binfmt activation script creates /run/binfmt before mounting /run
when system activation.
To fix it I added dependency to specialfs to binfmt activation
script.
(cherry picked from commit bf227785854c9fd4a14c20db12dd6d3ebaf02981)
This fixes an evaluation error that's blocking the nixos-unstable
channel (#132328).
(cherry picked from commit b5fab53628e8f080bae24ea1396f72d9d21e1f9b)
It seems as since Chromium 92, `chromium` crashes on startup if
`XDG_CONFIG_HOME` points to a read-only (store-)path.
(cherry picked from commit 8c35a69a6ea206204ddfd3116c4497020b9f2724)
Before this commit, the `flake` option was typed with `types.unspecified`.
This type get's merged via [`mergeDefaultOption`](ebb592a04c/lib/options.nix (L119-L128)), which has a line
```nix
else if all isFunction list then x: mergeDefaultOption loc (map (f: f x) list)
```
`lib.isFunction` detects an attrs in the shape of `{__functor = ...}` as
a function and hence this line substitutes such attrs with a function
(f: f x).
If now, a flake input has a `__functor` as it's output, this will
coerce the once attrs to a function. This breaks a lot of things later
in the stack, for example a later `lib.filterAttrs seive <LAMBDA>` will
fail for obious reasons.
According to @infinisil, `types.unspecified` is due to deprecation. In
the meantime this PR provides a specific fix for the specific problem
discovered.
(cherry picked from commit ecae25c3ef137d972e909eb0e85960d90481789e)
installer media can be used on top of existing host configs. In such
scenarions, root fs types will already be defined.
Before this change, this will inevitably lead to the following error:
```console
error: The option `fileSystems./.fsType' has conflicting definition values:
- In `/nix/store/2nl5cl4mf6vnldpbxhrbzfh0n8rsv9fm-source/DevOS/os/hardware/common.nix': "ext4"
- In `/nix/store/jbch90yqx6gg1h3fq30jjj2b6h6jfjgs-source/nixos/modules/installer/cd-dvd/iso-image.nix': "tmpfs"
```
With this patch, the installers will override those values according to
their own local requirement.
Use `mkOverride 60` so that conscientious overriding specially targeted
at the installer, e.g. with `mkForce` is still straight forward.
(cherry picked from commit c219fdffad3fa76c43824bee34d5fb424ff95b87)
Previously, a failed backup would always overwrite ${db}.sql.gz,
because the bash `>` redirect truncates the file; even if the
backup was going to fail.
On the next run, the ${db}.prev.sql.gz backup would be
overwritten by the bad ${db}.sql.gz.
Now, if the backup fails, the ${db}.in-progress.sql.gz is in an
unknown state, but ${db}.sql.gz will not be written.
On the next run, ${db}.prev.sql.gz (our only good backup) will
not be overwritten because ${db}.sql.gz does not exist.
(cherry picked from commit 81c8189a841728a813bcde8604b80427fcf33522)
As per #121293, I ensured the UMask is set correctly
and removed any unnecessary chmod/chown/chgrp commands.
The test suite already partially covered permissions
checking but I added an extra check for the selfsigned
cert permissions.
(cherry picked from commit 083aba4f83b105c30a1386bdb214cb6c85e119e6)
mkEnableOption already adds "Whether to enable" and ends with a ".", so
remove that duplication from the help text.
Also reword it slightly while at it.
(cherry picked from commit 5d3dca497ba7d20c662e8144c0bedb69433a9e4a)
For plugins to work properly, their assets need to be precompiled
along with the rest of Discourse's assets. This means we need to build
new packages when the list of plugins change.
(cherry picked from commit 9af3672f4faaafba0ce0129a87fc7925c14eeb61)
In https://github.com/NixOS/nixpkgs/pull/120622 cleanup options were
added, but `remove-all-inc-of-but-n-full` was misspelled and as such
was not functioning.
(cherry picked from commit 0a977cf125a86b5580de6e05bfeaa07aa54c4a78)
systemd ships `units/serial-getty@.service.m4` with the `--keep-baud`
option.
We override that unit, and didn't add the `--keep-baud` option. (We have
it in our other getty options there).
Having `--keep-baud` in `serial-getty@` makes a lot of sense - the
console keeps working if it's initialized with a less standard baud
rate, such as the [Helios64](https://wiki.kobol.io/helios64/intro/).
(cherry picked from commit ba42d639f16dc774f4fa661243b640b034d7be0a)
Different boards using u-boot SPL require to write to different
locations. Sometimes, the 8MiB gap isn't sufficient - rk3399 boards
write to 0x16384 for example, which is at 8MiB, thus overriding the
fat32 partition with the SPL.
(cherry picked from commit 1db54a5522a2d523e406ce8713bfe88bb9e3f657)
This makes the service fail when upgrading the package, so let's
properly restart it instead.
(cherry picked from commit b4c069b1476a92a540e906ef95cd7fb380d29c63)
Reload only works with a static configuration path as there is no way to
pass the dynamically generated config path to a running solanum
instance, therefore we symlink the configuration to
/etc/solanum/ircd.conf.
But that will prevent reloads of the ircd, because the systemd unit
wouldn't change when the configuration changes. That is why we add the
actual location of the config file to restartTriggers and enable
reloadIfChanged, so changes will not restart, but reload on changes.
(cherry picked from commit 60c62214f5a3c7db6aa30d8a8e02c863b6abcf0a)
Add support for folder jobs
(https://plugins.jenkins.io/cloudbees-folder/) by reworking the service
to support nested jobs.
