Introduces `services.varnish.listen` as a list of structured
listen addresses with all allowed variations of arguments
documented in the man page.
Deprecates `services.varnish.http_address`.
This reverts commit a794031c59.
With the following additions:
Allow `CAP_KILL`, so the dovecot master process may interrupt its child
processes.
Allow new privileges, so dovecot can call the setuid sendmail executable.
Allow AF_NETLINK sockets, so dovecot sieve handling can use the
getifaddrs syscall.
Finally, we now assert that no options are set on the legacy dovecot2
systemd unit name, to make the user aware they need to update their
overrides.
It's not clear how to use this command in other systemd units, this
section gives a recommendation.
I realized that there's no explicit mention of `nextcloud-occ` in the
first place, so I wrote some introductory sentences as well.
The tee-supplicant is a program that interacts with OP-TEE OS and allows
loading trusted applications at runtime (among other things). There is
an `optee` test included that uses the pkcs11 trusted application (in
upstream OP-TEE OS), loads it during system startup via tee-supplicant,
and uses `pkcs11-tool` to list available token slots.
See https://discourse.nixos.org/t/i-cannot-for-the-life-of-me-find-the-package-that-has-pg-config/66244/4
I decided against doing this in its own nixpkgs manual: the line
to draw is quite blurry already (e.g. we have documented our package
removal policy in here as well) and having to check two manuals for a
single subsystem feels pretty annoying to me.
The relevant part - where to find pg_config - is written at the top. I
decided to give a bit more context about the way our packaging works
since I realized a few times now that I don't remember all the details
about the problems we had in the past and having to look up individual
commit messages for that isn't very productive.
Sourcehut went a year with no update in nixpkgs, the packages did not
build for months, the module has issues at runtime, one of the
maintainers stopped using NixOS entirely and the other two don't respond
to issues.
Upstream has since also deprecated the Arch Linux and Debian
repositories to install Sourcehut. The only official way that remains is
Alpine Linux on x86_64-linux.
With networkmanager we can provide a much more welcoming network setup
experience in the installer and it costs us less than 10 MB with this
configuration on the minimal ISO.
By default, for new profiles it will enable DHCP and RA and allow
interactive reconfiguration through `nmtui` or `nmcli`. Especially the
TUI interface is very easy to pick up and removes the need for typing in
manual commands when setting up the WLAN connection.
It is unclear where this list originated, but it doesn't make sense to
ship it with all networkmanager installations. The most excessive plugin
is openconnect, which ships a 250 MB closure including webkitgtk.
Instead users now have to specify the plugins they want explicitly. I
updated the option to give hints on how to find them as best as I can.
The new postgresql.target will now wait until recovery is done and
read/write connections are possible.
This allows ensure* scripts and downstream migrations to work properly
after recovery from backup.
Resolves #346886
This avoids restarting the postgresql server when only ensureDatabases
or ensureUsers have been changed. It will also allow properly waiting
for recovery to finish later.
To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.
Resolves #400018
Co-authored-by: Marcel <me@m4rc3l.de>
There's quite a bit of pingpong redirection with Nixpkgs and NixOS
manual utilities. Since devmode was lacking a README, the descriptive
text is moved there and it's referenced by both manuals.
There exist multiple issues with these options, for example they are not
introspectable, since the values are configured in the config part of the
module.
Also the keypair is always configured for both server and client usage,
which is really surprising. The postfix docs even advise against setting
up client certificates, if they aren't required. [1]
The replacements are `smtpd_tls_chain_files` for server usage and
`smtp_tls_chain_files` for client usage, which are the preferred way to
configure keys and certificates since Postfix 3.4.0. [2]
[1] https://www.postfix.org/postconf.5.html#smtp_tls_cert_file
[2] https://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
* pkgs.formats.yaml_1_2: init
Same as YAML 1.1 but relies on the unpinned remarshal version which emits
YAML 1.2.
* nixos/postfix-tlspol: init
MTA-STS and DANE/TLSA resolver and TLS policy socketmap server for
Postfix.
* nixos/tests/postfix-tlspol: init
Simple test checking whether the service comes up and the CLI can interact
with it and gives reasonable results.
