This is not a breaking change. Existing setups continue to work as-is.
Users of `cfg.mailerPasswordFile` will get an option rename/deprecation
warning, but that's it (assuming there is no regression).
This adds `cfg.secrets`, which is a wrapper over systemd's
`LoadCredential=` leveraging Forgejo's `environment-to-ini`.
`environment-to-ini` is intended for configuring Forgejo in OCI
containers.
It requires some fairly annoying escaping of the section names to fit
into the allowed environment variable charset.
E.g. `"log.console".COLORIZE = false` becomes
`FORGEJO__LOG_0x2E_CONSOLE__COLORIZE=false`.
- `.` needs to be replaced with `_0X2E_` and
- `-` needs to be replaced with `_0X2D_`
Those are simply the hex representation of each char from an ASCII
table:
. = ASCII 46 = 46 (decimal) = 2E (hex) = 0x2E = _0X2E_
To make interacting with `environment-to-ini` less annoying, we template
and escape the sections/keys in nix:
`cfg.secrets` takes the same free-form sections/keys as `cfg.settings`.
Meaning there is now a generalized abstraction for all keys, not just
those that have been manually implemented in the past.
It goes as far as theoretically allowing one to have `DEFAULT.APP_NAME`
read from a secret file.
I don't know why one would want to do that, but it has been made
possible by this :^)
More reasonable examples are listed in the `cfg.secrets` option example.
We also continue to bootstrap a handful of secrets like
`security.SECRET_KEY`. This is done in a sort of sidecar bootstrap unit
fittingly called `forgejo-secrets.service`.
Overriding those is, just like before, not really intended and requires
the use of `lib.mkForce` and might lead to breakage. But it is, in a
way, more possible than before.
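
The escaping described above, written out in Nix as an added example (not the module's own code): it turns a `cfg.secrets`-shaped attribute set into escaped variable names and `LoadCredential=` entries, so that only file paths, never secret values, are part of the evaluated configuration. The `__FILE` suffix, the `%d` credentials-directory specifier, the credential ids, the output attribute names and the sample paths are assumptions of this example.

```nix
# Added example, not taken from nixpkgs. Evaluate with:
#   nix-instantiate --eval --strict --json example.nix
let
  lib = import <nixpkgs/lib>;

  # Upper-case a section or key name, then hex-escape the two characters
  # the commit message names: "." -> _0X2E_ and "-" -> _0X2D_.
  envEscape = s:
    lib.replaceStrings [ "." "-" ] [ "_0X2E_" "_0X2D_" ] (lib.toUpper s);

  # Constructed input: same free-form section/key layout as cfg.settings,
  # but every value is the path of a file holding the secret.
  secrets = {
    mailer.PASSWD = "/run/keys/forgejo-mailer-password";
    "log.console"."EXAMPLE-KEY" = "/run/keys/example"; # hypothetical key
  };

  # Flatten section -> key -> path into one entry per secret.
  entries = lib.concatLists (lib.mapAttrsToList
    (section: keys:
      lib.mapAttrsToList
        (key: path: {
          # Assumption: environment-to-ini reads the value from a file
          # when the variable name carries a __FILE suffix.
          env = "FORGEJO__${envEscape section}__${envEscape key}__FILE";
          inherit path;
        })
        keys)
    secrets);
in
{
  # systemd copies each file into the unit's private credentials directory.
  # The credential id reuses the variable name (a choice of this example).
  LoadCredential = map (e: "${e.env}:${e.path}") entries;

  # The variable holds only the path inside the credentials directory
  # (%d), so the secret itself never reaches the Nix store or the unit file.
  Environment = map (e: "${e.env}=%d/${e.env}") entries;
}
```
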
The accounts directory is based on the hash of the settings.
https://github.com/NixOS/nixpkgs/pull/270221 changed the default of
security.acme.defaults.server from null to the default letsencrypt URL;
however, as an unwanted side effect, this means the accounts directory
changes and the ACME module will create a new account.
This can cause issues with people using CAA records that pin the
account ID or people who have datacenter-scale NixOS deployments.
We allow setting this option to null again for people who want
to keep the old account and migrate at their own leisure.
Fixes https://github.com/NixOS/nixpkgs/issues/316608
Co-authored-by: Arian van Putten <arian.vanputten@gmail.com>
The comment says this is required by other modules but to be honest, I
cannot see where. Bootloaders will be included automatically by nixos
generation if their `installBootLoader` attribute references it.
This helps us to make kexec images even smaller especially when
combined with the perlless profile.
The nvidia-modeset module is loaded, which in turn pulls in the nvidia module. This makes bbswitch fail to turn off the card since it would be in use by the module.
Use the `cfg.package.version` (string) instead of the entire package so
users don't see `error: value is a set while a string was expected`
instead of the intended assertion message.
- Use the print dialog to create a sample score.
- Copy also the sample score from the vm to $out of the test.
- Create a few more screenshots.
- Only use machine.wait_for_window, never machine.wait_for_text which
requires OCR which is slow.
- Set XDG_RUNTIME_DIR so it won't dump core.
This prevents the post start script from running
before necessary sockets have been created.
It also prevents an unused shell from being kept around
by using `exec` to make `notify_push` the main process.
When services.gollum.{user,group} was specified a value other than its
default (i.e. "gollum"), the build failed due to referencing a
non-existing user.
Propagate the configuration setting through an envvar, check the envvar in the compositor.
Needed because querying AccountsSettings for this information fails, due to Ubuntu-only
"InputSources" interface. So you're stuck on US layout without this hack.
The memory limit is equal to what's configured in php-fpm. Given that we
run in a different environment, it seems reasonable to allow different
memory constraints here.
nix tests now moved to `nixosTests.nix-misc`
Revert "nixos/tests/misc: support old and new path-info output structure"
This reverts commit 903f315fe5.
Revert "nixos/tests/misc: call the tester `test` to be `callTest`-ed"
This reverts commit b35ccb7fda.
Revert "nixos/tests/misc: rework and take ownership"
This reverts commit 81854ca604.