and remove nano from environment.defaultPackages. In addition also cleanup the file in general.
This is a follow up to #220481
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
Adds an option to configure a custom WakeOnLan policy instead of the
hard-coded "magic" policy. To ensure compatibility with current
behavior, "magic" is kept as default.
When using e.g. `{ addr = "[::]"; port = 22; }` at `listenAddresses`,
the check fails because of an escaping issue[1] with
last 1 log lines:
> Invalid test mode specification -f
For full logs, run 'nix log /nix/store/c6pbpw5hjkjgipmarwyic9zyqr1xaix5-check-sshd-config.drv'
Using `lib.escapeShellArg` appears to solve the problem.
[1] https://github.com/NixOS/nixpkgs/pull/256090#issuecomment-1738063528
Solves https://github.com/NixOS/nixpkgs/issues/146603
CoreDNS has support for plugins that are added at compile time. This
exposes an argument `externalPlugins` that will build coredns with
the specified plugins.
Example:
```
coredns-fanout = pkgs.coredns.override {
externalPlugins = [
{name = "fanout"; repo = "github.com/networkservicemesh/fanout"; version = "v1.9.1";}
];
vendorHash = "<SRI hash>";
};
```
Prior to this commit the derivation assumed a user's primary group has
the same name as the user themselves. This is standard on linux but not
necessary (and indeed I believe not the default on NixOS).
Closes#232184
PR#256295 reintroduced ruleFile option, but set the default as a path
literal, which was a "string path" previously. This breaks evaluation
for being impure:
error: access to absolute path '/var/lib/usbguard/rules.conf' is forbidden in pure eval mode (use '--impure' to override)
To maintain backwards compatibility, this can't be changed in the Nix language.
We can however ensure that the version Nixpkgs has the more intuitive behavior.
Rather than using `priority` with `sortProperties`, a new option called
`order` defines the ordering of the sections. I.e.
order = [ "global" "uptime" "banner" ]
means that `uptime` comes before `banner`. Please note that `global` is
for global settings and not a section. I figured that it'd be too much
magic to hide this in the implementation and ask the user to specify the
order of _each_ section in `settings` instead.
OTOH this makes the intent way clearer than priorities. Also, this
remains opt-in, the option defaults to `attrNames cfg.settings`, i.e.
all sections ordered alphabetically.
The text was originally added [0] following an apparently incomplete
research on how everything plays together. In fact, Nix propagates
`outputs` to the corresponding nested derivations, and there is some
messy behavior in Nixpkgs that only seems to propagate
`meta.outputsToInstall` in `buildEnv`[1].
This change moves the hints on how to use NixOS specifics to NixOS
module documentation (which is hopefully easier to find through
search.nixos.org), describes the default behavior in Nixpkgs (updating
a the link to the source), and removes the confusing mention of
`nix-env`.
the last of them should not be there to begin with. we don't want
beginners to use `nix-env`, as this is known to run them into trouble
eventually.
[0]: https://github.com/NixOS/nixpkgs/pull/76794
[1]: 1774d07242/pkgs/build-support/buildenv/default.nix (L66)
Since garage 0.8.2, garage accepts environment variables for passing secrets,
e.g. `GARAGE_RPC_SECRET` or `GARAGE_ADMIN_TOKEN`. The added `environmentFile`
allows those secrets to not be present in the nix store.
Update wg-quick.nix such that a search for `WireGuard` in the `NixOS Options` section of search.nixos.org brings up the convenient `networking.wg-quick.interfaces.wg0.configFile` option.
While network.target only guarantees that network devices have been
created the `network-online.target` allows delaying service startup
until after a configurable network state has been reached.
This should resolve spurious failures, e.g. when synapse tries to load
the discovery information for its OIDC provider from a remote host.
Tanvir Ahmed T. reports that `services.xmr-stak.enable = true;` shows
that `23.05` ships broken `xmr-stak` module:
error: function 'anonymous lambda' called with unexpected argument 'cudaSupport'
I broke it when I removed `cudaSupport` flag in
a5ce71d4e8
I'm just removing the option without an attempt to supply the stub as
module was already broken on `23.05` release. There are probably no
users of `xmr-stak` module by now.
Closes: https://github.com/NixOS/nixpkgs/issues/256703
This is just a quick fix based on pname,
as I have no idea how to use slicing in the module
We should instead use slicing to get the package for the host
nix-prefetch-git is either run as part of a build, usually sandboxed,
or outside a build, unsandboxed, to prefetch something that will later
be used in a build. It's important that the latter use produces
hashes that can be reproduced by the former.
One way that they can differ is if the user's git config does
something that changes the result of git clone. I ran into this,
because my global git config automatically enables git-lfs, whereas
nix-prefetch-git otherwise only uses git-lfs if specifically
requested. This led to very confusing hash mismatches.
A couple notes:
---------------
Adding invalid `console=` parameters is not an issue. Any invalid
console is unused. The kernel will use the "rightmost" (last) valid
`console=` parameter as the default output. Thus the SBBR-mandated AMA0
on A1, and ttyS0 on x86_64 as documented by Oracle.
`nvme_core.shutdown_timeout=10` was added as it was written this way in
the A1 images. Unclear whether `nvme.shutdown_timeout=10` is wrong. At
worst this is a no-op.
