The idea behind that is to enable users and developers of
downstream tools such as home-manager to test Nix master for several
reasons:
* Nix is currently trying to have a `master` branch that's always
releasable[1]. We're still on Nix 2.18 in nixpkgs due to too many
notable regressions. Enabling people to test latest master may help on
that end.
* This uses the most bleeding-edge Nix, but our packaging, so we can
identify issues with our packaging early.
* From what I've seen, most people are using the packages from nixpkgs
anyways instead of the upstream flake, this is far more convenient
anyways.
My plan is to update this once a week. Right now we rely on the
`installCheckPhase` here, but as soon as we have proper regression
testing[2], we may want to add `nixUnstable` there as well (however with
failures being allowed probably).
[1] https://discourse.nixos.org/t/nix-release-schedule-and-roadmap/14204
[2] https://github.com/NixOS/nixpkgs/pull/304332
Since https://github.com/redis/redis/pull/4001 was included in 6.2.0,
transparent hugepages work when set to madvise, which is the NixOS
and upstream recommended default.
> WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition.
> Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328.
> To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
This avoids having to use workarounds like the following to retain the
default settings which podman requires to run.
```nix
virtualisation.containers.storage.settings = lib.recursiveUpdate options.virtualisation.containers.storage.settings.default {
  storage.options.mount_program = lib.getExe pkgs.fuse-overlayfs;
};
```
Currently there is an issue with $PATH & parallel causing build errors.
It’s probably best to just remove the dependency where bash forking is
good enough here.
I found this while perusing the manual thinking about whether or not to install NixOS on my new laptop. It threw me for a loop for a second, but as best I can tell this is meant to be ".org" like the rest of the example, and not ".com".
I am deeply saddened at the fact that I need to do this. I have no
interest in re-litigating everything that has happened over the past
weeks and months, but I want to make my position(s) extremely clear:
The thought of any of my work contributing to someone's death by drone
makes me feel physically ill.
Recent communications from senior members of the NixOS community have
made it clear that leadership is unaware or uninterested in the basics
of how to run and moderate a community in a way that is resilient to bad
actors. The recent post by @edolstra is tone-deaf and gives me no
confidence that the Nix/NixOS community is a place that I want to remain
involved in going forward. I am thus choosing to remove myself from such
a community.
I also hereby resign from the ACME team.
See also: #307033
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Before the startup, the matrix-appservice-irc service sets up the
registration file such that it can be used by matrix-synapse. Part of
that setup requires us to change the group of said file so that the home
server can read it. Consequently, we need CAP_CHOWN and require that the
@chown system calls are allowed.
While we supposedly set up both of these, the setup of system calls is
broken as we have both an allow and a deny list of syscalls. But while
the allow list contains "@chown", the deny list contains "@privileged"
which contains "@chown" itself. So ultimately, we end up denying
"@chown".
Fix this issue by specifying "@chown" after the deny list.
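As an added illustration that is not part of the commit above: the ordering problem it describes, written as a NixOS `serviceConfig` fragment. The service names and the `@system-service` base filter are assumptions for the example, not the actual contents of the matrix-appservice-irc module.

```nix
{
  # Broken form: "@chown" is allowed, but the later deny entry
  # "~@privileged" removes it again, because @privileged contains
  # @chown. The service keeps CAP_CHOWN yet every chown() is rejected.
  systemd.services.example-broken.serviceConfig = {
    CapabilityBoundingSet = [ "CAP_CHOWN" ];
    SystemCallFilter = [
      "@system-service"
      "@chown"        # allowed here ...
      "~@privileged"  # ... and taken away again here
    ];
  };

  # Fixed form: listing "@chown" after the deny entry re-adds it, so the
  # service is left with exactly the chown syscalls it needs and nothing
  # else from the @privileged group.
  systemd.services.example-fixed.serviceConfig = {
    CapabilityBoundingSet = [ "CAP_CHOWN" ];
    SystemCallFilter = [
      "@system-service"
      "~@privileged"
      "@chown"
    ];
  };
}
```

Each list entry becomes its own `SystemCallFilter=` line in the generated unit, so systemd applies them in the order written; a later plain entry adds to the allow list and a later `~` entry removes from it.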
I manually audited all `RunCommand` and `exec.LookPath` calls in the incus repo, combined with the following information
/run/wrappers/bin
lxc usable-cub 20240427123718.368 WARN idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:165 - newuidmap binary is missing
iw
lxc 20240427123830.358 ERROR network - ../src/lxc/network.c:lxc_netdev_move_wlan:1679 - Couldn't find the application iw in PATH
minio-client
https://github.com/lxc/incus/pull/777
ceph-client
Added, but could be missing bits to actually work
May need full ceph package for `radosgw-admin` for object storage?
Currently the installWrapper warning is issued if sudo (and sudo-rs)
aren't installed. This is fine, except we get the warning even if we
explicitly turn off installWrapper -- say, for this very reason!
Rather than warning on every build until either sudo is installed or
Akkoma is uninstalled, only warn if cfg.installWrapper is true.
Y'all won't miss me. The packages I leave orphaned are trivially updated as dependents need the new versions.
But passively endorsing the direction this organization and its leadership is something I can't do.
To those who still have faith in turning this around, you da real MVP 🖖
* Minor tweaks to note text
* Elide "The" before attribute names at start of notes
* Turn version numbers into code blocks
* Turn branding into attribute names
* Add TODOs
* Turn code-block version numbers into plain text
... following discussion on Matrix.
---------
Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
Previously evaluation would fail if `smtp.to` was not set, since the
default case was not handled.
With the current versions of the python elasticsearch libraries, any
configuration containing the module's default would fail since it's not a
valid URL.
The issue addressed in #279068 is also addressed, thus closes #279068.
This was achieved using the following command:
```shell
sd 'wrapGAppsHook\b' wrapGAppsHook3 (rg -l 'wrapGAppsHook\b')
```
And then manually reverted the following changes:
- alias in top-level.nix
- function name in wrap-gapps-hook.sh
- comment in postFixup of at-spi2-core
- comment in gtk4
- comment in preFixup of 1password-gui/linux.nix
- comment in postFixup of qgis/unwrapped-ltr.nix and qgis/unwrapped.nix
- comment in postFixup of telegram-desktop
- comment in postFixup of fwupd
- buildCommand of mongodb-compass
- postFixup of xflux-gui
- comment in a patch in kdePackages.kde-gtk-config and plasma5Packages.kde-gtk-config
- description of programs.sway.wrapperFeatures.gtk NixOS option (manual rebuild)
* PHP 8.3 seems supported, so let's go for it!
* The conditions for which Nextcloud will be the default were bogus: for
<24.11 I'd suggest to go for nextcloud29 already. The people on
unstable relying on the condition were on nextcloud28 so the upgrade
will work fine.
Also, it's unstable, so such upgrades are to be expected IMHO.
* Update the release notes to reflect that the new default is Nextcloud
29 and warn that only one major upgrade at a time can be done.
This fixes an issue with the test where olcDbDirectory must be a
subdirectory of /var/lib/openldap, but is not configured as such, so the
test fails.
All other tests pass properly.
Fixes issues described in #208242 for this part of the nixpkgs tree.
There are no behavioral changes in this, it only adjusts the code so
that it is easier to understand.
Also updates my information and contact info.
I no longer use The Hedgehog as my github username or online presence
username, so this fixes that. It also matches my github username, so it
should be easier for others to mention me if needed.
Since, with the completion of the docbook migration, it seems unclear
what relevance editing xml in general and docbook in particular with
Emacs still has to NixOS at all, and people interested in the topic
will presumably look to other resources elsewhere (e.g. to the nXML
mode's actual documentation).
This test renames server_allowedusers to server-allowed-users.
As a side-effect, since IPs are allocated to machines in alphabetical order,
the IP assigned to server-lazy-socket changed, so the corresponding test had
its IP updated.
- `mount-nvidia-binaries`: this option allows users to avoid mounting
nvidia binaries on the container.
- `mount-nvidia-docker-1-directories`: this option allows users to
avoid mounting `/usr/local/nvidia/lib{,64}` on containers.
Add the NixOS option `hardware.nvidia-container-toolkit-cdi-generator.enable`.
This enables the ability to expose GPUs in containers for container
runtimes that support the Container Device Interface (CDI).
Remove `cdi.static` and `cdi.dynamic.nvidia.enable` attributes.
Was previously broken due to a missing runtime dependency.
> Error: Failed to start device "vtpm": Failed to validate environment: Required tool 'swtpm' is missing
Add package to environment.systemPackages, services.dbus.packages, create gnome-remote-desktop user and group (fixes for GNOME 46)
This adds the `g-r-d` package to environment.systemPackages (allowing the usage of the `grdctl` command along with enabling `g-r-d`'s polkit rule), makes its dbus-related files recognizable to dbus, and creates the `gnome-remote-desktop` user and group necessary for systemd's running of the `gnome-remote-desktop-daemon` with the `--system` subcommand and enabling Remote Login.
https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/compare/45.1...46.0
```
In file included from ../src/grd-settings.c:28:
/nix/store/xxx-freerdp-3.4.0/lib/pkgconfig/../../include/freerdp3/freerdp/freerdp.h:25:10:
fatal error: winpr/stream.h: No such file or directory
   25 | #include <winpr/stream.h>
      |          ^~~~~~~~~~~~~~~~
compilation terminated.
```
Ugh. So stuff I am aware of here:
- In freerdp3.pc, winpr3 is in Requires.private.
- In https://github.com/FreeRDP/FreeRDP/blob/3.4.0/include/freerdp/freerdp.h#L25 <winpr/stream.h>
is included.
- In GNOME/gnome-remote-desktop@d29909a
<freerdp/freerdp.h> is included in src/grd-settings.c.
- We patched pkg-config in NixOS to not include Requires.private in --cflags according to
mate-desktop/atril issue 351.
- According to https://gitlab.gnome.org/GNOME/gjs/-/issues/571, Requires.private is probably correct
if no data types are exposed in public API.
So to fix this somewhere, if src/grd-settings.c has direct usage of winpr, we can PR to g-r-d declaring
the dep. If freerdp/freerdp.h exposes winpr data types we PR to freerdp and move winpr to Requires.
Probably someone can help me do the check, I am committing this simply to unbreak the build for now.
Changelog-Reviewed-By: Maxine Aubrey <max@ine.dev>
In the initial configuration the enablePHP config option is present. In the following abstracted example the commonConfig doesn't include it anymore.
Previous PRs #88505 and #284906 added the enablePHP config option to the commonConfig. @aanderse commented in https://github.com/NixOS/nixpkgs/pull/88505#issuecomment-632575200 that the usage of enablePHP shouldn't be encouraged; `services.phpfpm` should be preferred whenever possible. So we remove the enablePHP config from these examples.
Without the change the eval fails as:
```
$ nix build --no-link -f. redlib.tests
error: attribute 'redlib' missing
       at pkgs/by-name/re/redlib/package.nix:50:26:
           49|   passthru.tests = {
           50|     inherit (nixosTests) redlib;
             |                          ^
           51|   };
       Did you mean redis?
```
- xz compression added for module files
- no support for kernel 6.8 or newer
- sri format used for hash
- release notes for 24.05 updated
Signed-off-by: birkb <birk@batchworks.de>
Follow-up to #282377. #282377 broke `environment.etc."wireplumber<...>"`,
however WirePlumber did not yet have `extraConfig` style options for
configuring it ergonomically outside of `environment.etc`. This has
caused issues for people who had custom config files for WirePlumber, as
having to create a config package just to edit some settings is not as
ergonomic or discoverable as with a proper `extraConfig` style option.
This commit fixes this issue by adding the `extraConfig` option for
additional config file and the `extraScripts` option for additional
scripts to be used by config files.
With WirePlumber 0.5 it is possible to supply config files and scripts
via the `XDG_DATA_DIRS` variable to the WirePlumber daemon. This is how
the new options and with this change also the `configPackages` option
expose their files to the daemon. This way
`environment.etc."wireplumber"` works again for user configuration and
breakage of old configs from 23.11 to 24.05 should be limited to those
caused by the change in the config format from WirePlumber 0.4 to 0.5.
This change makes `baseOptionsJSON` (`lazy-option.json`) take
our existing `documentation.nixos.options.warningsAreErrors` option into
account to then set the `NIX_ABORT_ON_WARN` environment variable within
its build sandbox accordingly.
Given `documentation.nixos.options.warningsAreErrors` defaults to true,
our nixpkgs CI check that builds the NixOS manual for each PR will now
fail when something raises a warning, e.g. as part of the `lib.mdDoc`
deprecation.
This should prevent new PRs with lib.mdDoc from getting merged.
Previously, the manual would build successfully, even if an eval warning
was raised.
This reverts parts of commit d87c4e1a72 from @Mic92
After switching from nixos-23.11 to nixos-unstable, I got the following error:
```
$ nixos-rebuild switch --flake nixos/#digitalocean
...
error:
Failed assertions:
- You must set the option ‘boot.loader.grub.devices’ or 'boot.loader.grub.mirroredBoots' to make the system bootable.
```
In my nixos config I don't set boot.loader.grub.devices or boot.loader.grub.mirroredBoots explicitly.
It seems like the values are not really defaulted via mkDefault? I am still relatively new to Nix, not sure how to fix this properly, so I am proposing to revert this change.
In the replacement arg of gsub() the & symbol is a special character
that needs to be escaped. To avoid this, and further issues due to the
variable name possibly being interpreted as a regex, we do a normal
substring replacement.
This fixes issue #279803.
When passing a path to restartTriggers or reloadTriggers, X-Restart/Reload-Triggers
will get populated by the absolute path of the file on the machine where the
config is evaluated. This patch corrects this behavior.
If allowAuxiliaryImperativeNetworks is enabled, the wpa_supplicant
daemon fails to start if /etc/wpa_supplicant.conf does not
exist. As this can be created using wpa_cli (or similar) later, it
shouldn't matter, so let's create an empty one.
This fixes issues #157537, #299466.
It should be curl -L (follow redirects), not curl -l (FTP directory
listing option). I know because it's my mistake.
Fixes: d4b989cafc ("nixos/deconz: delay signalling service readiness until it's actually up")
postgresql14Packages.promscale_extension breaks with:
```
Error:
  0: `pgx-0.6.1` shouldn't be used with `cargo-pgx-0.7.4`,
     please use `pgx = "~0.7.4"` in your `Cargo.toml`.
```
However, pinning cargo-pgx to 0_6_1 via the following
```nix
buildPgxExtension.override { cargo-pgx = cargo-pgx_0_6_1; }
```
does not work either, because the build then fails with:
```
thread 'main' panicked at /build/promscale_extension-0.8.0-vendor.tar.gz/proc-macro2/src/fallback.rs:756:9:
"__mbstate_t_union_(unnamed_at_/nix/store/ij144ma6vs8acil8r9hgr8xkb1dp9azg-glibc-2_39-5-dev/include/bits/types/__mbstate_t_h_16_3)" is not a valid Ident
```
This seems to be related to [1], which indicates that this is a
problem with newer LLVM / clang toolchains.
At the same time the upstream package is deprecated / archived since
the 2nd of April 2024 [2]. Additionally this package is unfree and
thus very unlikely to be forked. Since we can't expect this to be
fixed, the only sensible thing to do is to remove the package.
[1]: https://github.com/rust-lang/rust-bindgen/issues/2312
[2]: https://github.com/timescale/promscale/issues/1836
Closes #267442
```
$ nix path-info -Sh /nix/store/qj1dm7wfw5m3mxf1gn3fdm0az9y1h5ny-linux-firmware-20240312-xz
/nix/store/qj1dm7wfw5m3mxf1gn3fdm0az9y1h5ny-linux-firmware-20240312-xz 440.3M
$ nix path-info -Sh /nix/store/c3szcjxb3g990dbiz7llwmkaf0bi98j2-linux-firmware-20240312-zstd
/nix/store/c3szcjxb3g990dbiz7llwmkaf0bi98j2-linux-firmware-20240312-zstd 460.6M
```
This is an increase of 4.4%, but OTOH zstd has a significantly higher
decompression speed[1].
[1] https://gregoryszorc.com/blog/2017/03/07/better-compression-with-zstandard/
That NixOS manual section talks a lot about Nixpkgs package
configuration, which really should not be there but rather in the
Nixpkgs manual itself. But this is a rabbit hole for another time.
Co-authored-by: Dominic Mills <dominic.millz27@gmail.com>
With the changes introduced in #303388 tesseract would only be compiled
with the languages defined in `PAPERLESS_OCR_LANGUAGE`. However, English
is always required, making tesseract fail to build when only non-English
languages are defined in tesseract:
```
eng.traineddata must be present in tessdata for Tesseract to work
```
- Fixed the `systemPackages` definition: it contained just the package
name without preceding `pkgs`
- Removed `lib.mdDoc` usage in accordance with #303841
Bash was considered a runtime dependency as the two files `install-sh`
and `mkinstalldirs` were included in the library output. These files have a shebang
for `#!/bin/sh` which is replaced by nix to point to bash in the fixup phase.
This additional module allows the tailscale auth proxy to be configured
independently of nginx. The tailscale auth proxy works with both caddy
and traefik. All prior nginx/tailscale-auth options are retained as
aliases.
Prior to this patch, FreshRSS fails to load with an initial
`authType = "none"` setting, instead providing an error:
"Error during context user init!"
To fix this, this patch changes the freshrss-config service to
set up the initial `defaultUser` when `authType = "none"`
is configured.
This allows us to set things like dependencies in a way that we can
catch typos at eval time.
So instead of
```nix
systemd.services.foo.wants = [ "bar.service" ];
```
we can write
```nix
systemd.services.foo.wants = [ config.systemd.services.bar.name ];
```
which will throw an error if no such service has been defined.
Not all cases can be done like this (eg template services), but in a lot
of cases this will allow us to avoid typos.
There is a matching option on the unit option
(`systemd.units."foo.service".name`) as well.
The Xfce desktop manager only has background image support when
`xfdesktop` is used. Otherwise, we want the possibility to specify a
custom background via the `~/.background-image` file.
These changes were generated with nixq 0.0.2, by running
```shell
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
```
Two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
This option resolves #301746 by allowing the admin to bypass the
creation of the paperless directories by systemd-tmpfiles.
This is necessary when, for example, those directories lie inside an NFS
mount that the root user does not have rw access to.
Fixes #301746
This replaces the paperless-copy-password service with the use of
systemd's LoadCredential mechanism.
It is not a breaking change since it is gated behind `cfg.passwordFile`.
%u modifier can be used to get the username in systemd config
$USER var expansion does not work without manually importing $USER
Should fix opening links in home manager/user profile programs
A userspace tool for setting and getting AMD CPU power
and performance parameters.
The module adds `ryzen_monitor_ng` to `environment.systemPackages` and
enables the `ryzen-smu` module, as `ryzen_monitor_ng` requires the
`ryzen_smu` kernel module to function.
Provide a module for installing ryzen_smu, a Linux kernel driver
that exposes access to the SMU (System Management Unit) for
certain AMD Ryzen Processors.
Installs monitor_cpu, a userspace tool for viewing info.
Using fork of original to match ryzen_monitor_ng, a more advanced
userspace tool for accessing the SMU via this kernel module,
planned for a later commit.
Instead of only testing the runner registration, which doesn't tell us
all that much, we now test a (very simple) but actual workflow directly
on a runner on the host (type `:host`).
For this to work, we cache the official `actions/checkout` action from
GitHub as FOD and essentially mirror one version of it to Forgejo as
part of the test.
Since Forgejo does not yet provide an API endpoint for the workflow status
(whether a workflow is running, failed or successful), we have to resort
to parsing html for now.
It has some rather over the top poll logic, but I feel like it will work
for quite some time without issues going unnoticed or whatever (TM).
This is essentially a response to a bug I found in
`services.gitea-actions-runner`, because we had no way to test that
module besides the runner registration (which, again, doesn't really
tell us all that much).
This fixes an issue where running the official `actions/checkout` action
from GitHub on a runner with label `:host` would fail with incredibly
unhelpful error messages.
Turns out, this is due to `$HOME` not being set.
We inherited almost all of this test from `nixos/tests/gitea` when we
decided to split.
This change saves some resources (just 2 instead of 3 VMs) and is (IMHO)
easier to follow and improve upon.
Closes #285688
This is misleading because `initialScript` will only be executed at the
*very first* run of postgresql. I.e. when deploying synapse to a server
with an existing postgresql, this won't work.
We don't have a good way of automatically provisioning databases
_declaratively_, so for now just explain what needs to be done here and
leave it to the user how to include this into their deployment.