The LUKS header can be on another device (e.g. a USB stick). In my case
it can take up to two seconds until the partition on my USB stick is
available (i.e. the decryption fails without this patch). This will also
remove some redundancy by providing the shell function `wait_target` and
slightly improve the output (one "." per second and a success/failure
indication after 10 seconds instead of always printing "ok").
Restarting them is useless since the filesystem is already
checked. Worse, restarting them causes the filesystem to be unmounted.
Also remove an override for systemd-rkill@.service which no longer
exists.
This reduces the time window during which IP addresses are gone during
switch-to-configuration. A complication is that with stopIfChanged =
true, preStop would try to delete the *new* IP addresses rather than
the old one (since the preStop script now runs after the switch to the
new configuration). So we now record the actually configured addresses
in /run/nixos/network/addresses/<interface>. This is more robust in
any case.
Issue https://github.com/NixOS/nixops/issues/640.
Unfortunately, somewhere between 16.09 and 17.03, paravirtualized
instances stopped working. They hang at the pv-grub prompt
("grubdom>"). I tried reverting to a 4.4 kernel, reverting kernel
compression from xz to bzip2 (even though pv-grub is supposed to
support xz), and reverting the only change to initrd generation
(5a8147479e). Nothing worked so I'm
giving up.
Docker socket is world writable. This means any user on the system is
able to invoke docker command. (Which is equal to having a root access
to the machine.)
This commit makes socket group-writable and owned by docker group.
Inspired by
https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went it.
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
This reverts commit 1a74eedd07. It
breaks NixOps, which expects that
rm -f /etc/ssh/ssh_host_ed25519_key*
systemctl restart sshd
cat /etc/ssh/ssh_host_ed25519_key.pub
works.
When a user or group is revived, this allows it to be allocated the
UID/GID it had before.
A consequence is that UIDs and GIDs are no longer reused.
Fixes#24010.
In order to use qt5ct (Qt5 Configuration Tool) to configure Qt5
settings (theme, font, icons, etc.) under DE/WM without Qt
integration, the environment variable QT_QPA_PLATFORMTHEME should be
set to "qt5ct".
It can be done automatically by this module, or by setting the
variable explicitly in the user or in the system configuration.
Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as
alternatives to apiKey and mysqlPassword, which still work, but are
deprecated with a warning message.
Related to #24288.
Having fixed the Google Compute Engine image build process's copying
of store paths in PR #24264, I ran `nixos-rebuild --upgrade switch`...
and the GCE image broke again, because it sets the NixOS configuration
option for the sysctl variable `kernel.yama.ptrace_scope` to
`mkDefault "1"`, i.e., with override priority 1000, and now the
`sysctl` module sets the same option to `mkDefault "0"` (this was
changed in commit 86721a5f78).
This patch raises the override priority of the Google Compute Engine
image configuration's definition of the Yama sysctl option to 500
(still lower than the priority of an unmodified option definition).
I have tested that this patch allows the Google Compute Engine image
to again build successfully for me.
And adopt the tests to add an interface and remove it again.
It should work when deactivating rstp, it will not work when activating
rstp for the first bridge as then the userspace daemon is not yet
available. But once one bridge is active with stp, it should work with
the reload for any further bridge.
Fixes#21745. Also see #22547.
Currently, if you try to build a NixOS config including channel.nix, e.g.:
nix-build -I nixpkgs=. -I nixos-config=nixos/modules/installer/cd-dvd/installation-cd-minimal.nix nixos -A config.system.build.isoImage
twice in a row, you end up with two different build results. This is
caused by the 'result' symlink of the first build affecting the channel
contents of the second build.
If we use filterSource with a predicate that ignores the 'result'
symlinks, the problem is gone. Do the same thing for VIM/Emacs
swap/backup files to avoid even more 'spurious' rebuilds.
Additionally, filter out the '.git' directory at the same time, as we
'rm -rf' it from the result anyway. This avoids a considerable amount of
unnecessary file I/O copying and deleting the .git directory.
In `nixos/modules/virtualisation/google-compute-image.nix`, copy store
paths with `rsync -a` rather than `cp -prd`, because `rsync` seems
better able to handle the hard-links that may be present in the store,
whereas `cp` may fail to copy them.
I have tested that the Google Compute Engine image builds successfully
for me with this patch, whereas it did not without this patch.
This is the same fix applied for Azure images in commit
097ef6e435d5b3fcde92e67abbaaaaaf05c0723d.
Fixes#23973.
The inability to run strace or gdb is the kind of
developer-unfriendliness that we're used to from OS X, let's not do it
on NixOS.
This restriction can be re-enabled by setting
boot.kernel.sysctl."kernel.yama.ptrace_scope" = 1;
It might be nice to have a NixOS module for enabling hardened defaults.
Xref #14392.
Thanks @abbradar.
kimpanel does not show installed IBus engines or allow switching input
methods. kimpanel does show configured keyboard layouts through kxkb, so I
believe there is some problem communicating with IBus. No error messages are
produced in the log and I have been unable to discover the cause. I have no
intention of continuing to work on kimpanel at this time, so it should be
disabled. The GTK+ 3-based panel provided by IBus is perfectly serviceable in
the interim.
In the absence of XCURSOR_PATH, the function XcursorLibraryPath
in libXcursor will return a hardcoded value unsuitable for NixOS.
Some desktops as well as display managers in NixOS currently do
set XCURSOR_PATH, but there are combinations where neither does
(e.g. SDDM+XFCE), resulting in no cursor themes being available.
The new definition if XCURSOR_PATH is effectively the same as what
KDE's startkde currently does.
Fixes issue #21442.
* The module uses `stringSplit` but it should be `splitString`
* `rmilter` doesn't actually support binding to multiple sockets.
Therefore, bind to the last one specified if `socketActivation` is
`false`.
I also believe there is a bug in this module related to systemd
`ListenStream`. If `socketActivation` is true, Postfix gets
connection timeouts trying to connect to one of the `ListenStream`
inet addresses. I don't know enough about `ListenStream` passing
connections on to `fd:3` to understand what's going on.
These changes are in production (with `socketActivation = false`) via NixOps.
This `tsocks` wrapper leaks DNS requests to clearnet, meanwhile Tor comes with
`torsocks` which doesn't.
Previous commits to this file state that all of this still useful somehow.
Assuming that it's true, at least let's not confuse users with two different tools
and don't clash with the `tsocks` binary from nixpkgs by disabling this by default.
This option was initially added to make it easier to use an
up-to-date list, but now that we always use an up-to-date list
from upstream, there's no point to the option.
From now on, you can either use a resolver listed by dnscrypt
upstream or a custom resolver.
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability. Until
17.09 we'll automatically translate these options into extraArgs
for convenience.
Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
* Moved the wordpress sources derivation to the attribute pkgs.wordpress. This
makes it easier to override.
* Also introduce the `package` option for the wordpress virtual host config which
defaults to pkgs.wordpress.
* Also fixed the test in nixos/tests/wordpress.nix.
