Related to #72828
Replaces and closes#76708
Looks like `nix ping-store` does not output anything anymore but still
fails when the connection does not work.
This adds the pinns path to the configuration let CRI-O start properly.
We also change the configuration to the new drop-in syntax.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
If `qemu-vm.nix` is imported, the option `virtualisation.qemu.consoles`
should be set to make sure that the machine's output isn't rendered on
the graphical window of QEMU.
This is needed when interactively running a NixOS test or in conjunction
with `nixos-build-vms(8)`.
The patch 2578557530 tries to only do this
if the option actually exists, however this condition used to be always
false since `options` wasn't imported in the module and pointed to
`lib.options` due to the `with lib;`-clause.
This makes the notification script use the subject generated by smartmontools
itself both for consistency with other distros and to include the hostname.
In some tests, e.g. -f nixos/release.nix tests.simple.x86_64-linux
we use noXlibs and qemu.ga. Now that output is tiny but to get it
a full qemu build is done, and some dependencies like gtk3 won't build
with noXlibs due to their dependencies being too stripped down.
Therefore let's reduce qemu features in noXlibs case.
The `sdlSupport = false;` part probably wasn't needed,
but I added it for consistency.
Discovered via https://github.com/NixOS/nixpkgs/pull/82743 which
improved option checking, causing an evaluation error that was
hard to understand without running the evaluation manually.
symlinkJoin can break (silently) when the passed paths contain symlinks
to directories. This should work now.
Down-side: when lib/tmpfiles.d doesn't exist for some passed package,
the error message is a little less explicit, because we never get
to the postBuild phase (and symlinkJoin doesn't provide a better way):
/nix/store/HASH-NAME/lib/tmpfiles.d: No such file or directory
Also, it seemed pointless to create symlinks for whole package trees
and using only a part of the result (usually very small part).
This patch ensures that latest Nextcloud works flawlessly again on our
`nginx`. The new config is mostly based on upstream recommendations
(again)[1]:
* Trying to access internals now results in a 404.
* All `.php`-routes get properly resolved now.
* Removed 404/403 handling from `nginx` as the app itself takes care of
this. Also, this breaks the `/ocs`-API.
* `.woff2?`-files expire later than other assets like images.
Closes#95293
[1] https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
Turns out lot of software (including Chromium) use bundled fontconfig
so we either need to wrap every one of those, or re-introduce the global unversioned config.
The latter is easier but weakens hermetic configs. But perhaps those are not really worth the effort.
These are now only installed by systemd if HAVE_SYSV_COMPAT is true,
which only is the case if you set sysvinit-path and sysvrcnd-path (which
we explicitly unset in the systemd derivation for quite some time)
From the systemd release notes:
nss-mymachines lost support for resolution of users and groups, and now
only does resolution of hostnames. This functionality is now provided by
nss-systemd. Thus, the 'mymachines' entry should be removed from the
'passwd:' and 'group:' lines in /etc/nsswitch.conf (and 'systemd' added
if it is not already there).
Since systemd 243, docs were already steering users towards using
`journal`:
eedaf7f322
systemd 246 will go one step further, it shows warnings for these units
during bootup, and will [automatically convert these occurences to
`journal`](f3dc6af20f):
> [ 6.955976] systemd[1]: /nix/store/hwyfgbwg804vmr92fxc1vkmqfq2k9s17-unit-display-manager.service/display-manager.service:27: Standard output type syslog is obsolete, automatically updating to journal. Please update│······················
your unit file, and consider removing the setting altogether.
So there's no point of keeping `syslog` here, and it's probably a better
idea to just not set it, due to:
> This setting defaults to the value set with DefaultStandardOutput= in
> systemd-system.conf(5), which defaults to journal.
Since systemd 246, these are only installed by systemd if
HAVE_SYSV_COMPAT is true, which only is the case if you set
sysvinit-path and sysvrcnd-path (which we explicitly unset in the
systemd derivation for quite some time)
This breaks the Nextcloud vhost declaration when adding e.g. another
vhost as the `services.nginx.virtualHosts` option has `{ nextcloud =
...; }` as *default* value which will be replaced by another
`virtualHosts`-declaration with a higher (e.g. the default) priority.
The following cases are now supported & covered by the module:
* `nginx` is enabled with `nextcloud` enabled and other vhosts can be
added / other options can be declared without having to care
about the declaration's priority.
* Settings in the `nextcloud`-vhost in `nginx` have to be altered using
`mkForce` as this is the only way how we officially support `nginx`
for `nextcloud` and customizations have to be done explicitly using
`mkForce`.
* `nginx` will be completely omitted if a user enables nextcloud
and disables nginx using `services.nginx.enable = false;`. (because
nginx will be enabled by this module using `mkDefault`).
