Didn't notice this till I tried removing my custom roon user from the one I was testing with. There's not a 'groups' option for users, only group (primary group) and extraGroups. Use these.
(#68337)
Samba 3 has been discontinued since Q1/2015. So I think it's time
to just wipe it from the pkgs. FuseSMB is pretty much abandoned,
upstream does not exist and it's also not as useful as it used to
be anyways.
osquery was marked as broken since April.
If somebody steps up to fix it, we can always revive it from the
histroy, but there's not much value in shipping completely broken things
in current master.
cc @ma27
As part of the networking.* name space cleanup, connman should be moved
to services.connman. The same will happen for example with
networkmanager in a separate PR.
The binary name was recently changed from openarena-server to oa_ded in
https://github.com/NixOS/nixpkgs/pull/71122 .
That change broke the openarena module and consequently the openarena
test too. This commit fixes both.
As an alternative, we considered reverting the name change in
https://github.com/NixOS/nixpkgs/pull/72824 but we decided oa_ded was
a better name for the binary (it's the name upstream use).
Unfortunately, you can't configure the default user-session
with GDM like lightdm. I've opened a feature request [0]
but I'd like to be able to do this now.
We use a GObject Python script using bindings to AccountsService
to achieve this. I'm hoping the reliable heuristic for session names
is the file's basename. We also have some special logic for which
method to use to set the default session. It seems set_x_session is
deprecated, and thusly the XSession key, but if that method isn't used
when it's an xsession it won't be the default in GDM.
[0]: https://gitlab.gnome.org/GNOME/gdm/issues/535
- Add services.hardware.bluetooth.config option
- Use lib.generators.toINI with both config and extraConfig options
hardware/bluetooth: a couple suggestions
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
The new description should give more clear understanding of when to
edit the option.
I used NixOS to set up a DNS server that is authoritative for certain
zones. The description of the `cacheNetworks` option made me think I
needed to set it to `"any"` to allow people to query the zone I set
up. Reading the source of the module would have clarified my
understanding, but at the time I just read the description and thought
little of it. Later I discovered I was getting tons of DNS requests
and presumably being used for a DNS amplification attack or similar.
I have fixed the problem now, but I would like the option to have a
clearer description so others don't make the same mistake I did.
most likely, people enabling the lorri module also want to use it,
without explicitly having to add it to users.users.<username>.packages.
cc @curiousleo @Profpatsch
Add a virtual user system based around pam and a Berkeley
user database.
Adding the:
- localRoot
- userDbPath
- allowWriteableChroot
- virtualUseLocalPrivs
Vsftpd options.
Ever since setting up bonding the `wpa_supplicant-unit-start` script has
been failing. This is because the file `bonding_masters` in
`/sys/class/net/` is *not* a directory containing `uevent`.
Adding a test to verify the `uevent` path to be sourced exists resolves
the problem.
The SLIM project is abandoned and their last release was in 2013.
Because of this it poses a security risk to systems, no one is working
on it or picked up maintenance. It also lacks compatibility with systemd
and logind sessions. For users, there liikely isn't anything like slim
that's as lightweight in terms of dependencies.
Slurmdbd requires a password database which is stored in slurmdbd.conf.
A seperate config file avoids that the password ends up in the nix store.
Slurmdbd does 19.5 does not support MySQL socket conections.
Adapated the slurm test to provide username and password.
* Fix path in module for slurm to find plugstack.conf
* Fix configure flags so that slurm can be compiled
without internal X11 support (required for spank-x11).
This prevents services to be started before they're initialized, and
renders the `systemd.targets.ceph.wantedBy = lib.mkForce [];` hack in
the vm tests obsolete - The config now starts up ceph after a reboot,
too.
Let's take advantage of that, crash all VMs, and boot them up again.
Don't pass user and group to ceph, and rely on it to drop ceps, but let
systemd handle running it as the appropriate user.
This also inlines the extraServiceConfig into the makeService function,
as we have conditionals depending on daemonType there anyways.
Use StateDirectory to create directories in
/var/lib/ceph/${daemonType}/${clusterName}-${daemonId}.
There previously was a condition on daemonType being one of mds,mon,rgw
or mgr. We only instantiate makeServices with these types, and "osd" was
special.
In the osd case, test examples suggest it'd be in something like
/var/lib/ceph/osd/ceph-${cfg.osd0.name} - so it's not special at all,
but exactly like the pattern for the others.
