The nixos/caddy module is somewhat old by now
and has undergone quite some refactors.
This specific module option (originally named
`ca`) used to make a bit more sense when
Caddy did not have multiple ACME CAs as
fallback (LE & ZeroSSL) by configured by
default yet (ZeroSSL came with v2.3.0).
I also rephrased the description slightly,
to mention Caddy's automatic issuer fallback
and a note which this option maps to in the
Caddyfile, to provide a bit more context and
a more up-to-date recommendation.
Specifically that "fine-grained configuration"
section comes from a time when this module did
some custom tls/issuer config json merging
with the templated Caddyfile using `jq`.
The "The URL to the ACME CA's directory"
section is a word-for-word copy from the
official Caddy docs, which also include a link
to LE's docs to the referenced staging
endpoint. So I added that as well.
Since ddclient@24ba945 (v3.10.0), the type and meaning of the "ipv6"
option has changed. This resulted in the following warning when
starting the service:
WARNING: file /run/ddclient/ddclient.conf, line 13:
Invalid Value for keyword 'ipv6' = 'no'
This therefore removes the matching boolean option.
More advanced configurations can use the "extraConfig" option instead.
As with many things, we have scenarios where we don't want to boot on a
disk / bootloader and also we don't want to boot directly.
Sometimes, we want to boot through an OptionROM of our NIC, e.g. netboot
scenarios or let the firmware decide something, e.g. UEFI PXE (or even
UEFI OptionROM!).
This is composed of:
- `directBoot.enable`: whether to direct boot or not
- `directBoot.initrd`: enable overriding the
`config.system.build.initialRamdisk` defaults, useful for
netbootRamdisk for example.
This makes it possible.
This is necessary because this test relies on switching the root fs to an empty one which
does not have a Nix store available in stage 1, therefore, we have to make this test
host-store only.
A better fix in the long term is to evaluate whether this is worth to enable a proper
Nix store image for it with EROFS?
This essentially backports
https://github.com/systemd/systemd/pull/27791. `systemd-networkd.service`
is sent the `SIGTERM` signal, but it is not required to be stopped
before `initrd-switch-root.target` is reached, despite the use of
`systemctl isolate initrd-switch-root.target`. This is because when
there is no ordering at all between two units, and a transaction stops
one and starts the other, the two operations can happen
simultaneously. This means the service could still be running when
`switch-root` actually occurs. Then, stage 2 systemd will see the
service still running and decide it doesn't need to add a start
operation for it to its initial transaction. Finally, the service
exits, but only after it's already too late. If, however, there is any
ordering at all between a stopping unit and a starting unit, then the
stop operation will be done first. This way, we ensure that the
service is properly exited before doing `switch-root`.
This is something to keep in mind going forward. There may be other
services that need this treatment. These `before` and `conflicts`
definitions are the correct way to ensure a unit is actually stopped
before you reach initrd-switch-root
not using this any more, and really don't have the energy to deal with
neither the fallout of ubnt not officially supporting mongodb newer than
3.6, nor the hacks nixpkgs contains to work around that.
I'm merging this without review, since the tests run by ofborg are
succeeding. In addition to that, it's fixing a currently broken test so
the worst that could happen is that the test still does not work.
Since 816614bd62, the service is set to use the exim user so that
systemd takes care of the credentials ownership. The executable is
still required to run as root, to then drop privileges. The prefix '+'
that was used however interfers with the use of privilege restrictions
and other sandboxing options. Since we only want to escape the "User"
setting, we can use the '!' prefix instead.
The test fails because the way the configuration switch was implemented
back then was by using a dummy configuration and simply activating that
dummy configuration from within the test script.
Nowadays, this doesn't work anymore and fails to typecheck because the
dummy "newServer" will inherit the same value for networking.hostName,
which in turn will generate two attributes for "server":
> testScriptWithTypes:43: error: Name "server" already defined on line 43
> [no-redef]
> client1: Machine; client2: Machine; server: Machine; server: Machine;
Fortunately, we don't need to do workarounds like this anymore and there
is the "specialisation" option, which allows to do this in a less ugly
way (and it also works with mypy).
Signed-off-by: aszlig <aszlig@nix.build>