The Infinality bytecode interpreter is removed in favor of the new v40 TrueType
interpreter. In the past, the Infinality interpreter provided support for
ClearType-style hinting instructions while the default interpreter (then v35)
provided support only for original TrueType-style instructions. The v40
interpreter corrects this deficiency, so the Infinality interpreter is no longer
necessary.
To understand why the Infinality interpreter is no longer necessary, we should
understand how ClearType differs from TrueType and how the v40 interpreter
works. The following is a summary of information available on the FreeType
website [1] mixed with my own editorializing.
TrueType instructions use horizontal and vertical hints to improve glyph
rendering. Before TrueType, fonts were only vertically hinted; horizontal hints
improved rendering by snapping stems to pixel boundaries. Horizontal hinting is
a risk because it can significantly distort glyph shapes and kerning. Extensive
testing at different resolutions is needed to perfect the TrueType
hints. Microsoft invested significant effort to do this with its "Core fonts for
the Web" project, but few other typefaces have seen this level of attention.
With the advent of subpixel rendering, the effective horizontal resolution of
most displays increased significantly. ClearType eschews horizontal hinting in
favor of horizontal supersampling. Most fonts are designed for the Microsoft
bytecode interpreter, which implements a compatibility mode with
TrueType-style (horizontal and vertical) instructions. However, applying the
full horizontal hints to subpixel-rendered fonts leads to color fringes and
inconsistent stem widths. The Infinality interpreter implements several
techniques to mitigate these problems, going so far as to embed font- and
glyph-specific hacks in the interpreter. On the other hand, the v40 interpreter
ignores the horizontal hinting instructions so that glyphs render as they are
intended to on the Microsoft interpreter. Without the horizontal hints, the
problems of glyph and kerning distortion, color fringes, and inconsistent stem
widths--the problems the Infinality interpreter was created to solve--simply
don't occur in the first place.
There are also security concerns which motivate removing the Infinality patches.
Although there is an updated version of the Infinality interpreter for FreeType
2.7, the lack of a consistent upstream maintainer is a security concern. The
interpreter is a Turing-complete virtual machine which has had security
vulnerabilities in the past. While the default interpreter is used in billions
of devices and is maintained by an active developer, the Infinality interpreter
is neither scrutinized nor maintained. We will probably never know if there are
defects in the Infinality interpreter, and if they were discovered they would
likely never be fixed. I do not think that is an acceptable situtation for a
core library like FreeType.
Dropping the Infinality patches means that font rendering will be less
customizable. I think this is an acceptable trade-off. The Infinality
interpreter made many compromises to mitigate the problems with horizontal
hinting; the main purpose of customization is to tailor these compromises to the
user's preferences. The new interpreter does not have to make these compromises
because it renders fonts as their designers intended, so this level of
customization is not necessary.
The Infinality-associated patches are also removed from cairo. These patches
only set the default rendering options in case they aren't set though
Fontconfig. On NixOS, the rendering options are always set in Fontconfig, so
these patches never actually did anything for us!
The Fontconfig test suite is patched to account for a quirk in the way PCF fonts
are named.
The fontconfig option `hintstyle` is no longer configurable in NixOS. This
option selects the TrueType interpreter; the v40 interpreter is `hintslight` and
the older v35 interpreter is `hintmedium` or `hintfull` (which have actually
always been the same thing). The setting may still be changed through the
`localConf` option or by creating a user Fontconfig file.
Users with HiDPI displays should probably disable hinting and antialiasing: at
best they have no visible effect.
The fontconfig-ultimate settings are still available in NixOS, but they are no
longer the default. They still work, but their main purpose is to set rendering
quirks which are no longer necessary and may actually be
detrimental (e.g. setting `hintfull` for some fonts). Also, the vast array of
font substitutions provided is not an appropriate default; the default setting
should be to give the user the font they asked for.
[1]. https://www.freetype.org/freetype2/docs/subpixel-hinting.html
Added extra config options to allow reading passwords from file rather
than the world-readable nix store.
The full config.json file is created at service startup.
Relevant to #18881
Newer versions of DNSCrypt proxy *can* cache lookups (via
plugin); make the wording more neutral wrt. why one might want
to run the proxy in a forwarding setup.
1) The forking behavior of `buildbot start` is temporarily broken for
mysterious reasons that I'm still looking into
2) Let systemd do the forking: no point in using two different process
startup wait loops
The nixbld group belongs to nix-daemon and you really don't want to be
in it. If you are in it, nix-daemon will kill your processes when you
least expect it :)
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available. We
filter mount syscalls to prevent the process from undoing the fs
isolation.
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.
We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...). Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
After the change of the bonding options, the examples were not quite correct.
The diff is over-the top because the new `let` needs everything indented.
Also add a small docstring to the `networkd` attr in the networking test.
Set `networking.networkmanager.wifi.macAddress` or `networking.networkmanager.ethernet.macAddress`
to one of these values to change your macAddress.
* "XX:XX:XX:XX:XX:XX": set the MAC address of the interface.
* "permanent": use the permanent MAC address of the device.
* "preserve": don’t change the MAC address of the device upon activation.
* "random": generate a randomized value upon each connect.
* "stable": generate a stable, hashed MAC address.
See https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/ for more information
Version 2.0.0 is installed as a separate package called "couchdb2".
When setting the config option "package" attribute to pkgs.couchdb2, a
corresponding service configuration will be generated. If a previous
1.6 installation exists, the databases can still be found on the local
port (default: 5986) and can be replicated from there.
Note that single-node or cluster setup still needs to be configured
manually, as described in
http://docs.couchdb.org/en/2.0.0/install/index.html.
We only care about /nix/store because its contents might be out of
sync with /nix/var/nix/db. Syncing other filesystems might cause
unnecessary delays or hangs (e.g. I encountered a case where an NFS
mount was taking a very long time to sync).
The implicit behavior of pulling it out of the classpath seemed not
to work properly and could be thrown off by other things on the
classpath also providing the properties file. This guarantees that
our settings stick.
We now make it happen later in the boot process so that multi-user
has already activated, so as to not run afoul of the logic in
switch-to-configuration.pl. It's not my favorite solution, but at
least it works. Also added a check to the VM test to catch the failure
so we don't break in future.
Fixes#23121
phpfpm currently uses `readFile` to read the php.ini file from the
phpPackage. This causes php to be build at evaluation time.
This eliminates the use of readFile and builds the php.ini at build
time.
This reverts commit 29caa185a7.
Not clear what the proper thing to do is. cf94cdb59b renders this
question mostly moot. Reverting before 17.03 branch to avoid a repeat
of #19054.
reason:
- We currently have an open discussion regarding a more modular
firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
leaving null makes future extension easier.
- the current default might not cover all use cases (different ssh port)
and might break setups, if applied blindly
This PR adds support for ```iio-sensor-proxy``` used by GNOME v3 and
others for reading data from the accelerometer, gps, compass and similar sensors
built into some relatively recent laptops.
Additionally, there is a NixOS module exposed via hardware.sensor.iio
for enabling services, udev rules and dbus services.
