We are running over 6000 tests by now and they take around 5 minutes
on faster machines and tests alot of components that endusers will not
actually be using. It is sufficient if we run them on package upgrades
and in the passthrough test.
To make it easier to start and stop all GitLab services, introduce
`gitlab.target` which wants all services (meaning they will start with
it) and which all services are part of (meaning they will stop with
it).
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
A function is more appropriate for this use. See
http://mywiki.wooledge.org/BashFAQ/050 for reference.
Also, we don't need to run the service as root: since we essentially
run all commands as `services.postgresql.superUser` anyway, the whole
service can just run as that user instead.
Change the default SMTP port to `25`, to better match the default
address `localhost`. This gets rid of some error outputs in the test,
where it fails to connect to localhost:465.
Also, don't enable postfix by default unless it's actually useful to
us.
This removes all the subdirectories in `config` on start.
From one version of GitLab to the next, the files in the `config`
directory changes. Since we're only overwriting the existing files
with ones from the repo, cruft sometimes gets left behind,
occationally causing issues.
Ideally, all configuration put in the `config` directory is declared
by NixOS options and we could just remove the whole directory on
start, but I'm not sure if that's the case. It would also require a
little bit of additional rework and testing. The subdirectories,
however, should seldom contain user configuration and the ones that
frequently does, `initializers`, is already removed on start.
Without this patch merging options like
services.xserver.windowManager.xmonad.extraPackages
results in the evaluation error:
error: value is a list while a set was expected, at nixpkgs/lib/options.nix:77:23
With this patch we get the desired merging behaviour that just concatenates the
resulting package lists.
(cherry picked from commit 6e99f9fdec)
Co-Authored-By: Silvan Mosberger <contact@infinisil.com>
The `platform` field is pointless nesting: it's just stuff that happens
to be defined together, and that should be an implementation detail.
This instead makes `linux-kernel` and `gcc` top level fields in platform
configs. They join `rustc` there [all are optional], which was put there
and not in `platform` in anticipation of a change like this.
`linux-kernel.arch` in particular also becomes `linuxArch`, to match the
other `*Arch`es.
The next step after is this to combine the *specific* machines from
`lib.systems.platforms` with `lib.systems.examples`, keeping just the
"multiplatform" ones for defaulting.
Judging from `"${pkgs.element-web}/config.sample.json"`,
this needs be a URL starting with `https://`; without it one gets:
Your Element is misconfigured
Invalid base_url for m.homeserver
In the default configuration we have timers for creating and deleting
snapper snapshots, and it looks like if we just create configs with
correct mountpoints we will get automatic snapshots (which either
used to be true, or seems to be only true on Archlinux according to
their wiki). In default snapper configuration TIMELINE_CREATE and
TIMELINE_CLEANUP are set to "no", so just providing configs won't
be enough for having automatic backups, which are the main usecase
for snapper. In other linux distributions you would use `snapper
create-config` to generate configs for partitions and you'd have a
chance to notice that TIMELINE_CREATE is set to no. Also, my guess is
that it might be set to no by default for safety reasons in regular distros,
so that the config won't be actioned upon until the user finishes
customizing it.
Added JWT_SECRET and INTERNAL_TOKEN to be persistent, like SECRET_KEY and LFS_JWT_SECRET do. Also renamed some vars belonging to SECRET_KEY and LFS_JWT_SECRET to get a consistent naming scheme over all secrets.
The comment at the top of git-and-tools/default.nix said:
/* All git-relates tools live here, in a separate attribute set so that users
* can get a fast overview over what's available.
but unfortunately that hasn't actually held up in practice.
Git-related packages have continued to be added to the top level, or
into gitAndTools, or sometimes both, basically at random, so having
gitAndTools is just confusing. In fact, until I looked as part of
working on getting rid of gitAndTools, one program (ydiff) was
packaged twice independently, once in gitAndTools and once at the top
level (I fixed this in 98c3490196).
