This fixes a harmless error from systemd-udevd that looks like:
Dec 23 15:35:23 dellbook systemd-udevd[696]:
/nix/store/iixya3ni5whybpq9zz1h7f4pyw7nhd19-udev-rules/99-local.rules:25
Invalid value "..." for RUN (char 101: invalid substitution type),
ignoring, but please fix it.
Using $$ fixes it using the escaping documented at https://www.freedesktop.org/software/systemd/man/udev.html.
The commit b0bbacb521 was a bit too fast
It did set executable bit for log files.
Also, it didn't account for other directories in state dir:
```
# ls -la /var/spool/nginx/
total 32
drwxr-x--- 8 nginx nginx 4096 Dec 26 12:00 .
drwxr-xr-x 4 root root 4096 Oct 10 20:24 ..
drwx------ 2 root root 4096 Oct 10 20:24 client_body_temp
drwx------ 2 root root 4096 Oct 10 20:24 fastcgi_temp
drwxr-x--- 2 nginx nginx 4096 Dec 26 12:00 logs
drwx------ 2 root root 4096 Oct 10 20:24 proxy_temp
drwx------ 2 root root 4096 Oct 10 20:24 scgi_temp
drwx------ 2 root root 4096 Oct 10 20:24 uwsgi_temp
```
With proposed change, only ownership is changed for state files, and mode is left as is
except that statedir/logs is now group accessible.
This change brings pre-existing installations (where the logfiles
are owned by root) in line with the new permssions (where logfiles
are owned by the nginx user)
Currently to run borg job manually, you have to use systemctl:
```
$ systemctl start borgbackup-job-jobname.service
```
This commit makes wrappers around borg jobs available in $PATH, which have
BORG_REPO and connection args set correctly:
```
$ borg-job-jobname list
$ borg-job-jobname mount ::jobname-archive-2019-12-25T00:01:29 /mnt/some-path
$ borg-job-jobname create ::test /some/path
```
Closes: https://github.com/NixOS/nixpkgs/pull/64888
Co-authored-by: Danylo Hlynskyi <abcz2.uprola@gmail.com>
Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This
change provides the option to change the LXC, LXD and ZFS packages, and
determines the default ZFS package based on zfs.enableUnstable.
When installing a fresh NixOS system it occasionally happens that you
encounter issues that are rather hard to track down since
`nixos-install(8)` doesn't provide any debugging flags.
This patch adds `-L` to force `nix build` to display the build-log on
stderr and `-v` to increase the log-level of Nix.
Also cleanup a bit, we enabled gnome-settings-daemon even when using elementary-settings-daemon.
I wanted the nixos module ascribe the defaults, not these lists in pkgs.
sway: refactor with a wrapper
This moves the wrapper functionality from the NixOS module to a new package
(wrapper) that wraps the original sway package (sway-unwrapped). Therefore it's
now also possible to properly use Sway on non-NixOS systems out of the box.
The new submodule for the wrapperFeatures makes it easy to extend the
functionality which should become useful in the future.
This also introduces a GTK wrapper feature to fix issues with icon/GTK themes,
e.g. when running waybar or wofi. This should also work for #67704. If not, we
might have to add some additional dependencies/arguments for this case.
When using a modified systemd-package (e.g. to test a patch), it's
recommended to use the `systemd.package`-option to avoid rebuilding all packages
that somehow depend on systemd.
With this change, the modified package is also used by `systemd-nspawn@`
units.
This commit changes the console colors implementation
to use the kernel parameters instead of relying on terminal
escape sequences. This means the palette is applied by the
kernel itself with no custom code running in the initrd
and works for all virtual terminals (not only tty0).
This commit moves all the virtual console related options
to a dedicated config/console.nix NixOS module.
Currently most of these are defined in config/i18n.nix
with a "console" prefix like `i18n.consoleFont`,
`i18n.consoleColors` or under `boot` and are implemented
in tasks/kbd.nix.
