* nixos/xmonad: xmonad config w/ghc+xmessage
When the "config" option isn't set, we use xmonad-with-packages to
provide xmonad with runtime access to an isolated ghc, ensuring it can
recompile and exec a user's local config (e.g. $HOME/.xmonad/xmonad.hs)
regardless of which ghc (if any) is on PATH.
When the "config" option is set, however, we compile a configured xmonad
executable upfront (during nixos-rebuild), and prior to this commit, it
was not provided with runtime access to an isolated ghc.
As a result, with the "config" option set, it was not possible
to recompile and exec a user's local config unless there was a
compatible version of ghc on PATH with the necessary packages (xmonad,
xmonad-contrib, etc.) in its package database. Adding such a ghc to
environment.systemPackages, e.g.
(haskellPackages.ghcWithPackages (ps: with ps; [xmonad xmonad-contrib]))
is problematic because it adds both ghc and an unconfigured xmonad to
PATH, e.g.
$ ls -l $(which xmonad ghc)
lrwxrwxrwx ... /run/current-system/sw/bin/ghc -> /nix/store/...-ghc-8.10.2-with-packages/bin/ghc
lrwxrwxrwx ... /run/current-system/sw/bin/xmonad -> /nix/store/...-ghc-8.10.2-with-packages/bin/xmonad
Having the unconfigured xmonad on PATH is particularly bad because
restarting xmonad will dump the user into the unconfigured version, and
if no local config exists (e.g. in $HOME/.xmonad/xmonad.hs), they'll be
left in this unconfigured state.
In this commmit, we give the configured xmonad runtime access to ghc
like xmonad-with-packages does for the unconfigured version. The aim
is to allow the user to switch between the nixos module's config and a
local config (e.g. $HOME/.xmonad/xmonad.hs) at will, so they can try out
config changes without performing a nixos-rebuild.
Since the xmonad on PATH is the configured executable, there's no
danger a user could unwittingly restart into the unconfigured version,
and because xmonad will refuse to recompile when no local config
exists, there's no danger a user could unwittingly recompile into an
unconfigured version.
Given that a local config exists, the recompile/restart behavior depends
on two factors:
- which entry point is used
* 'XMonad.xmonad' (default)
* 'XMonad.launch' (recommended in "config" option description)
- what operation is triggered (i.e. via mod+q)
* `spawn "xmonad --recompile && xmonad --restart"` (default)
* `restart "xmonad" True`
* custom function
If the default 'XMonad.xmonad' entrypoint and default mod+q operation
are used, hitting mod+q will compile and exec the local config, which
will remain in use until next time the display manager is restarted.
If the entrypoint is changed to 'XMonad.launch' but mod+q left with its
default operation, hitting mod+q will have no visible effect. The logs
(as seen by running `journalctl --identifier xmonad --follow`) will show
an error,
X Error of failed request: BadAccess (attempt to access private resource denied)
which indicates that the shell was unable to start xmonad because
another window manager is already running (namely, the nixos-configured
xmonad).
https://wiki.haskell.org/Xmonad/Frequently_asked_questions#X_Error_of_failed_request:_BadAccess_.28attempt_to_access_private_resource_denied.29
Changing the mod+q operation to `restart "xmonad" True` (as recommended
in the "config" option's description) will allow a restart of the
nixos-configured xmonad to be triggeredy by hitting mod+q.
Finally, if the entrypoint is 'XMonad.launch', mod+q has been
bound to `restart "xmonad" True` and another key bound to a custom
recompile/restart function (e.g. `compileRestart` as shown in the
"config" option example), the user can switch between the nixos module's
config and their local config, with the custom key switching to the
local config and mod+q switching back.
* nixos/xmonad: refactor let binding
* nixos/xmonad: refactor (eliminate duplicate code)
* nixos/xmonad: install man pages
Prior to this commit, man pages were not installed if the "config"
option was set.
* nixos/xmonad: comment grammar fixups
* nixos/xmonad: writeStateToFile in example config
Calling writeStateToFile prior to recompiling and restarting allows
state (workspaces, etc.) to be preserved across the restart.
