Let's encrypt bumped ACME to V2. We need to update our nixos test to
be compatible with this new protocol version.
We decided to drop the Boulder ACME server in favor of the more
integration test friendly Pebble.
- overriding cacert not necessary
- this avoids rebuilding lots of packages needlessly
- nixos/tests/acme: use pebble's ca for client tests
- pebble always generates its own ca which has to be fetched
TODO: write proper commit msg :)
From https://github.com/zsh-users/zsh-syntax-highlighting#faq:
"It must be sourced after all custom widgets have been created
(i.e., after all zle -N calls and after running compinit)."
zsh-syntax-highlighting must be sourced to the end.
Updating:
- nixos module to use the new `account_reg.json` file.
- use nixpkgs pebble for integration tests.
Co-authored-by: Florian Klink <flokli@flokli.de>
Replace certbot-embedded pebble
Just maching all network interfaces caused many breakages, see #18962
and #71106.
We already don't support the global networking.useDHCP,
networking.defaultGateway(6) options if networking.useNetworkd is
enabled, but direct users to configure the per-device
networking.interfaces.<name?>.… options.
This adds support for deploying to remote hosts without being root:
sudo nixos-rebuild --target-host non-root@host
Without this change, only root@host is able to deploy.
The idea is that if the local command is run with sudo, so should the
remote one, thus there is no need for adding any CLI options.
Slim is abandoned and won't work with wayland.
It's in our best interest to use the display-manager
that makes most sense for Plasma5, sddm.
We've already moved on from it being default in #30890
and the graphical.nix profile, which the virtualbox profile uses,
has sddm anyway.
Even though the release obviously already happened, I think it might
still make sense to add a short note about the attributes not being
supported any longer (and going forward).
(cherry picked from commit 7163d3a9df35904d0c9acc9f643fd70ee3108539)
(cherry picked from commit a64b8c3c191af1317cfdc1ea4f4e5f881c4cf503)
This option was removed because allowing (multiple) regular users to
override host entries affecting the whole system opens up a huge attack
vector. There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using networking.hosts,
provide them via the DNS server in your network, or use
networking.networkmanager.appendNameservers to point your system to
another (local) nameserver to set those entries.
This reverts commit 60aedadc59.
Using tests from #71212 I am now unable to reproduce there being issues
with starting the default metacity flashback session without this.
On start, unicorn, sidekiq and other parts running ruby code emits
quite a few warnings similar to
/var/gitlab/state/config/application.rb:202: warning: already initialized constant Gitlab::Application::LOOSE_EE_APP_ASSETS
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/config/application.rb:202: warning: previous definition of LOOSE_EE_APP_ASSETS was here
/var/gitlab/state/lib/gitlab.rb:38: warning: already initialized constant Gitlab::COM_URL
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/lib/gitlab.rb:38: warning: previous definition of COM_URL was here
This seems to be caused by the same ruby files being evaluated
multiple times due to the paths being different - sometimes they're
loaded using the direct path and sometimes through a symlink, due to
our split between config and package data. To fix this, we make sure
that the offending files in the state directory always reference the
store path, regardless of that being the real file or a symlink.
We create a wrapper which launches gnome-shell with the correct environment and
cap_sys_nice.
We can then override gnome-shell-wayland.service to use this wrapper.
NOTE: We need to force clear the environment, because the defaults aren't good
for user services. That should probably be fixed.
Otherwise connecting simply fails:
VPN connection: failed to connect: 'La création du fichier « /tmp/lib/NetworkManager-fortisslvpn/0507e3ef-f0e0-4153-af64-b3d9a025877c.config.XSB19Z » a échoué : No such file or directory'
This reverts commit 2ee14c34ed.
This caused the initializers directory to be cleaned out while gitlab
was running in some instances. We clean out the directory on the
preStart stage already, so ensuring existance and permissions should
suffice.
This fixes an issue with a recent addition of a config file
check in c28ded36ef.
Previously it was possible to supply a path as a string
to `configFile`. Now it will fail checking the config file
during evaluation of the module due to sandboxing.
A toggle to disable the check, more informative log messages
and handling for various configFile values are added.
This solves the dependency cycle in gcr alternatively so there won't be
two gnupg store paths in a standard NixOS system which has udisks2 enabled
by default.
NixOS users are expected to use the gpg-agent user service to pull in the
appropriate pinentry flavour or install it on their systemPackages and set
it in their local gnupg agent config instead.
