable pulling from the registry,
it just loads some image archive that may or may not be related to the
container you're specifying. I had thought there was extra magic behind
this option, but it's just a `docker load`. You need foreknowledge of
the contents of the archive so that whatever it contained is actually
used to run the container.
I've reworded the description to hopefully make this behavior clearer.
This bug is so obscure and unlikely that I was honestly not able to
properly write a test for it. What happens is that we are calling
handleModifiedUnit() with $unitsToStart=\%unitsToRestart. We do this to
make sure that the unit is stopped before it's started again which is
not possible by regular means because the stop phase is already done
when calling the activation script.
recordUnit() still gets $startListFile, however which is the wrong file.
The bug would be triggered if an activation script requests a service
restart for a service that has `stopIfChanged = true` and
switch-to-configuration is killed before the restart phase was run. If
the script is run again, but the activation script is not requesting
more restarts, the unit would be started instead of restarted.
We spent a whole afternoon debugging this, because upstream has very
bad software quality and the error messages were incredibly
misleading.
So let’s document it for the sanity of other people.
Btw, I think the implementation of our module is pretty brittle,
especially the part about diffing tokens to check whether they
changed. We should rather just request a new builder registration
every time, it’s not that much overhead, and always set `replace` so
it is idempotent.
Some systems should not be rebooted at just any time. If the upgrade process takes too long, for instance because of a
slow internet connection, or if the upgrade service is run during production hours, we want to allow defining a window
outside of which a reboot will not be performed.
The system will then reboot on the next run of the upgrade service which finishes inside the reboot window.
E.g. we can run the update service twice per week, once during the night and once during the day, but reboots are only
allowed during the night. By doing so, a system that is usually shut down during the night will still receive updates
and systems that are turned on 24/7 can be rebooted outside of production hours.
Co-authored-by: Silvan Mosberger <github@infinisil.com>
zsh-autosuggestions supports having fallback strategies expressed
through the ZSH_AUTOSUGGEST_STRATEGY array. For example,
`ZSH_AUTOSUGGEST_STRATEGY=(history completion)`. We should also support
this.
Currently, default options for media-session are empty, making it harder
to adapt them without fully overwriting them. This commit sets these
defaults to the content of the JSON files provided with media-session.
For systems without internet connections, it doesn't make sense to
require the existence of an /etc/resolv.conf file to disable
resolvconf, so let's expose networking.resolveconf.enable as a public
option that can be set to false.
When initializing a system (e.g. first boot / livecd) we have no good
reference source for time. systemd-timesyncd however would revert back
to its configured fallback time (in our case 01.01.1980). Since we
probably don't want to hardcode a specific date as fallback we are now
using the current system time (wherever that might have come from) to
initialize the reference clock file.
The only systems that might be remotely affected by this change are
machines that have highly unreliable RTCs or those where the battery
that backs the RTC is running empty.
Historically these systems always had a tough time with anything time
related and likely required manual intervention.
For stateless systems (those that wipe / between reboots or our
installer CDs) this has the consequence that time will always be reset
to whatever the system comes up with on boot. This is likely the correct
time coming from an RTC. No harm done here; the situation is likely
unchanged for them.
For stateful systems (those that retain the / partition across reboots)
there shouldn't be a change at all. They'll provide an initial clock
value once in their lifetime (during first boot / after installation).
From then onwards systemd-timesyncd will update the file with the newer
fallback time (that will be picked up on the next boot).
This adds an option `services.taskserver.openFirewall` to allow the user
to choose whether or not the firewall port should be opened for the
service. This is no longer the case by default.
See also https://github.com/NixOS/nixpkgs/issues/19504.
In issue #157787 @martined wrote:
Trying to use confinement on packages providing their systemd units
with systemd.packages, for example mpd, fails with the following
error:
system-units> ln: failed to create symbolic link
'/nix/store/...-system-units/mpd.service': File exists
This is because systemd-confinement and mpd both provide a mpd.service
file through systemd.packages. (mpd got updated that way recently to
use upstream's service file)
To address this, we now place the unit file containing the bind-mounted
paths of the Nix closure into a drop-in directory instead of using the
name of a unit file directly.
This does come with the implication that the options set in the drop-in
directory won't apply if the main unit file is missing. In practice
however this should not happen for two reasons:
* The systemd-confinement module already sets additional options via
systemd.services and thus we should get a main unit file
* In the unlikely event that we don't get a main unit file regardless
of the previous point, the unit would be a no-op even if the options
of the drop-in directory would apply
Another thing to consider is the order in which those options are
merged, since systemd loads the files from the drop-in directory in
alphabetical order. So given that we have confinement.conf and
overrides.conf, the confinement options are loaded before the NixOS
overrides.
Since we're only setting the BindReadOnlyPaths option, the order isn't
that important since all those paths are merged anyway and we still
don't lose the ability to reset the option since overrides.conf comes
afterwards.
Fixes: https://github.com/NixOS/nixpkgs/issues/157787
Signed-off-by: aszlig <aszlig@nix.build>
This fixes the following issues with the database provisioning script
included in the services.keycloak module:
- It lacked permission to access the DB password file specified in the
module option 'services.keycloak.database.passwordFile'.
- It prevented Keycloak from starting after the second time if the user
chose MySQL for the database.
This effectively fixes the majority of all VM tests which were broken
because `/dev/vda` (or any other block device) wasn't mountable:
machine # mounting /dev/vda on /...
machine # mount: mounting /dev/vda on /mnt-root/ failed: No such device[ 2.820976] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
machine # [ 2.821757] CPU: 0 PID: 1 Comm: init Not tainted 5.10.72 #1-NixOS
machine # [ 2.821757] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
machine # [ 2.821757] Call Trace:
machine # [ 2.821757] dump_stack+0x6b/0x83
machine # [ 2.821757] panic+0x101/0x2c8
machine # [ 2.821757] do_exit.cold+0x14/0xb3
machine # [ 2.821757] do_group_exit+0x33/0xa0
machine # [ 2.821757] __x64_sys_exit_group+0x14/0x20
machine # [ 2.821757] do_syscall_64+0x33/0x40
machine # [ 2.821757] entry_SYSCALL_64_after_hwframe+0x44/0xa9
machine # [ 2.821757] RIP: 0033:0x7f67ec2800f6
machine # [ 2.821757] Code: 00 4c 8b 0d 2c 5d 11 00 eb 19 66 2e 0f 1f 84 00 00 00 00 00 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 22 f4 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e2 f7 d8 64 41 89 01 eb da 66 2e 0f 1f 84 00
machine # [ 2.821757] RSP: 002b:00007fff8f5a71d8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
machine # [ 2.821757] RAX: ffffffffffffffda RBX: 0000000000699704 RCX: 00007f67ec2800f6
machine # [ 2.821757] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
machine # [ 2.821757] RBP: 0000000000000004 R08: 00000000000000e7 R09: ffffffffffffff80
machine # [ 2.821757] R10: 00007f67ec33f3e0 R11: 0000000000000202 R12: 000000000000000b
machine # [ 2.821757] R13: 00007fff8f5a75a8 R14: 0000000000000000 R15: 00000000004fc198
machine # [ 2.821757] Kernel Offset: 0x31e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
machine # [ 2.821757] Rebooting in 1 seconds..
This happened because the kernel failed to load modules such as `ext4`
from `boot.initrd.availableKernelModules`[1] on e.g. a `mount(2)` syscall.
The problem is that `kmod` isn't linked against `libpthread.so.0`
anymore because it got merged into `libc.so.6` (however, the .so still
exists), but still needs it:
machine # newfstatat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib/x86_64", 0x7ffd951114c0, 0) = -1 ENOENT (No such file or directory)
machine # openat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
machine # newfstatat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib/x86_64", 0x7ffd951114c0, 0) = -1 ENOENT (No such file or directory)
machine # openat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
machine # newfstatat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/lib", 0x7ffd951114c0, 0) = -1 ENOENT (No such file or directory)
machine # openat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.34-36/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
machine # writev(2, [{iov_base="/nix/store/kdc9n48ksdc1a8y8w512w"..., iov_len=69}, {iov_base=": ", iov_len=2}, {iov_base="error while loading shared libra"..., iov_len=36}, {iov_base=": ", iov_len=2}, {iov_base="libpthread.so.0", iov_len=15}, {iov_base=": ", iov_len=2}, {iov_base="cy
machine # ) = 184
machine # exit_group(127) = ?
machine # +++ exited with 127 +++
machine # mount: mounting /dev/vda on /mnt-root/ failed: No such device
machine # [ 19.167180] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
machine # [ 19.167711] CPU: 0 PID: 1 Comm: init Not tainted 5.10.72 #1-NixOS
This is not a problem
* inside stage-1 because `LD_LIBRARY_PATH` points to `$out/lib` of
extra-utils where `libpthread.so.6` also exists.
* on a running system because `${pkgs.glibc}/lib` is part of kmod's
rpath.
However this is a problem inside the kernel which calls `modprobe` (in
our case `kmod`) to load modules and doesn't know about
`LD_LIBRARY_PATH`. Also, the rpath-reference was nuked.
To work around this, the kernel's `modprobe`
(i.e. `/proc/sys/kernel/modprobe`) now points to a wrapper which
explicitly declares `LD_LIBRARY_PATH`. We can't use `makeWrapper` here
because `modprobe` itself must not be renamed. Otherwise, `kmod` (which
is the link-target of `modprobe`) won't work because it expects
`argv[0] == "modprobe"` to perform modprobe's tasks.
[1] https://nixos.org/manual/nixos/stable/options.html#opt-boot.initrd.availableKernelModules
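An added sketch (not the commit's actual implementation) of the wrapper mechanism described above, written as a NixOS module. It assumes `pkgs.kmod` provides `bin/modprobe` and that `pkgs.glibc` ships `libpthread.so.0` under `lib`:

```nix
{ pkgs, ... }:
let
  # Installed as bin/modprobe so that kmod, which dispatches on the basename
  # of argv[0], still recognises itself as modprobe. makeWrapper would rename
  # the real binary to .modprobe-wrapped and break that dispatch.
  modprobeWrapper = pkgs.writeShellScriptBin "modprobe" ''
    export LD_LIBRARY_PATH=${pkgs.glibc}/lib
    exec ${pkgs.kmod}/bin/modprobe "$@"
  '';
in
{
  # Same effect as writing the path into /proc/sys/kernel/modprobe. The kernel
  # executes this program as root whenever it needs a module, so the target
  # must be root-owned and unwritable by unprivileged users; an immutable Nix
  # store path satisfies that.
  boot.kernel.sysctl."kernel.modprobe" = "${modprobeWrapper}/bin/modprobe";
}
```

This shows only the mechanism on the booted system; it does not reproduce whatever the commit does for the early boot environment. To confirm which program the kernel will run, read `/proc/sys/kernel/modprobe` and check that it points at a root-owned path.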
Update version to 1.4.231.
Build 231 points to a specific commit from the 1.4.x branch adding many
fixes and improvements. Since this version is an unofficial release, add
an unstable prefix to the version string in Nixpkgs.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Signed-off-by: Franz Pletz <fpletz@fnordicwalking.de>
logrotate.timer is enough for rotating logs. Enabling logrotate.service would
make the service start on every configuration switch, leading to test failures when
logrotate is enabled.
Also update test to make sure the timer is active and runs the service
on date change.
https://github.com/ipfs/fs-repo-migrations/releases/tag/v2.0.2
This is pretty much a complete rewrite of the ipfs-migrator package.
In version 2.0.0 a major change was made to the way the migrator works. Before, there was one binary that contained every migration. Now every migration has its own binary. If fs-repo-migrations can't find a required binary in the PATH, it will download it off the internet. To prevent that, build every migration individually, symlink them all into one package and then wrap fs-repo-migrations so it finds the package with all the migrations.
The change to the IPFS NixOS module and the IPFS package is needed because without explicitly specifying a repo version to migrate to, fs-repo-migrations will query the internet to find the latest version. This fails in the sandbox, for example when testing the ipfs passthru tests.
While it may seem like the repoVersion and IPFS version are in sync and the code could be simplified, this is not the case. See https://github.com/ipfs/fs-repo-migrations#when-should-i-migrate for a table with the IPFS versions and corresponding repo versions.
Go 1.17 breaks the migrations, so use Go 1.16 instead. This is also the Go version used in their CI, see 3dc218e300/.github/workflows/test.yml (L4). See https://github.com/ipfs/fs-repo-migrations/pull/140#issuecomment-982715907 for a previous mention of this issue. The issue manifests itself when doing anything with a migration, for example `fs-repo-11-to-12 --help`:
```
panic: qtls.ClientHelloInfo doesn't match
goroutine 1 [running]:
github.com/marten-seemann/qtls-go1-15.init.0()
github.com/marten-seemann/qtls-go1-15@v0.1.1/unsafe.go:20 +0x132
```
Also add myself as a maintainer for this package.
This fixes the test failure discovered in https://github.com/NixOS/nixpkgs/pull/160914.
See https://github.com/ipfs/fs-repo-migrations/issues/148 to read some of my struggles with updating this package.
The argument parser used by snapserver behaves differently for optional
arguments with existing defaults. In such cases, the standalone argument
name is a valid input and a following value is interpreted as a
positional argument. Therefore the argument and the value must be
provided as a single argument separated by an equals sign.
Overriding can now happen using module options, which is preferred
because it is more discoverable and doesn't require knowledge of
overrides in the first place.
While the documentation said to set this to null, in case an imperative
config was supposed to be used, this was not possible with the typing in
place.
As `nix-daemon.service` does not make use of `ExecStop`, we prefer
to keep the socket up and available. This is important for machines
that run Nix-based services, such as automated build, test, and deploy
services, that expect the daemon socket to be available at all times.
See committed inline comment for further explanation.
Not entirely sure when it got broken this time, but when creating a VM
network with `nixos-build-vms(8)`, there should be the following scripts:
* `$out/bin/nixos-test-driver` which drops into an interactive shell to
interactively perform test steps.
* `$out/bin/nixos-run-vms` which non-interactively starts the VMs from
the network so that one can manually play around in the VM.
The latter also starts an interactive shell for a while now which means
that it does the exact same thing as `nixos-test-driver` which is not
its purpose.
The live image is primarily used for installation so we should make
link to manual as well as other useful tools front and center,
instead of having them buried in the app drawer.
The default GNOME apps can still be found there when the ISO
is used for demonstration purposes.
New ntopng version supports running as specified user. Create a separate
user for ntopng with a separate Redis instance.
Separate instance is only used for new `system.stateVersion`s to avoid
breaking existing setups. To configure that we add two new options,
`redis.address` and `redis.createInstance`. They can also be used to
specify your own Redis address.
fixes #158802
Sets the mysql backup systemd service type to "oneshot" to ensure the
service is marked as started after the backup script fully proceeds. This
allows other services to reliably depend on the completion of this service.
systemd needs this so special characters (like the ones in wireguard
units that appear because they are part of base64) can be escaped using
the \x syntax.
Root of the issue is that `glob()` handles the backslash internally
which is obviously not what we want here.
Also add a test case and fix some perlcritic issues in the subroutine.
Database provisioning was shown to be racy since adding a recorder test
using PostgreSQL. There is no harm in waiting for these services,
because if they're not available they will be ignored.
It simply should not be required to override the package for such a
common use case, especially since the module usually adds another
override on top to inherit extraComponents.
After this change users with non-declarative configs need to set
`services.home-assistant.config` to `null`, or their
`configuration.yaml` will be overwritten.
The reason for this is that with rfc42 style defaults the config
attribute set will never be empty by default.
If people take the time to setup network-online.target correctly we
should wait for it. If they don't it's basically the same as
network.target anyway, so no harm done.
Over time I've seen multiple integrations that have dealt badly with
missing network connectivity at startup, this should alleviate further
pains.
The given example is now closer to a sane default people will want to
start with. It also displays the existence of extraComponents, a feature
that will receive more usage with home-assistant warning about
components that have completely migrated away from YAML configuration.
--port and --address have both been deprecated and are nonfunctional
starting with kubernetes 1.23. Use --secure-port and --bind-address
instead. This means that users can no longer rely on the insecure port
for anything, so update the release notes accordingly.
The `substituters` option in `nix.settings` uses the order
of the substituters listed to define priority. Prior to https://github.com/NixOS/nixpkgs/pull/139075,
the corresponding option `binaryCaches` is declared in the `nix` namespace,
which is guaranteed to be merged last. However, the order of merging isn't
guaranteed in submodules. This causes definitions to be appended to the default
value instead of prepended, breaking backwards compatibility as reported in https://github.com/NixOS/nixpkgs/issues/158356.
The way this is addressed in the module system is with order priorities via
`mkOrder` and sorting definitions before merging. This PR restores the previous
behavior by setting a higher priority to the substituters option defined internally,
thus all definitions with default priority will be merged before it. This was chosen because
the `mkRenamedOption` function does not preserve order priority so users using legacy options do not have
precise control on placement.
This change should suffice for simple configuration, but further revision to the module system
is needed to make various `mk*` functions aware of order priorities.
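An added, self-contained illustration (not the nixpkgs module itself) of the order-priority mechanism the change relies on. It defines a stand-in list option with `evalModules`, gives the internal default a higher order than the default 1000 so that ordinary user definitions sort before it, and can be run with `nix-instantiate --eval --strict order.nix`; the cache URLs other than cache.nixos.org are constructed:

```nix
let
  lib = import <nixpkgs/lib>;

  eval = lib.evalModules {
    modules = [
      # The option: an ordered list, standing in for nix.settings.substituters.
      {
        options.substituters = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          default = [ ];
        };
      }

      # Stand-in for the module's internal definition. mkOrder 1500 is the
      # value mkAfter uses, so it sorts after every definition left at the
      # default order of 1000, whatever order the modules are merged in.
      {
        config.substituters = lib.mkOrder 1500 [ "https://cache.nixos.org/" ];
      }

      # A user definition with no explicit order: default 1000, so it lands
      # before the internal one, restoring the old "prepend" behaviour.
      {
        config.substituters = [ "https://cache.example.org/" ];
      }

      # A user who explicitly wants a cache queried last goes past 1500.
      {
        config.substituters = lib.mkOrder 2000 [ "https://fallback.example.org/" ];
      }
    ];
  };
in
eval.config.substituters
```

Lower order values are merged first, and definitions with equal order keep their module order. Since Nix queries substituters in list order, this is what decides whether a self-hosted cache is consulted before or after cache.nixos.org; all of them still need a matching entry in `trusted-public-keys` for their signatures to be accepted.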
logrotate global options only affect rules following them - as such,
services.logrotate.extraConfig being added last makes the option only
useful for adding new paths but not for setting global options (e.g.
'dateext' so all logs are rotated with a date suffix).
Moving this first solves this problem, and we can then use this instead
of default paths config to append missingok/notifempty.