I was under the impression that setting `services.redis.servers.<name>.save = []` would disable RDB persistence, as no schedule would mean no persistence. However, since the code did not handle this case specially, it actually results in no `save` setting being written and the internal Redis default being used.
This patch handles the empty case to disable RDB persistence.
Disabling RDB persistence is useful in a number of scenarios:
1. Using Redis in a pure-cache mode where persistence is not desired.
2. When using the (generally superior) AOF persistence mode, this file is never read, so there is little point in writing it.
3. When saving is handled manually.
For more information see https://redis.io/docs/manual/persistence/
This is a breaking change as the user may have been relying on `[]` using Redis defaults. However I believe that updating the behaviour for the next release is beneficial as IMHO it is less surprising and does what the user would expect. I have added release notes to warn about this change.
* nixos/vault: add option to start in dev mode.
This is not only useful for NixOS tests, i.e. when testing vault agent
setups, but also when playing around with vault in local setups. In our
tests we can now make use of this option to test more vault features.
I.e., adding this feature has uncovered the need for a `StateDirectory`.
* Update nixos/modules/services/security/vault.nix
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Co-authored-by: Jonas Chevalier <zimbatm@zimbatm.com>
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
When using the example without the square brackets, nginx fails to start:
```
nginx-pre-start: nginx: [emerg] invalid port in "::1:80" of the "listen" directive in /nix/store/xyz-nginx.conf:29
nginx-pre-start: nginx: configuration file /nix/store/xyz-nginx.conf test failed
```
* Update attribute names in code examples (* -> settings.*).
* Use `nix-shell -p` rather than `nix run` because the example won't
work with the current default Nix.
* Update config values for `element-web`.
* Fix link to `element-web` security considerations.
* Make the synapse expression even smaller and use callout-lists to
explain the code.
* Document how to correctly deploy the shared registration secret.
[1] https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
Potential use cases for disabling `useDefaultFilesystems` include:
- Testing with uncommon filesystem layouts
- Testing scenarios where swapping occurs
- Testing with LUKS-encrypted disks
Closes #177963
Running `nixos/tests/keepassxc.nix` shows:
```
machine # [ 18.705390] xsession[985]: /nix/store/2g2jx5c6x3p152wbiijr0rmky7byqivc-xsession: line 13: nn: command not found
```
This garbled bash script runs without `set -o errexit` and thus skips
"\n\n" as an invalid command:
```
$ cat -n /nix/store/2g2jx5c6x3p152wbiijr0rmky7byqivc-xsession
...
\n\n
if [ -e $HOME/.background-image ]; then
/nix/store/wq1d1ph8wj4alpx78akvpbd0a0m9qkd1-feh-3.8/bin/feh --bg-scale $HOME/.background-image
fi
...
```
KeePassXC uses it through
`nixos/modules/services/x11/display-managers/default.nix`:
```
...
# Script responsible for starting the window manager and the desktop manager.
xsession = dm: wm: pkgs.writeScript "xsession" ''
#! ${pkgs.bash}/bin/bash
# Legacy session script used to construct .desktop files from
# `services.xserver.displayManager.session` entries. Called from
# `sessionWrapper`.
# Start the window manager.
${wm.start}
# Start the desktop manager.
${dm.start}
...
'';
...
```
The bogus line was introduced in PR #160752:
```
commit 0bc0dc8090
Author: Shaw Vrana <shaw@vranix.com>
Date: Fri Feb 18 11:27:42 2022 -0800
desktop manager script: start properly
Adds a missing line feed when X is enabled to the start script name
and the appended if check. Resolves#160735
```
I have not tried to reproduce the original issue and thus don't know
why "\n\n" apparently gets interpreted fine in one place but remains
literal in the `xsession` case.
However, using a literal newline must be valid for all cases and
certainly fixes the warning seen in KeePassXC tests.
Furthermore, starting the nix string (`''`) with a newline as usual also
fixes its overall indentation.
This improves security, by starting the service as an unprivileged user,
rather than starting as root and relying on the service to drop
privileges. This requires a significant cleanup of pre-init scripts, to
make use of StateDirectory and RuntimeDirectory for permissions.
This patch follows an upstream commit[1].
Before this patch, if the acme module is used, caddy will still use an old
cert even if a new one is available. The cause is that without the --force
flag, caddy will not reload an unchanged config.
Refer to that commit[1] message for more information.
[1]: 979e498d6d
Seems silly to install this for use with the local server, but to not
configure it to use the local server. Otherwise, out of the box we
just get an error about no server being configured.
The `nixos-rebuild` tool calls `get-version-suffix` to figure out the
git revision of the nixpkgs directory if there is a .git.
https://nvd.nist.gov/vuln/detail/CVE-2022-24765 made git throw an
error if the .git search logic is not turned off and a user
tries to access a `.git` directory they don’t own (otherwise a
different user could trick them into setting arbitrary git config).
So from now on we should always explicitly set `--git-dir`, which
turns this search logic (and thus the security check) off.
It was never meant to be used for anything other than testing
and setting it globally can cause weird loops in GTK-based portals,
where the portal will end up waiting for itself until it times out.
https://github.com/NixOS/nixpkgs/issues/135898
Or it can mess up fonts:
https://github.com/NixOS/nixpkgs/issues/155291#issuecomment-1166199585
Having the option in NixOS makes it look like it is okay or even
desirable to enable, when in fact it is a hack that can subtly break apps.
Some apps allow opting into using portal-based APIs, e.g. for Firefox,
you can set `widget.use-xdg-desktop-portal.file-picker` to `1` in about:config.
Otherwise, you can set the `GTK_USE_PORTAL` environment variable to 1
for individual apps.
People who really want it and are aware of the downsides can just set the
`environment.sessionVariables.GTK_USE_PORTAL = "1";` NixOS option
directly to set the environment variable globally.
- Add a module for the thunar file manager, which depends on the xfconf dbus service, and also has a dbus service and a systemd unit.
- Renames the option services.xserver.desktopManager.xfce.thunarPlugins to programs.thunar.plugins.
Riak has been updated a lot since version 2.2 (now 3.0.10) but
the package has seen no updates. This is at this point
a problem, forcing us to maintain old versions of erlang.
We would be happy to re-accept a newer version of Riak if someone wants
to spend the time to set it up.
`boot.initrd.systemd.emergencyAccess` expects passwd(5) formatted
strings, hence `singleLineStr` is too broad.
Use the same type as `users.users.*.hashedPassword` to ensure
consistency across all options where password hashes are used.
From `modules/config/users-groups.nix`:
```
hashedPassword = mkOption {
type = with types; nullOr (passwdEntry str);
...
};
```
More nixpkgs code such as `boot.initrd.systemd.emergencyAccess` defines
options that take hashed passwords, so move the type definition from
modules/ into lib/.
The type definition itself stays unchanged.
`console.{font,keyMap}` may be a path or a string to a store path,
which should be added to initrd for `systemd-vconsole-setup` before
the prompt for the LUKS password.
Use `networking.resolvconf.package` to allow DNS entries to be set using
the system-wide resolver implementation instead of hardcoding systemd or
openresolv.
Extend the tests by adding DNS entries and making one of the peers use
systemd-networkd (hence systemd-resolved).
Also add a few `networkd`-specific settings.
The substr solution assumed a newline to be present.
The new solution will not remove the newline if it goes missing in the future.
Apparently this is idiomatic perl.
Thanks pennae for the suggestion!
According to https://grafana.com/docs/agent/latest/upgrade-guide/#v0240,
this has been deprecated/moved to -server.http.address and
-server.grpc.address (accepting ip and port) config options in v0.24.0,
and already listens on localhost and not port 80 by default.
According to https://github.com/grafana/agent/pull/1540, -prometheus.*
flags were deprecated in 0.19.0 in favor of the -metrics.*
counterparts. The same applies to `loki` being renamed to `logs`.
I'm not sure if the config file format is still supported (it could be),
but we shouldn't use deprecated configs.
Run the device tree overlays through the preprocessor before compiling it, as
is done in the kernel. This helps make overlays easier to understand, and
improves compatibility with those found in the wild.
I found the correct command line by running the kernel build with V=1, and then
removing all the arguments related to dependency tracking.
Since dtc 1.4.7 (released in 2018), there has been a much nicer syntax for
device tree overlays. This commit converts the dtsText example to use this
syntax.
Qt4 is on its way out, according to
https://github.com/NixOS/nixpkgs/pull/174634
Barco's ClickShare driver/client requires Qt4;
an update isn't in sight anywhere.
To prepare for the removal of Qt4,
the commit at hand removes the
ClickShare package and its NixOS module.
The release notes are appended with a hint about the
removal and some alternatives that might help users
that are still in need of the driver/client functionality.
The preStart script for the IPFS service will print parts of the configuration
to stdout (and therefore, the journal) when applying profiles on startup. This
may lead to unwanted disclosure of private information, such as remote pinning
service API keys. Fix by sending stdout to /dev/null.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.parsedmarc.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash secret file paths before using them as a placeholders in the
config file to minimize the risk of conflicting file paths being
replaced instead.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.geoipupdate.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash the license key path before using it as a placeholder in the
config file to minimize the risk of conflicting file paths being
replaced instead.
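As an added illustration of the placeholder scheme the two commits above describe (this is not code from either module), the following shell script walks through both phases: hashing the secret path into a placeholder at config-generation time, and swapping in the file contents at service start. Helper names and the secret are constructed for this example.

```shell
#!/bin/sh
# Added example, not the nixos/parsedmarc or nixos/geoipupdate module code.
#  1. At config-generation time a setting given as { _secret = "/path"; } is
#     written as a placeholder derived from the sha256 of the path, so neither
#     the path nor the secret lands in the generated file.
#  2. At service start the placeholder is swapped for the file's contents.
# Function names (placeholder_for, replace_all, render_config,
# substitute_secret) are hypothetical, chosen for this example.

# placeholder_for SECRET_PATH: deterministic token for that path. Hashing the
# path (instead of using it verbatim) avoids clobbering other settings that
# merely contain the path as a substring, e.g. "/run/secrets/key-logs".
placeholder_for() {
  printf '<SECRET:%s>' "$(printf '%s' "$1" | sha256sum | cut -c1-16)"
}

# replace_all STRING NEEDLE REPLACEMENT: literal (non-regex) global replace in
# POSIX sh, so the secret value is never interpreted by sed or awk.
replace_all() {
  s=$1
  out=''
  while [ -n "$s" ]; do
    case $s in
      *"$2"*) out="$out${s%%"$2"*}$3"; s=${s#*"$2"} ;;
      *)      out="$out$s"; s='' ;;
    esac
  done
  printf '%s' "$out"
}

# render_config API_KEY_SECRET_PATH LOG_DIR: the "build time" step. api_key is a
# secret reference and becomes a placeholder; log_dir is a plain string.
render_config() {
  printf 'api_key = %s\n' "$(placeholder_for "$1")"
  printf 'log_dir = %s\n' "$2"
}

# substitute_secret CONFIG_FILE SECRET_PATH: the "service start" step. Prints
# the config with the placeholder for SECRET_PATH replaced by the file content.
substitute_secret() {
  ph=$(placeholder_for "$2")
  secret=$(cat "$2")
  while IFS= read -r line || [ -n "$line" ]; do
    replace_all "$line" "$ph" "$secret"
    printf '\n'
  done < "$1"
}

# Demonstration with a constructed secret file and constructed paths.
demo() {
  tmp=$(mktemp -d)
  printf 'hunter2' > "$tmp/api-key"
  render_config "$tmp/api-key" "$tmp/api-key-logs" > "$tmp/app.conf"
  echo "--- generated config (contains neither path nor secret):"
  cat "$tmp/app.conf"
  echo "--- config as seen by the service:"
  substitute_secret "$tmp/app.conf" "$tmp/api-key"
  rm -rf "$tmp"
}
```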
Commit 8109d8a set the `StateDirectory=` option of the systemd service
configuration to the value of `cfg.workDir` which is wrong, according
to dasJ [1]. This commit resolves this issue by stripping the
`/var/lib/` prefix from `cfg.workDir`.
[1] https://github.com/NixOS/nixpkgs/pull/172824#issuecomment-1130350412
On one of the two machines I have running openldap, openldap failed to start due to a "timeout". Increasing the allowed startup delay didn't help.
I noticed the following in logs:
```
openldap.service: Got notification message from PID 5224, but reception only permitted for main PID 5223
```
It turns out that on this machine at least, openldap apparently sends the notification from a non-main process, which means that we need this NotifyAccess setting for systemd to record that it successfully started. Without it, after 30 seconds systemd kills the process because it didn't receive the sd_notify call.
Somehow the other machine I have on nixos running ldap works fine even without this, but I could not figure out what changes the behavior.
Given that AFAIU NotifyAccess still restricts to "from the cgroup of the service", I think this change should be safe.
A simpler implementation of 7d8b303e3f
that uses an assertion instead of a derivation.
`pathHasContext` seems a bit better than `hasPrefix storeDir` because it
avoids a string comparison, and catches nonsense like
`"foo${pkgs.hello}bar"`.
Apparently since systemd v250 a `ListenStream` in an override file won't
override the unit, but will be appended to a list of socket addresses.
The socket unit fails if two or more addresses have the same port,
probably because two systemd processes try to listen to it at once.
The solution is to add an empty `ListenStream=` to reset all previous
definitions.
Fix #175478.
`nixos/modules/installer/kexec/kexec-boot.nix` doesn't contain any
custom NixOS config, other than importing `netboot-minimal.nix` (which
imports `netboot-base.nix`, which imports `netboot.nix`).
`netboot.nix` really is just describing a self-contained system config,
running entirely off kernel and initrd, so we might as well move the
kexec script generation there as well.
`netboot.nix` already contains some `system.build` attributes.
Provide a `system.build.kexecTree` attribute (and `kexecScript` for
composability).
It is already installed by xdg.icons.enable.
Let’s also enable that option explicitly to prevent users from accidentally
disabling it since GNOME will be severely broken without it.
It is already installed by xdg.mime.enable.
Let’s also enable that option explicitly to prevent users from accidentally
disabling it since GNOME will be severely broken without it.
Previously, `makeInitrd` added the whole closure of the squashfs
derivation to initrd.
This closure contains the squashfs.img and some store paths which are
still referenced by the compressed squashfs.img.
These extra store paths are unused in stage 1.
With `makeInitrdNG` only the squashfs.img is added to the initrd.
(`makeInitrdNG` only resolves shared library references instead of the
whole closure).
This shrinks the netboot ramdisk by ~6% for a minimal system and
significantly decreases the size of the uncompressed root filesystem
in stage 1.
An empty LD_LIBRARY_PATH may confuse some applications into appending
:, creating an empty segment that insecurely refers to the current
directory, not the absence of directories.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
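An added shell example (not part of the commit) showing the failure mode the message describes, with an append helper that avoids it and a check that counts empty segments. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the commit above. Extending an empty
# LD_LIBRARY_PATH as "${LD_LIBRARY_PATH}:/x" yields ":/x"; ld.so(8) treats the
# empty segment before the colon as the current working directory, so shared
# objects are looked up in "." first. Helper names are hypothetical.

# naive_append CURRENT NEWDIR: the pattern the commit warns about.
naive_append() {
  printf '%s:%s' "$1" "$2"
}

# safe_append CURRENT NEWDIR: only emit a separator when CURRENT is non-empty,
# so an empty search path never grows an empty segment.
safe_append() {
  if [ -z "$1" ]; then
    printf '%s' "$2"
  else
    printf '%s:%s' "$1" "$2"
  fi
}

# count_empty_segments PATH: number of empty entries (leading, trailing or
# doubled colons) in a colon-separated search path. Each one makes the dynamic
# loader search "." for shared objects. An entirely empty variable has no
# segments at all and is reported as 0.
count_empty_segments() {
  if [ -z "$1" ]; then
    echo 0
    return
  fi
  n=0
  rest="$1:"            # trailing sentinel so the last segment is handled uniformly
  while [ -n "$rest" ]; do
    seg=${rest%%:*}     # text up to the first colon
    rest=${rest#*:}     # drop it, including the colon
    if [ -z "$seg" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# check_ld_library_path: audit the current LD_LIBRARY_PATH; returns 1 if it
# contains an empty segment, 0 otherwise.
check_ld_library_path() {
  if [ "$(count_empty_segments "${LD_LIBRARY_PATH-}")" -gt 0 ]; then
    echo "LD_LIBRARY_PATH has an empty segment (searches the current directory)" >&2
    return 1
  fi
  return 0
}

# Demonstration with a constructed, empty starting value.
demo_path=""
echo "naive: '$(naive_append "$demo_path" /opt/lib)'"   # ':/opt/lib'
echo "safe:  '$(safe_append "$demo_path" /opt/lib)'"    # '/opt/lib'
```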
The backupPrepareCommand and backupCleanupCommand options offer a way to
run a script to prepare for backup and then clean up once finished.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Allow providing the repository as a file, useful when we don't want it
being stored in the Git repository as plain text.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Previously, all configuration and state data was accessible to all
users on the system running jellyfin. This included user passwords in
the Jellyfin database, as well as credentials for LDAP if configured.
The exact set of accessible data depends on system configuration.
Thanks to Sofie Finnes Øvrelid for reporting this issue.
Fixes: CVE-2022-32198
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
Handling of the string length condition in should_update
was broken, as evident with the log message
> leaving systemd-boot 246 in place (250.4 is not newer)
Discussion with @mweinelt came to the conclusion
that Python's "<" operator already does what we need,
so the should_update function can be dropped.
Fixes a30de3b849
Raw logs are stored in a versioned binary format and must be updated with
atopconvert(1) upon atop version updates.
Failure to do so results in atop.service startup failure as I found out
the hard way after the "atop: 2.6.0 -> 2.7.1"[0] bump:
```
May 31 01:49:25 <hostname> sh[2269709]: existing file /var/log/atop/atop_20220531 has incompatible header
May 31 01:49:25 <hostname> sh[2269709]: (created by version 2.6 - current version 2.7)
May 31 01:49:25 <hostname> systemd[1]: atop.service: Main process exited, code=exited, status=7/NOTRUNNING
```
Convert logs in `ExecStartPre` and replace them iff updated.
This is to avoid changing original modification times upon every service
start and thus work against atop's log rotation (see existing
`ExecStartPre`).
0: https://github.com/NixOS/nixpkgs/pull/175180#issuecomment-1141546487
systemd-247 provides a mechanism called LoadCredential for secrets, and
it is better than an environment file. See the section on Environment=
in the systemd.exec manual for more information.
Some options in config.yaml need values to be strings, which currently
can be used with environmentFile but not loadCredential. But it's
possible to use loadCredential for those options, e.g. we can
substitute their values in ExecStart, but not in ExecStartPre due to
[1].
[1]: https://github.com/systemd/systemd/issues/19604
Prior to this patch:
```
$ nix-instantiate --eval -E '
> with import ./. {
> localSystem.config = "aarch64-unknown-linux-musl";
> };
> (nixos {}).config.nixpkgs.localSystem.config
> '
"aarch64-unknown-linux-gnu"
```
Because only the system triple was being passed through, the Musl part
of the system specification was lost. This patch fixes various
occurrences of NixOS evaluation when a Nixpkgs evaluation is already
available, to pass through the full elaborated system attribute set,
to avoid this loss of precision.
Since 4ddc78818e, systemd-boot-builder
is broken in two ways:
* if no systemd-boot is currently installed *and* the NIXOS_INSTALL_BOOTLOADER
env variable is not set, it will try to run "bootctl update", which will fail
* if the currently installed systemd-boot version is newer than the version
we're about to install, it will also try to run "bootctl update", which will fail
This patch changes the behaviour,
* for the first case to still fail, but not even bother to try running
"bootctl update" and instead erroring out with an exception
* for the second case to leave the newer version in place, restoring
the pre-4ddc78818e behaviour
To do the proper version check a new "should_update" helper function was introduced,
mimicking the compare_product C function from bootctl. If the following systemd
issue gets resolved, we would have a nice way to get rid of this function:
> https://github.com/systemd/systemd/issues/23450
This change allows to again switch to a different NixOS configuration which contains
an older systemd-boot.
Co-authored-by: Martin Weinelt <mweinelt@users.noreply.github.com>
- initialSystem was keeping track of the evaluating system
- it had been used by `nesting.children`
- since 20.09, `nesting.children` has been replaced with named
specializations
It appears that this option was left over and not cleaned up properly.
`extra-utils` composes the set of programs and libraries needed by
1. copying over all programs
2. copying over all libraries any program directly links against
3. setting the runtime path for every program to the library directory
It seems that this approach misses the case where a library itself links
against another library. That is to say, `extra-utils` assumes that
either only programs link against libraries or that every library linked
to by a library is already linked to by a program.
`mount.zfs` linking against `libcrypto`, in turn linking against `libdl`
shows how the current approach falls short:
```
$ objdump -p $(which mount.zfs) | grep NEEDED | grep -e libdl -e libcrypto
NEEDED libcrypto.so.1.1
$ ldd (which mount.zfs) | grep libdl
libdl.so.2 => /nix/store/ybkkrhdwdj227kr20vk8qnzqnmj7a06x-glibc-2.34-115/lib/libdl.so.2 (0x00007f9967a9a000
```
Using `mount.zfs` directly in stage 1 init still works since
`LD_LIBRARY_PATH` overrides this (as intended).
util-linux's `mount` however executes `mount.zfs` with LD_LIBRARY_PATH
removed from its environment as can be seen with strace(1) in an
interactive stage 1 init shell (`boot.shell_on_fail` kernel parameter):
```
# env -i LD_LIBRARY_PATH=$LD_LIBRARY_PATH $(which strace) -ff -e trace=/exec -v -qqq $(which mount) /mnt-root
execve("/nix/store/3gqbb3swgiy749fxd5a4k6kirkr2jr9n-extra-utils/bin/mount", ["/nix/store/3gqbb3swgiy749fxd5a4k"..., "/mnt-root"], ["LD_LIBRARY_PATH=/nix/store/3gqbb"...]) = 0
[pid 1026] execve("/sbin/mount.zfs", ["/sbin/mount.zfs", "<redacted>", "/mnt-root", "-o", "rw,zfsutil"], []) = 0
/sbin/mount.zfs: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1026, si_uid=0, si_status=127, si_utime=0, si_stime=0} ---
```
env(1) is used for clarity (hence subshells for absolute paths).
While `mount` uses the right library path, `mount.zfs` is stripped of
it, so ld.so(8) fails to resolve `libdl` (as required by `libcrypto`).
To fix this and not rely on `LD_LIBRARY_PATH` to be set, fix the library
path inside libraries as well.
This finally mounts all ZFS filesystems using `zfsutil` with correct and
intended mount options.
At least pkgs/os-specific/linux/util-linux/default.nix uses
```
"--enable-fs-paths-default=/run/wrappers/bin:/run/current-system/sw/bin:/sbin"
```
which does not cover stage 1 init's PATH as all executables are put
under /bin/.
Fix util-linux's `mount` usage by symlinking /sbin to it.
Consider ZFS filesystems meant to be mounted with zfs.mount(8), e.g.
```
config.fileSystems."/media".options = [ "zfsutil" ];
config.fileSystems."/nix".options = [ "zfsutil" ];
```
`zfsutil` uses dataset properties as mount options such that zfsprops(7)
do not have to be duplicated in fstab(5) entries or manual mount(8)
invocations.
Given the example configuration above, /media is correctly mounted with
`setuid=off` translated into `nosuid`:
```
$ zfs get -Ho value setuid /media
off
$ findmnt -t zfs -no options /media
rw,nosuid,nodev,noexec,noatime,xattr,posixacl
```
/nix however was mounted with default mount(8) options:
```
$ zfs get -Ho value setuid /nix
off
$ findmnt -t zfs -no options /nix
rw,relatime,xattr,noacl
```
This holds true for all other ZFS properties/mount options, including
`exec/[no]exec`, `devices/[no]dev`, `atime/[no]atime`, etc.
/nix is mounted using BusyBox's `mount` during stage 1 init while /media
is mounted later using proper systemd and/or util-linux's `mount`.
Tracing stage 1 init showed that BusyBox never tried to execute
mount.zfs(8) as intended by `zfsutil`.
Replacing it with util-linux's `mount` and adding the mount helper
showed attempts to execute mount.zfs(8).
Ensure ZFS filesystems are mounted with correct options iff `zfsutil` is
used.
Very confusingly, the `isPowerPC` predicate in
`lib/systems/inspect.nix` does *not* match `powerpc64le`!
This is because `isPowerPC` is defined as
```
isPowerPC = { cpu = cpuTypes.powerpc; };
```
Where `cpuTypes.powerpc` is:
```
{ bits = 32; significantByte = bigEndian; family = "power"; };
```
This means that the `isPowerPC` predicate actually only matches the
subset of machines marketed under this name which happen to be 32-bit
and running in big-endian mode, which is equivalent to:
```
with stdenv.hostPlatform; isPower && isBigEndian && is32bit
```
This seems like a sharp edge that people could easily cut themselves
on. In fact, that has already happened: in
`linux/kernel/common-config.nix` there is a test which will always
fail:
```
(stdenv.hostPlatform.isPowerPC && stdenv.hostPlatform.is64bit)
```
A more subtle case of the strict isPowerPC being used accidentally instead of
the more general isPower are the GHC expressions:
Update pkgs/development/compilers/ghc/8.10.7.nix
Update pkgs/development/compilers/ghc/8.8.4.nix
Update pkgs/development/compilers/ghc/9.2.2.nix
Update pkgs/development/compilers/ghc/9.0.2.nix
Update pkgs/development/compilers/ghc/head.nix
Since the remaining legitimate use sites of isPowerPC are so few, remove
the isPowerPC predicate completely. The alternative expression above is
noted in the release notes as an alternative.
Co-authored-by: sternenseemann <sternenseemann@systemli.org>
* origin/staging-next: (62 commits)
Re-Revert "lua: fix on darwin by using makeBinaryWrapper (#172749)"
openldap: fix cross-compilation
makeBinaryWrapper: fix codesign on aarch64-darwin
python3Packages.ldap: fix linking with openldap 2.5+
Revert "lua: fix on darwin by using makeBinaryWrapper (#172749)"
wine: enable parallel build again
pkgsi686Linux.gdb: fix formatting for 32-bit systems
gtk4: Fix incorrect merge
nixos/openldap: use upstream unit defaults
openldap: update maintainers
openldap: 2.4.58 -> 2.6.2
Revert "Add mingwW64-llvm cross-system."
lua: fix on darwin by using makeBinaryWrapper (#172749)
python310Packages.python-mimeparse: execute tests
pandas: fix darwin build
gtk3: 3.24.33 -> 3.24.33-2022-03-11
gtk4: patch fixing g-c-c crashes
e2fsprogs: patch for CVE-2022-1304
firefox-unwrapped: fix cross compilation
rustc: expose correct llvmPackages for cross compile
...
Otherwise, it wouldn't get restarted when a new system configuration
was activated, so the Postfix configuration wouldn't be updated.
Fixes: fb2fa1b50f ("nixos/postfix: pull setup into its own unit")
There is a comment above the invocation of 'nextcloud-occ app:enable', stating
that the script should not fail if any of the apps cannot be enabled, but there
is nothing in place to suppress errors. The app:enable command already
continues installing the remaining apps when one fails to install, and we do not
want to suppress errors in the setup script, so this just removes the comment
about not failing.