This brings two benefits. For one thing, it exposes the generated
config file which users can build separately to validate it. For
another, it allows users to provide their own config file.
* Move watchdogd to correct section
* Move FileSender to correct position
* Reword
* Add TODO querying meaning of dwarf-fortress note
* Remove comments suggesting random item placement
* Add comments asking to maintain alphabetical order
Given that we were overriding qemu_test to enable this anyway,
enabling this by default saves Hydra a QEMU build.
There's also clear demand from users[1] for this feature, so our
alternatives are:
- Offer a qemu-canokey attribute. I don't want to do this, because I
don't think there's any reason to make Hydra build an extra QEMU.
- Enable it only for qemu_test. I don't want to do this, because it
will lead to users using qemu_test without understanding its
subtleties.
- Force users to build from source. I don't think there's any reason
to do this when it's unlikely to hurt anybody having it enabled by
default. There's no reason to single out canokey to be disabled by
default in spite of users' needs given that we enable so many other
optional QEMU features.
[1]: https://github.com/canokeys/canokey-qemu/issues/6
This will not affect the options, but allows to not configure settings at
all, if you don't need to. Unbreaks the NixOS test, which relies on this
behavior.
Fixes: #312757
This patch is about removing `wireguardPeerConfig`,
`dhcpServerStaticLeaseConfig` - a.k.a. the
AbstractSingletonProxyFactoryBean of nixpkgs - and friends.
As a former colleague said
> worst abstraction ever
I second that. I've written enough networkd config for NixOS systems so
far to have a strong dislike. In fact, these don't even make sense:
`netdevs.wireguardPeers._.wireguardPeerConfig` will be rendered into
the key `[WireGuardPeer]` and every key from `wireguardPeerConfig` is in
there. Since it's INI, there's no place where sections on the same level
as wireguardPeerConfig fit into. Hence, get rid of it all.
For the transition, using the old way is still allowed, but gives a
warning. I think we could drop this after one release.
The tests of rosenpass and systemd-networkd-dhcpserver-static-leases
were broken on the rev before, hence they were updated, but are still
not building.
Module has been fixed and now uses the maintenance service to cache
settings so as to not require environment files wherever possible.
The tests now test using mariadb and postgresql as well as sqlite to be
more complete. A test has been added for testing whether app.js has been
compiled successfully, as well as to check whether the cronjob fires
successfully.
Given the current situation, I have not been able to take care of
anything related to that module. Upgrades are merged without upgrading
properly the module, unfortunately.
This caused too much divergence and I still do not have the energy to
take care of it.
I will leave it to the more active recent committers who touched the
module to take it from there.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This is a follow-up to 8d7f3c9dbd and
ae48735c53.
Running the config validation in the build sandbox is impossible and
will fail when using `cfg.configFile` or `-config.expand-env=true`.
`cfg.configFile` is a string of a path which is simply not available to
the build sandbox.
Similarly, one may opt to use `cfg.configuration` with environment
variables in combination with `-config.expand-env=true`.
The environment variables referenced that way are also not available
in the build sandbox.
So we skip the validation when it's impossible (`cfg.configFile`) or
likely impossible (`-config.expand-env=true`).
An alternative approach would be something like nixos/prometheus'
`services.prometheus.checkConfig` that takes a boolean and makes
toggling the config validation user-facing.
The original code tests output of `ip addr add` command to detect if an
adress already exists. The error message was changed in the past and the
test no longer works.
The patch replaces `ip addr add` with `ip addr replace`. The new command
replaces an existing address or creates a new one if there isn't any.
fixes 306841
Commit a52e27d4f6
changed the `ensurePrinter` mechanism such that it uses
`lib.cli.toGNUCommandLineShell` to assemble the
`lpadmin` command line that creates the required printer.
Before that commit, the command line contained
single quotes (')to protect certain options from being
(mis-)interpreted by the shell.
The new mechanism no longer needs those quotes as
`lib.cli.toGNUCommandLineShell` takes care of quoting/escaping.