When dhcpcd instead of networkd is used, the network-online.target behaved
the same as network.target, resulting in broken services that need a working
network connectivity when being started.
This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
Using toJSON on a string value works because the allowed JSON escape
sequences is almost a subset of the systemd allowed escape sequences.
The only exception is `\/` which JSON allows but systemd doesn't.
Luckily this sequence isn't required and toJSON don't produce it making
the result valid for systemd consumption.
Examples of things that this fixes are environment variables with double
quotes or newlines.
Since systemd version 232 the install subcommand of bootctl opens the
loader.conf with fopen() modes "wxe", where the "e" stands for
exclusive, so the call will fail if the file exists.
For installing the boot loader just once this is fine, but if we're
using NIXOS_INSTALL_BOOTLOADER on a systemd where the bootloader is
already present this will fail.
Exactly this is done within the simpleUefiGummiboot installer test,
where nixos-install is called twice and thus the bootloader is also
installed twice, resulting in an error during the fopen call:
Failed to open loader.conf for writing: File exists
Removing the file prior to calling bootctl should fix this.
I've tested this using the installer.simpleUefiGummiboot test and it now
succeeds.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22925
This leads to the following error when trying to install a new machine
where the machine ID wasn't yet initialized during boot:
Failed to get machine did: No such file or directory
In addition this was also detected by the simpleUefiGummiboot installer
test.
So let's generate a fallback machine ID by using
systemd-machine-id-setup before actually running bootctl.
Tested this by running the installer.simpleUefiGummiboot test, it still
fails but not because of the machine ID.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22561
This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.
The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.
If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disavantage that
once we change the real configuration file the store path is also a
different one.
So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.
Another problem is that we only added the include directive on the first
initalization, so whenever there is *any* configuration change, it won't
affect anything.
We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.
This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.
Instead we now have an attribute set that is mapped down to
configuration options.
Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.
So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.
One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.
Another advantage is that we now have an uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The error message displays that a specific user doesn't exist in an
organisation, but uses the User object's name attribute to show which
user it was.
This is basically a very stupid chicken and egg problem and easily fixed
by using the user name provided on the command line.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
reason: after the upgrade of iputils from 20151218 to 20161105
functionality of ping6 and tracepath6 was merged into ping and tracepath.
Ping is now mostly a drop-in replacment for ping6, except that selecting a
specific interface is done by encoding it into the address (ex.: fe80::1%eth0)
rather then specifing it with the `-I` flag.
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module module simplifies such a
configuration to simply:
programs.wireshark.enable = true;
The setuid wrapper is available for users in the 'wireshark' group.
Changes v1 -> v2:
- add "defaultText" to the programs.wireshark.package option (AFAIK,
that prevents the manual from being needlessly rebuilt when the
package changes)
Since the bonds interface changed to a lot more possible values we create a
mapping of kernel bond attribute names and values to networkd attributes.
Those match for the most part, but have to transformed slightly.
There is also an assert that unknown options won’t slip through silently.
Until now the four attributes available very selectively provided a small
subset, while copying upstream documentation.
We make driver options an arbitrary key-value set and point to kernel
documentation, which is always up-to-date. This way every option can be set.
The four already existing options are deprecated with a warning.
The initialization code is now a systemd service that explicitly
waits for network-online, so the occasional failure I was seeing
because the `nixos-rebuild` couldn't get anything from the binary
cache should stop. I hope!
* The source attribute is mandatory, not optional
* The program attribute is optional
* Move the info about the mandatory attribute first (most important,
IMHO)
Previously, netdev units for network interfaces defined in the nixos
configurations would bindTo the systemd device unit of the interface if
not in a container.
In situations where you switch to a new nixos configration with changes
to network-setup.service (like nameservers) and have stacked interfaces
like vlans on a bond, it would fail to propagate restarts to the netdevs
correctly resulting with broken networking. The bond would be present
but no vlan interfaces rendering the machine unreachable.
My fear is that the udev events fail to propagate correctly while a systemd
transaction that is also restarting the triggered netdev service is running.
This commit changes this behaviour so netdev services bindTo other netdev
services if present and otherwise fall back to the previous behaviour.
We also noticed that stacked interfaces would sometimes seemingly be stopped
in the wrong order. For instance in the above example, the bond interface
would be deleted before the vlan interfaces resulting in the vlan interfaces
not being present when their service is being stopped. This would cause the
systemd transaction to fail and thus break networking. Their postStop hooks
are now allowed to fail as we have reached the desired state.
fix#22709
Recent pvgrub (from Grub built with “--with-platform=xen”) understands
the Grub2 configuration format. Grub legacy configuration (menu.lst) is
ignored.
The GeoIP databases from MaxMind have no stable URLs and change every
month (or so). Our current method of packaging these database in Nix and
playing catch-up with ever-changing file hashes is a bad idea. For
instance, it makes it impossible to realize old NixOS configurations.
This patch adds a NixOS service that periodically updates the GeoIP
databases in /var/lib/geoip-databases. Moving NixOS modules over can be
done in later patches.
I tried adding MD5 check, but not all databases have them, so i skipped
it. We are downloading over HTTPS though, it should be good. I also
tried adding zip support, but the first zip file I extracted had a
different filename inside than the archive name, which breaks an
assumption in this service, so I skipped that too.
Changes v9 -> v10:
- Pass "--max-time" to curl to set upper bound on downloads (ensures
no indefinite hanging if there's problem with networking).
Timeout for network connectivity check: 60s.
Timeout for geoip database (each): 15m.
Changes v8 -> v9:
- Mention the random timer delay in the documentation for the
'interval' option.
Changes v7 -> v8:
- Add "RemainAfterExit=true" for the setup service, so it won't be
restarted needlessly. (Thanks @danbst!)
Changes v6 -> v7:
- Add --skip-existing flag to geoip-updater, which skips updating
existing database files. Pass that flag when we run the service on
boot (and on any NixOS configuration change).
(IMHO, this is somewhat a workaround for systemd persistent timers
not being triggered immediately when a timer has never expired
before. But it does have the nice side effect of ensuring that the
installed databases always correspond to the configured ones, since
the service is now always run after configuration changes.)
Changes v5 -> v6:
- Update database files atomically (per DB)
- If a database is removed from the configuration, it'll be removed
from /var/lib/geoip-databases too (on next run).
- Add NixOS module assertion so that if user inputs non- .gz or .xz
file there will be a build time error instead of runtime.
- Run updater as user "nobody" instead of "root".
- Rename NixOS service from "geoip-databases" to "geoip-updater".
- Drop RemainAfterExit, or else the timer won't trigger the unit.
- Bring back "curl --fail", or else we won't catch and log curl
failures.
Changes v4 -> v5:
- Add "GeoLite2-City.mmdb.gz" to default database list.
Changes v3 -> v4:
- Remove unneeded geoip-updater-setup.service after adding
'wantedBy = [ "multi-user.target" ]' directly to
geoip-updater.service
- Drop unneeded "Service" name from service descriptions.
Changes v2 -> v3:
- Network may be down when starting from a cold boot, so try a few
times. Possibly, if using systemd-networkd, it'll pass on the first
try. But with default DHCP on NixOS, the service is started before
hostnames can be resolved and thus we need a few extra seconds.
