Before the argument to mediagoblin-gmg would be passed to the actual command
and the rest to sh which is obviously nonsense.
(cherry picked from commit dd63ca898e)
The zoom-us package can be build with pulseaudio and with
support for one or more xdg-desktop-portal implementations.
This new module sets the proper build options
from the system configuration,
and adds the resulting package to `systemPackages`.
If an individual `zoom-us` package is assigned to the
`package` option with `package = zoom-us.override { ... };`,
arguments given to `.override` will take precedence
over the options determined by the module.
This permits to explicitly enable or disable some zoom-us
features while keeping the module's choices for other features.
Co-authored-by: Philip Taron <philip.taron@gmail.com>
(cherry picked from commit 1a5059ded6)
This reverts commit 263297b4e5 while also
explaining in the docs where exactly LANGUAGE is ignored, and why.
Fixes#409306.
(cherry picked from commit 82dfbe95f5)
Since there are now variants of tpm2-pkcs11 with and without ABRMD
support (for the kernel resource manager), ensure we pick the correct
default.
Fixes an accidental backwards incompatibility with the module.
(cherry picked from commit 9c1564e395)
Without this, the greeter is unable to see `orca` program on `PATH`
and so `${gdm}/share/gdm/greeter/autostart/orca-autostart.desktop`
will fail to start it. As a result, screen reader would not work
on the login screen.
(cherry picked from commit 9af27f1cb5)
Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided.
However the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines.
This caused `systemd-analyze verify` to fail:
```text
systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
```
The upstream unit already contains the following, which should make it safe to include regardless:
```ini
[Unit]
ConditionSecurity=audit
ConditionCapability=CAP_AUDIT_READ
```
For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696).
Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com>
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit e434130d0b)
Partially revert #179194 which first filtered
`extraLocaleSettings.LANGUAGE`. Indeed this environment variable is
given precedence according to:
https://www.gnu.org/software/gettext/manual/html_node/Locale-Environment-Variables.html
So using it will simply make all other `extraLocaleSettings` be ignored
in practice, but the OS shouldn't ignore it when aggregating the locales
required in general, as this setup should still be legitimate, and it
may even be useful if you wish to set it by default and use `env -u
LANGUAGE` for some programs.
(cherry picked from commit 263297b4e5)
Consider a user wanting to set up the Linux builder for the first time,
but with a slightly more generous allocation of resources compared to
the default. They'll do something like this:
```
{
virtualisation.cores = 3;
virtualisation.darwin-builder = {
diskSize = 40 * 1024;
memorySize = 4 * 1024;
};
}
```
This will fail with an error like this:
```
error: a 'aarch64-linux' with features {} is required to build '/nix/store/3acpgmwqwnk8g2gc5r05ar2lvmn01b8a-builder.pl.drv', but I am a 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}
```
But why would they have to rebuild the NixOS system?! All they did was
change the arguments passed to QEMU, and nothing those options control
would affect the NixOS configuration itself... right?
`config.system.build.toplevel` is defined with `allowSubstitutes` set to
`false` by default, which makes it so that the toplevel can't be
substituted if Nix is trying to use it "directly." So because the above
example would have to rebuild the VM runner, which references toplevel
directly, Nix refuses to substitute it, unless `always-allow-substitutes
= true` is set as a Nix option. (In the case where the QEMU options
aren't changed at all, Nix just substitutes the runner, which sidesteps
this issue as the runner itself doesn't use toplevel as an input.)
(cherry picked from commit 747c55e702)
Prevent the specialisation names from containing a forward slash.
Also escape them to allow for spaces in specialisation names.
(cherry picked from commit 2b9fc0ccc5)
During testing of Kimai 2.32, it's been found that fixes done in PR
371917 [^1] is not enough to prevent error in the case of upgrading from
2.31 to 2.32.
Hinted by an upstream issue [^2], make sure that the cache is cleared
before running `kimai:install`, not after. This fixes upgrading from
2.31 to 2.32, and should prevent similar issue from popping up again.