* nixos/xmonad: add ivanbrennan to maintainers
* nixos/xmonad: adjust compileRestart example
* nixos/xmonad: add missing import to example config
@poettering decided we only need a limited number of inodes in our /tmp,
so why not limit that for every systemd user? That makes medium-sized nix
builds impossible so this commit restores the old behaviour which is the
kernel default of half the number of physical RAM pages which does not
seem too unreasonable to me.
Since version 5.2.0 there's non-empty stop phase:
ExecStopPost=/usr/bin/env rm -f "/run/knot-resolver/control/%i"
but it's perfectly OK to run that from a different version
(and typically it's no-op anyway). Real-life example where this helps:
https://github.com/NixOS/nixpkgs/issues/49528#issuecomment-747723198
This allows to use files containing only the mpd password without the
permissions, making it easier for other programs connecting to mpd to read the
password from the same password file.
... build-vm-with-bootloader" for EFI systems
This reverts commit 20257280d9, reversing
changes made to 926a1b2094.
It broke nixosTests.installer.simpleUefiSystemdBoot
and right now channel is lagging behing for two weeks.
This reverts commit 8f177612b1.
Attempting to start any service from udev when systemd-udev-settle is
used at all hangs the boot for 2min. See issue #107341.
Prior to this commit, installation over serial console would requiring
manually having to modify the kernel modeline, as described in
https://github.com/NixOS/nixpkgs/issues/58198 .
This is unnecessarily fiddly, so this commit adds a syslinux boot
entry that has serial enabled.
GRUB already has a serial console entry:
2c07a0800a/nixos/modules/installer/cd-dvd/iso-image.nix (L311-L317)
Why 115200 bps? This is already used in other places, e.g. https://github.com/NixOS/nixpkgs/pull/58196
I tested this change by building the image, booting the image, and
observing the boot process over serial:
$ cd nixos/
$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix
$ sudo cp /nix/store/arcl702c3z8xlndlvnfplq9yhixjvs9k-nixos-20.09pre-git-x86_64-linux.iso/iso/nixos-20.09pre-git-x86_64-linux.iso /dev/sdb
$ picocom -b 115200 /dev/ttyUSB0
`nixos-rebuild build-vm-with-bootloader` currently fails with the
default NixOS EFI configuration:
$ cat >configuration.nix <<EOF
{
fileSystems."/".device = "/dev/sda1";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
}
EOF
$ nixos-rebuild build-vm-with-bootloader -I nixos-config=$PWD/configuration.nix -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixos-20.09.tar.gz
[...]
insmod: ERROR: could not insert module /nix/store/1ibmgfr13r8b6xyn4f0wj115819f359c-linux-5.4.83/lib/modules/5.4.83/kernel/fs/efivarfs/efivarfs.ko.xz: No such device
mount: /sys/firmware/efi/efivars: mount point does not exist.
[ 1.908328] reboot: Power down
builder for '/nix/store/dx2ycclyknvibrskwmii42sgyalagjxa-nixos-boot-disk.drv' failed with exit code 32
[...]
Fix it by setting virtualisation.useEFIBoot = true in qemu-vm.nix, when
efi is needed.
And remove the now unneeded configuration in
./nixos/tests/systemd-boot.nix, since it's handled globally.
Before:
* release-20.03: successful build, unsuccessful run
* release-20.09 (and master): unsuccessful build
After:
* Successful build and run.
Fixes https://github.com/NixOS/nixpkgs/issues/107255
Fixes that `containers.<name>.extraVeths.<name>` configuration was not
always applied.
When configuring `containers.<name>.extraVeths.<name>` and not
configuring one of `containers.<name>.localAddress`, `.localAddress6`,
`.hostAddress`, `.hostAddress6` or `.hostBridge` the veth was created,
but otherwise no configuration (i.e. no ip) was applied.
nixos-container always configures the primary veth (when `.localAddress`
or `.hostAddress` is set) to be the containers default gateway, so
this fix is required to create a veth in containers that use a different
default gateway.
To test this patch configure the following container and check if the
addresses are applied:
```
containers.testveth = {
extraVeths.testveth = {
hostAddress = "192.168.13.2";
localAddress = "192.168.13.1";
};
config = {...}:{};
};
```
This means that all systems running from master will trigger
new certificate creation on next rebuild. Race conditions around
multiple account creation are fixed in #106857, not this commit.
