The lines stored in `extraConfig` and `worker.<name?>.extraConfig`
should take precedent over values from included files but in order to do
this in rspamd UCL they need to be stored in a file that then gets
included with a high priority. This commit uses the overrides option to
store the value of the two `extraConfig` options in `extra-config.inc`
and `worker-<name?>.inc` respectively.
When the workers option for rspamd was originally implemented it was
based on a flawed understanding of how workers are configured in rspamd.
This meant that while rspamd supports configuring multiple workers of
the same type, so that different controller workers could have different
passwords, the NixOS module did not support this because it would write
an invalid configuration file if you tried.
Specifically a configuration like the one below:
```
workers.controller = {};
workers.controller2 = {
type = "controller";
};
```
Would result in a rspamd configuration of:
```
worker {
type = "controller";
count = 1;
.include "$CONFDIR/worker-controller.inc"
}
worker "controller2" {
type = "controller";
count = 1;
}
```
While to get multiple controller workers it should instead be:
```
worker "controller" {
type = "controller";
count = 1;
.include "$CONFDIR/worker-controller.inc"
}
worker "controller" {
type = "controller";
count = 1;
}
```
When implementing #49620 I included an enable option for both the
locals and overrides options but the code writing the files didn't
actually look at enable and so would write the file regardless of its
value. I also set the type to loaOf which should have been attrsOf
since the code was not written to handle the options being lists.
This fixes both of those issues.
With `promtool` we can check the validity of a configuration before
deploying it. This avoids situations where you would end up with a
broken monitoring system without noticing it - since the monitoring
broke down. :-)
Gluster's pidfile handling is bug-ridden.
I have fixed https://bugzilla.redhat.com/show_bug.cgi?id=1509340
in an attempt to improve it but that is far from enough.
The gluster developers describe another pidfile issue as
"our brick-process management is a total nightmare", see
f1071f17e0/xlators/mgmt/glusterd/src/glusterd-utils.c (L5907-L5924)
I have observed multiple cases where glusterd doesn't start correctly
and systemd doesn't notice because of the erroneous pidfile handling.
To improve the situation, we don't let glusterd daemonize itself any more
and instead use `--no-daemon` and the `Simple` service type.
Removes the old UI build tooling; it is no longer necessary
because as of 1.2.0 it's bundled into the server binary.
It doesn't even need to have JS built, because it's bundled into
the release commit's source tree (see #48714).
The UI is enabled by default, so the NixOS service is
updated to directly use `ui = webUi;` now.
Fixes#48714.
Fixes#44192.
Fixes#41243.
Fixes#35602.
Signed-off-by: Niklas Hambüchen <mail@nh2.me>
This module permits to preload Docker image in a VM in order to reduce
OIs on file copies. This module has to be only used in testing
environments, when the test requires several Docker images such as in
Kubernetes tests. In this case,
`virtualisation.dockerPreloader.images` can replace the
`services.kubernetes.kubelet.seedDockerImages` options.
The idea is to populate the /var/lib/docker directory by mounting qcow
files (we uses qcow file to avoid permission issues) that contain images.
For each image specified in
config.virtualisation.dockerPreloader.images:
1. The image is loaded by Docker in a VM
2. The resulting /var/lib/docker is written to a QCOW file
This set of QCOW files can then be used to populate the
/var/lib/docker:
1. Each QCOW is mounted in the VM
2. Symlink are created from these mount points to /var/lib/docker
3. A /var/lib/docker/image/overlay2/repositories.json file is generated
4. The docker daemon is started.
Setting this variable in the environment of systemd-timedated allows
'timedatectl' to tell if an NTP service is running.
Closes#48917.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
By default rspamd will look for multiple files in /etc/rspamd/local.d
and /etc/rspamd/override.d to be included in subsections of the merged
final config for rspamd. Most of the config snippets in the official
rspamd documentation are made to these files and so it makes sense for
NixOS to support them and this is what this commit does.