[^1]: https://github.com/NixOS/nixpkgs/pull/371917
[^2]: https://github.com/kimai/kimai/issues/5437
I mistakenly added extra whitespace in
https://github.com/NixOS/nixpkgs/pull/401872 which negatively affects
aesthetics of our documentation.
Thought it was part of nixfmt-rfc-styles output, but can't reproduce.
Might have had configured the wrong nixfmt.
It was easy to accidentally trigger infinite recursion if you depended
on `toplevel` in any way before. For instance, if you used
`CopyBlocks` with an image containing `toplevel`. This was because
`toplevel`'s assertion / warning logic has to be evaluated, but that
means evaluating `image.repart`'s assertions / warnings, which
requires evaluating the `repartConfig` attrsets to check for malformed
`Label`s. That causes the module system to type check *all*
`repartConfig` keys, even though most of them aren't used in the
assertions / warnings. So evaluating `system.build.image` evaluates
`repartConfig.CopyBlocks`, which evaluates `toplevel`, which evaluates
assertions / warnings, which evaluates `repartConfig.CopyBlocks` to
type check it. Infinite loop.
Even ignoring this recursion problem, it's still better for the repart
module to have its own assertions / warnings options. You don't have
to use `toplevel` in a repart image, so its assertions / warnings
would have been ignored in that case anyway. This way they're *always*
checked when you build an image.
The current workflow for starting the `linux-builder` on macOS is to run
`nix run nixpkgs#darwin.linux-builder`, which adds keys to the store and
then starts the builder.
Adding the keys requires user input (due to `sudo`) but the actual
builder should just stay running in the background somewhere.
I'd like to automate this process, but it's currently rather complex:
the first part of the script needs user input for `sudo`, and then
there's no signal when the process has finished starting up. The user
will need to see stdout/stderr during the first part, which makes it
challenging to capture it for the second part to determine when startup
has finished.
To fix this, I've split the `create-builder` script into an `add-keys`
script (interactive) and a `run-builder` script (background). These new
scripts are exposed in the `passthru` attributes for external users. The
`create-builder` script is now a simple call of `add-keys` and then
`run-builder`.
See: https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder
lib/test.nix relies on `fileset.toSource` which creates a source dir
with the files of interest. `testers.shellcheck` passes all the files in
the source dir to shellcheck. The issue is related to relative path
sourcing, i.e. `source ./lib.sh` where shellcheck cannot make any
assumptions about the working directory.
Options were:
1) Disable this warning with a directive
Prior disabling in the tree:
- pkgs/tools/nix/info/info.sh
- nixos/modules/testing/test-instrumentation.nix
2) Set source-path to SCRIPTDIR with a directive
https://github.com/koalaman/shellcheck/wiki/Directive#source-path
Even though we don't enable external script following for shellcheck
with `-x` flag given every file in the source dir is passed, this
directive seems to capture the intent to help shellcheck a bit
better.
Went with option 2.
Services utilising postsrsd need to connect to it via a Unix socket.
While the path to that socket is static as of now, the discoverability
of that path suffers from the lack of module documentation and a
scattered definition of the individual path components over at least
three lines, even when reading the module source.
By exposing the socket path as a readOnly NixOS option, that value shows
up in the options overview and can be re-used in other parts of NixOS
config.
While we're not (fully) supporting the related features, yet, we already
prevent accidental storage of secrets in the store. This will also avoid
breaking changes in the future, when those features are properly
supported.
The options part of "services.headscale.settings" get rendered directly
into a JSON file. As such, any declared values need to match the actual
config key that upstream uses or they are ineffective.
One such key is "derp.auto_update_enable", which controls whether or not
auto-updates for the DERP map are enabled. This key is misspellt though:
the config is called "derp.auto_update_enabled", and that has always
been the case since the config has been introduced in 57f46ded (Split
derp into its own config struct, 2021-10-22). Any unknown key is simply
ignored by Headscale, and as such the setting is ineffective.
Fix this by renaming the option.
When using Merkuro in Plasma 6, the 'Contacts' widget will automatically
be added to the default panel. Unfortunately, it does not work unless
`kdePackages.kcontacts` is also present in the environment. This adds
the dependency if Plasma 6 is also enabled alongside Merkuro.
