Generating the file was refactored to be completely in nix.
Functionally it should create the same content as before,
only adding the newlines.
CC recent updaters: @aszlig, @rickynils.
This reverts commit 766207ca1d52db37df5ca17b9bd3bd21a03dfafd.
We need to solve the problem with `environment.profileRelativeEnvVars`.
The best workaround is to make profileRelativeEnvVars prepend paths.
This patch fixes the AppArmor profile path clause and adds
(currently ignored) network rules.
The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy,
but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink
to bin), which permitted the service to run unconfined.
Adding the network rules has no effect other than improving correctness,
as the version of AppArmor in the NixOS kernel fails to enforce network
rules.
postfix 2.11 is much more humane with respect to disk writes since it uses
sockets (which do not change inodes on accesses) instead of fifos (which do).
Added configurations to `bumblebee` package to easy multiple monitors on Optimus
machines.
The behaviour of the default `bumblebee` package hasn't change, so this change
is backwards compatible. Users who want to connect a monitor to their discrete
card should use the package `bumblebee_display` instead.
Also added new configuration option to nixos bumblebee module:
```
hardware.bumblebee.connectDisplay = true
```
will enable the new configuration, but the default is still false.
During install, the bootloader script gets run inside a chroot after the
/etc/group bind-mount is unmounted. Since we're not doing any building,
this should be safe, but really nix should just not care if the group
does not exist when no build is needed.
Fixes#5494
Since the 4.2.8 upgrade, ntpd is broken on NixOS:
Dec 28 19:06:54 hagbard ntpd[27723]: giving up resolving host 1.nixos.pool.ntp.org: Servname not supported for ai_socktype (-8)
This appears to be because DNS resolution doesn't work in chroots
anymore (due to /etc being missing). So disable chroots for now. It's
probably better to use systemd's containment facilities anyway.