- Add error handling and mark service as failed if fatal error.
- Add proper syslog log levels.
- Add RandomizedDelaySec=3600 to the timer to not put high load on the
MaxMind servers. Suggested by @Mic92.
- Set RemainAfterExit on geoip-updater.service instead of
geoip-updater-setup.service. (The latter is only a proxy that pulls
in the former service).
Changes v1 -> v2:
From Данило Глинський (Danylo Hlynskyi) <abcz2.uprola@gmail.com>:
nixos/geoip-databases: add `databases` option and fix initial setup
There were two great issues when using this service:
- When you just enable service, databases aren't downloaded, they are
downloaded when timer triggers. Fixed this with automatic download on
first system activation.
- When there is no internet, updater outputs nothing to logs, which is
IMO misbehavior. Fixed this with removing `--fail` option, better be
explicit here.
The Raspberry Pi boot loader was deleting all xx-initrd text files
(which simply contain the path to the actual initrd files) just after
having created them. The code was actually trying to delete real,
obsolete initrd files, which are named <hash>-initrd-initrd (after path
cleaning), but the glob was catching the other files as well.
Turns out all variants of start.elf and fixup.dat are needed (depending
on what's in config.txt). I was under the mistaken impression that you
were supposed to rename one of the variants to switch using them, but
nope.
A very simple skeleton for now that doesn't attempt to model any of
the agent configuration, but we can grow it later. Tested and works
on an EC2 instance with ECS.
Recent versions of libreswan seem to omit this file, but it may be added/changed in the future. It is silly to have the service fail because a file is missing that only enriches the environment.
This fixes an issue where `nixops deploy` wouldn't restart the chrony
service when the chrony configuration changed, because it wouldn't
detect that `/etc/chrony.conf` was a dependency of the chrony service.
Regression introduced by 0cb487ee04.
This changed the result for defaultGateway to be a submodule instead of
just a plain string, so instead of using just cfg.defaultGateway we need
to pass cfg.defaultGateway.address now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
Overriding ``glibcLocales`` via nixpkgs.overlays not works,
so I added i18n.glibcLocales parameter, defaulted with
old override, using i18n.supportedLocales.
From Postfix documentation:
With this setting, the Postfix SMTP server will not reject mail with "User
unknown in local recipient table". Don't do this on systems that receive mail
directly from the Internet. With today's worms and viruses, Postfix will become
a backscatter source: it accepts mail for non-existent recipients and then
tries to return that mail as "undeliverable" to the often forged sender
address.
20e81f7c0d prevented key generation in
`preStart`, leaving the service broken for the case where the user has
no pre-existing key.
Eventually, we ought to store the state elsewhere so that `/etc` can be
read-only but for now we fix this the easy way.
Pushing to gogs only works if the `gogs` user's shell is `bash`. For error and
solution, refer to [this SO thread](http://stackoverflow.com/a/22315659)
DBus daemon now loads its config from /run/current-system/dbus.
Reloading the daemon makes it re-read that file and catch the updates
after a system upgrade.
Offline mode: When adding a lot of data, start this service.
It will will not flood the DHT since it only exposes the API.
When you are done simply reverse the process.
Allow password login to the installation this allows doing remote installation
via SSH. All that need to be done on the local machine is:
1. Boot from the installation media
2. Set a password with passwd
3. Enable SSH with systemctl start sshd
It is safe as root doesn't have a password by default
and SSH is disabled by default.
Fixes#20718
This allows overriding the `server_name` attribute of virtual
hosts. By doing so it is possible to have multiple virtualHost
definitions that share the same `server_name`. This is useful in
particular when you need a HTTP as well as a HTTPS virtualhost: same
server_name, different port.
A default of 0 means that if you deploy two NixOS boxes with the default
configuration, the second will fail because the brokerId was already in
use. Using -1 instead tells it to pick one automatically at first start.
This provides a default console_cmd for the slim display-manager.
When the user enters "console" as the user name, slim will run this
command.
Having a default is rather important; the virtual terminals don't work
with some display drivers, so having a broken X session can leave you
locked out of your machine.
Without it, the following error is shown in the "Add Printer" window:
Failed to group devices: 'The name org.fedoraproject.Config.Printing was not provided by any .service files'
* Fix the FW names
FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw.
* Update the comment (documentation) at the top
Order the chains of the main table alphabetically (like in the rest of
the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop
(used while reloading the firewall).
* Refactor the module (mainly comments)
- Move some attributes to the top for better visibility (that should
hopefully make it easier to read and understand this module without
jumping around too much).
- Add some missing examples and improve some descriptions.
- Reorder the mkOption attributes for consistency.
- Wrap lines at 72 characters.
- Use two spaces between sentences.
This adds pulseaudio.daemon.config, which is a set of keys to values
which are directly translated to keys and values of pulseaudio's
daemon.conf, e. g.
hardware.pulseaudio.daemon.config = { flat-volumes = "no"; }
becomes
flat-volumes=no
in pulse/daemon.conf.
The reason being less mental overhead when reading upstream
documentation. Examples can be pasted right into the configuration
instead of translating to Nix attrset first.
Make sure that the output of the sieve compiler produces files that
have a newer time stamp than the source sieve script. Otherwise you
get errors in the logs about Dovecot not being able to compile do to a
permission issue.
ckb is a driver for Corsair keyboards/mice. It also contains a graphical tool for configuring their LED backlight settings.
The driver is implemented as a userland daemon. A NixOS module is included that runs this as a systemd service.
The content of programs.zsh.interactiveShellInit was
inserted too soon in the generated zshrc
This caused some settings related to autocompletion to be ignored
This reverts commit 712e62c260.
This commit broke NixOS containers. Systemd wouldn't detect if a container
started successfully and would kill it again after a grace period.
Additionally this prints mount errors due to already mounted filesystems
at boot.
I have left in 2 NixOS custom config directives, so the configuration
should be the same with the only change in behaviour being that the
service is not eagerly loaded but in fact only socket activated, which
it should be.
Using outputsToInstall the intended behaviour of including host and dnsutils
when bind is installed can be implemented instead of using symlinks to fix
installing all outputs individually with nix-env.
Fixes#19761.
It hides bugs and do you ever actually want to serve up an empty directory?
It was pretty confusing to me when it tried to write into a read-only store
path because I accidentally pointed it to the wrong store path.
Until now nixos only delivered the latest zfs release. This release is often not
compatible with the latest mainline kernel. Therefor an unstable variant is
added, which might be based on testing releases or git revisions.
fixes#21359
perlPackages.TextWrapI18N: init at 0.06
perlPackages.Po4a: init at 0.47
jade: init at 1.2.1
ding-libs: init at 0.6.0
Switch nscd to no-caching mode if SSSD is enabled.
abbradar: disable jade parallel building.
