Otherwise, the systemd service will reliably fail on a clean boot, as
invidious-router needs a set-up network connection before starting.
(cherry picked from commit fab364e89b)
Reloading was insufficient for changing the dns resolver address, so we
make config changes a restart trigger instead.
(cherry picked from commit e57363be15)
In 623664e84f this part was refactored,
however network.target does not make sense in wantedBy and must be part of after.
(cherry picked from commit bcc1b762e9)
It's not clear how to use this command in other systemd units, this
section gives a recommendation.
I realized that there's no explicit mention of `nextcloud-occ` in the
first place, so I wrote some introductory sentences as well.
(cherry picked from commit 5a6f0a43ae)
Since 25.05 dbtype no longer defaults to sqlite and this yields an error
that is understandable enough but not easy to properly address.
Add an assert that is more explicit.
Before:
```
error: The option `nodes.nextcloud.services.nextcloud.config.dbtype' was accessed but has no value defined. Try setting the option.
```
After:
```
error:
Failed assertions:
- `services.nextcloud.config.dbtype` must be set explicitly (pgsql, mysql, or sqlite)
Before 25.05, it used to default to sqlite but that is not recommended by upstream.
Either set it to sqlite as it used to be, or convert to another type as described
in the official db conversion page:
https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/db_conversion.html
```
Link: https://github.com/NixOS/nixpkgs/pull/369242#issuecomment-3036296243
(cherry picked from commit 78a20758e0)
This, and commits to k3s and util-linux close#409339.
The util-linux.withPatches API was a temporary hack for the 25.05
release to fix Kubernetes, and is going away.
While we're at it, we should use util-linuxMinimal because we do not
need things such as systemd support for kubelet initialization.
(cherry picked from commit 949e299d24)
See https://discourse.nixos.org/t/i-cannot-for-the-life-of-me-find-the-package-that-has-pg-config/66244/4
I decided against doing this in its own nixpkgs manual: the line
to draw is quite blurry already (e.g. we have documented our package
removal policy in here as well) and having to check two manuals for a
single subsystem feels pretty annoying to me.
The relevant part - where to find pg_config - is written at the top. I
decided to give a bit more context about the way our packaging works
since I realized a few times now that I don't remember all the details
about the problems we had in the past and having to look up individual
commit messages for that isn't very productive.
(cherry picked from commit e031c5ff6b)
We currently bypass systemd's switch-root logic by premounting
/sysroot/run. Make sure to propagate its sub-mounts with the recursive
flag, in accordance with the default switch-root logic.
This is required for creds at /run/credentials to survive the transition
from initrd -> host.
(cherry picked from commit 7d36daa76a)
When running with a xfs root partition and using systemd for stage 1
initrd, I noticed in journalctl that fsck.xfs always failed to execute.
The issue is that it is trying to use the below sh interpreter:
`#!/nix/store/xy4jjgw87sbgwylm5kn047d9gkbhsr9x-bash-5.2p37/bin/sh -f`
but the file does not exist in the initrd image.
/nix/store/xy4jjgw87sbgwylm5kn047d9gkbhsr9x-bash-5.2p37/bin/**bash**
exists since it gets pulled in by some package, but the rest of the
directory is not being pulled in.
boot/systemd/initrd.nix mentions that xfs_progs references the sh
interpreter and seems to explicitly try to address this by adding
${pkgs.bash}/bin to storePaths, but that's the wrong bash package.
Update the `storePaths` value to pull in `pkgs.bashNonInteractive`
rather than `pkgs.bash`.
(cherry picked from commit 3332613add)
This fixes postfix' membership in the postfix-tlspol group, since
memberships in a dynamically allocated group don't seem to work out.
Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.
(cherry picked from commit df0eb78b31)
Fixes the group membership for postfix processes in the postfix-tlspol
group.
Makes the postfix.service start up after postfix-tlspol.service, because
it depends on it for the TLS policy lookups.
