If the PAPERLESS_SECRET_KEY environment variable is left unset
paperless-ngx defaults to a well-known value, which is insecure.
Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>
On current nixpkgs, no modifications to the server settings were
necessary to pass the audit. However, some of the client algorithms were
considered insecure. The client configuration lists all algorithms which
were listed as acceptable by `ssh-audit`.
This can be used as an example of a configuration currently considered
acceptable by `ssh-audit`, and verifies that such a configuration
results in a compatible client/server configuration.
Beware that this test will continue passing when future versions of
`ssh-audit` add support for new algorithms. In other words, the example
configuration represents a subset of what the current version of
`ssh-audit` would consider acceptable.
Use modulesPath so we don't have to magically rewrite paths in activation script,
set stateVersion to the one this was built with (which should approximate "first install")
Release announcement:
https://github.com/psb1558/Junicode-font/releases/tag/v2.001
This is a breaking change, at least in font file naming (Junicode.ttf
is now Junicode-Regular.ttf). In general, 2.0 adds a lot more font
variants and opentype and web font versions of the font.
Seeing as backward compatibility is broken anyway, I opted to break it
a bit more and change custom install path (`junicode-ttf`) to
seemingly more conventional `truetype`; new .otf and .woff2 variants
are then naturally placed in corresponding directories. This
does *not* affect the `fonts.packages` NixOS option, which rearranges
font files anyway, but brings a degree of consistency with other
fonts.
Both the file renaming and the directory structure change break
satysfi, however, so I adjusted its builder accordingly, copying over
only those font variants that were also present in 1.0 series.
You can see in https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html that
this should be "HairPin" not "Hairpin". Using "Hairpin" results in
```
Oct 25 18:55:03 my-host systemd-networkd[843736]: /etc/systemd/network/10-bridge.network:11:
Unknown key name 'Hairpin' in section 'Bridge', ignoring.
```
This flag allows the user to optionally exclude
switch-to-confguration.pl from toplevel.
This is interesting for appliance images where you don't want to re-build
the system. This flag is called `rebuildable` because the standard
interface to do this is `nixos-rebuild` which will not work anymore with
this change.
While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter,
for some inscrutable reason the nix interpreter accepts the following:
```nix
fetchurl {
url = "https://www.perdu.com";
hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}
```
Note that neither MD5 nor SHA1 are allowed by the syntax of SRI hashes.
Kea may clean the runtime directory when starting (or maybe systemd does
it). I ran into this issue when restarting Kea after changing its
configuration, so I think the fact it normally doesn't clean it is a
race condition (it's cleaned on service start, and normally all Kea
services start at roughly the same time).
The previous implementation works fine when the plugins do not already
contain store paths, which is the case for stuff from munin-contrib.
However, for plugins generated via nix (e.g. with writeShellScriptBin),
it tries to fix the paths in it which already point to the nix store,
ruining everything.
If extraAutoPlugins contains values that carry context (e.g. it comes
from a flake input), the keys generated from them using baseNameOf
inherit that context and the config doesn't compile.
This doesn't actually need to be an attrset anyways, so a bit of
internal refactoring lets us fix this without changing the visible API.
Changes the `mkIf` to trigger if *either* `data_dir`/`metadata_dir` use
`/var/lib/garage`, not only if both do. This is useful to me because I
want to store metadata in `/var/lib/garage` but I also want to store
data in a different mountpoint (via `data_dir` and `ReadWritePaths`).
nixosTests.forgejo: test backup/dump service; nixos/forgejo: pass {env}`GIT_PROTOCOL` via ssh to forgejo; nixosTests.forgejo: test git wire protocol version
Otherwise the tests will fail with `networking.useNetworkd = true;`
because `systemd-resolved` ignores invalid hostnames in `/etc/hosts`
(which is where all hosts from the `nodes`-attribute set end up) and
subsequently e.g. `ssh server_lazy` will fail because the name cannot be
resolved.
