This allows for easier interop with Moonraker, as well as giving an
ability to store klipper configuration files in /var/lib/klipper, thus not
littering /etc with all the backups SAVE_CONFIG does.
- Added `configFile` as an alternative way to specify configuration
- Added `isMutableConfig` and `mutableConfigPath`
Co-authored-by: @lovesegfault <bernardo@meurer.org>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Bernardo Meurer <bernardo@meurer.org>
`unpaper` requires syscall 238 (`set_mempolicy`).
Add this by un-blocking the systemd syscall filter set `@resources`
which is safe in the context of paperless.
This attribute set isn't passed through the NixOS config resolution
mechanism, which means that we can't use lib.mkDefault here.
Instead, just put it before any user overrides so that if the user
specifies this environment variable it'll just override it anyway.
`paperless-ngx.pythonPath` was incomplete due to the missing paperless-ngx
source, so it had to be amended in the service.
Instead of amending it, define it entirely in the service.
This allows an override of `paperless-ngx.propagatedBuildInputs` to be reflected
in the service's PYTHONPATH.
Handing CAP_NET_BIND_SERVICE to the `paperless-web.service` only makes
sense when it actually wants to bind to a port < 1024. Don't hand it out
if that is not the case.
Finding out how to connect paperless to a PostgreSQL database via unix
sockets and peer authentication took me a few minutes, so leaving a hint
in the extraConfig example seems like a good idea to me.
Also remove unnecessary use of literalExpression for attribute set, it
is only required for complex values like functions or values that depend
on other values or packages.
After uploading a document through the webinterface I started seeing
it killed through the SYSBUS signal. Inspecting the call trace led me to
liblapack's memory allocator, that uses the mbind syscall on Linux.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
this mostly means marking options that use markdown already
appropriately and making a few adjustments so they still render
correctly. notable for nftables we have to transform the md links
because the manpage would not render them correctly otherwise.
When `nix.registry.<name>.flake` option is used, additional attributes of the flake were not written to the flake registry file because of a missing parenthesis.
using regular strings works well for docbook because docbook is not as
whitespace-sensitive as markdown. markdown would render all of these as
code blocks when given the chance.
a lot of markdown syntax has already snuck into option docs, many of it
predating the intent to migrate to markdown. we don't convert all of it
here, just that which is accompanied by docbook tags as well. the rest
can be converted by simply adding the mdDoc marker.
this renders the same in the manpage and a little more clearly in the
html manual. in the manpage there continues to be no distinction from
regular text, the html manual gets code-type markup (which was probably
the intention for most of these uses anyway).
Currently, it is not possible to supply sensitive credentials like
`ldap_default_authtok` without writing them to the nix store. This
This commit introduces a new option `environmentFile` where those
credentials can be supplied via environment substitution.
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.
no change to the manpage, changes to the HTML manual are whitespace only.
make (almost) all links appear on only a single line, with no
unnecessary whitespace, using double quotes for attributes. this lets us
automatically convert them to markdown easily.
the few remaining links are extremely long link in a gnome module, we'll
come back to those at a later date.
markdown can't represent the difference without another extension and
both the html manual and the manpage render them the same, so keeping the
distinction is not very useful on its own. with the distinction removed
we can automatically convert many options that use <code> tags to markdown.
the manpage remains unchanged, html manual does not render
differently (but class names on code tags do change from "code" to "literal").
our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.
only whitespace changes to generated documents, except for two
strongswan options gaining paragraph two breaks they arguably should've
had anyway.
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute who's value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
Prior to this change, the configuration value for
`services.gitlab.registry.issuer` was only referenced by the
docker-registry configuration and in the `gitlab-registry-cert` service
while the gitlab config used the hard-coded value "gitlab-issuer".
Seems silly to install this for use with the local server, but to not
configure it to use the local server. Otherwise, out of the box we
just get an error about no server being configured.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.geoipupdate.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash the license key path before using it as a placeholder in the
config file to minimize the risk of conflicting file paths being
replaced instead.
Previously, all configuration and state data was accessible to all
users on the system running jellyfin. This included user passwords in
the Jellyfin database, as well as credentials for LDAP if configured.
The exact set of accessible data depends on system configuration.
Thanks to Sofie Finnes Øvrelid for reporting this issue.
Fixes: CVE-2022-32198
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.
Some options in config.yaml need values to be strings, which currently
can be used with environmentFile but not loadCredential. But it's
possible to use loadCredential for those options, e.g. we can
substitute their values in ExecStart, but not in ExecStartPre due to
[1].
