Previously, it was held back due to the ENA driver not building on the
current default (5.15). The previous commit bumps the ENA driver, which
allows 5.15 to work.
This will package up the closure of pkgs.hello in a tarball, and will
later on verify machinectl pull-tar properly unpacked it, serving as a
regression test for #108158.
Closes#108158
Initially applied via e7f6370701, then
reverted by 96aaf29234.
Re-applying this patch: the pleroma NixOS test is broken without it.
It was originally impossible to login in toot without having an
interactive shell. I opened https://github.com/ihabunek/toot/pull/180
upstream to fix that and fetch this patch for this test.
The author decided to fix the issue using a slightly different
approach at a3eb5dca24
Because of this upstream fix, our custom patch does not apply anymore.
Using that stdin-based login upstream feature.
Pointing pleroma_ctl to the right RELEASE_COOKIE as well.
Tailscale uses policy routing to enable certain traffic to bypass
routes that lead into the Tailscale mesh. NixOS's reverse path
filtering setup doesn't understand the policy routing at play,
and so incorrectly interprets some of this traffic as spoofed.
Since this only breaks some features of Tailscale, merely warn
users about it, rather than make it a hard error.
Updates tailscale/tailscale#4432
Signed-off-by: David Anderson <dave@natulte.net>
Added Nextcloud 23 and set it as the default Nextcloud version for the
NixOS module. Added PHP 8.1 as an option for phpPackage and default for
Nextcloud ≥ 24.
For some features, tailscaled uses getent(1) to get the shell
of OS users. getent(1) is in the glibc derivation. Without this
derivation in the path, tailscale falls back to /bin/sh for all
users.
Signed-off-by: David Anderson <dave@natulte.net>
activating the configuration...
setting up /etc...
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.messagebus’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
chown: warning: '.' should be ':': ‘root.root’
reloading user units for root...
Installing Firefox is a good example for a package that could be
installed as a user, since it is a graphical one.
Also use thunderbird as a second example.
network-manager-applet uses differrent naming scheme from the VPN plug-ins.
Let’s revert to the previous state, for now, to fix eval. We can do the rename later.
This reverts commit cecb014d5d.
The test would previously error out like this:
> synapse_homeserver[1155]: synapse.config._base.ConfigError: You have
> enabled open registration without any verification. This is a known
> vector for spam and abuse. If you would like to allow public
> registration, please consider adding email, captcha, or token-based
> verification. Otherwise this check can be removed by setting the
> `enable_registration_without_verification` config option to `true`.
In a previous PR [1], the conditional to generate a new host key file
was changed to also include the case when the file exists, but has zero
size. This could occur when the system is uncleanly powered off shortly
after first boot.
However, ssh-keygen prompts the user before overwriting a file. For
example:
$ touch hi
$ ssh-keygen -f hi
Generating public/private rsa key pair.
hi already exists.
Overwrite (y/n)?
So, lets just try to remove the empty file (if it exists) before running
ssh-keygen.
[1] https://github.com/NixOS/nixpkgs/pull/141258
This special case for Btrfs was added in 51bc82960a. One year later beddd36c95 added code to skip the fsck entirely if the filesystem is Btrfs. This made the `if` statement unnecessary.
Release notes available at https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-18-0-0.
The way the database port is configured changed in Keycloak 18 and the
old way of including it in the `db-url-host` setting no longer
works. Use the new `db-url-port` setting instead.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Signed-off-by: Kim Lindberger <kim.lindberger@gmail.com>
- Make tests/lxd.nix use NixOS's lxdMeta & lxdImage to avoid relying on
3rd party containers such as Alpine Linux for testing purposes.
- Merge tests/lxd-image.nix into tests/lxd.nix, since now both have a
similar structure.
- Extract duplicated inline LXD configuration into a separate file,
- Add passthru.lxd-nftables & passthru.lxd-image-server.
This has a number of benefits such as that applying service limits will
actually work since there isn't a layer of indirection (the Docker daemon)
between the systemd service and the container runtime.
This was an annoyance for me as I have editor hooks cleaning up
trailing white space which lead to regenerating parts of the release notes unnecessarily.
Without this, if the network goes down for a while, systemd will give up after 5 restarts:
Scheduled restart job, restart counter is at 5.
Stopped Nebula VPN service for myvpn.
nebula@myvpn.service: Start request repeated too quickly.
Failed with result 'exit-code'.
Failed to start Nebula VPN service for myvpn.
Most network services need this, but for VPNs it's extra important.
This commit implements the following additional test cases for gitlab:
- Creating regular users
- git clone over http and ssh
- git push over ssh
- Forking projects
- Creating and merging Merge Requests
- Opening and closing issues.
People running nixos-install in non-NixOS environments
occasionally run into the mktemp builtin not being loaded
into bash (yes, even NixOS' bash). Rather than try and
figure out why exactly that is happening, just use a known
good mktemp from coreutils.
See https://blog.prosody.im/prosody-0.12.0-released for more
informations.
We remove the various lua wrappers introduced by
6799a91843 and
16d0b4a69f. It seems like we don't need
them anymore. I'm not brave enough to dig into the Lua machinery to
see what resolved that. Sorry, you'll have to trust me on that one.
We should probably think about the migration from http_upload to
http_file_share for the NixOS module. It's not trivial, we need to
make sure we don't break the already uploaded URLs.
This commit refactors the way how configuration files are deployed to
the `/etc/asterisk` directory.
