fscrypt can automatically unlock directories with the user's login
password. To do this it ships a PAM module which reads the user's
password and loads the respective keys into the user's kernel keyring.
Significant inspiration was taken from the ecryptfs implementation.
Upon testing the change itself I realized that it doesn't build properly
because
* the `pname` of a php extension is `php-<name>`, not `<name>`.
* calling the extension `openssl-legacy` resulted in PHP trying to compile
`ext/openssl-legacy` which broke since it doesn't exist:
source root is php-8.1.12
setting SOURCE_DATE_EPOCH to timestamp 1666719000 of file php-8.1.12/win32/wsyslog.c
patching sources
cdToExtensionRootPhase
/nix/store/48mnkga4kh84xyiqwzx8v7iv090i7z66-stdenv-linux/setup: line 1399: cd: ext/openssl-legacy: No such file or directory
I didn't encounter that one before because I was mostly interested in
having a sane behavior for everyone not using this "feature" and the
documentation around this. My findings about the behavior with turning
openssl1.1 on/off are still valid because I tested this on `master` with
manually replacing `openssl` by `openssl_1_1` in `php-packages.nix`.
To work around the issue I had to slightly modify the extension
build-system for PHP:
* The attribute `extensionName` is now relevant to determine the output
paths (e.g. `lib/openssl.so`). This is not a behavioral change for
existing extensions because then `extensionName==name`.
However when specifying `extName` in `php-packages.nix` this value is
overridden and it is made sure that the extension called `extName` NOT
`name` (i.e. `openssl` vs `openssl-legacy`) is built and installed.
The `name` still has to be kept to keep the legacy openssl available
as `php.extensions.openssl-legacy`.
Additionally I implemented a small VM test to check the behavior with
server-side encryption:
* For `stateVersion` below 22.11, OpenSSL 1.1 is used (in `basic.nix`
it's checked that OpenSSL 3 is used). With that the "default"
behavior of the module is checked.
* It is ensured that the PHP interpreter for Nextcloud's php-fpm
actually loads the correct openssl extension.
* It is tested that (encrypted) files remain usable when (temporarily)
installing OpenSSL3 (of course then they're not decryptable, but on a
rollback that should still be possible).
Finally, a few more documentation changes:
* I also mentioned the issue in `nextcloud.xml` to make sure the issue
is at least mentioned in the manual section about Nextcloud. Not too
much detail here, but the relevant option `enableBrokenCiphersForSSE`
is referenced.
* I fixed a few minor wording issues to also give the full context
(we're talking about Nextcloud; we're talking about the PHP extension
**only**; please check if you really need this even though it's
enabled by default).
This is because I felt that sometimes it might be hard to understand
what's going on when e.g. an eval-warning appears without telling where
exactly it comes from.
Previously we did socket-activation but this breaks the autostart
feature since upstream expects libvirtd to be started unconditionally on
boot.
Fixes#171623.
Previously, the NixOS test often failed as the copied config file is not
overwriteable. In actual setups, the restart interval is much bigger, such that
systemd-tmpfiles will correct the permissions inbetween.
On some occasions, the GitHub runner service encounters errors which are
deemed retryable but result in the runner's termination. To signal a
retryable error, the runner exits with status code 2:
https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
To account for that behavior, this commit sets
`RestartForceExitStatus=2` which results in a service restart regardless
of using an ephemeral runner or not.
* s/NextCloud/Nextcloud/g
* `enableBrokenCiphersForSSE` should be enabled by default for any NixOS
installation from before 22.11 to make sure existing installations
don't run into the issue. Not the other way round.
* Update release notes to reflect on that.
* Improve wording of the warning a bit: explain which option to change
to get rid of it.
* Ensure that basic tests w/o `enableBrokenCiphersForSSE` run with
OpenSSL 3.
This makes it possible to remove mint themes in an easy way, in this
case we will just use the default from slick-greeter module, i.e. the
Adwaita theme.
in some circumstances, the setup service would fail with:
ERROR 1062 (23000) at line 5: Duplicate entry '1' for key 'PRIMARY'
so let's use an upsert instead of insert. This also simplifies the
script.
Besides, also fix that when the setup script changes, the corresponding
script is not restarted as it is usually not active, so we trigger a
restart of the main systemd service.
Without this, you get the following error message in the logs:
udisksd[4082]: Failed to load config files: Failed to get contents of the config dir (/etc/libblockdev/conf.d/)Error opening directory “/etc/libblockdev/conf.d/”: No such file or directory. Using the built-in config
In ee0b8a7eaa we made the user service wait on network-online, but
forgot about the system service. We need them _both_ to wait when the
wifi source is enabled.
Allow building other than Legacy-BIOS-only Proxmox images.
Default is unchanged.
To build UEFI proxmox image use:
proxmox.qemuConf.bios = "ovmf";
(default is "seabios")
To build image bootable using both "seabios" and "ovmf" use:
partitionTableType = "hybrid";
BIOS can be switched in Proxmox between "seabios" and "ovmf" and VM still boots.
(GRUB2-only, systemd-boot does not boot under "seabios")
To build systemd-boot UEFI image:
proxmox.qemuConf.bios = "ovmf";
boot.loader.systemd-boot.enable = true;
See the discussion below the original PR[1] and #197443 for more
context.