Since they have little to do with actual internationalisation
and are (informally) in an attrset already, it makes sense to
move them to a specific module.
In 5532065d06, acme was changed to be
RemainAfterExit=true, but `postRun` commands are implemented as
`ExecStopPost`. Systemd now considers the service to be still running
after simp_le is finished, so won't run these commands (e.g. to reload
certificates in a webserver). Change `postRun` to use `ExecStartPost` to
ensure the commands are run in a timely manner.
1. This makes aggregates of submodules (including the very important
"nixos-option users.users.<username>" case) behave the same way as any
other you-need-to-keep-typing-to-get-to-an-option-leaf (eg:
"nixos-option environment").
Before e0780c5:
$ nixos-option users.users.root
error: At 'root' in path 'users.users.root': Attribute not found
An error occurred while looking for attribute names. Are you sure that 'users.users.root' exists?
After e0780c5 but before this change, this query just printed out a raw
thing, which is behavior that belongs in "nix eval", "nix-instantiate
--eval", or "nix repl <<<":
$ nixos-option users.users.root
{
_module = {
args = { name = "root"; };
check = true;
};
createHome = false;
cryptHomeLuks = null;
description = "System administrator";
...
After this change:
$ nixos-option users.users.root
This attribute set contains:
createHome
cryptHomeLuks
description
extraGroups
group
hashedPassword
...
2. For aggregates of other types (not submodules), print out the option
that contains them rather than printing an error message.
Before:
$ nixos-option environment.shellAliases.l
error: At 'l' in path 'environment.shellAliases.l': Attribute not found
An error occurred while looking for attribute names. Are you sure that 'environment.shellAliases.l' exists?
After:
$ nixos-option environment.shellAliases.l
Note: showing environment.shellAliases instead of environment.shellAliases.l
Value:
{
l = "ls -alh";
ll = "ls -l";
ls = "ls --color=tty";
}
...
Deperecates the interfaces option which was used to generate a host:port
list whereas the port was always hardcoded to 53. This unifies the
listen configuration for plain and TLS sockets and allows to specify a
port without an address for wildcard binds.
Systemd dependencies for scripted mode
were refactored according to analysis in #34586.
networking.vswitches can now be used with systemd-networkd,
although they are not supported by the daemon, a nixos receipe
creates the switch and attached required interfaces (just like
the scripted version).
Vlans and internal interfaces are implemented following the
template format i.e. each interface is
described using an attributeSet (vlan and type at the moment).
If vlan is present, then interface is added to the vswitch with
given tag (access mode). Type internal enabled vswitch to create
interfaces (see openvswitch docs).
Added configuration for configuring supported openFlow version on
the vswitch
This commit is a split from the original PR #35127.
This makes ~2.5x speed up of an empty container instantiate, hence reduces
rebuild time of system with many declarative containers.
Note that this doesn't affect production systems much, becaseu those most
likely already include `minimal.nix` profile.
The upstream session files display managers use have no concept of sessions being composed from
desktop manager and window manager. To be able to set upstream session files as default
session, we need a single option. Having two different ways to set default session would be confusing,
though, so we decided to deprecate the old method.
We also created separate script for each session, just like we already had a separate desktop
file for each one, and started using displayManager.sessionPackages mechanism to make the
session handling more uniform.
There's two ways of providing graphical sessions now:
- `displayManager.session` via. `desktopManager.session` and
`windowManager.session`
- `displayManager.sessionPackages`
`sessionPackages` doesn't make a distinction between desktop and window
managers. This makes selecting a session provided by a package using
`desktopManager.default` nonsensical.
We therefor introduce `displayManager.defaultSession` which can select a session
from either `displayManager.session` or `displayManager.sessionPackages`.
It will default to `desktopManager.default + windowManager.default` as before.
If the dm default is "none" it will select the first provided session from
`sessionPackages`.
