Eelco Dolstra wrote:
Hm, this is not really the intended use of stateVersion. From the description:
Every once in a while, a new NixOS release may change
configuration defaults in a way incompatible with stateful
data. For instance, if the default version of PostgreSQL
changes, the new version will probably be unable to read your
existing databases. To prevent such breakage, you can set the
value of this option to the NixOS release with which you want
to be compatible. The effect is that NixOS will option
defaults corresponding to the specified release (such as using
an older version of PostgreSQL).
So this is only intended for options that have some corresponding on-disk state. AFAICT this is not the case for sound. In any case stateVersion is a necessary evil that only exists because we can't just upgrade Postgres databases or change SSH host keys. It's not necessary for things like whether sound is enabled. (If the user discovers that sound is suddenly disabled, they can just enable it.)
I had some vague recollection that we also had a configVersion option setting to control the defaults for non-state-related options, but I can't find it so maybe it was only discussed.
This allows one to specify "related packages" in NixOS that get rendered into
the configuration.nix(5) man page. The interface philosophy is pretty much
stolen from TeX bibliography.
See the next several commits for examples.
The use of Nix 2.0 significantly simplifies the installer, since we
can just pass a different store URI (--store /mnt) - it's no longer
needed to set up a chroot environment for the build, and to bootstrap
Nix into the chroot.
Also, commands that need to run in the installation (namely boot
loader installation and setting a root password) are now executed
using nixos-enter.
This also removes the need for nixos-prepare-root since any required
initialisation is done by Nix or by the activation script.
Among other things, this will allow *2nix tools to output plain data
while still being composable with the traditional
callPackage/.override interfaces.
addPassthru became unused in #33057, but its signature was changed at the same
time. This commit restores the original signature and updates the warning and
the changelog.
New thin laptops don't have an ethernet port and so rely on wifi to get
access. With the minimal installer, setup wpa_supplicant can be hard if
it is the first time so here we provide an example.
This was only applicable to very specific hardware, and the only person
with an apparent interest in maintaining it (me) no longer uses the
hardware in question.
"Ejecting" from the Finder ejects the entire device which is then not available for dd. diskutil unmountDisk does the right thing. Furthermore writing to diskN instead of rdiskN failed to complete even after waiting >10 minutes.
before:
- /var/run/memcached is a bad default for a socket path, since its
parent directory must be writeable by memcached.
- Socket directory was not created by the module itself -> this was
left as a burden to the user?
- Having a static uid with a dynamic user name is not very useful.
after:
- Replace services.memcached.socket by a boolean flag. This simplifies
our code, since we do not have to check if the user specifies a
path with a parent directory that should be owned by memcached
(/run/memcached/memcached.sock -> /run/memcached).
- Remove fixed uid/gid allocation. The only file ever owned by the
daemon is the socket that will be recreated on every start.
Therefore user and group ids do not need to be static.
- only create the memcached user, if the user has not specified a
different one. The major use case for changing option is to allow
existing services (such as php-fpm) opening the local unix socket.
If we would unconditionally create a user that option would be
useless.
This allows one to specify "related packages" in NixOS that get rendered into
the configuration.nix(5) man page. The interface philosophy is pretty much
stolen from TeX bibliography.
Changed extraUsers -> users and one case of extraGroups -> groups in nixos manual chapter 7.
According to chatter on IRC these are the proper names for these configuration options nowadays.
Modified based on feedback from Jörg Talheim.
Previously only the line numbers of a giant, internally generated XML file were
printed, without any kind of debuggability.
Now at least the mentioned lines are printed with a little bit of surrounding
context (to have something to grep for).
```
manual-combined.xml:4863: element para: Relax-NG validity error : Did not expect element para there
4859 <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-writing-modules">
4860
4861 <title>Writing NixOS Modules</title>
4862
4863 <para>NixOS has a modular system for declarative configuration. This
4864 system combines multiple <emphasis>modules</emphasis> to produce the
4865 full system configuration. One of the modules that constitute the
```
Since ssh-dss is no longer supported by default, users relying on those
keys for their login may be locked out. They should ideally use stronger
keys, but adding the support for ssh-dss back in can also be done
through extraConfig.
This reverts commit 93c54acf97.
