- drop media-session (rip 💀)
- stop trying to let people override default configs, those never got merged correctly
- drop all the complexity arising from having to vendor default config files
- build docs in sandbox as we no longer recurse
Otherwise the `minio.service` service will fail either:
* with a message that the EnvironmentFile does not exist
* or silently with potentially stale credentials
The module was allowing specific chown syscalls, which is brittle because
there are several and different ones are used by glibc on different
architectures. For example, fchownat was already added to the allowlist for
aarch64, while on armv6l chrony crashes because chown32 is not in the
allowlist.
systemd provides the @chown syscall set, which includes all the chown
syscalls and avoids this brittleness. I believe the syscalls would all be
equivalent from an attacker's perspective, so there is unlikely to be any
security impact.
The restic repository cache location defaults to ~/.cache/restic when
not overwritten either by the --cache-dir command line parameter or the
universal RESTIC_CACHE_DIR environment variable.
Currently, the --cache-dir variable is set to only some restic commands,
but, e.g., not to the unit's preStart command for the module's
initialize option. This results in two distinct cache locations, one at
~/.cache/restic for the initialize commands and one at the configured
--cache-dir location for the restic backup command.
By explicitly setting RESTIC_CACHE_DIR for the unit, only one cache at
the correct location will be used.
https://restic.readthedocs.io/en/v0.15.1/manual_rest.html#caching
Headscale now supports passing the OIDC client secret via a file, as
added in [juanfont/headscale#1127][1127]. Lets use that.
The headscale option is `client_secret_path`; let's make it consistent
and rename the Nix option to this. Note that I wasn't able to do this:
mkRenamedOptionModule [ ... "client_secret_file" ] [ ... "client_secret_path" ]
I get such error:
error: evaluation aborted with the following error message: 'cannot find attribute `services.headscale.settings.oidc.client_secret_file''
[1127]: https://github.com/juanfont/headscale/pull/1127
This prevents issues I'm seeing with the hydra I'm running on my laptop.
Every time I reboot it I see eval errors like this:
```
error fetching latest change from git repo at `https://github.com/nixos/nixpkgs.git':
fatal: unable to access 'https://github.com/nixos/nixpkgs.git/': Could not resolve host: github.com
```
This is because the evaluator already starts before the network is
actually online. It should wait until the network is fully online before
starting evaluation to prevent evaluation errors like above.
This makes it so that alternative packages, such as `pkgs.forgejo` are
able to be used instead of the default `pkgs.gitea`.
Also adds myself as a maintainer of the module.
The varible `gitea`, which was used instead of `cfg.package`, has been
replaced with the variable `exe`, and is instead the value of the main
executable, as gotten from `lib.getExe`. `cfg.package` is used when this
value is not appropriate.
Gitea spawns `gpg` processes for commit signing related actions.
Those `gpg` processes need `mlock` (probably to prevent secrets
in the memory to swap).
Blocking it (as part of the `@memlock` preset) causes any
commit signing related actions to error out as http/500
* k3s: add environmentFile option
Enabling to include secrets through configuration such as 'sops'
* Update nixos/doc/manual/release-notes/rl-2305.section.md
Co-authored-by: Jairo Llopis <973709+yajo@users.noreply.github.com>
Nothing the script `config.sh` does prior to the final call to
`Runner.Listener configure` is relevant for the systemd service.
Particularly, we don't need (nor want) any of the artifacts the `env.sh`
script creates.
Since version 1.10.0 paperless-ngx depends on the NLTK library which is
used to pre-process data for machine learning. NLTK needs certain
data for stemming, stopword removal etc. This data has to be downloaded
first. This commit introduces a new systemd service that does the
downloading.
We’ve been having trouble figuring out which kind of token to use and
why our setup would break every few system updates.
This should clarify which options there are, and which ones lead to
better results.
Ideally there would be a manual section that has a step-by-step guide
on how to set up the github runner, with screenshots and everything.
Purge contents of `workDir` as root to also allow the removal of files
marked as read-only. It is easy to create read-only files in `workDir`,
e.g., by copying files from the Nix store.
