Previously, setting listsAsDuplicateKeys or listToValue would make it so
merging these treat all values as lists, by coercing non-lists via
lib.singleton. Some programs (such as gamemode; see #345121), allow some
values to be repeated but not others, which can lead to unexpected
behavior when non-list values are merged like this rather than throwing
an error.
This now makes that behavior opt-in via the mergeAsList option. Setting
mergeAsList (to either true or false) without setting either
listsAsDuplicateKeys or listToValue is an error, since lists are
meaningless in this case.
Currently if a timezone was selected explicitly, the service will
silently override the value, essentially ignoring what is meant to be a
a deliberate choice of option. This may cause confusion as to why the
option is not doing anything when this service is enabled, particularly
in more complex set-ups after some time.
This will simply make the choice deliberate from the user's part, either
by having to remove the option or lowering its priority as a recognition
that it may be ignored.
This change was inspired by the `services.tzupdate` module, which does
the same.
[1]: <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/tzupdate.nix#L24>
Add a pre v2 copy of deno as deno_1 to provide some stability until our next
release and until 1.46 is fully abandoned soon.
deno_1 is expected to be removed prior to 24.11.
Added a release note.
Updates deno to v2.
Slight refactor of fetcher code for grabbing librusty_v8.
Updated the update scripts to use new Deno v2 interfaces and pull latest
toml dependency from jsr rather than the deno.land registry.
Added release note.
These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Some users would like to customize it.
Also, in current versions of fedimint p2p port in the URL
must be set, due to some bug, so update the example value
to reflect that.
- use upstream service and scripts
- switch to integrated-vtysh-config, abandon per-daemon config
- use always daemon names in options (e.g. ospf -> ospfd)
- zebra, mgmtd and staticd are always enabled
- abandon vtyListenAddress, vtyListenPort options; use
just "extraOptions" or "options" instead, respectively
- extend test to test staticd
- update release-notes
- pkgs.servers.frr: fix sbindir and remove FHS PATH
- introduce services.frr.openFilesLimit option
There's no point for the intermediate `getPath` function calling
`getLuaPath` with the "lua" argument.
There's also no other nginx test this copies code from.
We always call `getLuaPath` with "lua", so constant-propagate it in.
Also, camel-case `lualibs` to `luaLibs.`
Currently if a timezone was selected explicitly, the service will
silently override the value, essentially ignoring what is meant to be a
a deliberate choice of option. This may cause confusion as to why the
option is not doing anything when this service is enabled, particularly
in more complex set-ups after some time.
This will simply make the choice deliberate from the user's part, either
by having to remove the option or lowering its priority as a recognition
that it may be ignored.
This change was inspired by the `services.tzupdate` module, which does
the same.
[1]: <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/tzupdate.nix#L24>
Fixes CVE-2024-47176 and CVE-2024-47850. NixOS is not affected by these security issues by
default because we do not ship the default configuration file so it fallbacks to `BrowseRemoteProtocols dnssd`.
631/udp is removed from the open firewall ports, it was by the CUPS
browsing protocol.
Deprecate (buildPythonPackage { ... }).override for Python packages in
favour of overridePythonAttrs.
This change does not affect the override interface of most Python
packages, as the override interface is provided by callPackage and
shadows the locally defined override attribute.
systemd 256 supports network.wireguard.* credentials (https://github.com/systemd/systemd/pull/30826).
Check whether PrivateKey / PresharedKey starts with an @, if so it is a credential.
Add postStart code that waits until Scrutiny has opened its port. This
fixes a race condition against scrutiny-collector, which can start (and
fail) before scrutiny is ready.
When 757a455dde refactored the zones to go
from a list to a map, this broke the tests/common/resolver helper.
reproduction:
```
let
pkgs = import <nixpkgs> {};
testConfig = {
name = "resolver-repro";
nodes = {
acme = { nodes, ... }: {
imports = [ (pkgs.path + /nixos/tests/common/acme/server) ];
};
};
testScript = ''
'';
};
in pkgs.nixosTest testConfig
```
These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.
In my tests, Redmine only bound to an IPv4 address and Unix socket,
which is why I restricted the address families to these both.
