system-ups.slice conflicts with shutdown.target, so
ups-killpower.service is never queued at shutdown.
The slice isn't doing anything; removing it is a simple fix.
(cherry picked from commit 30aa6b71f2)
Part of #438800.
The OWASP recommentation[1] is:
> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.
Hence, we turn this off, diverging from the upstream defaults here. An
upstream issue has been opened[2].
[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
[2] https://github.com/grafana/grafana/issues/110369
(cherry picked from commit 409107d2f5)
Fixes all code blocks with "nix" language in markdown files for syntax
errors to be able to run nixfmt in the next step.
(cherry picked from commit 6c47e7d5da)
NUT documentation strongly suggests running `upsmon` as a non-root user
with very limited permissions. This includes only read access to
`upsmon.conf`.
Previously the `RUN_AS_USER` setting could be overwritten with
`mkForce`, but this left the system with technically incorrect
permissions on `upsmon.conf` that would prevent reloading. This patch
provides a way to change the user that `upsmon` runs as while
maintaining correct permissions on `upsmon.conf`.
Fixes#318582
Closes#404580
ChangeLog: https://github.com/grafana/grafana/releases/tag/v12.0.0
A few changes were necessary here:
* the provision seems to be delayed now, so the `machine.succeed` broke
because the result was tested before the provisioning was finished.
Using `wait_until_succeeds` to solve this.
* Work around a problem that got unnoticed during #399404:
the setup-hook is also run in the `goModules` derivation, but
`offlineCache` is missing. As a result, the build breaks. I guess this
was unnoticed because everyone had a goModules with the previous hash
in their store.
Co-authored-by: Emily <git@emilylange.de>
This prevents the network from being torn down before alloy itself it
stopped.
Alloy tries to flush its WAL on SIGTERM, and if the network stack is
already down, it tries to flush logs up to 90s during shutdown/reboot.
From https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/:
> network.target has very little meaning during start-up. It only
> indicates that the network management stack is up after it has been
> reached. Whether any network interfaces are already configured when
> it is reached is undefined. Its primary purpose is for ordering
> things properly at shutdown: since the shutdown ordering of units in
> systemd is the reverse of the startup ordering, any unit that is order
> After=network.target can be sure that it is stopped before the network
> is shut down if the system is powered off. This allows services to
> cleanly terminate connections before going down, instead of abruptly
> losing connectivity for ongoing connections, leaving them in an
> undefined state. […]
As described in https://github.com/NixOS/nixpkgs/pull/394017,
grafana-agent does not build with Go 1.23 anymore, and Go 1.22 has been
removed.
grafana-agent has been deprecated by Grafana (in favour of Grafana
Alloy), and will be EOL on 2025-11-01, which would be part of the
upcoming 25.05 release.
Instead of leaving us with a broken package, drop it alltogether, and
add release notes.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
The LibreNMS cache may contain paths to the old package and may break
when the old package is removed. So it is not enough to clear the cache
only on version updates, as the package will also change when build
inputs change.
This commit updates the setup script to regenerate the cache on every
package change. In addition, it now only performs migrations when the
package version has changed, since the migrations only change on version
updates and don't need to be applied on every package change.
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
