Discovered via https://github.com/NixOS/nixpkgs/pull/82743 which
improved option checking, causing an evaluation error that was
hard to understand without running the evaluation manually.
symlinkJoin can break (silently) when the passed paths contain symlinks
to directories. This should work now.
Down-side: when lib/tmpfiles.d doesn't exist for some passed package,
the error message is a little less explicit, because we never get
to the postBuild phase (and symlinkJoin doesn't provide a better way):
/nix/store/HASH-NAME/lib/tmpfiles.d: No such file or directory
Also, it seemed pointless to create symlinks for whole package trees
and using only a part of the result (usually very small part).
This patch ensures that latest Nextcloud works flawlessly again on our
`nginx`. The new config is mostly based on upstream recommendations
(again)[1]:
* Trying to access internals now results in a 404.
* All `.php`-routes get properly resolved now.
* Removed 404/403 handling from `nginx` as the app itself takes care of
this. Also, this breaks the `/ocs`-API.
* `.woff2?`-files expire later than other assets like images.
Closes#95293
[1] https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
Turns out lot of software (including Chromium) use bundled fontconfig
so we either need to wrap every one of those, or re-introduce the global unversioned config.
The latter is easier but weakens hermetic configs. But perhaps those are not really worth the effort.
These are now only installed by systemd if HAVE_SYSV_COMPAT is true,
which only is the case if you set sysvinit-path and sysvrcnd-path (which
we explicitly unset in the systemd derivation for quite some time)
From the systemd release notes:
nss-mymachines lost support for resolution of users and groups, and now
only does resolution of hostnames. This functionality is now provided by
nss-systemd. Thus, the 'mymachines' entry should be removed from the
'passwd:' and 'group:' lines in /etc/nsswitch.conf (and 'systemd' added
if it is not already there).
Since systemd 243, docs were already steering users towards using
`journal`:
eedaf7f322
systemd 246 will go one step further, it shows warnings for these units
during bootup, and will [automatically convert these occurences to
`journal`](f3dc6af20f):
> [ 6.955976] systemd[1]: /nix/store/hwyfgbwg804vmr92fxc1vkmqfq2k9s17-unit-display-manager.service/display-manager.service:27: Standard output type syslog is obsolete, automatically updating to journal. Please update│······················
your unit file, and consider removing the setting altogether.
So there's no point of keeping `syslog` here, and it's probably a better
idea to just not set it, due to:
> This setting defaults to the value set with DefaultStandardOutput= in
> systemd-system.conf(5), which defaults to journal.
Since systemd 246, these are only installed by systemd if
HAVE_SYSV_COMPAT is true, which only is the case if you set
sysvinit-path and sysvrcnd-path (which we explicitly unset in the
systemd derivation for quite some time)
This breaks the Nextcloud vhost declaration when adding e.g. another
vhost as the `services.nginx.virtualHosts` option has `{ nextcloud =
...; }` as *default* value which will be replaced by another
`virtualHosts`-declaration with a higher (e.g. the default) priority.
The following cases are now supported & covered by the module:
* `nginx` is enabled with `nextcloud` enabled and other vhosts can be
added / other options can be declared without having to care
about the declaration's priority.
* Settings in the `nextcloud`-vhost in `nginx` have to be altered using
`mkForce` as this is the only way how we officially support `nginx`
for `nextcloud` and customizations have to be done explicitly using
`mkForce`.
* `nginx` will be completely omitted if a user enables nextcloud
and disables nginx using `services.nginx.enable = false;`. (because
nginx will be enabled by this module using `mkDefault`).
This reverts commit 128dbb31cc.
Closes#95259
nginx -t not only verifies configuration, but also creates (and chowns)
files. When the `nginx-config-reload` service is used, this can cause
directories to be chowned to `root`, causing nginx to fail.
This moves the nginx -t command into a second ExecReload command, which
runs as nginx's user. While fixing above issue, this will also cause the
configuration to be verified when running `systemctl reload nginx`, not
only when restarting the dummy `nginx-config-reload` unit. The latter is
mostly a workaround for missing features in our activation script
anyways.
Prior to this change, the `config` option (which allows you define the
haskell configuration for xmonad in your configuration.nix instead of
needing something in the home directory) prevents desktop manager
resources from starting. This can be demonstrated by configuring the
following:
```
services.xserver = {
displayManager.defaultSession = "xfce+xmonad";
displayManager.lightdm.enable = true;
desktopManager.xterm.enable = false;
desktopManager.xfce.enable = true;
desktopManager.xfce.enableXfwm = false;
desktopManager.xfce.noDesktop = true;
windowManager.xmonad = {
enable = true;
enableContribAndExtras = true;
extraPackages = haskellPackages: [
haskellPackages.xmonad-contrib
haskellPackages.xmonad-extras
haskellPackages.xmonad
];
config = ''
import XMonad
import XMonad.Config.Xfce
main = xmonad xfceConfig
{ terminal = "terminator"
, modMask = mod4Mask }
'';
};
};
```
and after user log in, search for xfce processes `ps aux | grep xfce`.
You will not find xfce processes running until after the xmonad process is killed.
The bug prevents utilities included with the desktopManager,
(e.g. powerManagement, session logout, etc.)
from working as expected.
Use StateDirectory to create necessary directories and hardcode some
paths. Also drop file based audit logs, they can be found in the
journal. And add module option deprecation messages.
In fd9eb16b24, the option
"services.nextcloud.nginx.enable" has been removed since the module now
exclusively supports nginx only.