Unfortunatelly, the commit missed the
quotes around the `-o` command line part.
`lib.cli.toGNUCommandLineShell` now properly escapes
those quotes, thereby including them in the effective
command line arguments that are passed to `lpadmin`.
The result is that no option is applied anymore.
The commit at hand simply removes the superfluous quotes.
With this change, options are again properly applied as before.
Add '~' and '^' to the supported characters for the field. These
characters are needed to be able to define all versions that are
compatible with the UAPI Version Format specification.
One example where this is used is the `%A` flag in systemd.unit. If we
don't allow these other characters, we for example cannot declare a
pre-relase version.
systemd, as far as I can tell, doesn't enforce any restrictions on the
os-release fields.
https://uapi-group.org/specifications/specs/version_format_specification/
Allow loading pretalx plugins in a declarative manner. They are passed
into the package dependencies at build time, so that collectstatic and
other django maintenance functions account for them, since we cannot
regenerate assets at runtime anyway.
The explicit `replication_mode` option in `services.garage.settings`
has been removed and is now handled by the freeform settings in order
to allow it being completely absent (for Garage 1.x).
That module option previously `toString`'ed the value it's configured
with, which is now no longer possible.
Warn the user if they're still using a non-string here.
This migrates the syntax for a few configuration values,
which now need to be quoted strings for user values.
This also disables the use of a public resolver,
which is not accessible in the sandbox.
This makes it possible for other systemd units to depend on
keycloak.service using `after` and `wants` relationships, and systemd
will actually wait for Keycloak to finish its initialization before
starting any dependent units. This can be important for services like
oauth2-proxy, which (when configured to use Keycloak as its auth
provider) will fail to start until Keycloak's
`.well-known/openid-configuration` endpoint is available.
This fixes build failures with the wayland dependency:
Quoting @nevivurn:
"guestadditions->...->wayland, but the test config pulls in
modules/profiles/minimal.nix which disables xlibs and thus it won't build"
Co-authored-by: Yongun Seong <nevivurn@nevi.dev>
Upstream (accidentally) broke support for postgresql 12 and 13 on
v0.2.1 by changing the signature of the `from_datum` function[^1].
This went unnoticed since the release branch `0.2` did not have CI.
Furthermore, they are removing support for these versions of postgresql
on v0.3.0[^2].
[^1]: 97e861d51d
[^2]: https://github.com/tensorchord/pgvecto.rs/issues/343
One of the module that already supports the systemd-confinement module
is public-inbox. However with the changes to support DynamicUser and
ProtectSystem, the module will now fail at runtime if confinement is
enabled (it's optional and you'll need to override it via another
module).
The reason is that the RootDirectory is set to /var/empty in the
public-inbox module, which doesn't work well with the InaccessiblePaths
directive we now use to support DynamicUser/ProtectSystem.
To make this issue more visible, I decided to just change the priority
of the RootDirectory option definiton the default override priority so
that whenever another different option is defined, we'll get a conflict
at evaluation time.
Signed-off-by: aszlig <aszlig@nix.build>
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.
This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:
> The goal is to deny write access to / to non-root users,
>
> * TemporaryFileSystem=/ gives us that through the ownership of / by
> root (instead of the service's user inherited from
> RuntimeDirectory=).
> * ProtectSystem=strict gives us that by mounting / read-only (while
> keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
> ...
>
> I guess this would require at least two changes to the current tests:
>
> 1. to no longer expect root to be able to write to some paths (like
> /bin) (at least not without first remounting / in read-write
> mode).
> 2. to no longer expect non-root users to fail to write to certain
> paths with a "permission denied" error code, but with a
> "read-only file system" error code.
I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.
[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215
Signed-off-by: aszlig <aszlig@nix.build>
This is to make sure that we test all of the DynamicUser/User/Group and
PrivateTmp options in a uniform way. The reason why we need to do this
is because we recently introduced support for the DynamicUser option and
since there are some corner cases where we might end up with more
elevated privileges (eg. writable directories in some cases), we want to
make sure that the environment is as restrictive as with a static
User/Group assignment.
