Removing a network from the joinNetworks list does not make the machine leave the network which is confusing.
This behavior is now clarified via the options description
For non-interactive installation it's quite handy to be able to nix copy additional dependencies to the system.
While this is possible for the root user, we cannot easily ssh into it, as we don't allow root login with a password.
By making nixos a trusted user, we can do "passwd && sudo systemctl start sshd" and then run nixos-anywhere
This option only has an effect on the initial setup of Nextcloud and
changes later won't have any effect.
Same issue as with `adminpassFile` - it's only passed to the installer
command - but even worse because the username is frequently used as
unique ID in the database, so there's no trivial way to change it, even
imperatively.
As suggested by @nickcao this commit moves the defaults back to the
options. Only `homeserver.domain` stays in the config section since the
documentation module does not support referencing attributes of other
modules.
The upstream default for the thumbnail font is set to "Liberation Serif
Regular" located at /usr/share/fonts which is inaccessible under nix.
(2a2bf3bf55/src/paperless/settings.py (L894))
Paperless throws an error when parsing plaintext files without a valid
font. This change sets a nix default using the liberation_ttf package.
Netdata creates its control socket at /tmp/netdata-ipc by default, which
is insecure and actually inaccessible with systemd's PrivateTmp enabled.
Originally we patched its source code to move the socket to
/run/netdata/ipc. However, it was removed due to incompatibility when
upgrading to v1.41.0: 1d2a2dc7d0
Fortunately, this new version of netdata adds support for setting the
location of the control socket via the environment variable
NETDATA_PIPENAME. So let's set it for the netdata service and the
command line utility so that they can communicate properly.
Right now, the settings aren't additive which means that when I do
    services.nextcloud.phpOptions."opcache.interned_strings_buffer" = "23";
all other options are discarded because of how the module system works.
This isn't very nice in this case, though because wanting to override
a single option doesn't mean I want to discard the rest of the -
reasonable - defaults. Hence, the settings are shown as default in the
option's manual section, but are added with normal priority.
That means, to override _all_ options at once, an expression like
    services.nextcloud.phpOptions = mkForce {
      /* ... */
    };
is needed. This is also way more intuitive IMHO because the `mkForce`
explicitly tells that everything will be modified.
Also, APCu enable and the memory & file-size limits are also written
into `services.nextcloud.phpOptions` rather than adding them
silently before passing all options to the PHP package. This has the
benefit that users will realize on evaluation time that they configured
options that would otherwise be set by the module on its own.
Allow giving a custom package containing the `systemd-repart` binary.
Defaults to `pkgs.systemd`. This option opens up the possibility to use
a different package for the image builder and the system configuration.
For example, someone could use this option to build an image with a
patched systemd while still using the upstream nixpkgs systemd package
(i.e., `pkgs.systemd`) for the system configuration installed to the
created image.
This avoids creating a build-time reference on `boot.kernelParams` if
the configuration does not use a kernel, i.e., `boot.kernel.enable` is
set to `false`.
Output the amended repart definitions to a well-known directory in
$TMPDIR instead of using a temporary directory with a random directory
name.
The output file `repart-output.json` also contains the full path to the
repart definition file used to create the partition. As
`amend-repart-definitions.py` uses `tempfile.mkdtemp`, this introduces
an impurity:
```json
{
"type" : "root-x86-64",
"label" : "rootfs",
"uuid" : "f2fa2e49-e443-45d2-a2e2-c3754cab6363",
"file" : "/build/tmppjo7kv5o/rootfs.conf",
"node" : "image.raw2",
"offset" : 135266304,
"old_size" : 0,
"raw_size" : 1651101696,
"old_padding" : 0,
"raw_padding" : 0,
"activity" : "create",
}
```
This commit changes the parent directory of the amended repart
definitions to `/build/amended-repart.d/`.
NOTES:
@jakeschurch did not realize that it was already updated on master, but not
backported to 23.05 channel
Signed-off-by: Jake Schurch <jakeschurch@gmail.com>
After building the target system, `nixos-install` tries to remove `/mnt`
on the target filesystem. And the script may fail without any explanation,
if `/mnt` isn't empty.
This commit makes the installation process carry on even if there are
files under `/mnt`.
See https://github.com/NixOS/nixpkgs/issues/244643.
There is only one other `with` with a somewhat broad scope, `with pkgs`, but
it's used in a place where it would become awkward to change out. And
anyway its scope is rather limited still.
With a limited testing of all packaged GRUB 2 themes (pkgs.nixos-grub2-theme)
this is tested to work.
Without this change, the theme loading will error out (waiting for a key press).
With this change, the theme loads and works as expected.
The intent was to not pass the flag when installing as removable. In
reality there is a third case, where you may not want to touch EFI
variables, and not want to install as removable.
In that case, it would install to the generic \EFI\grub\grubx64.efi,
which is not a good choice in any case. The operating system should
"own" their path under \EFI\ to be a good citizen [citation needed].
With this change, there can be only two paths GRUB can be installed to:
- \EFI\NixOS-boot\grubx64.efi
- \EFI\BOOT\bootx64.efi
This removes the surprising behaviour where GRUB may be installed to a
different location only because we configured NixOS not to touch EFI
variables.
It may be necessary under some configurations to install GRUB without
touching EFI variables, but to the NixOS-owned location.
Write the output of `systemd-repart` as a JSON file to
`$out/repart-output.json`.
Depending on the repart configuration, the output of `systemd-repart`
contains important information, for example, when creating verity
partitions:
> The verity root hash itself will be included in the output of
> systemd-repart.
See `Verity=` in repart.d(5).
https://github.com/kanidm/kanidm/releases/tag/v1.1.0-beta.13
The kanidmd process now creates a unix socket, over which admin tasks
can be done, without having to shut kanidm down first.
The kanidm_unixd process now wants access to /etc/shadow and /etc/group,
so it can rule out collisions with the host system.
Now migrations are run only on upgrade / downgrade and first start,
which makes netbox much faster on a normal start.
Add the reindex for NetBox > 3.5.0, to populate the index, preventing
empty search results.
Migrations were moved out of netbox-migration.service into
netbox.service, to prevent service dependency issues when upgrading
NixOS.
This commit updates the binfmt magic-patterns using
f5e6786de4/scripts/qemu-binfmt-conf.sh
The patterns prior to this commit did not understand the difference
between mips32-*-* (32-bit void*,int) and mips64-*-*abin32 (32-bit
void*, 64-bit int). This commit corrects that.
Unfortunately there's no test for me to confirm that it works,
so all I can do is ask for maintainers, unfortunately -- I mean...
This is your opportunity!
When extending this module, it might be necessary to run something
from the package that's used in `matrix-synapse.service` (e.g. for
workers).
Now this can be trivially done by using
`config.services.matrix-synapse.package`. Previously it was necessary to
reuse the `PYTHONPATH` from the environment of `matrix-synapse.service`,
but that one doesn't exist anymore.
In some setups, and especially with systemd-networkd becoming more widely
used, networking.useDHCP is set to false. Despite this, it may be useful
to have dhcp in the initramfs.
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.0
* This release drops support for Node 16. The minimum required version is now 18+.
* Moved from NPM to Yarn
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1
* Fixes for GHSA-vc7j-h8xg-fv5x.
* Fixes for GHSA-3pmj-jqqp-2mj3.
* Fixes for GHSA-c7hh-3v6c-fj4q
* Update matrix-appservice-bridge to 9.0.1
While there was an effort to make this package with `mkYarnPackage`, in the end it
was suggested to just use `stdenv.mkDerivation` instead
nixos/matrix-appservice-irc:
* fix path to config.schema.yml; directory structure of the package changed
* use remarshal instead of python and pyyaml
to convert the config schema from yaml to json
When a dependency, like postgresql.service or redis-gitlab.service, had
been stopped and started at switch-to-configuration time, gitlab.service
and its helper units had been stopped but not started again.
`multi-user.target` only has a `Wants` relation to gitlab.target, but
once gitlab.target has been successfully started once and is not stopped/
restarted again, it does not cause all its dependencies to stay activated
the whole time.
This commit fixes this by upgrading the dependency relationship of
gitlab.service towards gitlab.target from a "Wants" to a "Requires". It
should be enough to do this for this single unit part of gitlab.target
only, as all other units wantedBy gitlab.target are pulled in by
gitlab.service as well or have bindsTo relations.
Simplify the SystemCallFilter by employing an explicit allow list, and
an explicit block list.
Node since version 18 requires syscalls in the @pkey group.
Excluding @privileged and @resources is a recommendation in
systemd-analyze.
If emacs starts before the graphical session is initialised, clients won't be
able to open new frames in the session. Start emacs with the graphical session
to avoid this issue.
Fixes https://github.com/NixOS/nixpkgs/issues/224512
Frigate does string prefix matching for paths, which isn't exactly
compatible with dynamically provisioned directories of systemd, where
/var/cache/frigate is actually a symlink to /var/cache/private/frigate.
Because we are unlikely to get this fixed upstream, this is one of the
reasons we should stop using DynamicUser= here.
The other being, that nginx needs to be able to serve clips and
recordings from both the CacheDirectory and the StateDirectory, and
nginx being a member of a group that may only exist after it was started
up doesn't work reliably.
This is also why we relax the umask to allow g+r/g+rx for newly created
files. Existing installs may need the following permissions fix to get
things going.
```
find /var/lib/frigate/recordings -type d -exec chmod g+rx {} \;
find /var/lib/frigate/recordings -type f -exec chmod g+r {} \;
find /var/cache/frigate -type f -exec chmod g+r {} \;
```
Co-Authored-By: Daniel Barlow <dan@telent.net>
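The mismatch between string prefix matching and the DynamicUser= symlink described above can be reproduced in isolation. This is an added example, not code from Frigate or nixpkgs: `prefix_allows` and `resolved_allows` are hypothetical helpers, and the directory tree is constructed in a temporary directory. It goes slightly beyond the commit message by also showing the opposite failure, where a sibling directory sharing the textual prefix is accepted.

```python
import os
import tempfile


def prefix_allows(path, allowed_root):
    """Naive check: plain string prefix on the path exactly as given."""
    return path.startswith(allowed_root)


def resolved_allows(path, allowed_root):
    """Compare canonical paths component-wise after resolving symlinks."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(allowed_root)
    return os.path.commonpath([real_path, real_root]) == real_root


def build_layout(base):
    """Constructed layout mimicking DynamicUser= with CacheDirectory=:
    <base>/cache/frigate is a symlink to <base>/cache/private/frigate."""
    private = os.path.join(base, "cache", "private", "frigate")
    os.makedirs(private)
    public = os.path.join(base, "cache", "frigate")
    os.symlink(os.path.join("private", "frigate"), public)
    sibling = os.path.join(base, "cache", "frigate-other")
    os.makedirs(sibling)
    open(os.path.join(private, "clip.mp4"), "w").close()
    return public, sibling


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        public, sibling = build_layout(os.path.realpath(tmp))
        # What a service sees after the kernel or a library resolves the link.
        resolved_clip = os.path.realpath(os.path.join(public, "clip.mp4"))
        # A different directory that merely shares the textual prefix.
        sibling_file = os.path.join(sibling, "clip.mp4")
        return {
            "prefix_resolved_clip": prefix_allows(resolved_clip, public),
            "canonical_resolved_clip": resolved_allows(resolved_clip, public),
            "prefix_sibling": prefix_allows(sibling_file, public),
            "canonical_sibling": resolved_allows(sibling_file, public),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The prefix check rejects the legitimate clip once its path has been resolved through the symlink and accepts the unrelated sibling, while the canonical comparison gets both right.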
Because the local database is used by the osquery daemon, running
osqueryi fails with:
    IO error: While lock file: /var/lib/osquery/osquery.db/LOCK: Resource temporarily unavailable
Being wanted by and ordered before local-fs.target isn't strictly
correct. And in systemd initrd, it's very incorrect because
local-fs.target is for the initrd file system, not the real root file
system.
If one sets either of `override{Device,Folder}s` to false, the jq `*`
operator doesn't merge well the devices and folders, creating duplicate
IDs for folders as observed in #230146. This PR makes the script iterate
via Nix / Bash loop the devices and folders IDs and merges the keys
using upstream's `curl -X POST` support for single objects.
Hence this commit fixes #230146.
Although 'lib' isn't needed by the default configuration, new NixOS users
can get confused when being recommended configuration.nix snippets like
    systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
and have `sudo nixos-rebuild switch` fail with
    error: undefined variable 'lib'
This checks the validity of both NAT64 and SIIT configurations
at build time. An error produces something like this:
    Validating Jool configuration... Error: Cannot parse '283.0.113.1' as an IPv4 address.
Build logs show:
> configure: WARNING: non-linux system; not building mount
> configure: WARNING: non-linux system; not building swapon
So skip these on non-Linux
Using getOutput prevents eval failures on other platforms.
Things should stay eval'able with NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
Co-authored-by: Artturin <Artturin@artturin.com>
got broken in 6ea1a2a1be which changed
runCommandCC to runCommand but was not
noticed because it was failing silently
runCommand doesn't include CC or bintools
This patch adds an `authType` option to enable configuring FreshRSS's
`auth_type` parameter.
Upstream documentation for this feature is located here:
https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
An accompanying NixOS test is provided to confirm this feature works
as expected.
Upstream supports php 8.0/8.1 for the 3.3.0 release. The upgrade to 8.2
caused a type mismatch in carbon.
> PHP message: Exception: Code: 0, Message: Carbon\Carbon::setLastErrors(): Argument #1 ($lastErrors) must be of type array, bool given, called in /nix/store/2prnw9qya9kaks2rwvd6fkrz0c7l5ygd-engelsystem-3.3.0/share/engelsystem/vendor/nesbot/carbon/src/Carbon/Traits/Creator.php on line 98, File: vendor/nesbot/carbon/src/Carbon/Traits/Creator.php:928
With this change we allow the user to configure extras, exposed as
optional-dependencies on the matrix-synapse package.
The vertical integration between package, user configuration and
deployment is a huge boon which then allows us to dynamically adapt the
python environment the service runs in, by inspecting the configuration
and autodiscovering certain used extras from config paths.