The commit enforces buildPackages in the builder but neglects
the fact that the builder is intended to run on the target system.
Because of that, the builder will fail when remotely building a
configuration eg. with nixops or nix-copy-closure.
This reverts commit a6ac6d00f98c7cc814008c1e6e288feaa2e123c6.
Following changes in https://github.com/NixOS/nixpkgs/pull/91092 the `path` attribute is now a list
instead of being a string. This resulted resulted in the following evaluation error:
"cannot coerce a list to a string, at [...]/nixos/modules/services/networking/openvpn.nix:16:18"
so we now need to convert it to the right type ourselves.
Closes https://github.com/NixOS/nixpkgs/issues/97360.
This fixes the case when Jack Audio Daemon is running
as a service via `services.jack.jackd` and Pulseaudio
running as a *user* service.
Two issues prevented connecting `pulse` with `jackd`:
* Missing `JACK_PROMISCUOUS_SERVER` environment variable for `pulse` user service,
resulting in `pulse` trying to access `jackd` as if it was running as part of
the users session.
* `jackd` not being able to access socket created by `pulse` due to socket
created using user ID and `users` group. Change allows `jackd` to access
the socket created by `pulse` correctly.
`pulse` now also autoloads `module-jack-sink` and `module-jack-source`
if `services.jack.jackd.enable` is set.
The default `pulse` package is now set to `pulseaudioFull` automatically
if `services.jack.jackd.enable` is set.
Add the option `environmentFile` to allow passing secrets to the service
without adding them to the Nix store, while keeping the current
configuration via the existing environment file intact.
powerDownCommands is supposed to run before shutdown, but the current
implementation only runs before-sleep, thus not enabling wakeonlan on
devices when powering off even if the hardware supports it.
Taking into consideration the possibility of unexpected shutdown, it is
preferable to move the commands to powerUpCommands instead which is
executed at boot time as well as after resume - that should cover all
use cases for wakeonlan.
Fixes#91352
Right now the UX for installing NixOS on a headless system is very bad.
To enable sshd without physical steps users have to have either physical
access or need to be very knowledge-able to figure out how to modify the
installation image by hand to put an `sshd.service` symlink in the
right directory in /nix/store. This is in particular a problem on ARM
SBCs (single board computer) but also other hardware where network is
the only meaningful way to access the hardware.
This commit enables sshd by default. This does not give anyone access to
the NixOS installer since by default. There is no user with a non-empty
password or key. It makes it easy however to add ssh keys to the
installation image (usb stick, sd-card on arm boards) by simply mounting
it and adding a keys to `/root/.ssh/authorized_keys`.
Importantly this should not require nix/nixos on the machine that
prepare the installation device and even feasiable on non-linux systems
by using ext4 third party drivers.
Potential new threats: Since this enables sshd by default a
potential bug in openssh could lead to remote code execution. Openssh
has a very good track-record over the last 20 years, which makes it
far more likely that Linux itself would have a remote code execution
vulnerability. It is trusted by millions of servers on many operating
systems to be exposed to the internet by default.
Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
readd perl (used in shell scripts), rsync (needed for NixOps) and strace (common debugging tool)
they where previously removed in https://github.com/NixOS/nixpkgs/pull/91213
Co-authored-by: Timo Kaufmann <timokau@zoho.com>
Co-authored-by: 8573 <8573@users.noreply.github.com>
systemd-confinement's automatic package extraction does not work correctly
if ExecStarts ExecReload etc are lists.
Add an extra flatten to make things smooth.
Fixes#96840.
xss-lock needs XDG_SESSION_ID to respond to loginctl lock-session(s)
(and possibly other session operations such as idle hint management).
This change adds XDG_SESSION_ID to the list of imported environment
variables when starting systemctl.
Inspired by home-manager, add importVariables configuration.
Set session to XDG_SESSION_ID when running xss-lock as a service.
Co-authored-by: misuzu <bakalolka@gmail.com>