I also removed various checks that try to os.chown(), since with our new
recursive checker those are redundant.
Signed-off-by: aszlig <aszlig@nix.build>
So far the architecture for the tests was that we would use a systemd
socket unit using the Accept option to start a small shell process where
we can pipe commands into by connecting to the socket created by the
socket unit.
This is unnecessary since we can directly use the code snippets from the
individual subtests and systemd will take care of checking the return
code in case we get any assertions[^1].
Another advantage of this is that tests now run in parallel, so we can
do rather expensive things such as looking in /nix to see whether
anything is writable.
The new assert_permissions() function is the main driver behind this and
allows for a more fine-grained way to check whether we got the right
permissions whilst also ignoring irrelevant things such as read-only
empty directories.
Our previous approach also just did a read-only check, which might be
fine in full-apivfs mode where the attack surface already is large, but
in chroot-only mode we really want to make sure nothing is every
writable.
A downside of the new approach is that currently the unit names are
numbered via lib.imap1, which makes it annoying to track its definition.
[^1]: Speaking of assertions, I wrapped the code to be run with pytest's
assertion rewriting, so that we get more useful AssertionErrors.
Signed-off-by: aszlig <aszlig@nix.build>
When experimenting on ways how to refactor the test, I wrote a
significant enough amount of Python to warrant a dedicated Python file.
This commit is mainly to prepare for that and make it easier to track
renames.
Signed-off-by: aszlig <aszlig@nix.build>
The reason why I originally used the "description" attribute was that it
can be easily used to parametrise the tests so that we can specify
common constraints and apply it across a number of different
configurations.
When porting the tests to Python, the description attribute was replaced
by inlining it into the Python code, most probably because it was easier
to do in bulk since using Nix to generate the subtest parts would be
very complicated to do since we also had to please Black (a Python code
formatter that we no longer use in test scripts).
Since we now also want to support DynamicUser in systemd-confinement,
the need to parametrise the tests became apparent again because it's now
easier to refactor our subtests to run both with *and* without
DynamicUser set to true.
Signed-off-by: aszlig <aszlig@nix.build>
Eelco has made several early contributions to NixOS including writing
the samba module among other things, but is more or less inactive these
days.
By my brief inspection, he has not committed to the nixos/ tree since
releasing Nix 2.13 in early 2023 and merging a PR to networking tests
slightly before that. A lot of these tests/modules are actually
unmaintained in practice, so we should update the code to reflect the
practical reality so someone can consider picking them up.
Otherwise, setting services.caddy.enableReload to false fails in a very bad fashion:
The reload command still gets executed, but fails:
```
Apr 26 21:23:01 n1-rk1 systemd[1]: Reloading Caddy...
Apr 26 21:23:01 n1-rk1 caddy[70793]: {"level":"info","ts":1714166581.733018,"msg":"using provided configuration","config_file":"/etc/caddy/caddy_config","config_adapter":"caddyfile"}
Apr 26 21:23:01 n1-rk1 caddy[70793]: {"level":"warn","ts":1714166581.7353032,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/caddy_config","line":3}
Apr 26 21:23:01 n1-rk1 caddy[70793]: Error: sending configuration to instance: performing request: Post "http://localhost:2019/load": dial tcp [::1]:2019: connect: connection refused
Apr 26 21:23:01 n1-rk1 systemd[1]: caddy.service: Control process exited, code=exited, status=1/FAILURE
Apr 26 21:23:01 n1-rk1 systemd[1]: Reload failed for Caddy.
```
… and the server is not restarted either, as a ExecReload= command is
specified.
Fix this, by only setting ExecReload if the reload exists.
The first empty string is still necessary to reset the old option.
Now, it's `nixos.tests.misc.default` and `nixos.tests.misc.lix` since
Lix introduction in #310194.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Depending on the startup order of the two machines it might take a few
moments to get both zones transfered, which can lead to SERVFAIL
responses on busy machines.
