In https://github.com/NixOS/nixpkgs/pull/120622 cleanup options were
added, but `remove-all-inc-of-but-n-full` was misspelled and as such
was not functioning.
(cherry picked from commit 0a977cf125a86b5580de6e05bfeaa07aa54c4a78)
Since wlroots 0.14 setting WLR_RENDERER_ALLOW_SOFTWARE=1 to allow
software rendering is now enforced [0].
[0]: https://github.com/swaywm/wlroots/pull/2810
(cherry picked from commit 73d7f08b4d89b1af213db5db34e6f39518d88634)
systemd ships `units/serial-getty@.service.m4` with the `--keep-baud`
option.
We override that unit, and didn't add the `--keep-baud` option. (We have
it in our other getty options there).
Having `--keep-baud` in `serial-getty@` makes a lot of sense - the
console keeps working if it's initialized with a less standard baud
rate, such as the [Helios64](https://wiki.kobol.io/helios64/intro/).
(cherry picked from commit ba42d639f16dc774f4fa661243b640b034d7be0a)
Different boards using u-boot SPL require to write to different
locations. Sometimes, the 8MiB gap isn't sufficient - rk3399 boards
write to 0x16384 for example, which is at 8MiB, thus overriding the
fat32 partition with the SPL.
(cherry picked from commit 1db54a5522a2d523e406ce8713bfe88bb9e3f657)
nixos tests are blended with other system configurations, hence
their settings must be either enforced or defaulted.
This particular setting is set via lib.nixosSystem as
`system.nixos.revision = final.mkIf (self ? rev) self.rev;` which would
mean that without this change no flake generated nixos could be blended
with nixos testing.
This setting was made previously constant in
169c6b4b14 in order to avoid pointless
rebuilds of the testing VMs, but was set without enforcing it.
(cherry picked from commit 8bbdff45816c657f679cd77c0a0dbca534a85bf3)
Reading the release notes I got the impression that the latest (and
default) was GR3.8, but it is in fact 3.9. Make that more obvioius.
(cherry picked from commit c789c53ce55d26d4963b48cb109fd3f02838fa11)
This makes the service fail when upgrading the package, so let's
properly restart it instead.
(cherry picked from commit b4c069b1476a92a540e906ef95cd7fb380d29c63)
Commit 3a2e0c36e7 has removed
`--reuse-key` from default renew options, yet the tests still expected
keys not to change. This assertion is now removed, as they are supposed
to change on each renew/change.
(cherry picked from commit b00bcf21abc392ecb1d93bd49f7a5ffbc8524ecf)
Reload only works with a static configuration path as there is no way to
pass the dynamically generated config path to a running solanum
instance, therefore we symlink the configuration to
/etc/solanum/ircd.conf.
But that will prevent reloads of the ircd, because the systemd unit
wouldn't change when the configuration changes. That is why we add the
actual location of the config file to restartTriggers and enable
reloadIfChanged, so changes will not restart, but reload on changes.
(cherry picked from commit 60c62214f5a3c7db6aa30d8a8e02c863b6abcf0a)
Previously this defaulted to the default MOTD in the solanum source
tree, and I don't want my friends to laugh at me. Includes a patch to
the tests to ensure that the MOTD is actually set.
This replicates the fix done in #109705 (solanum is a fork of charybdis,
so they share fundamental logic for this).
Signed-off-by: Christine Dodrill <me@christine.website>
(cherry picked from commit b1fe9fab6fcfa4cdefe7370ba264b281e48de0f8)
Add support for folder jobs
(https://plugins.jenkins.io/cloudbees-folder/) by reworking the service
to support nested jobs.
