From systemd 247, timers can be configured to randomize their delay
once and to apply the same random delay for all future executions.
This allows users to have less jitter between auto-upgrade executions
while still avoiding multiple timers firing simultaneously on a
machine or multiple machines all performing their upgrades
simultaneously.
The default option value (false) is backwards compatible.
All supported versions of NixOS (in fact, back to and including 21.05)
use systemd 247 or later.
Encountered boot errors in pool with `listsnapshots=on` getKeyLocations should ignore snapshots as they will not be well-handled by createImportService later on
Add an option allowing packages containing out-of-tree vhost-user drivers for
QEMU to be specified. The relevant configurations are then linked at runtime
where libvirt expects them.
An example use case for this is virtiofs.
Closes#169733
The issue is that Nextcloud fails to start up after a GC because the
symlink from `override.config.php` is stale.
I'm relatively certain that this is not a bug in the Nix GC - that
would've popped up somewhere else already in the past years - and one of
the reporters seems to confirm that: when they restarted
`nextcloud-setup.service` after the issue appeared, an
`override.config.php` pointing to a different hash was there.
This hints that on a deploy `nextcloud-setup` wasn't restarted properly
and thus replacing the symlink update was missed. This is relatively
hard to trigger due to the nature of the bug unfortunately (you usually
keep system generations for a few weeks and you'll need to change the
configuration - or stdenv - to get a different `override.config.php`),
so getting pointers from folks who are affected is rather complicated.
So I decided to work around this by using systemd-tmpfiles which a lot
of other modules already utilize for this use-case. Now,
`override.config.php` and the directory structure aren't created by
`nextcloud-setup`, but by `systemd-tmpfiles`.
With that, the structure is guaranteed to exist
* on boot, since tmpfiles are always created/applied then
* on config activation, since this is done before services are
(re)started which covers the case for new installations and existing
ones.
Also, the recursive `chgrp` was used as transition tool when we switched
from `nginx` as owning group to a dedicated `nextcloud` group[1][2], but
this was several releases ago, so I don't consider this relevant
anymore.
[1] fd9eb16b24
[2] ca916e8cb3
For some reason, I don't know why I missed those, but
I didn't look at my logs for a while.
It would be nice if we could catch those statically kinda (?) in CI.
The ModemManager shipped fccUnlockScripts are using either qmicli or
mbimcli, to unlock wwan modems. These needs to be available for
ModemManager if you set the fccUnlockScripts link, so instead of having
every user than needs it pull it inn in different ways, we should just
provide the tools if we think they might be needed.
https://modemmanager.org/docs/modemmanager/fcc-unlock
In the past, we emitted `unicast_peer` block even with empty unicast peers list.
This now results in:
```
Keepalived_vrrp[392762]: A unicast keyword has been specified without any unicast peers. Defaulting to multicast. This usage is deprecated - please update your configuration.
```
We do not emit it anymore to avoid this warning.
The example systemd-sysupdate transfer name has a ".conf" suffix,
although the files on the final system are already appended with this
suffix, so the file ends up being "transfer-name.conf.conf". Remove the
suffix in the example so that users will get a transfer filename they
expect.
In commit 41ca9c1, the database config got an additional config entry
for a separate CI database connection [1]. Unfortunately, the main connection
must always be the first entry. The fix for this was only applied when
databasePasswordFile has been set.
This commit fixes the order of the config for deployments without a databasePasswordFile.
[1] https://docs.gitlab.com/ee/update/deprecations.html#single-database-connection-is-deprecated
this commit removes the static assignments for the ntfy-sh user and
group. furthermore, it removes some tmpfiles.d rules which where
initially put in place by https://github.com/NixOS/nixpkgs/pull/234811.
these are however not required, as ntfy-sh will automatically create the
required files and systemd automatically handles the migration process.
A nixosTest is added to demonstrate that the migration is working
reliably.
This also fixes an issue with where systemd would sometimes not start
ntfy-sh. The tmpfiles rules in combination with impermanence caused `/
var/lib/ntfy-sh` to be a directory when it should have been a symlink.
This is a followup to commit bba808dbfa ("nixos/avahi-daemon:
resolve mdns only over enabled protocols, disable ipv6 by default",
2023-10-01, PR #258424). mdns occurs twice in /etc/nsswitch.conf but
that commit changed only the first one (mdns_minimal, before resolve).