Co-authored-by: Florian Klink <flokli@flokli.de>
This solves the dependency cycle in gcr alternatively so there won't be
two gnupg store paths in a standard NixOS system which has udisks2 enabled
by default.
NixOS users are expected to use the gpg-agent user service to pull in the
appropriate pinentry flavour or install it on their systemPackages and set
it in their local gnupg agent config instead.
Co-authored-by: Florian Klink <flokli@flokli.de>
This session would fail to start because we didn't have it in systemd.packages
(as we've switched to systemd gnome-session).
Haven't tested custom sessions.
This fixes user environment setup for sessions which doesn't successfully go
through a shell init.
Note we don't go through `sessionVariables` as we want the wrappers to have
highest priority. It would also cause wrapperDir to occur twice when in shell
sessions, as shells use `sessionVariables` too while prepending wrapperDir in a
custom snippet.
In particular logging in and out of gnome-shell could result in a broken path
without this fix.
Bumps `matrix-synapse` to version 1.4.0[1]. With this version the
following changes in the matrix-synapse module were needed:
* Removed `trusted_third_party_id_servers`: option is marked as deprecated
and ignored by matrix-synapse[2].
* Added `account_threepid_delegates` options as replacement for 3rdparty
server features[3].
* Added `redaction_retention_period` option to configure how long
redacted options should be kept in the database.
* Added `ma27` as maintainer for `matrix-synapse`.
Co-Authored-By: Notkea <pacien@users.noreply.github.com>
Co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
[1] https://matrix.org/blog/2019/10/03/synapse-1-4-0-released
[2] https://github.com/matrix-org/synapse/pull/5875
[3] https://github.com/matrix-org/synapse/pull/5876
If you want to be able to use OpenSC with ssh-agent, you need to be able
to add it to the ssh-agent whitelist. This adds an option,
agentPKCS11Whitelist, that exposes the option.
Note that I currently work around this by injecting the parameter into
the agentTimeout option:
programs.ssh.agentTimeout = "1h -P ${pkgs.opensc}/lib/opensc-pkcs11.so";
but I feel that a proper option would be better :)
This fixes a regression from bb649d96b0.
There were permission problems, when the preStart script tried to copy
the smokeping.fcgi file over the old file.
When having backup jobs that persist to a removable device like an
external HDD, the directory shouldn't be created by an activation script
as this might confuse auto-mounting tools such as udiskie(8).
In this case the job will simply fail, with the former approach
udiskie ran into some issues as the path `/run/media/ma27/backup` was
already there and owned by root.
GDM now specifies ordering between `plymouth-quit` and `display-manager`:
9be5321097
This causes an ordering cycle between GDM and plymouth-quit which can result in
systemd breaking GDM:
```
plymouth-quit.service: Job display-manager.service/start deleted to break
ordering cycle starting with plymouth-quit.service/start
```
Not sure how often this triggers, as I've run my system with plymouth and
9be5321097 without any issues. But I did catch a VM doing this.
NOTE: I also tried to remove the ordering in GDM to see if plymouth managed to
live longer, but it didn't seem to help. So I opted to stick as close to
upstream (upstream GDM specifies ordering, but plymouth does not).
This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This
is a preventative measure against running out of dynamically allocated
ids for NixOS services with isSystemUser, which should become the
preferred way of allocating uids for non-real users.
We had these set so gtk2 can discover themes properly, however we failed
realize that gtk2 already has a patch that makes it search in XDG_DATA_DIRS.
I don't believe any issue is solved by setting these.
This option was added by mistake since `listenAddress` exists by default
for each prometheus-exporter. Using
`services.prometheus.exporters.wireguard.addr` will now cause a warning,
but doesn't break eval.
Having `display-manager` conflict with `plymouth-quit` causes this lock up:
- `plymouth-quit-wait` starts up, waiting for plymouth-quit to run
- `lightdm` starts up
- `plymouth-quit` can't start, it conflicts with lightdm
- `plymouth-quit-wait` keeps waiting on plymouth-quit to kill plymouthd
The idea is having LightDM control when plymouth quits, but communication with
plymouth was broken: https://github.com/NixOS/nixpkgs/pull/71064
Unfortunately having the conflict breaks switching to configurations with
plymouth enabled. So we still need to remove the conflict.
fixes#71034
The rationale for this is that old filesystems have recieved little scrutiny
wrt. security relevant bugs.
