This commit refactors `services.grafana.provision.datasources` towards
the RFC42 style. To preserve backwards compatibility, we have to jump
through a ton of hoops, introducing esoteric type signatures and bizarre
structs. The Grafana module definition should hopefully become a lot
cleaner after a release cycle or two once the old configuration style is
completely deprecated.
This is done for sd-images only here, but should probably also be done
for dvd-images.
The --invariant arg should be a better way of making mkfs.vfat deterministic.
The previous version of invoking faketime was building fine and reproducible
when I was compiling an sdimage for aarch64 under emulation.
It was however still logging errors:
ERROR: ld.so: object '/nix/store/1c2cp2709kmvby8ql2n9946v7l52nn50-libfaketime-0.9.9/lib/libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/nix/store/1c2cp2709kmvby8ql2n9946v7l52nn50-libfaketime-0.9.9/lib/libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
The logged errors were presumably inaccurate somehow as calling
faketime was required for reproducibility, even though the log makes it
looks like it failed.
This commit refactors `services.grafana.provision.dashboards` towards
the RFC42 style. To preserve backwards compatibility, we have to jump
through a ton of hoops, introducing esoteric type signatures and bizarre
structs. The Grafana module definition should hopefully become a lot
cleaner after a release cycle or two once the old configuration style is
completely deprecated.
The polkit support in pcsclite is entirely optional but package enables
it unconditionally and this breaks connecting to the pcscd daemon on
systems without polkit.
The fix is making this configurable and automatically disabling
`polkitSupport` when the polkit service is disabled.
Currently, this is using a "URI prefix match", but per nginx docs,
```
[...] the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.
```
which means a config like this (from wordpress service) will override that
```
locations = {
"~ /\\." = {
priority = 800;
extraConfig = "deny all;";
};
};
```
😱
Luckily, from nginx docs:
```
If the longest matching prefix location has the “^~” modifier then regular expressions are not checked.
```
Whew!
Use hostPlatform if both the host and the containers nixpkgs supports
hostPlatform, otherwise fall back to localSystem. This preseves backwards
compatibility.
This will remove all state directories related to CUPS on startup, which
is particularly useful for guaranteeing that printer discovery works
more reliably on some networks, since CUPS will no longer be able to
store state that effects the next run of the service, such as old
printer names and mDNS information.
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
this makes it easier for one to manually administer freshrss.
for example, i can import OPML from the CLI like:
```
$ nix build .#freshrss
$ freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --file my-opml.opml
```
whereas previously i would have needed to include
`environment.systemPackages = [ php ];` in my system for that to work.
The current `ExecStart` will not allow for multiple sockets to properly
be passed to the program since the extra newline character is interpreted to
be part of the socket path.
Configures the `--cache-dir` parameter for the prune and check commands run after backing up. For `check`, also adds a `checkOpts` flag to enable using the cache, since that is disabled by default.
https://discourse.gnome.org/t/split-and-rename-of-chrome-gnome-shell/11075815ec9e1af...v42.0
- Renamed and split into a separate repo from the extensions.
- CMake build replaced with Meson (jq also not needed)
- requests Python module not needed since updates are now solely handled by GNOME Shell itself
Also
- Corrected license
- Cleaned up the module
- Replaced PYTHONPATH in a wrapper by Python environment
Changelog-Reviewed-By: Jan Tojnar <jtojnar@gmail.com>
The `boot.zfs.enabled` option is marked `readOnly`, so this is the only way to
successfully build a NixOS installer image for platforms that zfs does not build
for.
Co-authored-by: Alyssa Ross <hi@alyssa.is>
This option allows for the customization of the description of the
created gitolite user.
An example of this being useful is for the integration of gitolite with
cgit, which itself uses the gitolite user's description as the author of
the git repo displayed in its generated site.
Neovim does not load the user configuration when enabled through the
module, unlike when the package is added to the home or system packages
directly. I think this difference is worth mentioning in the module's
documentation, because it was confusing to some friends.
*Flags implies a list
slightly relevant:
> stdenv: start deprecating non-list configureFlags https://github.com/NixOS/nixpkgs/pull/173172
the makeInstalledTests function in `nixos/tests/installed-tests/default.nix` isn't available outside of nixpkgs so
it's not a breaking change
The original implementation had a few issues:
* The secret was briefly leaked since it is part of the cmdline for
`sed(1)` and on Linux `cmdline` is world-readable.
* If the secret would contain either a `,` or a `"` it would mess with
the `sed(1)` expression itself unless you apply messy escape hacks.