As part of rspamd 1.8.1 support was added for having custom Lua
rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is
now possible for NixOS to support such rules and so this commit also
adds support for this to the rspamd module.
hass will ignore the standard SIGTERM sent by systemd during stop/restart and we
then have to wait for the timeout after which systemd will forcefully kill the
process.
If instead if we send SIGINT, hass will shut down nicely.
There are many issues reported upstream about the inability to shut down/restart
and it is *supposed* to work with SIGTERM but doesn't.
`services.virtualisation.libvirtd.onShutdown` was previously unused.
While suspending a domain on host shutdown is the default, this commit
makes it so domains can be shut down, also.
* run as user 'slurm' per default instead of root
* add user/group slurm to ids.nix
* fix default location for the state dir of slurmctld:
(/var/spool -> /var/spool/slurmctld)
* Update release notes with the above changes
Previously, setting "privateNetwork = true" without specifying host and
local addresses would create unconfigured interfaces: ve-$INSTANCE on the host
and eth0 inside the container.
These changes is rebased part of the original PR #3021.
With this option enabled, before creating file/directories/symlinks in baseDir
according to configuration, old occurences of them are removed.
This prevents remainders of an old configuration (libraries, webapps, you name
it) from persisting after activating a new configuration.
100GB breaks cptofs but 50GB is fine and benchmarks shows it takes the same time as building the demo VBox VM with a 10GB disk
+ enabled VM sound output by default
+ set USB controller in USB2.0 mode
+ add manifest file in the OVA as it allows integrity checking on imports
* journald: forward message to syslog by default if a syslog implementation is installed
* added a test to ensure rsyslog is receiving messages when expected
* added rsyslogd tests to release.nix
The nixos-manual service already uses w3m-nographics for a variant that
drops unnecessary junk like various image libraries.
iso_minimal closure (i.e. uncompressed) goes from 1884M -> 1837M.
The changes were found by executing the following in the strongswan
repo (https://github.com/strongswan/strongswan):
git diff 5.6.3..5.7.1 src/swanctl/swanctl.opt
Rootston is just a reference compositor so it doesn't make that much
sense to have a module for it. Upstream doesn't really like it as well:
"Rootston will never be intended for downstream packages, it's an
internal thing we use for testing." - SirCmpwn [0]
Removing the package and the module shouldn't cause much problems
because it was marked as broken until
886131c243. If required the package can
still be accessed via wlroots.bin (could be useful for testing
purposes).
[0]: https://github.com/NixOS/nixpkgs/issues/38344#issuecomment-378449256
* Lets container@.service be activated by machines.target instead of
multi-user.target
According to the systemd manpages, all containers that are registered
by machinectl, should be inside machines.target for easy stopping
and starting container units altogether
* make sure container@.service and container.slice instances are
actually located in machine.slice
https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX
See original commit: https://github.com/NixOS/systemd/commit/45d383a3b8
* Enable Cgroup delegation for nixos-containers
Delegate=yes should be set for container scopes where a systemd instance
inside the container shall manage the hierarchies below its own cgroup
and have access to all controllers.
This is equivalent to enabling all accounting options on the systemd
process inside the system container. This means that systemd inside
the container is responsible for managing Cgroup resources for
unit files that enable accounting options inside. Without this
option, units that make use of cgroup features within system
containers might misbehave
See original commit: https://github.com/NixOS/systemd/commit/a931ad47a8
from the manpage:
Turns on delegation of further resource control partitioning to
processes of the unit. Units where this is enabled may create and
manage their own private subhierarchy of control groups below the
control group of the unit itself. For unprivileged services (i.e.
those using the User= setting) the unit's control group will be made
accessible to the relevant user. When enabled the service manager
will refrain from manipulating control groups or moving processes
below the unit's control group, so that a clear concept of ownership
is established: the control group tree above the unit's control
group (i.e. towards the root control group) is owned and managed by
the service manager of the host, while the control group tree below
the unit's control group is owned and managed by the unit itself.