(cherry picked from commit 64e7fad038)
Kernel 6.16-rc1 removed the poly1305 algorithm in
ceef731b0e22df80a13d67773ae9afd55a971f9e
bcachefs switched to the kernel libraries for poly1305 and chacha20 in
6.15 in 4bf4b5046de0ef7f9dc50f3a9ef8a6dcda178a6d
(cherry picked from commit f9bd91aa07)
Upstream changes were checked by checking out the stable31 branch of the
https://github.com/nextcloud/documentation and comparing:
git diff c1c9b0a072537544769fdd6062989a631d4fb17c admin_manual/installation/nginx-root.conf.sample
Notably, this adds the text/javascript and application/wasm mime types to the list of
gzip'ed mime types, which improves nextcloud loading in our testing.
Also adds webp support.
(cherry picked from commit 0c7a8d5255)
`user-.slice` does not seem to exist, and the config we generate for it is
rejected by systemd (see `systemctl status user-.slice`).
I suppose that what was really intended here, was to configure
`user.slice`, which is the one that is documented in `man systemd.special`.
Reported-by: Ian Sollars <Ian.Sollars@brussels.msf.org>
(cherry picked from commit c28b3143da)
Upstream, intentionally or not, no longer appends the EFI image
with a .pad section for us to hook the rest of the UKI to. This
simply dehardcodes .pad from the awk script, instead using the
very last section in the binary. (Currently .reloc)
Co-authored-by: Yaroslav Bolyukin <iam@lach.pw>
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
`config.services.postgresql.package` is now only available when the
PostgreSQL module is actually enabled. If we're not using the local
database, we'll need to fallback to the latest postgresql version, since
we don't know about the remote version.
(cherry picked from commit 62d2b6d593)
`config.services.postgresql.package` is now only available when the
PostgreSQL module is actually enabled. If we're not using the local
database, we'll need to fallback to the latest postgresql version, since
we don't know about the remote version.
(cherry picked from commit e780b064a8)
`config.services.postgresql.package` is now only available when the
PostgreSQL module is actually enabled. If we're not using the local
database, we'll need to fallback to the latest postgresql version, since
we don't know about the remote version.
(cherry picked from commit da3beb2a08)
E.g. when a remote PostgreSQL database is used
Apparently you can't access the services.postgresql.package value
anymore if postgresql isn't enabled?
(cherry picked from commit ed0af3bf25)
prime-run is the default name on arch linux. This allows me and some others I found on github to slim their config.
(cherry picked from commit 340cd4a445)
Previously, if you set group memberships in both locations, they will
get replaced by the ones in extraJsonFile, which is unexpected as it
kicks users from the group. Now the state files get merged recursively,
including the arrays.
(cherry picked from commit 3b6b50dfad)
1. We bound the directory of certificates, this lead to forced read-only
binds of these directories, even if they should have been bound
read-write for other files in there. Looking at the history, there
seems to be no compelling reason for this, so switch to binding
the files directly.
2. `/run/kanidmd` is configured as `RuntimeDirectory` so bound
automatically and we don’t need to specify it explicitly.
(cherry picked from commit c4f052c08a)
Stalwart 0.11.0 changed the `config.resource.spam-filter` and
`config.resource.webadmin` keys to be `spam-filter.resource` and
`webadmin.resource` respectively. The NixOS has been updated
accordingly, but unfortunately it has mistakenly used
`config.spam-filter.resource` and `config.webadmin.resource`, which are
incorrect and do not do anything.
This commit changes the default configuration to use the correct keys.
Note that due to infinite recursion, the `optionalAttrs` has been
replaced with `mkIf`.
Additionally, some tests were added to catch this regression in the
future.
Fixes#411351
(cherry picked from commit b7ab1fa981)
Fixes services.stash.mutableSettings so that it makes sense. The logic
was previously backwards and the settings would be overriden if
mutableSettings was true.
(cherry picked from commit 7dcad49a30)
The enable attribute of `boot.initrd.systemd.contents.<name>` was
ignored for building initrd storePaths. This resulted in building
derivations for the initrd even if it was disabled.
Found while testing a to build a nixos system with a kernel without
lodable modules[0]
[0]: https://github.com/NixOS/nixpkgs/pull/411792
(cherry picked from commit 99da5ec2bc)
Before the argument to mediagoblin-gmg would be passed to the actual command
and the rest to sh which is obviously nonsense.
