See https://blog.prosody.im/prosody-0.12.0-released for more
informations.
We remove the various lua wrappers introduced by
6799a91843 and
16d0b4a69f. It seems like we don't need
them anymore. I'm not brave enough to dig into the Lua machinery to
see what resolved that. Sorry, you'll have to trust me on that one.
We should probably think about the migration from http_upload to
http_file_share for the NixOS module. It's not trivial, we need to
make sure we don't break the already uploaded URLs.
This commit refactors the way how configuration files are deployed to
the `/etc/asterisk` directory.
The current solution builds a Nix derivation containing all config files
and symlinks it to `/etc/asterisk`. The problem with that approach is
that it is not possible to provide additional configuration that should
not be written to the Nix store, i.e. files containing credentials.
The proposed solution changes the creation of configuration files so
that each configuration file gets symlinked to `/etc/asterisk`
individually so that it becomes possible to provide additional config
files to `/etc/asterisk` as well.
Renaming the variable from `initScript` to `bashAndZshInitScript` makes it clearer, what it is actually used for.
Moving the fish init script right below the other call to `thefuck --alias` makes it more obvious, when one of them is different in some important way.
We can make the growfs and makefs binaries conditional because we know
if we'll need them. Also move the cryptsetup generator to the luksroot
so it's not included when not needed.
We drop some generators altogether: systemd-getty-generator because we
don't have getty anyway in stage 1, systemd-system-update-generator
because we don't use that logic in NixOS and
systemd-veritysetup-generator because stage 1 has no veritysetup support
(yet) and if it had, we still wouldn't want to include the generator
unconditionally.
First, add the builtin udev rules to /etc/udev/rules.d so they are used.
Then, add all networkd .link units to the initrd. This is done in the
old stage 1 as well so I assume this is needed even when networkd is not
used. I assume this is for things like changing the MAC address.
Also limit the number of udev/lib binaries that is put into the initrd
because the old initrd doesn't use all units either.
Currently we're still using scripted networking by default. A problem
with scripted networking is that having `useDHCP` on potentially
non-existing interfaces (e.g. an ethernet interface for USB tethering)
can cause the boot to hang.
Closes#107908
Previously this wasn't done in the `forEach`-expression for
`cfg.interfaces` and thus `networking.useDHCP` didn't have any effect if
no further interface was statically configured.
We can't assume that DRI card minor is the same as NVidia GPU device minor,
because some DRI minors could be taken by GPUs of other vendors.
Fixes#87788, #98942.
We need to move NixOS containers somewhere else so these don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.
The state directory move is not strictly a requirement but is good for
consistency.
The NixOS evaluation would complain:
trace: warning: literalExample is deprecated, use literalExpression instead, or use literalDocBook for a non-Nix description.
The description for the runner in the UI is by default sthg like
"npm_nixos_d0544ed48909" i.e., the name of the attribute.
I wanted to have a more user-friendly description and added a
description to the service.
Seems like gitlab-runner doesn't like having both fields set:
"Cannot use two forms of the same flag: description name"
so I used one or the other.
This avoids the scenario where you activate a new config over Tailscale,
and a long delay between the "stop services" and "start services" phases
of the activation script lead to your terminal freezing for tens of
seconds, until tailscaled finally gets started again and the session
recovers.
Per the documentation of stopIfChanged, this is only safe to do if the
service definition is robust to stopping the old process using the new
service definition. As the maintainer of the upstream systemd unit, I
can confirm that Tailscale is robust to this scenario: it has to be
in order to work right on several other distros that just do
unpack-then-restart, rather than the more complex stop-unpack-start
dance.
Signed-off-by: David Anderson <dave@natulte.net>
This includes disabling some features in the initrd by default, this is
only done when the new initrd is used. Namely, ext and bcache are
disabled by default. bcache gets an own enable option while ext is
detected like any other filesystem.
I recently learned that Nextcloud 23's new profile feature — basically a
way for users to share personal contact details — has a problematic
default setting, profile data is shared with **everyone** by default.
This means that an unauthenticated user can access personal information
by accessing `nextcloud.tld/u/user.name`.
The announcement of v23 states[1]:
> We go a step further and introduce a profile page. Here you can put a
> description of yourself, show links to, for example, social media, what
> department you are in and information on how to contact you. All these
> are of course entirely optional and you can choose what is visible to who!
> The profile and user status are accessible also from our mobile and desktop clients.
It's not mentioned that by default you share personal information[3] with
everyone and personally I think that's somewhat problematic.
To work around that, I decided to add an option for the recently added[2]
and even set it to `false` by default to make an explicit opt-in for
that feature.
[1] https://nextcloud.com/blog/nextcloud-hub-2-brings-major-overhaul-introducing-nextcloud-office-p2p-backup-and-more/
[2] https://github.com/nextcloud/server/pull/31624/files
[3] By default, this affects the following properties:
* About
* Full name
* Headline
* Organisation
* Profile picture
* Role
* Twitter
* Website
Phone, Address and Email are not affected and only shown to
authenticated users by default.