Lifted from OpenSUSE[1].
[1]: 8cb42fb665
Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com>
Default getfacl behavior is to remove leading slash on absolute
paths in its header printed to stdout.
Before the header it will also print a message about it...
Switches -p -or --absolute-names can turn this off
and remove some noise from our tests logs.
In fact, don't create them at all because Nix does that automatically.
Also remove modules/programs/shell.nix because everything it did is
now done automatically by Nix.
gitlab:db:configure prints the root user's password to stdout on
successful setup, which means it will be logged to the
journal. Silence this informational output. Errors are printed to
stderr and will thus still be let through.
The mime type definitions included with nginx are very incomplete, so
we use a list of mime types from the mailcap package, which is also
used by most other Linux distributions by default.
The networking.virtual test does not work with networkd yet, for
multiple reasons:
- network-online.target is not reached, because tun0 and tap0 are
considered as required for online but _not_ brought up or assigned
the configured addresses
- the commands later in the test rely on some units from the scripted
network setup
cc @fpletz networkd exper
cc @globin we looked at this together
I have `users.defaultUserShell = pkgs.fish;` set on my server and when I ran `nixos-rebuild switch --target-host …`, the command failed with the following error:
fish: Unsupported use of '='. To run 'nix-store' with a modified environment, please use 'env PATH=… nix-store…'
That is because fish requires env to set environment variables for a program. It should also work on other shells.
This reverts commit e9bf955fd6. We use
nixos-install to ensure that make-disk-image produces the same result
as a regular installation (9802da517f)
and to reduce code duplication. If there is something broken in
nixos-install, it should be fixed there.
xfce4-volumed-pulse is not abandoned, but is superseded by a panel
plugin which is not available when not using the desktop.
Fixes: volume up/down keys support
These improvements come from shopping around
at what other downstreams have done with their
systemd units and recent changes like [0] to gdm.
Note there's no requries or after on dbus.socket because
settings BusName will set this up automaticallly and
give it a type of dbus.
[0]: 2d57f45962
uinput needs to be added to boot.kernelModules in order for the udev
rules defined by steam to be run and set permissions correctly on
/dev/uinput.
See https://github.com/NixOS/nixpkgs/issues/70471.
List all modules that *may* be required depending on individual container
configurations; don't expect that further modules can be loaded after boot.
Fixes https://github.com/NixOS/nixpkgs/issues/38676
Openvswitch was upgraded to the latest
stable version (currenty 2.12.0). This remove ovs-monitor-ipsec
commands.
LTS version is still available using
`config.virtualisation.vswitch.package = pkgs.openvswitch-lts`
it has been upgraded to 2.5.6.
This commit is a split from the original PR #35127.
The initializers directory is populated with files from the gitlab
distribution on start, but old files will be left in the state folder
even if they're removed from the distribution, which can lead to
startup failures. Fix this by always purging the directory on start
before populating it.
Since the preStart script is no longer running in privileged mode, we
reassign the files in the state directory and its config subdirectory
to the user we're running as. This is done by splitting the preStart
script into a privileged and an unprivileged part where the privileged
part does the reassignment.
Also, delete the database.yml symlink if it exists, since we want to
create a real file in its place.
Fixes#68696.
This introduces an option wifi.backend to the networkmanager module.
Co-authored-by: Cole Mickens <cole.mickens@gmail.com>
Co-authored-by: worldofpeace <worldofpeace@protonmail.ch>
GNOME initial setup's run is conditioned on whether
the gnome-initial-setup-done file exists in XDG_CONFIG_HOME
Because of this, every existing user will have initial setup
running because they never ran it before.
To prevent this we create the file if the users stateVersion
is older than 20.03 (the release we added this module).
Also drop uneeded manual conflicts as systemd.packages
does handle this.
We were only replacing them in the profiles. We also need to do this in
the values of variables, including both the session-relative variables
and the non-session-relative variables.
- register gnome-session and gnome-settings-daemon services.
- gnome-shell is already registered due to having a xdg portal
- manually specify that gsd is wanted by gnome-session
(systemd.packages doesn't pick the .wants directories for some reason)
GDM is now killed if tty1 is started after gdm is launched. This follows
upstream's gdm service config.
