This solves an issue, where loading the nixos-unstable module in
nixos-stable using `disabledModules` and `imports` resulted in the
following Caddyfile:
```
<globalConfig>
<vhosts>
<extraConfig>
```
instead of
```
<globalConfig>
<extraConfig>
<vhosts>
```
This is important in cases where `cfg.extraConfig` contains so called
Caddyfile snippets.
See https://caddyserver.com/docs/caddyfile/concepts#structure
Co-authored-by: Lin Jian <me@linj.tech>
This should ensure systemd handles starting all services (main and
workers) in a single transaction, thus preserving unit orderings
defined through After= even when not restarting the target.
This commit makes the OpenSSH option `PermitRootLogin` available to be
configured by other NixOS modules when using the Google Cloud Engine
(GCE) NixOS image builder. Other options like `PasswordAuthentication`
were already configurable, so I think it makes sense to make `PermitRootLogin`
configurable as well is order to disable it completely, for example.
The default just recently changed in 23.11. Users that had
swraid enabled implicitly by NixOS in previous releases got surprised
by warnings even though they do not actually use software RAID.
Fixes#254807
https://git.sr.ht/~c00w/nixpkgs/tree/sdimagebtrfs/item/nixos/lib/make-btrfs-fs.nix
I made only one change which was to use `btrfs check` instead of
`fsck.btrfs` because of this warning
```
btrfs-fs.img> ++ fsck.btrfs /nix/store/6d46rc768c140asy6rjpc5rk568r36zq-btrfs-fs.img
btrfs-fs.img> If you wish to check the consistency of a BTRFS filesystem or
btrfs-fs.img> repair a damaged filesystem, see btrfs(8) subcommand 'check'.
```
Co-authored-by: Colin L Rice <colin@daedrum.net>
The problem we had back then was that `mkRenamedOptionModule` doesn't
work if an option will be moved a level depper, i.e.
services.grafana.provision.dashboards
became
services.grafana.provision.dashboards.settings.provider
I actually planned to remove this before 23.05 (since the change was
already released in 22.11), but as you can see that didn't happen ;-)
I think the grace-period was quite long already. And if someone is
migrating from <22.11 to a current NixOS now, there are very precise
instructions on how to upgrade in the 22.11 release notes.
To those who use Jellyfin's DLNA server, it can happen that the DLNA server starts before we are connected to the LAN.
When this happens, Jellyfin only publishes the DLNA server on the local ports and is not discoverable by devices in the LAN.
In order to fix this, I'm ensuring that Jellyfin starts after we are connected to the network, making it properly discoverable by DLNA clients.
After making this change, Jellyfin's DLNA server is now working as expected on my machine. It used to be consistently undiscoverable.
I verified that this doesn't break anything in situations where the LAN is not available: I disconnected my laptop from the network and rebooted it and Jellyfin started as expected.
This change was informed by reading the suggestion in this article: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
Actually, it's supposed to be `listOf (attrsOf str)` because each
list-item can match against multiple properties from `urlsplit`[1]. In
fact, `listOf str` breaks URL previews at runtime:
Sep 14 15:03:47 soost synapse[1100355]: synapse.http.server: [GET-116] Failed handle request via 'PreviewUrlResource': <XForwardedForRequest at 0x7f691bd5f730 method='GET' uri='/_matrix/media/r0/preview_url?url=<redacted>' clientproto='HTTP/1.1' site='8448'>
Traceback (most recent call last):
[...]
File "/nix/store/xk5yksbw09p6qwk0maq2cb2in3z6f4gn-matrix-synapse-1.91.2/lib/python3.10/site-packages/synapse/media/url_previewer.py", line 398, in _is_url_blocked
for attrib, pattern in entry.items():
AttributeError: 'str' object has no attribute 'items'
To make sure that people aren't confused when upgrading their configs, I
decided to work with `types.coercedTo` to "pretend" accepting the old
type signature, but then throwing an error explaining what to do (and
rejecting the broken configuration).