During initialization, we also need these folders, before the unit is
started up. Move the mkdir -p commands in the vm tests to the line
immediately before they're required.
The two new options make it possible to create the interface in one namespace
and move it to a different one, as explained at https://www.wireguard.com/netns/.
In cases where you boot up really quickly (like in the VM test on a
non-busy host), tinydns might want to bind before the loopback interface
is fully up. Order tinydns after network.target to fix that.
Incorrect merging of modules resulted in dhcpcd being enabled causing flaky network connection.
https://github.com/NixOS/nixpkgs/pull/64364
Fixing it uncovered an infinite recursion from the same commit, previously masked by the incorrect merge.
We can just drop the `mkDefault` for `networking.wireless.enable` as it is already `false` by default.
Closes: https://github.com/NixOS/nixpkgs/issues/72416
When we did the revert of adding gnome-flashback to systemd.packages [0]
I forgot to test with other display managers. If we use GDM with gnome-flashback
it appears it doesn't try to fallback to non-systemd startup and always fails and
starts the regular gnome-session. So adding gnome-flashback to systemd.packages
was perfectly fine, but we did forgot one detail. We need systemd targets for the
customSessions which is added using mkSystemdTargetForWm in the gnome-
flashback package.
[0]: 42f567b30d
This change ensures that `dhcpcd.service` is restarted as soon as the
exit hook changes. I use this hook to do additional configuration for my
network (like setting a route via the given gateway to my WireGuard) and
when changing parts of this exit hook I'd expect to get this activated
when switching to my new configuration.
When the option services.vault.storageBackend is set to "file", a
systemd.tmpfiles.rules was added, with extraneous []. These are not
needed and have been removed.
This is a good example of a package/module that should be distributed
externally (e.g. as a flake [1]): it's not stable yet so anybody who
seriously wants to use it will want to use the upstream repo. Also,
it's highly specialized so NixOS is not really the right place at the
moment (every NixOS module slows down NixOS evaluation for everybody).
[1] https://github.com/edolstra/jormungandr/tree/flake
Instead of assign the libinput options to touchpad devices only, it
should be appied by any device using libinput.
Due to the fact that `40-libinput.conf` already defines libinput as
driver for any detected input device, we can use `MatchDriver` to appy
options.
I've noticed a similar issue in Pantheon, without this
sound theme installed there's no system sounds.
I believe it's because the gnome theme and the pantheon
theme inherit this one.
It seems that dnsdist doesn't actually request CAP_NET_BIND_SERVICE, which is why normally it's executed and root and setuids to another, unprivileged, user. This means that as it is, dnsdist will be unable to bind to any port under 1024 and will fail with access denied.
Removing CAP_SETGID and CAP_SETUID is also related to this as we don't actually change the uid or gid after the fact as we use DynamicUser. (That part isn't strictly NEEDED but there's no reason to have those capabilities if we don't use them).
There are also some additional sandboxing we can remove from the service definition as they are assumed true or strict by DynamicUser: specifically PrivateTmp and ProtectSystem respectively.
ProtectHome is still there, despite being assumed read-only as setting it to true means they are seen as empty. I don't think it really matters as I don't know if systemd will ignore it or not, but I didn't see any reason to go hunting for excuses to make it a bigger change.
- spawn the geoclue-agent directly instead of running it via bash
- document why we cannot use DynamicUser = true
- have systemd create the home directory instead of using an explicit
tmpfiles.d fragment
* lm_sensors: add fancontrol module + nixos test
fancontrol is a small script that checks temperature sensors and adapts
fan speeds accordingly. It reads a text config file that can be
auto-generated by running the pwmconfig wizard on the live system.
Default behavior is to continue executing the script even when one or
multiple steps fail. We want to abort early if any part of the
initialization fails to not run with a partially initialized state.
Default behavior also allows dereferencing non-existent variables,
potentially resulting in hard-to-find bugs.
This option was removed because allowing (multiple) regular users to
override host entries affecting the whole system opens up a huge attack
vector. There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using networking.hosts,
provide them via the DNS server in your network, or use
networking.networkmanager.appendNameservers to point your system to
another (local) nameserver to set those entries.
This reverts commit 60aedadc59.
Using tests from #71212 I am now unable to reproduce there being issues
with starting the default metacity flashback session without this.