(cherry picked from commit dd63ca898e)
The zoom-us package can be build with pulseaudio and with
support for one or more xdg-desktop-portal implementations.
This new module sets the proper build options
from the system configuration,
and adds the resulting package to `systemPackages`.
If an individual `zoom-us` package is assigned to the
`package` option with `package = zoom-us.override { ... };`,
arguments given to `.override` will take precedence
over the options determined by the module.
This permits to explicitly enable or disable some zoom-us
features while keeping the module's choices for other features.
Co-authored-by: Philip Taron <philip.taron@gmail.com>
(cherry picked from commit 1a5059ded6)
This reverts commit 263297b4e5 while also
explaining in the docs where exactly LANGUAGE is ignored, and why.
Fixes#409306.
(cherry picked from commit 82dfbe95f5)
Since there are now variants of tpm2-pkcs11 with and without ABRMD
support (for the kernel resource manager), ensure we pick the correct
default.
Fixes an accidental backwards incompatibility with the module.
(cherry picked from commit 9c1564e395)
Without this, the greeter is unable to see `orca` program on `PATH`
and so `${gdm}/share/gdm/greeter/autostart/orca-autostart.desktop`
will fail to start it. As a result, screen reader would not work
on the login screen.
(cherry picked from commit 9af27f1cb5)
Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided.
However the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines.
This caused `systemd-analyze verify` to fail:
```text
systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
```
The upstream unit already contains the following, which should make it safe to include regardless:
```ini
[Unit]
ConditionSecurity=audit
ConditionCapability=CAP_AUDIT_READ
```
For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696).
Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com>
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit e434130d0b)
Partially revert #179194 which first filtered
`extraLocaleSettings.LANGUAGE`. Indeed this environment variable is
given precedence according to:
https://www.gnu.org/software/gettext/manual/html_node/Locale-Environment-Variables.html
So using it will simply make all other `extraLocaleSettings` be ignored
in practice, but the OS shouldn't ignore it when aggregating the locales
required in general, as this setup should still be legitimate, and it
may even be useful if you wish to set it by default and use `env -u
LANGUAGE` for some programs.
(cherry picked from commit 263297b4e5)
Consider a user wanting to set up the Linux builder for the first time,
but with a slightly more generous allocation of resources compared to
the default. They'll do something like this:
```
{
virtualisation.cores = 3;
virtualisation.darwin-builder = {
diskSize = 40 * 1024;
memorySize = 4 * 1024;
};
}
```
This will fail with an error like this:
```
error: a 'aarch64-linux' with features {} is required to build '/nix/store/3acpgmwqwnk8g2gc5r05ar2lvmn01b8a-builder.pl.drv', but I am a 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}
```
But why would they have to rebuild the NixOS system?! All they did was
change the arguments passed to QEMU, and nothing those options control
would affect the NixOS configuration itself... right?
`config.system.build.toplevel` is defined with `allowSubstitutes` set to
`false` by default, which makes it so that the toplevel can't be
substituted if Nix is trying to use it "directly." So because the above
example would have to rebuild the VM runner, which references toplevel
directly, Nix refuses to substitute it, unless `always-allow-substitutes
= true` is set as a Nix option. (In the case where the QEMU options
aren't changed at all, Nix just substitutes the runner, which sidesteps
this issue as the runner itself doesn't use toplevel as an input.)
(cherry picked from commit 747c55e702)
Prevent the specialisation names from containing a forward slash.
Also escape them to allow for spaces in specialisation names.
(cherry picked from commit 2b9fc0ccc5)
During testing of Kimai 2.32, it's been found that fixes done in PR
371917 [^1] is not enough to prevent error in the case of upgrading from
2.31 to 2.32.
Hinted by an upstream issue [^2], make sure that the cache is cleared
before running `kimai:install`, not after. This fixes upgrading from
2.31 to 2.32, and should prevent similar issue from popping up again.
[^1]: https://github.com/NixOS/nixpkgs/pull/371917
[^2]: https://github.com/kimai/kimai/issues/5437