In d6e84a4574 the test-framework was
changed to replace all dashes with underscores of hostnames in the
python code to have readable hostnames that are valid. I.e.
nodes.foo-bar = {}
represents a host with a valid hostname and it can be referenced in the
`testScript` with `foo_bar`.
Applying this here fixes the test for both scripted networking and
networkd.
when using the host's openssh service (not the builtin golang one).
This enables the use of the much faster and more efficient wire protocol
version 2.
See https://git-scm.com/docs/protocol-v2
This should allow us to catch issues regarding that in the future.
nixos/gitea had an issue with the dump service recently, which didn't
affect us, fortunately.
But to be fair, it only affected non-default-y setups.
Not something we are able to catch in the current, rather simple, config
of our test.
Still, I see a lot of value adding this new subtest to our test suite.
Anyhow, this patch also exposes the resulting tarball as test (build)
output, which is a nice addition IMHO, as it allows some sort of
external sanity-check, if needed, without running the test interactive.
The current state is certainly very wrong - testing ZFS only on i686.
I suspect it was a typo (?) in commit 2de3caf011.
The current practical problem is that the test fails,
though in a part that looks cross-platform (which adds confusion):
https://hydra.nixos.org/build/239290208#tabs-buildsteps
The knot_server_zone_count metric does not exist anymore, and the next
best thing to watch for is the zone serial, that we define ourselves.
The serial is a number and displayed in the scientific notation, i.e.
>>> machine.succeed('curl localhost:9433/metrics|grep 019 >&2')
[...]
knot # knot_zone_serial{zone="test."} 2.019031301e+09
The new exporter has proper console scripts definition, that sets up
another executable name.
The package now also shells out to pidof, which is why we require procps
in the unit PATH.
nginx lua needs resty
the enableSandbox option of nginx was removed in 535896671b
the test fails with
```
vm-test-run-nginx-sandbox> machine # [ 47.753580] nginx[1142]: nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
vm-test-run-nginx-sandbox> machine # [ 47.756064] nginx[1142]: nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
vm-test-run-nginx-sandbox> machine # [ 57.911766] systemd[1]: Failed to start Nginx Web Server.
```
The idea is to run an async process waiting for swtpm
and we have to ensure that `FD_CLOEXEC` is cleared on this process'
stdin file descriptor, we use `fdflags` for this, a loadable builtin in
Bash ≥ 5.
The async process when exited will terminate `swtpm`, we bind the
termination of the async process to the termination of QEMU by virtue of
having `qemu` exec in that Bash script.
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
Co-authored-by: Raito Bezarius <masterancpp@gmail.com>
bind_interface is the mosquitto way of trying to bind to all addresses
on an interface, but it is unreliable (trying to bind to link-local v6
addresses *sometimes* but not always) and just prone to failure in
general for reasons we have yet to discover.
since this kind of automatic behavior isn't particularly necessary in a
declarative system we may as well skip it.
From `postgresql_15`'s release notes:
> PostgreSQL 15 also revokes the CREATE permission from all users except
a database owner from the public (or default) schema.
https://www.postgresql.org/about/news/postgresql-15-released-2526/
This directly affects `services.postgresql.ensureUsers` in NixOS,
leading to
> permission denied for schema public
`postgresql_15` is now the default for stateVersion `23.11`/`unstable`.
So until this is resolved globally, we work around this issue.
Recent change to nixos-rebuild (https://github.com/NixOS/nixpkgs/pull/258571)
adds systemd-run, which brings with it a cleaner environment
(ie $PATH not available).
Workaround: use absolute path for ln to avoid command-not-found error
This script would always "detect" the "powersave" governor as it is available on
practically all CPUs while the "ondemand" governor is only available on some old
CPUs.
IME the "powersave" governor barely provides any power savings but introduces
massive performance deficits, including noticable stuttering. This is not the
default experience we should offer users, even for those who use laptops.
Use the kernel default (currently "performance", CPU makers may change it in
future) instead.
This adds a NixOS module for Soft Serve, a tasty, self-hostable Git
server for the command line. The module has a test that checks some
basic things like creating users, creating a repo and cloning it.
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