I guess I missed that upon review because the branch was too old and I
cherry-picked the commit onto my deployment branch which is based on
22.05. Sorry for that!
[1] https://github.com/NixOS/nixpkgs/pull/162784#issuecomment-1306848036
Support will be dropped on 01 Jan 2023[1]. Normally we'd keep it around
until then, but considering that it's an LTS kernel it may be better to
do it before 22.11 to make sure there are no unpleasant surprises.
Closes#199933
[1] https://endoflife.date/linux
i based this on the neighboring lightdm-greeters/mini.nix module.
lightdm-mobile-greeter doesn't have a lot of configuration options.
it grabs the default user to login as from lightdm, along with which DE
it should launch. so no further configuration should be needed aside
from enabling `services.xserver.displayManager.lightdm.enable` and
either setting `services.xserver.displayManager.defaultSession` to the
appropriate session or explicitly defining a seat like:
```nix
services.xserver.displayManager.lightdm.extraSeatDefaults = ''
user-session = phosh
'';
```
Not a big deal in most of the cases because wordpress ensures that this
directory exists on its own, but with our twentig customizations that's
actually causing issues.
(cherry picked from commit 3285342bfe5f401dda84c13c834e73154928a61c)
mountFS adds these strings to fstab and then relies on `mount` parsing fstab. If
they have spaces or tabs in them, that would break fstab and therefore not mount
with the unhelpful error: No such file or directory.
Co-authored-by: Lily Foster <lily@lily.flowers>
Co-authored-by: Luflosi <Luflosi@users.noreply.github.com>
I need to fix copying the chrome://gpu content to the clipboard (Ctrl+a doesn't
work anymore so we have to click the button) but we can at least test the font
rendering for now.
\<foo\> will often be displayed like \<foo>, for example by mkdocs.
I've tested a number of markdown renderers and they render html escape
sequences fine.
It's a very useful backend (that probably should be enabled by default,
like on Ubuntu), let's start by making it easier to discover.
Ref https://github.com/NixOS/nixpkgs/issues/28406.
This is a small smoke test of each piece (setuid, setgid, caps) of
wrappers' functionality. It doesn't try to check for combinations of
functionalities or anything more complicated.
Point $SANE_CONFIG_DIR and $LD_LIBRARY_PATH to symlinks in /etc, instead
of directly to nix store paths, so that activating a new configuration
takes effect immediately, instead of requiring users to re-login.
Building etc."fish/setEnvironment.fish" needs
config.system.build.setEnvironment, which can be very large. And what
babelfishTranslate does is to translate env vars exported by bash
syntax, which does not need much computing power.
This patch can reduce the network traffic when using remote builders
with almost no harm.
when a new peer is added, it does not modify any active units, because
the interface unit remains the same. therefore the new peer is not added
until next reboot or manual action.
Icon caches should be generated for directories under $out/share/icons, as the comments mention, but it is done for files as well which does not make the build fail but results in files under $out/share/icons being turned into empty directories, see /run/current-system/sw/share/icons/gnome-logo-text.svg as an example.
Fixes a deadlock where post-resume.target has After=post-resume.service
and post-resume.service runs systemctl try-restart post-resume.target
the systemctl call cannot complete if post-resume.target was already
queued at that time.
Previously, dhcpcd and bitcoind starting up in parallel could lead to
the following error in bitcoind:
```
bitcoind: libevent: getaddrinfo: address family for nodename not supported
bitcoind: Binding RPC on address 127.0.0.1 port 8332 failed.
bitcoind: Unable to bind any endpoint for
```
After the initial failure, the bitcoind service would always restart successfully.
This race condition, where both applications were simultaneously
manipulating network resources, was only triggered under specific
hardware conditions.
Fix it by running bitcoind after dhcp has started (by running after
`network-online.target`).
This bug and the fix only affect the default NixOS scripted
networking backend.
Until this commit, the documentation suggested `multi-user.target`
as `wantedBy` for all services.
Since `multi-user.target` is not available for user services,
propose a different default for those in the documentation.
Co-authored-by: Naïm Favier <n@monade.li>
Co-authored-by: Florian Warzecha <liketechnik@disroot.org>
Percona Server for MySQL 5.6 is no more maintained due to the EOL of MySQL 5.6.
See https://www.percona.com/downloads/Percona-Server-5.6/LATEST/.
A bit hard to list all the potential security issues affecting it but CVE-2021-27928
should be one of them.
The new defaults allows jenkins-job-builder to reload the configuration
out-of-the-box, whereas the previous defaults required users to manually
reload/restart jenkins, or configure accessUser/accessTokenFile
themselves.
(If `extraJavaOptions = [ "-Djenkins.install.runSetupWizard=false" ]`
then the initial admin user is *not* created and you have to use JCasC
or something else to bootstrap.)
Netdev collector needs AF_NETLINK permissions to work. It will fail with
the message "couldn't get netstats: socket: address family is not
supported by protocol" otherwise.
If folders and devices are not configured explicitly, do not wipe the
changes done via the web GUI. Currently the list of devices or folders
will be reset unless overrideFolders/overrideDevices is disabled.
This corrects the multi-node test after a couple recent changes which
resulted in it being broken.
The `lib.toString` change was an incorrect tree-wide refactor, and the
aarch64 change also introduced an error in python indentation/formatting
I believe.