This commits ensures that both occurrences are set consistently.
This is not only consistent with upstream example[1] but it also
fixes#118628 -- a longstanding issue with CUPS and printer detection.
[1] https://github.com/avahi/nss-mdns#activation
Conflicts:
pkgs/development/python-modules/dbt-core/default.nix
pkgs/development/python-modules/dbt-semantic-interfaces/default.nix
Still broken by pydantic 2 bump, though.
Systemd-repart will use loopback devices for partition creation if it is
able to, and will fallback to doing "offline" partition creation writing
data directly to files. From what I see looking at the repart code,
there are specific features that cannot be taken advantage of when not
using loopback devices (e.g. no BTRFS subvolumes in systemd v255) and in
certain places they have to perform some manual re-sizing work that can
otherwise be avoided.
A bootspec could remove the `initrdSecrets` attribute and is a perfectly valid bootspec, as can be seen
in the bootspec.cue.
This makes the builder not fail upon missing `initrdSecrets`.
The output is expected to be a list [ hostname, port, optional ipv6 scope ], but the
current regex only outputs [ port ], when only a port is given as address.
Noticed that issue while reviewing #275633: when declaring
`ListenAddress host` without a port, all ports declared by
`Port`/`cfg.ports` will be used with `host` according to
`sshd_config(5)`.
However, if this is done and socket activation is used, only a socket
for port 22 is created instead of a sockets for each port from
`Port`/`cfg.ports`. This patch corrects that behavior.
Also added a regression test for this case.
- Add option to set user and group name
- Set users home to runtime directory, to avoid mixing of temporal files
like caches
- Allow admin to control LIRC service by avoiding LIRC enabling
- Allow admin to set libDir, by removing setting argument config to default
- Add package to environment, to allow easy access for admins to helper
tools like svdrpsend and vdr -h
- Cleanup Nix code by avoiding with statement
The Nextcloud admin guide says that output buffering must be turned off
or otherwise PHP will return memory-related errors [1]. As the default
value for this PHP setting is 4096 and thus enabled the Nextcloud setup
is thus misconfigured by default. This misconfiguration will be shown in
the "Security & setup warnings" dialog for the administrator.
Fix this misconfiguration by setting "output_buffering=0" by default.
[1]: https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/big_file_upload_configuration.html#configuring-php
the bug causes a hard dependency on an underlying device which might not be
valid for all interfaces, also broke the example for networking.sits. this is
due to calling hasAttr first and checking for null afterwards, the bug was
made more apparent in commit 76a3c30
Would otherwise fail with
```
error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values:
- In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target "
```
Automatic advertise in the `http` block about support of HTTP/3
protocol makes it difficult to automatically configure services
to work with it.
HTTP/3 availability must be manually advertised, preferably in
each location block.
see #277861. as the module list grows the argument size in the
lazy-options nix call grows, eventually reaching a hard limit and
causing the build to fail. writing the list to a file instead and import
it instead of providing it directly circumvents this.
In addition to increasing the maximum UDP receive buffer size in the Linux kernel, it is now recommended to do the same for the send buffer size.
This is documented in https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes.
The change to the documentation was made in June: 5b5e58d289.
Without this change, the Kubo daemon will output this warning:
```
failed to sufficiently increase send buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
```
This can be seen while running the NixOS tests.
Closes#277206
The bug mentioned above was a symptom of the issue fixed here: when
opening the `forms` app which is installed via `extraApps` (or the
app store) the site wouldn't work because `.mjs` files had the wrong
Content-Type.
The actual problem got fixed already[1], however this config was not
used for stuff from `/nix-apps` & `/store-apps` which had their own
location section with only a `root ;` statement.
In fact, this setup isn't strictly supported by Nextcloud upstream[2],
so to fix this for good, I decided to follow the upstream suggestion for
app directories outside the server root, i.e. linking them back into the
store path.
This means that the module generates a new derivation now with
* `services.nextcloud.package` linked into it via `lndir`.
* under `nix-apps` is a symlink to the link farm containing all apps
from `services.nextcloud.extraApps`.
* under `store-apps` is a symlink to `/var/lib/nextcloud/store-apps`.
Since this is only used in the NixOS module that also configures this
location for imperatively installed apps, this seems an OK thing to
do.
Successfully tested the change on a productive Nextcloud 28.0.1 with
several apps installed via `extraApps` (`forms`, `cospend`, `maps`,
`user_saml` and a few more).
