The systemd-coredump module required systemd to be built with
withCoredump=true, even if the module was disabled.
- allow systemd to be missing systemd-coredump if the module is disabled
- switch to mkDefault for the sysctl config to allow user overrides when
the module is disabled
- add nixos tests for both the enabled and disabled cases
`cosigned` is no more part of the cosign repository and it has been moved
into a `sigstore/policy-controller` repository. A new package should probably
be created to replace it.
https://github.com/sigstore/cosign/releases/tag/v1.10.0
Instead of enabling the PAM modules based on config.krb5.enable,
introduce a new option to control the PAM modules specifically.
Users may want to turn on config.krb5.enable, to get a working Kerberos
client config with tools like kinit, while letting pam_sss or something
else handle Kerberos password lookups.
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute who's value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
Move the defaults to the `config` section of the module, and apply them
with mkDefault.
That way the defaults are merged with user-provided config, and are
merged without having to use lib.mkForce.
with ever more options being markdown rather than docbook the conversion
time is starting to become a significant factor of doc build time.
luckily we can pre-convert all nixos option docs to MD and cache the
result of this conversion, then merge the already-converted json file
with user option docs. we leave options.json unconverted to keep it as
close to the actual nix code as possible.
during docs conversion it can be very useful to know exactly *where* the
error the script complained about is. the name of the option should be
sufficient since option merging is rather rare, and won't merge doc
attributes anyway.
New web builds required updated title information to look for.
Rocket by default only listens on localhost, set to 0.0.0.0 to be
reachable by the client.
Selenium/Webdriver API changes required updates to function calls.
That way the `backupCleanupCommand` can also run when the backup service
failed for some reason.
Fixes: #182089.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
This change allows detecting configuration errors during
switch-to-configuration instead of them being reported asynchronously
*after* switch-to-configuration has exited.
(And update the NixOS test accordingly.)
Due to recent changes (likely a sqlite3 update) the sqlite3 meta-command
did suddenly succeed while sqlite3 is still unable to read the still
encrypted database. It just prints the following output and doesn't
seem to try to open/read the DB (which would fail):
```
main: /home/alice/.config/Signal/sql/db.sqlite r/w
```
We can simply fix this "regression" by instructing sqlite3 to list the tables
in the database (which fails because it cannot read the encrypted DB):
```
machine: must fail: su - alice -c 'sqlite3 ~/.config/Signal/sql/db.sqlite .tables'
machine # [ 47.036720] su[1178]: Successful su for alice by root
machine # [ 47.041049] su[1178]: pam_unix(su:session): session opened for user alice(uid=1000) by (uid=0)
machine # Error: file is not a database
machine # [ 47.116070] su[1178]: pam_unix(su:session): session closed for user alice
(finished: must fail: su - alice -c 'sqlite3 ~/.config/Signal/sql/db.sqlite .tables', in 0.12 seconds)
```
Fix#181463.
The suspend-then-hibernate functionality is implemented by systemd in
the suspend-then-hibernate.target, separately from suspend.target and
hibernate.target. Thus post-resume would not run after resuming from
suspend-then-hibernate.
Fix this by explicitly making post-resume run after
suspend-then-hibernate.
The ConditionFileNotEmpty override patch wasn't correct for stage1, which
does have the modules in /lib. So, remove the patch and set
the right path with overrides in the final system.
Also, make sure systemd-tmpfiles-setup-dev is pulled in to create
all the necessary symlinks.
We want Openldap clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf which is always a sample config.
Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.
Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.
This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)
Fixes#181937.
Fix bug where pam_u2f options would be partially included in other pam.d
files if the module was enable for specific services, resulting in
broken configuration.
If a host key file is a symlink pointing to an as of yet non-existent
file, we don't want to remove it, but instead follow the symlink and
create the file at that location.
See https://github.com/nix-community/impermanence/issues/101 for more
information on the issue the original behavior creates.
Within a dual VM test-setup a strange behaviour was observed.
The two VMs are connected via one vde_switch instance
(instancevirtualisation.vlans = [ 1 ]; IMO a bad attribute name for
switch instances, has nothing to do with VLANs in sense of 802.1Q).
A ping on the base interface (eth1) works, but not on VLAN
subinterfaces (vlan1@eth1). A tcpdump of eth1 includes the ARP requests
tagged with the subinterfaces VLAN ID, but responses seems not to pass
the vde_switch. This works fine if performed on the base interface.
