This adds migration instructions for the removed global shared instance
configuration of fcgiwrap.
Adding those explicit messages to the previous options requires moving
the newly defined options from `services.fcgiwrap.*` to
`services.fcgiwrap.instances.*` due to an option namespace clash.
`mkRenamedOptionModule` was not used because the previous options do
not directly map to the new ones. In particular, `user` and `group`
were described as setting the socket's permission, but were actually
setting the process' running user.
Co-authored-by: Minijackson <minijackson@riseup.net>
The initial version of `rocmOverrideGfx` incorrectly used `lib.mkIf`
in an attempt to prevent interference with previous uses of
`environmentVariables.HSA_OVERRIDE_GFX_VERSION`.
However, the effect was actually to simply erase existing definitions of
`HSA_OVERRIDE_GFX_VERSION` until `rocmOverrideGfx` was set,
which was the situation I was trying to avoid in the first place.
This fixes the bug by switching from `lib.mkIf` to `lib.optionalAttrs`.
This commit switches gitaly's git package from `pkgs.git` to the bundled
`git` package in order to maintain compatibility with the supported git
release by gitaly.
The ollama module in its default configuration relies on systemd's
`DynamicUser=` feature for user allocation. In #305076 that allocation
was made conditional and tied to the `sandboxing` option, that was
intended to fix access to model directories outside the allocated state
directory.
However, by disabling sandboxing ollama would inadvertently run as root,
given that `User=` and `Group=` are not required to be set.
The correct way to grant access to other paths is to allocate static
user and group, and grant permissions to the destination path to that
allocation.
We therefore replace the sandboxing option user and group options, that
default to `null`, which means they default to `DynamicUser=`, but can
be replaced with a statically allocated user/group, and thereby a stable
uid/gid.
Fixes: 552eb759 ("nixos/ollama: add options to bypass sandboxing")
Quoting from upstream's documentation [1]:
> Basically everyone recommends not doing this. Please use [a webserver]
> to handle media file serving.
Given that this commit broke the module for unrelated reasons, I've
decided to just revert it and let downstream users make the choice of
easy vs. secure.
[1]: https://docs.tandoor.dev/system/configuration/#gunicorn-media
This reverts commit e8c56de827.