So I think it's for the best if we move away from gitAndTools, and
just put all the packages it previously contained at the top level.
I've implemented this here by just making gitAndTools an alias for the
top level -- this saves having loads of lines in aliases.nix. This
means that people can keep referring to gitAndTools in their
configuration, but it won't be allowed to be used within Nixpkgs, and
it won't be presented to new users by e.g. nix search.
The only other change here that I'm aware of is that
appendToName "minimal" is not longer called on the default git
package, because doing that would have necessitated having a private
gitBase variable like before. I think it makes more sense not to do
that anyway, and reserve the "minimal" suffix only for gitMinimal.
This patch:
* Removes an invalid/useless classpath element;
* Removes an unnecessary environment variable;
* Creates the required '/version-2' data subdirectory;
* Redirects audit logging to the "console" (systemd) by default.
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.
NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.
I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
This changes the default behavior which opened by default the firewall rules.
The users now need to declare explicitely they want to open the firewall.
This also fixes some various small limitations:
- Drop unnecessary quoting
- Drop duplicated gerbera interface definition
- Fix configuration indentation
In the sense that the pkgs dependency will be pulled if the service is
transcoding enabled. Otherwise, the transcoding part is completely dropped from
the generated configuration.
> WARNING: PID file creation will be removed in Sidekiq 6.0, see #4045.
Please use a proper process supervisor to start and manage your
services
Since NixOS uses a proper process supervisor AND does not use the PID
file anywhere, we can just drop it to be upwards compatible and fix that
warning.
This switches the unit to Restart=on-failure and switches the CPU policy
to fifo (the daemon tries to do that itself, but is denied permission).
Also add the package to $PATH to be able to use fs_cli easily.
nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd`
and `group`, but when moving this into the sss module in
edddc7c82a, it didn't get split
appropriately.
This reverts commits 9d0de0dc57,
27d2857a99. 'nix ping-store' is an
experimental command so it doesn't work in Nix 2.4 unless you set
'experimental-features = nix-command' in nix.conf.
Instead of making the configuration less portable by hard coding the number of
jobs equal to the cores we can also let nix set the same number at runtime.
This allows you to specify the system-wide flake registry. One use is
to pin 'nixpkgs' to the Nixpkgs version used to build the system:
nix.registry.nixpkgs.flake = nixpkgs;
where 'nixpkgs' is a flake input. This ensures that commands like
$ nix run nixpkgs#hello
pull in a minimum of additional store paths.
You can also use this to redirect flakes, e.g.
nix.registry.nixpkgs.to = {
type = "github";
owner = "my-org";
repo = "my-nixpkgs";
};
Running the manual on a TTY is useless in the graphical ISOs and not
particularly useful in non-graphical ISOs (since you can also run
'nixos-help').
Fixes#83157.
* Linkify all service options used in the code-examples.
* Demonstrated the use of `riot-web.override {}`.
* Moved the example how to configure a postgresql-database for
`matrix-synapse` to this document from the 20.03 release-notes.
The v7 series is very different.
This commit introduces the 3 packages: fahclient, fahcontrol and
fahviewer. It also rebuilds the NixOS module to map better with the new
client.
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
Default behavior is to continue executing the script even when one or
multiple steps fail. We want to abort early if any part of the
initialization fails to not run with a partially initialized state.
Default behavior also allows dereferencing non-existent variables,
potentially resulting in hard-to-find bugs.
On start, unicorn, sidekiq and other parts running ruby code emits
quite a few warnings similar to
/var/gitlab/state/config/application.rb:202: warning: already initialized constant Gitlab::Application::LOOSE_EE_APP_ASSETS
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/config/application.rb:202: warning: previous definition of LOOSE_EE_APP_ASSETS was here
/var/gitlab/state/lib/gitlab.rb:38: warning: already initialized constant Gitlab::COM_URL
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/lib/gitlab.rb:38: warning: previous definition of COM_URL was here
This seems to be caused by the same ruby files being evaluated
multiple times due to the paths being different - sometimes they're
loaded using the direct path and sometimes through a symlink, due to
our split between config and package data. To fix this, we make sure
that the offending files in the state directory always reference the
store path, regardless of that being the real file or a symlink.