This reverts commit 128dbb31cc.
Closes#95259
nginx -t not only verifies configuration, but also creates (and chowns)
files. When the `nginx-config-reload` service is used, this can cause
directories to be chowned to `root`, causing nginx to fail.
This moves the nginx -t command into a second ExecReload command, which
runs as nginx's user. While fixing above issue, this will also cause the
configuration to be verified when running `systemctl reload nginx`, not
only when restarting the dummy `nginx-config-reload` unit. The latter is
mostly a workaround for missing features in our activation script
anyways.
Prior to this change, the `config` option (which allows you define the
haskell configuration for xmonad in your configuration.nix instead of
needing something in the home directory) prevents desktop manager
resources from starting. This can be demonstrated by configuring the
following:
```
services.xserver = {
displayManager.defaultSession = "xfce+xmonad";
displayManager.lightdm.enable = true;
desktopManager.xterm.enable = false;
desktopManager.xfce.enable = true;
desktopManager.xfce.enableXfwm = false;
desktopManager.xfce.noDesktop = true;
windowManager.xmonad = {
enable = true;
enableContribAndExtras = true;
extraPackages = haskellPackages: [
haskellPackages.xmonad-contrib
haskellPackages.xmonad-extras
haskellPackages.xmonad
];
config = ''
import XMonad
import XMonad.Config.Xfce
main = xmonad xfceConfig
{ terminal = "terminator"
, modMask = mod4Mask }
'';
};
};
```
and after user log in, search for xfce processes `ps aux | grep xfce`.
You will not find xfce processes running until after the xmonad process is killed.
The bug prevents utilities included with the desktopManager,
(e.g. powerManagement, session logout, etc.)
from working as expected.
Use StateDirectory to create necessary directories and hardcode some
paths. Also drop file based audit logs, they can be found in the
journal. And add module option deprecation messages.
In fd9eb16b24, the option
"services.nextcloud.nginx.enable" has been removed since the module now
exclusively supports nginx only.
Unfortunately, with the option gone from the manual, the link in the
Nextcloud-specific documentation referencing the NixOS option also
became a dead link and thus the manual will no longer build.
I also removed a second reference to this option in the Nextcloud-
specific documentation, which while it doesn't lead to a build error in
the manual is nevertheless a good idea to remove as well to ensure we
don't present outdated information to readers of the manual.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @DavHau, @Ma27
The missing () caused parts of the escripts to be added to the
ExecStartPost line instead of inside the script.
This caused postgresql start to fail under certain conditions.
This creates and opens a luks volume, puts its passphrase into a keyfile
and writes a /etc/crypttab. It then reboots the machine, and verifies
systemd parsed /etc/crypttab properly, and was able to unlock the volume
with the keyfile provided (as we try to mount it).
The memorySize of the VM had to be bumped, as luksFormat would otherwise
run out of memory.
There's a circular dependency to systemd via cryptsetup and lvm2
(systemd -> cryptsetup -> lvm2 -> udev=systemd).
However, cryptsetup only really needs the devmapper component shipped
with lvm2. So build `pkgs.cryptsetup` with a lvm2 that doesn't come with
udev.
Cookie jar can be used to accurately test if the login was successful.
Simply searching for the user name is not sufficient, since it is always
part of the returned page after login. The page should display a phrase
containing the username after login.
- Give a more accurate description of how fileSystems.<name/>.neededForBoot
works
- Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile
works
In 9ac1ab10c9 this library function was
refactored to use mkfs.ext4 instead of cptofs. There are two problems:
If populateImageCommands would create no files (which is fine), a cp
invocation would fail due to missing source arguments.
Another problem is that mkfs.ext4 relies on fakeroot to have sane
uid/gids in the generated filesystem image. This currently doesn't
work for cross compiling.
- remove optons cfg.user, cfg.groups
- add option `serverUser` which is required when not using nginx
- add `serverUser` to nextcloud group
- set user/group to "nextcloud" for nextcloud services
- make setup-service non-root
There are circumstances where running secondary DHCP servers in
non-authoritative mode is advantageous. Retain the previous
authoritative behavior as a default.
This was omitted in the latest update.
Only adds ~400 KB.
It required adding openssl to tests so I tacked on some cleanups.
In particular, the GI_TYPELIB_PATH was already being set in the wrapper
so we can remove it from the module (not sure why Gtk was even there).
Also switched away from using pkgconfig and docbook_xsl aliases
and reordered the expression a bit.
Not strictly an upgrade, but adds a new mongodb-4_2 target with the
current mongodb from that branch.