Takes either a boolean argument or a list of control group
controller names. If true, delegation is turned on, and all
supported controllers are enabled for the unit, making them
available to the unit's processes for management. If false,
delegation is turned off entirely (and no additional controllers are
enabled). If set to a list of controllers, delegation is turned on,
and the specified controllers are enabled for the unit. Note that
additional controllers than the ones specified might be made
available as well, depending on configuration of the containing
slice unit or other units contained in it. Note that assigning the
empty string will enable delegation, but reset the list of
controllers, all assignments prior to this will have no effect.
Defaults to false.
Note that controller delegation to less privileged code is only safe
on the unified control group hierarchy. Accordingly, access to the
specified controllers will not be granted to unprivileged services
on the legacy hierarchy, even when requested.
The following controller names may be specified: cpu, cpuacct, io,
blkio, memory, devices, pids. Not all of these controllers are
available on all kernels however, and some are specific to the
unified hierarchy while others are specific to the legacy hierarchy.
Also note that the kernel might support further controllers, which
aren't covered here yet as delegation is either not supported at all
for them or not defined cleanly.
In this update:
* binaries `ckb` and `ckb-daemon` are renamed to `ckb-next` and `ckb-next-daemon`
* build system changed from qmake to cmake
* the directory searched for animation plugins no longer needs to be patched, as a result of the build system change
* modprobe patch has been bumped, since the source repository layout has changed
* the cmake scripts are quite FHS-centric and require patching to fix install locations
"machine.target" doesn't actually exist, it's misspelled version
of "machines.target". However, the "systemd-nspawn@.service"
unit already has a default dependency on "machines.target"
This was overlooked on a rebase of mine on master, when I didn't realize
that in the time of me writing the znc changes this new option got
introduced.
On AMD hardware with Mesa 18, compton renders some colours incorrectly
when using the glx backend. This patch sets an environmental variable
for compton so colours are rendered correctly.
Topical bug: <https://bugs.freedesktop.org/show_bug.cgi?id=104597>
This breaks with networking backends enabled and
also creates large delays on boot when some services depends
on the network target. It is also not really required
because tinc does create those interfaces itself.
fixes#27070
Tor requires ``SOCKSPort 0`` when non-anonymous hidden services are
enabled. If the configuration doesn't enable Tor client features,
generate a configuration file that explicitly includes this disabling
to allow such non-anonymous hidden services to be created (note that
doing so still requires additional configuration). See #48622.
* nat/bind/dhcp.service:
Remove. Those services have nothing to do with a link-level service.
* sys-subsystem-net-devices-${if}.device:
Add as BindsTo dependency as this will make hostapd stop when the
device is unplugged.
* network-link-${if}.service:
Add hostapd as dependency for this service via requiredBy clause,
so that the network link is only considered to be established
only after hostapd has started.
* network.target:
Remove this from wantedBy clause as this is already implied from
dependencies stacked above hostapd. And if it's not implied than
starting hostapd is not required for this particular network
configuration.
This reverts commit 10addad603, reversing
changes made to 7786575c6c.
NixOS scripts should be kept in the NixOS source tree, not in
pkgs. Moving them around is just confusing and creates unnecessary
code/history churn.
Move all the nixos-* scripts from the nixos distribution as real
packages in the pkgs/ package set.
This allows non-nixos users to run the script as well. For example,
deploying a remote machine with:
nixos-rebuild --target-host root@hostname --build-host root@hostname
A module for security options that are too small to warrant their own module.
The impetus for adding this module is to make it more convenient to override
the behavior of the hardened profile wrt user namespaces.
Without a dedicated option for user namespaces, the user needs to
1) know which sysctl knob controls userns
2) know how large a value the sysctl knob needs to allow e.g.,
Nix sandbox builds to work
In the future, other mitigations currently enabled by the hardened profile may
be promoted to options in this module.
This option represents the ZNC configuration as a Nix value. It will be
converted to a syntactically valid file. This provides:
- Flexibility: Any ZNC option can be used
- Modularity: These values can be set from any NixOS module and will be
merged correctly
- Overridability: Default values can be overridden
Also done:
Remove unused/unneeded options, mkRemovedOptionModule unfortunately doesn't work
inside submodules (yet). The options userName and modulePackages were never used
to begin with
The system variable is used from the (possibly polluted) shell
environment.