Putting the vde_switch in hub mode results in flooding
traffic to all vde_switch ports. This results in a expected behaviour
and a ping on a VLAN subinterface works as expected.
Signed-off-by: Philippe Schaaf <philippe.schaaf@secunet.com>
airsonic_is_up should return a bool, but machine.succeed returns a
string causing testScriptWithTypes to fail. This is fixed by executing
the cmd with machine.execute and checking the status code.
We want Openldap clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf which is always a sample config.
Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.
Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.
This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)
Fixes#181937.
Setting `cgroup-driver=systemd` was originally necessary to match with
docker, else the kubelet would not start (#111835)
However, since then, docker support has been dropped from k3s (#177790).
As such, this option is much less necessary.
More importantly, it now seems to be actively causing issues. Due to an
upstream k3s bug, it's resulting in the kubelet and containerd having
different cgroup drivers, which seems to result in some difficult to
debug failure modes.
See
https://github.com/NixOS/nixpkgs/issues/181790#issuecomment-1188840862
for a description of this problem.
Removing this flag entirely seems reasonable to me, and it results in
k3s working again on my machine.
The group configuration parameter allow to share access to yggdrasil
control socket with the users in the system. In the version we propose,
it is null by default so that only root can access the control socket,
but let user create their own group if they need.
Remove User= durective in systemd unit. Should a user with the specified
name already exist in the system, it would be used silently instead of a
dynamic user which could be a security concern.
Since version 0.4 Yggdrasil works again using systemd's DynamicUser option.
This patch reenables it to improve security.
We tested this with both persistent and non-persistent keys. Everything
seems to work fine.
This avoids putting a large disk image in the store (and possibly
in a binary cache), while improving runtime performance.
Assuming you're running an SSD, and/or with plenty of cache (?)
it is feasible to preempt the virtualization overhead before
VM start, in single-digit seconds.
For some tests that perform many reads on the store, the improved
performance of EROFS is sufficient that not only the image creation
overhead is compensated for, but is actually faster.
Stats for nixosTests.gitlab:
Baseline without useNixStoreImage: >1000s
Baseline with useNixStoreImage without writableStore = false
ext4 image in store: 277 seconds
+ significant image build time and/or disk space
Disposable erofs image: 249 seconds _including_ image build time
Custom erofs overlay on 9p host store: 391 seconds; presumably
because the overlay still performs too many 9p accesses, or perhaps
some other overhead. This solution had no obvious performance
advantage, while requiring extra options to work, so it was
discarded.
The option `services.jira.sso.applicationPassword` has been replaced by
`applicationPasswordFile` that needs to be readable by the `jira`-user
or group.
The new `crowd.properties` is created on startup in `~jira` and the
secret is injected into it using `replace-secret`.
Rely on services.jenkins-job-builder to reload the configuration instead
of doing that manually in the test.
(If this had been implemented already, it would have caught the bug
fixed by the parent commit, that services.jenkins-job-builder failed to
reload jenkins config from disk.)
The current authentication code is broken against newer jenkins:
jenkins-job-builder-start[1257]: Asking Jenkins to reload config
jenkins-start[789]: 2022-07-12 14:34:31.148+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 31e96e52938b51f099a61df9505a4427cb9dca7e35192216755659032a4151df. If you are calling this URL with a script, please use the API Token instead. More information: https://www.jenkins.io/redirect/crumb-cannot-be-used-for-script
jenkins-start[789]: 2022-07-12 14:34:31.160+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /reload by admin. Returning 403.
jenkins-job-builder-start[1357]: curl: (22) The requested URL returned error: 403
Fix it by using `jenkins-cli` instead of messing with `curl`.
This rewrite also prevents leaking the password in process listings. (We
could probably do it without `replace-secret`, assuming `printf` is a
shell built-in, but this implementation should be safe even with shells
not having a built-in `printf`.)
Ref https://github.com/NixOS/nixpkgs/issues/156400.
