Commit Graph

35517 Commits

Author SHA1 Message Date
Sandro Jäckel
9a85d77152
nixos/networkmanager: default firewallBackend to nftables, remove firewallBackend
Co-authored-by: Florian Klink <flokli@flokli.de>

Co-authored-by: Lin Jian <me@linj.tech>
2023-09-21 16:18:57 +02:00
Sandro Jäckel
ad0ca163e1
nixos/networkmanager: cleanup, fix example rendering 2023-09-21 15:16:54 +02:00
Martin Weinelt
b4bd254b86
Merge pull request #256289 from Ma27/refactor-synapse-assertions
nixos/matrix-synapse: refactor assertions for missing listener resources
2023-09-21 14:06:38 +02:00
hexchen
8ec182e570 nixos/prometheus: fix blackbox exporter 2023-09-21 08:49:10 +02:00
Pierre Bourdon
2db9117928
Merge pull request #255556 from louib/allow_disabling_openssh_root_login
nixos/virtualisation: allow configuring openssh root login on GCE
2023-09-21 05:56:12 +02:00
Artturi
7f45760504
Merge pull request #192593 from jlesquembre/test-driver 2023-09-21 00:47:45 +03:00
Yorick
829514e2da
Merge pull request #251597 from wietsedv/calibre-web
nixos/calibre-web: add package and enableKepubify options
2023-09-20 22:35:16 +02:00
Arnout Engelen
69ecad6acb
Merge pull request #254563 from raboof/prometheus-exporter-nextcloud-fixup
prometheus-exporter-nextcloud: require either tokenFile or passwordFile
2023-09-20 22:33:10 +02:00
Nikolay Korotkiy
09846eacb2
Merge pull request #252001 from imincik/qgis-nixos-test
qgis: add nixos tests
2023-09-20 23:46:57 +04:00
Robert Schütz
728bae020d
Merge pull request #253687 from dotlambda/plausible-2.0.0
plausible: 1.4.4 -> 2.0.0
2023-09-20 19:28:09 +00:00
José Luis Lafuente
c25c10e919 nixos/tests: make wait_for timeouts configurable
While working on #192270, I noticed that only some wait_for_* helper
functions make the timeout configurable. I think we should be able to
customize it in all cases
2023-09-20 21:56:46 +03:00
Robert Schütz
c4574a95c5 plausible: also install tracker 2023-09-20 09:07:28 -07:00
Maximilian Bosch
d004375485
nixos/matrix-synapse: refactor assertions for missing listener resources
While reviewing other changes related to synapse I rediscovered the
`lib.findFirst (...) (lib.last resources)` hack to find a listener
supporting the `client` resource. We decided to keep it that way for now
a while ago to avoid scope-creep on the RFC42 refactoring[1]. I wanted
to take care of that and forgot about it.

Anyways, I'm pretty sure that this is bogus: to register a user, you
need the `client` API and not a random listener which happens to be the
last one in the list. Also, you need something which serves the `client`
API to have the entire synapse<->messenger interaction working (whereas
`federation` is for synapse<->synapse).

So I decided to error out if no `client` listener is found. A listener
serving `client` can be defined in either the main synapse process or
one of its workers via `services.matrix-synapse.workers`[2].

However it's generally nicer to use assertions for that because then
it's possible to display multiple configuration errors at once and one
doesn't have to chase one `throw` after another. I decided to also error
out when using the result from `findFirst` though because module
assertions aren't thrown necessarily when you evaluate a single config
attribute, e.g. `config.environment.systemPackages` which depends on an
existing client listener because of `registerNewMatrixUser`[3].

While at it I realized that if `settings.instance_map` is wrongly
configured, e.g. by

    settings.instance_map = mkForce {
      /* no `main` in here */
    }

an `attribute ... missing` error will be thrown while evaluating the
worker assertion.

