This will remove all state directories related to CUPS on startup, which
is particularly useful for guaranteeing that printer discovery works
more reliably on some networks, since CUPS will no longer be able to
store state that effects the next run of the service, such as old
printer names and mDNS information.
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
this makes it easier for one to manually administer freshrss.
for example, i can import OPML from the CLI like:
```
$ nix build .#freshrss
$ freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --file my-opml.opml
```
whereas previously i would have needed to include
`environment.systemPackages = [ php ];` in my system for that to work.
The current `ExecStart` will not allow for multiple sockets to properly
be passed to the program since the extra newline character is interpreted to
be part of the socket path.
Configures the `--cache-dir` parameter for the prune and check commands run after backing up. For `check`, also adds a `checkOpts` flag to enable using the cache, since that is disabled by default.
https://discourse.gnome.org/t/split-and-rename-of-chrome-gnome-shell/11075815ec9e1af...v42.0
- Renamed and split into a separate repo from the extensions.
- CMake build replaced with Meson (jq also not needed)
- requests Python module not needed since updates are now solely handled by GNOME Shell itself
Also
- Corrected license
- Cleaned up the module
- Replaced PYTHONPATH in a wrapper by Python environment
Changelog-Reviewed-By: Jan Tojnar <jtojnar@gmail.com>
This option allows for the customization of the description of the
created gitolite user.
An example of this being useful is for the integration of gitolite with
cgit, which itself uses the gitolite user's description as the author of
the git repo displayed in its generated site.
*Flags implies a list
slightly relevant:
> stdenv: start deprecating non-list configureFlags https://github.com/NixOS/nixpkgs/pull/173172
the makeInstalledTests function in `nixos/tests/installed-tests/default.nix` isn't available outside of nixpkgs so
it's not a breaking change
The original implementation had a few issues:
* The secret was briefly leaked since it is part of the cmdline for
`sed(1)` and on Linux `cmdline` is world-readable.
* If the secret would contain either a `,` or a `"` it would mess with
the `sed(1)` expression itself unless you apply messy escape hacks.
To circumvent all of that, I decided to use `replace-secret` which
allows you to replace a string inside a file (in this case
`#static-auth-secret#`) with the contents of a file, i.e.
`cfg.static-auth-secret-file` without any of these issues.
This commit fixes two bugs:
1) When starting a github-runner for the very first time, the
unconfigure script did not copy the `tokenFile` to the state
directory. This case just was not handled so far. As a result, the
runner could not configure. The unit did, however, fail even before
as the state token file is configured as inaccessible for the service
through `InaccessiblePaths=`. As the given path did not exist in the
described case, setting up the unit's namespacing failed.
2) Similarly, the `tokenFile` is also marked as not accessible to the
service user. There are, however, cases where other namespacing
options make the files inaccessible even before `InaccessiblePaths=`
kicks in; thus, they appear as non existing and cause the namespacing
to fail yet again. Prefixing the entry with a `-` causes Systemd to
ignore the entry if it cannot find it. This is the behavior we want.
I also took fixing those bugs as a chance to refactor the unconfigure
script to make it easier to follow.
`privacyidea-token-janitor`[1] is a tool which helps to automate
maintenance of tokens. This is helpful to identify e.g. orphaned tokens,
i.e. tokens of users that were removed or tokens that were unused for a
longer period of time and apply actions to them (e.g. `disable` or
`delete`).
This patch adds two new things:
* A wrapper for `privacyidea-token-janitor` to make sure it's executable
from CLI. To achieve this, it does a `sudo(8)` into the
`privacyidea`-user and sets up the environment to make sure the
configuration file can be found. With that, administrators can
directly invoke it from the CLI without additional steps.
* An optional service is added which performs automatic cleanups of
orphaned and/or unassigned tokens. Yes, the tool can do way more
stuff, but I figured it's reasonable to have an automatic way to clean
up tokens of users who were removed from the PI instance. Additional
automation steps should probably be implemented in additional
services (and are perhaps too custom to add them to this module).
[1] https://privacyidea.readthedocs.io/en/v3.7/workflows_and_tools/tools/index.html
Some networks can only transfer packets with a lower than normal maximum
transfer unit size. In these cases, it is necessary to set a MTU that
works for the given upstream network.