When running e.g. `nixos-option users.users.ma27`, the evaluation breaks
since `ma27` is the attribute name in `attrsOf (submodule {})`, but not
a part of the option tree and therefore breaks with the following
errors:
```
error: At 'ma27' in path 'users.users.ma27': Attribute not found
An error occurred while looking for attribute names. Are you sure that 'users.users.ma27' exists?
```
This happens since the option evaluator expects that either the option
exists or the option is a submodule and the "next" token in the
attribute path points to an option (e.g. `users.users.ma27.createHome`).
This patch checks in the `Attribute not found` condition if the attribute-path
actually exists in the config tree. If that's true, a dummy-attrset is created
which contains `{_type = "__nixos-option-submodule-attr";}`, in that case, the
entire entry of the submodule will be displayed.
+ Fixing interrupted descriptions
+ Added more verbose descriptions
+ Addded <literal> to the descriptions
+ uniformly reformated descriptions to break at 80 chars
(cherry picked from commit c7945c8a97df52a468cf32155154cdec021561bc)
Having a default session resulted in GDM not remembering the last used
session.
So do not force the session until setSessionScript is made aware of the
last session used.
When 'grafting' '/nix/store/<hash>-loopback.cfg' from disk onto
'/boot/grub/loopback.cfg' on the iso, the parent 'grub' directory does not
exist yet. In this case it is automatically created and inherits its
attributes, including timestamp, from /nix/store.
This is correct/expected/intentional behavior of xorriso, but has the
undesired result of leaking the timestamps of /nix/store into the iso. For
this reason we put the loopback.cfg in a
'/nix/store/<hash>-loopback.cfg/grub/loopback.cfg' instead, so it will inherit
the attributes from the correctly-timestamped
'/nix/store/<hash>-loopback.cfg/grub' directory.
For the same reason we move '/EFI/boot/efi-background.png' down in the list
so it is grafted after its parent '/EFI/boot' directory is created with
the correct timestamp.
fixes#74944
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
Fixes https://github.com/NixOS/nixpkgs/issues/75075.
To summarize the report in the aforementioned issue, at a glance,
it's a different default than what upstream polkit has. Apparently
for 8+ years polkit defaults admin identities as members of
the wheel group [0]. This assumption would be appropriate on NixOS, where
every member of group 'wheel' is necessarily privileged.
[0]: 763faf434b
If no display manager is enabled this will not make any difference, but
if a Wayland compatible display manager like SDDM is enabled, a session
for Sway will be available. Therefore it does make sense to enable this
by default.
This adds the display manager integration mentioned in #57602.
Allow the user to specify the permissions to apply to download folders
used by transmission. This is useful e.g. when they are stored on a
network share and accessed by other users.
This commit also makes the home and config directories 700, as there
is should be no need for wider permissions there.
Only use sudo if we are currently not running as the nextcloud user.
This is problematic when occ is called from a systemd service with
NoNewPrivileges=true
In the process of making UPower.conf customizable (#73968), it came up
that UPower doesn't load its config from /etc by default.
The UPower derivation is modified to make it load its config from /etc
at runtime, but still install the default config to its nix store path
as before.
The UPower module is modified to put the config in /etc.
When session debugging was enabled in GNOME but not in Pantheon
{
services.xserver = {
desktopManager.pantheon = {
enable = true;
};
desktopManager.gnome3 = {
enable = true;
debug = true;
};
};
}
it caused a conflict:
error: The option `environment.sessionVariables.GNOME_SESSION_DEBUG' has conflicting definitions, in `<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>' and `<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix>'.
gobject-introspection has nothing to do with graphical systems or GNOME, it is needed for language bindings like Python.
This reverts commit d757135c05
Didn't notice this till I tried removing my custom roon user from the one I was testing with. There's not a 'groups' option for users, only group (primary group) and extraGroups. Use these.
(#68337)
The options at `systemd.network` (`links`, `netdevs` and `networks`) are
directly mapped to the three different unit types of `systemd-networkd(8)`.
However there's also the option `systemd.network.units` which is
basically used as a container for generated unit-configs that are linked
to `/etc/systemd/networkd`[1].
