The initial version of `rocmOverrideGfx` incorrectly used `lib.mkIf`
in an attempt to prevent interference with previous uses of
`environmentVariables.HSA_OVERRIDE_GFX_VERSION`.
However, the effect was actually to simply erase existing definitions of
`HSA_OVERRIDE_GFX_VERSION` until `rocmOverrideGfx` was set,
which was the situation I was trying to avoid in the first place.
This fixes the bug by switching from `lib.mkIf` to `lib.optionalAttrs`.
This commit switches gitaly's git package from `pkgs.git` to the bundled
`git` package in order to maintain compatibility with the supported git
release by gitaly.
The ollama module in its default configuration relies on systemd's
`DynamicUser=` feature for user allocation. In #305076 that allocation
was made conditional and tied to the `sandboxing` option, that was
intended to fix access to model directories outside the allocated state
directory.
However, by disabling sandboxing ollama would inadvertently run as root,
given that `User=` and `Group=` are not required to be set.
The correct way to grant access to other paths is to allocate static
user and group, and grant permissions to the destination path to that
allocation.
We therefore replace the sandboxing option user and group options, that
default to `null`, which means they default to `DynamicUser=`, but can
be replaced with a statically allocated user/group, and thereby a stable
uid/gid.
Fixes: 552eb759 ("nixos/ollama: add options to bypass sandboxing")
Quoting from upstream's documentation [1]:
> Basically everyone recommends not doing this. Please use [a webserver]
> to handle media file serving.
Given that this commit broke the module for unrelated reasons, I've
decided to just revert it and let downstream users make the choice of
easy vs. secure.
[1]: https://docs.tandoor.dev/system/configuration/#gunicorn-media
This reverts commit e8c56de827.
...not pythonPackage. This is an app, living in pkgs/servers, so
we just use callPackage in all-packages and drop the python module.
python3.pkgs.toPythonModule could be used if a python module was needed.
Before that change legacyPackages.x86_64-linux.python311.pkgs.etebase-server.python
would give a python 3.12 release, and was therefore broken.
etebase-server = toPythonModule (pkgs.etebase-server.override {
python3 = python;
});
would now be correct
dictd doesn't handle SIGTERM and terminates with code 143 (128 + 15
(SIGTERM) instead of 0. This results in systemd marking the service as
failed when a user stops it (with `systemctl stop dictd`). Fix it by
treating code 143 as success.
There are several GPUs that ROCm doesn't officially support but
will work correctly if ROCm is directed to treat the GPU as a different
one that is supported and has a similar architecture.
This can be done by setting `HSA_OVERRIDE_GFX_VERSION`.
Ollama has documentation on this topic: https://github.com/ollama/ollama/blob/main/docs/gpu.md#amd-radeon
Verify that all `href` attributes emitted as part of the entrypoint page
after logging in are reachable.
Co-authored-by: Bruno BELANYI <bruno@belanyi.fr>
- rename hardware.opengl to hardware.graphics
- remove hardware.opengl.driSupport, which does nothing
- remove hardware.opengl.setLdLibraryPath, which should never be done
- rename hardware.opengl.driSupport32Bit to hardware.graphics.enable32Bit
- lost of small docs / formatting cleanups
This was meant to make amazon-ssm-agent work "out of the box" on non-NixOS
systems but the feature never really worked.
The problem is that amazon-ssm-agent looks for the files "amazon-ssm-agent.json"
and "seelog.xml" but the files in the package are named
"amazon-ssm-agent.json.template" and "seelog.xml.template". So even with
this overrideEtc = true it would not be able to find the config.
E.g. you'd get an error like
Error occurred fetching the seelog config file path: open /nix/store/pyfxjr0i0hszcj9b6fqly6344zf9zhcb-amazon-ssm-agent-3.3.484.0/etc/amazon/ssm/seelog.xml: no such file or directory
on startup.
Removing this parameter from the from the package doesn't break things as it didn't work in the first place.
This is not a breaking change. Existing setups continue to work as-is.
Users of `cfg.mailerPasswordFile` will get an option rename/deprecation
warning, but that's it (assuming there is no regression).
