The tee-supplicant is a program that interacts with OP-TEE OS and allows
loading trusted applications at runtime (among other things). There is
an `optee` test included that uses the pkcs11 trusted application (in
upstream OP-TEE OS), loads it during system startup via tee-supplicant,
and uses `pkcs11-tool` to list available token slots.
If a Python package does not come with either `format` or `pyproject` we
consider it a setuptools build, that calls `setup.py` directly, which is
deprecated.
This change, as a first step, migrates a large chunk of these packages to
set setuptools as their explicit format
This is so we can unify the problem space for the next step of the
migration.
Sourcehut went a year with no update in nixpkgs, the packages did not
build for months, the module has issues at runtime, one of the
maintainers stopped using NixOS entirely and the other two don't respond
to issues.
Upstream has since also deprecated the Arch Linux and Debian
repositories to install Sourcehut. The only official way that remains is
Alpine Linux on x86_64-linux.
This option does not configure sendmail itself because it is impossible
as sendmail is an alias for many things and could mean msmtp or postfix
or exim or something else.
Instead we rely on the PROTOCOL setting as initially proposed #384582
and based on that open up the sandboxing settings because if the user
configures sendmail, they want it to work and not have to configure yet
another things.
Also makes postfix specific things conditional on postfix being enabled
as msmtp does not need them.
Also we can set SENDMAIL_PATH unconditionally as every wrapper I am
aware of uses that path.
Changed the service type from forking to notify,
which should gives a better indication of when the service is ready.
Changed the preStart into an ExecStart,
in order for upstream's NotifyAccess=main to work.
Added Restart=on-abnormal for better service stability.
This avoids restarting the postgresql server, when only ensureDatabases
or ensureUsers have been changed. It will also allow to properly wait
for recovery to finish later.
To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.
Resolves#400018
Co-authored-by: Marcel <me@m4rc3l.de>
By being in sync with the pname, it makes it easier to walk back from
the pname that shows in the /nix/store back to the attribute.
This change should not cause any rebuild.
This reverts commit fbb577d3c5.
This is already controlled by `services.displayManager.sessionPackages`, as explained in https://github.com/NixOS/nixpkgs/pull/411518#issuecomment-2936523214.
Because of that PR, now xsessions and wayland session desktop files of every packages in `environment.systemPackages` are now being linked to `/run/current-system/sw/share`. This is highly unwanted behaviour.
GitLab 17.11 started using rails activeRecord encryption for some values.
Introduce new key files. This is breaking for unstable/25.05.
Also add a test to prevent this from happening unnoticed in the future.
For the future there should also be an option to set multiple activeRecord
keys for rotation.
This feature goes all the way back to v1.20.0 (mid 2023) back when
Forgejo was still a soft-fork and simply used the nixos/gitea module.
The tl;dr:
nixos/gitea enabled it as part of the Gitea 1.20 bump PR, while Forgejo
was still at 1.19.4 and did not support this yet, causing Forgejo to
get restarted after 90s by systemd in a loop. This, among other things,
was part of the reason why Forgejo forked the nixos/gitea module into
nixos/forgejo and it since moving independently in nixpkgs.
systemd-notify provides more accurate service unit states over the
previous service type "simple".
Ref: b61919e5e0
Ref: 44aee34594
Without this fix, when setting `services.tzupdate.enable = true`, the service would never run automatically.
Now, it's actually enabled in systemd and it actually gets executed.
Still, it could be improved with a timer as explained in https://github.com/NixOS/nixpkgs/issues/127984#issuecomment-2512059143, but this makes it at least work out of the box when rebooting the system.
Closes#249767
Before we only created the admin user when passwordFile was set.
Now it is possible to set PAPERLESS_ADMIN_USER and
PAPERLESS_ADMIN_PASSWORD directly to create the admin user, like in the
upstream Docker image.
Instead of duplicating the options from the upstream service file and letting
them get out of sync, use the file directly and only configure the needed
overrides. In particular, the upstream improvements include the mounts not
being globally visible any more, so they can't be used for bypassing nosuid and
the like, and the custom cleanup script that performed the unmount becomes
unnecessary.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
This was a workaround to begin with, as hardened kernel didn't support tracing.
Back then kernel level tracing was only available through debugfs, and now that
tracefs has been available on NixOS for a while now, enabled in
Link: https://github.com/NixOS/nixpkgs/pull/388751
This workaround can be removed and bpf can be used with tracefs.
Link: https://github.com/NixOS/nixpkgs/issues/360957
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
With release 6.0, the themes directory was moved to a different location
and thus the NixOS Redmine module needs to be adjusted. Assets seem to
be stored in public/assets now and so that needs to be handled by the
NixOS module as well.
[1] https://www.redmine.org/issues/41731
Signed-off-by: Felix Singer <felixsinger@posteo.net>
This has been deprecated since before 24.05 was released
and displaying a warning.
This change means that only "managed", i.e.
Nix-native configurations are supported.
Using `systemd.services.<name>.script` pulls in bash in the ExecStart
line for a service. Since our "script" was only one line anyways,
we can inline it to just use ExecStart directly. Losing shell features
shouldn't be detrimental here, as we're not using pipes and there are
no globs to expand.
docker-registry.service has a `After` dependency on gitlab-registry-cert.
On the first start, docker-registry.service fails to start as it already
runs when gitlab-registry-cert.service starts up, and not when it finished.
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
