- Removal of top-level `with lib`
- Allow usage of module without setting `platformTheme`, so we can set
the QT_PLUGIN_PATH/QML2_IMPORT_PATH paths without theming
- Add support for kvantum and some other styles
- Add myself as maintainer
Yama is a LSM which restricts debugging. This prevents processes from
snooping on another. It can be easily disabled with sysctl.
This was initially included in #14392 and disabled by default by
86721a5f78.
This has been part of the hardened configuration, but many other distros
ship this for quite some time (Ubuntu for about ten years), so I'd say
it might make sense to enable this per default.
[Motivation](https://github.com/NixOS/nixpkgs/issues/257817#issuecomment-1741705042):
- Having all the XKB options in the same attribute set clarifies their
relation better than using a common option name prefix ("xkb").
- `services.xserver.layout` is an XKB option, but this is not obvious
from its name. Putting it with the other XKB options clarifies this.
Co-authored-by: Michele Guerini Rocco <rnhmjoj@users.noreply.github.com>
Before: `users.users.user1.group = "group-not-defined-anywhere-else"`
would result in user1 having the primary group `nogroup`, assigned at
activation time and only with a (easy to miss) warning from the
activation script. This behaviour is a security issue becase no files
should be owned by `nogroup` and it allows for unrelated users (and
services) to accidentally have access to files they shouldn't have.
After: The configuration above results in this eval error:
- The following users have a primary group that is undefined: user1
Hint: Add this to your NixOS config:
users.groups.group-not-defined-anywhere-else = {};
and remove nano from environment.defaultPackages. In addition also cleanup the file in general.
This is a follow up to #220481
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
The text was originally added [0] following an apparently incomplete
research on how everything plays together. In fact, Nix propagates
`outputs` to the corresponding nested derivations, and there is some
messy behavior in Nixpkgs that only seems to propagate
`meta.outputsToInstall` in `buildEnv`[1].
This change moves the hints on how to use NixOS specifics to NixOS
module documentation (which is hopefully easier to find through
search.nixos.org), describes the default behavior in Nixpkgs (updating
a the link to the source), and removes the confusing mention of
`nix-env`.
the last of them should not be there to begin with. we don't want
beginners to use `nix-env`, as this is known to run them into trouble
eventually.
[0]: https://github.com/NixOS/nixpkgs/pull/76794
[1]: 1774d07242/pkgs/build-support/buildenv/default.nix (L66)
This fixes a bug where the vconsole was not working as intended in systemd stage 1 with systemd v254.
udev rules are now starting with this service instead of whatever happened before.
Clarify that the monochrome font is not included, per #221181.
The new name is also coherent with the name of the font,
according to `fontconfig`: Noto Color Emoji.
- Avoid false-positives on package sets that contain a `terminfo` derivation,
like `haskellPackages` and `sbclPackages`.
- Directly provide a list of names that can be used to update the NixOS module,
rather than a list of derivations which is hard to read in the REPL.
This avoids the possible confusion with `passwordFile` being the file
version of `password`, while it should contain the password hash.
Fixes issue #165858.
Since #246772, cross compiled NixOS is broken because the DateTime perl
package that was used in the update-users-groups.pl script depends on
Testutf8 which does not cross compile (see #198548).
This PR drops the DateTime dependency in favour of TimePiece, which has
less dependencies and whose closure does cross compile.
I initially thought it was related to /var/lib/nixos/{gid-map,uid-map},
but it seems that to migrate GID/UID you have to edit
/etc/{group,passwd} (and update GID/UID in all files). So mention those
files in the warning messages.
We do not really declare module dependencies anywhere else and it would
a nousance to move any file if many other referenced it without being
necessary. Also most higher level modules depend on most of the lower
level ones.
So removing this because it can only potentially cause weird issues.
