The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.
The result can be tested with:
openssl s_client -connect web.example.com:443 -status 2> /dev/null
Without OCSP stapling, we get:
OCSP response: no response sent
After this change, we get:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Aug 30 20:46:00 2018 GMT
A shared exported guard `__NIXOS_SET_ENVIRONMENT_DONE` is introduced that can
be used to prevent child shells from sourcing `system.build.setEnvironment`
the second time.
This fixes e.g. `nix run derivation` when run from e.g. ZSH through the console or
ssh. Before this Bash would resource the common environment resetting the `PATH`
environment variable.
We also export `system.build.setEnvironment` to `/etc/set-environment` making it
easy to reset the common environment with `. /etc/set-environment` when
needed and to grep for environment variables in `/etc` (which was the
motivation of #30418).
This reverts changes made in b00a3fc6fd
(the original #30418).
This allows one to add rules which change a packet's routing table:
iptables -t raw -I PREROUTING 1 -m set --match-set myset src -j MARK --set-mark 2
ip rule add fwmark 2 table 1 priority 1000
ip route add default dev wg0 table 1
to the beginning of raw table PREROUTING chain, and still have rpfilter.
DefaultTimeoutStartSec is normally set to 90 seconds and works fine. But
when running NixOS tests on a very slow machine (like a VM without
nested virtualisation support) this default is to low and causes
systemd units to fail spuriously. One symptom of this issue are tests
at times failing with "timed out waiting for the VM to connect".
Since the VM connect timeout is 300 seconds I also set
DefaultTimeoutStartSec to this which is ridiculously high.
The background color option is self-explanatory.
The mode is either `normal` or `stretch`, they are as defined by GRUB,
where normal will put the image in the top-left corner of the menu, and
stretch is the default, where it stretches the image without
consideration for the aspect ratio.
* https://www.gnu.org/software/grub/manual/grub/grub.html#background_005fimage
The wallpaper used is *structurally compatible* with the other one,
meaning that the logo is at the same location, and not bigger.
It has one drawback: the logo is brighter, which clashes with the grub
usage. This is to be fixed with new options in grub.
The additions are:
- image/svg+xml for SVG images
- application/atom+xml for Atom feeds
These types are also present in mime.types. For better readability,
the list is sorted and formatted with one type per line.
The test sporadically failed on hydra when a request was made
before the service was actually listening on its port.
Explicitly wait for the port to open.
Since matrix-synapse 0.33.0 underscores in server names are rejected
by server name validation, causing the test to fail:
valueError: Server name 'server_sqlite' contains invalid characters
Relevant upstream change:
546bc9e28b
- wait for node to listen before starting munin-cron
- increase timeout for munin-cron startup
- disable a failing plugin to remove irrelevant error message
This prevents issues when gitea adds new locales etc. And if they
change locale values in future versions. Or if you rollback to a
previous version of gitea it might be a good idea to use the previous
locale files.
This is a 277K (as of right now) addition that can greatly help in some
last recourse scenarios. The specific rEFInd setup will not be able to
boot the installer image, but this is not why it has been added. It has
been added to make use of its volumes scanning capabilities to boot
existing EFI images on the target computer, which is sometimes necessary
with buggy EFI. While is isn't NixOS's job to fix buggy EFI, shipping
this small bit with the installer will help the unlucky few.
Example scenario: two wildly different EFI implementation I have
encountered have fatal flaws in which they sometimes will lose all the
settings, this includes boot configuration. This is compounded by the
fact that the two specific and distinct implementation do not allow
manually adding ESP paths from their interface. The only recourse is to
let the EFI boot the default paths, EFI/boot/boot{platform}.efi, which
is not a default location used by the NixOS bootloaders. rEFInd is able
to scan the volumes and detect the existing efi bootloaders, and boot
them successfully.
Following up https://github.com/NixOS/nixpkgs/pull/23665
Bootable USB-drives are not limited to ISO-images, there can be "normal" MBR/GPT-partitioned disk connected via USB-rack.
Also, "uas" implies "usb-storage", so there is no need to mention both.
thermald has two modes: zero-config and manual. Sometimes it is useful
to manually configure thermald to achieve better thermal results or to give
thermald a hand when detecting possible cooling options.
I broke it:
in job ‘nixos.iso_graphical.x86_64-linux’:
The option `services.udisks2.enable' has conflicting definitions, in `/nix/store/bwcjw1ddj94q83vbbnq1nnrs5aisaw59-source/nixos/modules/profiles/installation-device.nix' and `/nix/store/bwcjw1ddj94q83vbbnq1nnrs5aisaw59-source/nixos/modules/services/x11/desktop-managers/plasma5.nix'.
And don't need to source the uevent files anymore either since $MAJOR
or $MINOR aren't used elsewhere.
[dezgeg: The reason these are no longer needed is that 0d27df280f
switched /tmp to a devtmpfs which automatically creates such device
nodes]
When rebuilding you have to manually run `systemctl --user
daemon-reload`. It gathers all authenticated users using
`loginctl list-user` and runs `daemon-reload` for each of them.
This is a first step towards a `nixos-rebuild` which is able to reload
user units from systemd. The entire task is fairly hard, however I
consider this patch usable as it allows to restart units without running
`daemon-reload` for each authenticated user.
This bumps Hydra to the latest revision available. As Hydra doesn't have
a release model (and therefore no tags) ATM, the derivation will pin
against the actual git revision and the date of the commit in the
derivation name.
Additionally the following changes have been made:
* Dropped `postUnpack` phase. It is useful when working with the Hydra
source (and no dirty changes shall be used in `release.nix`, but is has
no use in `nixpkgs`).
* Added myself as maintainer to have more folks available in case of
future breakage.
* Implemented support for Nix 2.0 and `unstable` (currently 2.1):
Since 1672bcd230447f1ce0c3291950bdd9a662cee974 in NixOS/nix the
evaluator differentiates between `settings` and `evalSettings`.
Previously `restrictEval` in `hydra-eval-jobs.cc` has been set in
`settings`, this doesn't work anymore in Nix 2.1 and is therefore
incompatible to Nix 2.0 on an API level.
To resolve this, the flag `isGreaterNix20` parses the version string
of `pkgs.nix` and applies a patch if nix.version<=2.0.
Furthermore the Hydra build with Nix 2.1 requires `boost` as build input
which is not needed for Nix 2.0. To avoid unnecessary increase in the
closure size this library will only used as build input for
nix.version>2.0.
* Fixed the NixOS test for `hydra`:
disabled binary cache to allow sandbox builds (otherwise it would
query `cache.nixos.org` during the Hydra build inside the test).
Additionally the trivial.nix jobset required simplification (as done
in NixOS/hydra, e.g. tests/api-test.nix) as bash is not available in
the build sandbox as builder (even when adding pkgs.bash to
systemPackages).
The easiest workaround to confirm a the functionality of a jobset
without importing nixpkgs is to use the default shell /bin/sh which
is mounted from `pkgs.busybox` into the build env
(https://github.com/NixOS/nixpkgs/pull/44841#discussion_r209751972) in the
VM and a named pipe to create $out.
Closes#44044
This fixes an issue where setting both
`boot.loader.systemd-boot.editor` to `false` and
`boot.loader.systemd-boot.consoleMode` to any value would concatenate
the two configuration lines in the output, resulting in an invalid
`loader.conf`.