This might cause problems with nixos-rebuild switch though. See the reasoning
and work that led to not following upstream on this:
https://github.com/NixOS/nixpkgs/issues/214394a180dac46d4da
We don't want to ignore config that can mess up machines. In general
this should always fail evaluation, as you think you are changing
behaviour and don't, which can easily create run-time errors we can
catch early.
The test has recently been failing due to the IPv6 address
on the server still being in the tentative state, when the
client sends its first request. The server will not start
using the IPv6 address until DAD has completed.
Scripted networking seems not to wait for DAD completion
before completing network-online.target, so let's switch
to networkd instead, which does.
https://github.com/MindFlavor/prometheus_wireguard_exporter/releases/tag/3.1.1
This release adds a flag `-l` which takes an address where the exporter
is available. The default is `0.0.0.0` (previously, `0.0.0.0` was used
by default).
Please note that there are no dependency changes in Cargo and therefore
the cargo hash didn't change.
Since version 2.3 (https://github.com/NixOS/nix/pull/2949 which was
cherry-picked to master) Nix issues a warning when --no-net wasn't
passed and there is no network interface. This commit adds the --no-net
flag to the nix.conf check such that no warning is issued.
This commits makes it clearer to a novice reader how to configure several
diferent types of SSID connections that were otherwise obscurely documented
Resolves#66650
Quoting from the splitString docstring:
NOTE: this function is not performant and should never be used.
This replaces trivial uses of splitString for splitting version
strings with the (potentially builtin) splitVersion.
Fixes eval on darwin after #69072
Resolved conflict in pkgs/tools/security/thc-hydra/default.nix
Basically had to revert a1c0e10564 which
adapts #69210 to master that doesn't yet have
329a88efa7
Tested using maintainers/scripts/eval-release.sh before and after to see
that the fix works
This commit adds a Strict-Transport-Security header to
the nginx config file generated by the nextcloud module.
The Strict-Transport-Security header is recommended in
official guide for hardening Nextcloud installations:
https://docs.nextcloud.com/server/16/admin_manual/installation/harden_server.html
Further, if it is not set, we see a warning in the security scan results
in the Nextcloud admin panel:
```
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips
```
Images generated with nixos-install will be supported by machinectl
problem is that systemd-nspawn's private usersns feature clashes
with DynamicUser and RuntimeDirectory features, which causes NixOS
images to not boot. There is an upstream issue for this
https://github.com/systemd/systemd/issues/13622
Make sure that we don't create a database if we're not going to
connect to it. Also, fix the assertion that usernames be equal to only
trig when peer authentication is used (databaseHost == "").
config.services.postgresql.package is only defined when the postgresql
service is activated, which means we fail to evaluate when
databaseCreateLocally == false. Fix this by using the default
postgresql package when the postgresql service is disabled.
This sets networking.useDHCP to false and for all interfaces found the
per-interface useDHCP to true. This replicates the current default
behaviour and prepares for the switch to networkd.
The state path now, since the transition from initialization in
preStart to using systemd-tmpfiles, has the following restriction: no
parent directory can be owned by any other user than root or the user
specified in services.gitlab.user. This is a potentially breaking
change and the cause of the error isn't immediately obvious, so
document it both in the release notes and statePath description.
In #68792 it was discovered that /dev/fuse doesn't have
wordl-read-writeable permissions anymore. The cause of this is that the
tmpfiles examples in systemd were reorganized and split into more files.
We thus lost some of the configuration we were depending on.
In this commit some of the new tmpfiles configuration that are
applicable to us are added which also makes wtmp/lastlog in the pam
module not necessary anymore.
Rationale for the new tmpfile configs:
- `journal-nowcow.conf`: Contains chattr +C for journald logs which
makes sense on copy-on-write filesystems like Btrfs. Other filesystems
shouldn't do anything funny when that flag is set.
- `static-nodes-permissions.conf`: Contains some permission overrides
for some device nodes like audio, loop, tun, fuse and kvm.
- `systemd-nspawn.conf`: Makes sure `/var/lib/machines` exists and old
snapshots are properly removed.
- `systemd-tmp.conf`: Removes systemd services related private tmp
folders and temporary coredump files.
- `var.conf`: Creates some useful directories in `/var` which we would
create anyway at some point. Also includes
`/var/log/{wtmp,btmp,lastlog}`.
Fixes#68792.