This reopens#30517 @nbp @Ma27
Breaking people's config for this is hardly reasonable as is. If it
absolutely cannot be avoided, at the very least, we need to provide
clear instructions on what people need to upgrade in their config. I
actually had to bisect to the commit, to even find out what property I
should change or define, as the error message was useless. It didn't
even mention a property name.
Discussion on the PR seems to be ongoing, so I'm reverting this, so we
don't break people's systems on unstable.
postage is no longer maintained and has been replaced by the identical pgmanage. See:
https://github.com/workflowproducts/postage#postage-has-been-replaced-with-pgmanage
The following error is raised when a user enables the deprecated `services.postage.enable` option:
Failed assertions:
- services.postage is deprecated in favor of pgmanage. They have the same options so just substitute postage for pgmanage.
Also unifies the BIOS and UEFI installation instructions.
It's a fairly basic usage, but it makes explicity the fact that
you should at least have a main partition and a swap partition,
and will save some users a bit of internet searching while they
are getting set up.
The section was strange to read, as the initial example already used
`listOf' which is mentioned in the very first paragraph. Then you read
in a subsection about `listOf' and the exact same example is given
once again.
This is a squash commit of the joint work from:
* Jan Tojnar (@jtojnar)
* Linus Heckemann (@lheckemann)
* Ryan Mulligan (@ryantm)
* romildo (@romildo)
* Tom Hunger (@teh)
This commit readds and updates the 1.x package from 1.1.4 to 1.1.6 which
also includes the needed command for migrating to 2.x
The module is adjusted to the version change, defaulting to radicale2 if
stateVersion >= 17.09 and radicale1 otherwise. It also now uses
ExecStart instead of the script service attribute. Some missing dots at
the end of sentences were also added.
I added a paragraph in the release notes on how to update to a newer
version.
This change updates the instructions for building a NixOS ISO so that it's clear how to do it.
Previously, the instructions stated to set NIXOS_CONFIG prior to running `nix-build`, yet the example provided by-passed NIXOS_CONFIG anyway. But the *really* important missing piece is the need for nixos/default.nix. See #21840.
This change removes the NIXOS_CONFIG verbiage, and adds steps to clone nixpkgs and (most importantly) cd'ing into nixpkgs/nixos. That way, the reader may think: *Oh, so I need a default.nix and a configuration.nix. Ahhh, OK.*
I purposely added the redundant default.nix argument.
* postgresql service: make 9.6 the default version for 17.09
* postgresql service: change default superuser for 17.09
Change the default superuser from `root` to `postgres` for state
version 17.09
* postgresql service: change default data directory for 17.09
The new directory includes the schema version of the database.
This makes upgrades easier and is more consistent with other distros.
* updated nixos release notes
... because `nixos-generate-config` currently understand it's running under virtualbox, and correctly adds the configuration in `/etc/nixos/hardware-configuration.nix`
When you have a setup consisting of multiple monitors, the default is
that the first monitor detected by xrandr is set to the primary monitor.
However this may not be the monitor you need to be set as primary. In
fact this monitor set to primary may in fact be disconnected.
This has happened for the original submitter of the pull request and it
affected these programs:
* XMonad: Gets confused with Super + {w,e,r}
* SDDM: Puts the login screen on the wrong monitor, and does not
currently duplicate the login screen on all monitors
* XMobar: Puts the XMobar on the wrong monitor, as it only puts the
taskbar on the primary monitor
These changes should fix that not only by setting a primary monitor in
xrandrHeads but also make it possible to make a different monitor the
primary one.
The changes are also backwards-compatible.
The xrandrHeads option has been there since a long time, so there is no
need to advertise it as a new feature.
Instead, let's focus on just what has changed, which is that we now
assign one head to be primary.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The inability to run strace or gdb is the kind of
developer-unfriendliness that we're used to from OS X, let's not do it
on NixOS.
This restriction can be re-enabled by setting
boot.kernel.sysctl."kernel.yama.ptrace_scope" = 1;
It might be nice to have a NixOS module for enabling hardened defaults.
Xref #14392.
Thanks @abbradar.
This is based on a prototype Nicolas B. Pierron worked on during a
discussion we had at FOSDEM.
A new version with a workaround for problems of the reverted original.
Discussion: https://github.com/NixOS/nixpkgs/commit/3f2566689
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
Add link to "Configuration" chapter from "Changing the Configuration" section.