This causes nixos-install to fail in a nix-shell because the system
shell variable is automatically set to the current system (e.g.
x86_64-linux).
- added package option to specify which version of redmine
- added themes option back in to allow specifying redmine themes
- added plugins option back in to allow specifying redmine plugins
- added database.socket option to allow mysql unix socket authentication
- added port option to allow specifying the port rails runs on
- cleaned up Gemfile so it is much less hacky
- switched to ruby version 2.4 by default as suggested by documentation http://www.redmine.org/projects/redmine/wiki/redmineinstall#Installing-Redmine
- fixed an annoyance (bug) in the service causing recursive symlinks
- fixed ownership bug on log files generated by redmine
- updates reflecting renames in nixos options
- added a nixos test
Dummy display manager that allows running X as a normal user.
The X server is started manually from a vt using `startx`.
Session startup commands must be provided by the user
in ~/.xinitrc, which is NOT automatically generated.
Previously you either had to set the setuid bit yourself or workaround
`isSystemUser = true` (for a loginable shell) to access the weechat
screen.
`programs.screen` shouldn't do this by default to avoid taking too much
assumptions about the setup, however `services.weechat` explicitly
requires tihs.
See #45728
Included changes:
* upstream repository has moved, URLs changed accordingly
* journaldriver bumped to new upstream release
The new release includes an important workaround for an issue that
could cause log-forwarding to fail after service restarts due to
invalid journal cursors being persisted.
This patch uses the library function `lib.escapeShellArg` to improve
the handling of shell aliases in the NixOS module `bash`, copying the
corresponding change made to the `zsh` module in commit
1e211a70cb (for which GitHub pull
request #47471 was filed).
This patch resolves GitHub issue #16973.
This change presumably also should be copied to the `fish` module, but
I don't know `fish` syntax so that won't be done by me.
GitHub: CloseNixOS/nixpkgs#16973.
When logging into a container by using
nixos-container root-login
all nix-related commands in the container would fail, as they
tried to modify the nix db and nix store, which are mounted
read-only in the container. We want nixos-container to not
try to modify the nix store at all, but instead delegate
any build commands to the nix daemon of the host operating system.
This already works for non-root users inside a nixos-container,
as it doesn't 'own' the nix-store, and thus defaults
to talking to the daemon socket at /nix/var/nix/daemon-socket/,
which is bind-mounted to the host daemon-socket, causing all nix
commands to be delegated to the host.
However, when we are the root user inside the container, we have the
same uid as the nix store owner, eventhough it's not actually
the same root user (due to user namespaces). Nix gets confused,
and is convinced it's running in single-user mode, and tries
to modify the nix store directly instead.
By setting `NIX_REMOTE=daemon` in `/etc/profile`, we force nix
to operate in multi-user mode, so that it will talk to the host
daemon instead, which will modify the nix store for the container.
This fixes#40355
Several service definitions used `mkEnableOption` with text starting
with "Whether to", which produced funny option descriptions like
"Whether to enable Whether to run the rspamd daemon..".
This commit corrects this, and adds short descriptions of services
to affected service definitions.
The problem was that the non-fatal warning was not omitted
from the output when constructing a nix expression.
Now it seems OK for me. When return code is OK,
the warnings don't get passed anywhere, but I expect
that won't matter for this utility. Fatal errors are still shown.
as using /var/run now emits a warning by systemd's tmpfiles.d.
As /var/run is already a symlink to /run, this can't break anything, and
data does not need to be migrated.
The autoupgrade service defined in `system.autoUpgrade`
(`nixos/modules/installer/tools/auto-upgrade.nix`) doesn't have `su` in
its path and thus yields a warning during the `daemon-reload`.
Specifying the absolute path fixes the issue.
Fixes#47648
The init script slightly differs depending on which shell is in use.
So for bash it should be in the interactiveShellInit as well.
In this case we don't need a mkIf as `bash` is enabled by default
on NixOS.
