Fix an error in the validation code when the public key is in a
nonstandard location. The check command fails and the key is
incorrectly assumed to be expiring.
When using the Modern config from the Mozilla SSL config generator,
the `ssl_ciphers` parameter does not need to be set
as only TLSv1.3 is permitted and all of its ciphers are reasonable.
Treat it the same as IPv4 (I'm tempted to disable IPv4 by default);
this is the only option I still need to set manually to enjoy IPv6-only
networks including printer discovery!
This reverts commit aab534b894 & uses the
driverInteractive attribute for the test driver instead.
This has the same effect but removes the extra module in the
nixos-build-vms code.
This fixes an eval error that occurred on hydra with the small channel
and the `nixos.tests.boot.biosCdrom.x86_64-linux` attribute:
> $ nix-instantiate nixos/release-small.nix -A nixos.tests.boot.biosCdrom.x86_64-linux
> warning: unknown setting 'experimental-features'
> error: The option `virtualisation.qemu' does not exist. Definition values:
> - In `/home/andi/dev/nixos/nixpkgs/nixos/modules/testing/test-instrumentation.nix':
> {
> consoles = [ ];
> package = {
> _type = "override";
> content = <derivation /nix/store/q72h2cdcb9zjgiay5gdgzwddjkbjr7xq-qemu-host-cpu-only-for-vm-tests-5.1.0.drv>;
> ...
> (use '--show-trace' to show detailed location information)
In bc2188b we changed test test-instrumentation to also set the QEMU
package that is being used. That change unfortunately caused us to
always assing values to the virtualisation.qemu.package option even when
the option is not defined. The original code was explicitly testing for
the consoles case but the then newly extended version did not adjust the
check as the intention was probably not clear.
With this commit we are always ensuring the entire virtualisation.qemu
section exists and can thus drop the individual tests for each of the
sections since the QEMU module always defines both the package and the
consoles option when it's root is defined..
In https://github.com/NixOS/nixpkgs/issues/100119 pantheon's greeter
has g-s-d running which allows brightness controls via pkexec.
This is changed in newer versions of g-s-d (pantheon uses a fork currently),
but whenever brightness is changed with a shell of `shadow` we get
```
Oct 10 23:51:44 kirXps pkexec[18722]: lightdm: Executing command [USER=root] [TTY=unknown] [CWD=/var/lib/lightdm] [COMMAND=/run/current-system/sw/bin/elementary-settings-daemon/gsd-backlight-helper /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1/intel_backlight 65587]
```
I'm not sure this should be strictly needed, so we should try to
revert later on when pantheon's g-s-d is updated.
This adds basically an indirection to systemPackages
to automatically install an interface for flatpak for their respective
environments. e.g if I enable pantheon and flatpak you'll get appcenter,
and on gnome you'll see gnome-software.
https://github.com/NixOS/nixpkgs/issues/99648#issuecomment-706691174
When we redid the default apps we didn't add gnome-boxes for
rdp/vnc. (plus it doesn't really work well in nixos). With gnome-connections
we can now have this functionality, as file sharing is a default function
in g-c-c Sharing.
When I test a change e.g. in the module system manually, I usually use
`nixos-build-vms(8)` which also gives me a QEMU window where I can play
around in the freshly built VM.
It seems as this has changed recently when the default package for
non-interactive VM tests using the same framework was switched to
`pkgs.qemu_test` to reduce the closure size. While this is a reasonable
decision for our CI tests, I think that you really want a QEMU window of
the VM by default when using `nixos-build-vms(8)`.
[1] bc2188b083
This should NOT be backported to 20.09!
When 21.03 is released, the DB changes are about a year old and
operators had two release cycles for the upgrade. At this point it
should be fair to remove the compat layer to reduce the complexity of
the module itself.
The `curve25519-sha256` key exchange method is defined in RFC 8731 that
is identical to curve25519-sha256@libssh.org. OpenSSH supports the
method since version 7.4, released on 2016-12-19. It is literally a
violation of the "both in Secure Secure Shell and Mozilla guidelines"
rule, but it provides essentially the same but a future-proof default.
Also, links to the Mozilla OpenSSH guidelines are updated to refer to
the current place.
