Using escapeShellArg does not make sense here because (a) it turned the
list into a string, so the entire service failed and (b) because systemd
does not use the same escaping mechanism as bash.
The clientCertAuth option must be mapped to the etcd environment
variable ETCD_CLIENT_CERT_AUTH and the peerClientCertAuth option to
ETCD_PEER_CLIENT_CERT_AUTH.
Signed-off-by: Maximilian Nitsch <maximilian.nitsch@d3tn.com>
Part of #229910.
Unfortunately this is a little hacky because upstream doesn't intend to
support it for 2.5, but only for 3.0 which isn't out yet, however nodejs-16
will get out of maintenance during the support-span of NixOS 23.05[1].
The only breaking change is that `extract-files` uses a deprecated way
of exposing modules, I went through the list of other breaking
changes in v17 and v18[2][3] and couldn't spot any usage of removed
features, also local testing didn't reveal further issues.
Unfortunately fixing that breakage turned out to be non-trivial.
Currently, `extract-files@9.0.0` is used with the problematic portions
in its `package.json`, however it's only a transitive dependency of
`@graphql-tools/url-loader` & `apollo-upload-client`. Unfortunately, the
versions of that in use require v9 and don't work with a newer version of
`extract-files` with the problem fixed[4]. Also, upgrading the
dependencies in question is not a feasible option because `graphql-tools`
was split up into multiple smaller packages in v8 and also some of the
APIs in use in `wiki.js` were dropped there[5], so this would also be
very time-consuming and non-trivial to fix.
Since this was the only issue, I decided to go down the hacky route and
patch the problem in `package.json` of `extract-files` manually during
our `patchPhase`.
[1] https://github.com/requarks/wiki/discussions/6388
[2] https://nodejs.org/en/blog/release/v17.0.0
[3] https://nodejs.org/en/blog/release/v18.0.0
[4] Upon local testing, this broke with the following error:
Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Package subpath './public/extractFiles' is not defined by "exports" in /wiki/node_modules/extract-files/package.json
[5] For instance `SchemaDirectiveVisitor` in
`server/graph/directives/auth`.
Currently systemd-ask-passwd times out after 1m30s. After 3 tries this
causees systemd to enter the emergency shell and basically lead to an
unbootable system requiring a reboot to be able to try to unlock again.
Also if a pool is imported but not unlocked, the unlock step will no
longer be skipped.
Enable using an erofs filesystem as one of the filesystems needed to
boot the system. This is useful for example in image based deployments
where the Nix store is mounted read only.
[erofs](https://docs.kernel.org/filesystems/erofs.html) offers multiple
benefits over older filesystems like squashfs. Skip fsck.erofs because
it is still experimental.
Calling `eval-config.nix` without a `system` from a Nix flake fails with
`error: attribute 'currentSystem' missing` since #230523. Setting
`system = null` removes the use of `currentSystem` and instead uses the
value from the `nixpkgs` module.
Note that this does not add to the `forbiddenDependenciesRegex`
code because that code check should be unaffected as it only checks
output dependencies, not build dependencies.
Build deps are added after that check, if those are enabled in the
first place.
https://github.com/ipfs/kubo/releases/tag/v0.20.0
When creating a repository with `ipfs init`, `--empty-repo=true` is now the default according to the changelog. Modify the NixOS module to reflect this change and fix the `emptyRepo` setting to work with this change.
This is copied from isoImage.squashfsCompression. It's useful to be
able to customise, as iteration cycles are very slow with xz, and
subjectively systems booted with less efficiently compressed squashfs
stores appear to have faster reads (although I didn't test that
scientificly so there could be other factors).
Store the definition files in the initrd instead of reading them from
the Nix store in /sysroot.
This way, the initrd has to be re-generated every time the definition
files change. When the path to the defintion files instead of the
definition files themselves are embedded in the initrd, however, the
initrd also has to be re-generated every time. In this regard, this
change does not improve the status quo.
However, now systemd-repart also works reliable when the Nix store is
mounted separately from the root partition.
This change also enables new use-cases like creating partitions
necessary to boot the system. However, by default, the root partition
cannot be created on first boot because the systemd-repart service
requires a /sysroot to be mounted. Otherwise, systemd-repart cannot
determine the device to operate on.
Since v253, systemd-repart tries to create temporary directories in
/var/tmp. However, this directory doesn't exist in the initrd. This
commit adds an enviroment variable to re-use the existing /tmp directory
instead of /var/tmp.
Previously, we hardcoded a 60 second timer to stop netdata if we didn't have any answer back.
This is wrong and can cause data loss because the SIGTERM sent by systemd can sometimes be not honored.
Which in turn becomes a SIGKILL, causing potential data loss / corruption.
Offer a flag to users and bump the deadline to 2 minutes.
Because llvmPackages_latest is used in Nixpkgs, by quite a few
packages, it's difficult to keep it up to date, because updating it
requires some level of confidence that every package that uses it is
going to keep working after the update. The result of this is that
llvmPackages_latest is not updated, and so we end up in the situation
that "latest" is two versions older than the latest version we
actually provide. This is confusing and unexpected.
"But won't this end up fragmenting our LLVM versions, if every package
previously using _latest is separately pinned to LLVM 14?", I hear you
ask. No. That fragmentation is already happening, even with an
llvmPackages_latest, because packages that actually require the
_latest_ version of LLVM (15/16), have already been decoupled from
llvmPackages_latest since it hasn't been upgraded. So like it or not,
we can't escape packages depending on specific recent LLVMs. The only
real fix is to get better at keeping the default LLVM up to
date (which I'm reasonably confident we're getting into a better
position to be feasibly better able to do).
So, unless we want to double down on providing a confusingly named
"llvmPackages_latest" attribute that refers to some arbitrary LLVM
version that's probably not the latest one (or even the latest one
available in Nixpkgs), we only have two options here: either we don't
provide such an attribute at all, or we don't use it in Nixpkgs so we
don't become scared to bump it as soon as we have a new LLVM available.
Context summary:
'vma create' can't otherwise write to tmpfs such as /dev/shm.
This is important when used from non-nixos machines which may
have /build as tmpfs.
VMA is Proxmox's virtual machine image format that wraps QEMU images,
augmenting these with proxmox-specific configuration file.
proxmox-image.nix uses the VMA tool to create vma image files.
The VMA tool exists as a patchset ontop of QEMU.
VMA writes its output with open() and O_DIRECT flag.
O_DIRECT does not work on Linux tmpfs [1]. Thus:
$ vma create ~/output.vma ... # works, assuming home isn't tmpfs.
$ vma create /dev/shm/output.vma ... # fails since /dev/shm is tmpfs
Failure results in assert(*errp == NULL).
O_DIRECT is a cache performance hint.
But it currently blocks our usage of nixos-generate -f proxmox from
Non-NixOS hosts and Docker.
The patch here simply removes O_DIRECT:
vma-writer.c later performs memalign due to O_DIRECT, but this is
safe to do with or without O_DIRECT.
Ideally, this should be fixed in upstream Proxmox: Perhaps by falling
back to open without O_DIRECT.
Another attempt to fix this SIGABRT is [2], which writes the vma file
directory to $out/ folder -- however that may still be tmpfs mounted
which it is in our case.
[1] https://lore.kernel.org/lkml/45A29EC2.8020502@tmr.com/t/
[2] https://github.com/NixOS/nixpkgs/pull/224282