Previously the .enable option was used to encode the condition as well,
which lead to some oddness:
- In order to encode an assertion, one had to invert it
- To disable a check, one had to mkForce it
By introducing a separate .check option this is solved because:
- It can be used to encode assertions
- Disabling is done separately with .enable option, whose default can be
overridden without a mkForce
Since slurm-20.11.0.1 the dbd server requires slurmdbd.conf to be
in mode 600 to protect the database password. This change creates
slurmdbd.conf on-the-fly at service startup and thus avoids that
the database password ends up in the nix store.
It's very surprising that services.tor.client.enable would set
services.privoxy.enable. This violates the principle of least
astonishment, because it's Privoxy that can integrate with Tor, rather
than the other way around.
So this patch moves the Privoxy Tor integration to the Privoxy module,
and it also disables it by default. This change is documented in the
release notes.
Reported-by: V <v@anomalous.eu>
configuration.nix(1) states
users.extraUsers.<name>.createHome
[...] If [...] the home directory already exists but is not
owned by the user, directory owner and group will be changed to
match the user.
i.e. ownership would change only if the user mismatched; the code
however ignores the owner, it is sufficient to enable `createHome`:
if ($u->{createHome}) {
make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
chown $u->{uid}, $u->{gid}, $u->{home};
}
Furthermore, permissions are ignored on already existing directories and
therefore may allow others to read private data eventually.
Given that createHome already acts as switch to not only create but
effectively own the home directory, manage permissions in the same
manner to ensure the intended default and cover all primary attributes.
Avoid yet another configuration option to have administrators make a
clear and simple choice between securely managing home directories
and optionally defering management to own code (taking care of custom
location, ownership, mode, extended attributes, etc.).
While here, simplify and thereby fix misleading documentation.
Mailman can now work with MTAs other than Postfix. You'll have to configure
it yourself using the options in `services.mailman.settings.mta`.
This addition is reflected in the release notes for 21.03.
This partially reverts bf3d3dd19b.
I don't know why we weren't getting a default logfile back then but Xorg
definitely provides one now ($XDG_DATA_HOME for regular users and /var/log for
root, see `man Xorg`)
Only set Before=display-manager.service if it is actually present.
On headless systems, `systemctl list-units --state not-found` will
otherwise show display-manager.service.
Reported-In: https://github.com/NixOS/nixpkgs/issues/88597
Dnscrypt-proxy needs some options to be set before it can do anything useful.
Currently, we only apply what the user configured which, by default, is nothing.
This leads to the dnscrypt-proxy2 service failing to start when you only set
`enable = true;` which is not a great user experience.
This patch makes the module take the example config from the upstream repo as a
base on top of which the user-specified settings are applied (it contains sane
defaults).
An option has been added to restore the old behaviour.
`file_exists` also returns `FALSE` if the file is in a directory that
can't be read by the user. This e.g. happens if permissions for
`nixops(1)`-deployment keys aren't configured correctly.
This patch improves the error message for invalid files to avoid
confusion[1].
[1] https://discourse.nixos.org/t/nixops-deploy-secrets-to-nextcloud/10414/4
This patch:
* Removes an invalid/useless classpath element;
* Removes an unnecessary environment variable;
* Creates the required '/version-2' data subdirectory;
* Redirects audit logging to the "console" (systemd) by default.
Unbound throws the following error:
--8<---------------cut here---------------start------------->8---
error: failed to list interfaces: getifaddrs: Address family not supported by protocol
fatal error: could not open ports
--8<---------------cut here---------------end--------------->8---
The solution is pulled from upstream:
https://github.com/NLnetLabs/unbound/pull/351
Unfortunately, I had a use-case where `services.nginx.config` was
necessary quite recently. While working on that config I had to look up
the module's code to understand which options can be used and which
don't.
To slightly improve the situation, I changed the documentation like
this:
* Added `types.str` as type since `config` is not mergeable on purpose.
It must be a string as it's rendered verbatim into `nginx.conf` and if
the type is `unspecified`, it can be confused with RFC42-like options.
* Mention which config options that don't generate config in
`nginx.conf` are NOT mutually exclusive.