This should not be exposed to the user as it's unclear whether or not it
should be used directly which can be pretty confusing which is why I decided to
declare this option as internal (including all sub-options as `internal`
doesn't seem to be propagated to submodules).
[1] 9db75ed88f/nixos/modules/system/boot/networkd.nix (L933-L937)
This PR is part of the networking.* namespace cleanup. We feel that
networking.hostConf is rarely used and provides little value compared to
using environment.etc."host.conf" directly.
Provide sensible default: multi on
Samba 3 has been discontinued since Q1/2015. So I think it's time
to just wipe it from the pkgs. FuseSMB is pretty much abandoned,
upstream does not exist and it's also not as useful as it used to
be anyways.
This is a more sane default since we do not magically (without opt-in)
pull in binaries from `~/bin`. That is not really an expected behavior
for many users. Users that still want that behavior can now just flip
that switch.
This PR is part of the networking.* namespace cleanup.
ssmtp used to be configured via `networking.defaultMailServer` which is
sort of misleading since it provides options only for ssmtp. Other
dumb mail relays like nullmailer have always been living under
services.
The intent of this PR is to align ssmtp's options with those of similar
services. Specifically, two renames have been done:
* Rename `networking.defaultMailHost` to `services.ssmtp`.
* Rename `directDelivery` to `enable` because this is what it basically does.
Previously, socket units wouldn't be restarted if they were
changed. To restart the socket, the service the socket is attached
to needs to be stopped first before the socket can be restarted.
osquery was marked as broken since April.
If somebody steps up to fix it, we can always revive it from the
histroy, but there's not much value in shipping completely broken things
in current master.
cc @ma27
As part of the networking.* name space cleanup, connman should be moved
to services.connman. The same will happen for example with
networkmanager in a separate PR.
The binary name was recently changed from openarena-server to oa_ded in
https://github.com/NixOS/nixpkgs/pull/71122 .
That change broke the openarena module and consequently the openarena
test too. This commit fixes both.
As an alternative, we considered reverting the name change in
https://github.com/NixOS/nixpkgs/pull/72824 but we decided oa_ded was
a better name for the binary (it's the name upstream use).
This PR is part of the networking.* namespace cleanup.
The Cisco VPN module is currently of limited value since it just creates
config files but does not manage services. The same functionality can be
achieved by using _environment.etc_ instead.
It would be a different situation if we had a full service module. So if
you are annoyed by this change, please consider write a more featureful
module and put its options unter _services.networking.vpnc_.
Note that this change removes options for *Cisco VPN*, not
*networkmanager-vpn*.
Unfortunately, you can't configure the default user-session
with GDM like lightdm. I've opened a feature request [0]
but I'd like to be able to do this now.
We use a GObject Python script using bindings to AccountsService
to achieve this. I'm hoping the reliable heuristic for session names
is the file's basename. We also have some special logic for which
method to use to set the default session. It seems set_x_session is
deprecated, and thusly the XSession key, but if that method isn't used
when it's an xsession it won't be the default in GDM.
[0]: https://gitlab.gnome.org/GNOME/gdm/issues/535
- Add services.hardware.bluetooth.config option
- Use lib.generators.toINI with both config and extraConfig options
hardware/bluetooth: a couple suggestions
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
This adds an `extraConfig` option to timesyncd for setting additional
options in `/etc/systemd/timesyncd.conf`.
This is similar to things like `services.journald.extraConfig` and
`services.logind.extraConfig`.
The new description should give more clear understanding of when to
edit the option.
I used NixOS to set up a DNS server that is authoritative for certain
zones. The description of the `cacheNetworks` option made me think I
needed to set it to `"any"` to allow people to query the zone I set
up. Reading the source of the module would have clarified my
understanding, but at the time I just read the description and thought
little of it. Later I discovered I was getting tons of DNS requests
and presumably being used for a DNS amplification attack or similar.