GL was already participially disabled because X11 is disabled and lead to
the following error when building gst-plguins-good:
```
Did not find CMake 'cmake'
Found CMake: NO
Run-time dependency gstreamer-gl-prototypes-1.0 found: NO (tried pkgconfig and cmake)
Looking for a fallback subproject for the dependency gstreamer-gl-prototypes-1.0
meson.build:328:2: ERROR: Neither a subproject directory nor a gst-plugins-base.wrap file was found.
```
Without the change non-default configs like:
fonts.fontconfig.subpixel.rgba = "rgb"
fail to build the system as:
fontconfig-conf> ln: failed to create symbolic link 'dst/': No such file or directory
fontconfig before version 2.13.1 was apparently implicitly not using
subpixel antialiasing. The fontconfig NixOS module deviated from this,
using subpixel antialiasing with `rgb` layout by default. In fontconfig
2.14.1, subpixel antialiasing was inadvertently enabled as the default:
2b6afa02ab
According to https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/337,
that deviates from GNOME/GTK’s defaults, which resulted in apps taking the
settings directly from fontconfig (e.g. Firefox) from diverging from GNOME
programs.
The change was subsequently reverted in 2.14.2, choosing the greyscale
antialiasing explicitly: 030759b74f
Let’s reflect this default setting in the NixOS module.
Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
`sub-pixel` has been enabled by default since 2.14.1: 2b6afa02ab
`antialias` since 2.14.1: 0825a178e8
`lcdfilter` since 2.13.95: e1c7c6d744
`hintstyle` since 2.12.1: 98434b3392
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
If QT_QPA_PLATFORMTHEME is set to qt5ct, Qt 6 apps can utilize qt6ct, to
achieve consistent theming across the two major versions.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
Because llvmPackages_latest is used in Nixpkgs, by quite a few
packages, it's difficult to keep it up to date, because updating it
requires some level of confidence that every package that uses it is
going to keep working after the update. The result of this is that
llvmPackages_latest is not updated, and so we end up in the situation
that "latest" is two versions older than the latest version we
actually provide. This is confusing and unexpected.
"But won't this end up fragmenting our LLVM versions, if every package
previously using _latest is separately pinned to LLVM 14?", I hear you
ask. No. That fragmentation is already happening, even with an
llvmPackages_latest, because packages that actually require the
_latest_ version of LLVM (15/16), have already been decoupled from
llvmPackages_latest since it hasn't been upgraded. So like it or not,
we can't escape packages depending on specific recent LLVMs. The only
real fix is to get better at keeping the default LLVM up to
date (which I'm reasonably confident we're getting into a better
position to be feasibly better able to do).
So, unless we want to double down on providing a confusingly named
"llvmPackages_latest" attribute that refers to some arbitrary LLVM
version that's probably not the latest one (or even the latest one
available in Nixpkgs), we only have two options here: either we don't
provide such an attribute at all, or we don't use it in Nixpkgs so we
don't become scared to bump it as soon as we have a new LLVM available.
* add sector size parameter to swap randomEncryption
* add key size parameter to swap randomEncryption
* allow deviceName to be overridden for encrypted swap
* create test for swap random encryption
* update release notes
0d7cd66652 broke validation for hashes with options
such as those generated with `mkpasswd --method=sha-512 --rounds=1000000`:
$6$rounds=1000000$xpzZ6Rfg873gZnDY$RxS7lpVnohfDrrKG3lt9UFHED1KoiPGzH7zQv/HzwalZepo/IfFtxw05ap25duEJSKYhC14.Fn9eXszEpWVtF.
This fixes it.
A change made in #166308 added `networking.resolvconf.package` to the
`environment.systemPackages` list, so it is installed as part of the
system image. However it does so unconditionally, meaning that even if
the `config.networking.resolvconf.enable` is set to false the package
listed in the `networking.resolvconf.package` would still be intalled.
This change makes it so the package installation will depend on the
status of the `config.networking.resolvconf.enable` option instead.
The single option tries to do too much work, which just ends up confusing people.
