Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Co-authored-by: a-kenji <aks.kenji@protonmail.com>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: Brian Leung <leungbk@posteo.net>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Before this change, the description for
security.wrappers.<name>.capabilities made it seem like you could just
string together the names of capabilities like this:
capabilities = "CAP_SETUID,CAP_SETGID";
In reality, each item in the list must be a full-on capability clause:
capabilities = "CAP_SETUID=ep,CAP_SETGID+i";
This attribute set isn't passed through the NixOS config resolution
mechanism, which means that we can't use lib.mkDefault here.
Instead, just put it before any user overrides so that if the user
specifies this environment variable it'll just override it anyway.
Optional functionality of AusweisApp2 requires an UDP port to be opened.
The module allows for convenient configuration and serves as documentation.
See also https://github.com/NixOS/nixpkgs/issues/136269
deprecate literalDocBook by adding a warning (that will not fire yet) to
its uses and other docbook literal strings by adding optional warning
message to mergeJSON.
This reverts commit 05958b228b.
Issue https://github.com/NixOS/nixpkgs/issues/188998 is concerns quite a
few NixOS users with full disk encryption and custom keymap.
Since there hasn't been a proper fix agreed upon and merged, I am
reverting this.
The changes can be applied again, when it is ensured that they do not
break custom keymaps in initrd.
Summary: fix errors with example code in the manual that shows how to set up DNS-01 verification via the acme protocol, e.g. for those who want to get wildcard certificates from Let's Encrypt.
Fix syntax error in nix arrays (there should not be commas.)
Fix permissions on /var/lib/secrets so it can be read by bind daemon. Without this fix bind won't start.
Add the missing feature: put the generated secret into certs.secret
In order to be able to use the unixd service with the `verify_ca` and
`verify_hostnames` set to `true` it needs to be able to read the
certificate store. This change bind mounts the cacert paths for the
unixd service.
Allow @resources syscalls in the grafana.service unit. While Grafana
itself does not need them, some plugins (incl. first party) crash if
they fail to setrlimit. This was first seen with the official grafana
Clickhouse datasource plugin.
The @resources syscalls set is fairly harmess anyway.
`paperless-ngx.pythonPath` was incomplete due to the missing paperless-ngx
source, so it had to be amended in the service.
Instead of amending it, define it entirely in the service.
This allows an override of `paperless-ngx.propagatedBuildInputs` to be reflected
in the service's PYTHONPATH.
We are building fwupd daemon with polkit support which means
polkit daemon is required.
Previously polkit was enabled by default via udisks2 but that
stopped with f763710065
breaking the fwupd installed tests as a result.
Let’s add the polkit dependency to the fwupd module to ensure polkit is available.
Handing CAP_NET_BIND_SERVICE to the `paperless-web.service` only makes
sense when it actually wants to bind to a port < 1024. Don't hand it out
if that is not the case.
Finding out how to connect paperless to a PostgreSQL database via unix
sockets and peer authentication took me a few minutes, so leaving a hint
in the extraConfig example seems like a good idea to me.
Also remove unnecessary use of literalExpression for attribute set, it
is only required for complex values like functions or values that depend
on other values or packages.
After uploading a document through the webinterface I started seeing
it killed through the SYSBUS signal. Inspecting the call trace led me to
liblapack's memory allocator, that uses the mbind syscall on Linux.
Prior to this change, ffmpeg couldn't be built for an
environment.noXlibs system, because it would fail in:
ffmpeg → SDL2 → libdecor
ffmpeg certainly does not need support for SDL2 windowing on a noXlibs
system.
This fix is important because the minidlna NixOS test, which uses the
minimal profile (and therefore environment.noXlibs) and ffmpeg, can't
currently build.
The primary difference between the standard and minimal variants of
this package is that all the X libraries are removed from the minimal
variant.
I had to switch the order of the definitions in all-packages.nix to
avoid an infinite recursion after the overlay was applied.
When switching between different NixOS configurations (with and
without nullmailer and other services), it can happen that the UID of
the nullmailer user changes. When it happens, the nullmailer service
happily starts, but the user cannot send any email, because the
sendmail wrapper doesn't have permission to write them to the queue.
This commit prevents that. Instead of creating the directories by the
nullmailer user, which doesn't have permissions to change ownership,
we now create them by the systemd-tmpfiles, which has sufficient
permissions to adjust ownership.