[1] https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlsplit
It fails to build with
npm ERR! code 1
npm ERR! path /nix/store/n7sdkr41nax0mn8drh3lxymqbmrradi4-tedicross-0.8.7/lib/node_modules/tedicross/node_modules/sodium
npm ERR! command failed
npm ERR! command sh -c node install.js --preinstall
npm ERR! Static libsodium was not found at /nix/store/n7sdkr41nax0mn8drh3lxymqbmrradi4-tedicross-0.8.7/lib/node_modules/tedicross/node_modules/sodium/deps/build/lib/libsodium so compiling libsodium from source.
npm ERR! automake is required, but wasn't found on this system
npm ERR! make: *** [Makefile:62: libsodium] Error 1
npm ERR! /nix/store/n7sdkr41nax0mn8drh3lxymqbmrradi4-tedicross-0.8.7/lib/node_modules/tedicross/node_modules/sodium/install.js:287
npm ERR! throw new Error(cmdLine + ' exited with code ' + code);
npm ERR! ^
npm ERR!
npm ERR! Error: make libsodium exited with code 2
npm ERR! at ChildProcess.<anonymous> (/nix/store/n7sdkr41nax0mn8drh3lxymqbmrradi4-tedicross-0.8.7/lib/node_modules/tedicross/node_modules/sodium/install.js:287:19)
npm ERR! at ChildProcess.emit (node:events:514:28)
npm ERR! at ChildProcess._handle.onexit (node:internal/child_process:291:12)
npm ERR!
npm ERR! Node.js v18.17.1
Historically, we allowed downgrade of DNSSEC, but some folks argue
this may decrease actually the security posture to do opportunistic DNSSEC.
In addition, the current implementation of (opportunistic) DNSSEC validation
is broken against "in the wild" servers which are usually slightly non-compliant.
systemd upstream recommended to me (in personal communication surrounding
the All Systems Go 2023 conference) to disable DNSSEC validation until
they work on it in a significant capacity, ideally, by next year.
This commit introduces a `networking.networkmanager.fccUnlockScripts`
option, which allows specifying additional, usually vendor-provided
unlock scripts.
networking.networkmanager.enableBundledFccUnlockScripts is refactored to
make use of the same mechanism internally.
PR #155414 introduced an option to support enabling the FCC unlock
scripts that ModemManager provides, but since 1.18.4 doesn't execute
anymore.
However, this option is specifically only about the unlock scripts
provided with ModemManager so far. Rename the option to make this more
obvious.
Clarify that the monochrome font is not included, per #221181.
The new name is also coherent with the name of the font,
according to `fontconfig`: Noto Color Emoji.
For NVLink topology systems we need fabricmanager. Fabricmanager itself is
dependent on the datacenter driver set and not the regular x11 ones, it is also
tightly tied to the driver version. Furhtermore the current cudaPackages
defaults to version 11.8, which corresponds to the 520 datacenter drivers.
Future improvement should be to switch the main nvidia datacenter driver version
on the `config.cudaVersion` since these are well known from:
> https://docs.nvidia.com/deploy/cuda-compatibility/index.html#use-the-right-compat-package
This adds nixos configuration options `hardware.nvidia.datacenter.enable` and
`hardware.nvidia.datacenter.settings` (the settings configure fabricmanager)
Other interesting external links related to this commit are:
* Fabricmanager download site:
- https://developer.download.nvidia.com/compute/cuda/redist/fabricmanager/linux-x86_64/
* Data Center drivers:
- https://www.nvidia.com/Download/driverResults.aspx/193711/en-us/
Implementation specific details:
* Fabricmanager is added as a passthru package, similar to settings and
presistenced.
* Adds `use{Settings,Persistenced,Fabricmanager}` with defaults to preserve x11
expressions.
* Utilizes mkMerge to split the `hardware.nvidia` module into three comment
delimited sections:
1. Common
2. X11/xorg
3. Data Center
* Uses asserts to make the configurations mutualy exclusive.
Notes:
* Data Center Drivers are `x86_64` only.
* Reuses the `nvidia_x11` attribute in nixpkgs on enable, e.g. doesn't change it
to `nvidia_driver` and sets that to either `nvidia_x11` or `nvidia_dc`.
* Should have a helper function which is switched on `config.cudaVersion` like
`selectHighestVersion` but rather `selectCudaCompatibleVersion`.
My system does not use `bcache` and I sould prever my `systemPackages`
not to have bcache tools.
The change does not change the default but proviced usual `enable` knob.
Add new command `nixos-rebuild list-generations`. It will show an output
like
```
$ nixos-rebuild list-generations
Generation Build-date NixOS version Kernel Configuration Revision Specialisations
52 (current) Fri 2023-08-18 08:17:27 23.11.20230817.0f46300 6.4.10 448160aeccf6a7184bd8a84290d527819f1c552c *
51 Mon 2023-08-07 17:56:41 23.11.20230807.31b1eed 6.4.8 99ef480007ca51e3d440aa4fa6558178d63f9c42 *
```
This also mentions the change in the upcoming release notes
fixes#232505
Implements the new option `security.acme.maxConcurrentRenewals` to limit
the number of certificate generation (or renewal) jobs that can run in
parallel. This avoids overloading the system resources with many
certificates or running into acme registry rate limits and network
timeouts.