On start, unicorn, sidekiq and other parts running ruby code emits
quite a few warnings similar to
/var/gitlab/state/config/application.rb:202: warning: already initialized constant Gitlab::Application::LOOSE_EE_APP_ASSETS
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/config/application.rb:202: warning: previous definition of LOOSE_EE_APP_ASSETS was here
/var/gitlab/state/lib/gitlab.rb:38: warning: already initialized constant Gitlab::COM_URL
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/lib/gitlab.rb:38: warning: previous definition of COM_URL was here
This seems to be caused by the same ruby files being evaluated
multiple times due to the paths being different - sometimes they're
loaded using the direct path and sometimes through a symlink, due to
our split between config and package data. To fix this, we make sure
that the offending files in the state directory always reference the
store path, regardless of that being the real file or a symlink.
We create a wrapper which launches gnome-shell with the correct environment and
cap_sys_nice.
We can then override gnome-shell-wayland.service to use this wrapper.
NOTE: We need to force clear the environment, because the defaults aren't good
for user services. That should probably be fixed.
Otherwise connecting simply fails:
VPN connection: failed to connect: 'La création du fichier « /tmp/lib/NetworkManager-fortisslvpn/0507e3ef-f0e0-4153-af64-b3d9a025877c.config.XSB19Z » a échoué : No such file or directory'
This reverts commit 2ee14c34ed.
This caused the initializers directory to be cleaned out while gitlab
was running in some instances. We clean out the directory on the
preStart stage already, so ensuring existance and permissions should
suffice.
This fixes an issue with a recent addition of a config file
check in c28ded36ef.
Previously it was possible to supply a path as a string
to `configFile`. Now it will fail checking the config file
during evaluation of the module due to sandboxing.
A toggle to disable the check, more informative log messages
and handling for various configFile values are added.
This session would fail to start because we didn't have it in systemd.packages
(as we've switched to systemd gnome-session).
Haven't tested custom sessions.
Bumps `matrix-synapse` to version 1.4.0[1]. With this version the
following changes in the matrix-synapse module were needed:
* Removed `trusted_third_party_id_servers`: option is marked as deprecated
and ignored by matrix-synapse[2].
* Added `account_threepid_delegates` options as replacement for 3rdparty
server features[3].
* Added `redaction_retention_period` option to configure how long
redacted options should be kept in the database.
* Added `ma27` as maintainer for `matrix-synapse`.
Co-Authored-By: Notkea <pacien@users.noreply.github.com>
Co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
[1] https://matrix.org/blog/2019/10/03/synapse-1-4-0-released
[2] https://github.com/matrix-org/synapse/pull/5875
[3] https://github.com/matrix-org/synapse/pull/5876
This fixes a regression from bb649d96b0.
There were permission problems, when the preStart script tried to copy
the smokeping.fcgi file over the old file.
When having backup jobs that persist to a removable device like an
external HDD, the directory shouldn't be created by an activation script
as this might confuse auto-mounting tools such as udiskie(8).
In this case the job will simply fail, with the former approach
udiskie ran into some issues as the path `/run/media/ma27/backup` was
already there and owned by root.
This option was added by mistake since `listenAddress` exists by default
for each prometheus-exporter. Using
`services.prometheus.exporters.wireguard.addr` will now cause a warning,
but doesn't break eval.
Having `display-manager` conflict with `plymouth-quit` causes this lock up:
- `plymouth-quit-wait` starts up, waiting for plymouth-quit to run
- `lightdm` starts up
- `plymouth-quit` can't start, it conflicts with lightdm
- `plymouth-quit-wait` keeps waiting on plymouth-quit to kill plymouthd
The idea is having LightDM control when plymouth quits, but communication with
plymouth was broken: https://github.com/NixOS/nixpkgs/pull/71064
Unfortunately having the conflict breaks switching to configurations with
plymouth enabled. So we still need to remove the conflict.
fixes#71034
In fact, don't create them at all because Nix does that automatically.
Also remove modules/programs/shell.nix because everything it did is
now done automatically by Nix.
gitlab:db:configure prints the root user's password to stdout on
successful setup, which means it will be logged to the
journal. Silence this informational output. Errors are printed to
stderr and will thus still be let through.
The mime type definitions included with nginx are very incomplete, so
we use a list of mime types from the mailcap package, which is also
used by most other Linux distributions by default.
xfce4-volumed-pulse is not abandoned, but is superseded by a panel
plugin which is not available when not using the desktop.
