Without this, the greeter is unable to see the `orca` program on `PATH`
and so `${gdm}/share/gdm/greeter/autostart/orca-autostart.desktop`
will fail to start it. As a result, the screen reader would not work
on the login screen.
(cherry picked from commit 9af27f1cb5)
During testing of Kimai 2.32, it's been found that the fixes done in PR
371917 [^1] are not enough to prevent an error in the case of upgrading from
2.31 to 2.32.
Hinted by an upstream issue [^2], make sure that the cache is cleared
before running `kimai:install`, not after. This fixes upgrading from
2.31 to 2.32, and should prevent similar issues from popping up again.
[^1]: https://github.com/NixOS/nixpkgs/pull/371917
[^2]: https://github.com/kimai/kimai/issues/5437
Services utilising postsrsd need to connect to it via a Unix socket.
While the path to that socket is static as of now, the discoverability
of that path suffers from the lack of module documentation and a
scattered definition of the individual path components over at least
three lines, even when reading the module source.
By exposing the socket path as a readOnly NixOS option, that value shows
up in the options overview and can be re-used in other parts of NixOS
config.
While we're not (fully) supporting the related features, yet, we already
prevent accidental storage of secrets in the store. This will also avoid
breaking changes in the future, when those features are properly
supported.
The options part of "services.headscale.settings" gets rendered directly
into a JSON file. As such, any declared values need to match the actual
config key that upstream uses or they are ineffective.
One such key is "derp.auto_update_enable", which controls whether or not
auto-updates for the DERP map are enabled. This key is misspelled though:
the config is called "derp.auto_update_enabled", and that has always
been the case since the config has been introduced in 57f46ded (Split
derp into its own config struct, 2021-10-22). Any unknown key is simply
ignored by Headscale, and as such the setting is ineffective.
Fix this by renaming the option.
This patch adds support for using systemd's LoadCredential
feature to read in a json file at a path defined in the
services.nextcloud.secretFile option.
This is a follow up to 2ce1e84103.
The key change here is that the match was on the hydra database only
previously, but is now limited to the hydra role instead. This avoids
conflicts with rules that are created by other modules or downstream
users.
With this change, we can remove the additional "postgres postgres" line,
because the default pg_hba line will kick in again and allow the
postgres user access to the postgres role.
Renaming the map from hydra-users to hydra is for consistency, so that
all modules can define maps matching in name with the role they manage.
The change from ident to peer is just cosmetic, ident is only used for
TCP connections and falls back to peer anyway.
NUT documentation strongly suggests running `upsmon` as a non-root user
with very limited permissions. This includes only read access to
`upsmon.conf`.
Previously the `RUN_AS_USER` setting could be overwritten with
`mkForce`, but this left the system with technically incorrect
permissions on `upsmon.conf` that would prevent reloading. This patch
provides a way to change the user that `upsmon` runs as while
maintaining correct permissions on `upsmon.conf`.
Fixes #318582
In 0.15.1 frigate has a logic error that makes it not ensure the model
cache dir exists before using it.
A workaround has been committed for newer versions, so we can drop this
on the next release.
Fixes: #402813
Without this, Mutter will complain at startup:
    .gnome-shell-wr[1013]: Failed to make thread 'KMS thread' high priority scheduled: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Name "org.freedesktop.RealtimeKit1" does not exist
PipeWire, WirePlumber and xdg-desktop-portal-gnome complain about the missing service too.
Since v12, PostgreSQL doesn't support recovery.conf anymore and fails to
start up when this option is set:
    FATAL: using recovery command file "recovery.conf" is not supported
This is documented at:
https://www.postgresql.org/docs/current/recovery-config.html
The new implementation of `mapAttrsToList` is simpler than the previous one, avoiding an extra string conversion. Benchmarking shows a slight performance improvement. See the discussion here: https://discourse.nixos.org/t/another-implementation-of-mapattrstolist
Additionally, I searched nixpkgs for expressions equivalent to the old `mapAttrsToList` and replaced them with direct calls to the new implementation.
Closes #404580
ChangeLog: https://github.com/grafana/grafana/releases/tag/v12.0.0
A few changes were necessary here:
* the provision seems to be delayed now, so the `machine.succeed` broke
  because the result was tested before the provisioning was finished.
  Using `wait_until_succeeds` to solve this.
* Work around a problem that went unnoticed during #399404:
  the setup-hook is also run in the `goModules` derivation, but
  `offlineCache` is missing. As a result, the build breaks. I guess this
  was unnoticed because everyone had a goModules with the previous hash
  in their store.