Wireguard can tag its packets with a firewall mark. This can be used for
firewalls or policy routing. This is very useful in some setups where
all traffic should go through a wireguard interface. The wireguard
packets cannot go through the wireguard interface and must be routed
differently, which can be done via the Firewall Mark.
The nixos option `config.networking.wireguard.interface.<name>.fwMark`
is of type `types.str` and not `types.int` to allow for specifying the
mark as a hexadecimal value.
This will clean up the module slightly and bring it more in line with Pantheon & Cinnamon.
While at it do some other refactoring inspired by those modules:
- Correct a typo in light background attribute name.
- Rename the attribute name.
- Quote arguments.
- Extract the overridden package list and override text into variables.
- Avoid having separate copy commands for overrides from packages.
- Avoid `with` statements.
- Use `concatMapStringsSep`.
This allows for easier interop with Moonraker, as well as giving an
ability to store klipper configuration files in /var/lib/klipper, thus not
littering /etc with all the backups SAVE_CONFIG does.
- Added `configFile` as an alternative way to specify configuration
- Added `isMutableConfig` and `mutableConfigPath`
Co-authored-by: @lovesegfault <bernardo@meurer.org>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Bernardo Meurer <bernardo@meurer.org>
`unpaper` requires syscall 238 (`set_mempolicy`).
Add this by un-blocking the systemd syscall filter set `@resources`
which is safe in the context of paperless.
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: a-kenji <aks.kenji@protonmail.com>
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: a-kenji <aks.kenji@protonmail.com>
Co-authored-by: Brian Leung <leungbk@posteo.net>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Co-authored-by: a-kenji <aks.kenji@protonmail.com>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: Brian Leung <leungbk@posteo.net>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
This attribute set isn't passed through the NixOS config resolution
mechanism, which means that we can't use lib.mkDefault here.
Instead, just put it before any user overrides so that if the user
specifies this environment variable it'll just override it anyway.
On spectrum-os.org, mailman-web is run at /lists. With this change,
it's possible for us to switch from a custom uWSGI configuration to
the one now built in to the Mailman module.
In order to be able to use the unixd service with the `verify_ca` and
`verify_hostnames` set to `true` it needs to be able to read the
certificate store. This change bind mounts the cacert paths for the
unixd service.
Allow @resources syscalls in the grafana.service unit. While Grafana
itself does not need them, some plugins (incl. first party) crash if
they fail to setrlimit. This was first seen with the official grafana
Clickhouse datasource plugin.
The @resources syscalls set is fairly harmess anyway.
`paperless-ngx.pythonPath` was incomplete due to the missing paperless-ngx
source, so it had to be amended in the service.
Instead of amending it, define it entirely in the service.
This allows an override of `paperless-ngx.propagatedBuildInputs` to be reflected
in the service's PYTHONPATH.
We are building fwupd daemon with polkit support which means
polkit daemon is required.
Previously polkit was enabled by default via udisks2 but that
stopped with f763710065
breaking the fwupd installed tests as a result.
Let’s add the polkit dependency to the fwupd module to ensure polkit is available.
Handing CAP_NET_BIND_SERVICE to the `paperless-web.service` only makes
sense when it actually wants to bind to a port < 1024. Don't hand it out
if that is not the case.
Finding out how to connect paperless to a PostgreSQL database via unix
sockets and peer authentication took me a few minutes, so leaving a hint
in the extraConfig example seems like a good idea to me.
Also remove unnecessary use of literalExpression for attribute set, it
is only required for complex values like functions or values that depend
on other values or packages.
After uploading a document through the webinterface I started seeing
it killed through the SYSBUS signal. Inspecting the call trace led me to
liblapack's memory allocator, that uses the mbind syscall on Linux.
When switching between different NixOS configurations (with and
without nullmailer and other services), it can happen that the UID of
the nullmailer user changes. When it happens, the nullmailer service
happily starts, but the user cannot send any email, because the
sendmail wrapper doesn't have permission to write them to the queue.
This commit prevents that. Instead of creating the directories by the
nullmailer user, which doesn't have permissions to change ownership,
we now create them by the systemd-tmpfiles, which has sufficient
permissions to adjust ownership.