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
there are sufficiently few variable list around, and they are
sufficiently simple, that it doesn't seem helpful to add another
markdown extension for them. rendering differences are small, except in
the tor module: admonitions inside other blocks cannot be made to work
well with mistune (and likely most other markdown processors), so those
had to be shuffled a bit. we also lose paragraph breaks in the list
items due to how we have to render from markdown to docbook, but once we
remove docbook from the pipeline those paragraph breaks will be restored.
mostly no rendering changes. some lists (like simplelist) don't have an
exact translation to markdown, so we use a comma-separated list of
literals instead.
this mostly means marking options that use markdown already
appropriately and making a few adjustments so they still render
correctly. notable for nftables we have to transform the md links
because the manpage would not render them correctly otherwise.
most of the screen tags used in option docs are actually listings of
some sort. nsd had a notable exception where its screen usage was pretty
much a raw markdown block that made most sense to convert into docbook lists.
the way these are written they introduce lots of whitespace in each
line, which will cause those lines to render as code when converted to
markdown. override the whole description instead.
- Replace misleading docs.
- Add new assertions to let configurations make more sense.
- Add clusterInit flag.
- Add some more docs about HA and non-HA modes setup.
- Improve multi-node tests for HA mode.
Fix https://github.com/NixOS/nixpkgs/issues/182085
Makes it easier to configure `rust-motd`. Currently, it takes care of
the following things:
* Creating a timer to regularly refresh the `motd`-text and a hardened
service (which is still root to get access to e.g. fs-mounts, but
read-only because of hardening flags).
* Disabling `PrintLastLog` in `sshd.conf` if the last-login feature of
`rust-motd` is supposed to be used.
* Ensure that the banner is actually shown when connecting via `ssh(1)`
to a remote server with this being enabled.
Syncthing config XML uses `fsPath` setting for specifying the path to the versioning folder. This commit adds `services.syncthing.folders.<name>.versioning.fsPath` option to enable this functionality declaratively. Previously, `versioning.params.versionsPath` was used, which doesn't work.
This config is removed when removing[1] fonts.fontconfig.hinting.style
option.
However, when adding[2] that option back, this config is missing.
[1]: 65592837b6
[2]: 659096dd89
Long story short: the SSH agent protocol doesn't support telling from
which tty the request is coming from, so the the pinentry curses prompt
appears on the login tty and messes up the output and may hang.
The current trick to workaround this is informing the gnupg agent every
time you start a shell: this assumes you will run `ssh` in the latest
tty, if you don't the latest tty will be messed up this time.
The ideal solution would be updating the tty exactly when (and where)
you run `ssh`. This is actually possible using a catch-all Match block
in ssh_config and using the `exec` feature that hooks a command to the
current shell.
Source for the new trick: https://unix.stackexchange.com/a/499133/110465
no change in rendered output. the html manual could render <screen>
blocks differently, but so far it hasn't (and if we need to make a
distinction we can use a special info string).
this notable also now interprets a markdown-flavored list in
triton_sd_config as actual markdown and renders it differently, but this
is arguably for the better (and probably the original intention).
no other rendering changes.
there seems to be a lot of markdown in the prometheus module that
should've been docbook instead. temporarily convert it to docbook to
keep the diff for the docbook->md conversion of prometheus inspectable.
When `nix.registry.<name>.flake` option is used, additional attributes of the flake were not written to the flake registry file because of a missing parenthesis.
#167013 introduced a property conflict with the concurrently-written commit
aea940da63, over property
systemd.services.prosody. Fix this by moving the reload option into the block.
This option is based on a recommendation from a page last updated in
2014 (see https://www.freedesktop.org/wiki/Software/Glamor/), and it
is not necessary anymore.
Also, it did the wrong thing: it forced DRI2, but Glamor should also
work with DRI3, that is a better option most of the time. So let's
remove this option, folks that still want to force this manually can do
so in other ways.
The split of Ethereum into Execution Layer and Consensus Layer adds a
requirement for communication between execution client and consensus
client using secur JWT tokens. In Geth this is configurable using the
`--authrpc.*` CLI flags which are currently not exposed by this service.
For more details read the following article:
https://geth.ethereum.org/docs/interface/consensus-clients
Signed-off-by: Jakub Sokołowski <jakub@status.im>
These are now required otherwise startup fails with:
> TypeError: 'NoneType' object is not subscriptable
The chosen levels are stricter than default but don't require unsupported signing or DB editing so seem like a reasonable high bar for now. It is easy for users to lower the levels so it is better to be stricter by default.
Default levels: 0ce0588725/mautrix_facebook/example-config.yaml (L247-L263)
This make the process of applying overlays more reliable by:
1. Ignoring dtb files that are not really device trees. [^1]
2. Adding a `filter` option (per-overlay, there already is a global one)
to limit the files to which the overlay applies. This is useful
in cases where the `compatible` string is ambiguous and multiple
unrelated files match.
