gyre-fonts provides high-quality TrueType substitutes for standard PostScript
fonts. Unlike most other distributions, NixOS does not install Ghostscript and
its Type 1 fonts by default, so we must get the standard fonts elsewhere.
For whatever reason, the OCR code is not detecting ALICE but is BOB.
OCR output from login screen (blank lines omitted):
> Session none + icewm
> 08:41 <
> Thursday, April 6, 2017
> BOB FOOBAR
> Select your user and enter password
The LUKS header can be on another device (e.g. a USB stick). In my case
it can take up to two seconds until the partition on my USB stick is
available (i.e. the decryption fails without this patch). This will also
remove some redundancy by providing the shell function `wait_target` and
slightly improve the output (one "." per second and a success/failure
indication after 10 seconds instead of always printing "ok").
Restarting them is useless since the filesystem is already
checked. Worse, restarting them causes the filesystem to be unmounted.
Also remove an override for systemd-rkill@.service which no longer
exists.
This reduces the time window during which IP addresses are gone during
switch-to-configuration. A complication is that with stopIfChanged =
true, preStop would try to delete the *new* IP addresses rather than
the old one (since the preStop script now runs after the switch to the
new configuration). So we now record the actually configured addresses
in /run/nixos/network/addresses/<interface>. This is more robust in
any case.
Issue https://github.com/NixOS/nixops/issues/640.
Unfortunately, somewhere between 16.09 and 17.03, paravirtualized
instances stopped working. They hang at the pv-grub prompt
("grubdom>"). I tried reverting to a 4.4 kernel, reverting kernel
compression from xz to bzip2 (even though pv-grub is supposed to
support xz), and reverting the only change to initrd generation
(5a8147479e). Nothing worked so I'm
giving up.
Docker socket is world writable. This means any user on the system is
able to invoke docker command. (Which is equal to having a root access
to the machine.)
This commit makes socket group-writable and owned by docker group.
Inspired by
https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket
There was one confusing recent failure of this:
http://cache.nixos.org/log/myla8bc17j8spmifdxmrz9jswxwsf5w6-vm-test-run-hibernate.drv
I don't have any real ideas on what could cause the problem but there is
at least one theoretical one: the system starts hibernating before the
listener process manages to open the TCP port for listening, and it can't
open it after resuming because not enough pages from the netcat binary
have been paged in (and as the 9p filesystem holding it is now toast,
they can't be loaded anymore).
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went it.
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
This reverts commit 1a74eedd07. It
breaks NixOps, which expects that
rm -f /etc/ssh/ssh_host_ed25519_key*
systemctl restart sshd
cat /etc/ssh/ssh_host_ed25519_key.pub
works.
When a user or group is revived, this allows it to be allocated the
UID/GID it had before.
A consequence is that UIDs and GIDs are no longer reused.
Fixes#24010.
In order to use qt5ct (Qt5 Configuration Tool) to configure Qt5
settings (theme, font, icons, etc.) under DE/WM without Qt
integration, the environment variable QT_QPA_PLATFORMTHEME should be
set to "qt5ct".
It can be done automatically by this module, or by setting the
variable explicitly in the user or in the system configuration.
This has surfaced since f803270b7e.
The commit bumped bash to version 4.4, which caused to change the order
of --subst-var flags in substituteAll, which this test was relying on,
because it added a @shell@ to boot.initrd.postMountCommands.
Our substituter is currently working a bit like this:
original.replace('@var1@', 'val1').replace('@var2@', 'val2')...
Unfortunately, this means that if @var2@ occurs within @var1@ it is
replaced by the new value, so the order of the substvars actually
matter. I highly doubt that we want a behaviour like this and I'm
wondering why it didn't occur to me as a problem while writing the
initial implementation of the VirtualBox tests.
Whether to get rid of this and disallowing substitution of substvars
within substvars is another topic which I think needs discussion in a
different place.
As for now, I'm using stdenv.shell, because the closure size of this
should fit within the initrd, so it's fine especially because it's just
a test.
Tested with the net-hostonlyif and systemd-detect-virt tests and they
both succeed with this change.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: @globin on IRC
Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as
alternatives to apiKey and mysqlPassword, which still work, but are
deprecated with a warning message.
Related to #24288.
Having fixed the Google Compute Engine image build process's copying
of store paths in PR #24264, I ran `nixos-rebuild --upgrade switch`...
and the GCE image broke again, because it sets the NixOS configuration
option for the sysctl variable `kernel.yama.ptrace_scope` to
`mkDefault "1"`, i.e., with override priority 1000, and now the
`sysctl` module sets the same option to `mkDefault "0"` (this was
changed in commit 86721a5f78).
