This means that all systems running from master will trigger
new certificate creation on next rebuild. Race conditions around
multiple account creation are fixed in #106857, not this commit.
Previously the .enable option was used to encode the condition as well,
which lead to some oddness:
- In order to encode an assertion, one had to invert it
- To disable a check, one had to mkForce it
By introducing a separate .check option this is solved because:
- It can be used to encode assertions
- Disabling is done separately with .enable option, whose default can be
overridden without a mkForce
Since slurm-20.11.0.1 the dbd server requires slurmdbd.conf to be
in mode 600 to protect the database password. This change creates
slurmdbd.conf on-the-fly at service startup and thus avoids that
the database password ends up in the nix store.
It's very surprising that services.tor.client.enable would set
services.privoxy.enable. This violates the principle of least
astonishment, because it's Privoxy that can integrate with Tor, rather
than the other way around.
So this patch moves the Privoxy Tor integration to the Privoxy module,
and it also disables it by default. This change is documented in the
release notes.
Reported-by: V <v@anomalous.eu>
configuration.nix(1) states
users.extraUsers.<name>.createHome
[...] If [...] the home directory already exists but is not
owned by the user, directory owner and group will be changed to
match the user.
i.e. ownership would change only if the user mismatched; the code
however ignores the owner, it is sufficient to enable `createHome`:
if ($u->{createHome}) {
make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
chown $u->{uid}, $u->{gid}, $u->{home};
}
Furthermore, permissions are ignored on already existing directories and
therefore may allow others to read private data eventually.
Given that createHome already acts as switch to not only create but
effectively own the home directory, manage permissions in the same
manner to ensure the intended default and cover all primary attributes.
Avoid yet another configuration option to have administrators make a
clear and simple choice between securely managing home directories
and optionally defering management to own code (taking care of custom
location, ownership, mode, extended attributes, etc.).
While here, simplify and thereby fix misleading documentation.
Mailman can now work with MTAs other than Postfix. You'll have to configure
it yourself using the options in `services.mailman.settings.mta`.
This addition is reflected in the release notes for 21.03.
This partially reverts bf3d3dd19b.
I don't know why we weren't getting a default logfile back then but Xorg
definitely provides one now ($XDG_DATA_HOME for regular users and /var/log for
root, see `man Xorg`)
Only set Before=display-manager.service if it is actually present.
On headless systems, `systemctl list-units --state not-found` will
otherwise show display-manager.service.
Reported-In: https://github.com/NixOS/nixpkgs/issues/88597
Dnscrypt-proxy needs some options to be set before it can do anything useful.
Currently, we only apply what the user configured which, by default, is nothing.
This leads to the dnscrypt-proxy2 service failing to start when you only set
`enable = true;` which is not a great user experience.
This patch makes the module take the example config from the upstream repo as a
base on top of which the user-specified settings are applied (it contains sane
defaults).
An option has been added to restore the old behaviour.
`file_exists` also returns `FALSE` if the file is in a directory that
can't be read by the user. This e.g. happens if permissions for
`nixops(1)`-deployment keys aren't configured correctly.
This patch improves the error message for invalid files to avoid
confusion[1].
[1] https://discourse.nixos.org/t/nixops-deploy-secrets-to-nextcloud/10414/4
This patch:
* Removes an invalid/useless classpath element;
* Removes an unnecessary environment variable;
* Creates the required '/version-2' data subdirectory;
* Redirects audit logging to the "console" (systemd) by default.
Unbound throws the following error:
--8<---------------cut here---------------start------------->8---
error: failed to list interfaces: getifaddrs: Address family not supported by protocol
fatal error: could not open ports
--8<---------------cut here---------------end--------------->8---
The solution is pulled from upstream:
https://github.com/NLnetLabs/unbound/pull/351
Unfortunately, I had a use-case where `services.nginx.config` was
necessary quite recently. While working on that config I had to look up
the module's code to understand which options can be used and which
don't.
To slightly improve the situation, I changed the documentation like
this:
* Added `types.str` as type since `config` is not mergeable on purpose.
It must be a string as it's rendered verbatim into `nginx.conf` and if
the type is `unspecified`, it can be confused with RFC42-like options.
* Mention which config options that don't generate config in
`nginx.conf` are NOT mutually exclusive.
There was some issues with the fallback to passive mode on 2.3, but on
2.4 adaptive mode is always enabled upstream and thermald will fallback
to passive if necessary.
a6e68a65b5/data/thermald.service.in (L9)
This replaces `concatStringsSep "\n"` with the proper generator to make sure
that the generated configuration file ends with a trailing `\n`, which is
required by ssmtp's picky configuration parser to take the last configuration
key into account.