The no-broken-symlinks hook does not fail if bad links exist out of
store, but /build is also a special directory for nix derivations: the
build directory in the builder mount namespace.
There should be no link to /build in the output derivation, so also
error on these directories (through $TMPDIR, which defaults to that).
Closes #410508
source https://mozilla-services.readthedocs.io/en/latest/howtos/run-sync-1.5.html#howto-run-sync15
Quotation:
```
Firefox for Android (“Daylight”, versions 79 and later) does support using a non-Mozilla-hosted Sync server. Before logging in, go to App Menu > Settings > About Firefox and click the logo 5 times. You should see a “debug menu enabled” notification. Go back to the main menu and you will see two options for a custom account server and a custom Sync server. Set the Sync server to the URL given above and then log in.
To configure Android Firefox 44 up to 78 to talk to your new Sync server, just set the “identity.sync.tokenserver.uri” exactly as above before signing in to Mozilla accounts and Sync on your Android device.
Important: after creating the Android account, changes to “identity.sync.tokenserver.uri” will be ignored. (If you need to change the URI, delete the Android account using the Settings > Sync > Disconnect… menu item, update the pref, and sign in again.) Non-default TokenServer URLs are displayed in the Settings > Sync panel in Firefox for Android, so you should be able to verify your URL there.
```
The /token/ prefix is experimentally wrong.
vmalert only supports a single datasource for querying metrics and
managing alerts. Because of that, we need two instances to manage alerts
for both VictoriaLogs and VictoriaMetrics.
This is strongly inspired by the change made to Redis, i.e. a new
`instances` option was introduced with each option inside it.
With `mkRenamedOptionModule` it's ensured that existing configurations
still evaluate to the same result.
Pihole's dashboard is a web app which visualises statistics from pihole-FTL
(i.e. dnsmasq), shows query logs, and allows configuration.
With this module, configuration is largely declarative and immutable, so
settings can't be changed, but they can be viewed from the webpage.
The admin page also allows regenerating the DNS ("gravity") database.
Add a module for pihole-ftl, which allows declaratively defining the
pihole.toml config file.
Also provide options for adlists to use, which can be added through the pihole
script (packaged as "pihole"). Other state such as clients and groups requires
complex database operations, which are normally performed by the pihole
webapp (packaged as "pihole-web").
Extend the dnsmasq module to avoid duplication, since pihole-ftl is a soft-fork
of dnsmasq which maintains compatibility.
Provide the pihole script in `environment.systemPackages` so pihole-ftl can be
easily administrated.
The phrasing that channels are updated automatically "[when] all packages have been built" could be
read as "all packages have been built successfully". However, in reality, it only meant to say that
all packages have been *attempted* to be built, so a channel may still contain broken packages. This
patch aims to make this clearer by mentioning that only a selection of packages is required to be
built successfully and by pointing to the files which contain these selections.
On AMD GPU, you should enable overdrive mode by using `hardware.amdgpu.overdrive.enable = true;` in your configuration.
Co-authored-by: PopeRigby <poperigby@mailbox.org>
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
Since DEs like KDE Plasma 6, GNOME and COSMIC are not designed to be X11-exclusive, putting them under `services.xserver` is misleading. In particular, GNOME defaults to Wayland these days and X11 support is going to be dropped in the near future.
Let’s follow Plasma and move GNOME NixOS options out of `xserver` attribute.
This patch does not include any changes to X11 support itself.
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
This contains breaking changes, see https://pocket-id.org/docs/setup/migrate-to-v1/.
The frontend now generates only static files and no longer includes a
binary for serving them. The backend has taken over the responsibility
of serving the static assets.
Co-authored-by: ymstnt <21342713+YMSTNT@users.noreply.github.com>
This keeps us in line with all previous releases. Users should be able
to still differentiate the NixOS and Nixpkgs release notes based on the
header of Nixpkgs' notes.
`gitlab` >= 18.0 requires at least `postgresql` >= 16. GitLab users
are advised to follow the mentioned steps in the manual to upgrade their
PostgreSQL installation.
I looked at the release notes and this was half of the 25.05 highlights
when it's mostly upgrade notes. I didn't really want mostly technical
details to be that prominent, even though it's a big update.
All the upgrade notes should be in Backward Incompatibilities, not the
highlights, so move things around.