There was some issues with the fallback to passive mode on 2.3, but on
2.4 adaptive mode is always enabled upstream and thermald will fallback
to passive if necessary.
a6e68a65b5/data/thermald.service.in (L9)
This replaces `concatStringsSep "\n"` with the proper generator to make sure
that the generated configuration file ends with a trailing `\n`, which is
required by ssmtp's picky configuration parser to take the last configuration
key into account.
GitHub: closes#105704
This simplifies testing changes to the tailscale service on a local
machine. You can use this as such:
```nix
let
tailscale_patched = magic {};
in {
services.tailscale = {
enable = true;
package = tailscale_patched;
};
};
```
Signed-off-by: Christine Dodrill <me@christine.website>
Previously this option was thought to be necessary to avoid infinite
recursion, but it actually isn't, since the check evaluation isn't fed
back into the module fixed-point.
I've also removed PrivateTmp = true because this is implied by dynamic user.
I've left ProtectHome = true because I believe this is stronger than
ProtectHome = "read-only" which DynamicUser implies.
This allows capping the total amount of memory that will be used for
zram-swap, in addition to the percentage-based calculation, which is
useful when blanket-applying a configuration to many machines.
This is based off the strategy used by Fedora for their rollout of
zram-swap-by-default in Fedora 33
(https://fedoraproject.org/wiki/Changes/SwapOnZRAM), which caps the
maximum amount of memory used for zram at 4GiB.
In future it might be good to port this to the systemd zram-generator,
instead of using this separate infrastructure.
This resolves issue #101963.
When the service is started and no interface is ready yet, wpa_supplicant
is being exec'd with no `-i` flags, thus failing. Once the interfaces
are ready, the udev rule would fire but wouldn't restart the unit because
it wasn't currently running (see systemctl(1) try-restart).
The solution is to exit (with a clear error message) but always restart
wpa_supplicant when the interfaces are modified.
This release replaces the libpulseaudio shim with a pipewire module that acts as a fake pulseaudio server along with a systemd service that loads that module on demand.
The metadata fetcher scripts run each time an instance starts, and it
is not safe to assume that responses from the instance metadata
service (IMDS) will be as they were on first boot.
Example: an EC2 instance can have its user data changed while
the instance is stopped. When the instance is restarted, we want to
see the new user data applied.
The old slapd.conf is deprecated. Replace with slapd.d, and use this
opportunity to write some structured settings.
Incidentally, this fixes the fact that openldap is reported up before
any checks have completed, by using forking mode.
According to Freenode's ##AWS, the metadata server can sometimes
take a few moments to get its shoes on, and the very first boot
of a machine can see failed requests for a few moments.
AWS's metadata service has two versions. Version 1 allowed plain HTTP
requests to get metadata. However, this was frequently abused when a
user could trick an AWS-hosted server in to proxying requests to the
metadata service. Since the metadata service is frequently used to
generate AWS access keys, this is pretty gnarly. Version two is
identical except it requires the caller to request a token and provide
it on each request.
Today, starting a NixOS AMI in EC2 where the metadata service is
configured to only allow v2 requests fails: the user's SSH key is not
placed, and configuration provided by the user-data is not applied.
The server is useless. This patch addresses that.
Note the dependency on curl is not a joyful one, and it expand the
initrd by 30M. However, see the added comment for more information
about why this is needed. Note the idea of using `echo` and `nc` are
laughable. Don't do that.
This gets automatically disabled by docker if the docker backend is
used, but the bundled containerd also doesn't seem to support cgroupsv2,
so disable it explicitly here, too.
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.
Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.
Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.
Fixes#73800
Whenever I try to scan from another computer it has to establish >2
connections in order to succeed. With the connections being limited to 1
I can not scan any document.
This is also what other distributions ([Debian], [ArchLinux], …) have
done in one way or another.
[Debian]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850649#5
[ArchLinux]: no limit: 99cba454bb/trunk/saned.socket (L4)
We currently build CONFIG_IPV6=m.
This seems to be not really well-supported in mainline kernels - see
https://lore.kernel.org/netdev/20201115224509.2020651-1-flokli@flokli.de/T/#u
Compiling it as a module doesn't give too much benefit - even for people
who did explicitly set `enableIPv6` to false, the `ipv6` module was
still loaded, as soon as another module was loaded that requires it
(bridge,br_netfilter,wireguard,ip6table_mangle,sctp,…).