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
there are sufficiently few variable list around, and they are
sufficiently simple, that it doesn't seem helpful to add another
markdown extension for them. rendering differences are small, except in
the tor module: admonitions inside other blocks cannot be made to work
well with mistune (and likely most other markdown processors), so those
had to be shuffled a bit. we also lose paragraph breaks in the list
items due to how we have to render from markdown to docbook, but once we
remove docbook from the pipeline those paragraph breaks will be restored.
mostly no rendering changes. some lists (like simplelist) don't have an
exact translation to markdown, so we use a comma-separated list of
literals instead.
this mostly means marking options that use markdown already
appropriately and making a few adjustments so they still render
correctly. notable for nftables we have to transform the md links
because the manpage would not render them correctly otherwise.
most of the screen tags used in option docs are actually listings of
some sort. nsd had a notable exception where its screen usage was pretty
much a raw markdown block that made most sense to convert into docbook lists.
the way these are written they introduce lots of whitespace in each
line, which will cause those lines to render as code when converted to
markdown. override the whole description instead.
- Replace misleading docs.
- Add new assertions to let configurations make more sense.
- Add clusterInit flag.
- Add some more docs about HA and non-HA modes setup.
- Improve multi-node tests for HA mode.
Fix https://github.com/NixOS/nixpkgs/issues/182085
Syncthing config XML uses `fsPath` setting for specifying the path to the versioning folder. This commit adds `services.syncthing.folders.<name>.versioning.fsPath` option to enable this functionality declaratively. Previously, `versioning.params.versionsPath` was used, which doesn't work.
This config is removed when removing[1] fonts.fontconfig.hinting.style
option.
However, when adding[2] that option back, this config is missing.
[1]: 65592837b6
[2]: 659096dd89
no change in rendered output. the html manual could render <screen>
blocks differently, but so far it hasn't (and if we need to make a
distinction we can use a special info string).
this notable also now interprets a markdown-flavored list in
triton_sd_config as actual markdown and renders it differently, but this
is arguably for the better (and probably the original intention).
no other rendering changes.
there seems to be a lot of markdown in the prometheus module that
should've been docbook instead. temporarily convert it to docbook to
keep the diff for the docbook->md conversion of prometheus inspectable.
When `nix.registry.<name>.flake` option is used, additional attributes of the flake were not written to the flake registry file because of a missing parenthesis.
#167013 introduced a property conflict with the concurrently-written commit
aea940da63, over property
systemd.services.prosody. Fix this by moving the reload option into the block.
This option is based on a recommendation from a page last updated in
2014 (see https://www.freedesktop.org/wiki/Software/Glamor/), and it
is not necessary anymore.
Also, it did the wrong thing: it forced DRI2, but Glamor should also
work with DRI3, that is a better option most of the time. So let's
remove this option, folks that still want to force this manually can do
so in other ways.
The split of Ethereum into Execution Layer and Consensus Layer adds a
requirement for communication between execution client and consensus
client using secur JWT tokens. In Geth this is configurable using the
`--authrpc.*` CLI flags which are currently not exposed by this service.
For more details read the following article:
https://geth.ethereum.org/docs/interface/consensus-clients
Signed-off-by: Jakub Sokołowski <jakub@status.im>
These are now required otherwise startup fails with:
> TypeError: 'NoneType' object is not subscriptable
The chosen levels are stricter than default but don't require unsupported signing or DB editing so seem like a reasonable high bar for now. It is easy for users to lower the levels so it is better to be stricter by default.
Default levels: 0ce0588725/mautrix_facebook/example-config.yaml (L247-L263)
using regular strings works well for docbook because docbook is not as
whitespace-sensitive as markdown. markdown would render all of these as
code blocks when given the chance.
a lot of markdown syntax has already snuck into option docs, many of it
predating the intent to migrate to markdown. we don't convert all of it
here, just that which is accompanied by docbook tags as well. the rest
can be converted by simply adding the mdDoc marker.
this renders the same in the manpage and a little more clearly in the
html manual. in the manpage there continues to be no distinction from
regular text, the html manual gets code-type markup (which was probably
the intention for most of these uses anyway).
In version 1.5.5 of fwupd the uefi plugin was renamed to
uefi-capsule. As part of those changes the configuration file was
renamed and changed.
