We separate the different steps (injecting the toplevel and injecting
the specialisations) so that it's easy to document what each snippet is
actually doing.
Render un`_type`d defaults and examples as `literalExpression`s using
`lib.generators.toPretty` so that consumers don't have to reinvent Nix
pretty-printing. `renderOptionValue` is kept internal for now intentionally.
Make `toPretty` print floats as valid Nix values (without a tilde).
Get rid of the now-obsolete `substSpecial` function.
Move towards disallowing evaluation of packages in the manual by
raising a warning on `pkgs.foo.{outPath,drvPath}`; later, this should
throw an error. Instead, module authors should use `literalExpression`
and `mkPackageOption`.
Silence the systemd warning
ListenStream= references a path below legacy directory /var/run/, updating /var/run/cups/cups.sock → /run/cups/cups.sock; please update the unit file accordingly
by resetting the value coming from the upstream unit.
The directory is already set up by cups.socket: managing it with
RuntimeDirectory in cups.service is unnecesary and has the unwanted
effect that upon stopping cupsd systemd will remove it. This includes
the /run/cups/cups.sock socket, so it breaks socket activation.
If socket activation is enable (the default) and printers are configured
declaratively, the ensure-printers service will always start cupsd and
leave it running, thus defeating the point of socket activation.
With this change ensure-printers continues to start the cups.service at
boot, but automatically stops it afterwards if socket activation is
enabled.
Note: Later restarts of ensure-printers will also restart cupsd, but
it's not an issue since it will be reactivate, if necessary.
Yes I know it's dirty to link the rendered HTML, but linking
`#sec-kernel-config` breaks the manual build for me with the following
error:
element link: validity error : IDREF attribute linkend references an unknown ID "sec-kernel-config"
This is something that should probably be fixed, but for the current
change I'd argue that this is good enough (in fact even the
`nix.settings`-option uses that hack).
Its scripts disagree a bit with our flexible
logging approach and our default logging config.
Might want to revisit this at some point.
The `mkdir` failures in the log are harmless.
Adds a new option for backup jobs `inhibitsSleep` which prevents
the system from going to sleep while a backup is in progress.
Uses `systemd-inhibit`, which holds a "lock" that prevents the
system from sleeping while the process it invokes is running.
This did require wrapping the existing backup script using
`writeShellScript` so that it could be run by `systemd-inhibit`.
Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`:
- Append instead of prepend to allow for overriding in service config
- As we already add a wrapper to add `aesm` to `LD_LIBRARY_PATH` it is
not necessary to also set in `LD_LIBRARY_PATH` of the systemd service.
Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
Pin the `nixpkgs` registry entry to the *filtered* nixpkgs source to
avoid copying the entire `.git` directory to the ISO when building
from a local checkout.
Also set `to` directly instead of the `flake.outPath` hack.
The tests would fail after migrating to `buildNpmPackage`, likely
because we are now using nodejs 18.
> audit: type=1326 audit(1670092271.655:102): auid=4294967295 uid=317 gid=317 ses=4294967295 subj=kernel pid=995 comm="node" exe="/nix/store/dj805sw07vvpbxx39c8g67x8qddg0ikw-nodejs-18.12.1/bin/node" sig=31 arch=c000003e syscall=330 compat=0 ip=0x7ff8b655f37b code=0x8000000
Considering that you most likely edit Nix code in the installer, that
seems like a useful thing.
The size of the ISO I got from
nix-build nixos/release.nix -A iso_minimal.x86_64-linux
is still at 877M.
This fixes `lxd init`, which previously failed like this:
$ yes "" | lxd init
[...]
Error: Failed to create storage pool "default": Failed to run: losetup --find --nooverlap --direct-io=on --show /var/lib/lxd/disks/default.img: exec: "losetup": executable file not found in $PATH
- The default cipher is BF-CBC, which openvpn refuses to use by default.
Switched to AES-256-CBC.
- openvpn does not require an external "ip" executable anymore, and does
not support the "ipconfig" option by default, so remove that option.
When no interfaces are managed by systemd-networkd, it will
unconditionally fail. This option allows it to be disabled in those
situations where it prevents system switches from succeeding.
When using the declarative shared folder configuration for resilio sync
it is now possible to pass a path from which to read the secret should
be read at runtime. The path will not be added to the nix store.
The 'secret' parameter to specify the secret directly is still
supported. This option will still store the secret in the nix store.
This commit follows the pattern described in this issue, for upstream
programs that do not provide support for setting a password using a
file: https://github.com/NixOS/nixpkgs/issues/24288
Add a section on ordering option definitions.
Also mention `mkDefault` in the section on `mkOverride`.