These are the leftovers of an older PR.
a. Send messages to auditd if auditing is enabled.
b. Add missing dbus configuration if dnsmasq is used for DNS
Even a simple typo fix can result in a reflow of a whole paragraph, leading to illegible diffs. The majority of text editors supports wrapping the source code to a comfortable width so it makes sense to me to sacrifice the few that do not rather than the unfortunately line-oriented diff tools.
... otherwise enabling it causes a merge conflict.
Enabling it was necessary to give enough entropy for the sshd daemon in
my libvirt/nixops VM to generate keys see
https://github.com/NixOS/nixops/issues/1199.
The new systemd in 19.09 gives an "Access Denied" error when doing
"systemctl daemon-reexec" on an 19.03 system. The fix is to use the
previous systemctl to signal the daemon to re-exec itself. This
ensures that users don't have to reboot when upgrading from NixOS
19.03 to 19.09.
Fixes problems such as:
systemd[1]: Failed to put bus name to hashmap: File exists
systemd[1]: dbus-org.freedesktop.nm-dispatcher.service: Two services allocated for the same bus name org.freedesktop.nm_dispatcher, refusing operation.
Problem is that systemd treats symlinks to files outside the service
path differently, causing our old workaround to look like two separate services.
These symlinks are intended to be a means for manually emulating
the behavior of the `Alias=` directive in these services.
Unfortunately even making these symlinks relative isn't enough,
since they don't make it to where it matters--
that only makes the links in /etc/static/systemd/system/*
relative, with systemd still being shown non-relative links
in /etc/systemd/system/*.
To fix this, drop all of this at the package level
and instead simply specify the aliases in the NixOS modules.
Also handle the same for modemmanager,
since the networkmanager NixOS module also handles that.
During the last update, `hydra-notify` was rewritten as a daemon which
listens to postgresql notifications for each build[1]. The module
uses the `hydra-notify.service` unit from upstream's Hydra module and
the VM test ensures that email notifications are sent properly.
Also updated `hydra-init.service` to install `pg_trgm` on a local
database if needed[2].
[1] c7861b85c4
[2] 8a0a5ec3a3
We ship `https://cache.nixos.org` as binary cache by default which
automatically substitutes the test derivation used inside the Hydra
test. However it needs to be built locally to confirm that
`hydra-queue-runner` works properly.
Also inherited the platform name for the test derivation from `system`
to ensure that the build can be tested on each supported platform.
ZHF #68361
Fixes problems such as:
systemd[1]: Failed to put bus name to hashmap: File exists
systemd[1]: dbus-org.freedesktop.nm-dispatcher.service: Two services allocated for the same bus name org.freedesktop.nm_dispatcher, refusing operation.
Problem is that systemd treats symlinks to files outside the service
path differently, causing our old workaround to look like two separate services.
These symlinks are intended to be a means for manually emulating
the behavior of the `Alias=` directive in these services.
Unfortunately even making these symlinks relative isn't enough,
since they don't make it to where it matters--
that only makes the links in /etc/static/systemd/system/*
relative, with systemd still being shown non-relative links
in /etc/systemd/system/*.
To fix this, drop all of this at the package level
and instead simply specify the aliases in the NixOS modules.
Also handle the same for modemmanager,
since the networkmanager NixOS module also handles that.
IE6 is long gone and this directive is not useful anymore. We can
spare a few CPU cycles (and maybe skip some bugs) by not trying to
disable gzip for MSIE6.
This option was added in 6336048c58 but it
is essentially a complete duplicate of the existing cfg.servers and
there seems to be no reason to keep maintaining it.
Furthermore, it requires annoying duplication if you try to do option
merging, e.g. merging in sets into your configuration.nix that add
`services.chrony.initstepslew` options will overwrite the servers option
unless you keep it, but that means you just have to duplicate
config.networking.timeServers again anyway which is an implementation
detail!
Signed-off-by: Austin Seipp <aseipp@pobox.com>
'iburst' allows chrony to make very quick adjustments to the clock by
doing a couple rapid measurements outside of the default 'minpoll'
option. This helps improve rapid time adjustment at boot, and is enabled
by default.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This is reckless, ill-advised, pointless, and I will be scorned for it,
but it makes me feel a lot better.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
When mailman-web restarts, it removes the generated "static" directory. This
breaks a currently running httpd process, which needs a re-start, too, to
obtain a new handle for the newly generated path.
It turned out that /dev/snd/* always exists even if there are no sound
drivers loaded at all. Loading `snd` and `snd_timer` fixes that
situation. It is probably fair to assume someone that wants to use sound
also enables that in the NixOS configuration.