Closes#21150
This code in amazon-image.nix:
if mountFS "$device" "$mp" "" auto; then
if [ -z "$diskForUnionfs" ]; then diskForUnionfs="$mp"; fi
fi
relies on mountFS to return a zero exit status if mounting
succeeds. But the lustrateRoot check in mountFS was causing a non-zero
exit status. As a result /disk0 would be mounted, but not used for
/tmp.
(cherry picked from commit d082ed8c35dec48aee2afd1303b3c8b2a1b242b0)
/etc/hostname is the file used by hostnamectl(1) and the
org.freedesktop.hostname1 dbus service (both provided by systemd) to get
the "static hostname". Better provide it so that users of those
tools/services get a proper hostname.
An example of an issue created by the lack of /etc/hostname is that the
bluetooth stack on NixOS identifies itself to peers as "BlueZ $VERSION"
instead of the hostname.
References:
https://www.freedesktop.org/software/systemd/man/hostname.html
Changes v1 -> v2:
* ensure /etc/hostname ends with a newline
* cpu-freq: Try powersave if ondemand is not available
* Revert "cpu-freq: Try powersave if ondemand is not available"
This reverts commit 4dc56db37e32dcfecd667ebbf88263e47b296097.
Consult available scaling governors; for freshly generated configs, this provides a better experience than relying on a default that might not work everywhere.
* fix/asterisk-module: use unix-group for asterisk-files
* fix/asterisk-module: add configOption to use some default config-files
* fix/asterisk-module: correction of skel copy
* fix/asterisk-module: use /etc/asterisk as configDir
* fix/asterisk-module: add reload; do not restart unit
* asterisk: 13.6.0 -> 14.1.2
* fix/asterisk: compile with lua, pjsip, format_mp3
* fix/asterisk: fix indentation
* fix/asterisk: remove broken flag
The profile minimal has several drawbacks: no man pages, unusual 'dbus'
lib that makes many X11 pieces to rebuild, etc.
With xz compression in the squashfs, despite these additions, the iso is
smaller than what it was in 16.09.
It seems that it is a GPL violation to distribute zfs in the
installation ISOs.
https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/
If anyone knows the issue better and has a reason to reenable it
legally, feel free to reenable it. I don't know much about it.
The current default value of listenAddress = null blows up:
$ nixos-rebuild build
error: cannot coerce null to a string, at
.../nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix:97:16
With listenAddress = "" we use the same default as upstream and there is
no blow up :-)
...by providing a default value of "no labels" (an empty attrset).
Without this change we get
$ nixos-rebuild test -I nixpkgs=.
building Nix...
building the system configuration...
error: The option `services.prometheus.scrapeConfigs.[definition 1-entry 1].static_configs.[definition 1-entry 1].labels' is used but not defined.
which is unneeded, because labels _are_ optional.
All the new options in detail:
Enable docker in multi-user.target make container created with restart=always
to start. We still want socket activation as it decouples dependencies between
the existing of /var/run/docker.sock and the docker daemon. This means that
services can rely on the availability of this socket. Fixes#11478#21303
wantedBy = ["multi-user.target"];
This allows us to remove the postStart hack, as docker reports on its own when
it is ready.
Type=notify
The following will set unset some limits because overhead in kernel's ressource
accounting was observed. Note that these limit only apply to containerd.
Containers will have their own limit set.
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Upgrades may require schema migrations. This can delay the startup of dockerd.
TimeoutStartSec=0
Allows docker to create its own cgroup subhierarchy to apply ressource limits on
containers.
Delegate=true
When dockerd is killed, container should be not affected to allow
`live restore` to work.
KillMode=process
currently services.nginx does not start up if `networking.enableIPv6 = false`
the commit changes the nginx behavior to handle this case accordingly.
The commit resolves#21308
Overlayfs is quite a bit faster, e.g. with it the KDE 5 test takes ~7m
instead of ~30m on my laptop (which is still not great, since plain
9pfs is ~4m30s).
The structured options are incomplete compared to upstream and I think
it will be a maintenance burden to try to keep up. Instead, provide an
option for the raw config file contents (prometheus.yml).
This works around:
machine: must succeed: nix-store -qR /run/current-system | grep nixos-
machine# error: changing ownership of path ‘/nix/store’: Invalid argument
Probably Nix shouldn't be anal about the ownership of the store unless
it's trying to build/write to the store.
http://hydra.nixos.org/build/45093872/nixlog/17/raw
(cherry picked from commit 57a0f140643cde409022e297ed05e05f8d34d778)
Previously we were using two or three (qemu_kvm, qemu_test, and
qemu_test with a different dbus when minimal.nix is included).
(cherry picked from commit 8bfa4ce82ea7d23a1d4c6073bcc044e6bf9c4dbe)
This option is defined in qemu-vm.nix, but that module is not always
imported.
http://hydra.nixos.org/build/44817443
(cherry picked from commit 03c55005dfd6fbcd5cf8e00128a3bb6336b3bc0f)
Otherwise it starts way too early, only to fail and having to restart
until devices are available. It is less wasteful to simply wait until
there's a reasonable chance of success. This is consistent with
upstream.
networkd options are always correct or up to date. This option allows to by
pass type checking. It is also easier to write because examples can be just copy
and paste from manpages.
Networkd units can contain secrets. In future also wireguard vpn will be supported by
networkd. To avoid leakage of private keys, those could be then also put outside
of the /nix/store
Having a writeable /etc/systemd/network also allows to quick fix network issues,
when upgrading `nixos-rebuild switch` would require network on its own (due
updates).
This reverts commit 656cc3acaf because it
causes building the manual to fail:
$ nixos-rebuild build
...
building path(s) ‘/nix/store/s9y5z78z5pssvmixcmv9ix13gs8xj87f-manual-olinkdb’
Writing /nix/store/s9y5z78z5pssvmixcmv9ix13gs8xj87f-manual-olinkdb/manual.db for book(book-nixos-manual)
./man-pages.xml:625: element para: Relax-NG validity error : Did not expect element para there
./man-pages.xml:3: element variablelist: Relax-NG validity error : Element refsection has extra content: variablelist
./man-pages.xml:29: element refsection: Relax-NG validity error : Element refentry has extra content: refsection
./man-pages.xml:3: element reference: Relax-NG validity error : Element reference failed to validate content
./man-pages.xml fails to validate
CC @cleverca22, @Mic92
- most nixos user only require time synchronisation,
while ntpd implements a battery-included ntp server (1,215 LOCs of C-Code vs 64,302)
- timesyncd support ntp server per interface (if configured through dhcp for instance)
- timesyncd is already included in the systemd package, switching to it would
save a little disk space (1,5M)
The collectd service runs as an unprivileged user by default, so it does
not leak more information to its data directory than any user can obtain
elsewhere by other means.
If people are running it as root and are worried about information leak,
we can add collectd group and set perms to 750.
CC @offlinehacker.
Fixes#21198.
A secret can be stored in a file. It is written at runtime in the
configuration file.
Note it is also possible to write them in the nix store for dev
purposes.
This commit introduces a nixos module for the Openstack Keystone
service. It also provides a optional bootstrap step that creates some
basic initial resources (tenants, endpoints,...).