Clarify the code a bit by renaming `defaultPriority` to
`defaultOverridePriority` and introducing `defaultOrderPriority`.
Set environment variable ROON_ID_DIR to the same value as ROON_DATA_DIR
so that it knows it's the same installation after a restart.
Otherwise, each time the server process restarts, the user will need
to log in, and configure any server-local audio devices, again.
This environment variable was found in Roon's "easy installer" script:
https://help.roonlabs.com/portal/en/kb/articles/linux-install#The_Easy_Installer_Recommended
The placement of this option under `nix` was misleading, as it is not
configuration of the Nix daemon, but rather configuration of the NixOS
boot process and how it mounts the Nix store. As such, make it an option
of `boot` to clarify what it actually affects, and imply that it will
only take effect on a reboot.
Since it no longer has the context of nix, adjust the name to include
it.
Or else systemd-oomd gets marked as failed due to
"Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)."
and cause the system to enter degraded state.
Ref https://github.com/NixOS/nixpkgs/issues/195085
Currently paths are handled by `types.package`, whose semantics are a
bit of a mess. In particular, it converts path values to derivations
using `toDerivation`, which will lead to problems when flake `outPath`s
become paths in https://github.com/NixOS/nix/pull/6530.
This change makes the "incompatible changes" section in the above PR
obsolete: `nix.registry.nixpkgs.flake = nixpkgs;` works as expected (the
flake is copied to the store).
Hided home/trash/network desktop icons by default.
Also changed their default logo settings (cs_info and menu), so what we
should modify to cinnamon-symbolic is now linuxmint-logo-ring-symbolic.
We are lucky, linuxmint-logo-ring-symbolic only appears in a few other
places and non of them are useful, menu@cinnamon.org/settings-override.json
simply won't work because cinnamon-common doesn't know that file.
Also set default cursor theme, this package now directly provides those
cursor themes. And, we now default to the Mint-Y-Aqua theme.
remove trailing whitespace
switch docs to markdown
use mdDoc
remove trailing whitespace
get rid of double space
add tests and update options to use submodule
remove whitespace
remove whitespace
use mdDoc
remove whitespace
make default a no-op
make ALTER ROLE a single sql statement
document null case
We don't need both wget and curl, so let's use only curl (which is
part of a minimal NixOS closure, unlike wget).
Logging to the console is helpful for debugging.
Instances without SSH keys configured will receive a 404 from the
metadata server when attempting to fetch an SSH key. This is not an
actual problem though, and shouldn't result in the service failing.
If the metadata server cannot be reached, the script will fail at an
earlier stage when attempting to get authentication data.
This also removes automatic enablement/mounting of instance store swap
devices and ext3 filesystems. This behaviour is strongly opinionated
and shouldn't be enabled by default.
The unionfs behaviour never took effect anyway, because the AMI
manifest path only exists for instance store-backed AMIs, which have
not been supported by nixpkgs since
84742e2293 (2019).
The inline comments explain the reasoning behind this change. This
work was initiated due to failing tests explicitly for glusterfs, but
my hunch is that any nixosTest adjacent to rpcbind will start working
again.
Ref: https://github.com/NixOS/nixpkgs/issues/175339
The change that allows setting the secrets by an environment file had
the undocumented side effect of allowing to set any key by the environment
file (Related PR: https://github.com/tulir/mautrix-telegram/pull/332).
This is required to e.g. set `bridge.login_shared_secret`, which was not
documented before.
GitHub: closes#103347
Closes#198646
* The options `password`/`basicAuthPassword` were removed for
datasources in Grafana 9. The only option to declare them now is to use
`secureJsonData`.
* Fix description for contactPoints provisioning: when using file/env
providers, nothing will be leaked into the store.
* Fix regex in file-provider usage check: it's also possible to either
use `$__env{FOO}` or `$FOO` to fetch secrets from the environment.
* Fix warning for datasources: `password`/`basicAuthPassword` was
removed, also check for each setting in `secureJsonData` if
env/file-provider was used (then no warning is needed!).
The hack with `either` had the side-effect that the sub-options of the
submodule didn't appear in the manual. I decided to remove this because
the "migration" isn't that hard, you just need to fix some module
declarations.
However, `mkRenamedOptionModule` wouldn't work here because it'd create
a "virtual" option for the deprecated path (i.e.
`services.grafana.provision.{datasources,dashboards}`), but that's the
already a new option, i.e. the submodule for the new stuff.
To make sure that you still get errors, I implemented a small hack using
`coercedTo` which throws an error if a list is specified (as it would be
done on 22.05) which explains what to do instead to make the migration
easier.
Also, I linkified the options in the manual now to make it easier to
navigate between those.