With systemd version 243 network units with empty match block will
generate warnigs. The reasoning seems to be that the intended behaviour
is hard to infere. Being explicit about really meaning any interface is
the reasonable thing here.
We want to get rid of this mechanism in the long run but as long as we
do not have a replacement we should stick with it and keep it in
reasonable good shape.
Rules are a translation of what's done in the
GDM module and adjustments based of looking at
Arch Linux's configuration and upstream's.
A side effect of this change is that gnome-keyring
and kwallet modules should work as expected when in-
cluded.
Fixes#64259#62045
Adds the ability to make any parameter specified in extraConfig secret
by defining it an attrset containing the attr _secret, which in turn
is a path to a file containing the actual secret.
Introduce new functions which allows modules to define options where,
if the input is an attrset and the output is JSON, the user can define
arbitrary secrets.
Use the postgresql module to provision a local db (if
databaseCreateLocally is true) instead of doing this locally.
Switch to using the local unix socket for db connections by default;
this is needed since dbs created by the postgresql module only support
peer authentication.
Instead of running the rake tasks db:schema:load, db:migrate and
db:seed_fu, run gitlab:db:configure, which in turn runs these tasks
when needed.
Solves issue #53852 for gitlab.
Add support for storing secrets in files outside the nix store, since
files in the nix store are world-readable and secrets therefore can't
be stored safely there.
The old string options are kept, since they can potentially be handy
for testing purposes, but their descriptions now state that they
shouldn't be used in production. The manual section is updated to use
the file options rather than the string options and the tests now test
both.
This fixes the warning being emitted by nixos-rebuild switch:
building Nix...
building the system configuration...
trace: warning: types.string is deprecated because it quietly concatenates strings
It started emitting a warning in #66346.
This plugin is fairly outdated and depends on python2 libraries that
don't receive any updates either (xmpppy for instance[1]).
[1] https://pypi.org/project/xmpppy/
Always enable the UART because the VirtualBug bug that required running without the UART was fixed in 6.0.10. Stop using an old kernel version because the tests work with the default kernel.
(cherry picked from commit ae93571e8d04cebd69491a789d902d6481e05d3f)
In c814d72b51, a bunch of packages were
changed to use the pname attribute, among them were the quake3-demodata
and quake3-pointrelease which we use for the quake3 test.
Fortunately, having pname available means that we no longer need to
match using a prefix, so fixing this eval error also simplifies our
matching.
I directly pushed this to master because the change is non-controversial
and we can't break things that are already broken :-)
Signed-off-by: aszlig <aszlig@nix.build>
* remove kinetic
* release note
* add johanot as maintainer
nixos/ceph: create option for mgr_module_path
- since the upstream default is no longer correct in v14
* fix module, default location for libexec has changed
* ceph: fix test
* maintain only one version
* ceph-client: init
* include ceph-volume python tool in output
nixos/ceph: extraConfig, fix test, wait for ceph-mgr to become active
* run ceph with disk group permission
* add extraConfig option for the global section
needed per cluster
* clear up how ceph.conf is generated
* fix ceph testcase
Since we moved gsettings-desktop-schemas to top-level, gnome3.glib-networking was the same as glib-networking.
We could try to make the top-level variant not depend on gsettings-desktop-schemas again but that is probably
pointless, as the dependency is rather small compared to things like libproxy. Instead, we will just drop
the package in gnome3 attr set and always rely on the top-level expression.
Since https://github.com/NixOS/nixpkgs/pull/61321, local-fs.target is
part of sysinit.target again, meaning units without
DefaultDependencies=no will automatically depend on it, and the manual
set dependencies can be dropped.
The redis module currently fails to start up, most likely due to running
a chown as non-root in preStart.
While at it, I hardcoded it to use systemd's StateDirectory and
DynamicUser to manage directory permissions, removed the unused
appendOnlyFilename option, and the pidFile option.
We properly tell redis now it's daemonized, and it'll use notify support
to signal readiness.
In fontconfig’s 60-generic.conf, order of preference is estabilished for emoji
font family. Because fontconfig parses the config files in lexicographic order,
appending each <prefer> from <alias> element to the family’s prefer list
(to be prepended before the family) [1], our font family defaults stored
in 52-nixos-default-fonts.conf will take precedence. That is, of course, unless
the default „weak“ binding [2] is used. Emoji family binds strongly [3],
so we need to set binding to “same” for our <alias>es to be considered before
the ones from 60-generic.conf.