Fixes: volume up/down keys support
These improvements come from shopping around
at what other downstreams have done with their
systemd units and recent changes like [0] to gdm.
Note there's no requries or after on dbus.socket because
settings BusName will set this up automaticallly and
give it a type of dbus.
[0]: 2d57f45962
The initializers directory is populated with files from the gitlab
distribution on start, but old files will be left in the state folder
even if they're removed from the distribution, which can lead to
startup failures. Fix this by always purging the directory on start
before populating it.
Since the preStart script is no longer running in privileged mode, we
reassign the files in the state directory and its config subdirectory
to the user we're running as. This is done by splitting the preStart
script into a privileged and an unprivileged part where the privileged
part does the reassignment.
Also, delete the database.yml symlink if it exists, since we want to
create a real file in its place.
Fixes#68696.
This introduces an option wifi.backend to the networkmanager module.
Co-authored-by: Cole Mickens <cole.mickens@gmail.com>
Co-authored-by: worldofpeace <worldofpeace@protonmail.ch>
GNOME initial setup's run is conditioned on whether
the gnome-initial-setup-done file exists in XDG_CONFIG_HOME
Because of this, every existing user will have initial setup
running because they never ran it before.
To prevent this we create the file if the users stateVersion
is older than 20.03 (the release we added this module).
Also drop uneeded manual conflicts as systemd.packages
does handle this.
- register gnome-session and gnome-settings-daemon services.
- gnome-shell is already registered due to having a xdg portal
- manually specify that gsd is wanted by gnome-session
(systemd.packages doesn't pick the .wants directories for some reason)
GDM is now killed if tty1 is started after gdm is launched. This follows
upstream's gdm service config.
This might cause problems with nixos-rebuild switch though. See the reasoning
and work that led to not following upstream on this:
https://github.com/NixOS/nixpkgs/issues/214394a180dac46d4da
We don't want to ignore config that can mess up machines. In general
this should always fail evaluation, as you think you are changing
behaviour and don't, which can easily create run-time errors we can
catch early.
https://github.com/MindFlavor/prometheus_wireguard_exporter/releases/tag/3.1.1
This release adds a flag `-l` which takes an address where the exporter
is available. The default is `0.0.0.0` (previously, `0.0.0.0` was used
by default).
Please note that there are no dependency changes in Cargo and therefore
the cargo hash didn't change.
Since version 2.3 (https://github.com/NixOS/nix/pull/2949 which was
cherry-picked to master) Nix issues a warning when --no-net wasn't
passed and there is no network interface. This commit adds the --no-net
flag to the nix.conf check such that no warning is issued.
This commits makes it clearer to a novice reader how to configure several
diferent types of SSID connections that were otherwise obscurely documented
Resolves#66650
Quoting from the splitString docstring:
NOTE: this function is not performant and should never be used.
This replaces trivial uses of splitString for splitting version
strings with the (potentially builtin) splitVersion.
Fixes eval on darwin after #69072
Resolved conflict in pkgs/tools/security/thc-hydra/default.nix
Basically had to revert a1c0e10564 which
adapts #69210 to master that doesn't yet have
329a88efa7
Tested using maintainers/scripts/eval-release.sh before and after to see
that the fix works
This commit adds a Strict-Transport-Security header to
the nginx config file generated by the nextcloud module.
The Strict-Transport-Security header is recommended in
official guide for hardening Nextcloud installations:
https://docs.nextcloud.com/server/16/admin_manual/installation/harden_server.html
Further, if it is not set, we see a warning in the security scan results
in the Nextcloud admin panel:
```
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips
```
Make sure that we don't create a database if we're not going to
connect to it. Also, fix the assertion that usernames be equal to only
trig when peer authentication is used (databaseHost == "").
config.services.postgresql.package is only defined when the postgresql
service is activated, which means we fail to evaluate when
databaseCreateLocally == false. Fix this by using the default
postgresql package when the postgresql service is disabled.
The state path now, since the transition from initialization in
preStart to using systemd-tmpfiles, has the following restriction: no
parent directory can be owned by any other user than root or the user
specified in services.gitlab.user. This is a potentially breaking
change and the cause of the error isn't immediately obvious, so
document it both in the release notes and statePath description.
These are the leftovers of an older PR.
a. Send messages to auditd if auditing is enabled.
b. Add missing dbus configuration if dnsmasq is used for DNS