"Update History" (release notes):
https://www.ibm.com/support/pages/node/6998343
The list of APARs ("Authorized Program Analysis Reports")
does not contain anything that would affect security.
With this update, the Java-based
GUI requires a newer jdk version
(note: version 8.1.22.0 was not compatible with the newer jdk).
Also, all URLs in package and module comments are updated.
borgbackup exit code 1 means warning, not error. For example if a file
is modified during backup, borg create exits with code 1. It may be
desirable to count that as success.
This commit fixes the requirement to provide a pruneOption to ensure
that the check command is run when a check option is set. This is useful
for check-only configurations. The option is implicitly set if checkOpts
are given by default.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
I'm not going anywhere, I'm focusing my energy on other issues, and
getting pinged as a maintainer for packages is a bit distracting (also
I'm not using most of these packages anyways!)
Re-add separate creation of the ~/.config and ~/.cache directories so
that they get correct ownership. Or else they get owned by root.
systemd-tmpfiles also warns about it:
machine # [ 3.022195] systemd-tmpfiles[472]: Detected unsafe path transition /home/user1 (owned by user1) → /home/user1/.cache (owned by root) during canonicalization of home/user1/.cache.
machine # [ 3.024566] systemd-tmpfiles[472]: Detected unsafe path transition /home/user1 (owned by user1) → /home/user1/.config (owned by root) during canonicalization of home/user1/.config.
Fixes: 8d3cf213db ("nixos/borgbackup: replace activationScript via tmpfiles")
"Update History" (release notes):
https://www.ibm.com/support/pages/node/6998343
...does not list any security-relevant changes
(mostly trademark name changes).
Also, all URLs in package and module comments are updated.
The generation of the descriptions always used lib explicitly even
thoughit was already specified with 'with'.
Since using `with lib` is discouraged this was also changed to inherit.
"Update History" (release notes):
https://www.ibm.com/support/pages/node/6998343
At the time of this writing,
the "APAR" links of the "Update History" lead to 404.
However, the abstracts indicate that
this update is not security critical.
Note that this update changed the GUI window title
to "IBM Storage Protect"
(the product itself was renamed with version 8.1.19.0 already).
The commit at hand adapts the GUI vm test accordingly.
Also, all URLs in package and module comments are updated.
I don't use this tool but saw it in the top level and that's not where it should
live.
This could arguably also be seen as a RAID; it's a bit of an in-between.
`tsm-client` uses a global configuration
file that must contain coordinates for each
server that it is supposed to contact.
This configuration consists of text
lines with key-value pairs.
In the NixOS module, these servers may be declared
with an attribute set, where the attribute name
defines an alias for the server, and the value
is again an attribute set with the settings for
the respective server.
This is organized as an option of type `attrsOf submodule...`.
Before this commit:
Important settings have their own option within
the submodule. For everything else, there is
the "catch-all" option `extraConfig` that may
be used to declare any key-value pairs.
There is also `text` that can be used to
add arbitrary text to each server's
section in the global config file.
After this commit:
`extraConfig` and `text` are gone,
the attribute names and values of each server's attribute
set are translated directly into key-value pairs,
with the following notable rules:
* Lists are translated into multiple lines
with the same key, as such is permitted by
the software for certain keys.
* `null` may be used to override/shadow a value that
is defined elsewhere and hides the corresponding key.
Those "important settings" that have previously been
defined as dedicated options are still defined as such,
but they have been renamed to match their
corresponding key names in the configuration file.
There is a notable exception:
"Our" boolean option `genPasswd` influences the "real"
option `passwordaccess', but the latter one is
uncomfortable to use and might lead
to undesirable outcome if used the wrong way.
So it seems advisable to keep the boolean option
and the warning in its description.
To this end, the value of `getPasswd` itself is
later filtered out when the config file is generated.
The tsm-backup service module and the vm test are adapted.
Migration code will be added in a separate
commit to permit easy reversal later, when the
migration code is no longer deemed necessary.
With the tsm-client 8.1.19.0 release,
IBM renamed the product brand from
"IBM Spectrum Protect" to "IBM Storage Protect":
https://www.ibm.com/support/pages/node/6964770 .
