Without this change, users that have both `initialHashedPassword` and
`hashedPassword` set will have `initialHashedPassword` take precedence,
but only for the first time `/etc/passwd` is generated. After that,
`hashedPassword` takes precedence. This is surprising behavior as it
would generally be expected for `hashedPassword` to win if both are set.
This wouldn't be a noticeable problem (and an assert could just be made
instead) if the users-groups module did not default the
`root.intialHashedPassword` value to `!`, to prevent login by default.
That means that users who set `root.hashedPassword` and use an ephemeral
rootfs (i.e. `/etc/passwd` is created every boot) are not able to log in
to the root account by default, unless they switch to a new generation
during the same boot (i.e. `/etc/passwd` already exists and
`hashedPassword` is used instead of `initialHashedPassword`) or they set
`root.initialHashedPassword = null` (which is unintuitive and seems
redundant).
Update protonmail-bridge to v3. This also rename the CLI executable from
protonmail-bridge to bridge to be more in line with upstream naming.
Co-authored-by: James Landrein <github@j4m3s.eu>
Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
It looks like the systemd-initrd variant of the systemd-shutdown test
(systemd-initrd-shutdown) did not actually enable the systemd-initrd and
so was just evaluating to the same store path before this change.
Since version 1.10.0 paperless-ngx depends on the NLTK library which is
used to pre-process data for machine learning. NLTK needs certain
data for stemming, stopword removal etc. This data has to be downloaded
first. This commit introduces a new systemd service that does the
downloading.
In general the man pages do not care what OS and manual they are shipped
with, so they don't get to choose the names of them. We were tempted to
do so, as we had inconsistently chosen OS names for the mandoc and
man-db/groff implementations. Since this has been rectified since, we
can just drop this boilerplate from the man pages.
Being able to override `boot.initrd.systemd.initrdBin` with `boot.initrd.systemd.extraBin` is a desirable behavior, so this PR changes the `ln -s` command to `ln -sf` to force link even if the file already exists.
We’ve been having trouble figuring out which kind of token to use and
why our setup would break every few system updates.
This should clarify which options there are, and which ones lead to
better results.
Ideally there would be a manual section that has a step-by-step guide
on how to set up the github runner, with screenshots and everything.
Purge contents of `workDir` as root to also allow the removal of files
marked as read-only. It is easy to create read-only files in `workDir`,
e.g., by copying files from the Nix store.
This builds on top of nixpkgs mainline 00d8347180
with the following two PRs cherry-picked:
- https://github.com/NixOS/nixpkgs/pull/192670
- https://github.com/NixOS/nixpkgs/pull/192668
using the following command:
```
nix build -f nixos -L \
-I nixos-config=nixos/modules/installer/sd-card/sd-image-powerpc64le.nix \
config.system.build.sdImage
```
I was able to successfully boot the image, although it boots to a login prompt
rather than a shell, and won't accept the empty password for `root`. I guess
I'll have to figure out why that is.
To boot the image: `zstd`-decompress the it, mount it, and use `kexec`:
```
cd boot/nixos
kexec -l \
*-vmlinux \
--initrd *-initrd \
--dt-no-old-root \
--command-line="$(grep APPEND ../extlinux/extlinux.conf | sed 's_^ *APPEND *__')"
```
The machine I used for testing has only one storage device which is completely
allocated to LVM. It appears that the NixOS ISO loader doesn't look for
partition tables within LVM volumes. To work aroundn this, I had to extract the
`ext4` image within the partition table within the `sd-card` image and put that
in its own LVM volume. This likely won't be an obstacle for users who write the
image to a USB stick or similar.
Upstream has officially abandoned the project as of 2021 [0], there's been
no release since 2016, it uses the EoL Qt 4, and alternatives like
KeePassXC exist.
Also move KeePassXC to its own directory -- it doesn't make sense to
have it in KeePassX's folder anymore.
[0]: https://www.keepassx.org/index.html%3Fp=636.html
GDM and LightDM are already using this approach. It also allows us to
enable Kwallet integration more globally without generating stray PAM
services.
The default configuration of login service includes both options sddm
was setting explicitly.
This removes two unused service configs from /etc/pam.d/ and, more
importantly, reduces confusion.
* kdm no longer exists in nixpkgs
* `pam.d/gdm` is not used by gdm
* `pam.d/lightdm` IS used by lightdm but hardcoded using .text rather
than attrset+template.
the old method of pasting parts of options.json into a markdown document
and hoping for the best no longer works now that options.json contains
more than just docbook. given the infrastructure we have now we can
actually render options.md properly, so we may as well do that.
Provide a module to configure Coqui TTS, available as `tts` in nixpkgs
for a few releases already.
The module supports multiple servers in parallel, so multiple languages
and testing scenarios can be covered, without affecting any production
usage.
The test was failing because it was timing out. Turns out it was waiting
for `foo.kdbx`, which couldn't be "seen" even if it actually existed
(probably some contrast issues with the theme and OCR couldn't find it).
Fixed it by delegating the check to the next screen, where the full path
to the file is displayed in a bigger size. The test seems to pass.
Injecting configuration specific dependencies into the
propagatedBuildInputs of the home-assistant package forces alot of
rebuilds while setting up home-assistant, which is annoying.
By passing optional dependencies into home-assistant via the systemd
units PYTHONPATH environment variable, only he concatenation of
library paths in the systemd unit requires a rebuild.
This also means users can rely heavily on the cached home-assistant
package and will rarely have to build from source, if ever.
Prepare the tests for a change in dependency handling, by not relying on
bespoke files dropped into the package output.
Instead we now check the journal log for whether a configured component
was setup, once for the initial specialisation another time for the one
introducing esphome configuration.
Also improve abstractions for getting journal data relative to a cursor
and generally make a few things more concise.