So:
- don't force the console font, the kernel can figure this out as of #210205
- don't force the systemd-boot mode, it's an awkward mode that's not supported
on most things and will break flicker-free boot
- add a separate option for the xorg cursor scaling trick and move it under the xorg namespace
- add a general `fonts.optimizeForVeryHighDPI` option that explicitly says what it does
- alias the old option to that
- don't set any of those automatically in nixos-generate-config
Updates the warnings message for statefully set up passwords, now that
weak algorithms have been removed from our libxcrypt package.
Additionall we now add proper validation for hashing schemes used in
`hashedPassword`.
Neither will prevent a rebuiild, but instead issue a warning, that this
requires immediate remediation, or else users will be unable to login.
Reuses the crypt scheme ids as provided by the libxcrypt package.
Without this change, users that have both `initialHashedPassword` and
`hashedPassword` set will have `initialHashedPassword` take precedence,
but only for the first time `/etc/passwd` is generated. After that,
`hashedPassword` takes precedence. This is surprising behavior as it
would generally be expected for `hashedPassword` to win if both are set.
This wouldn't be a noticeable problem (and an assert could just be made
instead) if the users-groups module did not default the
`root.intialHashedPassword` value to `!`, to prevent login by default.
That means that users who set `root.hashedPassword` and use an ephemeral
rootfs (i.e. `/etc/passwd` is created every boot) are not able to log in
to the root account by default, unless they switch to a new generation
during the same boot (i.e. `/etc/passwd` already exists and
`hashedPassword` is used instead of `initialHashedPassword`) or they set
`root.initialHashedPassword = null` (which is unintuitive and seems
redundant).
From SuperSandro2000's post-merge review of the PR adding this,
nixos/no-x-libs: add qtbase. Sandro added a comment about this after I had
already merged it; self'/super' previously masked the top level self/super.
mkAliasOptionModule should not default to mdDoc descriptions because
that can break out-of-tree users of documentation infrastructure. add an
explicitly-MD variant for now, to be removed some time after the MD
transition is complete.
Introduce a `users.users.<name>.expires` option to allows setting an
expiry date to user accounts.
This is useful when members should gain temporary access and you don't
want to have to roll out another system update to disable them.
To allow for a reasonably fast deprecation of weak password hashing
schemes we provide an activation script that checks existing hashes in
/etc/shadow and issues a warning for user accounts that still rely on
deprecated hashes.
Co-Authored-By: oxalica <oxalicc@pm.me>
Icon caches should be generated for directories under $out/share/icons, as the comments mention, but it is done for files as well which does not make the build fail but results in files under $out/share/icons being turned into empty directories, see /run/current-system/sw/share/icons/gnome-logo-text.svg as an example.
Fixes a deadlock where post-resume.target has After=post-resume.service
and post-resume.service runs systemctl try-restart post-resume.target
the systemctl call cannot complete if post-resume.target was already
queued at that time.
This reverts commit 05958b228b.
Issue https://github.com/NixOS/nixpkgs/issues/188998 is concerns quite a
few NixOS users with full disk encryption and custom keymap.
Since there hasn't been a proper fix agreed upon and merged, I am
reverting this.
The changes can be applied again, when it is ensured that they do not
break custom keymaps in initrd.
Prior to this change, ffmpeg couldn't be built for an
environment.noXlibs system, because it would fail in:
ffmpeg → SDL2 → libdecor
ffmpeg certainly does not need support for SDL2 windowing on a noXlibs
system.
This fix is important because the minidlna NixOS test, which uses the
minimal profile (and therefore environment.noXlibs) and ffmpeg, can't
currently build.
The primary difference between the standard and minimal variants of
this package is that all the X libraries are removed from the minimal
variant.
I had to switch the order of the definitions in all-packages.nix to
avoid an infinite recursion after the overlay was applied.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
mostly no rendering changes. some lists (like simplelist) don't have an
exact translation to markdown, so we use a comma-separated list of
literals instead.