GitHub: closes#105704
This simplifies testing changes to the tailscale service on a local
machine. You can use this as such:
```nix
let
tailscale_patched = magic {};
in {
services.tailscale = {
enable = true;
package = tailscale_patched;
};
};
```
Signed-off-by: Christine Dodrill <me@christine.website>
Previously this option was thought to be necessary to avoid infinite
recursion, but it actually isn't, since the check evaluation isn't fed
back into the module fixed-point.
I've also removed PrivateTmp = true because this is implied by dynamic user.
I've left ProtectHome = true because I believe this is stronger than
ProtectHome = "read-only" which DynamicUser implies.
This allows capping the total amount of memory that will be used for
zram-swap, in addition to the percentage-based calculation, which is
useful when blanket-applying a configuration to many machines.
This is based off the strategy used by Fedora for their rollout of
zram-swap-by-default in Fedora 33
(https://fedoraproject.org/wiki/Changes/SwapOnZRAM), which caps the
maximum amount of memory used for zram at 4GiB.
In future it might be good to port this to the systemd zram-generator,
instead of using this separate infrastructure.
This resolves issue #101963.
When the service is started and no interface is ready yet, wpa_supplicant
is being exec'd with no `-i` flags, thus failing. Once the interfaces
are ready, the udev rule would fire but wouldn't restart the unit because
it wasn't currently running (see systemctl(1) try-restart).
The solution is to exit (with a clear error message) but always restart
wpa_supplicant when the interfaces are modified.
This release replaces the libpulseaudio shim with a pipewire module that acts as a fake pulseaudio server along with a systemd service that loads that module on demand.
The metadata fetcher scripts run each time an instance starts, and it
is not safe to assume that responses from the instance metadata
service (IMDS) will be as they were on first boot.
Example: an EC2 instance can have its user data changed while
the instance is stopped. When the instance is restarted, we want to
see the new user data applied.
The old slapd.conf is deprecated. Replace with slapd.d, and use this
opportunity to write some structured settings.
Incidentally, this fixes the fact that openldap is reported up before
any checks have completed, by using forking mode.
According to Freenode's ##AWS, the metadata server can sometimes
take a few moments to get its shoes on, and the very first boot
of a machine can see failed requests for a few moments.
AWS's metadata service has two versions. Version 1 allowed plain HTTP
requests to get metadata. However, this was frequently abused when a
user could trick an AWS-hosted server in to proxying requests to the
metadata service. Since the metadata service is frequently used to
generate AWS access keys, this is pretty gnarly. Version two is
identical except it requires the caller to request a token and provide
it on each request.
Today, starting a NixOS AMI in EC2 where the metadata service is
configured to only allow v2 requests fails: the user's SSH key is not
placed, and configuration provided by the user-data is not applied.
The server is useless. This patch addresses that.
Note the dependency on curl is not a joyful one, and it expand the
initrd by 30M. However, see the added comment for more information
about why this is needed. Note the idea of using `echo` and `nc` are
laughable. Don't do that.
This gets automatically disabled by docker if the docker backend is
used, but the bundled containerd also doesn't seem to support cgroupsv2,
so disable it explicitly here, too.
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.
Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.
Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.
Fixes#73800
Whenever I try to scan from another computer it has to establish >2
connections in order to succeed. With the connections being limited to 1
I can not scan any document.
This is also what other distributions ([Debian], [ArchLinux], …) have
done in one way or another.
[Debian]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850649#5
[ArchLinux]: no limit: 99cba454bb/trunk/saned.socket (L4)
We currently build CONFIG_IPV6=m.
This seems to be not really well-supported in mainline kernels - see
https://lore.kernel.org/netdev/20201115224509.2020651-1-flokli@flokli.de/T/#u
Compiling it as a module doesn't give too much benefit - even for people
who did explicitly set `enableIPv6` to false, the `ipv6` module was
still loaded, as soon as another module was loaded that requires it
(bridge,br_netfilter,wireguard,ip6table_mangle,sctp,…).
By compiling it in, we only loose the possibility to not add it to
`boot.kernelModules` anymore (as it's part of the kernel directly). The
space savings are negligible.
People wanting to disable IPv6 still get the appropriate sysctls and
options set (while having the kernel code loaded), nothing is really
changing here.
This adds a `package` option to allow for easier overriding of the used
CodiMD version and `runCommandLocal` with `nativeBuildInputs` is now
used to pretty print the configuration.
This used to be done by udev, but that was removed in
systemd/systemd@6b2229c. The links are created by systemd at the end of
stage-2, but activation scripts might need them earlier.
This is to ensure that whenever we install the desktop item we also have
the script installed. Prior to b02719a we always had the reference to
the script in the desktop item. Since desktop items are being copied to
home directories and thus "bit rod" over time that absolute path was
removed.