Add missing http:// scheme. Without it pixiecore logs this and never
contacts the API server:
[DHCP] Couldn't get bootspec for [REDACTED_MAC_ADDR]: Get "localhost:8080/v1/boot/[REDACTED_MAC_ADDR]": unsupported protocol scheme "localhost"
`nixosTests.misc` is an interesting smoketest as a last (cheap) line of
defense against Nix regressions.
We rework it to accept any arbitrary package manager for Lix.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
The kernel used on aarch64-linux is built with CONFIG_BLK_DEV_LOOP=y,
so the test previously did not work on aarch64-linux.
The module for Hybla congestion control is available as a loadable
module both on x86_64-linux and aarch64-linux.
This adds an implementation of switch-to-configuration that allows for
closer interaction with the lifecycle of systemd units by using DBus
APIs directly instead of using systemctl. It is disabled by default, but
can be enabled by specifying `{ system.switch = { enable = false; enableNg = true; }; }`.
* Another batch of release not edits
* Elide mention of dub lockfiles
Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
* Qualify qtmultimedia with qt6
Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
---------
Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
The change introduced in #308303 refers to the virtualHosts attrset
key which can be any string. The servername is the actual primary
hostname used for the certificate.
This fixes use cases like:
services.nginx.virualHosts.foobar.serverName = "my.fqdn.org";
The state directory contains static files that need to be accessible by
a webserver, but homeMode defaults to 0750 and switching the generation
will always force the homeMode, thereby breaking access to the assets.
Instead, fully rely on systemd to provide the StateDirectory with the
correct mode.
The state directory contains static files that need to be accessible by
a webserver, but homeMode defaults to 0750 and switching the generation
will always force the homeMode, thereby breaking access to the assets.
Instead, fully rely on systemd to provide the StateDirectory with the
correct mode.
This is a feature supported out of the box by upstream and allows the
incusd service to be restarted without impacting running
instances. While this does give up a bit of reproducibility, qemu and
lxc for example, there are clear benefits in allowing the host to
apply updates without impacting instances.
Modeled after the zabbly implementation: 2a67c3e260/systemd/incus-startup.service
This will now be the default.
borgbackup exit code 1 means warning, not error. For example if a file
is modified during backup, borg create exits with code 1. It may be
desirable to count that as success.
The change I merged too hastily in #302300 increases the size by
~30%. This could be improved upon, but in the meantime let's go back
to xz while keeping zstd-compressed firmware (only 4.4% larger) and
_support_ for zstd-compressed modules.
In accordance to the upstream release cycle, we now provide 2 flavours
of the percona mysql ecosystem. The default is the LTS variant,
additionally there is now the floating `percona-server_innovation`
always pointing to the most recent regular release.
- mentioned in release notes
- adapted all depending tests and tools (xtrabackup)
This release belongs to the "innovation" release track of Percona,
making it likely to diverge over time from the LTS release. Hence I just
created a separate packaging expression for this.
In 8bb777ee37 a condition was added to
only execute the createdb.sh script if database setup was configurated.
However a superfluace " was added at the end of the line which cased an
escaping error the resulted in #309520.
Fixes#309520
We remove the global rootlog in favor of instantiating the logger as
required in the __init__.py and pass it down as a parameter (of our
AbstractLogger type).
Previously, the XML logging was always present and only created an
output file if a special environment variable was present. We now only
create the XML logger if the environment variable is present, saving us
from logging to XML internally if it is not required.
We add a new logger that allows generating a junit-xml compatible report
listing the subtests used in the nixos integration test. Junit-xml is a
widely used standard for test reports. The report can be used for quick
evaluation of which subtest failed.
We use the newly AbstractLogger class and separate the XML and Terminal
logging that is currently mixed into one class. We restore the old
behavior by introducing a CompositeLogger that takes care of logging
both to terminal and XML.
This got broken up into separate `replication_factor` and
`consistency_mode` settings with Garage 1.x, and due to the the "none"
default kicking in, Garage fails to startup with
> : Error: Either the legacy replication_mode or replication_level and consistency_mode can be set, not both.
if we actually make the migratiom as documented in the migration guide.
