Otherwise we get a clash when generating the initrd since the initrd tmpfiles
options create a symlink at /etc/tmpfiles.d/ and any subsequent writes inside
this directory because of initrd.systemd.contents will cause a permission denied
error.
This gives the ability to not write `NTP=` to the `timesyncd.conf` file
(servers = null) as opposed to writing `NTP=` (servers = []) which is
interpreted slightly differently by systemd:
> When the empty string is assigned, the list of NTP servers is reset,
and all prior assignments will have no effect.
Shellcheck complains:
> args=(
> ^-- SC2054 (warning): Use spaces, not commas, to separate array elements.
Add a comment disabling shellcheck in this case and annotating why.
Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>
The inclusion of the "meta ipsec" rule in the default reverse path
filtering breaks systems not built with specific XFRM kernel config
options. Specifically CONFIG_XFRM must be set, which gets selected
by CONFIG_NFT_XFRM, which is hidden behind CONFIG_XFRM_USER.
These options are not selected by default in most defconfig's provided
by the kernel with the exception of some device-specific defconfigs.
These options are not set by the nix kernel common_config, and I would
argue that IPSec support does not belong in a minimal kernel as that
elevates its support status above other in-kernel VPN interfaces.
The contributor of this feature does not seem interested in working
towards a solution that does not break systems running kernels built
with "autoModules = false" while supporting this feature, and as this
silently breaks firewalls into an insecure state and poses an immediate
security issue I propose this be reverted until a solution that does not
break such systems is proposed.
https://github.com/NixOS/nixpkgs/pull/310857#discussion_r1742834970
Devices used as firewalls, if they do not have the required kernel
config, will fail to load the new firewall rules and will upon boot pass
traffic without any filtering into the internal network.
Devices exposed directly to the internet, after reboot, will boot
without filtering potentially exposing services not intended to be
exposed to the internet, such as databases.
The following platforms in nixpkgs appear to be impacted:
- pc_simplekernel
- pogoplug4
- sheevaplug
- zero-gravitas
- zero-sugar
- utilite
- guruplug
- beaglebone
- fuloong2f_n32
References to hardware without autoModules can be found in
nixos-hardware, as well as in active third-party repos on github.
I suspect there are other users impacted that do not have their configurations
public, as autoModules = true leads to long compile times when targeting
kernels to less standard hardware or hardware with quirks that require
patches that cannot be upstreamed.
This reverts commit 3c12ef3f21.
In d9dc50dc11 the usage of `with lib;` has
been removed from thinkfan.nix. Unfortunately, adjusting the check line
and its usage of the functions all,id,zipListsWith has not been updated
resulting in evaluation errors complaining about "undefined variable".
Update: partly covered in 0646a0771b of #339084
rel: #208242
Untrimmed mbrola-voices is leaking into the installer images again.
Instead of trying to manually squash every path it could possibly
leak through, use a very big hammer.
Exposes all currently available command-line arguments that were
missing, including some that were impossible to use with the catch-all
option `extraArgs` alone, requiring changes to other parts of the
system.
Those are now all self-contained in the module.
The service now uses systemd's `DynamicUsers`.
With mautrix-signal v0.7.0 the bridge is built upon the bridgev2
architecture. With this, the configuration file was slightly rearranged.
Options like login_shared_secret_map and double_puppet_server_map were
dropped.
Because `virtualisation.diskSize = null` does result in a broken vm runner,
see https://github.com/NixOS/nixpkgs/issues/292901.
diskSize was declared to be nullable when it first got types in a
tree-wide commit:
30f0faac22
But it seemingly never actually supported it, as "${cfg.diskSize}M" is
passed to qemu-img create, which doesn't allow an empty size parameter.
closes: https://github.com/NixOS/nixpkgs/issues/292901
2.3.0 is the final release, the repo is now archived.
Also I don't use it anymore for quite a while, so it didn't have a real
nixpkgs maintainer either.
Closes#338712
A sed with nested double quotes is inserting malformed XML into /etc/fonts/fonts.conf, this commit put the sed command into single quotes to properly insert double quotes to enclose the XML attribute.
