the initial change was already made ad hoc in 10a75ab, in response to the recently introduced enforced redirects mapping that is supposed to keep stable URLs.
due to the redirect mechanism's current limitation to locations within
the same site (that is, either the Nixpkgs xor the NixOS manual), and
the observation that noteworthy Nixpkgs changes tend to be
self-contained, it seemed reasonable to introduce a seperate release
notes document. it also has the advantage that users of only Nixpkgs
don't have to deal with release notes that are only relevant for NixOS.
the original change was already lossless for NixOS users, since the
Nixpkgs release notes are appended to the NixOS release notes.
this change moves the pre-existing Nixpkgs notes to the new dedicated page.
Co-authored-by: Gagarin Valentin Gagarin <valentin@gagarin.work>
Previously, `http://` scheme was hard coded into the caddy config if
`webserver = "caddy"` was chosen. This is fine for local testing, but is
problematic if you want your nixos host to be public facing.
In the public facing case, you generally want to be using TLS. But since
the wordpress module generates the caddyfile rule, the user's nixos
config cannot easily change it to also allow https.
An alternative would be to reverse proxy an https rule to the generated
http rule, but that's somewhat questionable as there's not an internal
http endpoint to proxy to. It might be possible but I couldn't figure
it out.
So simplify by omitting the scheme. This causes caddy to use https by
default and 301 redirect any http requests to the https endpoint. Caddy
will just do the right thing if it's being hosted on a local/internal
hostname (self sign certificates).
This should be backwards compatible with previous default if users are
using reasonable browsers/tools.
Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
Includes patch suggested by @shuni64 which fixes half precision ABI
issues
Includes hipblaslt compression patch
Includes configurable hipblaslt support in rocblas
rocmPackages_6.hipblaslt: respect NIX_BUILD_CORES in tensilelite
rocmPackages_6.hipblas: propagate hipblas-common
rocmPackages_6.clr: avoid confusion with hipClangPath
Co-authored-by: Gavin Zhao <git@gzgz.dev>
Previously, this option was supposed to be a file of the form
`CLOUDFLARE_API_TOKEN=...`, which has a few problems:
- That's not an api token. It's an env file fit for passing to systemd's
`EnvironmentFile` option. The user could typo the variable name, or
intentionally/unintentionally include unrelated environment variables.
- It's not how secret files usually work in NixOS. Secret files are
usually just the secret, and don't leak details about how the secret
is passed to the service.
- This increases friction for people switching between cloudflare dyndns
services, such as `services.cloudflare-dyndns` and
`services.cfdyndns`, which both have a `apiToken` option, but (before
this change) with different semantics.
It's unusual to use the plugdev group in NixOS. So instead, give access
to users in the jlink group. It does not conflict with the uaccess tag,
which grants access to seat sessions.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
This reverts commit d64a233e4c.
A stdenv bug breaks emacs.pkgs.withPackages wrapper. A fix PR[1] will
take a few weeks to reach users because it has to go through a staging
cycle. Revert this for now to unbreak emacs.pkgs.withPackages
wrapper.
[1]: https://github.com/NixOS/nixpkgs/pull/388908
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
Make the cloudflared tunnel service use systemd credentials and dynamic
users, removing the services.cloudflared.user and .group option.
Also add an option to provide the cert.pem file, without which tunnels
defined declaratively would not work.
Additionally, add an assertion checking that the certificate file is
provided if there are declarative routes defined.
Closes#259770Closes#207050
The motivation for the former is to not execute the container as root,
so you don't have to `sudo -i` to perform podman management tasks.
The idea behind healthchecks is to be able to keep the unit in the
activating state until the container is healthy, only then then unit is
marked as active.
The following changes were necessary:
* Move the ctr-id into `/run/${containerName}` to make podman can
actually write to it since it's now in its RuntimeDirectory.
* Make `sdnotify` option configurable (`healthy` for healthchecks that
must pass, default remains `conmon`).
* Set Delegate=yes for `sdnotify=healthy` to make sure a rootless
container can actually talk to sd_notify[1].
* Add a warning that lingering must be enabled to have a `systemd --user`
instance running which is required for the cgroup support to work
properly.
* Added a testcase for rootless containers with both conmon and
healthchecks.
[1] https://github.com/containers/podman/discussions/20573#discussioncomment-7612481