Also, fix grammar error.
(cherry picked from commit a585f987fa32f2e81b3f273291971151c25f98b7)
From Postfix documentation:
With this setting, the Postfix SMTP server will not reject mail with "User
unknown in local recipient table". Don't do this on systems that receive mail
directly from the Internet. With today's worms and viruses, Postfix will become
a backscatter source: it accepts mail for non-existent recipients and then
tries to return that mail as "undeliverable" to the often forged sender
address.
The tag wasn't properly closed which caused the manual build to fail.
Tested with: nix-build nixos/release.nix -A manual.x86_64-linux
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This patch add a new argument to Nixpkgs default expression named "overlays".
By default, the value of the argument is either taken from the environment variable `NIXPKGS_OVERLAYS`,
or from the directory `~/.nixpkgs/overlays/`. If the environment variable does not name a valid directory
then this mechanism would fallback on the home directory. If the home directory does not exists it will
fallback on an empty list of overlays.
The overlays directory should contain the list of extra Nixpkgs stages which would be used to extend the
content of Nixpkgs, with additional set of packages. The overlays, i-e directory, files, symbolic links
are used in alphabetical order.
The simplest overlay which extends Nixpkgs with nothing looks like:
```nix
self: super: {
}
```
More refined overlays can use `super` as the basis for building new packages, and `self` as a way to query
the final result of the fix-point.
An example of overlay which extends Nixpkgs with a small set of packages can be found at:
https://github.com/nbp/nixpkgs-mozilla/blob/nixpkgs-overlay/moz-overlay.nix
To use this file, checkout the repository and add a symbolic link to
the `moz-overlay.nix` file in `~/.nixpkgs/overlays` directory.
Network Manager calls dhclient on container interfaces and fails
which locks you out of the container after a few seconds, unless
you tell it not to manage these interfaces.
Commits
351d12437 ("nixos/release-notes: PHP config-file-scan-dir /etc -> /etc/php.d")
41c8aa8d6 ("php: change config-file-scan-dir from /etc to /etc/php.d")
were merged to master _after_ NixOS 16.09. Commit 351d12437 then wrongly
updated the NixSO 16.09 release notes. Fix by moving the entry to NixOS
17.03.
`stripHash` documentation states that it prints out the stripped name to
the stdout, but the function stored the value in `strippedName`
instead.
Basically all usages did something like
`$(stripHash $foo | echo $strippedName)` which is just braindamaged.
Fixed the implementation and all invocations.
This introduces VirtualBox version 5.1.6 along with a few refactored
stuff, notably:
* Kernel modules and user space applications are now separate
derivations.
* If config.pulseaudio doesn't exist in nixpkgs config, the default is
now to build with PulseAudio modules.
* A new updater to keep VirtualBox up to date.
All subtests in nixos/tests/virtualbox.nix succeed on my machine and
VirtualBox was reported to be working by @DamienCassou (although with
unrelated audio problems for another fix/branch) and @calbrecht.
The change is backwards-compatible for users of the NixOS module but not
if people were using the package directly, so let's warn users about
that.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.
That's very unfortunate because one might lose sudo binary.
Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.
Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.
Tested:
- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
This removes our hardcoded presets which weren't updated for quite some time.
Infinality now has new hardcoded presets in freetype, which can be overriden if
desired with environment variables (as before). Accordingly, updated NixOS
module to set the hardcoded preset.
Additionally used a more "right" type for substitutions.
The name gitlab-runner clashes with a component of Gitlab CI with the
same name and only confuses people. It's now called gitlab-bundle and
a convenience-script gitlab-rake for easier invocation of rake tasks
was added. This was the primary use case of gitlab-runner.
In light of Emacs packaging improvements such as those mentioned
in #11503, and with the addition of a systemd service (#15807
and #16356), and considering that the wiki page is completely
out of date (#13217), it seems that some documentation is in order.
Enabling EFI runtime services provides a venue for injecting code into
the kernel.
When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services. The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).
This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
* Hydra doesn't like spaces in filenames.
* The zip file contained nix/store/.../OEBPS rather than OEBPS at
top-level, causing some programs (like okular) to barf.
* Remove the redundant $dst/epub directory.
