By using types.lines for 'config', we can specify monit configurations
in lots of modules and they can all be automatically combined together
with newlines. This is desireable because different modules might want
to each specify the small monitoring task specific to their service.
This commit also updates the module to use current idioms.
The `rmilter` module has options for configuring `postfix` to use it but
since that module is deprecated because rspamd now has a builtin worker
that supports the milter protocol this commit adds similar `postfix`
integration options directly to the `rspamd` module.
* Added license: GPLv2.
* Updated homepage and description.
* CFLAGS are no longer necessary as of version 2.2.0.
* Option '-a ::' is no longer necessary as of version 2.2.0.
While this seems silly at first (it's already given as start parameter
to mysqld), it seems like xtrabackup needs that sometimes.
Without it, a Galera cluster cannot be run using the xtrabackup
replication method.
The lines stored in `extraConfig` and `worker.<name?>.extraConfig`
should take precedent over values from included files but in order to do
this in rspamd UCL they need to be stored in a file that then gets
included with a high priority. This commit uses the overrides option to
store the value of the two `extraConfig` options in `extra-config.inc`
and `worker-<name?>.inc` respectively.
When the workers option for rspamd was originally implemented it was
based on a flawed understanding of how workers are configured in rspamd.
This meant that while rspamd supports configuring multiple workers of
the same type, so that different controller workers could have different
passwords, the NixOS module did not support this because it would write
an invalid configuration file if you tried.
Specifically a configuration like the one below:
```
workers.controller = {};
workers.controller2 = {
type = "controller";
};
```
Would result in a rspamd configuration of:
```
worker {
type = "controller";
count = 1;
.include "$CONFDIR/worker-controller.inc"
}
worker "controller2" {
type = "controller";
count = 1;
}
```
While to get multiple controller workers it should instead be:
```
worker "controller" {
type = "controller";
count = 1;
.include "$CONFDIR/worker-controller.inc"
}
worker "controller" {
type = "controller";
count = 1;
}
```
When implementing #49620 I included an enable option for both the
locals and overrides options but the code writing the files didn't
actually look at enable and so would write the file regardless of its
value. I also set the type to loaOf which should have been attrsOf
since the code was not written to handle the options being lists.
This fixes both of those issues.
With `promtool` we can check the validity of a configuration before
deploying it. This avoids situations where you would end up with a
broken monitoring system without noticing it - since the monitoring
broke down. :-)
Gluster's pidfile handling is bug-ridden.
I have fixed https://bugzilla.redhat.com/show_bug.cgi?id=1509340
in an attempt to improve it but that is far from enough.
The gluster developers describe another pidfile issue as
"our brick-process management is a total nightmare", see
f1071f17e0/xlators/mgmt/glusterd/src/glusterd-utils.c (L5907-L5924)
I have observed multiple cases where glusterd doesn't start correctly
and systemd doesn't notice because of the erroneous pidfile handling.
To improve the situation, we don't let glusterd daemonize itself any more
and instead use `--no-daemon` and the `Simple` service type.
Removes the old UI build tooling; it is no longer necessary
because as of 1.2.0 it's bundled into the server binary.
It doesn't even need to have JS built, because it's bundled into
the release commit's source tree (see #48714).
The UI is enabled by default, so the NixOS service is
updated to directly use `ui = webUi;` now.
Fixes#48714.
Fixes#44192.
Fixes#41243.
Fixes#35602.
Signed-off-by: Niklas Hambüchen <mail@nh2.me>
Setting this variable in the environment of systemd-timedated allows
'timedatectl' to tell if an NTP service is running.
Closes#48917.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
By default rspamd will look for multiple files in /etc/rspamd/local.d
and /etc/rspamd/override.d to be included in subsections of the merged
final config for rspamd. Most of the config snippets in the official
rspamd documentation are made to these files and so it makes sense for
NixOS to support them and this is what this commit does.
As part of rspamd 1.8.1 support was added for having custom Lua
rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is
now possible for NixOS to support such rules and so this commit also
adds support for this to the rspamd module.
hass will ignore the standard SIGTERM sent by systemd during stop/restart and we
then have to wait for the timeout after which systemd will forcefully kill the
process.
If instead if we send SIGINT, hass will shut down nicely.
There are many issues reported upstream about the inability to shut down/restart
and it is *supposed* to work with SIGTERM but doesn't.