This reverts commit 2ee14c34ed.
This caused the initializers directory to be cleaned out while gitlab
was running in some instances. We clean out the directory on the
preStart stage already, so ensuring existance and permissions should
suffice.
Bumps `matrix-synapse` to version 1.4.0[1]. With this version the
following changes in the matrix-synapse module were needed:
* Removed `trusted_third_party_id_servers`: option is marked as deprecated
and ignored by matrix-synapse[2].
* Added `account_threepid_delegates` options as replacement for 3rdparty
server features[3].
* Added `redaction_retention_period` option to configure how long
redacted options should be kept in the database.
* Added `ma27` as maintainer for `matrix-synapse`.
Co-Authored-By: Notkea <pacien@users.noreply.github.com>
Co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
[1] https://matrix.org/blog/2019/10/03/synapse-1-4-0-released
[2] https://github.com/matrix-org/synapse/pull/5875
[3] https://github.com/matrix-org/synapse/pull/5876
In fact, don't create them at all because Nix does that automatically.
Also remove modules/programs/shell.nix because everything it did is
now done automatically by Nix.
gitlab:db:configure prints the root user's password to stdout on
successful setup, which means it will be logged to the
journal. Silence this informational output. Errors are printed to
stderr and will thus still be let through.
The initializers directory is populated with files from the gitlab
distribution on start, but old files will be left in the state folder
even if they're removed from the distribution, which can lead to
startup failures. Fix this by always purging the directory on start
before populating it.
Since the preStart script is no longer running in privileged mode, we
reassign the files in the state directory and its config subdirectory
to the user we're running as. This is done by splitting the preStart
script into a privileged and an unprivileged part where the privileged
part does the reassignment.
Also, delete the database.yml symlink if it exists, since we want to
create a real file in its place.
Fixes#68696.
Since version 2.3 (https://github.com/NixOS/nix/pull/2949 which was
cherry-picked to master) Nix issues a warning when --no-net wasn't
passed and there is no network interface. This commit adds the --no-net
flag to the nix.conf check such that no warning is issued.
Make sure that we don't create a database if we're not going to
connect to it. Also, fix the assertion that usernames be equal to only
trig when peer authentication is used (databaseHost == "").
config.services.postgresql.package is only defined when the postgresql
service is activated, which means we fail to evaluate when
databaseCreateLocally == false. Fix this by using the default
postgresql package when the postgresql service is disabled.
The state path now, since the transition from initialization in
preStart to using systemd-tmpfiles, has the following restriction: no
parent directory can be owned by any other user than root or the user
specified in services.gitlab.user. This is a potentially breaking
change and the cause of the error isn't immediately obvious, so
document it both in the release notes and statePath description.
Adds the ability to make any parameter specified in extraConfig secret
by defining it an attrset containing the attr _secret, which in turn
is a path to a file containing the actual secret.
Use the postgresql module to provision a local db (if
databaseCreateLocally is true) instead of doing this locally.
Switch to using the local unix socket for db connections by default;
this is needed since dbs created by the postgresql module only support
peer authentication.
Instead of running the rake tasks db:schema:load, db:migrate and
db:seed_fu, run gitlab:db:configure, which in turn runs these tasks
when needed.
Solves issue #53852 for gitlab.
Add support for storing secrets in files outside the nix store, since
files in the nix store are world-readable and secrets therefore can't
be stored safely there.
The old string options are kept, since they can potentially be handy
for testing purposes, but their descriptions now state that they
shouldn't be used in production. The manual section is updated to use
the file options rather than the string options and the tests now test
both.
Since https://github.com/NixOS/nixpkgs/pull/61321, local-fs.target is
part of sysinit.target again, meaning units without
DefaultDependencies=no will automatically depend on it, and the manual
set dependencies can be dropped.