By default, we will set the option to all emoji fonts supported by fontconfig,
so that emoji works for user if they have at least one emoji font installed.
If they have multiple emoji fonts installed, we will use the fontconfig’s
order of preference [4].
[1]: https://github.com/bohoomil/fontconfig-ultimate/issues/51#issuecomment-64678322
[2]: https://www.freedesktop.org/software/fontconfig/fontconfig-user.html#AEN25
[3]: cc8442dec8
[4]: c41c922018
With local-fs.target part of sysinit.target
(https://github.com/NixOS/nixpkgs/pull/61321), we don't need to add it
explicitly to certain units anymore, and can change dependencies like
they are in other distros (I picked from Google's official CentOS 7
image here).
Like them, use StandardOutput=journal+console to pipe google-*.service
output to the serial console as well.
It turns out that checking for the last mount time of an ext4 file
system isn't a very reliable way to check whether the file system was
properly unmounted.
When creating that test in the first place (88530e02b6),
I was reluctant to inspect the file system when the VM is down and was
searching for a way to check for a clean unmount *after* the file system
was mounted again to make sure we don't need to create a 512 MB raw
image on the host.
Fortunately however, when converting from qcow2, qemu-img actually
writes a sparse file, so for most file systems (that is, file systems
supporting sparse files) this shouldn't waste a lot of disk space.
So when investigating the flakiness, I found that whenever the test is
failing, the unmount of /test-x-initrd-mount was done *before* the final
step during which systemd remounts+unmounts all the remaining file
systems.
I haven't investigated why this is the case, but the test is a
regression test for https://github.com/NixOS/nixpkgs/issues/35268, which
actually didn't unmount the file system *at* *all*, so really all we
need to take care here is whether the unmount has happened and not
*how*.
To make sure that checking the filesystem state is enough for this, I
temporarily replaced the $machine->shutdown call with $machine->crash
and verified that the file system state is "not clean".
Signed-off-by: aszlig <aszlig@nix.build>
Fixes: https://github.com/NixOS/nixpkgs/issues/67555
Adds:
- gnome-color-manager
- services.avahi
It appears that GeoClue requires its daemon and IIRC has
been default enabled in other distros for a while.
- orca
It's the default screen-reader.
It currently lacks an emoji font-family which means it has to be
disabled for them to function [0]. Additionally it's fallen out of
necessity to ship custom font rendering settings (as far as I'm aware
of).
[0]: https://github.com/NixOS/nixpkgs/pull/67215
Any system uid will do, so we let the system allocate
one for us. The 'mailman' group is gone entirely since
we don't need it. Users who wish to run the 'mailman'
administration utility can do so via 'sudo':
$ sudo -u mailman mailman info
Also, simplify the syntax of our user.users entry to
rely on an attribute set rather than a list.
That's one of my itches - when I'm sshing from Emacs' term to a NixOS
machine, it doesn't detect that I'm running emacs and showing a title
escape sequence. This commit fixes it, checking against $TERM to
prevent this from ever bothering anyone again.
* nixos/acme: Fix ordering of cert requests
When subsequent certificates would be added, they would
not wake up nginx correctly due to target units only being triggered
once. We now added more fine-grained systemd dependencies to make sure
nginx always is aware of new certificates and doesn't restart too early
resulting in a crash.
Furthermore, the acme module has been refactored. Mostly to get
rid of the deprecated PermissionStartOnly systemd options which were
deprecated. Below is a summary of changes made.
* Use SERVICE_RESULT to determine status
This was added in systemd v232. we don't have to keep track
of the EXITCODE ourselves anymore.
* Add regression test for requesting mutliple domains
* Deprecate 'directory' option
We now use systemd's StateDirectory option to manage
create and permissions of the acme state directory.
* The webroot is created using a systemd.tmpfiles.rules rule
instead of the preStart script.
* Depend on certs directly
By getting rid of the target units, we make sure ordering
is correct in the case that you add new certs after already
having deployed some.
Reason it broke before: acme-certificates.target would
be in active state, and if you then add a new cert, it
would still be active and hence nginx would restart
without even requesting a new cert. Not good! We
make the dependencies more fine-grained now. this should fix that
* Remove activationDelay option
It complicated the code a lot, and is rather arbitrary. What if
your activation script takes more than activationDelay seconds?
