While reviewing other changes related to synapse I rediscovered the
`lib.findFirst (...) (lib.last resources)` hack to find a listener
supporting the `client` resource. We decided to keep it that way for now
a while ago to avoid scope-creep on the RFC42 refactoring[1]. I wanted
to take care of that and forgot about it.
Anyways, I'm pretty sure that this is bogus: to register a user, you
need the `client` API and not a random listener which happens to be the
last one in the list. Also, you need something which serves the `client`
API to have the entire synapse<->messenger interaction working (whereas
`federation` is for synapse<->synapse).
So I decided to error out if no `client` listener is found. A listener
serving `client` can be defined in either the main synapse process or
one of its workers via `services.matrix-synapse.workers`[2].
However it's generally nicer to use assertions for that because then
it's possible to display multiple configuration errors at once and one
doesn't have to chase one `throw` after another. I decided to also error
out when using the result from `findFirst` though because module
assertions aren't thrown necessarily when you evaluate a single config
attribute, e.g. `config.environment.systemPackages` which depends on an
existing client listener because of `registerNewMatrixUser`[3].
While at it I realized that if `settings.instance_map` is wrongly
configured, e.g. by
settings.instance_map = mkForce {
/* no `main` in here */
}
an `attribute ... missing` error will be thrown while evaluating the
worker assertion.
[1] https://github.com/NixOS/nixpkgs/pull/158605#discussion_r815500487
[2] This also means that `registerNewMatrixUser` will still work if you
offload the entire `client` traffic to a worker.
[3] And getting a useful error message is way better for debugging in such a
case than `value is null while a set was expected`.
follow-up on 28b3156bc6 which broke
when tokenFile was left empty.
Making both options nullable also allows us to provide a more meaningful
error message when neither authentication method is configured.
This exposes the banner message option in GDM. Some computing
environments have compliance requirements which include displaying a
message to the user before logon.
This solves an issue, where loading the nixos-unstable module in
nixos-stable using `disabledModules` and `imports` resulted in the
following Caddyfile:
```
<globalConfig>
<vhosts>
<extraConfig>
```
instead of
```
<globalConfig>
<extraConfig>
<vhosts>
```
This is important in cases where `cfg.extraConfig` contains so called
Caddyfile snippets.
See https://caddyserver.com/docs/caddyfile/concepts#structure
Co-authored-by: Lin Jian <me@linj.tech>
This should ensure systemd handles starting all services (main and
workers) in a single transaction, thus preserving unit orderings
defined through After= even when not restarting the target.
The problem we had back then was that `mkRenamedOptionModule` doesn't
work if an option will be moved a level depper, i.e.
services.grafana.provision.dashboards
became
services.grafana.provision.dashboards.settings.provider
I actually planned to remove this before 23.05 (since the change was
already released in 22.11), but as you can see that didn't happen ;-)
I think the grace-period was quite long already. And if someone is
migrating from <22.11 to a current NixOS now, there are very precise
instructions on how to upgrade in the 22.11 release notes.
To those who use Jellyfin's DLNA server, it can happen that the DLNA server starts before we are connected to the LAN.
When this happens, Jellyfin only publishes the DLNA server on the local ports and is not discoverable by devices in the LAN.
In order to fix this, I'm ensuring that Jellyfin starts after we are connected to the network, making it properly discoverable by DLNA clients.
After making this change, Jellyfin's DLNA server is now working as expected on my machine. It used to be consistently undiscoverable.
I verified that this doesn't break anything in situations where the LAN is not available: I disconnected my laptop from the network and rebooted it and Jellyfin started as expected.
This change was informed by reading the suggestion in this article: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
Actually, it's supposed to be `listOf (attrsOf str)` because each
list-item can match against multiple properties from `urlsplit`[1]. In
fact, `listOf str` breaks URL previews at runtime:
Sep 14 15:03:47 soost synapse[1100355]: synapse.http.server: [GET-116] Failed handle request via 'PreviewUrlResource': <XForwardedForRequest at 0x7f691bd5f730 method='GET' uri='/_matrix/media/r0/preview_url?url=<redacted>' clientproto='HTTP/1.1' site='8448'>
Traceback (most recent call last):
[...]