* manual: Mark commands that require root
Mark every command that requires to be run as root by prefixing them
with '#' instead of '$'.
* manual: Add note about commands that require root
When displaying a warning about a removed Option we should always
include reasoning why it was removed and how to get the same
functionality without it.
Introduces such a description argument and patches occurences (mostly
with an empty string).
startGnuPGAgent: further notes on replacement
This allows setting options for the same LUKS device in different
modules. For example, the auto-generated hardware-configuration.nix
can contain
boot.initrd.luks.devices.crypted.device = "/dev/disk/...";
while configuration.nix can add
boot.initrd.luks.devices.crypted.allowDiscards = true;
Also updated the examples/docs to use /disk/disk/by-uuid instead of
/dev/sda, since we shouldn't promote the use of the latter.
This allows to use <olink> tags inside NixOS options to reference
sections from the manual. I've originally introduced it in #14476 to
reference the Taskserver specific documentation from the options
reference but as suggested by @nbp, this was done as a separate pull
request to ensure greater visibility rather than being "hidden" in the
Taskserver branch.
The build time for the manual is around 30s on my machine without this
change and 34s with this change, so it shouldn't have a very big impact
on the build time of the manual.
Olinks between the options reference and the manual now will look like
this:
"More instructions about NixOS in conjuction with Taskserver can be
found in the NixOS manual at Chapter 15, Taskserver."
More documentation about olinks can be found here:
http://www.sagehill.net/docbookxsl/Olinking.html
Acked-by: Eelco Dolstra <eelco.dolstra@logicblox.com>
This command was useful when NixOS was spread across multiple
repositories, but now it's pretty pointless (and obfuscates what
happens, i.e. "git clone git://github.com/NixOS/nixpkgs.git").
This adds a Taskserver module along with documentation and a small
helper tool which eases managing a custom CA along with Taskserver
organisations, users and groups.
Taskserver is the server component of Taskwarrior, a TODO list
application for the command line.
The work has been started by @matthiasbeyer back in mid 2015 and I have
continued to work on it recently, so this merge contains commits from
both of us.
Thanks particularly to @nbp and @matthiasbeyer for reviewing and
suggesting improvements.
I've tested this with the new test (nixos/tests/taskserver.nix) this
branch adds and it fails because of the changes introduced by the
closure-size branch, so we need to do additional work on base of this.
This reverts commit 1d77dcaed3.
It will be reintroduced along with #14700 as a separate branch, as
suggested by @nbp.
I added this to this branch because I thought it was a necessary
dependency, but it turns out that the build of the manual/manpages still
succeeds and merely prints a warning like this:
warning: failed to load external entity "olinkdb.xml"
Olink error: could not open target database 'olinkdb.xml'.
Error: unresolved olink: targetdoc/targetptr = 'manual/module-taskserver'.
The olink itself will be replaced by "???", so users looking at the
description of the option in question will still see the reference to
the NixOS manual, like this:
More instructions about NixOS in conjuction with Taskserver can be found
in the NixOS manual at ???.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
My first attempt to do this was to just use a conditional <refsection/>
in order to not create exact references in the manpage but create the
reference in the HTML manual, as suggested by @edolstra on IRC.
Later I went on to use <olink/> to reference sections of the manual, but
in order to do that, we need to overhaul how we generate the manual and
manpages.
So, that's where we are now:
There is a new derivation called "manual-olinkdb", which is the olinkdb
for the HTML manual, which in turn creates the olinkdb.xml file and the
manual.db. The former contains the targetdoc references and the latter
the specific targetptr elements.
The reason why I included the olinkdb.xml verbatim is that first of all
the DTD is dependent on the Docbook XSL sources and the references
within the olinkdb.xml entities are relative to the current directory.
So using a store path for that would end up searching for the manual.db
directly in /nix/store/manual.db.
Unfortunately, the <olinks/> that end up in the output file are
relative, so for example if you're clicking on one of these within the
PDF, the URL is searched in the current directory.
However, the sections from the olink's text are still valid, so we could
use an alternative URL for that in the future.
The manual doesn't contain any links, so even referencing the relative
URL shouldn't do any harm.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
My first attempt to do this was to just use a conditional <refsection/>
in order to not create exact references in the manpage but create the
reference in the HTML manual, as suggested by @edolstra on IRC.