Co-authored-by: Emily <git@emilylange.de>
GitLab 17.11 started using rails activeRecord encryption for some values.
Introduce new key files. This is breaking for unstable/25.05.
Also add a test to prevent this from happening unnoticed in the future.
For the future there should also be an option to set multiple activeRecord
keys for rotation.
qcluster won't be happy if it's started before the database migrations
have been run.
    12:25:47 [Q] ERROR Failed to pull task from broker
    Traceback (most recent call last):
      File "/nix/store/w5ndmidmkiy02vvgl7cxx1fkzc1pichg-python3-3.12.9-env/lib/python3.12/site-packages/django/db/backends/utils.py", line 89, in _execute
        return self.cursor.execute(sql, params)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/nix/store/w5ndmidmkiy02vvgl7cxx1fkzc1pichg-python3-3.12.9-env/lib/python3.12/site-packages/django/db/backends/sqlite3/base.py", line 328, in execute
        return super().execute(query, params)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    sqlite3.OperationalError: no such table: django_q_ormq
- Start after network-online as ncps requires all upstreams to be online
  and reachable when starting
- Remove a bad assertion causing failures at eval time when using
  secrets management systems
Upstream has archived the OpenSMTPD-extras repository with 82c49af (add
deprecation notice, 2024-10-22). Instead, it has created a set of
repositories, each containing one of the tables. The old tables aren't
compatible anymore with recent OpenSMTPD versions due to changed
protocols. Other extras, like the queues, don't have an alternative to
the best of my knowledge.
Furthermore, opensmtpd-extras doesn't even build anymore, furthermore
indicating that there aren't any users of this package. Remove the
"opensmtpd-extras" package and raise errors pointing to the new
standalone tables.
Add a release note.
Before this change, running piper would fail with
> cannot enable executable stack as shared object requires
because the stack is marked rwx on newer libonnxruntime versions.
According to the manpage the rsyncd.conf has a global section without a
module header. Settings for listening port or bind address must be put
there and will not work if defined in a global submodule (i.e. below a
"[global]" header).
This commit changes the ini format generator for the rsyncd service to
allow a global section in the config file without a submodule header.
Fixes #304293
Credits to @nydragon
* remove retrocompat, add incompat release notes
- Added a NixOS module using RFC42 and plenty of systemd hardening
- Added a NixOS VM Test which checks the basic functionality
- Refactored the package to support HSM and UI
We recently upgraded to cloudflare-dyndns 5.3:
24f9910708,
so we can now use this new `CLOUDFLARE_API_TOKEN_FILE` feature that
landed in v5.2: 1d563d2752
There should be no need to add custom components without YAML configuration to
extraComponents for systemd service modifications to become effective (e.g.
serial access).
Disables the "Open updater" button in the admin overview and makes sure it is not possible to update the instance through the web interface.
Nextcloud runs from the source code in the nix store and should not try to update itself manually.
The only way to update Nextcloud is to update nixpkgs and therefore the web updater must be disabled.
https://hydra.nixos.org/build/295225429
This unbreaks nixosTests.budgie when a fix for qt6gtk2 is still in
review. This does not seem to work in Wayland so I guess we will
eventually drop that in next Budgie bump anyway.
See also 7e685d3693 for Cinnamon and 36bc3f46ba for Pantheon.
Use vwifi to write a proper test for Kismet. This test demonstrates how
to simulate wireless networks in NixOS tests, and extract meaningful
data by putting an interface in monitor mode using Kismet.
Fix compatibility with previous versions by making sure all the uploads
and plugins end up in the correct directory. Add a test for the exact
path we care about to ensure that it doesn't work "on accident."
Discovered while updating instances to unstable.
This prevents the network from being torn down before alloy itself is
stopped.
Alloy tries to flush its WAL on SIGTERM, and if the network stack is
already down, it tries to flush logs up to 90s during shutdown/reboot.
From https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/:
> network.target has very little meaning during start-up. It only
> indicates that the network management stack is up after it has been
> reached. Whether any network interfaces are already configured when
> it is reached is undefined. Its primary purpose is for ordering
> things properly at shutdown: since the shutdown ordering of units in
> systemd is the reverse of the startup ordering, any unit that is ordered
> After=network.target can be sure that it is stopped before the network
> is shut down if the system is powered off. This allows services to
> cleanly terminate connections before going down, instead of abruptly
> losing connectivity for ongoing connections, leaving them in an
> undefined state. […]