When the user's home directory is created using `createHome` e.g.
```
users.users.alice = {
home = "/users/alice";
createHome = true;
};
```
The `/users` directory was created with the same permissions as `/users/alice`, `0700` by default.
The parent directory `/users` permissions results in `createHome` creating a home directory that is inaccessible to the user:
```
$ su alice
$ cd /user/alice
cd: permission denied: /users/alice
```
The underlying cause is `make_path($u->{home}, { mode => oct($u->{homeMode}) })` which sets, in the example above`, `/users` to `0700`. Instead it should be `0755` like other system directories `/var`, `/dev`, etc.
Many terminal packages don't cross compile, so the `terminfo`
NixOS module was not usable for nixos configurations that are
cross-compiled.
Terminfo files (AFAIK) are small files that contain data about
terminal capability, so they should never have any runtime
dependencies that would cause any executables or otherwise
incompatible outputs from the `buildPlatform` to leak into the
nixos config's closure.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
resolvconf.conf is a shell script and unlike resolv.conf, multiple
nameservers are specified by space separating them instead of adding
multiple lines.
Fixes: fc060cc3cb
The update-lingering activation script currently fails during rebuilds.
This happens when removing a user with linger enabled.
The call to loginctl disable-linger runs for the non-existent user.
This returns an error code which causes the failure.
To mitigate this, this PR removes any residual linger files.
These are files named for the user in /var/lib/systemd/linger.
A simple check for user existence determines whether to delete the file.
This happens before the call to disable-linger to avoid any errors.
Fixes#283769.
Nix has a suprising behavior where if the option `extra-foo` is set before `foo`, then setting `foo` overwrites the setting for `extra-foo`. This is reported as https://github.com/NixOS/nix/issues/9487, and will likely not be fixed any time soon.
This works around this issue by always putting `extra-*` settings after non-extra ones in the nixos-generated `/etc/nix.conf`.
Follow-up to #269551
Avoid creating a new instance of nixpkgs to access two variables.
`pkgs.pkgsi686Linux` was being accessed whenever the feature is being
used or not.
A second instance of nixpkgs is being created in
`nixos/modules/config/stub-ld.nix` and can be disabled by setting
`environment.ldso32 = null` or `environment.stub-ld.enable = false`.
Both combined fixes this error:
error: attribute 'i686-linux' missing
Portals are global so we can just link them globally.
There might, in theory, be some unexpected system-path contamination
(e.g. when a portal package installs its executables to `/bin`)
but I think the risk is relatively minor compared to the added complexity.
While at it, let’s point the environment variable to system-path.
That will allow changes to installed portals to apply without having to re-log in.
x-d-p only looks for portal definitions in one of two places:
- datadir (which we cannot install anything to, since Nix packages are immutable)
- when `XDG_DESKTOP_PORTAL_DIR` environment variable is set, the path specified therein
(meant for tests, disables looking for portal configuration anywhere else)
Let’s introduce our own `NIX_XDG_DESKTOP_PORTAL_DIR` environment variable
that will only control the portal definitions lookup.
We will not use it for searching for configuration
because it would require looking in the parent directory
and `XDG_CONFIG_DIRS` variable is sufficient for us.
After 4b128008c5 it took me a while in a
test setup to find out why `root` didn't have the password anymore I
declared in my config.
Because of that I got reminded how the order of preference works for the
password options:
hashedPassword > password > hashedPasswordFile
If the user is new, initialPassword & initialHashedPassword are also
relevant. Also, the override is silent in contrast to any other
conflicting definition in NixOS.
To make this less surprising I decided to warn in such a case -
assertions would probably break too much that technically works as
intended.
Also removed the `initialHashedPassword` for `root`. This would cause a
warning whenever you set something in your own config and a `!` is added
automatically by `users-groups.pl`.
`systemd-sysusers` also seems to implement these precedence rules, so
having the warning for that case also seems useful.
- Use `options = {` instead of repeating `options` for every option
- Change the description of "net.core.rmem_max" slightly to match the kernel documentation
This replaces the krb5 module's options with RFC 42-style krb5.settings
option, while greatly simplifying the code and fixing a few bugs,
namely:
- #243068 krb5: Configuration silently gets ignored when set by
multiple modules
- not being able to use mkIf etc. inside subattributes of
krb5.libdefaults, e.g. krb5.libdefaults.default_realm = mkIf ...
See #144575.
Closes#243068.
Co-authored-by: h7x4 <h7x4@nani.wtf>
we previously defined a custom type for `boot.kernel.sysctl."net.core.rmem_max"`
to resolve to the highest value set. this patch adds the same behavior to
`"net.core.wmem_max"`.
as this changes the type from a string to an integer, which is a breaking
change this patch also includes a release note and updates the transmission
module to use a number for `wmem_max`.
If we include users with unset groups, we get this very confusing
message, with invalid Nix code:
- The following users have a primary group that is undefined: qyliss
Hint: Add this to your NixOS configuration:
users.groups. = {};
We don't need to include such users in this check, since they'll be
caught anyway by this one:
- users.users.qyliss.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.qyliss.group = "qyliss";
users.groups.qyliss = {};
