Using __del__ is somewhat unsound resource cleanup in our clase the
logger already closed its logfile and therefor fails with exception
before the rest of the resources can be cleaned up.
Before this change, the hash of the etc metadata image was included in
the mount unit that's responsible for mounting this metadata image in the
initrd.
And because this metadata image changes with every change to the etc
contents, the initrd would be rebuild every time as well.
This can lead to a lot of rebuilds (especially when revision info is
included in /etc/os-release) and all these initrd archives use up a lot of
space on the ESP.
With this change, we instead include a symlink to the metadata image in the
top-level directory, in the same way as we already do for things like init and
prepare-root, and we deduce the store path from the init= kernel parameter,
in the same way as we already do to find the path to init and prepare-root.
Doing so avoids rebuilding the initrd all the time.
See notice in the README:
https://github.com/neoclide/coc-python
> WARNING: it's recommended to use coc-pyright if
> you're using python3 or use coc-jedi if you're using jedi,
> the code of coc-python is too hard to maintain!
If that isn't convincing, the repo was archived on 2020-12-24.
Part of #229475
The URL scheme for downloading plugins has changed a long time ago and
the used URL is dead. Gerrit only throws an error since it can't load
the plugin but it continues to boot. However, instead of maintaining
URLs to 3rdparty plugins, which end up dead anyway, just drop it. The
test should cover Gerrit and not 3rd party plugins.
Also, while on it, drop the setting `plugins.allowRemoteAdmin = true`
since it's not needed.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
🎉
This package has been deprecated and unmaintained upstream for almost a
decade, has required extensive patching to keep working on new Python
versions, will inevitably break again with Python 3.13 dropping 2to3,
is lacking a maintainer in Nixpkgs, is now unused in the tree, and
has caused us all far too many headaches lately. Let’s put an end
to this!
Shout‐outs to mweinelt and jchv for dealing with this situation
early on, pyrox0, Sigmanificient, and dotlambda for tackling a bunch
of packages, and natsukium for help with reviews. I never thought this
would get finished so quickly. We’ve collectively handled almost
1½ packages per day in the three months since I first opened the
tracking issue, and sometimes helped move the entire ecosystem forward.
Closes: #326513
In order to emulate the `nixos-rebuild switch` that is called if the EC2
user data is a nix expression, run the switch-to-configuration script
for the current running config.
Group only needs limited access, while other users don't need access at
all. So set the UMask to 027.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
It was breaking knot-dns.tests.knot
New knotd uses fchown to cover cases where user changes during startup.
In typical Linux cases the user is kept the same and there are
capabilities instead, but the syscall still happens and got caught here.
systemd requires paths in `ReadWritePaths=` to exist before setting up
the service sandbox, so dhcpcd should be ordered after resolvconf.
Making resolvconf a oneshot service ensure `After=resolvconf.service`
works correctly.
We cannot use `mkRenamedOptionModule` or `mkRemovedOptionModule` inside
a freeform option. Thus we have to manually assert these deprecated
options aren't used rather than aliasing them to their replacement.
This updates the ipu6 driver and firmware to a more recent version,
which seems to at least work in Chrom{e,ium}.
ipu6-drivers now relies on the in-kernel ipu6 kernel driver, so we
update our logic and metadata for it.
Tests were not changed according to the new prometheus firewall port
settings.
With this change we now check that the port is not accessible form the
outside, while everything still works from localhost.
This allows settings multiple scripts in `.custom.start` and
`.custom.end`, as Gamemode reads them back out into a list.
This is slightly annoying, as *any* duplicate keys will appear multiple
times, while gamemode will only accept the last one for most keys
(clobbering previous ones). Ideally, it would be possible to only enable
`listsAsDuplicateKeys` for scripts, but this does not seem to be
possible in `pkgs.formats.ini`.
When installing NixOS on a machine with Windows, the "easiest" solution
to dual-boot is re-using the existing EFI System Partition (ESP), which
allows systemd-boot to detect Windows automatically.
However, if there are multiple ESPs, maybe even on multiple disks,
systemd-boot is unable to detect the other OSes, and you either have to
use Grub and os-prober, or do a tedious manual configuration as
described in the wiki:
https://wiki.nixos.org/w/index.php?title=Dual_Booting_NixOS_and_Windows&redirect=no#EFI_with_multiple_disks
This commit automates and documents this properly so only a single line
like
boot.loader.systemd-boot.windows."10".efiDeviceHandle = "HD0c2";
is required.
In the future, we might want to try automatically detecting this
during installation, but finding the correct device handle while the
kernel is running is tricky.
