The SLIM project is abandoned and their last release was in 2013.
Because of this it poses a security risk to systems, no one is working
on it or picked up maintenance. It also lacks compatibility with systemd
and logind sessions. For users, there liikely isn't anything like slim
that's as lightweight in terms of dependencies.
Slurmdbd requires a password database which is stored in slurmdbd.conf.
A seperate config file avoids that the password ends up in the nix store.
Slurmdbd does 19.5 does not support MySQL socket conections.
Adapated the slurm test to provide username and password.
* Fix path in module for slurm to find plugstack.conf
* Fix configure flags so that slurm can be compiled
without internal X11 support (required for spank-x11).
This prevents services to be started before they're initialized, and
renders the `systemd.targets.ceph.wantedBy = lib.mkForce [];` hack in
the vm tests obsolete - The config now starts up ceph after a reboot,
too.
Let's take advantage of that, crash all VMs, and boot them up again.
Don't pass user and group to ceph, and rely on it to drop ceps, but let
systemd handle running it as the appropriate user.
This also inlines the extraServiceConfig into the makeService function,
as we have conditionals depending on daemonType there anyways.
Use StateDirectory to create directories in
/var/lib/ceph/${daemonType}/${clusterName}-${daemonId}.
There previously was a condition on daemonType being one of mds,mon,rgw
or mgr. We only instantiate makeServices with these types, and "osd" was
special.
In the osd case, test examples suggest it'd be in something like
/var/lib/ceph/osd/ceph-${cfg.osd0.name} - so it's not special at all,
but exactly like the pattern for the others.
During initialization, we also need these folders, before the unit is
started up. Move the mkdir -p commands in the vm tests to the line
immediately before they're required.
The two new options make it possible to create the interface in one namespace
and move it to a different one, as explained at https://www.wireguard.com/netns/.
In cases where you boot up really quickly (like in the VM test on a
non-busy host), tinydns might want to bind before the loopback interface
is fully up. Order tinydns after network.target to fix that.
Incorrect merging of modules resulted in dhcpcd being enabled causing flaky network connection.
https://github.com/NixOS/nixpkgs/pull/64364
Fixing it uncovered an infinite recursion from the same commit, previously masked by the incorrect merge.
We can just drop the `mkDefault` for `networking.wireless.enable` as it is already `false` by default.
Closes: https://github.com/NixOS/nixpkgs/issues/72416
When we did the revert of adding gnome-flashback to systemd.packages [0]
I forgot to test with other display managers. If we use GDM with gnome-flashback
it appears it doesn't try to fallback to non-systemd startup and always fails and
starts the regular gnome-session. So adding gnome-flashback to systemd.packages
was perfectly fine, but we did forgot one detail. We need systemd targets for the
customSessions which is added using mkSystemdTargetForWm in the gnome-
flashback package.
[0]: 42f567b30d
When the option services.vault.storageBackend is set to "file", a
systemd.tmpfiles.rules was added, with extraneous []. These are not
needed and have been removed.
This is a good example of a package/module that should be distributed
externally (e.g. as a flake [1]): it's not stable yet so anybody who
seriously wants to use it will want to use the upstream repo. Also,
it's highly specialized so NixOS is not really the right place at the
moment (every NixOS module slows down NixOS evaluation for everybody).
[1] https://github.com/edolstra/jormungandr/tree/flake
Instead of assign the libinput options to touchpad devices only, it
should be appied by any device using libinput.
Due to the fact that `40-libinput.conf` already defines libinput as
driver for any detected input device, we can use `MatchDriver` to appy
options.
I've noticed a similar issue in Pantheon, without this
sound theme installed there's no system sounds.
I believe it's because the gnome theme and the pantheon
theme inherit this one.
It seems that dnsdist doesn't actually request CAP_NET_BIND_SERVICE, which is why normally it's executed and root and setuids to another, unprivileged, user. This means that as it is, dnsdist will be unable to bind to any port under 1024 and will fail with access denied.
Removing CAP_SETGID and CAP_SETUID is also related to this as we don't actually change the uid or gid after the fact as we use DynamicUser. (That part isn't strictly NEEDED but there's no reason to have those capabilities if we don't use them).
There are also some additional sandboxing we can remove from the service definition as they are assumed true or strict by DynamicUser: specifically PrivateTmp and ProtectSystem respectively.
ProtectHome is still there, despite being assumed read-only as setting it to true means they are seen as empty. I don't think it really matters as I don't know if systemd will ignore it or not, but I didn't see any reason to go hunting for excuses to make it a bigger change.
- spawn the geoclue-agent directly instead of running it via bash
- document why we cannot use DynamicUser = true
- have systemd create the home directory instead of using an explicit
tmpfiles.d fragment
* lm_sensors: add fancontrol module + nixos test
fancontrol is a small script that checks temperature sensors and adapts
fan speeds accordingly. It reads a text config file that can be
auto-generated by running the pwmconfig wizard on the live system.
Default behavior is to continue executing the script even when one or
multiple steps fail. We want to abort early if any part of the
initialization fails to not run with a partially initialized state.
Default behavior also allows dereferencing non-existent variables,
potentially resulting in hard-to-find bugs.
This option was removed because allowing (multiple) regular users to
override host entries affecting the whole system opens up a huge attack
vector. There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using networking.hosts,
provide them via the DNS server in your network, or use
networking.networkmanager.appendNameservers to point your system to
another (local) nameserver to set those entries.