The provided test starts Keystone by enabling bootstrapping and checks
if user creation works well.
This commit is based on initial works made by domenkozar.
Split packages in three categories, all of them going into the system
package list:
- pre-requisite packages
- core packages
- optional packages
Add a new configuration option 'environment.lxqt.excludePackages' to
specify optional LXQt packages that should be excluded from system
packages.
Add 'gvfs' as a pre-requisite package, needed by 'pcmanfm-qt' to
handle virtual places, like "Computer" and "Network".
The boot tests import test-instrumentation.nix directly to create a VM
image that only contains things such as the backdoor and serial console
the same way as used by other NixOS VM tests.
With one difference though: It doesn't need nor want to have 9p
filesystems mounted, because we actually want to test an image rather
than re-using most stuff from the host's store.
Change tested against the boot.uefiUsb and ipv6 tests, just that it
becomes clear we don't break either the tests with 9p nor the boot
tests (which were already broken but now succeed).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
even if cups rewrites its config file due to config changes made through
its web-based management UI, we need to keep the PATH pointing to
currently-live nix store directories. fixes#20806.
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.
systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.
Fixes https://github.com/NixOS/nixpkgs/issues/20948
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
- As noted on github, GDM needs different parameters for X.
- Making xserverArgs a true list instead of concat-string helps to
filter it and it feels more correct anyway.
- Tested: gdm+gnome, lightdm+gnome. There seems to be no logout option
in gnome, and gdm doesn't offer other sessions, but maybe these are normal.
It was deprecated and removed from all modules in the tree by #18319.
The wireguard module PR (#17933) was still in the review at the time and
the deprecated usage managed to slip inside.
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel. Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).
With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
Fixes#20713, though I'm certain nixpkgs contains loads of places
without proper quoting, as (ba)sh unfortunately encourages that.
The only plus side is that most of such problems in nixpkgs aren't
actually security problems but mere annoyance to those who are foolish
enough to use "weird" characters in critical names.
Allows one or more directories to be mounted as a read-only file system.
This makes it convenient to run volatile containers that do not retain
application state.
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
riak-cs: added to all-packages
Added Riak CS nix file to pkgs
Added service file for Riak CS
Removed Erlang_basho specific bindings from the Riak CS repo
riak-cs: changed description
riak-cs: added license
riak-cs: added maintainer
riak_cs: chgned indentations
riak-cs: removed overly complex srcs mechanism
riak-cs: added systemd module
riak-cs: changed Erlang module to Basho-specific version
riak-cs: made modular form
riak-cs: Added a default package in service options
riak-cs: Fixed default package in service options
riak-cs: Patched Makefile
riak_cs: added to module-list
riak_cs: changed from string to actual package in modules
riak-cs: changed example
riak-cs: removed default
riak-cs: changed to defaultText
stanchion: changed default option to defaultText
riak-cs: added defaults; changed types to str
riak-cs: added to all-packages
Added Riak CS nix file to pkgs
Added service file for Riak CS
Removed Erlang_basho specific bindings from the Riak CS repo
riak-cs: changed description
riak-cs: added license
riak-cs: added maintainer
riak_cs: chgned indentations
riak-cs: removed overly complex srcs mechanism
riak-cs: added systemd module
riak-cs: changed Erlang module to Basho-specific version
riak-cs: made modular form
riak-cs: Added a default package in service options
riak-cs: Fixed default package in service options
riak-cs: Patched Makefile
riak_cs: added to module-list
riak_cs: changed from string to actual package in modules
Using a custom package set with the NixOS module is no longer
something I wish to support. It's still *possible* but not
advertised. Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
Fix automatic mouse grabbing/releasing when running as a vmware guest.
1. The xf86inputvmmouse is not loaded by default. Add it.
2. InptutDevice sections for which specify a driver are ignored if
AutoAddDevices is enabled (which it is by default). See [1]. Instead use
an InputClass to load the vmmouse driver.
[1] https://www.x.org/archive/X11R7.7/doc/man/man5/xorg.conf.5.xhtml#heading8
The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.
Starting with NixOS/nix@5e51ffb1c2, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.
This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.
So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.
In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).
Tested against the "misc" and "printing" tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It was lacking the dbus configuration to bind to
org.freedesktop.DisplayManager, and it was passing fixed TTY/display
numbers to the X server (see 9be012f0d4).
Using the example before this commit resulted in the following error:
```
error: value is a string while a list was expected, at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/services/misc/nix-daemon.nix:349:37
```
* Sync systemd units with upstream. Upstream uses SIGUSR2 instead of SIGHUP
to reload the clamd service.
* Convert freshclam service to a oneshot service activated by a systemd timer.
This way we can make clamd wait for freshclam to finish fetching the virus
database before failing to start if the database doesn't exist yet.
* Fixes console tools to work as expected as they require hardcoded config
file locations.
The old etcd port 4001 is no longer enabled by default in etcd 3.
The new port is 2379 and is officially assigned by IANA.
There were still some services left that expect etcd on port 4001 by default.
This changes the default to 2379 everywhere.
It should not cause problems for users as the etcd by nix does listen on the new port only by default anyway.
This needs to be included for VirtualBox to detect that it needs to start the video driver. "modesetting" is also set in virtualbox-image.nix but this line seems to take precedence over that one (even though the virtualbox-image.nix has a higher override?) This should fix the problems that I and a few others have been having with the .ova files built for nixos.org.
Fixes#20007.
Using the --force option on GRUB isn't recommended, but there are very
specific instances where it makes sense. One example is installing on a
partitionless disk.
The current default probe config uses the unwrapped fping binary, which
leads to an error because fping must be executed with elevated
permissions.
I fixed this by changing the path to the default binary to the
setuid-wrapped version.
This commit includes two changes:
1. A new `extraConfig` option to allow administrators to set any
vsftpd configuration option that isn't directly supported by this
derivation.
2. Correctly set the `anon_root` vsftpd option to `anonymousUserHome`
In the prestart config of the smokeping service, smokeping is executed
initially. This happens as the user root and writes some files to
$smokepingHome, which can't be overwritten by the smokeping user. This
gives an error message.
I fixed this by moving the chown step after the initial smokeping runs,
so that it also affects the generated files.
The matrix-synapse user has `createHome = true;` which runs before the
`preStart` script, so the home directory will always exist and the block
will never execute.
Also don't include default path to keys in the configuration file,
because synapse will choke if it tries to open them before they
exist (even with `--generate-keys`).
Thanks to @NeQuissimus in a5c1985fef for
updating busybox, which since version 1.25 doesn't allow local variables
outside of functions anymore (which is the desired behaviour).
See the following upstream commit of busybox which is the change that
let's this problem surface:
https://git.busybox.net/busybox/commit/?id=ef2386b80abfb22ccb697ddbdd4047aacc395c50
So this has been an error I've made on my end in
67223ee205, because I originally had a
function for killing the processes but desired to inline it because it's
only used in one place.
This fixes the boot-stage1 NixOS test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The old version would export two lists to a bash builder and do pairwise
processing on the bash side. In the new version we instead generate a
logic free builder on the Nix side. This is not only conceptually
simpler but reduces the amount of code and intermediate values.
