If a secret path is a subset of a second secret path, there's a risk
that its secret is substituted for the matching part of the second
path. To prevent this, use the sha256 of the paths as placeholder
string instead.
GDM enables Wayland on supported platforms automatically (see ${gnome.gdm}/lib/udev/rules.d/61-gdm.rules), so we removed the `gdm.nvidiaWayland` option.
You will still need `hardware.nvidia.modesetting.enable = true;` with `nvidia` driver, though.
I think calling i2pd directly in `ExecStart` is much nicer than having an extra shell script for no reason. It's also easier to see what's going on when looking at the generated systemd unit file.
* make slurmd depend on network target to ensure basic networking
is available on startup. This fixes behaviour
where slurmd fails with "error: get_addr_info: getaddrinfo() failed".
* Use tmpfiles.d to ensure spool directory exists on start up.
Fail scripts on pipeline errors and propagate subshell errors.
If an error occurs in a subshell, including while trying to read a
secret file, we want that error to propagate to the main shell
context. That means we have to set the `inherit_errexit` option, which
allows errors from subshells to propagate to the outer shell. Also,
the subshell cannot run as part of another command, such as `export`,
since that will simply ignore the subshell exit status and only
respect `export`s exit status; first assigning the value to a variable
and then exporting it solves issue.
The mount options need to be passed as a comma-separated list of options so that they
end up one a single Options line in the resulting mount unit.
The current code passed the options as a list, resulting in several Options lines in
the mount unit, all but the first of these were ignored by systemd however.
This behaviour is not clearly defined in the systemd man page.
* nixos/nftables: Allow use with iptables
Since iptables and nftables do not actually conflict with each other, there's no real reason to artificially prevent people from combining them.
In fact, this practice is known to cause issues like #88643, which is fixed by this commit.
users.users.*.createHome makes home only owner-readable.
This breaks nginx reading static assets from nextcloud's home,
after a nixos-rebuild that did not restart nextcloud-setup.
Closes#112639
When no devices are given the exporter tries to autodiscover available
disks. The previous DevicePolicy was however preventing the exporter
from accessing any device at all, since only explicitly mentioned ones
were allowed.
This commit adds an allow rule for several device classes that I could
find on my machines, that gets set when no devices are explicitly
configured.
There is an existing problem with nvme devices, that expose a character
device at `/dev/nvme0`, and a (namespaced) block device at
`/dev/nvme0n1`. The character device does not come with permissions that
we could give to the exporter without further impacting the hardening.
crw------- 1 root root 247, 0 27. Jan 03:10 /dev/nvme0
brw-rw---- 1 root disk 259, 0 27. Jan 03:10 /dev/nvme0n1
The autodiscovery only finds the character device, which the exporter
unfortunately does not have access to.
However a simple udev rule can be used to resolve this:
services.udev.extraRules = ''
SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
'';
Unfortunately I'm not fully aware of the security implications this
change carries and we should question upstream (systemd) why they did
not include such a rule.
The disk group has no members on any of my machines.
❯ getent group disk
disk❌6:
* fix MTP support on KDE Plasma and Dolphin
* Update pkgs/applications/kde/kio-extras.nix
Co-authored-by: ElXreno <elxreno@gmail.com>
Co-authored-by: Peter Hoeg <peter@hoeg.com>
Co-authored-by: ElXreno <elxreno@gmail.com>
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.
The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
avaliable.
This commit aims to following the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.
Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.
Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.
The generation and validation of the configration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.
A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.
[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
Empty parantheses are not supported in regular expressions on
Darwin/macOS. The old regular expression produces an error during
evaluation. This commit fixes that.
Nix‘s `builtins.match` works with extend POSIX regular expressions. The
specification for these regular expression states[^1] that the result
for a left paranthesis immediately followed by a right paranthesis
outside of a bracket expression is undefined.
[^1]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04_03
Currently it's rather difficult to install tmux plugins. The process involves two steps:
1. Specify the correct `pkg.tmuxPlugins` package in `environment.systemPackages`
2. Adding to the configuration file to instantiate the plugin.
This commit allows the user to specify a list of plugins under `programs.tmux.plugins`.
Update nixos/modules/programs/tmux.nix
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Tor waits ShutdownWaitLength seconds (30s by default) before actually shutting down. Since the systemd timeout is also set to 30 seconds, this results in a race condition that ends up killing Tor most of the time on my machine during shutdown.
To fix this, add the ShutdownWaitLength setting and tell systemd to wait 30 seconds more than that.
Arch Linux also has `TimeoutSec` set to 60 seconds: 6df716fe19/trunk/tor.service.
This option behaves exactly like `boot.extraModprobeConfig`, except that it also includes the generated modprobe.d file in the initrd.
Many years ago, someone tried to include the normal modprobe.d/nixos.conf file generated by `boot.extraModprobeConfig` in the initrd: 0aa2c1dc46. This file contains a reference to a directory with firmware files inside. Including firmware in the initrd made it too big, so the commit was reverted again in 4a4c051a95.
The `boot.extraModprobeConfig` option not changing the initrd caused me much confusion because I tried to set the maximum cache size for ZFS and it didn't work.
Closes https://github.com/NixOS/nixpkgs/issues/25456.
Modules that do not depend on e.g. toplevel should not have to include it just to set
things in `system.build`. As a general rule, this keeps tests simple, usage flexible
and evaluation fast. While one module is insignificant, consistency and good practices
are.
Release notes: https://github.com/swaywm/sway/releases/tag/1.7
Notable (backward incompatible) changes:
- The default terminal changed from Alacritty to foot
Known issues:
- `swaynag` will crash when Sway 1.6.1 is still running while the Nix
package (and thus `swaynag`) is already updated to version 1.7.
- The experimental Ozone/Wayland support of Electron apps will be broken
for a while. Electron version 17 should work but the Chromium fixes
haven't yet been backported to Electron version 16.
NixOS module: programs.sway.extraPackages: The "alacritty" package was
replaced with "foot".
VM test: We switched from the OpenGL ES 2.0 renderer to Pixman. The
terminal was also changed to foot but Alacritty is still used for the
XWayland test (since foot doesn't support X11).
Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
`register_new_matrix_user` is a script provided by the matrix-synapse
package to create a new matrix user on the command line.
This commit provides a wrapper around `register_new_matrix_user` that
automatically passes the url (and `registration_shared_secret`, if
present) as CLI arguments.
- regenerate everything
- hardcode to build with node 14 (upstream doesn't support 16 yet)
- remove optional deps to make things build without python2
- set HOME in service environment to prevent crashing
Changes in node-*.nix are autogenerated.
Commit ca58bd0a50 broke the test networking.networkd.static. This happened because the test sets `networking.defaultGateway`. This is implemented by adding the gateway to the list of `routes` using `mkDefault`. The `routes` are then overridden by an empty list in the newly added code. Replace `mkDefault` with `id` so the two lists are merged and everything (hopefully) works as expected.
See https://github.com/NixOS/nixpkgs/pull/144590 for a more context.
LXC containers like those used by VPSAdminOS might want to install a bootloader
so passing `true` to `system.build.installBootLoader` without any priority specified,
causes a conflict for such systems with the recent `system.build` changes:
4014fb6a64
Fixes: https://github.com/NixOS/nixpkgs/issues/155839
If the Nix daemon has never been enabled (nix.enable has always been
set to false), the gcroots directory won't exist. If the Nix daemon
is later enabled, the GC roots for booted-system and current-system
will be missing, and they might end up being garbage collected. Since
it's cheap to add GC roots even if the daemon will never be enabled,
let's just always add them so we're okay in the case where the daemon
is enabled later.