Right now it wrongly seems as if you can set
`sshBackdoor.enable = true;` for each test and not only for debugging
purposes.
This is wrong however since you'd need to pass /dev/vhost-vsock into the
sandbox for this (which is also a prerequisite for #392117).
To make that clear, two things were changed:
* add a warning to the manual to communicate this.
* exit both interactive and non-interactive driver early if
/dev/vhost-vsock is missing and the ssh backdoor is enabled.
If that's the case, we pass a CLI flag to the driver already in the
interactive case. This change also sets the flag for the
non-interactive case.
That way we also get a better error if somebody tries to enable this
on a system that doesn't support that.
The manual says that you need at least 8 GB of disk to install in Virtualbox, but the installer returns an error and says that you need at least 10 GB.
I'm a little annoyed at myself that I only realized this _after_ #392030
got merged. But I realized that if something else is using AF_VSOCK or
you simply have another interactive test running (e.g. by another user
on a larger builder), starting up VMs in the driver fails with
qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=3: vhost-vsock: unable to set guest cid: Address already in use
Multi-user setups are broken anyways because you usually don't have
permissions to remove the VM state from another user and thus starting
the driver fails with
PermissionError: [Errno 13] Permission denied: PosixPath('/tmp/vm-state-machine')
but this is something you can work around at least.
I was considering generating random offsets, but that's not feasible
given we need to know the numbers at eval time to inject them into the
QEMU args. Also, while we could do this via the test-driver, we should
also probe if the vsock numbers are unused, making the code even more
complex for a use-case I consider rather uncommon.
Hence the solution is to do
sshBackdoor.vsockOffset = 23542;
when encountering conflicts.
GitLab 17.11 started using rails activeRecord encryption for some values.
Introduce new key files. This is breaking for unstable/25.05.
Also add a test to prevent this from happening unnoticed in the future.
For the future there should also be an option to set multiple activeRecord
keys for rotation.
This reverts commit 8a34d575f6.
PR #351093 removed the `programs.k3b` module due to some confusion about
its relevance. In order to write CDs, the security wrappers that allow
running cdrdao and cdrecord with elevated privileges are in fact
necessary.
According to the manpage the rsyncd.conf has a global section without a
module header. Settings for listening port or bind address must be put
there and will not work if defined in a global submodule (i.e. below a
"[global]" header).
This commit changes the ini format generator for the rsyncd service to
allow a global section in the config file without a submodule header.
Fixes #304293
Credits to @nydragon
* remove retrocompat, add incompat release notes
With this it's possible to trivially SSH into running machines from the
test-driver. This is especially useful when running VM tests
interactively on a remote system.
This is based on `systemd-ssh-proxy(1)`, so there's no need to configure
any additional networking on the host-side.
Suggested-by: Ryan Lahfa <masterancpp@gmail.com>
Roboto was already set as the font for the manuals,
but without a way to get it, so people who didn't
happen to have it installed saw their default font.
As the conduwuit project has been officially discontinued,
and the conduwuit NixOS module hasn't been around long enough
to appear in any stable NixOS release, we've removed it.
Initial implementation of the GoDNS service module. This module allows users to enable and configure the GoDNS service on their NixOS system. It includes options for specifying the GoDNS package and the path to the configuration file.
This equates to `-fno-strict-aliasing`.
This is not a particularly new flag and is supported by all our
gcc and clang versions.
Add to pkgsExtraHardening's defaultHardeningFlags.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
The initial change was already made ad hoc in 10a75ab, in response to the recently introduced enforced redirects mapping that is supposed to keep stable URLs.
Due to the redirect mechanism's current limitation to locations within
the same site (that is, either the Nixpkgs xor the NixOS manual), and
the observation that noteworthy Nixpkgs changes tend to be
self-contained, it seemed reasonable to introduce a separate release
notes document. It also has the advantage that users of only Nixpkgs
don't have to deal with release notes that are only relevant for NixOS.
The original change was already lossless for NixOS users, since the
Nixpkgs release notes are appended to the NixOS release notes.
This change moves the pre-existing Nixpkgs notes to the new dedicated page.
Co-authored-by: Gagarin Valentin Gagarin <valentin@gagarin.work>