[1] 292c74c7a9
[2] https://docs.nextcloud.com/server/28/admin_manual/apps_management.html#using-custom-app-directories
When `config.boot.zfs.enableUnstable` is set to true, grub was built with the `zfs` package even though the rest of the system uses the `zfsUnstable` package.
The effect of this can only be seen when `zfs` and `zfsUnstable` actually differ (which is not currently the case), for example when overriding one of them locally.
Since 2c5abd89c7 setting the option `boot.kernel.sysctl."net.core.rmem_max"` no longer has any downsides compared to what was previously used. Since 439350753e the same is also true for `boot.kernel.sysctl."net.core.wmem_max"`.
- Use `options = {` instead of repeating `options` for every option
- Change the description of "net.core.rmem_max" slightly to match the kernel documentation
* fixes#250302
* ASHMEM was removed in Linux 5.18 and waydroid can use MEMFD instead.
MEMFD is enabled by default in 4.18 and later kernels while we
already require this version for namespace support.
The pre-start script was actually trying to convert these leftover
`*.new` and even `*.new.new` files, and failing to do so because the
`*.new.new` files were being overwritten and removed before they were
converted.
Since the repart image is built on the build platform, use
`buildPackages` to construct the image. This allows for systemd-repart
images for cross-compiled nixos configurations to work properly.
The `authority.file.path` field of a cert spec is
[defined as follows]
(https://github.com/cloudflare/certmgr/tree/v3.0.3#pki-specs):
> if this is included, the CA certificate will be saved here.
It follows the same file specification format above. Use this
if you want to save your CA cert to disk.
So certmgr fails, because each certmgr spec (apiserver,
addonManager, ...) wants to manage the file at the `cert.caCert`
location. However, the `authority.file.path` field is not needed
for generating a certificate, as the certificate is generated by
the CA, which is reachable at `authority.remote` (e.g.
https://localhost:8888 with `easyCerts = true`). The
`authority.file.path` field just saves the certificate of the CA
to disk.
Only one extra group was add. Some times you want the agents users to
be member of other groups like 'docker'. This change make this possible.
Co-authored-by: Florian Klink <flokli@flokli.de>
This replaces the krb5 module's options with RFC 42-style krb5.settings
option, while greatly simplifying the code and fixing a few bugs,
namely:
- #243068 krb5: Configuration silently gets ignored when set by
multiple modules
- not being able to use mkIf etc. inside subattributes of
krb5.libdefaults, e.g. krb5.libdefaults.default_realm = mkIf ...
See #144575.
Closes#243068.
Co-authored-by: h7x4 <h7x4@nani.wtf>
When a system has a wrong date and time timesyncd is unable to synchronize it
because DNSSEC doesn't work. In order to break this chicken and egg problem
systemd-timesync disables DNSSEC validation by setting
SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file. However, it doesn't work in
NixOS because it uses NSCD. This patch disables NSCD in systemd-timesyncd when
SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries
directly. In order for it to be able to find the libnss_resolve.so.2 library
this patch adds the systemd directory in the nix store to the LD_LIBRARY_PATH.
Before components was not an array and the first loop did never loop
through all entries but through the entire output of find without
splitting by new line.
Tested by copying the preStart script out of the nix store, doing the
change and observing that now the custom-components directory is indeed
being cleaned up after removing a custom component.
"Update History" (release notes):
https://www.ibm.com/support/pages/node/6998343
At the time of this writing,
the "APAR" links of the "Update History" lead to 404.
However, the abstracts indicate that
this update is not security critical.
Note that this update changed the GUI window title
to "IBM Storage Protect"
(the product itself was renamed with version 8.1.19.0 already).
The commit at hand adapts the GUI vm test accordingly.
Also, all URLs in package and module comments are updated.
Changed `services.zerotierone.localConf` default value to `null` and type to `nullOr attrs` per input.
Changed `systemd` preStart script to delete
`/var/lib/zerotier-one/local.conf` when it is a symlink, and rename when it is an actual file, then only create a symlink to the nix store when `services.zerotierone.localConf` is not null.
When reloading the dbus-broker service (e.g. when switching to a new generation),
the reload fails when /tmp got remounted after the service had been started.
Since the dbus-broker service starts early, and does not have default dependencies,
this situation does occur in practice.
