"Update History" (release notes):
https://www.ibm.com/support/pages/node/6998343
At the time of this writing,
the "APAR" links of the "Update History" lead to 404.
However, the abstracts indicate that
this update is not security critical.
Note that this update changed the GUI window title
to "IBM Storage Protect"
(the product itself was renamed with version 8.1.19.0 already).
The commit at hand adapts the GUI vm test accordingly.
Also, all URLs in package and module comments are updated.
To help users migrate from the previous
settings to new freeform settings type,
the commit at hand adds some
`mkRemovedOptionModule` and `mkRenamedOptionModule`.
These modules are not designed to work
inside an attribute set of submodules.
They create values for `assertions` and
`warnings` to inform the user of required changes.
Also, these informational texts do not contain
the full attribute path of the changed options.
To work around these deficiencies,
we define the required options `assertions` and `warnings`
inside the submodule and later add the values collected
inside these options to the corresponding top-level options.
In the course of doing so, we also add the full attribute path
to the informational texts so the user knows these warning
and error messages refer to the `tsmClient.servers` option.
Also, we have to filter out `warnings`, `assertions`, and
the "old" options when rendering the target config file.
Check for spaces or duplicate names in server config keys.
Since server config keys are case insensitive,
a setting like
```nix
{
  compression = "yes";
  Compression = "no";
}
```
would lead to an ambiguous configuration.
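The ambiguity described above, as an added shell example (it is not the module's own Nix code): a checker for the rendered text form of one server section. It assumes a constructed `key=value` line format on stdin (the key is everything before the first `=`) and applies the same two rules the commit mentions, no spaces in keys and no keys that collide once case is ignored.

```shell
#!/bin/sh
# Added example, not the nixpkgs module's code. Validates tsm-client server
# config keys: they are case-insensitive, so "compression" and "Compression"
# would be one ambiguous setting, and a key must not contain spaces.
# Reads constructed "key=value" lines on stdin, prints one line per problem,
# exits 0 when the section is clean and 1 otherwise.
check_server_keys() {
  awk '
    BEGIN { bad = 0 }
    NF == 0 { next }                               # ignore blank lines
    {
      eq = index($0, "=")
      if (eq == 0) { print "malformed line (no \"=\"): " $0; bad = 1; next }
      key = substr($0, 1, eq - 1)
      if (key ~ / /) { print "key contains a space: \"" key "\""; bad = 1 }
      lower = tolower(key)                         # compare keys case-insensitively
      if (lower in seen) {
        print "ambiguous key: \"" key "\" vs \"" seen[lower] "\""
        bad = 1
      } else {
        seen[lower] = key                          # remember the first spelling seen
      }
    }
    END { exit bad }
  '
}

# Usage (constructed input, mirrors the example in the commit message):
#   printf 'compression=yes\nCompression=no\n' | check_server_keys
```

Running the usage line reports the `Compression` / `compression` collision and exits non-zero; a section whose keys differ in more than case passes silently.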
`tsm-client` uses a global configuration
file that must contain coordinates for each
server that it is supposed to contact.
This configuration consists of text
lines with key-value pairs.
In the NixOS module, these servers may be declared
with an attribute set, where the attribute name
defines an alias for the server, and the value
is again an attribute set with the settings for
the respective server.
This is organized as an option of type `attrsOf submodule...`.
Before this commit:
Important settings have their own option within
the submodule. For everything else, there is
the "catch-all" option `extraConfig` that may
be used to declare any key-value pairs.
There is also `text` that can be used to
add arbitrary text to each server's
section in the global config file.
After this commit:
`extraConfig` and `text` are gone,
the attribute names and values of each server's attribute
set are translated directly into key-value pairs,
with the following notable rules:
* Lists are translated into multiple lines
with the same key, as such is permitted by
the software for certain keys.
* `null` may be used to override/shadow a value that
is defined elsewhere and hides the corresponding key.
Those "important settings" that have previously been
defined as dedicated options are still defined as such,
but they have been renamed to match their
corresponding key names in the configuration file.
There is a notable exception:
"Our" boolean option `genPasswd` influences the "real"
option `passwordaccess`, but the latter one is
uncomfortable to use and might lead
to undesirable outcome if used the wrong way.
So it seems advisable to keep the boolean option
and the warning in its description.
To this end, the value of `genPasswd` itself is
later filtered out when the config file is generated.
The tsm-backup service module and the vm test are adapted.
Migration code will be added in a separate
commit to permit easy reversal later, when the
migration code is no longer deemed necessary.
With the tsm-client 8.1.19.0 release,
IBM renamed the product brand from
"IBM Spectrum Protect" to "IBM Storage Protect":
https://www.ibm.com/support/pages/node/6964770 .
The package already got updated in commits
5ff5b2ae4c and
a4b7a62532 .
The commit at hand updates the modules accordingly.
Instead of the `defaultSwayPackage` variable that overrides `pkgs.sway`, use a
function that will override the user-defined package, but only if the package
contains the necessary arguments.
In my case I'd like to be able to add `-m last` to `cage` to make sure
that the login form from regreet isn't displayed half on my external
monitor and half on my laptop screen, but on the last connected monitor
only.
That's basically the issue described in #226586, though it's not a
proper fix since the login form is shown on one monitor only.
I noticed that openvpn3 has been clobbering my `/etc/resolv.conf` file. I
dug around a bit, and it turns out that upstream actually does have
support for systemd-resolved. I think it makes sense for us to
automatically enable that feature if the system is configured to use
systemd-resolved.
I opted to not change the default behavior of `pkgs.openvpn3`, but can
easily be convinced to change that if folks think I should.
Otherwise, in non-interactive contexts (e.g. systemd units), this
entry (the default) won't be in the list. Only the profile relative
ones would be, since they were already using session variables. This
is clearly not the correct behavior.
* `sort (<)` also works for strings (TIL!), so no need for comparing
length and whether all keys from `cfg.settings` exist in `cfg.order`
(slightly less overhead).
* Don't build another piece of JSON (`orderedSections`), simply use
`cfg.settings`/`cfg.order` with `__structuredAttrs` to ensure a
properly ordered TOML.
This also has the upside of not having to do quote hackery.
* Also, a freeform submodule isn't strictly needed because we don't have
any special options defined, so replacing that with
`attrsOf format.type`.
Co-authored-by: Silvan Mosberger <github@infinisil.com>
and remove nano from environment.defaultPackages. In addition also cleanup the file in general.
This is a follow up to #220481
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
Prior to this commit the derivation assumed a user's primary group has
the same name as the user themselves. This is standard on Linux but not
necessary (and indeed I believe not the default on NixOS).
Closes #232184
Rather than using `priority` with `sortProperties`, a new option called
`order` defines the ordering of the sections. I.e.
```nix
order = [ "global" "uptime" "banner" ]
```
means that `uptime` comes before `banner`. Please note that `global` is
for global settings and not a section. I figured that it'd be too much
magic to hide this in the implementation and ask the user to specify the
order of _each_ section in `settings` instead.
OTOH this makes the intent way clearer than priorities. Also, this
remains opt-in, the option defaults to `attrNames cfg.settings`, i.e.
all sections ordered alphabetically.
Closes #234802
The problem here is that with e.g.
```nix
{
  uptime.prefix = "Up";
  banner.command = "hostname | figlet -f slant";
}
```
`banner` still appears before `uptime` in the final motd text because
Nix sorts attribute names alphabetically internally.
To work around this without breaking compatibility or losing the
property to override individual sections in other modules - e.g.
```nix
{
  banner.color = mkForce "blue";
}
```
I decided to introduce an option `priority` here, similar to the
priority field for `nginx`[1] and with the same semantics (i.e. higher
value means lower priority).
Internally a bunch of env vars are generated, i.e. `env0` to `envN` for
`N` sections with each of them containing a declaration for the TOML,
i.e. `env0` contains `{ uptime.prefix = "Up"; }` and `env1` contains
`{ banner.command = "hostname | figlet -f slant"; }` if `uptime.priority`
is set to a value below 1000.
In this order, the declarations are concatenated together by `jq(1)`
which doesn't sort keys alphabetically which results in a JSON
representation with `uptime` before `banner`. This is finally piped to
`json2toml` which converts this into TOML for rust-motd.
[1] https://nixos.org/manual/nixos/unstable/options#opt-services.nginx.virtualHosts._name_.locations._name_.priority
Use "$out/var/lib" as LOCALSTATEDIR configuration value
by default instead of "/var/lib"
as a way toward top-level-directory independent runtime.
Add input argument externalLocalStateDir to optionally specify the
path to external LOCALSTATEDIR if not null.
Add NixOS module option
programs.singularity.enableExternalLocalStateDir (default to true)
to use "/var/lib" as LOCALSTATEDIR.
We set[1] ASPELL_CONF to the last nix profile containing lib/aspell in
2013. In 2017, aspell is patched[2] to search NIX_PROFILES, which
makes [1] not needed any more.
Deleting it is also agreed in this discussion[3].
[1]: 0192c02720
[2]: ba4cefe4ae
[3]: https://github.com/NixOS/nixpkgs/pull/30234
remove `with lib;`
profiles option now accepts packages in addition to paths.
profiles option is no longer internal.
cfgDir definition has been inlined.
pulled GIO_EXTRA_MODULES inside mkif.
removed pointless comments with section headings.
defined profiles are now turned into package, allowing to simplify the db update logic.
If other sockets are enabled, such as gpg-agent-browser.socket,
those should be started before gpg-agent.service as well.
Change-Id: I29d3f4b19db9e687425b594dcef863a88ec296c9
Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)`
as unprivileged user if this operation doesn't imply escaping a VRF
interface[1].
Dropping the wrapper is actually desirable because `captive-browser`
itself doesn't drop capabilities and as a result, the capabilities are
passed on to `chromium` itself[2].
For older kernels, this is still necessary, hence the wrapper will only
be added nowadays if the kernel is older than 5.7.
[1] c427bfec18
[2] 08450562e5/bind_device_linux.go (L11-L14)
and because our setcap wrapper makes all capabilities
inheritable.
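The kernel-version gate that the captive-browser change describes, as an added shell example (not the nixpkgs module's own code). Before Linux 5.7, `SO_BINDTODEVICE` required `CAP_NET_RAW`, which is why a setcap wrapper was needed; on 5.7 and later the wrapper, and the inheritable capabilities it would hand on to `chromium`, can be left out. The function takes a kernel release string (defaulting to `uname -r`) and returns success only when a wrapper is still required.

```shell
#!/bin/sh
# Added example, not from the nixpkgs commit. Decides whether a setcap wrapper
# is still needed for SO_BINDTODEVICE: unprivileged processes may use it since
# Linux 5.7 (unless it would escape a VRF), so only older kernels need the
# CAP_NET_RAW wrapper. Returns 0 (true) when the wrapper is needed.
needs_bindtodevice_wrapper() {
  release=${1:-$(uname -r)}          # e.g. "5.4.0-123-generic"
  major=${release%%.*}               # "5"
  rest=${release#*.}                 # "4.0-123-generic"
  minor=${rest%%.*}                  # "4" (or "7-rc1" for "5.7-rc1")
  minor=${minor%%-*}                 # drop any "-rc1" style suffix

  # Kernel >= 5.7: no wrapper, so unprivileged bind and no leaked capabilities.
  if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }; then
    return 1
  fi
  return 0
}

# Usage: only wrap the binary on kernels that still require the capability.
#   if needs_bindtodevice_wrapper; then echo "add setcap wrapper"; fi
```

Keeping the gate explicit means the capability grant, and the wider blast radius it implies for every child process, disappears automatically on kernels that no longer need it rather than lingering as a default.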
Unfortunately there's no test for me to confirm that it works,
so all I can do is ask for maintainers, unfortunately -- I mean...
This is your opportunity!
Fix regression where the systemd units for atop are no longer
automatically started at boot when programs.atop.enable = true.
Regression was introduced in commit: 09350ff7d4
nixos/atop: Convert log format to fix service start
This commit restructures the atop systemd service config so that the
code to convert the log format gets configured as a preStart script
along with the addition of the wantedBy rule.
8ea644997f moved the configuration outside
the pinentryFlavor check, causing evaluation to fail when it was set to
null.
960a5142aa removed the upstream systemd
units, causing gpg-agent.service to be conditional on pinentryFlavor.
It is currently not obvious how to install/use xonsh with dependencies and python packages.
This PR implements a wrapper that allows you to construct a custom xonsh environment by using:
``` nix
xonsh.override { extraPackages = ps: [ ps.requests ]; }
```
This allows users to set
`programs.firefox.nativeMessagingHosts.euwebid = true` to make the
native companion app available in Firefox.
It's used by the Web eID browser extension
(https://addons.mozilla.org/en/firefox/addon/web-eid-webextension/),
which can be tried out at https://web-eid.eu/ - pressing the
"Authenticate" button there should open a new window.
Else the files in the runtime can't be accessed from the vimrc. I also remove the /etc. I thought it's a leftover of the old runtime implementation which is replaced in 307b125.
Co-authored-by: linsui <linsui555@gmail.com>
Before, setting {option}`programs.steam.package` would result in a steam without
the {option}`hardware.opengl.package`, {option}`hardware.opengl.extraPackages`
etc. You had to manually add them yourself.
Additionally, overlaying `steam = prev.steam.override { extraLibraries = [ ... ]; }`
resulted in those extra libraries not actually being put into the fhsenv because
they'd be fully overridden by the option's default.
Now, the user can supply a custom steam to {option}`programs.steam.package` with
its own list of extraLibraries which will not be overridden and overlays work as
expected too.
environment.systemPackages can include any package, which means it can
be a top-level store path that is not a derivation and thus will not
have a name attribute - their name is extracted from the path instead.
This patch provides input arguments `newuidmapPath` and `newgidmapPath`
for apptainer and singularity to specify the path to the SUID-ed executables
newuidmap and newgidmap where they are not available from the FHS PATH.
As NixOS places those suided executables in a non-FHS position
(/run/wrapper/bin), this patch provides
programs.singularity.enableFakeroot option and implements it with the above
input parameters.
Upstream changes:
singularity 3.8.7 (the legacy) -> apptainer 1.1.3 (the renamed) / singularity 3.10.4 (Sylabs's fork)
Build process:
* Share between different sources
* Fix the sed regexp to make defaultPath patch work
* allowGoReference is now true
* Provide input parameter removeCompat (default to false)
that removes the compatible "*singularity*" symbolic links
and related autocompletion files when projectName != "singularity"
* Change localstatedir to /var/lib
* Format with nixpkgs-fmt
* Fix the defaultPath patching
and use it instead of the `<executable> path` config directive
deprecated in Apptainer
* Provide dependencies for new functionalities such as
squashfuse (unprivileged squashfs mount)
* Provide an attribute `defaultPathInputs` to override
prefix of container runtime default PATH
NixOS module programs.singularity:
* Allow users to specify packages
* Place related directories to /var/lib
* Format with nixpkgs-fmt
singularity-tools:
* Allow users to specify packages
* Place related directories to /var/lib when building images in VM
fixes this warning:
```
cdrecord <= 2.01.01a05 will be run with root privileges on kernel >= 2.6.8
Since Linux kernel 2.6.8 cdrecord <= 2.01.01a05 will not work when run suid root for security reasons anymore.
```
Before this change, starting atop regularly caused a quadratic
increase in the number of log files over time, as each daily log file
was copied (multiple times) to a new file, and then left there because
the upgrade was a no-op. This eventually led to atop being unable to
start because the log file name became too long!
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh
since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).
also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
MD can only do the latter, so change them all over now to keep diffs reviewable.
this also includes <literal><xref> -> <xref> where options are referenced since
the reference will implicitly add an inner literal tag.
markdown cannot represent those links. remove them all now instead of in
each chapter conversion to keep the diff for each chapter small and more
understandable.
When this module was first introduced, it processed the runtime option
in a way that nested the resulting files and directories under an etc
directory.
https://github.com/NixOS/nixpkgs/pull/98506/files#diff-685092dbb1852fbf30857fe3505d25dc471dc79d0f31c466523b5f5822b68127R11-R21
That implementation relied on nixos/modules/system/etc/make-etc.sh, a
script that was later removed.
eb7120dc79
The implementation was updated to use linkFarm, which changed the
behavior slightly, in that the configured files and directories are no
longer automatically nested under an etc directory.
307b1253a7
But the module still configures neovim's runtimepath in a way that
assumes the old nesting behavior.
04f574a1c0/nixos/modules/programs/neovim.nix (L173)
Restore the original behavior, nesting runtime files and directories
under an etc directory.
This fixes a typo that prevented the fish keybindings from being loaded.
Also, the keybindings are now only loaded if programs.skim.keybindings
is true, which matches the behavior for bash and zsh.
Building etc."fish/setEnvironment.fish" needs
config.system.build.setEnvironment, which can be very large. And what
babelfishTranslate does is to translate env vars exported by bash
syntax, which does not need much computing power.
This patch can reduce the network traffic when using remote builders
with almost no harm.
Both Zsh and Bash support aliases that begin with characters also used to
indicate options to the “alias” built-in command, as long as the alias
definition is preceded by a double dash.
This allows, e.g., for “alias -- +x=chmod +x”.
When a script specifies the shell option “nounset” as part of the shebang (e.g.,
via “#!/usr/bin/env -S zsh -u”), our initialization scripts would produce error
messages of the form:
```
__ETC_FOO_SOURCED: parameter not set
```
These messages could probably be confusing to users when running such scripts.
By providing a fall-back in the parameter expansion, we can avoid them.
This patch does not address interactive shell start-up, where such messages may
(or may not) be less problematic.
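The fall-back the commit describes, as an added shell example that is not the nixpkgs init script itself: a "source this file only once" guard in its naive form beside the `${VAR-}` form, plus a helper that runs either guard in a subshell with `set -u` enabled so the difference is observable. The variable name `__ETC_FOO_SOURCED` is taken from the message above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the nixpkgs commit. Shows why a "sourced already?"
# guard must use a parameter-expansion fall-back when the calling script runs
# with nounset (`set -u`, or `#!/usr/bin/env -S zsh -u`).

# Naive guard: under nounset the first test aborts the script with
# "__ETC_FOO_SOURCED: parameter not set", because the variable is unset.
naive_source_guard() {
  if [ -n "$__ETC_FOO_SOURCED" ]; then return 1; fi
  __ETC_FOO_SOURCED=1
  return 0
}

# Safe guard: `${VAR-}` expands to the empty string when VAR is unset, so
# nounset has nothing to complain about and the first run still proceeds.
# Returns 0 the first time, 1 on every later call.
safe_source_guard() {
  if [ -n "${__ETC_FOO_SOURCED-}" ]; then return 1; fi
  __ETC_FOO_SOURCED=1
  return 0
}

# Run a guard in a fresh subshell with nounset enabled and report whether the
# shell survived its first invocation. Prints "ok" or "error".
run_under_nounset() {
  if ( set -u; unset __ETC_FOO_SOURCED; "$1" ) 2>/dev/null; then
    echo ok
  else
    echo error
  fi
}

# Usage:
#   run_under_nounset naive_source_guard   # error
#   run_under_nounset safe_source_guard    # ok
```

The same `${VAR-}` spelling is portable to bash, dash and zsh, so one guard serves every shell the init scripts are sourced from.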
Zsh ships some rudimentary completions for programs where upstream also ships
their own completions (e.g., curl). So as not to shadow those completions, we
need to prepend to the fpath instead of appending.
Fixes #197502
Neovim does not load the user configuration when enabled through the
module, unlike when the package is added to the home or system packages
directly. I think this difference is worth mentioning in the module's
documentation, because it was confusing to some friends.
Optional functionality of AusweisApp2 requires a UDP port to be opened.
The module allows for convenient configuration and serves as documentation.
See also https://github.com/NixOS/nixpkgs/issues/136269
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
```
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
```
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
this mostly means marking options that use markdown already
appropriately and making a few adjustments so they still render
correctly. notable for nftables we have to transform the md links
because the manpage would not render them correctly otherwise.
Makes it easier to configure `rust-motd`. Currently, it takes care of
the following things:
* Creating a timer to regularly refresh the `motd`-text and a hardened
service (which is still root to get access to e.g. fs-mounts, but
read-only because of hardening flags).
* Disabling `PrintLastLog` in `sshd.conf` if the last-login feature of
`rust-motd` is supposed to be used.
* Ensure that the banner is actually shown when connecting via `ssh(1)`
to a remote server with this being enabled.
Long story short: the SSH agent protocol doesn't support telling from
which tty the request is coming from, so the pinentry curses prompt
appears on the login tty and messes up the output and may hang.
The current trick to workaround this is informing the gnupg agent every
time you start a shell: this assumes you will run `ssh` in the latest
tty, if you don't the latest tty will be messed up this time.
The ideal solution would be updating the tty exactly when (and where)
you run `ssh`. This is actually possible using a catch-all Match block
in ssh_config and using the `exec` feature that hooks a command to the
current shell.
Source for the new trick: https://unix.stackexchange.com/a/499133/110465
this renders the same in the manpage and a little more clearly in the
html manual. in the manpage there continues to be no distinction from
regular text, the html manual gets code-type markup (which was probably
the intention for most of these uses anyway).
make (almost) all links appear on only a single line, with no
unnecessary whitespace, using double quotes for attributes. this lets us
automatically convert them to markdown easily.
the few remaining links are extremely long links in a gnome module, we'll
come back to those at a later date.
we can't embed syntactic annotations of this kind in markdown code
blocks without yet another extension. replaceable is rare enough to make
this not much worth it, so we'll go with «thing» instead. the module
system already uses this format for its placeholder names in attrsOf
paths.
markdown can't represent the difference without another extension and
both the html manual and the manpage render them the same, so keeping the
distinction is not very useful on its own. with the distinction removed
we can automatically convert many options that use <code> tags to markdown.
the manpage remains unchanged, html manual does not render
differently (but class names on code tags do change from "code" to "literal").
our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.
only whitespace changes to generated documents, except for two
strongswan options gaining two paragraph breaks they arguably should've
had anyway.
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute whose value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
- Add a module for the thunar file manager, which depends on the xfconf dbus service, and also has a dbus service and a systemd unit.
- Renames the option services.xserver.desktopManager.xfce.thunarPlugins to programs.thunar.plugins.
Qt4 is on its way out, according to
https://github.com/NixOS/nixpkgs/pull/174634
Barco's ClickShare driver/client requires Qt4;
an update isn't in sight anywhere.
To prepare for the removal of Qt4,
the commit at hand removes the
ClickShare package and its NixOS module.
The release notes are appended with a hint about the
removal and some alternatives that might help users
that are still in need of the driver/client functionality.
Raw logs are stored in a versioned binary format and must be updated with
atopconvert(1) upon atop version updates.
Failure to do so results in atop.service startup failure as I found out
the hard way after the "atop: 2.6.0 -> 2.7.1"[0] bump:
```
May 31 01:49:25 <hostname> sh[2269709]: existing file /var/log/atop/atop_20220531 has incompatible header
May 31 01:49:25 <hostname> sh[2269709]: (created by version 2.6 - current version 2.7)
May 31 01:49:25 <hostname> systemd[1]: atop.service: Main process exited, code=exited, status=7/NOTRUNNING
```
Convert logs in `ExecStartPre` and replace them iff updated.
This is to avoid changing original modification times upon every service
start and thus work against atop's log rotation (see existing
`ExecStartPre`).
0: https://github.com/NixOS/nixpkgs/pull/175180#issuecomment-1141546487
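The "convert and replace iff updated" step from the atop message, as an added shell example (not the module's own `ExecStartPre`). It assumes a converter invoked as `<converter> <input> <output>`, the calling convention of `atopconvert(1)` as I know it; the test below substitutes a constructed stand-in so it runs offline. A log whose converted form is byte-identical is left untouched, so its modification time, which atop's rotation keys on, is preserved.

```shell
#!/bin/sh
# Added example, not the nixpkgs module's ExecStartPre. Converts every raw
# atop log in a directory and replaces the original only when the converted
# output differs, so untouched logs keep their mtime (atop's log rotation
# relies on it). Prints the number of files replaced.
#
# $1: converter command, called as `<cmd> <input> <output>` (atopconvert has
#     this shape; any command with the same convention works for testing)
# $2: directory holding atop_* raw logs
convert_logs_if_changed() {
  converter=$1
  logdir=$2
  converted=0
  for f in "$logdir"/atop_*; do
    [ -f "$f" ] || continue                    # no logs: glob stays literal
    tmp="$logdir/.atopconvert.$$"              # outside the atop_* glob
    if "$converter" "$f" "$tmp" 2>/dev/null && ! cmp -s "$f" "$tmp"; then
      mv "$tmp" "$f"                           # header changed: replace
      converted=$((converted + 1))
    else
      rm -f "$tmp"                             # unchanged or conversion failed
    fi
  done
  echo "$converted"
}

# Usage on a real system (atopconvert from the atop package):
#   convert_logs_if_changed atopconvert /var/log/atop
```

Because a failed conversion also takes the `rm -f` branch, a broken converter never clobbers an existing log; the service would then fail at start with the "incompatible header" message quoted above rather than silently losing data.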
network-manager-applet uses a different naming scheme from the VPN plug-ins.
Let’s revert to the previous state, for now, to fix eval. We can do the rename later.
This reverts commit cecb014d5d.
Renaming the variable from `initScript` to `bashAndZshInitScript` makes it clearer, what it is actually used for.
Moving the fish init script right below the other call to `thefuck --alias` makes it more obvious, when one of them is different in some important way.
* Change groupId to gid to align with the rest of NixOS modules
* Add a check to the gid option to ensure it is greater than or equal
to 1000
* Use the overridden package for the wrappers
Browser Integration requires setgid and setuid programs, which needs to be done in the system configuration.
This is cleaner than the ad-hoc ways we have to set things up for platforms without a global configuration file.
hostNames being deprecated makes configuring hosts with multiple keys a
pain. including the attr name of the entry in the host name list is a
nice convenience though, so we'll retain it and clarify the
documentation on how the actual host name list for an entry is put
together.