Instead, one should use systemd dependencies to make sure some
action happens before setting the certificate live.
e.g. If you want to wait until your cert is published in DNS DANE /
TLSA, you could create a unit that blocks until it appears in DNS:
```
RequiredBy=acme-${cert}.service
After=acme-${cert}.service
ExecStart=publish-wait-for-dns-script
```
The custom session script is always executed (when it exists). This change
passes the selected session script and select session name to the custom session
script, so that it can defer to the selected session script based on the value
of the selected session name.
The `keys.target` is used to indicate whether all NixOps keys were
successfully uploaded on an unattended reboot. However this can cause
startup issues e.g. with NixOS containers (see #67265) and can block
boots even though this might not be needed (e.g. with a dovecot2
instance running that doesn't need any of the NixOps keys).
As described in the NixOps manual[1], dependencies to keys should be
defined like this now:
``` nix
{
systemd.services.myservice = {
after = [ "secret-key.service" ];
wants = [ "secret-key.service" ];
};
}
```
However I'd leave the issue open until it's discussed whether or not to
keep `keys.target` in `nixpkgs`.
[1] https://nixos.org/nixops/manual/#idm140737322342384
Janne Heß
Maximilian Bosch
Tom Fitzhenry
Jörg Thalheim
Will Dietz
Johan Thomsen
Florian Klink
Frederik Rietdijk
Eelco Dolstra
Félix Baylac-Jacqué
Drew
Ricardo M. Correia
Silva Alejandro Ismael
Bjørn Forsman
Matthias Beyer
Aaron Andersen
worldofpeace
Malte Brandy
Tor Hedin Brønner
Franz Pletz
edef
SRGOM
Vladimír Čunát
Dima
Elis Hirwing
Jan Tojnar
ft
Astro
talyz
Symphorien Gibol
Chuck
WilliButz
David Anderson
Victor SENE
Arian van Putten
Philip Potter
Justin Humm
Jörg Thalheim
Silvan Mosberger
Izorkin
Jonathan Ringer
WilliButz
Joachim F
Mario Rodas
Martin Weinelt
c0bw3b
Olgierd "Allgreed" Kasprowicz
wodim
Robin Gloster
Christoph Hrdinka
Milan Pässler
Michael Fellinger
Konrad Borowski
Haemin Yoo
José Romildo Malaquias
Andreas Rammhold
Fabian Möller
Michał Krzysztof Feiler
Linus Heckemann
Thomas Tuegel
Maximilian Güntner
Samuel Leathers
Mathieu A.-Tetreault
markuskowa
geistesk
Matthieu Coudron
Joachim Fasting
(cdep)illabout
Albert Safin
Bas van Dijk
elseym
lassulus
Victor Nawothnig
Netix (Espinet François)
Okinan
Nikolay Amiantov
worldofpeace
Elias Probst
Trolli Schmittlauch
Silvan Mosberger
Peter Simons
yvt
Tim Steinbach
Frank Doepper
Michael Peyton Jones
Calvin Kim
AmineChikhaoui
Christian Kögler
Samuel Dionne-Riel
Svein Ove Aas
Craige McWhirter
Peter Hoeg
Dmitry Kalinkin
Daniel KT
Marek Mahut
Evils-Devils
Evils
Roman Volosatovs
Notkea
volth
Minijackson
Martin Milata
danbst
Sascha Grunert
Jos van Bakel
Matthew Bauer
Alex Rice
Robert Helgesson
Alex Whitt
Antoine R. Dumont (@ardumont)
Thomas Kerber
Léo Gaspard
Tom Hall
Mikhail Klementev
obadz
schneefux
Christian Kögler
Vincent Bernat
Austin Seipp
Averell Dalton
Alyssa Ross
Sander van der Burg
adisbladis
Michael Bishop
toonn
Frederik Rietdijk
Sarah Brofeldt
rnhmjoj
Ivan Kozik
Domen Kožar
Ambroz Bizjak
aszlig
Katharina Fey
Andrew Childs
Kristoffer
Christian Kampka
Ben Wolsieffer
William Casarin
Florian Jacob
Marti Serra
Evan Stoll
Eric Wolf
Vika
Arian van Putten
Jaka Hudoklin
Pascal Bach
Danielle Lancashire
Hugo Geoffroy
davidak