There is no need to install them when they will not be picked up
by the Appearance panel of GNOME Control Center without
a XML metadata file anyway.
They will be pulled into the closure via overrides
so that is not a concern either.
This reverts commit 7f3bc5b8fa.
This reverts commit fa607bc939.
On first run, Postfix will refuse to start if it's started before
Mailman is up, because it'll try to read the map files generated
Mailman the first time it's started, and they won't exist yet. To fix
this, make sure Postfix isn't started until after Mailman is up if
they're both activated at the same time.
The old way of writing the file omited qoutes within strings which are needed by some configurations like federations.
The quotes got lost when `echo`ing the content via `echo '${builtins.toJSON x}'`.
The pkgs.formats.json does handle that race condition properly, so this commit switches the writing to that helper.
`fcitx5` and `service.earlyoom` rely on use XDG autostart files to start.
But for X session with only window manager and no desktop manager
(`none` is used), no one can start them.
This options is added to run these autostart files for sessions without
desktop manager to make other services just work.
The current type for the busId options are too relaxed, a stricter
constraint should be imposed to guard against typos which result
in Xorg unable to start.
This commit restricts the type to adhere to the B/D/F notation[1] for
addressing devices as expected by the module option.
[1] - https://wiki.osdev.org/PCI#Configuration_Space_Access_Mechanism_.231
Apparently this was never properly tested and never worked. When the IPFS repo needs upgrading, the first call to ipfs, which is run before running the migration, fails with the error message "Error: ipfs repo needs migration".
To fix this, simply run the migration before any `ipfs config` calls but don't run it when `dataDir` is empty and we need to call `ipfs init`.
Writing a NixOS test for this would require keeping at least two versions of IPFS in Nixpkgs, which we don't currently do.
cpio includes the number of directory hard links in archives it creates.
Some filesystems, like btrfs, do not count directory hard links the same
way as more common filesystems like ext4 or tmpfs, so archives built
when /tmp is on such a filesystem do not reproduce. This patch replaces
cpio with bsdtar, which does not have this issue. The specific
invocation is from this page:
https://reproducible-builds.org/docs/archives/
1. Update the default values of several addresses-related settings
that have been changed by upstream.
2. Make `dns.address` take multiple addresses. This is needed
for dual stack, now working by default.
UEFI firmware does not have to be able to read ISO9660 filesystems, so
the El Torito mechanism provides a way to specify an embedded FAT32
image which contains files the UEFI firmware itself must be able to
read, such as UEFI executables. Once GRUB starts and reads its
configuration, it can access the ISO9660 filesystem to load other files.
This change removes the unused kernel, initrd, and GRUB font files from
the El Torito image, but keeps the GRUB configuration and UEFI
executables. These files have been present since EFI support was
originally introduced in commit 097c656. Other distribution ISOs, such
as Ubuntu 20.04, Fedora 35, and Windows 10 work this way too. This saves
24MiB on x86_64 and 61MiB on aarch64 ISOs.
GNOME 42 needs two wallpaper pictures – for the default (light)
colour scheme and for the dark one. Because we are clearing out
the paths in `gsettings-desktop-schemas` to prevent closure
from bloating, we need to set them in the NixOS module.
Since the wallpaper for the default colour scheme is dark,
will relegate it to the dark colour scheme and switch
to a light blue variant for the default colour scheme.
That one has inverted roundel for the NixOS logo but
it is the only light-ish background that has the logo
of the same size and placing as the dark wallpaper.
This module exposes a config.system.build.kexecBoot attribute,
which returns a directory with kernel, initrd and a shell script
running the necessary kexec commands.
It's meant to be scp'ed to a machine with working ssh and kexec binary
installed.
This is useful for (cloud) providers where you can't boot a custom image, but
get some Debian or Ubuntu installation.
With version 17 of Keycloak, the Wildfly based distribution was
deprecated in favor of the one based on Quarkus. The difference in
configuration is massive and to accommodate it, both the package and
module had to be rewritten.
This allows django-q to set the number of workers according to the CPU
core count and to show memory stats via `manage.py qmonitor`.
This also fixes a non-critical psutil error in paperless-ng-server.
Service:
- Fix misleading comment:
We could in fact implement password copying as a preStart script by
amending BindReadOnlyPaths, but adding an extra service is simpler.
Test:
- Add more detailed subtest names
- Simplify date check
It's already defined in `systemd/user.nix`.
This is a leftover from commit b6d50528dd
where all `systemd.user` settings were moved to `systemd/user.nix`.
- Fix the name of the env
- Add the correct kmod to the initrd
- Add `less` to make journalctl usable
- Fix SYSTEMD_SULOGIN_FORCe for rescue.target
- Add some missing binaries