This also fixes this deprecation warning (as a happy side effect):
WARNING:jenkins_jobs.cli.subcommand.test:(Deprecated) The default output behavior of `jenkins-jobs test` when given the --output flag will change in JJB 3.0. Instead of writing jobs to OUTPUT/jobname; they will be written to OUTPUT/jobname/config.xml. The new behavior can be enabled by the passing `--config-xml` parameter
(cherry picked from commit 4bcb22e17aa8677c6b3fc4625732d4da791a576f)
Firefox has been decoupled from the system certificate store since the
nss p11-kit integration in combination with our cacert package does not
expose CKA_NSS_MOZILLA_CA_POLICY, which among other things is required
for addon updates.
(cherry picked from commit 2d4ed9bae6f9c80d75cf5ef18ccdac85cf889ff3)
The test doesn't evaluate since #125469 because Linux 5.11 got removed
as it's EOL.
As this fixes the evaluation of the test and it only removes a
declaration that was apparently forgotten, I figured that a push to
unbreak the test is fine.
(cherry picked from commit 10eab5b6b3d1d38ffd3594fa6e4be13924dafd15)
A hard failure breaks the NixOS installer, which can't possibly
know the interface names in advance.
(cherry picked from commit be01320a6c39867eac0a20b4dfe04680d3b1ce26)
62733b37b4 broke evaluation in all
places `pkgs.mysql` was used. Fix this by changing all occurrences to
`pkgs.mariadb`.
(cherry picked from commit 59e0120aa5c1241d48048afa615e25c65d7e366d)
In 0.3.0 of the json-exporter[1] it was switched to a different jsonpath
library which made some changes - especially for spaces in keys -
necessary. Also I decided to remove the pretty-printed JSON as this
would interfere with the bash quoting too much. If one needs
pretty-printed output, they can still pipe the output to `jq`.
[1] https://github.com/prometheus-community/json_exporter/releases/tag/v0.3.0
(cherry picked from commit 976d668e5c5566c3e96b17d667830a0f3ed1bbb5)
This should help in rare hardware-specific situations where the root is
not automatically detected properly.
We search using a marker file. This should help some weird UEFI setups
where the root is set to `(hd0,msdos2)` by default.
Defaulting to `(hd0)` by looking for the ESP **will break themeing**. It
is unclear why, but files in `(hd0,msdos2)` are not all present as they
should be.
This also fixes an issue introduced with cb5c4fcd3c
where rEFInd stopped booting in many cases. This is because it ended up
using (hd0) rather than using the `search` which was happening
beforehand, which in turn uses (hd0,msdos2), which is the ESP.
Putting back the `search` here fixes that.
(cherry picked from commit 20b023b5ea63a6513a4dce7f162736a00bce5cc8)
This technically changes nothing. In practice `$root` is always the
"CWD", whether searched for automatically or not.
But this serves to announce we are relying on `$root`... I guess...
(cherry picked from commit c9bb054dd68964b0eb9a38c51bdf824bfb212fc7)
Adds includeStorePaths, allowing the omission of the store paths.
You generally want to leave it on, but tooling may disable this
to insert the store paths more efficiently via other means, such
as bind mounting the host store.
(cherry picked from commit 5259d66b7487b94233821e28aafb0683ae3f1df6)
The root filesystem resizing step, `resize2fs -M', does not provide any
control over the amount of slack left in the result. It can produce an
arbitrarily tight fit, depending on how well the payload aligns with
ext4 data structures.
This is problematic, as NixOS must create a few files and directories
during its first boot, before the root is enlarged to match the size of
the containing SD card.
An overly tight fit can cause failures in the first stage:
mkdir: can't create directory '/mnt-root/proc': No space left on device
or in the second stage:
install: cannot create directory '/var': No space left on device
A previous version of `make-ext4-fs' (before PR #79368) was explicitly
"reserving" 16 MiB of free space in the final filesystem. Manually
calculating the size of an ext4 filesystem is a perilous endeavor,
however, and the method it employed was apparently unreliable.
Reverting is consequently not a good option.
A solution would be to create some sort of "balloon" occupying inodes
and blocks in the image prior to invoking `resize2fs -M', and to remove
these temporary files/directories before the compression step.