The command `systemd-analyze security redmine.service` reports an
overall exposure level of 2.9 with this patch.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
The test currently fails because we attempt to switch to a NixOS
configuration that is _very_ different from the one we are switching
from (e.g. the new configuration has an entirely empty /etc/fstab,
causing switch-to-configuration to want to start unmounting all
filesystems defined in the old configuration).
previously if you set the "user" option and did not create a group
account with the same name the module would create a service that would
fail to start.
with this change:
- the module is more explicit about this behaviour
- you can configure the group directly, so that you're not forced to a
particular user/group structure
- you can read the group name used by the redis service. this is useful
for giving other services permission to use the redis socket.
The rss-bridge service changes introduced in f2201789fe
resp. https://github.com/NixOS/nixpkgs/pull/223148 removes the need for
the package patch. This commit removes the patch to ease updating and
maintenance.
Relevant service functionality was also removed (e.g. the setting of
RSSBRIDGE_DATA).
The explicit definition of FileCache.path so users can easily see its
default value and change it, requires to use a freeformType to let users
freely add potentially upcoming config options. This type is restricted
to ini types (although we coerce them to environment variables).
This however makes the list of enabled_bridges impossible. That was
fixed by explicitly introducing this option with a type allowing lists.
The default value however should be unset, which is expressed as `null`,
which further spurred a change in the environment variable generation to
ignore null values (instead of coercing them to an empty string).
A breaking change note was added to highlight this change. A check that
warns users of the not-application of their existing config file is
not easily possible, as people could have only added or changed the
config.ini.php file on the file system without changing a nix variable.
allowing multiple definitions of that option to be merged, because:
- their order should be irrelevant
- it might make sense to declare multiples of them at different locations
dnsmasq dhcp-leasefile defaults to /var/lib/dnsmasq/dnsmasq.leases, so
use that as the default for the exporter too. Curiously, the example was
using the working path, so this patch simply swaps "example" and
"default" values.
Explicitly waiting for influxdb2 in the test, instead of fixing the
underlying issue[1], was hiding a real bug[2]. Now that the bug has been
fixed we can remove the wait code.
[1] Commit 732d36522f ("nixos/influxdb2: wait until service is ready")
[2] https://github.com/NixOS/nixpkgs/issues/317017 ("Scrutiny tries to start before influxdb has started")
Added a decorator function to handle any
exceptions generated by test functions and
apply some retry logic with backoff.
Also wrapped the unwrapped add-a curl which
was causing some fails.
In the next release of Pebble, the certificate
subject is no longer populated with a useful domain name.
This change will refactor the fullchain validation assertions
to avoid checking the subject line.
This will fix the conflict when another DE using the full `xdg-desktop-portal-gtk` is enabled simultaneously with GNOME.
There will not be conflicts at runtime since the portals have been configured by `gnome-session` in `xdg.portal.configPackages` for a while now.
There will be minimal effect on system closure as all the extra x-d-p dependencies are also used by GNOME platform.
This will fix the conflict when another DE using the full `xdg-desktop-portal-gtk` is enabled simultaneously with Deepin.
Currently, our Deepin uses `gtk` as the preferred default implementation for all portals so presumably the duplicate portals should not have been disabled anyway.
The added closure size should be negligible, as most of the packages are probably also used by Deepin transitively.
This will fix the conflict when another DE using the full `xdg-desktop-portal-gtk` is enabled simultaneously with Cinnamon.
There will no longer be conflicts at runtime since the portals are now configured by `cinnamon-common` in `xdg.portal.configPackages`.
The added closure size should be negligible, as most of the packages are also used by Cinnamon.
I have no idea what this escape sequence even is, but it breaks the nix parser with cryptic errors if not used in a comment.
A friend let me know MacOS is prone to input weird spaces, not sure if that is the source.
Candidates were located and created with:
chr="$(echo -e '\xc2\xa0')"; rg -F "$chr" -l | xe sd -F "$chr" " "
There are some examples left, most being example output from `tree` in various markdown documents, some patches which we can't really touch, and `pkgs/tools/nix/nixos-render-docs/src/tests/test_commonmark.py` which I'm not sure if should be addressed
Contour was broken for aarch64 in #253334, and completely broke
in #344788 for all platforms.
This removes the broken package, and adds a notice to remove broken
packages in the future. aarch64 users have waited a year for this to be
fixed, so I think we should lean to be more eager to remove in general,
and then the fix can come when it is ready, instead of letting it block
this.
Resolves: #258515
Signed-off-by: Christina Sørensen <christina@cafkafk.com>
In order to not expose Redmine over all interfaces, allow configuring an
IP address it should bind to. Listen to 0.0.0.0 by default.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