Drop this explicit setting, so users can set replication_mode or
replication_factor/consistency_mode, depending on the version they're
using.
Many terminal packages don't cross compile, so the `terminfo`
NixOS module was not usable for nixos configurations that are
cross-compiled.
Terminfo files (AFAIK) are small files that contain data about
terminal capability, so they should never have any runtime
dependencies that would cause any executables or otherwise
incompatible outputs from the `buildPlatform` to leak into the
nixos config's closure.
Conflicts in luaPackages.luarocks-nix:
- 8b563cd9f9 switched to the new version format (prefixed by 0 since there was no relevant last tag in the branch).
bc4f6fa543 bumped version and switched to the new version format. But the tag used is not part of the branch the commit comes from (master).
Used the new version but replaced the tag prefix with 0.
- b73ec84b9e removed meta (it is already set in the overridden luarocks). But that would cause the update script to try to update the overridden luarocks (as did the previously used old.meta).
bf311d950e modified meta to fix the update script properly.
Kept the meta from the latter since it allows update script to work.
This sets the exception handler to show the full exception on startup.
We don't think it does anything else, with respect to logging, for
instance. Everything else can be configured in the config file, and this
is plain reasonable to simply always enable in our view.
This commit fixes the requirement to provide a pruneOption to ensure
that the check command is run when a check option is set. This is useful
for check-only configurations. The option is implicitly set if checkOpts
are given by default.
Motivation: Allow the sshd package to be built differently to the ssh
package (programs.ssh.package). For example, build sshd(1) without
openssl, but built ssh(1) with OpenSSL support.
Set the default to be programs.ssh.package, to preserve compatibility.
This makes kwin_wayland successfully gain SCHED_RR priority, which
significantly improves the rendering lag, ie. cursor movement and
desktop animations, under heavy CPU load like on compilation.
This was already enabled for plasma5 but is not for plasma6 somehow.
These have been deprecated since NixOS 20.03.
Also fixes evaluation error caused by moving
the `defaultSessionFromLegacyOptions` variable
in 6be2bfcc32
and turn it in to a list.
The current setting of system.forbiddenDependenciesRegex is a string, meaning only one such regex as any additional setting would result in conflicts.
As maintainers have already started using this setting eg. in profiles, it would be good if this setting would accept a list of regex to allow the end
user to make use of it in addition to package maintainers.
Closes#233865. Currently, the documentation for `boot.loader.grub.theme` misleadingly implies that it needs a package for a grub theme instead of a path to a grub theme.
This service performs operations that significantly increase the
performance of Nextcloud, can take a while. These are designed however
to not require maintenance mode and can be executed during normal
operation[1].
Make nextcloud-cron a simple unit instead of oneshot: otherwise we risk
that it'll be stopped by the startup timeout (oneshot executes ExecStart
while "activating") which can be an issue for very long running tasks or
if Nextcloud needs to catch up if one task was broken for a while.
[1] https://docs.nextcloud.com/server/29/admin_manual/maintenance/upgrade.html#long-running-migration-steps
Previously you needed to set an devRootTokenID when dev=true despite the option being optional
Caused by wrong default value and not allowing null as value
https://github.com/kanidm/kanidm/releases/tag/v1.2.0
Added updatescript, and removed Cargo.lock as no more git deps.
New release process documented here:
a67d1f5160/book/src/support.md
Re-ordered test and removed anonymous login as logout no longer works:
[info]: Ignoring request to logout session - these sessions are not recorded
Notes:
- barf went into contrib/ and officially unsupported.
- verify was removed entirely.
- the makefile is a bit smarter now and doesn't require many
of the previous workarounds.
This is a breaking change that converts the 'src' csv column (a git URI) to a 'rockspec'
fullpath uri.
before this, luarocks-nix would clone the repo and look for rockspecs
with a brittle algorithm. This removes the ambiguity on which rockspec
to package while allowing to remove a bunch of brittle code from
luarocks-nix.
This reverts commit e827697fd3.