* run as user 'slurm' per default instead of root
* add user/group slurm to ids.nix
* fix default location for the state dir of slurmctld:
(/var/spool -> /var/spool/slurmctld)
* Update release notes with the above changes
With this option enabled, before creating file/directories/symlinks in baseDir
according to configuration, old occurences of them are removed.
This prevents remainders of an old configuration (libraries, webapps, you name
it) from persisting after activating a new configuration.
The changes were found by executing the following in the strongswan
repo (https://github.com/strongswan/strongswan):
git diff 5.6.3..5.7.1 src/swanctl/swanctl.opt
This was overlooked on a rebase of mine on master, when I didn't realize
that in the time of me writing the znc changes this new option got
introduced.
On AMD hardware with Mesa 18, compton renders some colours incorrectly
when using the glx backend. This patch sets an environmental variable
for compton so colours are rendered correctly.
Topical bug: <https://bugs.freedesktop.org/show_bug.cgi?id=104597>
This breaks with networking backends enabled and
also creates large delays on boot when some services depends
on the network target. It is also not really required
because tinc does create those interfaces itself.
fixes#27070
Tor requires ``SOCKSPort 0`` when non-anonymous hidden services are
enabled. If the configuration doesn't enable Tor client features,
generate a configuration file that explicitly includes this disabling
to allow such non-anonymous hidden services to be created (note that
doing so still requires additional configuration). See #48622.
* nat/bind/dhcp.service:
Remove. Those services have nothing to do with a link-level service.
* sys-subsystem-net-devices-${if}.device:
Add as BindsTo dependency as this will make hostapd stop when the
device is unplugged.
* network-link-${if}.service:
Add hostapd as dependency for this service via requiredBy clause,
so that the network link is only considered to be established
only after hostapd has started.
* network.target:
Remove this from wantedBy clause as this is already implied from
dependencies stacked above hostapd. And if it's not implied than
starting hostapd is not required for this particular network
configuration.
This option represents the ZNC configuration as a Nix value. It will be
converted to a syntactically valid file. This provides:
- Flexibility: Any ZNC option can be used
- Modularity: These values can be set from any NixOS module and will be
merged correctly
- Overridability: Default values can be overridden
Also done:
Remove unused/unneeded options, mkRemovedOptionModule unfortunately doesn't work
inside submodules (yet). The options userName and modulePackages were never used
to begin with
- added package option to specify which version of redmine
- added themes option back in to allow specifying redmine themes
- added plugins option back in to allow specifying redmine plugins
- added database.socket option to allow mysql unix socket authentication
- added port option to allow specifying the port rails runs on
- cleaned up Gemfile so it is much less hacky
- switched to ruby version 2.4 by default as suggested by documentation http://www.redmine.org/projects/redmine/wiki/redmineinstall#Installing-Redmine
- fixed an annoyance (bug) in the service causing recursive symlinks
- fixed ownership bug on log files generated by redmine
- updates reflecting renames in nixos options
- added a nixos test
Dummy display manager that allows running X as a normal user.
The X server is started manually from a vt using `startx`.
Session startup commands must be provided by the user
in ~/.xinitrc, which is NOT automatically generated.
Previously you either had to set the setuid bit yourself or workaround
`isSystemUser = true` (for a loginable shell) to access the weechat
screen.
`programs.screen` shouldn't do this by default to avoid taking too much
assumptions about the setup, however `services.weechat` explicitly
requires tihs.
See #45728
Included changes:
* upstream repository has moved, URLs changed accordingly
* journaldriver bumped to new upstream release
The new release includes an important workaround for an issue that
could cause log-forwarding to fail after service restarts due to
invalid journal cursors being persisted.
Several service definitions used `mkEnableOption` with text starting
with "Whether to", which produced funny option descriptions like
"Whether to enable Whether to run the rspamd daemon..".
This commit corrects this, and adds short descriptions of services
to affected service definitions.
as using /var/run now emits a warning by systemd's tmpfiles.d.
As /var/run is already a symlink to /run, this can't break anything, and
data does not need to be migrated.
This is necessary when system-wide dconf settings must be configured, i.e. to
disable GDM's auto-suspending of the machine when no user is logged in.
Related to https://github.com/NixOS/nixpkgs/issues/42053.
environment.sessionVariables cannot refer to the values of env vars,
and as a result this has caused problems in a variety of scenarios.
One use for these is that they're injected into /etc/profile,
elewhere these are used to populate an 'envfile' for pam
(`pam 5 pam_env.conf`) which mentions use of HOME being
potentially problematic.
Anyway if the goal is to make things easier for users,
simply do the NIX_PATH modification as extraInit.