The package already got updated in commits
5ff5b2ae4c and
a4b7a62532 .
The commit at hand updates the modules accordingly.
The --rsyncable option changes the behavior of gzip/zstd so that the
resulting files can be incrementally backed up easily. Tools like Borg,
rsync and xdelta can make use their deduplication/diff mechanisms more
easily.
In my local testing, this resulted in a 2% size increase for backup
files.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
The sshKey options do not need to be a valid path at build time. Using
string instead allow use case when the path is not known at build time
such as when using systemd credentials (e.g. `sshKey =
"\${CREDENTIALS_DIRECTORY}/zfs-replication_ed25519";`).
As described in the release lifecycle docs from postgresql[1], v11 will
stop receiving fixes as of Nov 9 2023. This means it's EOL throughout
the entire lifetime of 23.11, so let's drop it now.
A lot of examples are also referencing postgresql_11. Where it's
sensible, use postgresql_15 as example now to avoid confusion.
This is also handy because the LLVM 16 fix for postgresql is not
available for postgresql 11 ;-)
[1] https://www.postgresql.org/support/versioning/
Also, add a test to verify that it works.
This change also removes the part of custom package test that verifies
that the correct paths are provided. This is already tested by restore
tests.
Before this change, setting both paths and dynamicFileFrom would cause
paths to be silently ignored. Making that actually apply the obvious
interpretation seems to me to be strictly better than prohibiting the
two from being set at the same time.
The module falsely disabled postgresql completely when the bacula-sd was not enabled.
Quotation marks are not necessary and only useful in `name` fields.
To reduce the danger of accidentally exposing sensitive files processed
by a restic backup to other services/users, enable the `PrivateTmp=`
feature of restic service units, which provides a per service isolation
of `/tmp` and `/var/tmp`.
Co-authored-by: Daniel Nagy <danielnagy@posteo.de>
The restic repository cache location defaults to ~/.cache/restic when
not overwritten either by the --cache-dir command line parameter or the
universal RESTIC_CACHE_DIR environment variable.
Currently, the --cache-dir variable is set to only some restic commands,
but, e.g., not to the unit's preStart command for the module's
initialize option. This results in two distinct cache locations, one at
~/.cache/restic for the initialize commands and one at the configured
--cache-dir location for the restic backup command.
By explicitly setting RESTIC_CACHE_DIR for the unit, only one cache at
the correct location will be used.
https://restic.readthedocs.io/en/v0.15.1/manual_rest.html#caching
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh
since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).
also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
This provides an easy way to specify exclude patterns in config. It was
already possible via extraBackupOptions; this change creates a simpler,
similar to other backup services, way to specify them.
makes sure that program listing tags are separated from their contents
by exactly a newline character. this makes the markdown translation
easier to verify (since no new newlines need to be inserted), and
there's no rendering difference anyway.
Invoke `install` separately for each directory to get ownership right --
i.e. not always owned by root. When owned by root, user sessions break
as no user processes are allowed to create directores there. On normal
systems the directories already exist, but in clean environments / NixOS
test VMs, the bug shows.
Before:
$ namei -l /home/user1/.cache/borg
f: /home/user1/.cache/borg
drwxr-xr-x root root /
drwxr-xr-x root root home
drwx------ user1 users user1
drwxr-xr-x root root .cache
drwxr-xr-x user1 users borg
After:
$ namei -l /home/user1/.cache/borg
f: /home/user1/.cache/borg
drwxr-xr-x root root /
drwxr-xr-x root root home
drwx------ user1 users user1
drwxr-xr-x user1 users .cache
drwxr-xr-x user1 users borg
Adds a new option for backup jobs `inhibitsSleep` which prevents
the system from going to sleep while a backup is in progress.
Uses `systemd-inhibit`, which holds a "lock" that prevents the
system from sleeping while the process it invokes is running.
This did require wrapping the existing backup script using
`writeShellScript` so that it could be run by `systemd-inhibit`.
Configures the `--cache-dir` parameter for the prune and check commands run after backing up. For `check`, also adds a `checkOpts` flag to enable using the cache, since that is disabled by default.