Signed-off-by: Masanori Ogino <167209+omasanori@users.noreply.github.com>
Removing the `Accept-Encoding` header breaks applications which may
produce already compressed content.
Removing this header is staded in the nginx docs but is ment as an
example, not as an recomendation.
This attribute is a generalized version of cryptHomeLuks for creating an
entry in /etc/security/pam_mount.conf.xml. It lets the configuration
control all the attributes of the <volume> entry, instead of just the
path. The default path remains the value of cryptHomeLuks, for
compatibility.
This reverts commit 3cd2b59b8c.
It created infinite recursion when using LXQt, since lxqt module
uses `config.system.path` in `services.xserver.desktopManager.session`.
`config.system.path` is a `buildEnv` that depends on `environment.systemPackages`.
serviceConfig.ProtectSystem is usually a string so if set, the assert
itself would error out leaving no useable trace:
# nixos-rebuild switch --show-trace
building Nix...
building the system configuration...
error: while evaluating the attribute 'config.system.build.toplevel' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:293:5:
while evaluating 'foldr' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:52:20, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:128:12:
while evaluating 'fold'' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:55:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:59:8:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:121:50, called from undefined position:
while evaluating the attribute 'assertion' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/security/systemd-confinement.nix:163:7:
value is a string while a Boolean was expected
Fix the check to give a sensible assert message instead; the attribute
should either be not set or false bool to pass.
Closes: #99000
xserver uses the wrong version of xkbvalidate, the one from
buildPackages should be used or else the resulting xkbvalidate binary is
compiled for the target architecture.
This changes the default behavior which opened by default the firewall rules.
The users now need to declare explicitely they want to open the firewall.
This also fixes some various small limitations:
- Drop unnecessary quoting
- Drop duplicated gerbera interface definition
- Fix configuration indentation
In the sense that the pkgs dependency will be pulled if the service is
transcoding enabled. Otherwise, the transcoding part is completely dropped from
the generated configuration.
Secrets are injected from the environment into the rendered
configuration before each startup using envsubst.
The test now makes use of this feature for the server password.
When using the ACME DNS-01 challenge, there is a possibility of a
failure to resolve the challenge if the record is not propagated
fast enough. To circumvent this generic DNS problem, this adds
a setting to explicitly tell the ACME provider to use a certain DNS
resolver to lookup the challenge.
Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
This reverts commit fb6d63f3fd.
I really hope this finally fixes#99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011
Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
Please note that this is only for 21.03 since `nextcloud19` is intended
to be the default for the already feature-frozen 20.09 (the bump itself
is supposed to get backported however).
This should hopefully solve races with DNS servers (such as unbound)
during the activation of a new generation. Previously unbound could
still be unavailable and thus the acme script would fail.
The only nix version available in the installer should be the version
configure in the module system. If someone needs `nixUnstable` in their
`nixos-install` they should probably set the module option and not just
add it to the closure.
9544c6078e / #96672 removed the samba option
`syncPasswordsByPam`.
Need to remove this option from the pam module, otherwise it will cause build errors
- Fix wrong order in which font indexes are created
mkfontdir requires the file fonts.scale to consider scalable fonts,
thus, mkfontscale should be run before
- Search more font formats, in particular, bit-mapped formats
This option is not documented anywhere and while it may be set
in configuration.nix to enable integration, having it on by
default when using both plasma and firefox is a great convenience;
just like all other desktop environments do it already.
services.networking.firewall might have existed during import of this
module in 2016, but it is unknown as of today.
Point to the proper boolean knob to avoid confusion.
Conform to RFC 1123 [0], specifically to "2.1 Host Names and Numbers",
which allow starting host name with alphanumerical instead of alphabetical characters.
RFC 1123 updates RFC 952 [1], which is referenced in "man 5 hosts".
[0]: https://tools.ietf.org/html/rfc1123
[1]: https://tools.ietf.org/html/rfc952
The `package`-option is always useful if modifying a package in an
overlay would mean that a lot of other packages need to be rebuilt as
well.