GTK 4 applications use accessibility bus directly
and will try to connect to it every time a widget is created:
https://gitlab.gnome.org/GNOME/gtk/-/issues/4831
This will make GTK 4 apps (e.g. newly ported Nautilus) grind
to a halt on systems that do not have AT-SPI service installed.
Let’s explicitly disable accessibility support with an environment
variable when the AT-SPI service is not enabled to avoid that.
Just like we do for ATK-based applications with `NO_AT_BRIDGE`.
Fixes: https://github.com/NixOS/nixpkgs/issues/197188
To allow for a reasonably fast deprecation of weak password hashing
schemes we provide an activation script that checks existing hashes in
/etc/shadow and issues a warning for user accounts that still rely on
deprecated hashes.
Co-Authored-By: oxalica <oxalicc@pm.me>
- Do not use `daemon`, it has been synonymous to `out` since 783c40eb68
- Do not use explicit `out` output, it has been default since a17216af4c (originally introduced in 2132c86c45)
This commit fixes broken non-declarative configs by
making the assertions more relaxed.
It also allows to remove the forced configuration merge by making
`settings` `null`able (now the default).
Both cases (trivial non-declarative config and `null`able config) are
verified with additional tests.
Fixes#198665
Version 251.6 of systemd introduced a small change[1] that now checks
whether the fsck command is available in *addition* to the filesystem
specific fsck.$fsname executable.
When bumping systemd to version 251.7 on our side[2], we introduced that
change. This subsequently caused our "fsck" test to fail and it looks
like this was an oversight during the pull request[3] introducing the
bump.
Since the fsck wrapper binary is in util-linux, I decided to address
this by adding util-linux to fsPackages because util-linux is already
part of the closure of any NixOS system so the impact should be pretty
low.
[1]: 73db7d9932
[2]: 844a08cc06
[3]: https://github.com/NixOS/nixpkgs/pull/199618
Signed-off-by: aszlig <aszlig@nix.build>
Relative paths are interpreted relative to the working directory, which
is currently unset and thus defaults to `/`. However we want to change
the working directory in a future release such that relative paths are
interpreted relative to `/var/lib/syncthing`.
Currently, we build `man-cache` with `runCommandLocal`, which causes it
to get re-built locally instead of fetched from cache. While the
resulting derivation might be small, it does take a fair bit of time to
build for all my systems, and would be _far_ quicker to fetch.
With this change, we use `runCommand` instead of `runCommandLocal`,
allowing it to get fetched from cache instead of rebuilt for all hosts.
fscrypt can automatically unlock directories with the user's login
password. To do this it ships a PAM module which reads the user's
password and loads the respective keys into the user's kernel keyring.
Significant inspiration was taken from the ecryptfs implementation.
Upon testing the change itself I realized that it doesn't build properly
because
* the `pname` of a php extension is `php-<name>`, not `<name>`.
* calling the extension `openssl-legacy` resulted in PHP trying to compile
`ext/openssl-legacy` which broke since it doesn't exist:
source root is php-8.1.12
setting SOURCE_DATE_EPOCH to timestamp 1666719000 of file php-8.1.12/win32/wsyslog.c
patching sources
cdToExtensionRootPhase
/nix/store/48mnkga4kh84xyiqwzx8v7iv090i7z66-stdenv-linux/setup: line 1399: cd: ext/openssl-legacy: No such file or directory
I didn't encounter that one before because I was mostly interested in
having a sane behavior for everyone not using this "feature" and the
documentation around this. My findings about the behavior with turning
openssl1.1 on/off are still valid because I tested this on `master` with
manually replacing `openssl` by `openssl_1_1` in `php-packages.nix`.
To work around the issue I had to slightly modify the extension
build-system for PHP:
* The attribute `extensionName` is now relevant to determine the output
paths (e.g. `lib/openssl.so`). This is not a behavioral change for
existing extensions because then `extensionName==name`.
However when specifying `extName` in `php-packages.nix` this value is
overridden and it is made sure that the extension called `extName` NOT
`name` (i.e. `openssl` vs `openssl-legacy`) is built and installed.
The `name` still has to be kept to keep the legacy openssl available
as `php.extensions.openssl-legacy`.
Additionally I implemented a small VM test to check the behavior with
server-side encryption:
* For `stateVersion` below 22.11, OpenSSL 1.1 is used (in `basic.nix`
it's checked that OpenSSL 3 is used). With that the "default"
behavior of the module is checked.
* It is ensured that the PHP interpreter for Nextcloud's php-fpm
actually loads the correct openssl extension.
* It is tested that (encrypted) files remain usable when (temporarily)
installing OpenSSL3 (of course then they're not decryptable, but on a
rollback that should still be possible).