This change makes sure that if there are mount units for /tmp, dbus-broker gets
ordered after them.
See also https://github.com/systemd/systemd/issues/28515
This makes sure we don't need any workarounds for running Invidious with a local
PostgreSQL database.
Changing the default user should be fine as the new init script for PostgreSQL automatically
creates the new user and changes the existing database's owner to the new user. The old user
will still linger and must be removed manually.
See also: https://github.com/NixOS/nixpkgs/pull/266270
This simplifies the setup to receive emails from the ZFS Event Daemon
by relying on the sendmail wrapper defined by other modules such as
msmtp or Postfix.
This is more similar to how other modules like smartd deal with email
configuration.
The user is no longer required to define and rebuild their own ZFS
package to add email support.
GitHub: closes https://github.com/NixOS/nixpkgs/issues/132464
Convert the `ipfsMountDir` and `ipnsMountDir` settings to RFC42-style settings.
I don't know why I didn't already do this in a255c43f44, I guess I just missed it.
This fixes a panic of the kubo daemon which could occur under certain conditions when the daemon was starting.
It was caused by the `ipfs.service` unit not depending on the `ipfs-api.socket` and `ipfs-gateway.socket` units with `Wants=`. This allows the `ipfs.service` to be started manually or by `nixos-rebuild` without the sockets being set up before that. When that happens, the daemon won't know about these sockets and will only use what is set in `services.kubo.settings.Addresses.Gateway` and `services.kubo.settings.Addresses.API`. By default the `API` is an empty list in NixOS though. The daemon doesn't like this at all and panics on startup, see https://github.com/ipfs/kubo/issues/10056.
With this commit, starting `ipfs.service` will first set up the two sockets before starting the actual service.
Adding the `Sockets=` option implicitly adds a `Wants=` for the sockets and this is exactly what we need. See https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#Implicit%20Dependencies . This can be checked with `systemctl show ipfs.service`.
This should probably be upstreamed to the unit file in the Kubo repo.
The problem can be reproduced in the following way:
- Add `services.kubo.enable = true` to `/etc/nixos/configuration.nix`
- `sudo nixos-rebuild switch` (this may already fail, not sure why it's not deterministic for me)
- `sudo systemctl stop ipfs-api.socket`
- `sudo systemctl stop ipfs-gateway.socket`
- `sudo systemctl stop ipfs.service`
- `sudo systemctl start ipfs.service`
Fixes#248447.
The previous code did not apply any changes to the upstream defaults on being presented with an empty list.
This changes the code to use the above behaviour on a `null` value while an empty list is passed through as normal which yields a systemd configuration line with empty value which resets it to an empty value.
Signed-off-by: benaryorg <binary@benary.org>
This reverts commit 413011ddf4.
Using separate lockfile directories prevents the different kea daemons
from using the interprocess sync lockfile.
Keeping the runtime directory around might be the better approach.
we previously defined a custom type for `boot.kernel.sysctl."net.core.rmem_max"`
to resolve to the highest value set. this patch adds the same behavior to
`"net.core.wmem_max"`.
as this changes the type from a string to an integer, which is a breaking
change this patch also includes a release note and updates the transmission
module to use a number for `wmem_max`.
This fixes the following eval error:
```
error: nodePackages.node-red cannot be found in pkgs
```
when having `services.node-red.enable = true;` without specifying
`services.node-red.package`, just like the nixos VM test.
Follow-up of f509382c11, which attempted
to fix this as well.
Breakage introduced in 0a37316d6c.
Using `/bin/sh` in udev rules is fine (as it's guaranteed to point to a
(bash) shell on NixOS), and actually is better than hardcoding absolute
paths, at least in cases where these rules are also added to the
(systemd-based) initrd (via boot.initrd.services.udev.rules).
To allow this, we need to update the check routine that assembles the
list of files needing fixup, to explicitly exclude `/bin/sh` occurences.
To do this, we convert the pattern to a PCRE regex (which requires "/"
to be escaped), and add `(?!/bin/sh\b)` as a negative lookahead.
This subsequently allows udev rules to (start using) `/bin/sh` again, so
they'll work in-initrd.
* Always use PHP 8.2: at the time of writing, Nextcloud also suggests to
use 8.2 rather than 8.3 in the manual for v28.
One contributing factor is probably that all plugins need new releases
to declare PHP 8.3 support.