This changeset takes the simpler approach of simply dropping the
resizing step.
Note that this does *not* result in a larger image in general, as the
current procedure does not truncate the `.img' file anyway. In fact, it
has been observed to yield *smaller* compressed images---probably
because of some "noise" left after resizing. E.g., before-vs-after:
-r--r--r-- 2 root root 607M 1. Jan 1970 nixos-sd-image-21.11pre-git-x86_64-linux.img.zst
-r--r--r-- 2 root root 606M 1. Jan 1970 nixos-sd-image-21.11pre-git-x86_64-linux.img.zst
(cherry picked from commit 7c2adb1d5c1f0b05dc030365f9a811a6431af0e1)
Reusing the same private/public key on renewal has two issues:
- some providers don't accept to sign the same public key
again (Buypass Go SSL)
- keeping the same private key forever partly defeats the purpose of
renewing the certificate often
Therefore, let's remove this option. People wanting to keep the same
key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the
previous behavior. Alternatively, we could put this as an option whose
default value is true.
(cherry picked from commit 632c8e1d54e299f656aa677f25552e1127f12849)
iptables is currently defined in `all-packages.nix` to be
iptables-compat. That package does however not contain `ethertypes`.
Only `iptables-nftables-compat` contains this file so the symlink
dangles.
(cherry picked from commit 2eeecef3fc70e35b2f4c6d8424e4c726c140e330)
A secret key generated by the nixos module was misspelled, which could
possibly impact the security of session cookies.
To recover from this situation we will wipe all security keys that were
previously generated by the NixOS module, when the misspelled one is
found. This will result in all session cookies being invalidated. This
is confirmed by the wordpress documentation:
> You can change these at any point in time to invalidate all existing
> cookies. This does mean that all users will have to login again.
https://wordpress.org/support/article/editing-wp-config-php/#security-keys
Meanwhile this issue shouldn't be too grave, since the salting function
of wordpress will rely on the concatenation of both the user-provided
and automatically generated values, that are stored in the database.
> Secret keys are located in two places: in the database and in the
> wp-config.php file. The secret key in the database is randomly
> generated and will be appended to the secret keys in wp-config.php.
https://developer.wordpress.org/reference/functions/wp_salt/
Fixes: 2adb03fdae ("nixos/wordpress:
generate secrets locally")
Reported-by: Moritz Hedtke <Moritz.Hedtke@t-online.de>
(cherry picked from commit 724ed08df02546fea2ab38613d615dd47461528c)
Assert that the PostgreSQL version being deployed is the one used
upstream. Allow the user to override this assertion, since it's not
always possible or preferable to use the recommended one.
(cherry picked from commit 544adbfcab2e92c2fe5774cae67f2edf165eb97e)
As per `man systemd.path`:
> When a service unit triggered by a path unit terminates
> (regardless whether it exited successfully or failed),
> monitored paths are checked immediately again,
> **and the service accordingly restarted instantly**.
Thus the existence of the path unit made it impossible to stop the
wireguard service using e.g.
systemctl stop wireguard-wg0.service
Systemd path units are not intended for program inputs such
as private key files.
This commit simply removes this usage; the private key is still
generated by the `generateKeyServiceUnit`.
(cherry picked from commit d344dccf3dc592242f11ef993acb9ecee8d84796)
Note that it made into 2 entries, one about new options in the first section.
Another in the breaking compatibility section due to the openFirewall option
which changes the behavior.
Co-authored-by: schmittlauch <t.schmittlauch+nixos@orlives.de>
(cherry picked from commit 93a80a4390499b4204cf6836bcc6cab5debecccb)
The tests timeout on AArch64 (e.g. [0] and [1]), likely because the QEMU
option "-vga virtio" isn't supported there (unfortunately I currently
lack access to an AArch64 system with NixOS to investigate).