Finally, a few more documentation changes:
* I also mentioned the issue in `nextcloud.xml` to make sure the issue
is at least mentioned in the manual section about Nextcloud. Not too
much detail here, but the relevant option `enableBrokenCiphersForSSE`
is referenced.
* I fixed a few minor wording issues to also give the full context
(we're talking about Nextcloud; we're talking about the PHP extension
**only**; please check if you really need this even though it's
enabled by default).
This is because I felt that sometimes it might be hard to understand
what's going on when e.g. an eval-warning appears without telling where
exactly it comes from.
Previously we did socket-activation but this breaks the autostart
feature since upstream expects libvirtd to be started unconditionally on
boot.
Fixes#171623.
Previously, the NixOS test often failed as the copied config file is not
overwriteable. In actual setups, the restart interval is much bigger, such that
systemd-tmpfiles will correct the permissions inbetween.
On some occasions, the GitHub runner service encounters errors which are
deemed retryable but result in the runner's termination. To signal a
retryable error, the runner exits with status code 2:
https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
To account for that behavior, this commit sets
`RestartForceExitStatus=2` which results in a service restart regardless
of using an ephemeral runner or not.
* s/NextCloud/Nextcloud/g
* `enableBrokenCiphersForSSE` should be enabled by default for any NixOS
installation from before 22.11 to make sure existing installations
don't run into the issue. Not the other way round.
* Update release notes to reflect on that.
* Improve wording of the warning a bit: explain which option to change
to get rid of it.
* Ensure that basic tests w/o `enableBrokenCiphersForSSE` run with
OpenSSL 3.
This makes it possible to remove mint themes in an easy way, in this
case we will just use the default from slick-greeter module, i.e. the
Adwaita theme.
in some circumstances, the setup service would fail with:
ERROR 1062 (23000) at line 5: Duplicate entry '1' for key 'PRIMARY'
so let's use an upsert instead of insert. This also simplifies the
script.
Besides, also fix that when the setup script changes, the corresponding
script is not restarted as it is usually not active, so we trigger a
restart of the main systemd service.
Without this, you get the following error message in the logs:
udisksd[4082]: Failed to load config files: Failed to get contents of the config dir (/etc/libblockdev/conf.d/)Error opening directory “/etc/libblockdev/conf.d/”: No such file or directory. Using the built-in config
In ee0b8a7eaa we made the user service wait on network-online, but
forgot about the system service. We need them _both_ to wait when the
wifi source is enabled.
Allow building other than Legacy-BIOS-only Proxmox images.
Default is unchanged.
To build UEFI proxmox image use:
proxmox.qemuConf.bios = "ovmf";
(default is "seabios")
To build image bootable using both "seabios" and "ovmf" use:
partitionTableType = "hybrid";
BIOS can be switched in Proxmox between "seabios" and "ovmf" and VM still boots.
(GRUB2-only, systemd-boot does not boot under "seabios")
To build systemd-boot UEFI image:
proxmox.qemuConf.bios = "ovmf";
boot.loader.systemd-boot.enable = true;
See the discussion below the original PR[1] and #197443 for more
context.
I guess I missed that upon review because the branch was too old and I
cherry-picked the commit onto my deployment branch which is based on
22.05. Sorry for that!
[1] https://github.com/NixOS/nixpkgs/pull/162784#issuecomment-1306848036
i based this on the neighboring lightdm-greeters/mini.nix module.
lightdm-mobile-greeter doesn't have a lot of configuration options.
it grabs the default user to login as from lightdm, along with which DE
it should launch. so no further configuration should be needed aside
from enabling `services.xserver.displayManager.lightdm.enable` and
either setting `services.xserver.displayManager.defaultSession` to the
appropriate session or explicitly defining a seat like:
```nix
services.xserver.displayManager.lightdm.extraSeatDefaults = ''
user-session = phosh
'';
```
Not a big deal in most of the cases because wordpress ensures that this
directory exists on its own, but with our twentig customizations that's
actually causing issues.
(cherry picked from commit 3285342bfe5f401dda84c13c834e73154928a61c)
mountFS adds these strings to fstab and then relies on `mount` parsing fstab. If
they have spaces or tabs in them, that would break fstab and therefore not mount
with the unhelpful error: No such file or directory.
Co-authored-by: Lily Foster <lily@lily.flowers>
Co-authored-by: Luflosi <Luflosi@users.noreply.github.com>
It's a very useful backend (that probably should be enabled by default,
like on Ubuntu), let's start by making it easier to discover.
Ref https://github.com/NixOS/nixpkgs/issues/28406.
