This conditional was introduced in 402b5c67a8
and is supposed to check for `server.START_SSH_SERVER` but instead
checked for `START_SSH_SERVER`.
Co-Authored-By: Pyrox <pyrox@pyrox.dev>
It was brought up that the restricted file-system access breaks
tablespaces[1]. I'd argue that this is the desired behavior: the whole
point of the hardening is to lock the service down, and I don't consider
tablespaces common enough to elevate privileges again. Especially since
the workaround is trivial as shown in the diff.
For completeness' sake, this adds the necessary `ReadWritePaths` change
to the postgresql section of the manual.
This also adds a small correction about the state of
`ensurePermissions`.
[1] https://github.com/NixOS/nixpkgs/pull/344925#issuecomment-2521188907
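An added configuration example of the `ReadWritePaths` override the message refers to; this is not the commit's diff nor text from the nixpkgs manual, and the tablespace directory is a placeholder path:

```nix
{
  # Added example, not from nixpkgs. The hardened postgresql unit runs with
  # restricted file-system access, so a tablespace directory outside the
  # data directory must be re-granted write access explicitly.
  # /var/lib/postgresql/tablespaces is a placeholder; use the real path.
  systemd.services.postgresql.serviceConfig.ReadWritePaths = [
    "/var/lib/postgresql/tablespaces"
  ];
}
```

The directory must exist and be owned by the postgres user before `CREATE TABLESPACE` is run; `ReadWritePaths` only lifts the unit's sandbox restriction, it does not create or chown the path.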
This allows users to set the Admin Password via secrets. `configFile` must be writable, which is why it isn't sufficient.
nixfmt nixos/modules/services/databases/couchdb.nix
This requires all datasets for the pool specified in `fileSystems` to be
marked noauto.
Note that this implicitly skips some tasks for the pool, such as
`expandOnBoot`, as the pool will not be imported at that time.
It is possible to configure k3s in various ways (cli flags, env
variables, single config file, multiple config files) and everything is
merged together in a final config. The nixos module cannot know if a
configuration option that is missing from the module point of view is
supplied in another way, so it shouldn't assert missing configuration
options.
I don't know the reason for rtkit only getting enabled by
hardware.pulseaudio.enable and not services.pipewire.enable, as they
both use it to get real-time priority, but we can at least help users by
mentioning pipewire in the rtkit option.
From hosts(5):
> For each host a single line should be present with the following
> information:
>
> IP_address canonical_hostname [aliases...]
With lines like "::1 localhost ahost.adomin ahost", we were saying
that the canonical name for "ahost" was "localhost", the opposite of a
canonical name. This is why a second loopback address (127.0.0.2) is
used for hostnames with IPv4 — if they were put after "localhost" on
the 127.0.0.1 line, the same thing would happen. With IPv6 we can't
do the same thing as there's only a single loopback address, so
instead the right thing to do is to simply not list the hostnames in
/etc/hosts, and rely on the myhostname NSS plugin, which will handle
this correctly.
(Note that the examples in hosts(5) also do not include IPv6 FQDN or
hostname entries.)