This modules configuration mismatch was generally hidden because
when udisks2 is enabled fwupd will use that instead. Without
udisks2 the following warning is seen:
WARNING: UEFI ESP partition not detected or configured
Enable keter module
Keter is an apploader which:
1. has the old app running on a port.
2. loads a new one, and wait for that to complete
3. switches the old with the new one once the new one finished loading.
It supports more functionality but this use case
is the primary one being used by supercede.
Adds keter as a module to nixos.
Currently keter is unusable with nix,
because it relies on bundeling of a tar and uploading that to a specific folder.
These expressions automate these devops tasks,
with especially nixops in mind.
This will work with versions above 1.8
The test seems to work.
This uses a new version of keter which has good
support for status code on error pages.
We're using this config at production at supercede
so it should be fine.
Squash log:
==========
mention keter in changelog
Update generated release notes
Always restart keter on failure
This is a little bit of extra stability in case keter crashes.
Which can happen under extreme conditions (DoS attacks).
Update nixos/doc/manual/release-notes/rl-2205.section.md
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/module-list.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Remove sanitization
don't put domain in as a string
Update nixos/tests/keter.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
add jappie as module maintainer
Use type path instead of two seperate options
Fix generated docs
added test machinery to figure out why it's failing
Fix the test, use console output
run nixpkgs-fmt on all modules
Inline config file.
This get's rid of a lot of inderection as well.
Run nix format
remove comment
simplify executable for test
delete config file
add config for keter root
Remove after redis clause
set keter root by default to /var/lib/keter
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
fix nit
add newlines
add default text and move description in a long description
Delete rather obvious comment
fix release db thing
remove longDescription and put it in a comment instead
change description of mkEnalbeOption
explain what keter does by using the hackage synopsis
set domain to keterDomain and same for executable
move comment to where it's happening
fix type error
add formatting better comment
try add seperate user for keter
Revert "try add seperate user for keter"
This reverts commit d3522d36c96117335bfa072e6f453406c244e940.
Doing this breaks the setup
set default to avoid needing cap_net_bind_service
remove weird comment
use example fields
eleborated on process leakage
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
run nixpkgs-fmt
update docs
Fix formatting, set keter package by default
format our little nixexpr
replace '' -> " where possible
drop indent for multiline string
make description much shorter
regen docs database
Other popular distros (OpenSuse, Ubuntu, Gentoo, Arch) read $HOME/.profile when starting X11 display managers.
When moving to nixOS, that is then broken leading to unpredictable behavior (probably programs not working).
This adds similar behavior to https://github.com/sddm/sddm/blob/develop/data/scripts/Xsession
Related to #185979
The `runsvc.sh` script wraps a JavaScript script which starts
`Runner.Listener` and also handles failures. This has the downside that
the service _always_ exits with status code 0, i.e., success. This
causes frequent service restarts when running in ephemeral mode with a
faulty config as Systemd always sees a success exit status. To prevent
this, this commit changes the service config to call `Runner.Listener`
directly. The JavaScript wrapper stops the process with a SIGINT, hence,
the Systemd unit now sends a SIGINT to stop the service.
Adds the module option `ephemeral`. If set to true, configures the
runner registration with the `--ephemeral` option. This causes the
runner to exit after processing a single job, to de-register itself, and
to delete its configuration. Afterward, systemd restarts the service
which triggers a new ephemeral registration with a clean state.
This commit introduces support for runner registrations through a
personal access token (PAT). To use a PAT instead of a registration
token, place an appropriately scoped PAT in `tokenFile`. If the file
contains a PAT, the configuration script queries a new runner
registration token. Using a runner registration token directly continues
to work as before.
Using the runtime directory as `RUNNER_ROOT` is wrong. We should always
use the state directory like we already do when invoking the runner
configure script. Otherwise, the runner constructs the wrong path for
some files (.credentials, .runner, ...).
This is to ensure the targets are stopped when nscd is stopped to
prevent races on switch. Example interaction: nscd is stopped, some
service that requires nss-user-lookup.target is restarted. Without this
PR, nss-user-lookup.target would still be active, hence the service
would start without nscd running.
Plausible fails on start because clickhouse is not ready,
when clickhouse has low CPU available, eg.