Previously the script would fail in both cases.
[^1]: For example, there is dtbs/overlays/overlay_map.dtb in the
Raspberry Pi 1 kernel.
using regular strings works well for docbook because docbook is not as
whitespace-sensitive as markdown. markdown would render all of these as
code blocks when given the chance.
a lot of markdown syntax has already snuck into option docs, many of it
predating the intent to migrate to markdown. we don't convert all of it
here, just that which is accompanied by docbook tags as well. the rest
can be converted by simply adding the mdDoc marker.
this renders the same in the manpage and a little more clearly in the
html manual. in the manpage there continues to be no distinction from
regular text, the html manual gets code-type markup (which was probably
the intention for most of these uses anyway).
In version 1.5.5 of fwupd the uefi plugin was renamed to
uefi-capsule. As part of those changes the configuration file was
renamed and changed.
This modules configuration mismatch was generally hidden because
when udisks2 is enabled fwupd will use that instead. Without
udisks2 the following warning is seen:
WARNING: UEFI ESP partition not detected or configured
While it might seem odd, 0.0.0.0/0 or ::/0 gateways are valid and
commonly used on point-to-point links (e.g. a wireguard tunnel) to
indicate that all traffic needs to be sent to a given interface.
systemd-networkd actually documents this as a valid configuration in its
man pages [1].
Tested to do the right thing in one of my NixOS containers using
a Wireguard tunnel as its default route.
[1] https://www.freedesktop.org/software/systemd/man/systemd.network.html#DefaultRouteOnDevice=
According to pulseaudio(1), a system wide pulseaudio instance
can only be accessed by members of the `pulse-access` group.
This name seems to be hardcoded in
pulseaudio -- I didn't find any switch to change it.
We need to define the group so users can connect to the deamon.
This commit also fixes the systemwide pulseaudio vm test:
Previously, the test user `alice`
was just a member of the `audio` group.
This blocked access to the daemon and failed the test.
The commit changes the group assignment and fixes the vm test.
This does make the out-of-the-box install perhaps a bit worse, since
networking may need to be manually configured. However, it makes it less
frustrating that upon every start of this service, a *removed* autostart
network will be re-added when removed by the user. See
https://github.com/NixOS/nixpkgs/issues/73418 for details.
Behavior from other distros:
- Adds autostart net on install: Fedora
- Does not add autostart net : Debian, Arch
This does not break any existing installs since it does not affect any
autostart network already in-place.
Enable keter module
Keter is an apploader which:
1. has the old app running on a port.
2. loads a new one, and wait for that to complete
3. switches the old with the new one once the new one finished loading.
It supports more functionality but this use case
is the primary one being used by supercede.
Adds keter as a module to nixos.
Currently keter is unusable with nix,
because it relies on bundeling of a tar and uploading that to a specific folder.
These expressions automate these devops tasks,
with especially nixops in mind.
This will work with versions above 1.8
The test seems to work.
This uses a new version of keter which has good
support for status code on error pages.
We're using this config at production at supercede
so it should be fine.
Squash log:
==========
mention keter in changelog
Update generated release notes
Always restart keter on failure
This is a little bit of extra stability in case keter crashes.
Which can happen under extreme conditions (DoS attacks).
Update nixos/doc/manual/release-notes/rl-2205.section.md
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/module-list.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Remove sanitization
don't put domain in as a string
Update nixos/tests/keter.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
add jappie as module maintainer
Use type path instead of two seperate options
Fix generated docs
added test machinery to figure out why it's failing
Fix the test, use console output
run nixpkgs-fmt on all modules
Inline config file.
This get's rid of a lot of inderection as well.
Run nix format
remove comment
simplify executable for test
delete config file
add config for keter root
Remove after redis clause
set keter root by default to /var/lib/keter
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
fix nit
add newlines
add default text and move description in a long description
Delete rather obvious comment
fix release db thing
remove longDescription and put it in a comment instead
change description of mkEnalbeOption
explain what keter does by using the hackage synopsis
set domain to keterDomain and same for executable
move comment to where it's happening
fix type error
add formatting better comment
try add seperate user for keter
Revert "try add seperate user for keter"
This reverts commit d3522d36c96117335bfa072e6f453406c244e940.
Doing this breaks the setup
set default to avoid needing cap_net_bind_service
remove weird comment
use example fields
eleborated on process leakage
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
run nixpkgs-fmt
update docs
Fix formatting, set keter package by default
format our little nixexpr
replace '' -> " where possible
drop indent for multiline string
make description much shorter
regen docs database