This adds `cfg.secrets`, which is a wrapper over systemd's
`LoadCredential=` leveraging Forgejo's `environment-to-ini`.
`environment-to-ini` is intended for configuring Forgejo in OCI
containers.
It requires some fairly annoying escaping of the section names to fit
into the allowed environment variable charset.
E.g. `"log.console".COLORIZE = false` becomes
`FORGEJO__LOG_0x2E_CONSOLE__COLORIZE=false`.
- `.` needs to be replaced with `_0X2E_` and
- `-` needs to be replaced with `_0X2D_`
Those are simply the hex representation of each char from an ASCII
table:
. = ASCII 46 = 46 (decimal) = 2E (hex) = 0x2E = _OX2E_
To make interacting with `environment-to-ini` less annoying, we template
and escape the sections/keys in nix:
`cfg.secrets` takes the same free-form sections/keys as `cfg.settings`.
Meaning there is now a generalized abstraction for all keys, not just
those that have been manually implemented in the past.
It goes as far as theoretically allowing one to have `DEFAULT.APP_NAME`
read from a secret file.
I don't know why one would want to do that, but it has been made
possible by this :^)
More reasonable examples are listed in the `cfg.secrets` option example.
We also continue to bootstrap a handful of secrets like
`security.SECRET_KEY`. This is done is a sort of sidecar bootstrap unit
fittingly called `forgejo-secrets.service`.
Overriding those is, just like before, not really intended and requires
the use of `lib.mkForce` and might lead to breakage. But it is, in a
way, more possible than before.
When services.gollum.{user,group} was specified a value other than its
default (i.e. "gollum"), the build failed due to referencing a
non-existing user.
Also updates my information and contact info.
I no longer use The Hedgehog as my github username or online presence
username, so this fixes that. It also matches my github username, so it
should be easier for others to mention me if needed.
With the changes introduced in #303388 tesseract would only be compiled
with the languages defined in `PAPERLESS_OCR_LANGUAGE`. However, english
is always required, making tesseract fail to build when only non-english
languages are defined in tesseract:
```
eng.traineddata must be present in tessdata for Tesseract to work
```
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
This option resolves#301746 by allowing the admin to bypass the
creation of the paperless directories by systemd-tmpfiles.
This is necessary when, for example, those directories lie inside an NFS
mount that the root user does not have rw access to.
Fixes#301746
This replaces the paperless-copy-password service with the use of
systemd's LoadCredential mechanism.
It is not a breaking change since it is gated behind `cfg.passwordFile`.
This commit adds an option to configure the amount of threads to use
with sidekiq-cluster. The GitLab default is currently set to 20 threads. In
space constrained environments this may become a problem with running
out of memory as a result.
Hard coding the name to `libreddit` makes it impossible to use
this module to run `redlib` (a continued fork of `libreddit`).
As `libreddit` has the `mainProgram` meta attribute set, changing
this to `lib.getExe` should not change the module for `libreddit`,
but allows it to work with the `redlib` package.
The main idea behind that was to be able to do more sophisticated
merging for stuff that goes into `postgresql.conf`:
`shared_preload_libraries` is a comma-separated list in a `types.str`
and thus not mergeable. With this change, the option accepts both a
comma-separated string xor a list of strings.
This can be implemented rather quick using `coercedTo` +
freeform modules. The interface still behaves equally, but it allows to
merge declarations for this option together.
One side-effect was that I had to change the `attrsOf (oneOf ...)` part into
a submodule to allow declaring options for certain things. While at it,
I decided to move `log_line_prefix` and `port` into this structure as
well.
The commands for writing the database password string into the final
configuration file are ran in any case, even if it's not needed. Make
that conditional on if a password file is set.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
This is shamelessly stolen from Photoprism's module, and should allow
executing the manage script without resorting to various tricks due to
relying on transient users.
paperless-web-start[658743]: kombu.exceptions.OperationalError: [Errno 24] Too many open files: '/nix/store/k6h0pihpi3ih31zjk6ragqcp4mjz4pjs-python3.11-concurrent-log-handler-0.9.24/lib/python3.11/site-packages/concurrent_log_handler-0.9.24.dist-info/entry_points.txt'