We use `127.0.1.1` instead of `127.0.0.1` because some applications will fail if
`127.0.0.1` resolves to something other than `localhost`.
Debian does the same.
See #1248 and #36261.
Since `networking.hosts` is properly typed all of that magic `/etc/hosts` generator
does can be dropped. People that disagree with the value of `networking.hosts` can
simply `mkForce`.
This is necessary when system-wide dconf settings must be configured, i.e. to
disable GDM's auto-suspending of the machine when no user is logged in.
Related to https://github.com/NixOS/nixpkgs/issues/42053.
I think pam_lastlog is the only thing that writes to these files in
practice on a modern Linux system, so in a configuration that doesn't
use that module, we don't need to create these files.
I used tmpfiles.d instead of activation snippets to create the logs.
It's good enough for upstream and other distros; it's probably good
enough for us.
Nix 2.0 no longer uses these directories.
/run/nix/current-load was moved to /nix/var/nix/current-load in 2017
(Nix commit d7653dfc6dea076ecbe00520c6137977e0fced35). Anyway,
src/build-remote/build-remote.cc will create the current-load directory
if it doesn't exist already.
/run/nix/remote-stores seems to have been deprecated since 2014 (Nix
commit b1af336132cfe8a6e4c54912cc512f8c28d4ebf3) when the documentation
for $NIX_OTHER_STORES was removed, and support for it was dropped
entirely in 2016 (Nix commit 4494000e04122f24558e1436e66d20d89028b4bd).
The default value for journald's Storage option is "auto", which
determines whether to log to /var/log/journal based on whether that
directory already exists. So NixOS has been unconditionally creating
that directory in activation scripts.
However, we can get the same behavior by configuring journald.conf to
set Storage to "persistent" instead. In that case, journald will create
the directory itself if necessary.
Previously, the activation script was responsible for ensuring that
/etc/machine-id exists. However, the only time it could not already
exist is during stage-2-init, not while switching configurations,
because one of the first things systemd does when starting up as PID 1
is to create this file. So I've moved the initialization to
stage-2-init.
Furthermore, since systemd will do the equivalent of
systemd-machine-id-setup if /etc/machine-id doesn't have valid contents,
we don't need to do that ourselves.
We _do_, however, want to ensure that the file at least exists, because
systemd also uses the non-existence of this file to guess that this is a
first-boot situation. In that case, systemd tries to create some
symlinks in /etc/systemd/system according to its presets, which it can't
do because we've already populated /etc according to the current NixOS
configuration.
This is not necessary for any other activation script snippets, so it's
okay to do it after stage-2-init runs the activation script. None of
them declare a dependency on the "systemd" snippet. Also, most of them
only create files or directories in ways that obviously don't need the
machine-id set.
environment.sessionVariables cannot refer to the values of env vars,
and as a result this has caused problems in a variety of scenarios.
One use for these is that they're injected into /etc/profile,
elewhere these are used to populate an 'envfile' for pam
(`pam 5 pam_env.conf`) which mentions use of HOME being
potentially problematic.
Anyway if the goal is to make things easier for users,
simply do the NIX_PATH modification as extraInit.
This fixes the annoying problems generated by the current approach
(#40165 and others) while hopefully serving the original goal.
One way to check if things are borked is to try:
$ sudo env | grep NIX_PATH
Which (before this change) prints NIX_PATH variable with
an unexpanded $HOME in the value.
-------
This does mean the following won't contain user channels for 'will':
$ sudo -u will nix-instantiate --eval -E builtins.nixPath
However AFAICT currently they won't be present either,
due to unescaped $HOME. Unsure if similar situation for other users
of sessionVariables (not sudo) work with current situation
(if they exist they will regress after this change AFAIK).
Previously single quotes were used by default for aliases and the module
never warned about possible collisions when having a shell alias which
relies on single quotes.
Adding `escapeShellArg` works around this fixes the issue and ensures that a
properly quoted value is written to `/etc/zshrc`.
The socket activation I added to the rspamd module doesn't actually work
and can't be made to work without changes to rspamd.
See: #47421
See: rspamd/rspamd#2035