* nixos/opensmtpd: Add missing brackets in config
Without this commit, you end up missing the sendmail suid wrapper,
because the "program" attribute would not override the right thing.
* Update nixos/modules/services/mail/opensmtpd.nix
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Apparently setting a variable via `environment.variables` when the same
is already present in `environment.sessionVariables` (that is merged
into the former option) creates a conflict.
For reference: this started with the change in #101274.
The `services.mastodon` module currently hardcodes sidekiq's concurrency
to 25, but doesn't set a DB pool size, which defaults to 5 or the number
of configured web threads.
(This behaviour is very strange, and arguably a mastodon bug.)
This also makes sidekiq's concurrency configurable, because 25 is a tad
high for the hardware I'm running it on.
After recent change `services.smokeping.enable = true;` system
started failing the build as:
```
nixpkgs-master $ nix build --no-link -f nixos system --keep-going
...
Checking that Nix store paths of all wrapped programs exist... FAIL
The path /nix/store/kr2sr80g9ny74im6m6dyh9v44hnzm261-fping-5.0/bin/fping6 does not exist!
Please, check the value of `security.wrappers."fping6".source`.
```
`fping` does not provide `fping6` binary for a while. Let's just remove it.
Closes: https://github.com/NixOS/nixpkgs/issues/138581
Moving the service before multi-user.target (so the `hardened` test
continue to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and changing the test to
wait specifically for the disable-kernel-module-loading.service.
The current name is misleading: it doesn't contain cli arguments,
but several constants and utility functions related to qemu.
This commit also removes the use of `with import ...` for clarity.
- Detailed initial config generation process.
- Detailed Nginx Configuration.
- Detailed private/public conf split.
docs: Improved documentation of Pleroma service
Secrets are only in the private file, and in a draft format for avoiding GitHub
complaints.
Fixed Nginx configuration.
docs: Improved the Nginx reverse proxy settings of Pleroma service
Just setting the XKB_CONFIG_ROOT should be enough, so we don't need to
rebuild the xserver, xkbcomp and other packages anymore.
However, the variable has to be passed explicitely to scripts running at
build time: in particular to xkbvalidate and xkb-console-keymap.
Fixes:
```
activating the configuration...
warning: user ‘systemd-coredump’ has unknown group ‘systemd-coredump’
setting up /etc...
```
Oversight of #133166
Other services that depend on elasticsearch should be started after
it, but since the versions we're packaging have to run as
"Type=simple", they're started as soon as the elasticsearch binary has
been executed, likely winning the race against it.
This makes sure elasticsearch is up and running, responding to a
simple query, before dependents are started.
When cross-compiling, we can't run the runtime shell to check syntax
if it's e.g. for a different architecture. We have two options here.
We can disable syntax checking when cross compiling, but that risks
letting errors through. Or, we can do what I've done here, and change
the syntax check to use stdenv's shell instead of the runtime shell.
This requires the stdenv shell and runtime shell to be broadly
compatible, but I think that's so ingrained in Nixpkgs anyway that
it's fine. And this way we avoid conditionals that check for cross.
Add a shell script that checks if the paths of all wrapped programs
actually exist to catch mistakes. This only checks for Nix store paths,
which are always expected to exist at build time.
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
To keep backward compatibility and have a typing would require making
all options null by default, adding a defaultText containing the actual
value, write the default value logic based on `!= null` and replacing
the nulls laters. This pretty much defeats the point of having used
a submodule type.
The security.wrappers option is morally a set of submodules but it's
actually (un)typed as a generic attribute set. This is bad for several
reasons:
1. Some of the "submodule" option are not document;
2. the default values are not documented and are chosen based on
somewhat bizarre rules (issue #23217);
3. It's not possible to override an existing wrapper due to the
dumb types.attrs.merge strategy;
4. It's easy to make mistakes that will go unnoticed, which is
really bad given the sensitivity of this module (issue #47839).
This makes the option a proper set of submodule and add strict types and
descriptions to every sub-option. Considering it's not yet clear if the
way the default values are picked is intended, this reproduces the current
behavior, but it's now documented explicitly.
I noticed this minor grammar mistake when running update.nix, and then
while grepping to find the source I noticed we had it a few times in
Nixpkgs. Just as easy to fix treewide as it was to fix the one
occurrence I noticed.
The primary use case is tools like sops-nix and agenix to restart units
when secrets change. There's probably other reasons to restart units as
well and a nice thing to have in general.
Allows advanced users to select what packages they want to generate the
man cache for, and even more advanced users to make manualPages
content-addressed to avoid needless rebuilds.
Adds the ability to provide the --write flag in addition to the --serve flag via
a new option, services.sshServe.write.
A user can now share their system as a remote builder with friends easily as
follows:
{
nix = {
sshServe = {
enable = true;
write = true;
keys = ["ssh-dss AAAAB3NzaC1k... alice@example.org"];
};
};
}
Co-authored-by: Raphael Megzari <raphael@megzari.com>
Conflicts:
- pkgs/development/python-modules/pathspec/default.nix
The hashes are equivalent, so it's not a real conflict.
- pkgs/top-level/static.nix
I can't see a solution, deffered redoing this to the later PR:
https://github.com/NixOS/nixpkgs/pull/136849
Matrix homeservers have two important domains. The user-visible server_name and the homeserver domain which serves most of the traffic but is really seen by users. The docs around this variable said "This is used by remote servers to connect to this server" which is very confusing because most of the remote server traffic actually goes the server domain, not the server_name domain. (The server_name domain is only used to fetch the .well-known file that points at the server domain).
I largely copied the wording from https://matrix-org.github.io/synapse/latest/usage/configuration/homeserver_sample_config.html as I found it much more clear.
The treatment of the "source" parameter changed
with eb7120dc79, breaking stuff.
Before that commit, the source parameter was converted to a
string by implicit coercion, which would copy the file to the
store and yield an string containing the store path. Now, by
the virtue of escapeShellArg, toString is called explicitly on
that path, which will yield an string containing the absolute
path of the file.
This commit restores the old behavior.
Dash `echo` interprets backslash escapes. This causes two consecutive backslashes in JSON to turn into a single one before the string is passed to jq, resulting in a parsing error.
This is useful for situations in which you might want to reset certain
things using `--reset-database` or `--reset-deltas` or debug certain
things using any of the debug options like `--debug-perf-stats`.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Qt links against GTK to be able to use native GTK file chooser
in GTK-oriented DEs. However, GTK expects a specific environment,
which means the application needs to be wrapped to prevent crashes
when file chooser is opened in some environments.
This patch bypasses the need for wrapping Qt applications with GTK-related
environment since the file chooser dialogue will now come from a separate
process (instantiated by the XDG desktop portal via D-Bus).
In the future, we could remove the GTK dependency from Qt to fix the crashes
on non-{GNOME,Pantheon} environments. Then, users would be able to choose
between non-native Qt dialogue or native one facilitated by XDG portals
(e.g. through setting `QT_QPA_PLATFORMTHEME` to either `qgnomeplatform`,
or `xdgdesktopportal`).
One disadvantage is adding a Qt dependency to GNOME, even for people
who might not use any Qt apps. But they can easily just add `qt5.enable = false;`
to their NixOS configuration.
The configuration is also presumably less battle tested than plain Qt
with its first-party GTK integration. But it is backed by Fedora
and used by Manjaro GNOME so it cannot be that bad.
Lastly, I worry about ABI compatibility of the platform modules
with apps installed from different Nixpkgs revision.