I have fixed the problem now, but I would like the option to have a
clearer description so others don't make the same mistake I did.
This has been there since v209 [1]
```
The interface name to use. This option has lower precedence than NamePolicy=, so for this setting to take effect, NamePolicy= must either be unset, empty, disabled, or all policies configured there must fail. Also see the example below with "Name=dmz0".
Note that specifying a name that the kernel might use for another interface (for example "eth0") is dangerous because the name assignment done by udev will race with the assignment done by the kernel, and only one interface may use the name. Depending on the order of operations, either udev or the kernel will win, making the naming unpredictable. It is best to use some different prefix, for example "internal0"/"external0" or "lan0"/"lan1"/"lan3".
```
[1] 43b3a5ef61
most likely, people enabling the lorri module also want to use it,
without explicitly having to add it to users.users.<username>.packages.
cc @curiousleo @Profpatsch
Add a virtual user system based around pam and a Berkeley
user database.
Adding the:
- localRoot
- userDbPath
- allowWriteableChroot
- virtualUseLocalPrivs
Vsftpd options.
Ever since setting up bonding the `wpa_supplicant-unit-start` script has
been failing. This is because the file `bonding_masters` in
`/sys/class/net/` is *not* a directory containing `uevent`.
Adding a test to verify the `uevent` path to be sourced exists resolves
the problem.
The SLIM project is abandoned and their last release was in 2013.
Because of this it poses a security risk to systems, no one is working
on it or picked up maintenance. It also lacks compatibility with systemd
and logind sessions. For users, there liikely isn't anything like slim
that's as lightweight in terms of dependencies.
Slurmdbd requires a password database which is stored in slurmdbd.conf.
A seperate config file avoids that the password ends up in the nix store.
Slurmdbd does 19.5 does not support MySQL socket conections.
Adapated the slurm test to provide username and password.
* Fix path in module for slurm to find plugstack.conf
* Fix configure flags so that slurm can be compiled
without internal X11 support (required for spank-x11).
This prevents services to be started before they're initialized, and
renders the `systemd.targets.ceph.wantedBy = lib.mkForce [];` hack in
the vm tests obsolete - The config now starts up ceph after a reboot,
too.
Let's take advantage of that, crash all VMs, and boot them up again.
Don't pass user and group to ceph, and rely on it to drop ceps, but let
systemd handle running it as the appropriate user.
This also inlines the extraServiceConfig into the makeService function,
as we have conditionals depending on daemonType there anyways.
Use StateDirectory to create directories in
/var/lib/ceph/${daemonType}/${clusterName}-${daemonId}.
There previously was a condition on daemonType being one of mds,mon,rgw
or mgr. We only instantiate makeServices with these types, and "osd" was
special.
In the osd case, test examples suggest it'd be in something like
/var/lib/ceph/osd/ceph-${cfg.osd0.name} - so it's not special at all,
but exactly like the pattern for the others.
During initialization, we also need these folders, before the unit is
started up. Move the mkdir -p commands in the vm tests to the line
immediately before they're required.
The two new options make it possible to create the interface in one namespace
and move it to a different one, as explained at https://www.wireguard.com/netns/.
In cases where you boot up really quickly (like in the VM test on a
non-busy host), tinydns might want to bind before the loopback interface
is fully up. Order tinydns after network.target to fix that.
Add --use-remote-sudo option. When set, remote commands will be prefixed
with 'sudo'. This allows using sudo remotely _without_ having to use
sudo locally (when using --build-host/--taget-host).
Incorrect merging of modules resulted in dhcpcd being enabled causing flaky network connection.
https://github.com/NixOS/nixpkgs/pull/64364
Fixing it uncovered an infinite recursion from the same commit, previously masked by the incorrect merge.
We can just drop the `mkDefault` for `networking.wireless.enable` as it is already `false` by default.
