By setting User= to the actual Exim user, systemd will ensure that the
credentials directory will have the correct ownership, allowing users to
utilize LoadCredential=. Exim still gets started as root (and drops
privileges) to preserve the previous behavior.
- Adds an update script to fetch the compatible web vault version
- Removes `vaultwarden-vault` from top-level to prevent independent
updates through e.g. r-ryantm. Instead the vault is now accessible
at `vaultwarden.webvault`.
- The name webvault was chosen because it is the title of the project's
README and it makes it clearer that this is the web UI.
`xdg-desktop-portal-kde` expects PipeWire to be running, so we enable it by
default, but we don't replace PulseAudio. The user may disable it against our
default, if desired.
In some recent version evcc started requiring `getent` in the PATH, or
else it would fail to start.
It also now requires an sqlite database, which it tries to create a
directory for at `$HOME/.evcc`, so we now need to provide a
StateDirectory.
Some implementation notes:
* cups-pdf, and cups-pdf-to-pdf,
support multiple instances with differing configurations.
This can be accomplished by creating multiple configuration
files with names `cups-pdf-{instance-name}.conf`.
The NixOS module supports this feature by providing
the option `instances` which is an attrset
mapping instance names to instance configurations.
To simplify module usage,
an instance `pdf` is created by default.
* To use a cups-pdf instance, one also needs
a cups queue that connects to the backend.
The module does this automatically by default,
using the `hardware.printers.ensurePrinters`.
It uses one of the ppd files which is
included in the cups-pdf package.
If this isn't desired (e.g. because printer queues
should be created by hand, or configured differently),
the `installPrinter` option can be turned off
(for each instance separately).
* In our configuration, cups calls external programs
using the `cups` account and the `lp` group.
cups-pdf refuses to operate without root privileges,
likely because it needs to change the
ownership of its output pdf files so that
(only) the print job's owner can access them.
The module installs a suid root wrapper for the backend
program that can only be called by the `lp` group.
The cups-pdf package is replaced by a wrapper
package which calls the suid root wrapper.
So cups can call its backend programs as usual.
Setting up the DeviceAllow list with explicitly configured devices was a
nice idea, but sometimes a configured device (`/dev/nvme0n1`, an NVMe
namespace) has a parent device (`/dev/nvme0`) that smartctl needs to
access to query metrics.
Falling back to the block and character definitions is probably a valid
fallback.
Its scripts disagree a bit with our flexible
logging approach and our default logging config.
Might want to revisit this at some point.
The `mkdir` failures in the log are harmless.
Adds a new option for backup jobs `inhibitsSleep` which prevents
the system from going to sleep while a backup is in progress.
Uses `systemd-inhibit`, which holds a "lock" that prevents the
system from sleeping while the process it invokes is running.
This did require wrapping the existing backup script using
`writeShellScript` so that it could be run by `systemd-inhibit`.
Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`:
- Append instead of prepend to allow for overriding in service config
- As we already add a wrapper to add `aesm` to `LD_LIBRARY_PATH` it is
not necessary to also set in `LD_LIBRARY_PATH` of the systemd service.
Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
The tests would fail after migrating to `buildNpmPackage`, likely
because we are now using nodejs 18.
> audit: type=1326 audit(1670092271.655:102): auid=4294967295 uid=317 gid=317 ses=4294967295 subj=kernel pid=995 comm="node" exe="/nix/store/dj805sw07vvpbxx39c8g67x8qddg0ikw-nodejs-18.12.1/bin/node" sig=31 arch=c000003e syscall=330 compat=0 ip=0x7ff8b655f37b code=0x8000000
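Decoding the seccomp audit record quoted above shows which syscall the filter rejected. This is an added example, not part of the commit; the syscall and architecture tables are a hand-typed subset, and the second sample line is constructed.

```python
import re

AUDIT_SECCOMP = "1326"   # audit record type emitted when seccomp acts on a syscall
SIGSYS = 31              # signal delivered to the offending thread or process
AUDIT_ARCH = {0xC000003E: "x86_64", 0xC00000B7: "aarch64", 0x40000003: "i386"}
# Hand-typed subset of the x86_64 syscall table (assumption: enough for this record).
X86_64_SYSCALLS = {329: "pkey_mprotect", 330: "pkey_alloc", 331: "pkey_free"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_fields(line):
    """Split an audit record into key/value pairs, unquoting quoted values."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def explain_seccomp_denial(line):
    """Return a summary of a seccomp record, or None for any other record type."""
    f = parse_audit_fields(line)
    if f.get("type") != AUDIT_SECCOMP:
        return None
    arch = AUDIT_ARCH.get(int(f["arch"], 16), "unknown")
    nr = int(f["syscall"])
    name = X86_64_SYSCALLS.get(nr) if arch == "x86_64" else None
    return {
        "exe": f["exe"],
        "comm": f["comm"],
        "uid": int(f["uid"]),
        "arch": arch,
        "syscall_nr": nr,
        "syscall": name or f"unknown({nr})",
        "killed_by_sigsys": int(f["sig"]) == SIGSYS,
    }

# The record from the commit message above.
PAGE_LINE = ('audit: type=1326 audit(1670092271.655:102): auid=4294967295 uid=317 '
             'gid=317 ses=4294967295 subj=kernel pid=995 comm="node" '
             'exe="/nix/store/dj805sw07vvpbxx39c8g67x8qddg0ikw-nodejs-18.12.1/bin/node" '
             'sig=31 arch=c000003e syscall=330 compat=0 ip=0x7ff8b655f37b code=0x8000000')
# Constructed non-seccomp record, to show that other types are ignored.
OTHER_LINE = 'audit: type=1400 audit(1670092271.700:103): apparmor="DENIED" pid=1'

if __name__ == "__main__":
    print(explain_seccomp_denial(PAGE_LINE))
    print(explain_seccomp_denial(OTHER_LINE))
```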
When using the declarative shared folder configuration for resilio sync
it is now possible to pass a path from which the secret should
be read at runtime. The path will not be added to the nix store.
The 'secret' parameter to specify the secret directly is still
supported. This option will still store the secret in the nix store.
This commit follows the pattern described in this issue, for upstream
programs that do not provide support for setting a password using a
file: https://github.com/NixOS/nixpkgs/issues/24288
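The runtime-secret pattern this commit message describes, as an added example that is not the module's own code: the stored template carries only a path, and the secret is merged into a 0600 config file at service start. The key names (`shared_folders`, `dir`, `secret`, `secret_file`), the paths and the secret value are assumptions made for illustration.

```python
import json
import os
import tempfile

SECRET = "CONSTRUCTED-EXAMPLE-SECRET"  # constructed value, not a real key

def render_config(template, out_path):
    """Replace each `secret_file` path with the secret it holds; write 0600."""
    cfg = json.loads(json.dumps(template))  # deep copy, template stays secret-free
    for folder in cfg.get("shared_folders", []):
        path = folder.pop("secret_file", None)
        if path is not None:
            with open(path, encoding="utf-8") as fh:
                folder["secret"] = fh.read().strip()
        if not folder.get("secret"):
            raise ValueError(f"no secret for folder {folder.get('dir')!r}")
    # mkstemp creates the file with mode 0600; the rename makes the swap atomic.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(out_path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        json.dump(cfg, out)
    os.replace(tmp, out_path)
    return cfg

def demo():
    """Render a constructed template; return (template text, config, file mode)."""
    with tempfile.TemporaryDirectory() as d:
        secret_path = os.path.join(d, "folder.secret")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write(SECRET + "\n")
        os.chmod(secret_path, 0o600)
        # What a world-readable store would hold: a path, never the secret.
        template = {"shared_folders": [{"dir": "/srv/sync",
                                        "secret_file": secret_path}]}
        out_path = os.path.join(d, "config.json")
        rendered = render_config(template, out_path)
        mode = os.stat(out_path).st_mode & 0o777
        return json.dumps(template), rendered, mode

if __name__ == "__main__":
    template_text, _, mode = demo()
    print(template_text, oct(mode))
```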
Set environment variable ROON_ID_DIR to the same value as ROON_DATA_DIR
so that it knows it's the same installation after a restart.
Otherwise, each time the server process restarts, the user will need
to log in, and configure any server-local audio devices, again.
This environment variable was found in Roon's "easy installer" script:
https://help.roonlabs.com/portal/en/kb/articles/linux-install#The_Easy_Installer_Recommended
The placement of this option under `nix` was misleading, as it is not
configuration of the Nix daemon, but rather configuration of the NixOS
boot process and how it mounts the Nix store. As such, make it an option
of `boot` to clarify what it actually affects, and imply that it will
only take effect on a reboot.
Since it no longer has the context of nix, adjust the name to include
it.
Currently paths are handled by `types.package`, whose semantics are a
bit of a mess. In particular, it converts path values to derivations
using `toDerivation`, which will lead to problems when flake `outPath`s
become paths in https://github.com/NixOS/nix/pull/6530.
This change makes the "incompatible changes" section in the above PR
obsolete: `nix.registry.nixpkgs.flake = nixpkgs;` works as expected (the
flake is copied to the store).
Hid home/trash/network desktop icons by default.
Also changed their default logo settings (cs_info and menu), so what we
should modify to cinnamon-symbolic is now linuxmint-logo-ring-symbolic.
We are lucky, linuxmint-logo-ring-symbolic only appears in a few other
places and none of them are useful, menu@cinnamon.org/settings-override.json
simply won't work because cinnamon-common doesn't know that file.
Also set default cursor theme, this package now directly provides those
cursor themes. And, we now default to the Mint-Y-Aqua theme.
remove trailing whitespace
switch docs to markdown
use mdDoc
remove trailing whitespace
get rid of double space
add tests and update options to use submodule
remove whitespace
remove whitespace
use mdDoc
remove whitespace
make default a no-op
make ALTER ROLE a single sql statement
document null case