This seems to cause various issues during system activation, as reported
in https://github.com/NixOS/nixpkgs/issues/302771 for example.
Due to being close to branchoff, revert this for now.
We'll open a tracking issue to collect and sort out remaining issues.
This fixes the following warning:
trace: warning: bitwarden-directory-connector-cli.timer is ordered after 'network-online.target' but doesn't depend on it
The idea behind that is to enable users and developers of
downstream tools such as home-manager to test Nix master for several
reasons:
* Nix is currently trying to have a `master` branch that's always
releasable[1]. We're still on Nix 2.18 in nixpkgs due to too many
notable regressions. Enabling people to test latest master may help on
that end.
* This uses the most bleeding-edge Nix, but our packaging, so we can
identify issues with our packaging early.
* From what I've seen, most people are using the packages from nixpkgs
anyways instead of the upstream flake, this is far more convenient
anyways.
My plan is to update this once a week. Right now we rely on the
`installCheckPhase` here, but as soon as we have proper regression
testing[2], we may want to add `nixUnstable` there as well (however with
failures being allowed probably).
[1] https://discourse.nixos.org/t/nix-release-schedule-and-roadmap/14204
[2] https://github.com/NixOS/nixpkgs/pull/304332
Since https://github.com/redis/redis/pull/4001 included in 6.2.0
transparent hugepages works when being set to madvise which is the NixOS
and upstream recommended default.
> WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition.
> Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328.
> To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
This avoids having to use workarounds like the following to retain the
default settings which podman requires to run.
virtualisation.containers.storage.settings = lib.recursiveUpdate options.virtualisation.containers.storage.settings.default {
storage.options.mount_program = lib.getExe pkgs.fuse-overlayfs;
};
Currently there is an issue with $PATH & parallel causing build errors.
It’s probably best to just remove the dependency where bash forking is
good enough here.
I found this while perusing the manual thinking about whether or not to install NixOS on my new laptop. It threw me for a loop for a second but as best I can tell this meant to be ".org" like the rest of the example, and not ".com"
I am deeply saddened at the fact that I need to do this. I have no
interest in re-litigating everything that has happened over the past
weeks and months, but I want to make my position(s) extremely clear:
The thought of any of my work contributing to someone's death by drone
makes me feel physically ill.
Recent communications from senior members of the NixOS community have
made it clear that leadership is unaware or uninterested in the basics
of how to run and moderate a community in a way that is resilient to bad
actors. The recent post by @edolstra is tone-deaf and gives me no
confidence that the Nix/NixOS community is a place that I want to remain
involved in going forward. I am thus choosing to remove myself from such
a community.
I also hereby resign from the ACME team.
See also: #307033
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Before the startup, the matrix-appservice-irc service sets up the
registration file such that it can be used by matrix-synapse. Part of
that setup requires us to change the group of said file so that the home
server can read it. Consequently, we need CAP_CHOWN and require that the
@chown system calls are allowed.
While we supposedly set up both of these, the setup of system calls is
broken as we have both an allow and a deny list of syscalls. But while
the allow list contains "@chown", the deny list contains "@privileged"
which contains "@chown" itself. So ultimately, we end up denying
"@chown".
Fix this issue by specifying "@chown" after the deny list.
I manually audited all `RunCommand` and `exec.LookPath` calls in the incus repo, combined with the following information
/run/wrappers/bin
lxc usable-cub 20240427123718.368 WARN idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:165 - newuidmap binary is missing
iw
lxc 20240427123830.358 ERROR network - ../src/lxc/network.c:lxc_netdev_move_wlan:1679 - Couldn't find the application iw in PATH
minio-client
https://github.com/lxc/incus/pull/777
ceph-client
Added, but could be missing bits to actually work
May need full ceph package for `radosgw-admin` for object storage?
Currently the installWrapper warning is issued if sudo (and sudo-rs)
aren't installed. This is fine, except we get the warning even if we
explicitly turn off installWrapper -- say, for this very reason!
Rather than warning on every build until either sudo is installed or
Akkoma is uninstalled, only warn if cfg.installWrapper is true.
