This was meant to make amazon-ssm-agent work "out of the box" on non-NixOS
systems but the feature never really worked.
The problem is that amazon-ssm-agent looks for the files "amazon-ssm-agent.json"
and "seelog.xml" but the files in the package are named
"amazon-ssm-agent.json.template" and "seelog.xml.template". So even with
this overrideEtc = true it would not be able to find the config.
E.g. you'd get an error like
Error occurred fetching the seelog config file path: open /nix/store/pyfxjr0i0hszcj9b6fqly6344zf9zhcb-amazon-ssm-agent-3.3.484.0/etc/amazon/ssm/seelog.xml: no such file or directory
on startup.
Removing this parameter from the package doesn't break things as it didn't work in the first place.
The tests had a lot of duplication and some of it was even wrong! For
instance, `withRcloneEnv` in the MySQL test didn't have the `"$@"` at
the bottom to execute commands passed to it. Because of that, the MySQL
testcase never checked whether files can be uploaded.
Since tests are just another module system, I decided to abstract away
common things by using it:
* Define a base module with
  * an empty `client` node and a `nextcloud` node with defaults
    shared among all tests.
  * rclone scripts that are used by all tests.
  * a `testScript` checking upload/download. Additional checks can be
    added via `test-helpers.extraTests`.
* Make common information such as admin user & password shared via
  options.
Also, changed the following things:
* The `name` of the final derivation also includes the Nextcloud major
it was tested against.
* Improved the objectstore test by making sure the file was actually
uploaded into the bucket.
* Make sure `withRcloneEnv` actually invokes the command it gets as
`argv`. Until now, nothing was uploaded. This mistake was copied from
the MySQL test that appears to have the same issue (will be addressed
in the next commit).
* Test upload/download with rclone once to see if Nextcloud
interaction with S3 works fine.
* Make sure we actually have something in the bucket (until now with an
`ls` and no real check, will do some larger cleanups and make this
better in the next commit).
* Use actual AWS-style access keys.
Allow users to disable the shadow authentication suite.
My primary motivation is to reduce the attack surface via setuid
binaries, of which shadow understandably introduces many. I realised,
however, that I don't use any of these.
The test demonstrates login working without needing the shadow suite.
We can expose the PLAT prefix to the client via DNS64 so clatd is able
to determine the prefix dynamically. We can also test that some
systemd-networkd PREF64 settings work as expected when exposed on the
router.
This follows 6ee84bcda0.
Here I prefer a simple mention in the release notes instead of some
automatic migration, which could interfere with all the other changes
already potentially requiring some admin interventions.
Co-authored-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
This adds a NixOS module for Grafana Alloy.
I started from the grafana-agent one but dropped all settings and config
management whatsoever.
Grafana Alloy uses its own Alloy config format (similar to HCL), which
is not really possible to express in Nix.
Simply pointing to a path in `/etc`, and leaving it up to the user to configure
it via `environment.etc` allows the user to arrange config files however
it makes most sense for them.
The module, systemd unit etc. are called "alloy", not "grafana-alloy", to
follow the way it's packaged on other distros and to follow POLA.
- Introduce more possible options by using the krb format generator.
- Enforce that the chosen package is a correct package.
- Use meta attribute to decide implementation, which allows for overriding the
package.
- Make necessary changes to the format, to allow for multiple ACL files in
heimdal.
- Add systemd target and slice for both implementations.
- Move state to `/var/lib`
- Add documentation
auto-cpufreq is similar to tlp in that it shouldn't be run with
power-profiles-daemon. Their functionality can conflict and bugs can
show up. On my system this materialized by auto-cpufreq frequently
shutting down, but there may be other consequences.
This change follows the same pattern as the tlp assertion.
When I initially wrote this test, I wasn't aware that services.openssh
could opt into using OpenSSH's default algorithms by just setting the
relevant settings to null.
That's a better approach since:
* it's a simpler setting for this test to have to worry about
* it introduces test coverage for the null case
* the null case should be demonstrated as an example for those that
want to compile without OpenSSL
This library does not actually need to match the Nvidia driver version,
so we do not need to make it available impurely.
This reverts the following commits.
9b3461e7ae4e353b67f6
I want to use the final symlinked package in system.checks and need to
access that somehow. Instead of adding a new option, we might as well
convert tmpfiles to the new structure.
The `openssh` and `openssh_hpn` packages are now built without
Kerberos support by default in an effort to reduce the attack surface.
Kerberos support is likely used only by a fraction of the total users
(I'm guessing mainly users integrating SSH in an Active Directory env) so
dropping it should not impact too many users. It should also be noted that
the Kerberos/GSSAPI auth is disabled by default in the configuration.
`opensshWithKerberos` and `openssh_hpnWithKerberos` are added in order
to provide an easy migration path for users needing this support.
The `openssh_gssapi` package is kept untouched.
This is not a breaking change. Existing setups continue to work as-is.
Users of `cfg.mailerPasswordFile` will get an option rename/deprecation
warning, but that's it (assuming there is no regression).
This adds `cfg.secrets`, which is a wrapper over systemd's
`LoadCredential=` leveraging Forgejo's `environment-to-ini`.
`environment-to-ini` is intended for configuring Forgejo in OCI
containers.
It requires some fairly annoying escaping of the section names to fit
into the allowed environment variable charset.
E.g. `"log.console".COLORIZE = false` becomes
`FORGEJO__LOG_0x2E_CONSOLE__COLORIZE=false`.
- `.` needs to be replaced with `_0X2E_` and
- `-` needs to be replaced with `_0X2D_`
Those are simply the hex representation of each char from an ASCII
table:
. = ASCII 46 = 46 (decimal) = 2E (hex) = 0x2E = _0X2E_
To make interacting with `environment-to-ini` less annoying, we template
and escape the sections/keys in nix:
`cfg.secrets` takes the same free-form sections/keys as `cfg.settings`.
Meaning there is now a generalized abstraction for all keys, not just
those that have been manually implemented in the past.
It goes as far as theoretically allowing one to have `DEFAULT.APP_NAME`
read from a secret file.
I don't know why one would want to do that, but it has been made
possible by this :^)
More reasonable examples are listed in the `cfg.secrets` option example.
We also continue to bootstrap a handful of secrets like
`security.SECRET_KEY`. This is done in a sort of sidecar bootstrap unit
fittingly called `forgejo-secrets.service`.
Overriding those is, just like before, not really intended and requires
the use of `lib.mkForce` and might lead to breakage. But it is, in a
way, more possible than before.
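The escaping described in the commit message above, as an added Python example (not code from the Forgejo module or from `environment-to-ini`): it builds `FORGEJO__SECTION__KEY` names, decodes them again, and renders a `cfg.secrets`-style attrset into `LoadCredential=` lines. It generalizes the two listed characters by hex-escaping every character outside `A-Z0-9_` (emitting the uppercase `_0X.._` form the list gives); that generalization, the sample paths and the `LoadCredential=` shape are assumptions of the example.

```python
import re

# environment-to-ini understands PREFIX__SECTION__KEY. Only A-Z, 0-9 and "_"
# may appear verbatim; the commit message lists "." -> _0X2E_ and
# "-" -> _0X2D_. Escaping every other character the same way (hex of its
# ASCII code) is an assumption of this example.
_VERBATIM = re.compile(r"[A-Z0-9_]")
_ESCAPED = re.compile(r"_0[xX]([0-9A-Fa-f]{2})_")


def escape_component(name: str) -> str:
    """Upper-case a section or key name and hex-escape the rest."""
    return "".join(
        ch if _VERBATIM.fullmatch(ch) else f"_0X{ord(ch):02X}_"
        for ch in name.upper()
    )

def unescape_component(name: str) -> str:
    """Inverse of escape_component (accepts _0x.._ and _0X.._ alike)."""
    return _ESCAPED.sub(lambda m: chr(int(m.group(1), 16)), name)

def env_var_name(section: str, key: str, prefix: str = "FORGEJO") -> str:
    """Name that environment-to-ini maps back to [section] / KEY in app.ini."""
    return f"{prefix}__{escape_component(section)}__{escape_component(key)}"

def env_assignment(section: str, key: str, value) -> str:
    """Full NAME=value line; Nix booleans render as lowercase true/false."""
    if isinstance(value, bool):
        value = "true" if value else "false"
    return f"{env_var_name(section, key)}={value}"

def render_load_credentials(secrets: dict) -> list:
    """Render a cfg.secrets-style attrset ({section: {KEY: path}}) into
    systemd LoadCredential= directives, one per secret. Using the env var
    name as the credential name is this example's assumption, not
    necessarily what the NixOS module emits."""
    return [
        f"LoadCredential={env_var_name(section, key)}:{path}"
        for section, keys in sorted(secrets.items())
        for key, path in sorted(keys.items())
    ]

if __name__ == "__main__":
    # Constructed sample mirroring the commit message's example.
    print(env_assignment("log.console", "COLORIZE", False))
    print(*render_load_credentials(
        {"mailer": {"PASSWD": "/run/secrets/forgejo-mailer-passwd"}}), sep="\n")
```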
The accounts directory is based on the hash of the settings.
https://github.com/NixOS/nixpkgs/pull/270221 changed the default of
security.acme.defaults.server from null to the default letsencrypt URL.
However, as an unwanted side effect this means the accounts directory
changes and the ACME module will create a new account.
This can cause issues with people using CAA records that pin the
account ID or people who have datacenter-scale NixOS deployments.
We allow setting this option to null again for people who want
to keep the old account and migrate at their own leisure.
Fixes https://github.com/NixOS/nixpkgs/issues/316608
Co-authored-by: Arian van Putten <arian.vanputten@gmail.com>
The comment says this is required by other modules but to be honest, I
cannot see where. Bootloaders will be included automatically by nixos
generation if their `installBootLoader` attribute references it.
This helps us to make kexec images even smaller, especially when
combined with the perlless profile.
The nvidia-modeset module is loaded, which in turn pulls in the nvidia module. This makes bbswitch fail to turn off the card since it would be in use by the module.
Use the `cfg.package.version` (string) instead of the entire package so
users don't see `error: value is a set while a string was expected`
instead of the intended assertion message.
- Use the print dialog to create a sample score.
- Copy also the sample score from the vm to $out of the test.
- Create a few more screenshots
- Only use machine.wait_for_window, never machine.wait_for_text which
requires OCR which is slow.
- Set XDG_RUNTIME_DIR so it won't dump core.
This prevents the post start script from running
before necessary sockets have been created.
It also prevents an unused shell from being kept around
by using `exec` to make `notify_push` the main process.
When services.gollum.{user,group} was set to a value other than its
default (i.e. "gollum"), the build failed due to referencing a
non-existing user.