Instead of hard-coding a single `configFile` for
`privacyidea-ldap-proxy.service` which is pretty unmergable with other
declarations it now uses a RFC42-like approach. Also to make sure that
secrets can be handled properly without ending up in the Nix store, it's
possible to inject secrets via envsubst
{
services.privacyidea.ldap-proxy = {
enable = true;
environmentFile = "/run/secrets/ldap-pw";
settings = {
privacyidea.instance = "privacyidea.example.org";
service-account = {
dn = "uid=readonly,ou=serviceaccounts,dc=example,dc=org";
password = "$LDAP_PW";
};
};
};
}
and the following secret file (at `/run/secrets`):
LDAP_PW=<super-secret ldap pw>
For backwards-compat the old `configFile`-option is kept, but it throws
a deprecation warning and is mutually exclusive with the
`settings`-attrset. Also, it doesn't support secrets injection with
`envsubst` & `environmentFile`.
Wait until home-assistant is fully reloaded or restarted to spot
possible errors during startup.
Swap out bluetooth_tracker for esphome, since the bluetooth tracker
causes errors, when it does not find a bluetooth device.
Drop mosquitto from the environment. It wasn't used since the 2022.3.0
release when MQTT stopped being configurable from the YAML config.
It has been like this since the module was added, but it hasn't caused
problems because greetd assumes a default user of "greeter"[1] when it
isn't found anyway
[1]: d700309623/item/greetd/src/config/mod.rs (L127)
Suppose you want to provide a LDAP-based directory search to your
homeserver via a service-user with a bind-password. To make sure that
this doesn't end up in the Nix store, it's now possible to set a
substitute for the bindPassword like
services.mxisd.extraConfig.ldap.connection = {
# host, bindDn etc.
bindPassword = "$LDAP_BIND_PW";
};
and write the actual secret into an environment file that's readable for
`mxisd.service` containing
LDAP_BIND_PW=<your secret bind pw>
and the following setting in the Nix expression:
services.mxisd.environmentFile = "/runs/ecrets/mxisd";
(cherry picked from commit aa25ce7aa1a89618e4257fd46c7d20879f54c728)
Without this change, configurations like
```nix
fileSystems."/path/to/bindMountedDirectory" = {
device = "/path/to/originalDirectory";
options = [ "bind" ];
};
```
will lead to a warning message in `dmesg`:
```
systemd-fstab-generator: Checking was requested for "/path/to/originalDirectory", but it is not a device.
```
This happens because the generated /etc/fstab entry contains a non-zero fsck pass number, which doesn't make sense for a bind mount.
This reverts commit 7141ab0f0b.
reverting this for now to unblock staging-next
{UNKNOWN}: aggregate job ‘tested’ failed with the error: nixpkgs.tests.packageTestsForChannelBlockers.curl.withCheck.x86_64-linux: does not exist
at /nix/store/9i92scfqz5idhmjrmjnqhrvjgyydzfns-hydra-perl-deps/lib/perl5/site_perl/5.34.0/Catalyst/Model/DBIC/Schema.pm line 526
...by using `replace-secret` instead of `sed` when injecting the
password into the ddclient config file. (Verified with `execsnoop`.)
Ref https://github.com/NixOS/nixpkgs/issues/156400.
* Update to the latest upstream version of pass-secret-service that includes
systemd service files.
* Add patch to fix use of a function that has been removed from the Python
Cryptography library in NixOS 22.05
* Install systemd service files in the Nix package.
* Add NixOS test to ensure the D-Bus API activates the service unit.
* Add myself as a maintainer to the package and NixOS test.
* Use checkTarget instead of equivalent custom checkPhase.
The `bash` binary is needed for running some plugins, notably the alarm notify plugins. If the binary isn't in the path, alarms notifications aren't sent and the netdata error log instead contains `/usr/bin/env: 'bash': No such file or directory`.
The FUSE mount functionality of IPFS was broken by the update to v0.13.0, so disable it. Hopefully it will be fixed soon.
See https://github.com/ipfs/kubo/issues/9044.
The ${opt.*} syntax will print the full path when NixOS is used
as a submodule.
nixpkgs.system / nixpkgs.localSystem must not be read by any
other module because its meaning is ambiguous in cross vs
non-cross contexts. hostPlatform is generally what you need.
*Where* you build something generally doesn't matter in a
system _configuration_ context like NixOS.
Due to lack of maintenance. It is not compatible with the default
Python version (due to the tornado 5) dependency, and doesn't look
like it will be any time soon.
Install Parallel Tools updated for version 17 of Parallels for macOS. This
fixes clipboard sharing, so that copy and paste works between the host
macOS and the guest NixOS VM. Support for guests on M1 Apple Silicon-based
Macs (aarch64-linux) is also added.
Co-authored-by: Paul Smith <paulsmith@gmail.com>
Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