[1]: https://github.com/systemd/systemd/issues/19604
The Ruby gem `minimagick` is used to export Gant diagrams as PNG.
However, minimagick can't find a font and Redmine throws an error. The
setting `minimagick_font_path` allows configuring a path to a font file
in the Redmine configuration. Thus, add the option
`services.redmine.components.minimagick_font_path` allowing to do that.
Also, add an assertion to check if
`services.redmine.components.minimagick_font_path` is set when
imagemagick is enabled.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
For completeness, configure the setting `imagemagick_convert_command` in
the Redmine configuration file.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Ghostscript is needed to export Gant diagrams as PDF. Thus, add the
option `services.redmine.components.ghostscript` allowing to enable or
disable the component. The component is disabled by default. Enabling
the option will add Ghostscript to the Redmine environment and configure
the setting `gs_command` in the Redmine configuration file.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Currently, optional components and integrations of Redmine are enforced
to install in NixOS. Thus, add the following options allowing the users
to enable or disable the components. They are disabled by default.
Enabling these options will add their package to the Redmine environment
and will configure their specific setting in the Redmine configuration
file.
* services.redmine.components.subversion
* services.redmine.components.mercurial
* services.redmine.components.git
* services.redmine.components.cvs
* services.redmine.components.breezy
* services.redmine.components.imagemagick
Signed-off-by: Felix Singer <felixsinger@posteo.net>
darcs support was dropped with Redmine 4.0.0. Thus, drop the darcs
integration.
For more information, see https://www.redmine.org/issues/26391.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
`ConditionPathExists` belongs in the [Unit] section, not [Service].
The unit now properly checks if the cert file already
exists before activating so certs will not be overwritten anymore.
This allows django-q to set the number of workers according to the CPU
core count and to show memory stats via `manage.py qmonitor`.
This also fixes a non-critical psutil error in paperless-ng-server.
Service:
- Fix misleading comment:
We could in fact implement password copying as a preStart script by
amending BindReadOnlyPaths, but adding an extra service is simpler.
Test:
- Add more detailed subtest names
- Simplify date check
There are many different versions of the `cudatoolkit` and related
cuda packages, and it can be tricky to ensure they remain compatible.
- `cudaPackages` is now a package set with `cudatoolkit`, `cudnn`, `cutensor`, `nccl`, as well as `cudatoolkit` split into smaller packages ("redist");
- expressions should now use `cudaPackages` as parameter instead of the individual cuda packages;
- `makeScope` is now used, so it is possible to use `.overrideScope'` to set e.g. a different `cudnn` version;
- `release-cuda.nix` is introduced to easily evaluate cuda packages using hydra.
using freeform is the new standard way of using modules and should replace
extraConfig.
In particular, this will allow us to place a condition on mails
Before this patch, services.dendrite.environmentFile is used for
secrets and environment variable substitution only happens when this
option is used.
systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.
This patch always substitute environment variables, which enables the
usage of systemd LoadCredential.
The Nix-provided `nix-daemon.socket` file has a
> ConditionPathIsReadWrite=/nix/var/nix/daemon-socket/socket
line, to skip that unit if /nix/var/nix/daemon-socket/socket is
read-only (which is the case in some nixos-containers with that folder
bind-ro-mounted from the host).
In these cases, the unit was skipped.
Systemd 250 (rightfully) started to also skip in these cases:
> [ 237.187747] systemd[1]: Nix Daemon Socket was skipped because of a failed condition check (ConditionPathIsReadWrite=/nix/var/nix/daemon-socket).
However, systemd < 250 didn't skip if /nix/var/nix/daemon-socket/socket
didn't /exist at all/, and we were relying on this bug in the case for
fresh NixOS systems, to have /nix/var/nix/daemon-socket/socket created
initially.
Move the creation of that folder to systemd-tmpfiles, by shipping an
appropriate file in `${nixPackage}/lib/tmpfiles.d/nix-daemon.conf`
(NixOS/nix#6285).
In the meantime, set a systemd tmpfiles rule manually in NixOS.
This has been tested to still work with read-only bind-mounted
/nix/var/nix/daemon-socket/socket in containers, it'll keep them
read-only ;-)
Add an exception to the `paperless-ng-server` service's
`SystemCallFilter` as the `mbind` syscall is needed when consuming a
document while having a classification model present.
This adds an option `services.taskserver.openFirewall` to allow the user
to choose whether or not the firewall port should be opened for the
service. This is no longer the case by default.