File "/nix/store/xk5yksbw09p6qwk0maq2cb2in3z6f4gn-matrix-synapse-1.91.2/lib/python3.10/site-packages/synapse/media/url_previewer.py", line 398, in _is_url_blocked
for attrib, pattern in entry.items():
AttributeError: 'str' object has no attribute 'items'
To make sure that people aren't confused when upgrading their configs, I
decided to work with `types.coercedTo` to "pretend" accepting the old
type signature, but then throwing an error explaining what to do (and
rejecting the broken configuration).
[1] https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlsplit
It fails to build with
npm ERR! code 1
npm ERR! path /nix/store/n7sdkr41nax0mn8drh3lxymqbmrradi4-tedicross-0.8.7/lib/node_modules/tedicross/node_modules/sodium
npm ERR! command failed
npm ERR! command sh -c node install.js --preinstall
npm ERR! Static libsodium was not found at /nix/store/n7sdkr41nax0mn8drh3lxymqbmrradi4-tedicross-0.8.7/lib/node_modules/tedicross/node_modules/sodium/deps/build/lib/libsodium so compiling libsodium from source.
npm ERR! automake is required, but wasn't found on this system
npm ERR! make: *** [Makefile:62: libsodium] Error 1
npm ERR! /nix/store/n7sdkr41nax0mn8drh3lxymqbmrradi4-tedicross-0.8.7/lib/node_modules/tedicross/node_modules/sodium/install.js:287
npm ERR! throw new Error(cmdLine + ' exited with code ' + code);
npm ERR! ^
npm ERR!
npm ERR! Error: make libsodium exited with code 2
npm ERR! at ChildProcess.<anonymous> (/nix/store/n7sdkr41nax0mn8drh3lxymqbmrradi4-tedicross-0.8.7/lib/node_modules/tedicross/node_modules/sodium/install.js:287:19)
npm ERR! at ChildProcess.emit (node:events:514:28)
npm ERR! at ChildProcess._handle.onexit (node:internal/child_process:291:12)
npm ERR!
npm ERR! Node.js v18.17.1
This commit introduces a `networking.networkmanager.fccUnlockScripts`
option, which allows specifying additional, usually vendor-provided
unlock scripts.
networking.networkmanager.enableBundledFccUnlockScripts is refactored to
make use of the same mechanism internally.
PR #155414 introduced an option to support enabling the FCC unlock
scripts that ModemManager provides, but since 1.18.4 doesn't execute
anymore.
However, this option is specifically only about the unlock scripts
provided with ModemManager so far. Rename the option to make this more
obvious.
the schema files referenced in the current preStart are empty.
other ones exist, but don't apply cleanly either.
calling update.php with --update-schema works for initial setup and
updates. if the database schema is already up to date, it's idempotent.
When not setting `settings` and setting `openFirewall = true`
evaluation would fail because it tries to access `settings.bind_port`
while `settings == null`
The module for Plasma 5 contained two pointless setuid wrappers:
* kscreenlocker_greet was introduced when the kscreenlocker package
dropped kcheckpass. However, this was actually replaced by making
proper use of PAM (which finally calls its unix_chkpwd setuid binary).
kscreenlocker_greet itself was never intended to be setuid.
Fortunately, this is not exploitable, because QCoreApplication
immediately aborts if it detects setuid. The wrapper is still
incorrect and pointless, so remove it.
* start_kdeinit can optionally use setuid root or setcap
CAP_SYS_RESOURCE to reduce its OOM killer score. However, with systemd
startup, start_kdeinit does not get used at all. So in this case, the
setuid wrapper is pointless, and so is removed as well. Ideally, the
case where systemd startup is not enabled would use a capability
wrapper instead, but since systemd startup is the default in NixOS and
kinit is deprecated upstream for KF6, I don't bother any more.
With this commit, the validation of `sshd_config`
is performed with `sshd -G` instead of `sshd -t`.
The former does not require a valid host key.
Checking the host key was never useful for us:
We just generated a dummy host key to
make the validation mechanism happy.
With this change the dummy key is no longer needed.
This change not only saves some CPU cycles
(avoid the generation of an RSA key),
but it also permits to set `RequiredRSASize` to a value
larger than the current rsa key default size (3072).