Closes: https://github.com/NixOS/nixpkgs/issues/72416
When we did the revert of adding gnome-flashback to systemd.packages [0]
I forgot to test with other display managers. If we use GDM with gnome-flashback
it appears it doesn't try to fallback to non-systemd startup and always fails and
starts the regular gnome-session. So adding gnome-flashback to systemd.packages
was perfectly fine, but we did forgot one detail. We need systemd targets for the
customSessions which is added using mkSystemdTargetForWm in the gnome-
flashback package.
[0]: 42f567b30d
This change ensures that `dhcpcd.service` is restarted as soon as the
exit hook changes. I use this hook to do additional configuration for my
network (like setting a route via the given gateway to my WireGuard) and
when changing parts of this exit hook I'd expect to get this activated
when switching to my new configuration.
When the option services.vault.storageBackend is set to "file", a
systemd.tmpfiles.rules was added, with extraneous []. These are not
needed and have been removed.
This is a good example of a package/module that should be distributed
externally (e.g. as a flake [1]): it's not stable yet so anybody who
seriously wants to use it will want to use the upstream repo. Also,
it's highly specialized so NixOS is not really the right place at the
moment (every NixOS module slows down NixOS evaluation for everybody).
[1] https://github.com/edolstra/jormungandr/tree/flake
Automated consumers can use 'sed 1d' or similar to remove this header.
This probably makes this output *easier* to consume correctly. Having
this header show up in consumers' terminal or log output is probably not
useful, but hiding it without hiding all error messages would have been
more troublesome that just stripping it from stdout.
I.e., previously, unsophisticated use would show undesired output:
$ some-other-tool
This attribute set contains:
This attribute set contains:
This attribute set contains:
This attribute set contains:
<Actual some-other-tool output>
The simplest way to hide this undesired output would have been
nixos-option ... 2>/dev/null, which would hide all error messages.
We do not wish to encourage that.
Correct use would have been something like:
nixos-option ... 2> >( grep --line-buffered -v 'This attribute set contains:')
After this change, correct use is simpler:
nixos-option ... | sed 1d
or
nixos-option ... | sed '1/This attribute set contains:/d'
if the caller don't know if this invocation of nixos-option will yield
an attribute listing or an option description.
Switch from convention "appease clang-tidy --checks='*'" to
"References are like non-nullptr pointers". The clang-tidy check
"google-runtime-references" complains about non-const reference
arguments, but this is not a convention used in Nix.
Switch from convention "appease clang-tidy --checks='*'" to
"References are like non-nullptr pointers". The clang-tidy check
"google-runtime-references" complains about non-const reference
arguments, but this is not a convention used in Nix.
Switch from convention "appease clang-tidy --checks='*'" to
"References are like non-nullptr pointers". The clang-tidy check
"google-runtime-references" complains about non-const reference
arguments, but this is not a convention used in Nix.
I don't think this matters. As long as one or the other of these is
a std::string, I get an operator== that looks at content rather than
pointer equality. I picked casting the constant over casting the dynamic
thing in hopes that the compiler would have a better chance at optimizing
away any runtime cost.
Deferring to reviewer.
This is important because this contains some code copied from nix (as an
interim expediency until that functionality can be exported via nix's
API). The license specified here must be compatible with this borrowing.
Select the same license that nix is released under: lgpl2Plus.
Specifically, with
clang-format --style='{ IndentWidth: 4, BreakBeforeBraces: Mozilla, ColumnLimit: 120, PointerAlignment: Middle }'
which was the clang-format invocation that produced the fewest diffs on
the nix source out of ~20 that I tried.
Also add --all, which shows the value of all options. Diffing the --all
output on either side of contemplated changes is a lovely way to better
understand what's going on inside nixos.
Instead of assign the libinput options to touchpad devices only, it
should be appied by any device using libinput.
Due to the fact that `40-libinput.conf` already defines libinput as
driver for any detected input device, we can use `MatchDriver` to appy
options.
I've noticed a similar issue in Pantheon, without this
sound theme installed there's no system sounds.
I believe it's because the gnome theme and the pantheon
theme inherit this one.