[1] https://github.com/NixOS/nixpkgs/pull/158605#discussion_r815500487
[2] This also means that `registerNewMatrixUser` will still work if you
    offload the entire `client` traffic to a worker.
[3] And getting a useful error message is way better for debugging in such a
    case than `value is null while a set was expected`.
2023-09-20 15:48:03 +02:00
Maciej Krüger
61536e7a1f
nixosTests.sudo-rs: fix syntax 2023-09-20 13:58:08 +02:00
Maciej Krüger
922926cfbc
Merge pull request #253876 from nbraud/nixos/sudo-rs 2023-09-20 13:55:33 +02:00
Lin Jian
d27a248494
Merge pull request #255064 from tomfitzhenry/vikunja-cli
nixos/vikunja: install 'vikunja' CLI tool
2023-09-20 18:03:34 +08:00
zaldnoay
79599c86ae nixos/frp: fix example url of configure file 2023-09-20 13:55:53 +08:00
Weijia Wang
0425ad73b3
Merge pull request #255549 from wegank/wordpress-bump
wordpress: 6.2.2 -> 6.3.1
2023-09-20 00:41:56 +02:00
Will Fancher
c6db677b1c
Merge pull request #255008 from SuperSandro2000/x-triggers-name
systemd-lib: add name to X-{Reloads,Restart}-Triggers to easily ident…
2023-09-19 17:38:05 -04:00
Pol Dellaiera
3ff2629897
Merge pull request #255880 from Atemu/installer-configuration.nix-search.nixos.org
nixos/installer: mention search.nixos.org
2023-09-19 21:50:15 +02:00
Niklas Hambüchen
1a8e576180
Merge pull request #255977 from nh2/vaultwarden-fix-default-config-evaluation
vaultwarden service: Fix doubly-nested `config` value. Fixes evaluation
2023-09-19 18:46:58 +02:00
Niklas Hambüchen
c460434104 nixos/vaultwarden: Fix doubly-nested config value. Fixes evaluation 2023-09-19 16:46:08 +00:00
Nick Cao
e8e461df5d
Merge pull request #254833 from NickCao/qt4-leftover
nixos/environment: drop QT_PLUGIN_PATH for qt4 and kde4 as they has b…
2023-09-19 10:08:27 -04:00
Arnout Engelen
1bf360af28
prometheus-exporter-nextcloud: require either tokenFile or passwordFile
follow-up on 28b3156bc6 which broke
when tokenFile was left empty.

Making both options nullable also allows us to provide a more meaningful
error message when neither authentication method is configured.
2023-09-19 13:19:54 +02:00
Fabián Heredia Montiel
90040cd36a linux/hardened/patches/6.5: init at 6.5.3-hardened1 2023-09-19 07:09:14 +00:00
Artturi
73d552ecb7
Merge pull request #254918 from RaitoBezarius/dnssec-resolved 2023-09-19 06:45:07 +03:00
Erno Hopearuoho
7d112f7da3 luksroot: fix issue when yubikey is detached during boot process
Fixes #228141, which describes an issue where detaching Yubikey during the boot process
causes cryptsetup to write empty passphrase instead of the challenge-response salt stored
on the boot drive.
2023-09-18 23:10:06 -03:00
nicoo
d8d0b8019f nixos/sudo: Add myself as maintainer 2023-09-18 18:03:58 +00:00
nicoo
d63eb55e81 nixos/sudo: Generate sudo-i PAM config for interactive use of sudo-rs 2023-09-18 18:03:58 +00:00
nicoo
7b5b3f5124 nixos/sudo: Add tests for sudo-rs too
Duplicated sudo's testsuite for now, as its maintainer does not with
to collaborate on testing effors; see #253876.

Environment-related tests were removed, as sudo-rs does not support
`(NO)SETENV` yet; see memorysafety/sudo-rs#760
2023-09-18 18:03:58 +00:00
Maximilian Bosch
e4f0f0977e
Merge pull request #241973 from 999eagle/feat/synapse-workers
nixos/synapse: add support for workers, cleanup
2023-09-18 19:54:20 +02:00
Maciej Krüger
4729358fa5 nixos/test-driver: do not break if the command writes to stderr
Capturing `stderr` as part of the return `output` could break existing tests.
2023-09-18 17:36:16 +00:00
nicoo
f66eb0df3b nixos/sudo: Only wrap sudoedit when using Miller's sudo 2023-09-18 17:36:15 +00:00
nicoo
914bf58369 nixos/{sudo, terminfo}: Adjust defaults for compatibility with sudo-rs 2023-09-18 17:36:15 +00:00
nicoo
f0107b4f63 nixos/sudo: Check syntax using the configured package
This is preferable even for regular `sudo`, but will ensure the check is useful
when using `sudo-rs` in the future.

