The default of 4GB is too low for a production setup and causes
DependencyTrack to hit java.lang.OutOfMemoryError. This causes
Dependency Track to enter a weird state where it will throw 502 and
504 errors.
The initial 4GB was set to make Dependency Track run in the (too
small) VM in the NixOS integration test. Move the explicit heap
configuration there. For the service itself, we now don't set a limit.
This means the JVM will choose its maximum heap on its own, which does
a much better job for realistic scenarios.
I added a release note, because people who run Dependency Track on
very tiny VMs/machines may experience issues.
The project has been unmaintained for a while now and has started failing to build.
Abandonment notice from the maintainer: https://github.com/hbons/SparkleShare/issues/2006
It has been a good run but it is time to say goodbye. Thanks to hbons for all of the work over the years. It looks like there is a good chance of a fork living on but it will take time to see how that shakes out. So for now let's just remove the package.
Introduces `services.varnish.listen` as a list of structured
listen addresses with all allowed variations of arguments
documented in the man page.
Deprecates `services.varnish.http_address`.
This reverts commit a794031c59.
With the following additions:
Allow `CAP_KILL`, so the dovecot master process may interrupt its child
processes.
Allow new privileges, so dovecot and call the setuid sendmail executable.
Allow AF_NETLINK sockets, so dovecot sieve handling can use the
getifaddrs syscall.
Finally, we now asssert, that no options are set on the legacy dovecot2
systemd unit name, to make the user aware they need to update their
overrides.
The tee-supplicant is a program that interacts with OP-TEE OS and allows
loading trusted applications at runtime (among other things). There is
an `optee` test included that uses the pkcs11 trusted application (in
upstream OP-TEE OS), loads it during system startup via tee-supplicant,
and uses `pkcs11-tool` to list available token slots.
Sourcehut went a year with no update in nixpkgs, the packages did not
build for months, the module has issues at runtime, one of the
maintainers stopped using NixOS entirely and the other two don't respond
to issues.
Upstream has since also deprecated the Arch Linux and Debian
repositories to install Sourcehut. The only official way that remains is
Alpine Linux on x86_64-linux.
It is unclear where this list originated, but it doesn't make sense to
ship it with all networkmanager installations. The most excessive plugin
is openconnect, that ships a 250 MB closure including webkitgtk.
Instead users now have to specify the plugins they want explicitly. I
updated the option to give hints on how to find them as best as I can.
The new postgresql.target will now wait until recovery is done and
read/write connections are possible.
This allows ensure* scripts and downstream migrations to work properly
after recovery from backup.
Resolves#346886
This avoids restarting the postgresql server, when only ensureDatabases
or ensureUsers have been changed. It will also allow to properly wait
for recovery to finish later.
To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.
Resolves#400018
Co-authored-by: Marcel <me@m4rc3l.de>
There exist multiple issues with these options, for example they are not
introspectable, since the values are configured in the config part of the
module.
Also the keypair is always configured for both server and client usage,
which is really surprising. The postfix docs even advise against setting
up client certificates, if they aren't required. [1]
The replacements are the `smtpd_tls_chain_files` for server usage and
`smtp_tls_chain_files` for client usage, which are the prefered way to
configure keys and certificates since Postfix 3.4.0. [2]
[1] https://www.postfix.org/postconf.5.html#smtp_tls_cert_file
[2] https://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
* pkgs.formats.yaml_1_2: init
Same as YAML 1.1 but relies on the unpinned remarshal version which emits
YAML 1.2.
* nixos/postfix-tlspol: init
MTA-STS and DANE/TLSA resolver and TLS policy socketmap server for
Postfix.
* nixos/tests/postfix-tlspol: init
Simple test if the service comes up and the CLI can interact with it and
gives reasonable results.
The no-broken-symlinks hook does not fail if bad links exist out of
store, but /build is also a special directory for nix derivations: the
build directory in the builder mount namespace.
There should be no link to /build in the output derivation, so also
error on these directories (through $TMPDIR which default to that)
Closes#410508
vmalert only supports a single datasource for querying metrics and
managing alerts. Because of that, we need two instances to manage alerts
for both VictoriaLogs and VictoriaMetrics.
This is strongly inspired by the change made to Redis, i.e. a new
`instances` option was introduced with each option inside it.
With `mkRenamedOptionModule` it's ensured that existing configurations
still evaluate to the same result.
Add a module for pihole-ftl, which allows declaratively defining the
pihole.toml config file.
Also provide options for adlists to use, which can be added through the pihole
script (packaged as "pihole"). Other state such as clients and groups require
complex database operations, which is normally performed by the pihole
webapp (packaged as "pihole-web").
Extend the dnsmasq module to avoid duplication, since pihole-ftl is a soft-fork
of dnsmasq which maintains compatibility.
Provide the pihole script in `environment.systemPackages` so pihole-ftl can be
easily administrated.
On AMD GPU, you should enable overdrive mode by using `hardware.amdgpu.overdrive.enable = true;` in your configuration.
Co-authored-by: PopeRigby <poperigby@mailbox.org>
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
Since DEs like KDE Plasma 6, GNOME and COSMIC are not designed to be X11-exclusive, putting them under `services.xserver` is misleading. In particular, GNOME defaults to Wayland these days and X11 support is going to be dropped in near future.
Let’s follow Plasma and move GNOME NixOS options out of `xserver` attribute.
This patch does not include any changes to X11 support itself.
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
This contains breaking changes, see https://pocket-id.org/docs/setup/migrate-to-v1/.
The frontend now generates only static files and no longer includes a
binary for serving them. The backend has taken over the responsibility
of serving the static assets.
Co-authored-by: ymstnt <21342713+YMSTNT@users.noreply.github.com>