In case of `sudo` this is actually the case: when having an override for
it (e.g. for `withInsults = true;`), you'd have to rebuild e.g. `zfs`
and `grub` although that's not strictly needed.
systemd.exec(5) on DynamicUser:
> If a statically allocated user or group of the configured name
> already exists, it is used and no dynamic user/group is allocated.
Using DynamicUser while still setting a group name can be
useful for granting access to resources that can otherwise only be
accessed with entirely static IDs.
The /run/wrapper directory is a tmpfs. Unfortunately, it's mounted with
its root directory has the standard (for tmpfs) mode: 1777 (world writeable,
sticky -- the standard mode of shared temporary directories). This means that
every user can create new files and subdirectories there, but can't
move/delete/rename files that belong to other users.
* programs.neovim: init
Allows to build a proper runtime folder with after/ ftplugin/ parser/ subfolders etc.
(neo)vim expects a few different folders, for instance to load
treesitter parsers.
This PR reuses the builder from the etc module, notwithstanding the
different modes/uid/gid.
This allows to get rid of some autocmd in customRC (via proper use of
the folder hierarchy) which is a win in my opinion.
Both packages will get EOLed within the lifetime of 20.09. `nextcloud17`
can be removed entirely (the attribute-path is kept however to provide
meaningful errors), however `nextcloud18` must be kept as `insecure` to
make sure that users from `nextcloud17` can properly upgrade to
`nextcloud19` on NixOS 20.09.
Turns out, `dd_url` should only be used in proxy scenarios, not to point
datadog to their EU endpoint - `site` should be used for that.
The `dd_url` setting doesn't affect APM, Logs or Live Process intake
which have their own "*_dd_url" settings.
The postfix exporter needs to access postfix's `queue/public/` directory
to read the `showq` socket inside. Instead of making the public
directory world accessible, this sets the postfix exporter's group to
`postdrop` by default, when the postfix service is enabled.
- This is fetched from a different URL, so allow passing that explicitly.
- There also isn't an nvidia-persistenced or nvidia-settings release for
this version, so use 450.57 instead. Also implement passing
persistenced and settings version explicitly.
Co-authored-by: Dmitry Kalinkin <dmitry.kalinkin@gmail.com>
Nick Hu
Andreas Rammhold
rnhmjoj
Jörg Thalheim
Aneesh Agrawal
Jörg Thalheim
Klemens Nanni
Ivan Tham
WORLDofPEACE
Maximilian Bosch
Benjamin Hipple
Felix Tenley
Vladimír Čunát
Gabriel Ebner
Aaron Andersen
Robert Helgesson
Jan Tojnar
Piotr Bogdan
Doron Behar
WilliButz
Nathaniel Glen
Alexandre Macabies
Flakebi
Anton Plotnikov
Joe Edmonds
Lucas Savva
Eelco Dolstra
symphorien
Izorkin
Martin Weinelt
Justin Lovinger
Masanori Ogino
Florian Klink
Kevin Cox
Minijackson
midchildan
Joseph D. Long
Marc 'risson' Schmitt
V
Jonathan Ringer
Edmund Wu
Martin Weinelt
Michael Weiss
Mario Rodas
Antonio Yang
tnias
Dustin Frisch
ajs124
Janne Heß
Alvar
David Reiss
Frederik Rietdijk
Dominique Martinet
Malte Brandy
Frederik Rietdijk
Lassulus
Michele Guerini Rocco
Dominik Xaver Hörl
Bernardo Meurer
Ben Wolsieffer
Simon Pettersson
Ryan Mulligan
Michael Weiss
zowoq
Miles Breslin
Timo Kaufmann
Linus Heckemann
Antoine R. Dumont (@ardumont)
Edward Tjörnhammar
markuskowa
Silvan Mosberger
elseym
Jeroen Simonetti
Robert Hensing
Jack Kelly
adisbladis
Léo Gaspard
Tim Steinbach
Emilio Perez
Augustin Borsu
Cole Helbling
Jonas Meurer
Anderson Torres
Konrad Borowski
Matt Votava
0x4A6F
Sumner Evans
Emery Hemingway
Matthieu Coudron
Joachim F
Michael Raskin
TredwellGit
Graham Christensen
WilliButz
Robin Gloster
Joe Hermaszewski
Sascha Grunert