Later I went on to use <olink/> to reference sections of the manual, but
in order to do that, we need to overhaul how we generate the manual and
manpages.
So, that's where we are now:
There is a new derivation called "manual-olinkdb", which is the olinkdb
for the HTML manual, which in turn creates the olinkdb.xml file and the
manual.db. The former contains the targetdoc references and the latter
the specific targetptr elements.
The reason why I included the olinkdb.xml verbatim is that first of all
the DTD is dependent on the Docbook XSL sources and the references
within the olinkdb.xml entities are relative to the current directory.
So using a store path for that would end up searching for the manual.db
directly in /nix/store/manual.db.
Unfortunately, the <olinks/> that end up in the output file are
relative, so for example if you're clicking on one of these within the
PDF, the URL is searched in the current directory.
However, the sections from the olink's text are still valid, so we could
use an alternative URL for that in the future.
The manual doesn't contain any links, so even referencing the relative
URL shouldn't do any harm.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
At some point we probably want to replace this with a curated list
of configurations or even an upstreamed repository of examples, but
for now this is just noise.
FixesNixOS/nixpkgs#14522
It's not by any means exhaustive, but we're still going to change the
implementation, so let's just use this as a starting point.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Unetbootin works by altering the image and placing a boot loader on it.
For this reason, it cannot work with UEFI and the installation guides
for other distributions (incl. Debian and Fedora) recommend against
using it.
Since dd writes the image verbatim to the drive, and not just the files,
it is not necessary to change the label after using it for UEFI
installations.
vcunat: tiny changes to the PR. Close#14139.
- Enforce that an option declaration has a "defaultText" if and only if the
type of the option derives from "package", "packageSet" or "nixpkgsConfig"
and if a "default" attribute is defined.
- Enforce that the value of the "example" attribute is wrapped with "literalExample"
if the type of the option derives from "package", "packageSet" or "nixpkgsConfig".
- Warn if a "defaultText" is defined in an option declaration if the type of
the option does not derive from "package", "packageSet" or "nixpkgsConfig".
- Warn if no "type" is defined in an option declaration.
Allow usage of list of strings instead of a comma-separated string
for filesystem options. Deprecate the comma-separated string style
with a warning message; convert this to a hard error after 16.09.
15.09 was just released, so this provides a deprecation period during
the 16.03 release.
closes#10518
Signed-off-by: Robin Gloster <mail@glob.in>
First of all this fixes an evaluation error I introduced in ae466ba,
which wasn't triggered by any of my own tests against the change because
there are usually no NixOS options that are declared outside of the
<nixpkgs> tree. I renamed the attribute name from "fn" to "fileName"
first and later to "fullPath" but forgot one still occuring "filename".
Thanks to @vcunat for noticing this.
Another thing that he pointed out was that the "stripPrefix" function
can be factored away entirely, because it's very similar to
"removePrefix" in <nixpkgs/lib>.
Unfortunately we can't use "removePrefix" as is, because we need to
account for the final shlash.
So instead of removing it twice and/or retaining "stripPrefix", let's
append a shlash on every "prefixesToStrip" and we can use "removePrefix"
as is.
Tested with:
taalo-build nixos/release.nix -A tests.installer.simple.x86_64-linux
And:
w3m -dump "$(
nix-build nixos/release.nix -A manual.x86_64-linux
)/share/doc/nixos/options.html"
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @vcunat
Let's use a simple (unflipped) fold and break out the actual core
stripPrefix function from stripAnyPrefixes (I personally love
point-less^H^H^H^Hfree style but if I'd be anal I'd even go further and
factor away the "fn:").
Also, let's use path as a better name for "fn" (filename), because
that's what it is and also cannot be confused with "fn" meaning
"function".
We now toString all of the prefixes, so there shouldn't be any need to
implicily toString the extraSources anymore.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Regression introduced by e6cd147ae7.
This broke all of the installer tests, because they needed to rebuild
the manual within the test machine, while it only has a closure of the
already pre-built system in place.
The problem here was just that the order of the arguments got mixed up
in stripAnyPrefixes, so it was actually trying to strip the path off the
prefix, not the other way around.
So in the end no prefix was stripped at all, so we ended up having full
store paths in the manual, which in turn caused the build within the VM
to fail, because the prefixes differed.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>