This makes sure that we don't try to evaluate the tests with an
incompatible kernel version. The original reviewer didn't react within
10 days, but since they got notified and all this commit is doing is to
fix evaluation, I consider it safe to merge.
Cc: @adisbladis
Right now, the latest kernel is version 5.19, for which there is no
compatible upstream release for ZFS. However, our NixOS VM test always
uses linuxPackages_latest and thus will fail with an evaluation error
most of the time when a new mainline kernel is released.
Since we expose a latestCompatibleLinuxPackages attribute for the ZFS
packages, we already know what's the latest kernel version that is
supported so let's use that instead of linuxPackages_latest.
Signed-off-by: aszlig <aszlig@nix.build>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: Brian Leung <leungbk@posteo.net>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
The udisks2 service was enabled to fix the test in (c5ebec7ee4).
However, cagebreak doesn't require udisks2, just polkit (which the
udisks2 module enables and which is why the cagebreak test broke after
the udisks2 module was disabled by default).
I've documented why polkit is required in this PR:
https://github.com/NixOS/nixpkgs/pull/156858
In this case the "dependency" chain is basically cagebreak -> wlroots ->
libseat -> logind (with polkit support) -> polkit.
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
- Replace misleading docs.
- Add new assertions to let configurations make more sense.
- Add clusterInit flag.
- Add some more docs about HA and non-HA modes setup.
- Improve multi-node tests for HA mode.
Fix https://github.com/NixOS/nixpkgs/issues/182085
Due to how complex minecraft world generation has gotten in recent
years, it now can take several minutes to complete the first generation
of a world seed, even on relatively new and powerful hardware.
We are testing if a minecraft server can run inside of a nix enviroment,
and not so much about stress testing the CI.
Test running before this change:
> (finished: waiting for TCP port 43000, in 118.49 seconds)
Test running with this change:
> (finished: waiting for TCP port 43000, in 27.88 seconds)
Choice of using `level-type` and `generate-structures` was made as they
support almost every version of minecraft. These two also make it
extremely clear what it does, compared to the more complex
`generator-settings` and all its toggles.
in [v0.25.0][1]: Breaking changes of Task API (relevant summarized)
- `update` -> `task`
- `GET - /indexes/:indexUid/updates/:updateId` -> `/indexes/:indexUid/tasks`
- `updateId` -> `uid` of `task`
- also: new `GET - /tasks/:taskUid` introduced
- `status` values changed
in [v0.28.0][2]: Breaking changes in `/indexes` endpoints
- `total` now appear in the response body
[1]: https://github.com/meilisearch/meilisearch/releases/tag/v0.25.0
[2]: https://github.com/meilisearch/meilisearch/releases/tag/v0.28.0
So far, we have been building Systemd without `BPF_FRAMEWORK`. As a
result, some Systemd features like `RestrictNetworkInterfaces=` cannot
work. To make things worse, Systemd doesn't even complain when using a
feature which requires `+BPF_FRAMEWORK`; yet, the option has no effect:
# systemctl --version | grep -o "\-BPF_FRAMEWORK"
-BPF_FRAMEWORK
# systemd-run -t -p RestrictNetworkInterfaces="lo" ping -c 1 8.8.8.8
This commit enables `BPF_FRAMEWORK` by default. This is in line with
other distros (e.g., Fedora). Also note that BPF does not support stack
protector: https://lkml.org/lkml/2020/2/21/1000. To that end, I added a
small `CFLAGS` patch to the BPF building to keep using stack protector
as a default.
I also added an appropriate NixOS test.
According to pulseaudio(1), a system wide pulseaudio instance
can only be accessed by members of the `pulse-access` group.
This name seems to be hardcoded in
pulseaudio -- I didn't find any switch to change it.
We need to define the group so users can connect to the deamon.
This commit also fixes the systemwide pulseaudio vm test:
Previously, the test user `alice`
was just a member of the `audio` group.
This blocked access to the daemon and failed the test.
The commit changes the group assignment and fixes the vm test.
The test tries to detect the presence of pavucontrol's
window by looking for the tab label "Playback".
However, the OCR mechanism fails to resolve the
text, possibly due to the grey background color.
To fix this issue, we instead look for the name of the
sound device ("Dummy Output") which gets resolved by OCR.
Note: Strangely, the tab "Playback" *is* correctly
resolved when the test is run in interactive mode.
This might be due to the changed screen resolution,
but I didn't investigate further.
Enable keter module
Keter is an apploader which:
1. has the old app running on a port.
2. loads a new one, and wait for that to complete
3. switches the old with the new one once the new one finished loading.
It supports more functionality but this use case
is the primary one being used by supercede.
Adds keter as a module to nixos.
Currently keter is unusable with nix,
because it relies on bundeling of a tar and uploading that to a specific folder.
These expressions automate these devops tasks,
with especially nixops in mind.
This will work with versions above 1.8
The test seems to work.
This uses a new version of keter which has good
support for status code on error pages.
We're using this config at production at supercede
so it should be fine.
Squash log:
==========
mention keter in changelog
Update generated release notes
Always restart keter on failure
This is a little bit of extra stability in case keter crashes.
Which can happen under extreme conditions (DoS attacks).
Update nixos/doc/manual/release-notes/rl-2205.section.md
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/module-list.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Remove sanitization
don't put domain in as a string
Update nixos/tests/keter.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
add jappie as module maintainer
Use type path instead of two seperate options
Fix generated docs
added test machinery to figure out why it's failing
Fix the test, use console output
run nixpkgs-fmt on all modules
Inline config file.
This get's rid of a lot of inderection as well.
Run nix format
remove comment
simplify executable for test
delete config file
add config for keter root
Remove after redis clause
set keter root by default to /var/lib/keter
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
fix nit
add newlines
add default text and move description in a long description
Delete rather obvious comment
fix release db thing
remove longDescription and put it in a comment instead
change description of mkEnalbeOption
explain what keter does by using the hackage synopsis
set domain to keterDomain and same for executable
move comment to where it's happening
fix type error
add formatting better comment
try add seperate user for keter
Revert "try add seperate user for keter"
This reverts commit d3522d36c96117335bfa072e6f453406c244e940.
Doing this breaks the setup
set default to avoid needing cap_net_bind_service
remove weird comment
use example fields
eleborated on process leakage
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
run nixpkgs-fmt
update docs
Fix formatting, set keter package by default
format our little nixexpr
replace '' -> " where possible
drop indent for multiline string
make description much shorter
regen docs database
Introduced by fd7d901133. The openldap
module now expects the database directory to be below
`/var/lib/openldap`, oterhwise it'll fail evaluation like this:
Failed assertions:
- Database dc=example,dc=org has `olcDbDirectory` (/var/db/openldap) that is not a subdirectory of
`/var/lib/openldap/`.