* Update attribute names in code examples (* -> settings.*).
* Use `nix-shell -p` rather than `nix run` because the example won't
work with the current default Nix.
* Update config values for `element-web`.
* Fix link to `element-web` security considerations.
* Make the synapse expression even smaller and use callout-lists to
explain the code.
* Document how to correctly deploy the shared registration secret.
[1] https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
According to https://grafana.com/docs/agent/latest/upgrade-guide/#v0240,
this has been deprecated/moved to -server.http.address and
-server.grpc.address (accepting ip and port) config options in v0.24.0,
and already listens on localhost and not port 80 by default.
According to https://github.com/grafana/agent/pull/1540, -prometheus.*
flages were deprecated in 0.19.0 in favor of the -metrics.*
counterparts. Same applies to `loki` being renamed to `logs`.
I'm not sure if the config file format is still supported (it could be),
but we shouldn't use deprecated configs.
The preStart script for the IPFS service will print parts of the configuration
to stdout (and therefore, the journal) when applying profiles on startup. This
may lead to unwanted disclosure of private information, such as remote pinning
service API keys. Fix by sending stdout to /dev/null.
Commit 8109d8a set the `StateDirectory=` option of the systemd service
configuration to the value of `cfg.workDir` which is wrong, according
to dasJ [1]. This commit resolves this issue by stripping the
`/var/lib/` prefix from `cfg.workDir`.
[1] https://github.com/NixOS/nixpkgs/pull/172824#issuecomment-1130350412
On one of the two machines I have running openldap, openldap failed to start due to a "timeout". Increasing the allowed startup delay didn't help.
I noticed the following in logs:
```
openldap.service: Got notification message from PID 5224, but reception only permitted for main PID 5223
```
It turns out that on this machine at least, openldap apparently sends the notification from a non-main process, which means that we need this NotifyAccess setting for systemd to record that it successfully started. Without it, after 30 seconds systemd kills the process because it didn't receive the sd_notify call.
Somehow the other machine I have on nixos running ldap works fine even without this, but I could not figure out what changes the behavior.
Given that AFAIU NotifyAccess still restricts to "from the cgroup of the service", I think this change should be safe.