Change order of pam_mount.conf.xml so that users can override the preset configs.
My use case is to mount a gocryptfs (a fuse program) volume. I can not do that in current order.
Because even if I change the `<fusermount>` and `<fuserumount>` by add below to extraVolumes
```
<fusemount>${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"</fusemount>
<fuseumount>${pkgs.fuse}/bin/fusermount -u %(MNTPT)</fuseumount>
```
mount.fuse still does not work because it can not find `fusermount`. pam_mount will told stat /bin/fusermount failed.
Fine, I can add a `<path>` section to extraVolumes
```
<path>${pkgs.fuse}/bin:${pkgs.coreutils}/bin:${pkgs.utillinux}/bin</path>
```
but then the `<path>` section is overridden by the hardcoded `<path>${pkgs.utillinux}/bin</path>` below. So it still does not work.
Adding `systemd-importd` to the build, so that `machinectl`s `import-.*`
may actually do anything. Currently they fail with
```
Failed to transfer image: The name org.freedesktop.import1 was not provided by any .service files
```
as `systemd-importd` is not built. Also registers the regarding dbus
api and service in the systemd module.
Invoke xrandr to actually connect the device.
Additionally, we let systemd create the logs directory and use our module loader
instead of handling it manually.
It seems that dnsdist doesn't actually request CAP_NET_BIND_SERVICE, which is why normally it's executed and root and setuids to another, unprivileged, user. This means that as it is, dnsdist will be unable to bind to any port under 1024 and will fail with access denied.
Removing CAP_SETGID and CAP_SETUID is also related to this as we don't actually change the uid or gid after the fact as we use DynamicUser. (That part isn't strictly NEEDED but there's no reason to have those capabilities if we don't use them).
There are also some additional sandboxing we can remove from the service definition as they are assumed true or strict by DynamicUser: specifically PrivateTmp and ProtectSystem respectively.
ProtectHome is still there, despite being assumed read-only as setting it to true means they are seen as empty. I don't think it really matters as I don't know if systemd will ignore it or not, but I didn't see any reason to go hunting for excuses to make it a bigger change.
Add a new option permitting to point certbot to an ACME Directory
Resource URI other than Let's Encrypt production/staging one.
In the meantime, we are deprecating the now useless Let's Encrypt
production flag.
- spawn the geoclue-agent directly instead of running it via bash
- document why we cannot use DynamicUser = true
- have systemd create the home directory instead of using an explicit
tmpfiles.d fragment
* lm_sensors: add fancontrol module + nixos test
fancontrol is a small script that checks temperature sensors and adapts
fan speeds accordingly. It reads a text config file that can be
auto-generated by running the pwmconfig wizard on the live system.
Both options were introduced in systemd v243[1]. Those options can be
used to ensure that LinkLocalAddressing is only configured for a given
interface if DHCPv4 fails. To quote `systemd.network(5)`:
```
If "fallback" or "ipv4-fallback" is specified, then an IPv4
link-local address is configured only when DHCPv4 fails. If "fallback", an IPv6 link-local
address is always configured, and if "ipv4-fallback", the address is not configured. Note
that, the fallback mechanism works only when DHCPv4 client is enabled, that is, it requires
"DHCP=yes" or "DHCP=ipv4".
```
[1] 8bc17bb3f7
Default behavior is to continue executing the script even when one or
multiple steps fail. We want to abort early if any part of the
initialization fails to not run with a partially initialized state.
Default behavior also allows dereferencing non-existent variables,
potentially resulting in hard-to-find bugs.
Previously setting `allowKeysForGroup = true; group = "foo"` would not
apply the group permission change of the certificates until the service
gets restarted. This commit fixes this by making systemd restart the
service every time it changes.
Note that applying this commit to a system with an already running acme
systemd service doesn't fix this immediately and you still need to wait
for the next refresh (or call `systemctl restart acme-<domain>`). Once
everybody's service has restarted once this should be a problem of the
past.