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
This patch adds support for using systemd's LoadCredential
feature to read in a json file at a path defined in the
services.nextcloud.secretFile option.
This is a follow up to 2ce1e84103.
The key change here is, that the match was on the hydra database only
previously, but is now limited to to the hydra role instead. This avoids
conflicts with rules that are created by other modules or downstream
users.
With this change, we can remove the additional "postgres postgres" line,
because the default pg_hba line will kick in again and allow the
postgres user access to the postgres role.
Renaming the map from hydra-users to hydra is for consistency, so that
all modules can define maps matching in name with the role they manage.
The change from ident to peer is just cosmetic, ident is only used for
TCP connections and falls back to peer anyway.
NUT documentation strongly suggests running `upsmon` as a non-root user
with very limited permissions. This includes only read access to
`upsmon.conf`.
Previously the `RUN_AS_USER` setting could be overwritten with
`mkForce`, but this left the system with technically incorrect
permissions on `upsmon.conf` that would prevent reloading. This patch
provides a way to change the user that `upsmon` runs as while
maintaining correct permissions on `upsmon.conf`.
Fixes#318582
I'm a little annoyed at myself that I only realized this _after_ #392030
got merged. But I realized that if something else is using AF_VSOCK or
you simply have another interactive test running (e.g. by another user
on a larger builder), starting up VMs in the driver fails with
qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=3: vhost-vsock: unable to set guest cid: Address already in use
Multi-user setups are broken anyways because you usually don't have
permissions to remove the VM state from another user and thus starting
the driver fails with
PermissionError: [Errno 13] Permission denied: PosixPath('/tmp/vm-state-machine')
but this is something you can work around at least.
I was considering to generate random offsets, but that's not feasible
given we need to know the numbers at eval time to inject them into the
QEMU args. Also, while we could do this via the test-driver, we should
also probe if the vsock numbers are unused making the code even more
complex for a use-case I consider rather uncommon.
Hence the solution is to do
sshBackdoor.vsockOffset = 23542;
when encountering conflicts.
In 0.15.1 frigate has a logic error that makes it not ensure the model
cache dir exists before using it.
A workaround has been committed for newer versions, so we can drop this
on the next release.
Fixes: #402813
Without this, Mutter will complain at startup:
.gnome-shell-wr[1013]: Failed to make thread 'KMS thread' high priority scheduled: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Name "org.freedesktop.RealtimeKit1" does not exist
PipeWire, WirePlumber and xdg-desktop-portal-gnome complain about the missing service too.
Since v12, PostgreSQL doesn't support recovery.conf anymore and fails to
start up when this option is set:
FATAL: using recovery command file "recovery.conf" is not supported
This is documented at:
https://www.postgresql.org/docs/current/recovery-config.html
The new implementation of `mapAttrsToList` is simpler than the previous one, avoiding an extra string conversion. Benchmarking shows a slight performance improvement. See the discussion here: https://discourse.nixos.org/t/another-implementation-of-mapattrstolist
Additionally, I searched nixpkgs for expressions equivalent to the old `mapAttrsToList` and replaced them with direct calls to the new implementation.
Closes#404580
ChangeLog: https://github.com/grafana/grafana/releases/tag/v12.0.0
A few changes were necessary here:
* the provision seems to be delayed now, so the `machine.succeed` broke
because the result was tested before the provisioning was finished.
Using `wait_until_succeeds` to solve this.
* Work around a problem that got unnoticed during #399404:
the setup-hook is also run in the `goModules` derivation, but
`offlineCache` is missing. As a result, the build breaks. I guess this
was unnoticed because everyone had a goModules with the previous hash
in their store.
Co-authored-by: Emily <git@emilylange.de>
GitLab 17.11 started using rails activeRecord encryption for some values.
Introduce new key files. This is breaking for unstable/25.05.
Also add a test to prevent this from happening unnoticed in the future.
For the future there should also be an option to set multiple activeRecord
keys for rotation.