Use matching client and server versions in mongodb tests- tests were
using the mongo 3.4 client to connect, and this finally doesn't work
with server 4.2.
Per reviewer suggestion, adding myself as cheetah3 maintainer.
Additionally, reestore comments describing the purpose of the
build-dependencies patch
Along with the `socat` fix in the parent commit, this makes
the Flatpak’s installed tests finally pass again.
The tests seem to need slightly over 2G of disk space,
and it appears that the test suite was ported to Python 3 in 1.5.1:
2b6641575d
Flatpak’s installed tests build Flatpak runtimes, among other things.
Upstream code does this by copying some programs on `PATH`
as well as some possible dependencies from host’s /usr.
We patch the code to use `nix-store --query --requisites`
to make the dependency discovery easier.
The Flatpak’s installed tests add `socat` to `PATH` and later run
`nix-store --query --requisites` on its location but it was failing with
error: path '/nix/store/qcyf7nq5vvfw32967sv4j6z190inrbrc-socat-1.7.3.4' is not valid
The issue occurred because, while the host Nix store is bind mounted into the test VM,
the VM’s store uses its own database that only contains the packages in the VM’s closure.
Since the test commands are not actually part of the VM but only passed through PTY,
the `flatpak.installedTests` derivation was not part of the VM’s closure, so `nix-store`
in the VM could not get information about its dependency `socat`.
Let’s make the `installedTests` of the tested package part of the test VM’s closure
by passing it as a global environment variable. This will also have the added benefit
that user no longer has to type the path when running the installed tests manually in the VM;
they can just use `gnome-desktop-testing-runner -d $TESTED_PACKAGE_INSTALLED_TESTS`,
which is much more conducive to tab completion.
* Update: https://gitlab.freedesktop.org/pwithnall/malcontent/-/releases/0.8.0
* Fix the separation patch.
* Add `itstool` to ui (needed for building localized help).
* Use `pkg-config` instead of the `pkgconfig` alias.
* Fix some issues related to multiple outputs:
* Make the module pass specific output to `dbus.packages` since the `dbus` NixOS module will not generate configuration with correct interface paths otherwise.
* Change `malcontent-ui` package to primarily-a-program type derivation (`out`+`lib` instead of `bin`+`out`) since there are more and more `malcontent-control`-specific assets.
* This also fixes the issue where application data (desktop files, icons…) were installed to `out`, which is not installed by `environment.systemPackages`/`system-path.nix`’s `buildEnv` by default when `bin` output is also present.
* Make `malcontent` package install `out` output too so that `system-path.nix` links that too. It contains the AccountsService & Polkit data files.
* Split the library and PAM module out of `malcontent.out` so that they are not installed with the data files.
* This revealed a bug in the `gobject-introspection` setup hook.
I just got an Xbox One controller and I wasn't satisfied with the xpad
driver that ships with the Linux kernel
xpadneo supports more features and fixes problems with
incorrect button mappings
https://atar-axis.github.io/xpadneo
This change introduces more fine-grained requestEncryptionCredentials.
While previously when requestEncryptionCredentials = true, the
credentials for all imported pools and all datasets in these imported
pools were requested, it is now possible to select exactly the pools and
datasets for which credentials should be requested.
It is still possible to set requestEncryptionCredentials = true, which
continues to act as a wildcard for all pools and datasets, so the change
is backwards compatible.
This is necessary for VPNs where some of the nodes run pre-1.1 versions.
Most of Linux distros [0] and even the nixpkgs.tinc attribute run on that
version, so it might be useful to have that option.
[0] https://repology.org/project/tinc/versions
The toplevel derivations of systems that have `networking.hostName`
set to `""` (because they want their hostname to be set by DHCP) used
to be all named
`nixos-system-unnamed-${config.system.nixos.label}`.
This makes them hard to distinguish.
A similar problem existed in NixOS tests where `vmName` is used in the
`testScript` to refer to the VM. It defaulted to the
`networking.hostName` which when set to `""` won't allow you to refer
to the machine from the `testScript`.
This commit makes the `system.name` configurable. It still defaults to:
```
if config.networking.hostName == ""
then "unnamed"
else config.networking.hostName;
```
but in case `networking.hostName` needs to be to `""` the
`system.name` can be set to a distinguishable name.
This modifies the `router` to not give out a range of IP addresses but
only give out a fixed address based on the MAC address using the
`services.dhcpd4.machines` option.
To get access to the MAC address the `qemuNicMac` function is defined
and exported from `qemu-flags.nix`.
The resilio module places the directoryRoot configuration in the webui
section. However, the generated configuration fails on the current
version of Resilio Sync with:
Invalid key context: 'directory_root' must be in global config section
This change places this key in the global configuration section to
solve this error.