To circumvent all of that, I decided to use `replace-secret` which
allows you to replace a string inside a file (in this case
`#static-auth-secret#`) with the contents of a file, i.e.
`cfg.static-auth-secret-file` without any of these issues.
Systemd 250:
> DHCPv4 client support in systemd-networkd learnt a new Label= option
> for configuring the address label to apply to configure IPv4
> addresses.
> The [IPv6AcceptRA] section of .network files gained support for a new
> UseMTU= setting that may be used to control whether to apply the
> announced MTU settings to the local interface.
> The [DHCPv4] section in .network file gained a new Use6RD= boolean
> setting to control whether the DHCPv4 client request and process the
> DHCP 6RD option.
> The [DHCPv6] section in .network file gained a new setting
> UseDelegatedPrefix= to control whether the delegated prefixes will be
> propagated to the downstream interfaces.
> The [IPv6AcceptRA] section of .network files now understands two new
> settings UseGateway=/UseRoutePrefix= for explicitly configuring
> whether to use the relevant fields from the IPv6 Router Advertisement
> records.
> The [RoutingPolicyRule] section of .network file gained a new
> SuppressInterfaceGroup= setting.
> The IgnoreCarrierLoss= setting in the [Network] section of .network
> files now allows a duration to be specified, controlling how long to
> wait before reacting to carrier loss.
Systemd 246:
> systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
> which may be used to turn off use of the gateway information provided
> by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
> used to configure how to process leases that lack a lifetime option.
> The IPv6Token= section in the [Network] section is deprecated, and
>> the [IPv6AcceptRA] section gained the Token= setting for its
>> replacement. The [IPv6Prefix] section also gained the Token= setting.
>> The Token= setting gained 'eui64' mode to explicitly configure an
>> address with the EUI64 algorithm based on the interface MAC address.
>> The 'prefixstable' mode can now optionally take a secret key. The
>> Token= setting in the [DHCPPrefixDelegation] section now supports all
>> algorithms supported by the same settings in the other sections.
* Remove `ForceDHCPv6PDOtherInformation=`
* Add a missing `WithoutRA=` option
Systemd 250:
> The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
> has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
> settings in the [DHCPv6] section and the DHCPv6Client= setting in the
> [IPv6AcceptRA] section to control when the DHCPv6 client is started
> and how the delegated prefixes are handled by the DHCPv6 client.
Adapt to changes introduced in Systemd 250:
> The [DHCPv6PrefixDelegation] section in .network file is renamed to
> [DHCPPrefixDelegation], as now the prefix delegation is also
> supported with DHCPv4 protocol by enabling the Use6RD= setting.
Replaces the `dhcpV6PrefixDelegationConfig` with
`dhcpPrefixDelegationConfig` and throws an error if the old option is
used.
Also adapt the respective IPv6 prefix delegation test.
This commit fixes two bugs:
1) When starting a github-runner for the very first time, the
unconfigure script did not copy the `tokenFile` to the state
directory. This case just was not handled so far. As a result, the
runner could not configure. The unit did, however, fail even before
as the state token file is configured as inaccessible for the service
through `InaccessiblePaths=`. As the given path did not exist in the
described case, setting up the unit's namespacing failed.
2) Similarly, the `tokenFile` is also marked as not accessible to the
service user. There are, however, cases where other namespacing
options make the files inaccessible even before `InaccessiblePaths=`
kicks in; thus, they appear as non existing and cause the namespacing
to fail yet again. Prefixing the entry with a `-` causes Systemd to
ignore the entry if it cannot find it. This is the behavior we want.
I also took fixing those bugs as a chance to refactor the unconfigure
script to make it easier to follow.
Before this patch, the entry match condition always fails, causing all
entries being removed. The error is not noticed because later they are
re-generated.
Before this patch, the gen_number found by regex contains
"-specialisation-foo" if specialisation is used. As a result, applying
int() to gen_number raises ValueError, causing entries containing
a specialisation part not being removed.
Lego has a built-in mechanism for sleeping for a random amount
of time before renewing a certificate. In our environment this
is not only unnecessary (as our systemd timer takes care of it)
but also unwanted since it slows down the execution of the
systemd service encompassing it, thus also slowing down the
start up of any services its depending on.
Also added FixedRandomDelay to the timer for more predictability.
Fixes#190493
Check if an actual key file exists. This does not
completely cover the work accountHash does to ensure
that a new account is registered when account
related options are changed.
Fixes#191794
Lego threw a permission denied error binding to port 80.
AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
Also added a test for this.
