Before this change, the description for
security.wrappers.<name>.capabilities made it seem like you could just
string together the names of capabilities like this:
capabilities = "CAP_SETUID,CAP_SETGID";
In reality, each item in the list must be a full-on capability clause:
capabilities = "CAP_SETUID=ep,CAP_SETGID+i";
This attribute set isn't passed through the NixOS config resolution
mechanism, which means that we can't use lib.mkDefault here.
Instead, just put it before any user overrides so that if the user
specifies this environment variable it'll just override it anyway.
Optional functionality of AusweisApp2 requires an UDP port to be opened.
The module allows for convenient configuration and serves as documentation.
See also https://github.com/NixOS/nixpkgs/issues/136269
deprecate literalDocBook by adding a warning (that will not fire yet) to
its uses and other docbook literal strings by adding optional warning
message to mergeJSON.
This reverts commit 05958b228b.
Issue https://github.com/NixOS/nixpkgs/issues/188998 is concerns quite a
few NixOS users with full disk encryption and custom keymap.
Since there hasn't been a proper fix agreed upon and merged, I am
reverting this.
The changes can be applied again, when it is ensured that they do not
break custom keymaps in initrd.
Allow @resources syscalls in the grafana.service unit. While Grafana
itself does not need them, some plugins (incl. first party) crash if
they fail to setrlimit. This was first seen with the official grafana
Clickhouse datasource plugin.
The @resources syscalls set is fairly harmess anyway.
`paperless-ngx.pythonPath` was incomplete due to the missing paperless-ngx
source, so it had to be amended in the service.
Instead of amending it, define it entirely in the service.
This allows an override of `paperless-ngx.propagatedBuildInputs` to be reflected
in the service's PYTHONPATH.
We are building fwupd daemon with polkit support which means
polkit daemon is required.
Previously polkit was enabled by default via udisks2 but that
stopped with f763710065
breaking the fwupd installed tests as a result.
Let’s add the polkit dependency to the fwupd module to ensure polkit is available.
Handing CAP_NET_BIND_SERVICE to the `paperless-web.service` only makes
sense when it actually wants to bind to a port < 1024. Don't hand it out
if that is not the case.
Finding out how to connect paperless to a PostgreSQL database via unix
sockets and peer authentication took me a few minutes, so leaving a hint
in the extraConfig example seems like a good idea to me.
Also remove unnecessary use of literalExpression for attribute set, it
is only required for complex values like functions or values that depend
on other values or packages.
After uploading a document through the webinterface I started seeing
it killed through the SYSBUS signal. Inspecting the call trace led me to
liblapack's memory allocator, that uses the mbind syscall on Linux.
Prior to this change, ffmpeg couldn't be built for an
environment.noXlibs system, because it would fail in:
ffmpeg → SDL2 → libdecor
ffmpeg certainly does not need support for SDL2 windowing on a noXlibs
system.
This fix is important because the minidlna NixOS test, which uses the
minimal profile (and therefore environment.noXlibs) and ffmpeg, can't
currently build.
The primary difference between the standard and minimal variants of
this package is that all the X libraries are removed from the minimal
variant.
I had to switch the order of the definitions in all-packages.nix to
avoid an infinite recursion after the overlay was applied.