This patch raises the override priority of the Google Compute Engine
image configuration's definition of the Yama sysctl option to 500
(still lower than the priority of an unmodified option definition).
I have tested that this patch allows the Google Compute Engine image
to again build successfully for me.
And adopt the tests to add an interface and remove it again.
It should work when deactivating rstp, it will not work when activating
rstp for the first bridge as then the userspace daemon is not yet
available. But once one bridge is active with stp, it should work with
the reload for any further bridge.
Fixes#21745. Also see #22547.
Currently, if you try to build a NixOS config including channel.nix, e.g.:
nix-build -I nixpkgs=. -I nixos-config=nixos/modules/installer/cd-dvd/installation-cd-minimal.nix nixos -A config.system.build.isoImage
twice in a row, you end up with two different build results. This is
caused by the 'result' symlink of the first build affecting the channel
contents of the second build.
If we use filterSource with a predicate that ignores the 'result'
symlinks, the problem is gone. Do the same thing for VIM/Emacs
swap/backup files to avoid even more 'spurious' rebuilds.
Additionally, filter out the '.git' directory at the same time, as we
'rm -rf' it from the result anyway. This avoids a considerable amount of
unnecessary file I/O copying and deleting the .git directory.
In `nixos/modules/virtualisation/google-compute-image.nix`, copy store
paths with `rsync -a` rather than `cp -prd`, because `rsync` seems
better able to handle the hard-links that may be present in the store,
whereas `cp` may fail to copy them.
I have tested that the Google Compute Engine image builds successfully
for me with this patch, whereas it did not without this patch.
This is the same fix applied for Azure images in commit
097ef6e435.
Fixes#23973.
The inability to run strace or gdb is the kind of
developer-unfriendliness that we're used to from OS X, let's not do it
on NixOS.
This restriction can be re-enabled by setting
boot.kernel.sysctl."kernel.yama.ptrace_scope" = 1;
It might be nice to have a NixOS module for enabling hardened defaults.
Xref #14392.
Thanks @abbradar.
kimpanel does not show installed IBus engines or allow switching input
methods. kimpanel does show configured keyboard layouts through kxkb, so I
believe there is some problem communicating with IBus. No error messages are
produced in the log and I have been unable to discover the cause. I have no
intention of continuing to work on kimpanel at this time, so it should be
disabled. The GTK+ 3-based panel provided by IBus is perfectly serviceable in
the interim.
This reverts commit b806e25d65.
This seems to push Hydra's memory usage out of the roof fail nixos
evaluating with:
Too many heap sections: Increase MAXHINCR or MAX_HEAP_SECTS
Let's revert this for now. It's not a big deal at all since the
nixpkgs-unstable jobset is still building the packages.
In the absence of XCURSOR_PATH, the function XcursorLibraryPath
in libXcursor will return a hardcoded value unsuitable for NixOS.
Some desktops as well as display managers in NixOS currently do
set XCURSOR_PATH, but there are combinations where neither does
(e.g. SDDM+XFCE), resulting in no cursor themes being available.
The new definition if XCURSOR_PATH is effectively the same as what
KDE's startkde currently does.
Fixes issue #21442.
* The module uses `stringSplit` but it should be `splitString`
* `rmilter` doesn't actually support binding to multiple sockets.
Therefore, bind to the last one specified if `socketActivation` is
`false`.
I also believe there is a bug in this module related to systemd
`ListenStream`. If `socketActivation` is true, Postfix gets
connection timeouts trying to connect to one of the `ListenStream`
inet addresses. I don't know enough about `ListenStream` passing
connections on to `fd:3` to understand what's going on.
These changes are in production (with `socketActivation = false`) via NixOps.
This `tsocks` wrapper leaks DNS requests to clearnet, meanwhile Tor comes with
`torsocks` which doesn't.
Previous commits to this file state that all of this still useful somehow.
Assuming that it's true, at least let's not confuse users with two different tools
and don't clash with the `tsocks` binary from nixpkgs by disabling this by default.
Run Firefox inside an XTerm, it doesn't crash mysteriously this way.
Also try opening developer tools and checking that Firefox doesn't
crash in the process.
This option was initially added to make it easier to use an
up-to-date list, but now that we always use an up-to-date list
from upstream, there's no point to the option.
From now on, you can either use a resolver listed by dnscrypt
upstream or a custom resolver.
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability. Until
17.09 we'll automatically translate these options into extraArgs
for convenience.
Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.