By generating a version-5 GUID based on $out (which contains
the derivation hash) and preventing isohybrid from overwriting
the GPT table (which already is populated correctly by xorriso).
Tested by:
* booting from USB disk on a UEFI system
* booting from USB disk on a non-UEFI system
* booting from CD on a UEFI system
* booting from CD on a non-UEFI system
* booting from CD on an OSX system
Also tested that "nix-build ./nixos/release-combined.nix -A
nixos.iso_minimal.x86_64-linux -I nixpkgs=~/nixpkgs-r13y --check"
now succeeds.
Fixes#74047
Build error introduced in fe7053f75a:
parser error : Opening and ending tag mismatch: commmand line 6139 and command
escription><para>Base64 preshared key generated by <commmand>wg genpsk</command>
^
Writing "command" with only two "m" fixes building the NixOS manual.
Signed-off-by: aszlig <aszlig@nix.build>
This allows disabling users.mutableUsers without configuring any
authentication mechanisms (passwords, authorized SSH keys) other than
Google OS Login.
> WARNING: PID file creation will be removed in Sidekiq 6.0, see #4045.
Please use a proper process supervisor to start and manage your
services
Since NixOS uses a proper process supervisor AND does not use the PID
file anywhere, we can just drop it to be upwards compatible and fix that
warning.
This is analogous to #70447.
With security.lockKernelModules=true, docker commands result in the following
error without at least loading veth:
$ docker run hello-world
/nix/store/mr50kaan2vs4gc40ymwncb2vci25aq7z-docker-19.03.2/libexec/docker/docker: Error response from daemon: failed to create endpoint epic_kare on network bridge: failed to add the host (veth8b381f3) <=> sandbox (veth348e197) pair interfaces: operation not supported.
ERRO[0003] error waiting for container: context canceled
- Begin a new chapter "GPU Acceleration", this should also cover
VA-API, OpenGL, Vulkan, etc.
- Add a general blurb about OpenCL and how to check whether OpenCL
devices are found.
- Add a section about enabling OpenCL for AMD GPUs specifically.
This adds yubikey-agent as a package and a nixos module.
On macOS, we use `wrapProgram` to set pinentry_mac as default in PATH;
on Linux we rely on the user to set their preferred pinentry in PATH.
In particular, we use a systemd override to prefix PATH to select a
chosen pinentry program if specified.
On Linux, we need libnotify to provide the notify-send utility for
desktop notifications (such as "Waiting for Yubikey touch...").
This might work on other flavors of unix, but I haven't tested.
We reuse the programs.gnupg.agent.pinentryFlavor option for
yubikey-agent, but in doing so I hit a problem: pinentryFlavour's
default value is specified in a mkDefault, but only conditionally. We
ought to be able to pick up the pinentryFlavour whether or not gpg-agent
is running. As a result, this commit moves the default value to the
definition of programs.gnupg.agent.enable.
This reverts commit d3a26a5ecd.
Using ServiceConfig.ExecStart instead of script lead to the content not
being executed in a shell anymore, which broke the secrets being read
from a file and passed as a command line parameter.
This lets users do sneaky things before systemd starts, and
permanently affect the environment in which systemd runs. For example,
we could start systemd in a non-default network namespace by setting
the systemdExecutable to a wrapper script containing:
#!/bin/sh
ip netns add virtual
touch /var/run/netns/physical
mount -o bind /proc/self/ns/net /var/run/netns/physical
exec ip netns exec virtual systemd
_note: the above example does literally work, but there are unresolved
problems with udev and dhcp._
Also, add some sleep statements in between, which seems to at least feel
like it causes
> WARNING: Device /dev/vda* not initialized in udev database even after waiting 10000000 microseconds.
To occur less frequently.
This eventually still succeeds after some amount of waiting, I suspect
some racyness in the way lvm's udev-triggered scripts trigger other
units.
In the current implementation, there's no possibility to modify the default
parameter for keepalive. This is a number that indicates how frequently
keepalive messages should be sent from the worker to the buildmaster,
expressed in seconds. The default (600) causes a message to be sent to
the buildmaster at least once every 10 minutes.
If the worker is behind a NAT box or stateful firewall, these messages
may help to keep the connection alive: some NAT boxes tend to forget about
a connection if it has not been used in a while. When this happens, the
buildmaster will think that the worker has disappeared, and builds will
time out. Meanwhile the worker will not realize than anything is wrong.
This is required by (among others) Podman to run containers in rootless mode.
Other distributions such as Fedora and Ubuntu already set up these mappings.
The scheme with a start UID/GID offset starting at 100000 and increasing in 65536 increments is copied from Fedora.