This fixes the annoying problems generated by the current approach
(#40165 and others) while hopefully serving the original goal.
One way to check if things are borked is to try:
$ sudo env | grep NIX_PATH
Which (before this change) prints NIX_PATH variable with
an unexpanded $HOME in the value.
-------
This does mean the following won't contain user channels for 'will':
$ sudo -u will nix-instantiate --eval -E builtins.nixPath
However AFAICT currently they won't be present either,
due to unescaped $HOME. Unsure if similar situation for other users
of sessionVariables (not sudo) work with current situation
(if they exist they will regress after this change AFAIK).
The socket activation I added to the rspamd module doesn't actually work
and can't be made to work without changes to rspamd.
See: #47421
See: rspamd/rspamd#2035
Introduced by 0f3b89bbed.
If services.nixosManual.showManual is enabled and
documentation.nixos.enable is not, there is no
config.system.build.manual available, so evaluation fails. For example
this is the case for the installer tests.
There is however an assertion which should catch exactly this, but it
isn't thrown because the usage of config.system.build.manual is
evaluated earlier than the assertions.
So I split the assertion off into a separate mkIf to make sure it is
shown appropriately and also fixed the installation-device profile to
enable documentation.nixos.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @oxij
- Use socket-activated epmd - that way there won't be any trouble when
more than one erlang system is used within a single host.
- Use new automation-friendly configuration file format
- Use systemd notifications instead of buggy 'rabbitmqctl wait' for
confirming successful server startup.
'wait' bug: https://github.com/rabbitmq/rabbitmq-server/issues/463
- Use 'rabbitmqctl shutdown' instead of 'stop', because it's not
pid-file based
- Use sane systemd unit defaults from RabbitMQ repo:
https://github.com/rabbitmq/rabbitmq-server/blob/master/docs/rabbitmq-server.service.example
- Support for external plugins
Most importantly, this sets PrivateTmp, ProtectHome, and ProtectSystem
so that Chrony flaws are mitigated, should they occur.
Moving to ProtectSystem=full however, requires moving the chrony key
files under /var/lib/chrony -- which should be fine, anyway.
This also ensures ConditionCapability=CAP_SYS_TIME is set, ensuring
that chronyd will only be launched in an environment where such a
capability can be granted.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This reverts commit 67c8c49177.
'nix run nixos.firefox' is *not* supposed to work - the Nix 2.x
interface attempts to standardize on nixpkgs.*, to get rid of the
nixos/nixpkgs confusion that existed with the channels interface. So
let's not bring that confusion back.
Because when I see "config.system.build.manual.manual" after I forgot
what it means I ask "Why do I need that second `.manual` there again?".
Doesn't happen with `config.system.build.manual.manualHTML`.
/run/rmilter is set by systemd, and have root:root ownership, which
prevent pid file to write.
This fix suggested to be promoted to 18.09 branch.
(Although rmilter itself is deprecated, and I plan to remove it, after
18.09 would be released)
Add package libratbag and service module ratbagd
Libratbag contains ratbagd daemon and ratbagctl cli to configure
buttons, dpi, leds, etc. of gaming mice.
Add mvnetbiz to maintainers.
Instead of searching `/usr` it should search for the `xkb`,
$XDG_DATA_DIRS will be searched. With this approach we allow compliance
on NixOS and non-NixOS systems to find `symbols` in the `xkb` directory.
The patch has been accepted by upstream, but isn't released yet, so this
is mainly a temporary fix until we can bump ZSH to the next stable version.
The `xserver` module links `/share/X11/xkb` to `/run/current-system` to
make this possible.
The fix can be tested inside the following VM:
```
{
zshtest = {
programs.zsh.enable = true;
users.extraUsers.vm = {
password = "vm";
isNormalUser = true;
};
services.xserver.enable = true;
};
}
```
Fixes#46025
This allows the definition of a custom derivation of Exim,
which can be used to enable custom features such as LDAP and PAM support.
The default behaviour remains unchanged (defaulting to pkgs.exim).
That way the built-in web server is usable by default but users can use
$HOME/web directly (instead of having to use a symlink), if they want to
customize the webpage.
Without a group the gid will default to 65534 (2^16 - 2) which maps to
"nogroup". IMO it makes more sense to explicitly set a valid group.
Adding pkgs.sks to environment.systemPackages is not required (IIRC we
want to avoid bloating environment.systemPackages). Instead it seems
like a better idea to make the relevant binaries available to the user
sks and enable useDefaultShell so that "su -l sks" can be used for
manual interaction (that way the files will always have the correct
owner).