See also https://github.com/NixOS/nixpkgs/issues/19504.
As `nix-daemon.service` does not make use of `ExecStop`, we prefer
to keep the socket up and available. This is important for machines
that run Nix-based services, such as automated build, test, and deploy
services, that expect the daemon socket to be available at all times.
See committed inline comment for further explanation.
The `substituters` option in `nix.settings` uses the order
of the substituters listed to define priority. Prior to https://github.com/NixOS/nixpkgs/pull/139075,
the corresponding option `binaryCaches` is declared in the `nix` namespace,
which is guaranteed to be merged last. However, the order of merging isn't
guaranteed in submodules. This cause definitions to be appended to the default
value instead of prepended, breaking backwards compatibility as reported in https://github.com/NixOS/nixpkgs/issues/158356.
The way this is addressed in the module system is with order priorities via
`mkOrder` and sorting definitions before merging. This PR restores the previous
behavior by setting a higher priority to the substituters option defined internally,
thus all definitions with default priority will be merged before it. This was chosen because
the `mkRenamedOption` function does not preserve order priority so users using legacy options do not have
precise control on placement.
This change should suffice for simple configuration, but further revision to the module system
is needed for to make various `mk*` functions aware of order priorities.
In #139075, mandatoryFeatures was removed from the generated
supportedFeatures, which breaks backward compatibility and is
different from what the description of supportedFeatures says.
Fail scripts on pipeline errors and propagate subshell errors.
If an error occurs in a subshell, including while trying to read a
secret file, we want that error to propagate to the main shell
context. That means we have to set the `inherit_errexit` option, which
allows errors from subshells to propagate to the outer shell. Also,
the subshell cannot run as part of another command, such as `export`,
since that will simply ignore the subshell exit status and only
respect `export`s exit status; first assigning the value to a variable
and then exporting it solves issue.
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.
The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
avaliable.
This commit aims to following the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.
Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.
Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.
The generation and validation of the configration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.
A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.
[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
`register_new_matrix_user` is a script provided by the matrix-synapse
package to create a new matrix user on the command line.
This commit provides a wrapper around `register_new_matrix_user` that
automatically passes the url (and `registration_shared_secret`, if
present) as CLI arguments.
- regenerate everything
- hardcode to build with node 14 (upstream doesn't support 16 yet)
- remove optional deps to make things build without python2
- set HOME in service environment to prevent crashing
Changes in node-*.nix are autogenerated.
Webclient only allows serving a web directory under /_matrix/client
This only incentivizes running the client under the same domain as the homeserver.
Which is not recommended due to CORS.
most modules can be evaluated for their documentation in a very
restricted environment that doesn't include all of nixpkgs. this
evaluation can then be cached and reused for subsequent builds, merging
only documentation that has changed into the cached set. since nixos
ships with a large number of modules of which only a few are used in any
given config this can save evaluation a huge percentage of nixos
options available in any given config.
in tests of this caching, despite having to copy most of nixos/, saves
about 80% of the time needed to build the system manual, or about two
second on the machine used for testing. build time for a full system
config shrank from 9.4s to 7.4s, while turning documentation off
entirely shortened the build to 7.1s.
some options have default that are best described in prose, such as
defaults that depend on the system stateVersion, defaults that are
derivations specific to the surrounding context, or those where the
expression is much longer and harder to understand than a simple text
snippet.
escape interpolations in descriptions where possible, replace them with
sufficiently descriptive text elsewhere. also expand cfg.* paths in
descriptions.
adds defaultText for all options that use `cfg.*` values in their
defaults, but only for interpolations with no extra processing (other
than toString where necessary)
Previously the extraComponents added to an overriden package would not
have been considered in hardening measures enforced by the module.
Home Assistant is warning the user about component definitions having
moved away from YAML, so using an override to include support for a
component might become the better way moving forward.
The nix.daemonNiceLevel options allows for setting the nice level of the
Nix daemon process. On a modern Linux kernel with group scheduling the
nice level only affects threads relative to other threads in the same
task group (see sched(7)). Therefore this option has not the effect one
might expect.
The options daemonCPUSchedPolicy and daemonIOSchedClass are introduced
and the daemonIONiceLevel option renamed to daemonIOSchedPrority for
consistency. These options allow for more effective control over CPU
and I/O scheduling.
Instead of setting daemonNiceLevel to a high value to increase the
responsiveness of an interactive system during builds -- which would not
have the desired effect, as described above -- one could set both
daemonCPUSchedPolicy and daemonIOSchedClass to idle.