Also, dropped antediluvian comment about the syntax check being disabled,
when it was clearly not commented out:
  - introduced in 2007, commit 6d65f0ae03ae14f3e978d89959253d9a8f5e0ec1;
  - reverted in 2014, commit e68a5b265a,
    but without ammending the comments.
2023-09-18 17:36:15 +00:00
nicoo
c11da39117 nixos/sudo: Drop the sudoers comment for extraRules
All rules are now handled through `extraRules`,
and it is never empty so `optionalString` isn't needed either.
2023-09-18 17:36:15 +00:00
nicoo
717e51a140 nixos/sudo: Make the default rules' options configurable 2023-09-18 17:36:15 +00:00
nicoo
b1eab8ca53 nixos/sudo: Handle root's default rule through extraRules
This makes things more uniform, and simplifies compatibility with sudo-rs.

Moreover, users can not inject rules before this if they need to.
2023-09-18 17:35:45 +00:00
nicoo
3a95964fd5 nixos/sudo: Drop useless lib. qualifiers
Also normalise indentation for `mdDoc` to what's prevalent in this file.
2023-09-18 17:35:07 +00:00
nicoo
8b9e867ac8 nixos/sudo: Refactor checks for Todd C. Miller's implemetation 2023-09-18 17:35:07 +00:00
nicoo
f5aadb56be nixos/sudo: Refactor option definitions 2023-09-18 17:35:06 +00:00
nicoo
0365b05f13 nixos/terminfo: Add config option not to add extra sudo config
This will be necessary for compatibility with `sudo-rs`.
2023-09-18 17:35:06 +00:00
nicoo
8742134c80 nixos/sudo: Only keep SSH_AUTH_SOCK if used for authentication
This will make compatibility with `sudo-rs` easier.
2023-09-18 17:35:06 +00:00
nicoo
454151375d nixos/sudo: Don't include empty sections
This makes the generated sudoers a touch easier to read.
2023-09-18 17:35:06 +00:00
nicoo
409d29ca73 nixos/sudo: Split up configFile into individual sections 2023-09-18 17:35:06 +00:00
Atemu
9084f59d36 nixos/installer: mention search.nixos.org
It's immensely helpful and more user-friendly than the humongous
configuration.nix man page.
2023-09-18 14:38:26 +02:00
Lin Jian
4dc624f9c7
Merge pull request #255264 from emilylange/nixos/caddy
nixos/caddy: ensure vhosts come after user-specified `cfg.extraConfig`
2023-09-18 19:34:34 +08:00
emilylange
fcdcccaed6
nixos/caddy: ensure vhosts come after user-specified cfg.extraConfig
This solves an issue, where loading the nixos-unstable module in
nixos-stable using `disabledModules` and `imports` resulted in the
following Caddyfile:

```
<globalConfig>

<vhosts>

<extraConfig>
```

instead of

```
<globalConfig>

<extraConfig>

<vhosts>
```

This is important in cases where `cfg.extraConfig` contains so called
Caddyfile snippets.

See https://caddyserver.com/docs/caddyfile/concepts#structure

Co-authored-by: Lin Jian <me@linj.tech>
2023-09-18 11:12:19 +02:00
Sophie Tauchert
24f6a70abf
nixos/synapse: make sure workers require main process
This should ensure systemd handles starting all services (main and
workers) in a single transaction, thus preserving unit orderings
defined through After= even when not restarting the target.
2023-09-18 10:52:54 +02:00
Sophie Tauchert
aed8a5c6cd
nixos/synapse: add documentation for required reverse proxy setup 2023-09-18 08:24:38 +02:00