This commit adds the following
* the uucp user
* options for HylaFAX server to control startup and modems
* systemd services for HylaFAX server processes
including faxgettys for modems
* systemd services to maintain the HylaFAX spool area,
including cleanup with faxcron and faxqclean
* default configuration for all server processes
for a minimal working configuration
Some notes:
* HylaFAX configuration cannot be initialized with faxsetup
(as it would be common on other Linux distributions).
The hylafaxplus package contains a template spool area.
* Modems are controlled by faxgetty.
Send-only configuration (modems controlled by faxq)
is not supported by this configuration setup.
* To enable the service, one or more modems must be defined with
config.services.hylafax.modems .
* Sending mail *should* work:
HylaFAX will use whatever is in
config.services.mail.sendmailSetuidWrapper.program
unless overridden with the sendmailPath option.
* The admin has to create a hosts.hfaxd file somewhere
(e.g. in /etc) before enabling HylaFAX.
This file controls access to the server (see hosts.hfaxd(5) ).
Sadly, HylaFAX does not permit account-based access
control as is accepts connections via TCP only.
* Active fax polling should work; I can't test it.
* Passive fax polling is not supported by HylaFAX.
* Pager transmissions (with sendpage) are disabled by default.
I have never tested or used these.
* Incoming data/voice/"extern"al calls
won't be handled by default.
I have never tested or used these.
This adds several improvements the previously introduced
`services.weechat` module:
* Dropped `services.weechat.init` as the initialization script can now
be done on package-level since 2af41719bc using the `configure`
function.
* Added `sessionName` option to explicitly configure a name for the
`screen` session (by default: weechat-screen).
* Added `binary` option to configure the binary name (e.g.
`weechat-headless`).
* Added docs regarding `screen` session and `weechat.service`.
Previously it was only possible to use very simple Riemann config.
For more complicated scenarios you need a directory of clojure
files and the config file that riemann starts with should be in this
directory.
This fixes a regression introduced in commit
700e21d6da
nix needs ssh on path for the SSH substituter functionality,
not only the distributed builds functionality.
Signed-off-by: Niklas Hambüchen <mail@nh2.me>
The switch from slim to lightdm in #30890 broke some nixos tests
because lightdm by default doesn't permit auto-login for root.
Override /etc/pam.d/lightdm-autologin to allow it.
The option was added in 1251b34b5b
with type `types.path` but default `null`, so eval failed with
the default setting. This broke the acme and certmgr tests.
cc: @vincentbernat @fpletz
This is the semantics as understood by `xdg-open`. Using these semantics
on a non-colon-separated variable works because it acts as if it was a
one element long list.
This fixes an issue where it would try to exec
`google-chrome-beta:google-chrome:chromium:firefox` on a system
configured with these semantics in mind.
Switch from slim to lightdm as the display-manager.
If plasma5 is used as desktop-manager use sdddm.
If gnome3 is used as desktop-manager use gdm.
Based on #12516
The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.
The result can be tested with:
openssl s_client -connect web.example.com:443 -status 2> /dev/null
Without OCSP stapling, we get:
OCSP response: no response sent
After this change, we get:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Aug 30 20:46:00 2018 GMT
This allows one to add rules which change a packet's routing table:
iptables -t raw -I PREROUTING 1 -m set --match-set myset src -j MARK --set-mark 2
ip rule add fwmark 2 table 1 priority 1000
ip route add default dev wg0 table 1
to the beginning of raw table PREROUTING chain, and still have rpfilter.
The wallpaper used is *structurally compatible* with the other one,
meaning that the logo is at the same location, and not bigger.
It has one drawback: the logo is brighter, which clashes with the grub
usage. This is to be fixed with new options in grub.
The additions are:
- image/svg+xml for SVG images
- application/atom+xml for Atom feeds
These types are also present in mime.types. For better readability,
the list is sorted and formatted with one type per line.
This prevents issues when gitea adds new locales etc. And if they
change locale values in future versions. Or if you rollback to a
previous version of gitea it might be a good idea to use the previous
locale files.
thermald has two modes: zero-config and manual. Sometimes it is useful
to manually configure thermald to achieve better thermal results or to give
thermald a hand when detecting possible cooling options.
This allows the user to add `wpa_supplicant` config options not yet supported by Nix without having to write the entire `wpa_supplicant.conf` file manually.
Introduces an option `services.datadog-agent.extraIntegrations` that
can be set to include additional Datadog agent integrations from the
integrations-core repository.