`head -cNUM ... | tr -dc SET` might generate output containing fewer
than NUM characters. Given the limited alphabet, this could result in a
fairly weak passphrase. The construction `tr </dev/urandom | head
-cNUM`, however, is sure to give us the full `NUM`.
The dnsmasq instance run by the xen-bridge.service errorenously
hands out 172.16.0.0 as the netmask over DHCP to the VMs. This
commit removes the option responsible for that from dnsmasq.conf,
so that the proper netmask is inferred by dnsmasq instead.
Addresses https://github.com/NixOS/nixpkgs/issues/19883
The calls to iptables in xen-bridge.service were missing the -w switch,
which caused them to fail if another script was calling iptables
at the same time. Fix it by adding the -w switch.
Addresses https://github.com/NixOS/nixpkgs/issues/19849 .
`startAt = ""` as in `startAt = optionalString false ...` results
in an invalid timer unit (due to "" being promoted to a singleton
list and not filtered out).
Ref: c9941c4b5e
`startAt = ""` as in `startAt = optionalString false ...` results
in an invalid timer unit (due to "" being promoted to a singleton
list and not filtered out).
Ref: c9941c4b5e
* gnome3: default to 3.22
* zuki-themes: add src for gnome 3.22, remove 3.18
* gnome3_22.vte_290: copy from gnome3.20
* termite: use vte-select-text from gnome3_20
For some reason, between Linux 4.4.19 and 4.4.20, the atkbd and libps2
kernel modules lost their dependency on i8042 in modules.dep, causing
i8042 not to be included in the initrd. This breaks keyboard in the
initrd, in turn breaking LUKS.
This only happens on the 16.03 branch; on 16.09, it appears i8042 is
pulled into the initrd anyway (through some other dependency,
presumably). But let's include it explicitly.
http://hydra.nixos.org/build/40468431
It was already ordered after systemd-udev-settle.service, but that
doesn't do anything if no other units require
systemd-udev-settle.service. This was causing random failures during X
server startup, e.g.
machine# [ 12.691372] display-manager[607]: (EE) open /dev/dri/card0: No such file or directory
http://hydra.nixos.org/build/41062823
Currently only for the user services as NixOS handles the named system
instances slightly differently.
syncthing and syncthing-inotify are done the same way.
There are 4 parts to this:
1) Copy in the upstream unit files
2) Make the nixos module use the definition from upstream
3) Enable restarting of all instances (system and user) on resume
4) Allow the traffic in the firewall on default ports if wanted
fixes#18973
* Add extraOptions option, to pass arbitrary command line options to
atftp. Especially useful to specify which address to bind to
(--bind-addres ...).
* Improve descriptions (fix a typo, document default bind address,
don't repeat service name in systemd description + capitalize)
* Change default server directory from /var/empty to /srv/tftp, and
change types.str to types.path.
The new units mirror the upstream systemd units as closely as possible.
I could not find a reason why the service would need to be restarted on
resuming from suspend, and the upstream units also do not contain such a
restriction, so I removed the `partOf = [ "post-resume.target"]`.
This fixes#19525.
gnome-x-session provides good defaults which we really should not
override.
We have to add assertions to gdm.nix if the user specified one of those.
enableTCP must be configured through a gnome setting
dunno why we have terminate but it probably breaks stuff
We should expose configFile so we can use it from gdm module.
This makes it easy to specify kernel patches:
boot.kernelPatches = [ pkgs.kernelPatches.ubuntu_fan_4_4 ];
To make the `boot.kernelPatches` option possible, this also makes it
easy to extend and/or modify the kernel packages within a linuxPackages
set. For example:
pkgs.linuxPackages.extend (self: super: {
kernel = super.kernel.override {
kernelPatches = super.kernel.kernelPatches ++ [
pkgs.kernelPatches.ubuntu_fan_4_4
];
};
});
Closes#15095
`stripHash` documentation states that it prints out the stripped name to
the stdout, but the function stored the value in `strippedName`
instead.
Basically all usages did something like
`$(stripHash $foo | echo $strippedName)` which is just braindamaged.
Fixed the implementation and all invocations.
* x11 module: don't restart the display manager indefinitely
If the display managers crashes continuously in loops it prevents the
user from switching to the console and try to fix things. Especially
when using the "auto" display manager it can happen quite easily.
* x11 module: fix display manager restart timeouts
It takes more than 1 second to boot the X server.
The initial commit accidentally left in some commented code and if you were
using alerts, they simply didn't work.
Smokeping also includes some JS code for the webui allowing you to zoom into
graphs and it was not passed into the homedir. Additionally, generate
static html pages for other webservers to serve the cache directory.
Add additional options to specify sendmail path or mailhost and verify that both
are not set.
Add one extra config hook that allows you to bypass all of the invidual config
stanzas and just hand it a string.
Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.
Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
Now the tracking works with aggregated devices on aggregated devices.
So container with physical device where the device is put in a bond
which is the basis for a bridge is now handled correctly.
Test that adding physical devices to containers works, find that network setup
then doesn't work because there is no udev in the container to tell systemd
that the device is present.
Fixed by not depending on the device in the container.
Activate the new container test for release
Bonds, bridges and other network devices need the underlying not as
dependency when used inside the container. Because the device is already
there.
But the address configuration needs the aggregated device itself.
PHP FPM will now notify systemd when it's done initializing and ready to
serve requests.
Additionally ```systemctl status phpfpm``` will now show statistics such
as:
```
Status: "Processes active: 0, idle: 8, Requests: 0, slow: 0, Traffic: 0req/sec"
```
---
Using the configure option relieves us of the patch and passing the path
via the env var in many places. Also the env var may not be inherited
when components like gdm spawn new sessions.
This fixes two bugs:
* When socket activation is detected, the service itself is added to stop-start list instead of its sockets.
* When service is marked to restart instead of stop (`StopIfChanged = no`) we don't need to restart sockets.
The following changes are included:
1) install user unit files from upstream dbus
2) use absolute paths to config for --system and --session instances
3) make socket activation of user units configurable
There has been a number of PRs to address this, so this one does the
bare minimum, which is to make the functionality available and
configurable but defaults to off.
Related PRs:
- #18382
- #18222
(cherry picked from commit f7215c9b5b47dfb0a6dbe87ff33d7730729a32e5)
Signed-off-by: Domen Kožar <domen@dev.si>
Since some changes to the setuid wrappers, there is a symlink involved
and it doesn't resolve correctly inside the chroot. Do the check inside
the chroot to make it work again.
This ensures that most "trivial" derivations used to build NixOS
configurations no longer depend on GCC. For commands that do invoke
gcc, there is runCommandCC.
This is a standard environment that doesn't contain a C/C++
compiler. This is mostly to prevent trivial builders like runCommand
and substituteAll from pulling in gcc for simple configuration changes
on NixOS.
This allows us to define system user targets in addition to the existing
services, timers and sockets.