While switching NixOS configurations with both
networking.useNetworkd = true;
virtualisation.virtualbox.host.enable;
You often end up waiting for systemd-networkd-wait-online.service.
This happens because the vboxnet0 device doesn't have a carrier until
virtualbox machines are started, so networkd gets stuck in
"Configuring":
⇒ networkctl list
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback carrier unmanaged
2 wlp2s0 wlan routable unmanaged
3 vboxnet0 ether no-carrier configuring
This updates the NixOS virtualbox host module to include a
RequiredForOnline=no statement in the generated 40-vboxnet0.network
file, so networkd doesn't consider it necessary for
systemd-networkd-wait-online.service to finish.
Let's encrypt bumped ACME to V2. We need to update our nixos test to
be compatible with this new protocol version.
We decided to drop the Boulder ACME server in favor of the more
integration test friendly Pebble.
- overriding cacert not necessary
- this avoids rebuilding lots of packages needlessly
- nixos/tests/acme: use pebble's ca for client tests
- pebble always generates its own ca which has to be fetched
TODO: write proper commit msg :)
From https://github.com/zsh-users/zsh-syntax-highlighting#faq:
"It must be sourced after all custom widgets have been created
(i.e., after all zle -N calls and after running compinit)."
zsh-syntax-highlighting must be sourced to the end.
Updating:
- nixos module to use the new `account_reg.json` file.
- use nixpkgs pebble for integration tests.
Co-authored-by: Florian Klink <flokli@flokli.de>
Replace certbot-embedded pebble
Just maching all network interfaces caused many breakages, see #18962
and #71106.
We already don't support the global networking.useDHCP,
networking.defaultGateway(6) options if networking.useNetworkd is
enabled, but direct users to configure the per-device
networking.interfaces.<name?>.… options.
This adds support for deploying to remote hosts without being root:
sudo nixos-rebuild --target-host non-root@host
Without this change, only root@host is able to deploy.
The idea is that if the local command is run with sudo, so should the
remote one, thus there is no need for adding any CLI options.
Slim is abandoned and won't work with wayland.
It's in our best interest to use the display-manager
that makes most sense for Plasma5, sddm.
We've already moved on from it being default in #30890
and the graphical.nix profile, which the virtualbox profile uses,
has sddm anyway.
This option was removed because allowing (multiple) regular users to
override host entries affecting the whole system opens up a huge attack
vector. There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using networking.hosts,
provide them via the DNS server in your network, or use
networking.networkmanager.appendNameservers to point your system to
another (local) nameserver to set those entries.
This reverts commit 60aedadc59.
Using tests from #71212 I am now unable to reproduce there being issues
with starting the default metacity flashback session without this.
On start, unicorn, sidekiq and other parts running ruby code emits
quite a few warnings similar to
/var/gitlab/state/config/application.rb:202: warning: already initialized constant Gitlab::Application::LOOSE_EE_APP_ASSETS
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/config/application.rb:202: warning: previous definition of LOOSE_EE_APP_ASSETS was here
/var/gitlab/state/lib/gitlab.rb:38: warning: already initialized constant Gitlab::COM_URL
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/lib/gitlab.rb:38: warning: previous definition of COM_URL was here
This seems to be caused by the same ruby files being evaluated
multiple times due to the paths being different - sometimes they're
loaded using the direct path and sometimes through a symlink, due to
our split between config and package data. To fix this, we make sure
that the offending files in the state directory always reference the
store path, regardless of that being the real file or a symlink.
We create a wrapper which launches gnome-shell with the correct environment and
cap_sys_nice.
We can then override gnome-shell-wayland.service to use this wrapper.
NOTE: We need to force clear the environment, because the defaults aren't good
for user services. That should probably be fixed.
Otherwise connecting simply fails:
VPN connection: failed to connect: 'La création du fichier « /tmp/lib/NetworkManager-fortisslvpn/0507e3ef-f0e0-4153-af64-b3d9a025877c.config.XSB19Z » a échoué : No such file or directory'