Documentation and an example is provided with the change.
Relates to NixOS/nixpkgs#40399
Refactors the datadog-agent (i.e. V6) module to let users configure
arbitrary checks, not just a limited set, without having to resort to
linking the files manually and updating the systemd unit.
Checks are now configured via a `services.datadog-agent.checks` option
which takes an attribute set in which the keys refer directly to
Datadog check names, and the values are attribute sets representing
Datadog's configuration structure.
With this mechanism users can configure arbitrary integrations, for
example for the `ntp`-check, simply by saying:
services.datadog-agent.checks.ntp = {
init_config = null;
# ... other check configuration options as per Datadog
# documentation
};
The previous check-specific configuration options for non-default
checks have been removed. Disk & network check configuration options
have been kept rather than making them a `default`-value of the
`checks`-option because they will be overridden by user-configurations
in that case.
Relates to NixOS/nixpkgs#40399.
Some modules of cloud-init can cope with a network not immediately
available (notably, the EC2 module), but some others won't retry if
network is not available (notably, the Cloudstack module).
network.target doesn't give much guarantee about the network
availability. Applications not able to start without a fully
configured network should be ordered after network-online.target.
Also see #44573 and #44524.
We override the ESP mount point in the config file /etc/fwupd/uefi.conf
(available since version 1.0.6), as it is set to a path in the nix store
during build time.
Tests are disabled as it needs /etc/os-release, which is not available
when building with sandboxing enabled.
Vladimír Čunát
Edward Tjörnhammar
Silvan Mosberger
Jörg Thalheim
Léo Gaspard
volth
Ryan Mulligan
Franz Pletz
Brian Olsen
Renaud
Aaron Andersen
Sander van der Burg
Janik Rabe
Markus Kowalewski
sveitser
Janne Heß
Peter Simons
Sarah Brofeldt
Michael Raskin
Andreas Rammhold
Niklas Hambüchen
Robin Gloster
Joachim F
Robert Hensing
Austin Seipp
obadz
Dejan Lukan
Peter Hoeg
Johan Thomsen
Will Dietz
xeji
Lancelot SIX
Lassulus
Alyssa Ross
Pavel Goran
Samuel Leathers
Bas van Dijk
Jan Tojnar
Wout Mertens
Ján Hrnko
Marwan Aljubeh
Maximilian Bosch
qolii
Izorkin
Rob Vermaas
Drew Hess
Victor SENE
Pierre Bourdon
Matthew Bauer
worldofpeace
Tmplt
Daniel Rutz
Jörg Thalheim
Michael Raitza
Jean-Paul Calderone
clefru
Aneesh Agrawal
rnhmjoj
Nick Hu
Ingolf Wagner
Yegor Timoshenko
Florian Jacob
Alexey Shmalko
Jeff Slight
Alexander V. Nikolaev
Ben Wolsieffer
Victor SENE
Vincent Ambo
lassulus
Timo Kaufmann
WilliButz
Linus Heckemann
Andrew Childs
nyanloutre
Pascal Wittmann
Graham Christensen
Dominik Xaver Hörl
Elis Hirwing
Robert Hensing
Domen Kožar
aszlig
Alexey Lebedeff
Kristoffer Thømt Ravneberg
Jan Malakhovski
Eelco Dolstra
Samuel Dionne-Riel
Vladyslav Mykhailichenko
Frederik Rietdijk
Michael Peyton Jones
Christian Kögler
Matt Votava
Edmund Wu
Janne Heß
Frederik Rietdijk
Jean-Paul Calderone
Erik Arvstedt
rembo10
pacien
Bob van der Linden
Michael Alan Dorman
Uli Baum
Okina Matara
Michael Weiss
Yarny0
Tad Fisher
Yegor Timoshenko
David Smith
Shea Levy
Alberto Berti
Yorick
Florian Klink
Ricardo M. Correia
Tobias Happ
John Ericson
John Ericson
Nadrieril
Vincent Bernat
Johannes Lötzsch
Nikolay Amiantov
Tuomas Tynkkynen
Augustin Borsu
adisbladis
Jake Woods
srghma
Tobias Happ
Alex Whitt
Mitsuhiro Nakamura
Johannes Frankenau
Samuel Leathers
Edmund Wu
Daiderd Jordan
Deven Lahoti
Yorick van Pelt
Vincent Ambo
Rodney Lorrimar
Geoffrey Huntley
André-Patrick Bubel
Thomas Bach