Architecture considerations:
- simplicity, lightweight: Concerns have been voiced about making this
already rather complex module even more convoluted. Additionally,
locking solutions shall not significantly increase performance and
footprint of individual job runs.
To accomodate these concerns, this solution is implemented purely in
Nix, bash, and using the light-weight `flock` util. To reduce
complexity, jobs are already assigned their lockfile slot at system
build time instead of dynamic locking and retrying. This comes at the
cost of not always maxing out the permitted concurrency at runtime.
- no stale locks: Limiting concurrency via locking mechanism is usually
approached with semaphores. Unfortunately, both SysV as well as
POSIX-Semaphores are *not* released when the process currently locking
them is SIGKILLed. This poses the danger of stale locks staying around
and certificate renewal being blocked from running altogether.
`flock` locks though are released when the process holding the file
descriptor of the lock file is KILLed or terminated.
- lockfile generation: Lock files could either be created at build time
in the Nix store or at script runtime in a idempotent manner.
While the latter would be simpler to achieve, we might exceed the number
of permitted concurrent runs during a system switch: Already running
jobs are still locked on the existing lock files, while jobs started
after the system switch will acquire locks on freshly created files,
not being blocked by the still running services.
For this reason, locks are generated and managed at runtime in the
shared state directory `/var/lib/locks/`.
nixos/security/acme: move locks to /run
also, move over permission and directory management to systemd-tmpfiles
nixos/security/acme: fix some linter remarks in my code
there are some remarks left for existing code, not touching that
nixos/security/acme: redesign script locking flow
- get rid of subshell
- provide function for wrapping scripts in a locked environment
nixos/acme: improve visibility of blocking on locks
nixos/acme: add smoke test for concurrency limitation
heavily inspired by m1cr0man
nixos/acme: release notes entry on new concurrency limits
nixos/acme: cleanup, clarifications
the schema files referenced in the current preStart are empty.
other ones exist, but don't apply cleanly either.
calling update.php with --update-schema works for initial setup and
updates. if the database schema is already up to date, it's idempotent.
- Avoid false-positives on package sets that contain a `terminfo` derivation,
like `haskellPackages` and `sbclPackages`.
- Directly provide a list of names that can be used to update the NixOS module,
rather than a list of derivations which is hard to read in the REPL.
When not setting `settings` and setting `openFirewall = true`
evaluation would fail because it tries to access `settings.bind_port`
while `settings == null`
it should be checking that it is not a broken symlink but bash
conditionals are difficult
-d was causing the directory to not be created if it does not exist
```
$ install -m 0755 -d $PWD/hello
$ ls
hello/
$ ln -s something notexist
'notexist' -> 'something'
$ ls -l
lrwxrwxrwx artturin artturin 9 B Sat Sep 9 06:59:44 2023 notexist@ ⇒ something
drwxr-xr-x artturin artturin 2 B Sat Sep 9 06:59:36 2023 hello/
$ install -m 0755 -d $PWD/notexist
install: cannot change permissions of ‘/home/artturin/nixgits/my-nixpkgs/test/notexist’: No such file or directory
```
This avoids the possible confusion with `passwordFile` being the file
version of `password`, while it should contain the password hash.
Fixes issue #165858.
The module for Plasma 5 contained two pointless setuid wrappers:
* kscreenlocker_greet was introduced when the kscreenlocker package
dropped kcheckpass. However, this was actually replaced by making
proper use of PAM (which finally calls its unix_chkpwd setuid binary).
kscreenlocker_greet itself was never intended to be setuid.
Fortunately, this is not exploitable, because QCoreApplication
immediately aborts if it detects setuid. The wrapper is still
incorrect and pointless, so remove it.
* start_kdeinit can optionally use setuid root or setcap
CAP_SYS_RESOURCE to reduce its OOM killer score. However, with systemd
startup, start_kdeinit does not get used at all. So in this case, the
setuid wrapper is pointless, and so is removed as well. Ideally, the
case where systemd startup is not enabled would use a capability
wrapper instead, but since systemd startup is the default in NixOS and
kinit is deprecated upstream for KF6, I don't bother any more.