Previously, setting listsAsDuplicateKeys or listToValue would make it so
merging these treat all values as lists, by coercing non-lists via
lib.singleton. Some programs (such as gamemode; see #345121), allow some
values to be repeated but not others, which can lead to unexpected
behavior when non-list values are merged like this rather than throwing
an error.
This now makes that behavior opt-in via the mergeAsList option. Setting
mergeAsList (to either true or false) without setting either
listsAsDuplicateKeys or listToValue is an error, since lists are
meaningless in this case.
Currently if a timezone was selected explicitly, the service will
silently override the value, essentially ignoring what is meant to be a
a deliberate choice of option. This may cause confusion as to why the
option is not doing anything when this service is enabled, particularly
in more complex set-ups after some time.
This will simply make the choice deliberate from the user's part, either
by having to remove the option or lowering its priority as a recognition
that it may be ignored.
This change was inspired by the `services.tzupdate` module, which does
the same.
[1]: <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/tzupdate.nix#L24>
Add a pre v2 copy of deno as deno_1 to provide some stability until our next
release and until 1.46 is fully abandoned soon.
deno_1 is expected to be removed prior to 24.11.
Added a release note.
Updates deno to v2.
Slight refactor of fetcher code for grabbing librusty_v8.
Updated the update scripts to use new Deno v2 interfaces and pull latest
toml dependency from jsr rather than the deno.land registry.
Added release note.
These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Some users would like to customize it.
Also, in current versions of fedimint p2p port in the URL
must be set, due to some bug, so update the example value
to reflect that.
- use upstream service and scripts
- switch to integrated-vtysh-config, abandon per-daemon config
- use always daemon names in options (e.g. ospf -> ospfd)
- zebra, mgmtd and staticd are always enabled
- abandon vtyListenAddress, vtyListenPort options; use
just "extraOptions" or "options" instead, respectively
- extend test to test staticd
- update release-notes
- pkgs.servers.frr: fix sbindir and remove FHS PATH
- introduce services.frr.openFilesLimit option
There's no point for the intermediate `getPath` function calling
`getLuaPath` with the "lua" argument.
There's also no other nginx test this copies code from.
We always call `getLuaPath` with "lua", so constant-propagate it in.
Also, camel-case `lualibs` to `luaLibs.`
Currently if a timezone was selected explicitly, the service will
silently override the value, essentially ignoring what is meant to be a
a deliberate choice of option. This may cause confusion as to why the
option is not doing anything when this service is enabled, particularly
in more complex set-ups after some time.
This will simply make the choice deliberate from the user's part, either
by having to remove the option or lowering its priority as a recognition
that it may be ignored.
This change was inspired by the `services.tzupdate` module, which does
the same.
[1]: <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/tzupdate.nix#L24>
Fixes CVE-2024-47176 and CVE-2024-47850. NixOS is not affected by these security issues by
default because we do not ship the default configuration file so it fallbacks to `BrowseRemoteProtocols dnssd`.
631/udp is removed from the open firewall ports, it was by the CUPS
browsing protocol.
Deprecate (buildPythonPackage { ... }).override for Python packages in
favour of overridePythonAttrs.
This change does not affect the override interface of most Python
packages, as the override interface is provided by callPackage and
shadows the locally defined override attribute.
systemd 256 supports network.wireguard.* credentials (https://github.com/systemd/systemd/pull/30826).
Check whether PrivateKey / PresharedKey starts with an @, if so it is a credential.
Add postStart code that waits until Scrutiny has opened its port. This
fixes a race condition against scrutiny-collector, which can start (and
fail) before scrutiny is ready.
When 757a455dde refactored the zones to go
from a list to a map, this broke the tests/common/resolver helper.
reproduction:
```
let
pkgs = import <nixpkgs> {};
testConfig = {
name = "resolver-repro";
nodes = {
acme = { nodes, ... }: {
imports = [ (pkgs.path + /nixos/tests/common/acme/server) ];
};
};
testScript = ''
'';
};
in pkgs.nixosTest testConfig
```
These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.
In my tests, Redmine only bound to an IPv4 address and Unix socket,
which is why I restricted the address families to these both.
The command `systemd-analyze security redmine.service` reports an
overall exposure level of 2.9 with this patch.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
The test currently fails because we attempt to switch to a NixOS
configuration that is _very_ different from the one we are switching
from (e.g. the new configuration has an entirely empty /etc/fstab,
causing switch-to-configuration to want to start unmounting all
filesystems defined in the old configuration).
previously if you set the "user" option and did not create a group
account with the same name the module would create a service that would
fail to start.
with this change:
- the module is more explicit about this behaviour
- you can configure the group directly, so that you're not forced to a
particular user/group structure
- you can read the group name used by the redis service. this is useful
for giving other services permission to use the redis socket.