This also affects the test for Cage but that one is already limited to
x86_64-linux.
[0]: https://hydra.nixos.org/build/144148809
[1]: https://hydra.nixos.org/build/144103034
(cherry picked from commit abb9ea73f7b2bd8d0862be47a0a1010d7644136b)
* The options tlsKey and tlsCert require being accessible by DynamicUser at runtime, which currently requires copying the files into the matrix service state directory. Fixing this might require breaking changes. Thus the module should not be included in a stable release.
nixos/filesystems: condition mount-pstore.service on unmounted /sys/fs/pstore
(cherry picked from commit d7555732bc8bb8a2acb50fd4ecba96c825b4f21e)
Reason: activation throws an error from failing to start the unit
Enforce UMask on the systemd unit to restrict the permissions of files
created. Especially the homeserver signing key should not be world
readable, and media is served through synapse itself, so no other user
needs access to these files.
Use a prestart chmod to fixup the permissions on the signing key.
In newer versions of Nix (at least on 2.4pre20201102_550e11f) the
`extra-` prefix for config options received a special meaning and the
option `extra-sandbox-paths` isn't recognized anymore. This commit fixes
it.
It doesn't cause a behavior change when using older versions of Nix but
does cause an extra newline to appear in the config, thus changing the
hash.
Instead of requiring the user to bundle the certificate and private
key into a single file, provide separate options for them. This is
more in line with most other modules.
`install` copies the files before setting their mode, so there could
be a breif window where the secrets are readable by other users
without a strict umask.
Feeding `psql` the password on the command line leaks it through the
`psql` process' `/proc/<pid>/cmdline` file. Using `echo` to put the
command in a file and then feeding `psql` the file should work around
this, since `echo` is a bash builtin and thus shouldn't spawn a new
process.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
The PAM config deployed would not check anything meaningful. Remove it
and rely on the defaults in the security.pam module to fix login with
arbitrary credentials.
Resolves: #123435
It was basically just a `environment.systemPackages` synonym,
only GNOME used it, and it was stretching the responsibilities
of the flatpak module too far.
It also makes it cleaner to avoid installing the program
using GNOME module’s `excludePackages` option.
Partially reverts: https://github.com/NixOS/nixpkgs/pull/101516
Fixes: https://github.com/NixOS/nixpkgs/issues/110310
Alexandru Scvortov
Dima
Niklas Hambüchen
Michael Weiss
Florian Klink
David Arnold
Bjørn Forsman
talyz
Mewp
Martin Weinelt
lassulus
Christine Dodrill
Robert Hensing
Domen Kožar
Vladimír Čunát
Jan Solanti
Maximilian Bosch
Natan Lao
Jonathan Ringer
rnhmjoj
Jan Tojnar
AmineChikhaoui
Anders Kaseorg
Samuel Dionne-Riel
Patrick Hilhorst
Robert Hensing
Thomas Depierre
zowoq
Sandro
Julien Moutinho
Daniel Nagy
Damien Diederen
oxalica
Vincent Bernat
Janne Heß
Dominik Xaver Hörl
Ivan Kozik
Antoine R. Dumont (@ardumont)
Michael Lingelbach
Tom Fitzhenry
regnat
Guillaume Girol
Ryan Mulligan
Martin Weinelt
Maciej Krüger
Kira Bruneau
github-actions[bot]
sohalt
Vika
Jacek Galowicz
eyJhb
Elis Hirwing
Kerstin Humm
ajs124
Thiago Kenji Okada
misuzu
legendofmiracles
Jonas Chevalier
Emery Hemingway
Christoph Hrdinka
Gabriel Gonzalez
Sebastian Neubauer
Tim Van Baak
Paul Schyska
Guillaume Girol
Michele Guerini Rocco
Jörg Thalheim
Aaron Andersen
Nicolas Berbiche
Georg Haas
Pamplemousse
Robert Schütz
Ashlynn Anderson
Michael Raskin