```nix
{systemd.services.clickhouse.serviceConfig.CPUWeight = 20;}
```
Fixed with
```nix
{systemd.services.plausible.after = [ "clickhouse.service" ];}
```
This was enabled by default in 18a7ce76fc
with the reason that it would be "useful regardless of the desktop
environment.", which I'm not arguing against.
The reason why this should not be enabled by default is that there are a
lot of systems that NixOS runs on that are not desktop systems.
Users on such systems most likely do not want or need this feature and
could even consider this an antifeature.
Furthermore, it is surprising to them to find out that they have this
enabled on their systems.
They might be even more surprised to find that they have polkit enabled
by default, which was a default that was flipped in
a813be071c. For some discussion as to why
see https://github.com/NixOS/nixpkgs/pull/156858.
Evidently, this default is not only surprising to users, but also module
developers, as most if not all modules for desktop environments already
explicity set services.udisks2.enable = true; which they don't need to
right now.
Currently, it is not possible to supply sensitive credentials like
`ldap_default_authtok` without writing them to the nix store. This
This commit introduces a new option `environmentFile` where those
credentials can be supplied via environment substitution.
- improve some descriptions
- device -> devices
- add options
- extraArgs
- port
- create a symlink in RUNTIME_DIRECTORY
- grant it read permission of /dev/uinput
- relax network-related restrictions when port is used
- change type of some hardening options to list to align with systemd
- CapabilityBoundingSet
- IPAddressDeny
- SystemCallArchitectures
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.
no change to the manpage, changes to the HTML manual are whitespace only.
Upstream XMonad was using our xmonad patch file for their flake build to
support our nixos module. This would of course break the build upstream
if the version we patched and their master branch diverged. We
[discussed] that it'd make sense to upstream the environment var code.
In the process it seemed sensible to rename the NIX_GHC variable as
well, since it isn't really Nix-specific – it's just a way to set the
GHC binary to execute. This change has been [implemented] upstream in an
unreleased version of xmonad now – meaning we'll be able to drop the
xmonad patch soon!
This also clarifies the situation in nixpkgs a bit: NIX_GHC is easy to
confuse with the environment variable used in the ghcWithPackages
wrapper where it is used to set an alternative prefix for a GHC-wrapper
for applications trying to discover it via e.g. ghc-paths. It is an
implementation detail in this context, as it is in the case of the
xmonad module. Since they are different implementations doing different
things, different names also make sense.
[discussed]: 36d5761b3e
[implemented]: 23f36d7e23
A larger number of bluetooth components were introduced in 2022.8.0. To
make them work we need to add a hardening exception, so they can
discover and use bluetooth devices.
make (almost) all links appear on only a single line, with no
unnecessary whitespace, using double quotes for attributes. this lets us
automatically convert them to markdown easily.
the few remaining links are extremely long link in a gnome module, we'll
come back to those at a later date.
we can't embed syntactic annotations of this kind in markdown code
blocks without yet another extension. replaceable is rare enough to make
this not much worth it, so we'll go with «thing» instead. the module
system already uses this format for its placeholder names in attrsOf
paths.
markdown can't represent the difference without another extension and
both the html manual and the manpage render them the same, so keeping the
distinction is not very useful on its own. with the distinction removed
we can automatically convert many options that use <code> tags to markdown.
the manpage remains unchanged, html manual does not render
differently (but class names on code tags do change from "code" to "literal").
our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.
only whitespace changes to generated documents, except for two
strongswan options gaining paragraph two breaks they arguably should've
had anyway.
Enabling soju without providing a value for tlsCertificate currently
results in:
error: The option `services.soju.tlsCertificate' is used but not
defined.
Since tlsCertificate is intended to be optional, set default to null.
Additionally, add assertions to ensure that both tlsCertificate and
tlsCertificateKey are either set or unset.
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute who's value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
For reference:
- ./nixos/modules/services/monitoring/grafana.nix
- 80192f1fe3/debian/service
- 5894b9b77a/trunk/prometheus.service
I have omitted the Limit* as they do not appear to be commonly used in
NixOS, and, per `man systemd.exec`, are less preferred vs. cgroup
limits.
Move the defaults to the `config` section of the module, and apply them
with mkDefault.
That way the defaults are merged with user-provided config, and are
merged without having to use lib.mkForce.
That way the `backupCleanupCommand` can also run when the backup service
failed for some reason.
Fixes: #182089.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