The current solution builds a Nix derivation containing all config files
and symlinks it to `/etc/asterisk`. The problem with that approach is
that it is not possible to provide additional configuration that should
not be written to the Nix store, i.e. files containing credentials.
The proposed solution changes the creation of configuration files so
that each configuration file gets symlinked to `/etc/asterisk`
individually so that it becomes possible to provide additional config
files to `/etc/asterisk` as well.
Renaming the variable from `initScript` to `bashAndZshInitScript` makes it clearer, what it is actually used for.
Moving the fish init script right below the other call to `thefuck --alias` makes it more obvious, when one of them is different in some important way.
We can make the growfs and makefs binaries conditional because we know
if we'll need them. Also move the cryptsetup generator to the luksroot
so it's not included when not needed.
We drop some generators altogether: systemd-getty-generator because we
don't have getty anyway in stage 1, systemd-system-update-generator
because we don't use that logic in NixOS and
systemd-veritysetup-generator because stage 1 has no veritysetup support
(yet) and if it had, we still wouldn't want to include the generator
unconditionally.
First, add the builtin udev rules to /etc/udev/rules.d so they are used.
Then, add all networkd .link units to the initrd. This is done in the
old stage 1 as well so I assume this is needed even when networkd is not
used. I assume this is for things like changing the MAC address.
Also limit the number of udev/lib binaries that is put into the initrd
because the old initrd doesn't use all units either.
Currently we're still using scripted networking by default. A problem
with scripted networking is that having `useDHCP` on potentially
non-existing interfaces (e.g. an ethernet interface for USB tethering)
can cause the boot to hang.
Closes#107908
Previously this wasn't done in the `forEach`-expression for
`cfg.interfaces` and thus `networking.useDHCP` didn't have any effect if
no further interface was statically configured.
We can't assume that DRI card minor is the same as NVidia GPU device minor,
because some DRI minors could be taken by GPUs of other vendors.
Fixes#87788, #98942.
Run each browser check as a separate NixOS test.
This fixes a problem in which one browser starts up before the previous
browser is finished exiting, exhausting a resource and causing a
spurious test failure.
As a bonus, splitting the test
* Gives more signal about exactly what's broken in the pass/fail status,
* Makes it easier to quickly diagnose test failures,
* Makes development iteration faster,
* Allows concurrent test execution, which makes the test finish sooner
when parallel builds are enabled.
* Would allow each browser's test to be included in its nixpkgs
passthru.tests, if desired (not done in this commit).
Reviewed-by: rnhmjoj <rnhmjoj@inventati.org>
this commit passes the build dependencies to the
pgadmin nixos test for package and regression testing.
Also added changelog and some clarifying comments.
Signed-off-by: Florian Brandes <florian.brandes@posteo.de>
We need to move NixOS containers somewhere else so these don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.
The state directory move is not strictly a requirement but is good for
consistency.
Tested on a RPi3 B+ with a 2g swapfile. On that system the test
still sometimes fails, but I suspect this is because it is really
just not powerful enough for this task.
Fixes#170395
The NixOS evaluation would complain:
trace: warning: literalExample is deprecated, use literalExpression instead, or use literalDocBook for a non-Nix description.
The description for the runner in the UI is by default sthg like
"npm_nixos_d0544ed48909" i.e., the name of the attribute.
I wanted to have a more user-friendly description and added a
description to the service.
Seems like gitlab-runner doesn't like having both fields set:
"Cannot use two forms of the same flag: description name"
so I used one or the other.
This avoids the scenario where you activate a new config over Tailscale,
and a long delay between the "stop services" and "start services" phases
of the activation script lead to your terminal freezing for tens of
seconds, until tailscaled finally gets started again and the session
recovers.
Per the documentation of stopIfChanged, this is only safe to do if the
service definition is robust to stopping the old process using the new
service definition. As the maintainer of the upstream systemd unit, I
can confirm that Tailscale is robust to this scenario: it has to be
in order to work right on several other distros that just do
unpack-then-restart, rather than the more complex stop-unpack-start
dance.
Signed-off-by: David Anderson <dave@natulte.net>
This includes disabling some features in the initrd by default, this is
only done when the new initrd is used. Namely, ext and bcache are
disabled by default. bcache gets an own enable option while ext is
detected like any other filesystem.
I recently learned that Nextcloud 23's new profile feature — basically a
way for users to share personal contact details — has a problematic
default setting, profile data is shared with **everyone** by default.
This means that an unauthenticated user can access personal information
by accessing `nextcloud.tld/u/user.name`.
The announcement of v23 states[1]:
> We go a step further and introduce a profile page. Here you can put a
> description of yourself, show links to, for example, social media, what
> department you are in and information on how to contact you. All these
> are of course entirely optional and you can choose what is visible to who!
> The profile and user status are accessible also from our mobile and desktop clients.
It's not mentioned that by default you share personal information[3] with
everyone and personally I think that's somewhat problematic.
To work around that, I decided to add an option for the recently added[2]
and even set it to `false` by default to make an explicit opt-in for
that feature.
[1] https://nextcloud.com/blog/nextcloud-hub-2-brings-major-overhaul-introducing-nextcloud-office-p2p-backup-and-more/
[2] https://github.com/nextcloud/server/pull/31624/files
[3] By default, this affects the following properties:
* About
* Full name
* Headline
* Organisation
* Profile picture
* Role
* Twitter
* Website
Phone, Address and Email are not affected and only shown to
authenticated users by default.