Furthermore, we add a top-level configuration keyword:
- Documentation
Every interactive zsh sources /etc/zshrc (see STARTUP/SHUTDOWN FILES in zshautll(1))
Therefor every interactive zsh process will respect the content of these variables.
Using `export` will also lead to child processes inheriting this value.
This leads to problems, if other interactive shells are spawned such as bash,
because they use an incomptabible history format (without timestamps).
There seems to be also cases, where the local HISTSIZE in ~/.zshrc is
not sourced but /etc/zshrc, which leads to history truncation in other shells.
4.1.12
======
Bugfixes
--------
Fix malformed edns query assertion failure, reported by Michal Kepien (NASK).
4.1.11
======
Features
--------
* When tcp is more than half full, use short timeout for tcp session.
* Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
* Fix#790: size-limit-xfr can stop NSD from downloading infinite zone transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
Bugfixes
--------
* Fix build without IPv6, patch from Zdenek Kaspar.
* Fix#783: Trying to run a root server without having configured it silently gives wrong answers.
* Fix#782: Serve DS record but parent zone has no NS record.
* Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
4.1.10
======
Features
--------
* ip-freebind: yesno option in nsd.conf sets IP_FREEBIND socket option for Linux, binds to interfaces and addresses that are down.
* NSD includes AAAA before A for queries over IPV6 (in delegations). And TC is set if no glue can be provided with a delegation because of packet size.
* print notice that nsd is starting before taking off.
Bugfixes
--------
* Fix for openssl 1.1.0, HMAC_CTX size not exported from openssl.
* Fix#751: NSD fails to occlude names below a DNAME.
* If set without nsd.db print "" as the default in the man pages.
* Fix#755: NSD spins after a zone update and a lot of TCP queries.
* Fix for NSEC3 with zone signed without exact match for empty nonterminals, the answer for that domain gets closest encloser.
* #772 Document that recvmmsg has IPv6 problems on some linux kernels.
4.1.9
=====
Bugfixes
--------
* Change the nsd.db file version because of nanosecond precision fix.
The services/networking directory is already quite polluted and the
first point where I was looking for the offlineimap module was in
services/mail and didn't find it there.
Offlineimap already has IMAP in its name and clearly belongs to the
"mail" category so let's move it there.
Tested by evaluating a configuration with services.offlineimap enabled.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @DamienCassou
Coercing the derivation to string causes the package to be built during
evaluation rather than during actual realization which is completely
unnecessary because we don't need additional Nix expression information
for the package (nor do we need it for the service).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @DamienCassou
Cc: @Profpatsch (stumbled on this because of him)
Using "tmpfs" as a script part for system.activationScripts is a bit
misleading since 6efcfe03ae.
We no longer solely mount tmpfs within this script, so using "specialfs"
fits more nicely in terms of naming.
Tested against the "simple" NixOS installer test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Regression introduced by 79d4636d50.
The mentioned commit moves /run/keys from stage 2 to
boot.specialFileSystems, the latter being remounted during system
activation.
Unfortunately, the specialMount function in the activation script does
this unconditionally and thus will fail if it can't be remounted because
the mount point simply doesn't exist.
We now check the mount point for existance and only remount if it exists
but mkdir + mount it if it doesn't.
Tested against the "simple" NixOS installer test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This adds the containers.<name>.enableTun option allowing containers to
access /dev/net/tun. This is required by openvpn, tinc, etc. in order to
work properly inside containers.
The new option builds on top of two generic options
containers.<name>.additionalCapabilities and
containers.<name>.allowedDevices which also can be used for example when
adding support for FUSE later down the road.
When Grub is to be used with UEFI, it is not going to write to any MBR
of any disk. As such, it is safe to use multiple "nodev" device entries
when mirroring the ESP partition to multiple disks.
E.g.:
```
boot.loader.grub = {
enable = true;
version = 2;
zfsSupport = true;
efiSupport = true;
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot1"; efiSysMountPoint = "/boot1"; }
{ devices = [ "nodev" ]; path = "/boot2"; efiSysMountPoint = "/boot2"; }
{ devices = [ "nodev" ]; path = "/boot3"; efiSysMountPoint = "/boot3"; }
];
};
boot.loader.efi.canTouchEfiVariables = true;
```
Fixes#18584
...instead of mesa_noglu.out. Closures of systems remain unchanged,
as both are in (and the .out output is very small anyway).
This is to make sure that we use lib*GL* that aren't slowed down by grsecurity.
All swap device option sets "have" a label, it's just that sometimes it's
undefined. Because we set a `device` attribute when we have a label anyway it's
ok to just check device prefix.
Fixes#18891.
Get rid of the "or null" stuff. Also change 'cfg . "foo"' to 'cfg.foo'.
Also fixed what appears to be an actual bug: in postStartScript,
cfg.attribute (where attribute is a function argument) should be
cfg.${attribute}.
Using types.str doesn't work if you want to mkBefore/mkAfter across
different module definitions, because it only allows for one definition
for the same priority.
This is especially useful if you deploy Hetzner machines via NixOps,
because the physical specification already defines localCommands.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit removes all references to emacs24 with the exception of
emacs24-macports. The two folders in `pkgs/applications/editors` named
`emacs-24` and `emacs-24` are consolidated to a new `emacs` folder.
Various parts in nixpkgs also referenced `emacs24Packages` (pinned to
`emacs24`) explicitly where `emacsPackages` (non-pinned) is more
appropriate. These references get fixed by this commit too.
It looks like the cpu type part of modalias might have changed, my
systems (4.4.20 and 4.7.2) show something like the following:
```
cpu:type:x86,ven0000fam0006mod003F:feature:,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,002B,0034,003B,003D,0068,006F,0070,0072,0074,0075,0076,007D,0080,0081,0089,008C,008D,0091,0093,0094,0095,0096,0097,0098,0099,009A,009B,009C,009D,009E,009F,00C0,00C5,0120,0123,0125,0127,0128,0129,012A,0140
```
Update the rngd modalias rule to match this so udev properly has
systemd start rngd.
This reverts commit 1010271c63.
This reverts commit e85e51d41f.
The first commit causes multiple regressions. The second commit tries to
fix the regressions, but does not catch all of them. There are multiple
failing tests, one of which is blocking a package update. That is not
acceptable for a cosmetic patch.
* influxdb module: add postStart
* cadvisor module: increase TimeoutStartSec
Under high load, the cadvisor module can take longer than the default 90
seconds to start. This change should hopefully fix the test on Hydra.
Regression introduced by bccd75094f.
The mentioned commit removed the pkgs.gtk attribute, but forgot to
change this within the xfce module.
Tested using the xfce NixOS test and it has passed on my machine.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Regression introduced by 1010271c63.
This caused the line after using the loginuid module to be concatenated
with the next line without a newline.
In turn this has caused a lot of the NixOS VM tests to either run very
slowly (because of constantly hitting PAM errors) or simply fail.
I have tested this only with one of the failing NixOS tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
While entering the chroot should provide the same amount of isolation,
the preStart script will run with full root privileges and so would
benefit from some isolation as well (in particular due to
unbound-anchor, which can perform network I/O).
