Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
This was a workaround to begin with, as hardened kernel didn't support tracing.
Back then kernel level tracing was only available through debugfs, and now that
tracefs has been available on NixOS for a while now, enabled in
Link: https://github.com/NixOS/nixpkgs/pull/388751
This workaround can be removed and bpf can be used with tracefs.
Link: https://github.com/NixOS/nixpkgs/issues/360957
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
With release 6.0, the themes directory was moved to a different location
and thus the NixOS Redmine module needs to be adjusted. Assets seem to
be stored in public/assets now and so that needs to be handled by the
NixOS module as well.
[1] https://www.redmine.org/issues/41731
Signed-off-by: Felix Singer <felixsinger@posteo.net>
This has been deprecated since before 24.05 was released
and displaying a warning.
This change means that only "managed", i.e.
Nix-native configurations are supported.
Using `systemd.services.<name>.script` pulls in bash in the ExecStart
line for a service. Since our "script" was only one line anyways,
we can inline it to just use ExecStart directly. Losing shell features
shouldn't be detrimental here, as we're not using pipes and there are
no globs to expand.
docker-registry.service has a `After` dependency on gitlab-registry-cert.
On the first start, docker-registry.service fails to start as it already
runs when gitlab-registry-cert.service starts up, and not when it finished.
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
Make use of systemd's LoadCredentials feature to allow for the secret
file to be better managed without having to be world-readable, since
due to DynamicUser it was not possible to assign it to one specific
user.
weechat can run in TUI or headless mode. Introduce the option
`headless` for specifying that. Based on the setting, it configures
the appropriate binary in the `binary` option and it also configures the
systemd unit accordingly. `headless` is disabled by default.
This doesn't change the current behaviour.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Configuring an user home directory also enables several invocations and
mechanisms, e.g. SSH authorized_keys or bashrc, which is bad from a
security perspective. The service doesn't need that at all and the
environment is set up over different ways now. So drop it.
This doesn't change the current behaviour.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
In preparation for dropping the user home directory, set up the state
directory manually. Use the systemd unit options when /var/lib/weechat
is used and use systemd-tmpfiles for all other locations. Not sure if it
makes any difference. However, it seems systemd tends to control its
directories in /var/lib and so it might make more sense to use the
existing options of the systemd unit.
This doesn't change the current behaviour.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
The environment variable hides the actual state directory of weechat in
systemctl. To make it more obvious, use the equivalent CLI parameter.
This doesn't change the current behaviour.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
