xss-lock needs XDG_SESSION_ID to respond to loginctl lock-session(s)
(and possibly other session operations such as idle hint management).
This change adds XDG_SESSION_ID to the list of imported environment
variables when starting systemctl.
Inspired by home-manager, add importVariables configuration.
Set session to XDG_SESSION_ID when running xss-lock as a service.
Co-authored-by: misuzu <bakalolka@gmail.com>
Attempting to reuse keys on a basis different to the cert (AKA,
storing the key in a directory with a hashed name different to
the cert it is associated with) was ineffective since when
"lego run" is used it will ALWAYS generate a new key. This causes
issues when you revert changes since your "reused" key will not
be the one associated with the old cert. As such, I tore out the
whole keyDir implementation.
As for the race condition, checking the mtime of the cert file
was not sufficient to detect changes. In testing, selfsigned
and full certs could be generated/installed within 1 second of
each other. cmp is now used instead.
Also, I removed the nginx/httpd reload waiters in favour of
simple retry logic for the curl-based tests
The cyclic dependency of systemd → cryptsetup → lvm2 → udev=systemd
needs to be broken somewhere. The previous strategy of building
cryptsetup with an lvm2 built without udev (#66856) caused the
installer.luksroot test to fail. Instead, build lvm2 with a udev built
without cryptsetup.
Fixes#96479.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Testing of certs failed randomly when the web server was still
returning old certs even after the reload was "complete". This was
because the reload commands send process signals and do not wait
for the worker processes to restart. This commit adds log watchers
which wait for the worker processes to be restarted.
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests
I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.
I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.
- Fix duplicate systemd rules on reload services
Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
This allows the user to configure systemd tmpfiles.d via
`environment.etc."tmpfiles.d/X.conf".text = "..."`, which after #93073
causes permission denied (with new X.conf):
```
ln: failed to create symbolic link '/nix/store/...-etc/etc/tmpfiles.d/X.conf': Permission denied
builder for '/nix/store/...-etc.drv' failed with exit code 1
```
or collision between environment.etc and systemd-default-tmpfiles
packages (with existing X.conf, such as tmp.conf):
```
duplicate entry tmpfiles.d/tmp.conf -> /nix/store/...-etc-tmp.conf
mismatched duplicate entry /nix/store/...-systemd-246/example/tmpfiles.d/tmp.conf <-> /nix/store/...-etc-tmp.conf
builder for '/nix/store/...-etc.drv' failed with exit code 1
```
Fixes#96755
GPaste ships keybindings for gnome-control-center. Those depend on GSettings schemas
but there is currently no mechanism for loading schemas other than using global ones
from $XDG_DATA_DIRS. Eventually, I want to add such mechanism but until then,
let's return the impure sessionPath option that was removed in
f63d94eba3
The Deepin Desktop Environment (DDE) is not yet fully packaged in
nixpkgs and it has shown a very difficult task to complete, as
discussed in https://github.com/NixOS/nixpkgs/issues/94870. The
conclusion is that it is better to completely remove it.
The incompatibility does not seem to exist any more: programs linked against fc 2.12
on fc 2.14 system seem to at least display text, even while printing tons of errors
(as long as you generate fc cache manually), and same thing the other way around.
Hopefully it will not be an issue in the future.
$EDITOR is allowed to contain flags, so it is important to allow the
shell to split this normally. For example, Sublime Text needs to be
passed --wait, since otherwise it will daemonise.
$NIXOS_CONFIG can be set to a directory, in which case the file used
is $NIXOS_CONFIG/default.nix. This updates 'nixos-rebuild edit' to
handle that case correctly.
This allows to perform `dd if= of=$img` after the image is built
which is handy to add e.g. uBoot SPL to the built image.
Instructions for some ARM boards sometimes contain this step
that needs to be performed manually, with this patch it can be
part of the nix file used to built the image.
declare -a is not sufficient to make the array variable actually
exist, which resulted in the script failing when the target object did
not have any DT_NEEDED entries. This in turn resulted in some
initramfs libraries not having their rpaths patched to point to
extra-utils, which in turn broke the extra-utils tests.
rfkill was subsumed by util-linux in 2017 [1], and the upstream has not
been updated in over 5 years [2]. This package shadows the rfkill from
util-linux, so it can be completely removed with no breaking changes,
because util-linux is in the base package set in nixos/system-path.
[1] d17fb726b5
[2] https://git.sipsolutions.net/rfkill.git/log/
If the config does not exist, then apparmor_parser will throw a warning.
To avoid that and make the parser configurable, we now add a new option
to it.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This adds the pinns path to the configuration let CRI-O start properly.
We also change the configuration to the new drop-in syntax.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
If `qemu-vm.nix` is imported, the option `virtualisation.qemu.consoles`
should be set to make sure that the machine's output isn't rendered on
the graphical window of QEMU.
This is needed when interactively running a NixOS test or in conjunction
with `nixos-build-vms(8)`.
The patch 2578557530 tries to only do this
if the option actually exists, however this condition used to be always
false since `options` wasn't imported in the module and pointed to
`lib.options` due to the `with lib;`-clause.