Even if the tools that assemble /etc can handle leading slashes, this
still is not correct. For example, you could have both /X11 and X11 in
environment.etc which makes overriding hard.
With the update of systemd to v255, the repart tool switched to use 4K
sector sizes by default. This change sets the appliance-repart-image
test to use a sector size of 512B to fit in with the existing NixOS VM
test infrastructure using qemu disks with 512B sector sizes.
Borrowing from here to match hardened profile with more recent kernels:
* https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters
* https://github.com/a13xp0p0v/kernel-hardening-checker/
Removed "slub_debug" as that option disables kernel memory address
hashing. You also see a big warning about this in the dmesg:
"This system shows unhashed kernel memory addresses via the console, logs, and other interfaces."
"init_on_alloc=1" and "init_on_free=1" zeroes all SLAB and SLUB allocations. Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default for the Android Google kernel btw. It is on by default through the KConfig.
"slab_nomerge" prevents the merging of slab/slub caches. These are
effectively slab/slub pools.
"LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on
static address. It got superseeded by vdsos a decade ago. Read some
LWN.net to learn more ;)
"debugfs=off" I'm sure there are some few userspace programs that rely on
debugfs, but they shouldn't.
Most other things mentioned on the blog where already the default on a
running machine or may not be applicable.
Most other Kconfigs changes come from the kernel hardening checker and
were added, when they were not applied to the kernel already.
Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing.
This will gracefully shut down the service instead of resulting in errors like
this:
```
Jan 24 10:11:11 foo livebook[981676]: 10:11:11.922 [error] GenServer :disksup terminating
Jan 24 10:11:11 foo livebook[981676]: ** (stop) {:port_died, :normal}
Jan 24 10:11:11 foo livebook[981676]: Last message: {:EXIT, #Port<0.8>, :normal}
Jan 24 10:11:11 foo livebook[981676]: 10:11:11.922 [error] GenServer :memsup terminating
Jan 24 10:11:11 foo livebook[981676]: ** (stop) {:port_died, :normal}
```
The current build of livebook does not work with the new [Livebook
Teams](https://livebook.dev/teams/) features. The problem can be observed by
running the current version of livebook, adding a new team and going to the team
page. The process will crash and the team page will show a 500 error.
The base of the problem is that the escript build method is not officially
supported. This commit changes the livebook package to use the `mix release`
workflow, which is also the one used to build the official Docker container.
Unfortunately, the binary built with `mix release` does not support command line
arguments like the `escript` binary does. Instead, users need to pass in most of
the configuration as environment variables, as documented
[here](https://hexdocs.pm/livebook/readme.html#environment-variables). As a
result, this commit also changes the Livebook service to reflect this new way of
configuring Livebook.
Finally, the Livebook release configuration specifically excludes the
ERTS (Erlang Runtime System), which means that the resulting release cannot run
without Erlang installed.
I have tested the results (both of the package and the service) locally.
Since this is supposed to be a secret, use a file path as an input
instead of making it part of the expression, which would expose it in
the nix store.
There were several modules, critically including NetworkManager, which
were not prepared for this change. Most of the change was good,
however. Let's bring back the dependency and change the assertion to a
warning for now.
Adds a function to wait for a new QMP event with a model filter
so that you can expect specific type of events with specific payloads.
e.g. a guest-reset-induced shutdown event.
Plugin configuration is pesky in dovecot2, let's warn about potential conflicts
in the module system by using a fancy regex.
This is only band-aid, this should be removed ASAP.
We clean up also a 21.05-era warning.
doc: add figure definition to bespoke syntax reference
doc: add example definition to bespoke syntax reference
doc: add footnote definition to beskpoke syntax reference
The usage of footnotes in the manuals is not the one documented
in markdown-it-py: https://python-markdown.github.io/extensions/footnotes/
doc: add inline comment definition to beskpoke syntax reference
doc: add typographic replacements to beskpoke syntax reference
doc: Fix rendering of bespoke syntax reference
doc: remove references to DocBook in the NixOS manual
doc: add entry on lack of HTML support
doc: Minor improvement
doc: update typographic replacements entry in beskpoke syntax reference
doc: add link reference definitions to beskpoke syntax reference
doc: fix footnote definition in beskpoke syntax reference
doc: Minor improvements from code review
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