* Fix upgradeWarning for installing v27 now that v28 is out.
* Drop upgrade warning for v24. This one is EOL for quite a while
already, so right now everybody should've switched (or carefully
studied the release notes in case they were upgrading from <23.05) and
we can clean up the module a little bit.
v25 was dropped not so long ago, so if it's still referenced (because
somebody didn't declare `services.nextcloud.package` and has
`system.stateVersion = "22.11";`) it's appropriate to still give a
specialized error.
services.udev.path already contains some defaults, these are however
defined in the module implementation, not options.
Update the description to make this more clear.
If we include users with unset groups, we get this very confusing
message, with invalid Nix code:
- The following users have a primary group that is undefined: qyliss
Hint: Add this to your NixOS configuration:
users.groups. = {};
We don't need to include such users in this check, since they'll be
caught anyway by this one:
- users.users.qyliss.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.qyliss.group = "qyliss";
users.groups.qyliss = {};
I saw this trace when building my system configuration this morning:
```
lazy-options.json> trace: warning: literalExample is deprecated, use literalExpression instead, or use literalMD for a non-Nix description.
```
This warning was introduced in https://github.com/NixOS/nixpkgs/pull/237557.
The option this commit changes was introduced in https://github.com/NixOS/nixpkgs/pull/137003.
This will cause systemd to chown /var/lib/jenkins to the user that
the jenkins systemd service runs as, fixing permission issues when
mounting /var/lib/jenkins from another data volume.
It uses the same logic that garage is using, too, checking for the
prefix.
Since 1557027, makeModulesClosure doesn't create a lib/firmware
directory if there is no firmware in the initramfs. If this happens,
systemd-stage-1 fails to build.
/lib only contains /lib/modules and /lib/firmware, both of while are
from modulesClosure. Therefore, we can just add the entirety of
${modulesClosure}/lib to the initramfs to allow for the possibility that
lib/firmware doesn't exist. This also brings systemd-stage-1 in line
with the traditional stage-1.
#264753 mistakenly used the dataDir option to set the -data argument.
This broke existing configurations because -data used to be set to
configDir (implicitly, using the -home option, which is equivalent to
setting -config and -data to the same value).
Fix this by introducing a new databaseDir option sets -data and defaults
to configDir. This maintains the existing behavior by default while
still allowing users to specify separate config and database
directories.
In 759ec111 the ping setuid wrapper was removed in favour of giving
permissions to perform ICMP echo requests to all users.
The problem is that the systemd file that was supposed to change the
`net.ipv4.ping_group_range` sysctl is not always installed, specifically
only if systemd.coredump.enable.
In that case the range is "0 1", which is effectively restricts ping to
only root.
This change explicitely sets the range to "0 2^31-1", as systemd does.
This is necessary to allow the usbhid driver to successfully send
commands to the attached UPS.
It is possible to work around this by explicitly using setting the user
flag (e.g. `upsdrvctl -u root shutdown`), though it is much simpler to
install the udev rules rather than patch things further.
Until now, if you set `services.xserver.xkb.dir` to a dir containing
a custom keyboard layout, and making this layout the default via
`services.xserver.xkb.layout`, `xkbvalidate` would complain:
The value `gb-CapsLockIsHyperL' for keyboard layout is invalid.
Please check the definition in `services.xserver.xkb.layout'.
Detailed XKB compiler errors:
Couldn't find file "symbols/gb-CapsLockIsHyperL" in include paths
1 include paths searched:
/nix/store/x1ahkafwzv66s3yxffvrjc0ixkcjiig6-xkeyboard-config-2.31/etc/X11/xkb
3 include paths could not be added:
/homeless-shelter/.config/xkb
/homeless-shelter/.xkb
/etc/xkb
Abandoning symbols file "(unnamed)"
Failed to compile xkb_symbols
Failed to compile keymap
This is because the `xkb_*()` functions in `xkbvalidate` were not
told to use our `xkbDir`.
This commit fixes it by passing the dir as an environment variable
as described on:
* https://xkbcommon.org/doc/current/group__include-path.html
* https://xkbcommon.org/doc/current/group__context.html
Using the user-set default shell (which is intended for non-system users) for the nix-ssh user can lead to unpredictable behavior, such as `fish` complaining about the unwritable home directory on every connection. Bash is guaranteed to be available and work as expected, so explicitly use it instead.