This new option, networking.wireguard.interfaces.NAME.metric, allows
increasing the metric of the routes, effectively lowering priority.
(I'm using high metric to allow having the Wireguard interface always
up, even when the client machines are on their home network. Before I
had to stop the interface when home to avoid packet routing issues.)
Closes#234802
The problem here is that with e.g.
{
uptime.prefix = "Up";
banner.command = "hostname | figlet -f slant";
}
`banner` still appears before `uptime` in the final motd text because
Nix sorts attribute names alphabetically internally.
To work around this without breaking compatibility or losing the
property to override individual sections in other modules - e.g.
{
banner.color = mkForce "blue";
}
I decided to introduce an option `priority` here, similar to the
priority field for `nginx`[1] and with the same semantics (i.e. higher
value means lower priority).
Internally a bunch of env vars are generated, i.e. `env0` to `envN` for
`N` sections with each of them containing a declaration for the TOML,
i.e. `env0` contains `{ uptime.prefix = "Up"; }` and `env1` contains
`{ banner.command = "hostname | figlet -f slant"; }` if `uptime.priority`
is set to a value below 1000.
In this order, the declarations are concatenated together by `jq(1)`
which doesn't sort keys alphabetically which results in a JSON
representation with `uptime` before `banner`. This is finally piped to
`json2toml` which converts this into TOML for rust-motd.
[1] https://nixos.org/manual/nixos/unstable/options#opt-services.nginx.virtualHosts._name_.locations._name_.priority
While working on #192270, I noticed that only some wait_for_* helper
functions make the timeout configurable. I think we should be able to
customize it in all cases
While reviewing other changes related to synapse I rediscovered the
`lib.findFirst (...) (lib.last resources)` hack to find a listener
supporting the `client` resource. We decided to keep it that way for now
a while ago to avoid scope-creep on the RFC42 refactoring[1]. I wanted
to take care of that and forgot about it.
Anyways, I'm pretty sure that this is bogus: to register a user, you
need the `client` API and not a random listener which happens to be the
last one in the list. Also, you need something which serves the `client`
API to have the entire synapse<->messenger interaction working (whereas
`federation` is for synapse<->synapse).
So I decided to error out if no `client` listener is found. A listener
serving `client` can be defined in either the main synapse process or
one of its workers via `services.matrix-synapse.workers`[2].
However it's generally nicer to use assertions for that because then
it's possible to display multiple configuration errors at once and one
doesn't have to chase one `throw` after another. I decided to also error
out when using the result from `findFirst` though because module
assertions aren't thrown necessarily when you evaluate a single config
attribute, e.g. `config.environment.systemPackages` which depends on an
existing client listener because of `registerNewMatrixUser`[3].
While at it I realized that if `settings.instance_map` is wrongly
configured, e.g. by
settings.instance_map = mkForce {
/* no `main` in here */
}
an `attribute ... missing` error will be thrown while evaluating the
worker assertion.
[1] https://github.com/NixOS/nixpkgs/pull/158605#discussion_r815500487
[2] This also means that `registerNewMatrixUser` will still work if you
offload the entire `client` traffic to a worker.
[3] And getting a useful error message is way better for debugging in such a
case than `value is null while a set was expected`.
follow-up on 28b3156bc6 which broke
when tokenFile was left empty.
Making both options nullable also allows us to provide a more meaningful
error message when neither authentication method is configured.
This exposes the banner message option in GDM. Some computing
environments have compliance requirements which include displaying a
message to the user before logon.
Fixes#228141, which describes an issue where detaching Yubikey during the boot process
causes cryptsetup to write empty passphrase instead of the challenge-response salt stored
on the boot drive.
Duplicated sudo's testsuite for now, as its maintainer does not with
to collaborate on testing effors; see #253876.
Environment-related tests were removed, as sudo-rs does not support
`(NO)SETENV` yet; see memorysafety/sudo-rs#760
This is preferable even for regular `sudo`, but will ensure the check is useful
when using `sudo-rs` in the future.
Also, dropped antediluvian comment about the syntax check being disabled,
when it was clearly not commented out:
- introduced in 2007, commit 6d65f0ae03ae14f3e978d89959253d9a8f5e0ec1;
- reverted in 2014, commit e68a5b265a,
but without ammending the comments.
This solves an issue, where loading the nixos-unstable module in
nixos-stable using `disabledModules` and `imports` resulted in the
following Caddyfile:
```
<globalConfig>
<vhosts>
<extraConfig>
```
instead of
```
<globalConfig>
<extraConfig>
<vhosts>
```
This is important in cases where `cfg.extraConfig` contains so called
Caddyfile snippets.
See https://caddyserver.com/docs/caddyfile/concepts#structure
Co-authored-by: Lin Jian <me@linj.tech>
This should ensure systemd handles starting all services (main and
workers) in a single transaction, thus preserving unit orderings
defined through After= even when not restarting the target.
This commit makes the OpenSSH option `PermitRootLogin` available to be
configured by other NixOS modules when using the Google Cloud Engine
(GCE) NixOS image builder. Other options like `PasswordAuthentication`
were already configurable, so I think it makes sense to make `PermitRootLogin`
configurable as well is order to disable it completely, for example.