This also fixes this deprecation warning (as a happy side effect):
WARNING:jenkins_jobs.cli.subcommand.test:(Deprecated) The default output behavior of `jenkins-jobs test` when given the --output flag will change in JJB 3.0. Instead of writing jobs to OUTPUT/jobname; they will be written to OUTPUT/jobname/config.xml. The new behavior can be enabled by the passing `--config-xml` parameter
(cherry picked from commit 4bcb22e17aa8677c6b3fc4625732d4da791a576f)
A hard failure breaks the NixOS installer, which can't possibly
know the interface names in advance.
(cherry picked from commit be01320a6c39867eac0a20b4dfe04680d3b1ce26)
62733b37b4 broke evaluation in all
places `pkgs.mysql` was used. Fix this by changing all occurrences to
`pkgs.mariadb`.
(cherry picked from commit 59e0120aa5c1241d48048afa615e25c65d7e366d)
In 0.3.0 of the json-exporter[1] it was switched to a different jsonpath
library which made some changes - especially for spaces in keys -
necessary. Also I decided to remove the pretty-printed JSON as this
would interfere with the bash quoting too much. If one needs
pretty-printed output, they can still pipe the output to `jq`.
[1] https://github.com/prometheus-community/json_exporter/releases/tag/v0.3.0
(cherry picked from commit 976d668e5c5566c3e96b17d667830a0f3ed1bbb5)
This should help in rare hardware-specific situations where the root is
not automatically detected properly.
We search using a marker file. This should help some weird UEFI setups
where the root is set to `(hd0,msdos2)` by default.
Defaulting to `(hd0)` by looking for the ESP **will break themeing**. It
is unclear why, but files in `(hd0,msdos2)` are not all present as they
should be.
This also fixes an issue introduced with cb5c4fcd3c
where rEFInd stopped booting in many cases. This is because it ended up
using (hd0) rather than using the `search` which was happening
beforehand, which in turn uses (hd0,msdos2), which is the ESP.
Putting back the `search` here fixes that.
(cherry picked from commit 20b023b5ea63a6513a4dce7f162736a00bce5cc8)
This technically changes nothing. In practice `$root` is always the
"CWD", whether searched for automatically or not.
But this serves to announce we are relying on `$root`... I guess...
(cherry picked from commit c9bb054dd68964b0eb9a38c51bdf824bfb212fc7)
Reusing the same private/public key on renewal has two issues:
- some providers don't accept to sign the same public key
again (Buypass Go SSL)
- keeping the same private key forever partly defeats the purpose of
renewing the certificate often
Therefore, let's remove this option. People wanting to keep the same
key can set extraLegoRenewFlags to `[ --reuse-key ]` to keep the
previous behavior. Alternatively, we could put this as an option whose
default value is true.
(cherry picked from commit 632c8e1d54e299f656aa677f25552e1127f12849)
iptables is currently defined in `all-packages.nix` to be
iptables-compat. That package does however not contain `ethertypes`.
Only `iptables-nftables-compat` contains this file so the symlink
dangles.
(cherry picked from commit 2eeecef3fc70e35b2f4c6d8424e4c726c140e330)
A secret key generated by the nixos module was misspelled, which could
possibly impact the security of session cookies.
To recover from this situation we will wipe all security keys that were
previously generated by the NixOS module, when the misspelled one is
found. This will result in all session cookies being invalidated. This
is confirmed by the wordpress documentation:
> You can change these at any point in time to invalidate all existing
> cookies. This does mean that all users will have to login again.
https://wordpress.org/support/article/editing-wp-config-php/#security-keys
Meanwhile this issue shouldn't be too grave, since the salting function
of wordpress will rely on the concatenation of both the user-provided
and automatically generated values, that are stored in the database.
> Secret keys are located in two places: in the database and in the
> wp-config.php file. The secret key in the database is randomly
> generated and will be appended to the secret keys in wp-config.php.
https://developer.wordpress.org/reference/functions/wp_salt/
Fixes: 2adb03fdae ("nixos/wordpress:
generate secrets locally")
Reported-by: Moritz Hedtke <Moritz.Hedtke@t-online.de>
(cherry picked from commit 724ed08df02546fea2ab38613d615dd47461528c)
Assert that the PostgreSQL version being deployed is the one used
upstream. Allow the user to override this assertion, since it's not
always possible or preferable to use the recommended one.
(cherry picked from commit 544adbfcab2e92c2fe5774cae67f2edf165eb97e)
As per `man systemd.path`:
> When a service unit triggered by a path unit terminates
> (regardless whether it exited successfully or failed),
> monitored paths are checked immediately again,
> **and the service accordingly restarted instantly**.
Thus the existence of the path unit made it impossible to stop the
wireguard service using e.g.
systemctl stop wireguard-wg0.service
Systemd path units are not intended for program inputs such
as private key files.
This commit simply removes this usage; the private key is still
generated by the `generateKeyServiceUnit`.
(cherry picked from commit d344dccf3dc592242f11ef993acb9ecee8d84796)
Silvan Mosberger
Kazutoshi Noguchi
davidak
Luke Granger-Brown
lassulus
Maximilian Bosch
Domen Kožar
David Arnold
Robert Hensing
Vladimír Čunát
Martin Weinelt
Eelco Dolstra
Michael Francis
Niklas Hambüchen
Valentin Conrad
Timothy DeHerrera
Marc 'risson' Schmitt
Jan Tojnar
talyz
Jörg Thalheim
Jeremy Kolb
Yureka
illustris
Robert Hensing
Atemu
Lucas Savva
Bjørn Forsman
Philipp Hausmann
Aaron Andersen
Alexandru Scvortov
Dima
Florian Klink
Jan Solanti
Natan Lao
Jonathan Ringer
rnhmjoj
AmineChikhaoui
Samuel Dionne-Riel
zowoq
Julien Moutinho
Daniel Nagy
Vincent Bernat
Janne Heß