Unfortunately, with the option gone from the manual, the link in the
Nextcloud-specific documentation referencing the NixOS option also
became a dead link and thus the manual will no longer build.
I also removed a second reference to this option in the Nextcloud-
specific documentation, which while it doesn't lead to a build error in
the manual is nevertheless a good idea to remove as well to ensure we
don't present outdated information to readers of the manual.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @DavHau, @Ma27
The missing () caused parts of the escripts to be added to the
ExecStartPost line instead of inside the script.
This caused postgresql start to fail under certain conditions.
This creates and opens a luks volume, puts its passphrase into a keyfile
and writes a /etc/crypttab. It then reboots the machine, and verifies
systemd parsed /etc/crypttab properly, and was able to unlock the volume
with the keyfile provided (as we try to mount it).
The memorySize of the VM had to be bumped, as luksFormat would otherwise
run out of memory.
There's a circular dependency to systemd via cryptsetup and lvm2
(systemd -> cryptsetup -> lvm2 -> udev=systemd).
However, cryptsetup only really needs the devmapper component shipped
with lvm2. So build `pkgs.cryptsetup` with a lvm2 that doesn't come with
udev.
Cookie jar can be used to accurately test if the login was successful.
Simply searching for the user name is not sufficient, since it is always
part of the returned page after login. The page should display a phrase
containing the username after login.
- Give a more accurate description of how fileSystems.<name/>.neededForBoot
works
- Give a more detailed description of how fileSystems.<name/>.encrypted.keyFile
works
In 9ac1ab10c9 this library function was
refactored to use mkfs.ext4 instead of cptofs. There are two problems:
If populateImageCommands would create no files (which is fine), a cp
invocation would fail due to missing source arguments.
Another problem is that mkfs.ext4 relies on fakeroot to have sane
uid/gids in the generated filesystem image. This currently doesn't
work for cross compiling.
- remove optons cfg.user, cfg.groups
- add option `serverUser` which is required when not using nginx
- add `serverUser` to nextcloud group
- set user/group to "nextcloud" for nextcloud services
- make setup-service non-root
There are circumstances where running secondary DHCP servers in
non-authoritative mode is advantageous. Retain the previous
authoritative behavior as a default.
This was omitted in the latest update.
Only adds ~400 KB.
It required adding openssl to tests so I tacked on some cleanups.
In particular, the GI_TYPELIB_PATH was already being set in the wrapper
so we can remove it from the module (not sure why Gtk was even there).
Also switched away from using pkgconfig and docbook_xsl aliases
and reordered the expression a bit.
Not strictly an upgrade, but adds a new mongodb-4_2 target with the
current mongodb from that branch.
Use matching client and server versions in mongodb tests- tests were
using the mongo 3.4 client to connect, and this finally doesn't work
with server 4.2.
Per reviewer suggestion, adding myself as cheetah3 maintainer.
Additionally, reestore comments describing the purpose of the
build-dependencies patch
Along with the `socat` fix in the parent commit, this makes
the Flatpak’s installed tests finally pass again.
The tests seem to need slightly over 2G of disk space,
and it appears that the test suite was ported to Python 3 in 1.5.1:
2b6641575d
Flatpak’s installed tests build Flatpak runtimes, among other things.
Upstream code does this by copying some programs on `PATH`
as well as some possible dependencies from host’s /usr.
We patch the code to use `nix-store --query --requisites`
to make the dependency discovery easier.
The Flatpak’s installed tests add `socat` to `PATH` and later run
`nix-store --query --requisites` on its location but it was failing with
error: path '/nix/store/qcyf7nq5vvfw32967sv4j6z190inrbrc-socat-1.7.3.4' is not valid
The issue occurred because, while the host Nix store is bind mounted into the test VM,
the VM’s store uses its own database that only contains the packages in the VM’s closure.
Since the test commands are not actually part of the VM but only passed through PTY,
the `flatpak.installedTests` derivation was not part of the VM’s closure, so `nix-store`
in the VM could not get information about its dependency `socat`.
Let’s make the `installedTests` of the tested package part of the test VM’s closure
by passing it as a global environment variable. This will also have the added benefit
that user no longer has to type the path when running the installed tests manually in the VM;
they can just use `gnome-desktop-testing-runner -d $TESTED_PACKAGE_INSTALLED_TESTS`,
which is much more conducive to tab completion.
* Update: https://gitlab.freedesktop.org/pwithnall/malcontent/-/releases/0.8.0
* Fix the separation patch.
* Add `itstool` to ui (needed for building localized help).
* Use `pkg-config` instead of the `pkgconfig` alias.
* Fix some issues related to multiple outputs:
* Make the module pass specific output to `dbus.packages` since the `dbus` NixOS module will not generate configuration with correct interface paths otherwise.
* Change `malcontent-ui` package to primarily-a-program type derivation (`out`+`lib` instead of `bin`+`out`) since there are more and more `malcontent-control`-specific assets.
* This also fixes the issue where application data (desktop files, icons…) were installed to `out`, which is not installed by `environment.systemPackages`/`system-path.nix`’s `buildEnv` by default when `bin` output is also present.
* Make `malcontent` package install `out` output too so that `system-path.nix` links that too. It contains the AccountsService & Polkit data files.
* Split the library and PAM module out of `malcontent.out` so that they are not installed with the data files.
* This revealed a bug in the `gobject-introspection` setup hook.