By compiling it in, we only loose the possibility to not add it to
`boot.kernelModules` anymore (as it's part of the kernel directly). The
space savings are negligible.
People wanting to disable IPv6 still get the appropriate sysctls and
options set (while having the kernel code loaded), nothing is really
changing here.
This adds a `package` option to allow for easier overriding of the used
CodiMD version and `runCommandLocal` with `nativeBuildInputs` is now
used to pretty print the configuration.
This used to be done by udev, but that was removed in
systemd/systemd@6b2229c. The links are created by systemd at the end of
stage-2, but activation scripts might need them earlier.
This is to ensure that whenever we install the desktop item we also have
the script installed. Prior to b02719a we always had the reference to
the script in the desktop item. Since desktop items are being copied to
home directories and thus "bit rod" over time that absolute path was
removed.
Other units depend on nss-lookup.target and expect the DNS resolution to
work once that target is reached. The previous version
`wants=nss-lookup.target` made this unit require the nss-lookup.target
to be reached before this was started.
Another change that we can probalby do is drop the before relationship
with the nss-lookup.target. That might just be implied with the current
version.
This option allows users to specify a local UNIX control socket to
"remote control" the daemon. System users, that should be permitted to
access the daemon, must be in the `unbound` group in order to access the
socket. When a socket path is configured we are also creating the
required group.
Currently this only supports the UNIX socket mode while unbound actually
supports more advanced types. Users are still able to configure more
complex scenarios via the `extraConfig` attribute.
When this option is set to `null` (the default) it doesn't affect the
system configuration at all. The unbound defaults for control sockets
apply and no additional groups are created.
Previously we just applied a very minimal set of restrictions and
trusted unbound to properly drop root privs and capabilities.
With this change I am (for the most part) just using the upstream
example unit file for unbound. The main difference is that we start
unbound was `unbound` user with the required capabilities instead of
letting unbound do the chroot & uid/gid changes.
The upstream unit configuration this is based on is a lot stricter with
all kinds of permissions then our previous variant. It also came with
the default of having the `Type` set to `notify`, therefore we are also
using the `unbound-with-systemd` package here. Unbound will start up,
read the configuration files and start listening on the configured ports
before systemd will declare the unit "running". This will likely help
with startup order and the occasional race condition during system
activation where the DNS service is started but not yet ready to answer
queries.
Aditionally to the much stricter runtime environmet I removed the
`/dev/urandom` mount lines we previously had in the code (that would
randomly fail during `stop`-phase).
The `preStart` script is now only required if we enabled the trust
anchor updates (which are still enabled by default).
Another beneefit of the refactoring is that we can now issue reloads via
either `pkill -HUP unbound` or `systemctl reload unbound` to reload the
running configuration without taking the daemon offline. A prerequisite
of this was that unbound configuration is available on a well known path
on the file system. I went for /etc/unbound/unbound.conf as that is the
default in the CLI tooling which in turn enables us to use
`unbound-control` without passing a custom configuration location.
This adds modules for the icecream scheduler and daemon.
Icecream can be used for distributed compilation, especially in
environments with diverse toolchains, since it sends the complete build
environment to the daemon.
Unfortunatley the daemon can't be run with DynamicUser = true, since the
daemon requires to be started as root in order to accept other build
environments, see [1].
[1]: https://github.com/icecc/icecream#using-icecream-in-heterogeneous-environments
For the same reason Alertmanager supports environmentFile to pass
secrets along, it is useful to support the same for Prometheus'
configuration to store bearer tokens outside the Nix store.
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.
NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.
I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
* nixos/postgresql: fix inaccurate docs for authentication
We actually use peer authentication, then md5 based authentication.
trust is not used.
* Use a link for mkForce docs
Co-authored-by: aszlig <aszlig@redmoonstudios.org>
Co-authored-by: lf- <lf-@users.noreply.github.com>
Co-authored-by: aszlig <aszlig@redmoonstudios.org>
Use of Tailscale requires using the `tailscale` CLI to talk to the
daemon. If the CLI isn't in systemPackages, the resulting user experience
is confusing as the Tailscale daemon does nothing.
Signed-off-by: David Anderson <dave@natulte.net>