Guest operating systems inside VMs or containers can't update the host CPU's microcode for obvious security reasons, so setting the `hardware.cpu.*.updateMicrocode` options is pointless.
Updates the warnings message for statefully set up passwords, now that
weak algorithms have been removed from our libxcrypt package.
Additionall we now add proper validation for hashing schemes used in
`hashedPassword`.
Neither will prevent a rebuiild, but instead issue a warning, that this
requires immediate remediation, or else users will be unable to login.
Reuses the crypt scheme ids as provided by the libxcrypt package.
The module was allowing specific chown syscalls, which is brittle because
there are several and different ones are used by glibc on different
architectures. For example, fchownat was already added to the allowlist for
aarch64, while on armv6l chrony crashes because chown32 is not in the
allowlist.
systemd provides the @chown syscall set, which includes all the chown
syscalls and avoids this brittleness. I believe the syscalls would all be
equivalent from an attacker's perspective, so there is unlikely to be any
security impact.
The restic repository cache location defaults to ~/.cache/restic when
not overwritten either by the --cache-dir command line parameter or the
universal RESTIC_CACHE_DIR environment variable.
Currently, the --cache-dir variable is set to only some restic commands,
but, e.g., not to the unit's preStart command for the module's
initialize option. This results in two distinct cache locations, one at
~/.cache/restic for the initialize commands and one at the configured
--cache-dir location for the restic backup command.
By explicitly setting RESTIC_CACHE_DIR for the unit, only one cache at
the correct location will be used.
https://restic.readthedocs.io/en/v0.15.1/manual_rest.html#caching
This change adds an option to disable legacy BIOS boot support for ISO
images. The implementation uses syslinux package that currently does not
support non-x86 platforms and thus cannot be cross-compiled, e.g. from
AArch64 system.
Extension based matching for Windows targets define it '.exe' but kernel
documentation explicitly states it should be passed "without the .".
From https://docs.kernel.org/admin-guide/binfmt-misc.html
> * magic:
> [...] If you chose filename extension matching, this is the
> extension to be recognised (without the ., the \x0a specials are not
> allowed).
Headscale now supports passing the OIDC client secret via a file, as
added in [juanfont/headscale#1127][1127]. Lets use that.
The headscale option is `client_secret_path`; let's make it consistent
and rename the Nix option to this. Note that I wasn't able to do this:
mkRenamedOptionModule [ ... "client_secret_file" ] [ ... "client_secret_path" ]
I get such error:
error: evaluation aborted with the following error message: 'cannot find attribute `services.headscale.settings.oidc.client_secret_file''
[1127]: https://github.com/juanfont/headscale/pull/1127
This prevents issues I'm seeing with the hydra I'm running on my laptop.
Every time I reboot it I see eval errors like this:
```
error fetching latest change from git repo at `https://github.com/nixos/nixpkgs.git':
fatal: unable to access 'https://github.com/nixos/nixpkgs.git/': Could not resolve host: github.com
```
This is because the evaluator already starts before the network is
actually online. It should wait until the network is fully online before
starting evaluation to prevent evaluation errors like above.
`systemd-growfs@.service` and `systemd-growfs-root.service` became real units since:
50072ccf1b
we need to add them to the nixos module so growfs works again
systemd now requires the /tmp mount point in the initrd cpio archive
since https://github.com/systemd/systemd/pull/25723
setting `"/tmp/.keep".text` will create the directory.
this fixes a boot failure:
```
(sd-gens): Failed to overmount /tmp/: No such file or directory
```
It has no effect with `subpixel.lcdfilter = "none"`.
If the user overrides the module's default, the correct subpixel order
depends on their actual monitor, and cannot be known by this module.
This makes it so that alternative packages, such as `pkgs.forgejo` are
able to be used instead of the default `pkgs.gitea`.
Also adds myself as a maintainer of the module.
The varible `gitea`, which was used instead of `cfg.package`, has been
replaced with the variable `exe`, and is instead the value of the main
executable, as gotten from `lib.getExe`. `cfg.package` is used when this
value is not appropriate.
Gitea spawns `gpg` processes for commit signing related actions.
Those `gpg` processes need `mlock` (probably to prevent secrets
in the memory to swap).
Blocking it (as part of the `@memlock` preset) causes any
commit signing related actions to error out as http/500
adding two graphical programs makes a strong assmuption that users will
use a graphical environment.
add a command line program as an alternative suggestion that is easy to
comment in as a first-steps measure.
trying to get all of the podman functionality to work with the wrapper
is becoming more complicated with each release, it isn't sustainable
removing the wrapper does mean that using extraPackages will need to build from source
- remove unnecessary serviceConfig overrides
- set HELPER_BINARIES_DIR to libexec/podman
- use install.bin target on linux for podman/tmpfiles
- also installs quadlet/rootlessport in libexec
- symlink binaries from helpersBin into HELPER_BINARIES_DIR
- remove unnecessary rootlessport output
- remove unnecessary substituteInPlace
* k3s: add environmentFile option
Enabling to include secrets through configuration such as 'sops'
* Update nixos/doc/manual/release-notes/rl-2305.section.md
Co-authored-by: Jairo Llopis <973709+yajo@users.noreply.github.com>
Nothing the script `config.sh` does prior to the final call to
`Runner.Listener configure` is relevant for the systemd service.
Particularly, we don't need (nor want) any of the artifacts the `env.sh`
script creates.
This reverts commit 2265160fc0 and
e56db577a1.
Ideally, we shouldn't cause friction for users that bump `stateVersion`,
and I'd consider having to switch and/or manually hardcode a UID/GID
to supress the warning friction. I think it'd be more beneficial to, in
this rare case of an ID being missed, just let it be until more
discussion happens surrounding this overall issue.
See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
This reverts commits f5483464d5 and
6b9583e5e1.
Ideally, we shouldn't cause friction for users that bump `stateVersion`,
and I'd consider having to switch and/or manually hardcode a UID/GID
to supress the warning friction. I think it'd be more beneficial to, in
this rare case of an ID being missed, just let it be until more
discussion happens surrounding this overall issue.
See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
Without this change, users that have both `initialHashedPassword` and
`hashedPassword` set will have `initialHashedPassword` take precedence,
but only for the first time `/etc/passwd` is generated. After that,
`hashedPassword` takes precedence. This is surprising behavior as it
would generally be expected for `hashedPassword` to win if both are set.
This wouldn't be a noticeable problem (and an assert could just be made
instead) if the users-groups module did not default the
`root.intialHashedPassword` value to `!`, to prevent login by default.
That means that users who set `root.hashedPassword` and use an ephemeral
rootfs (i.e. `/etc/passwd` is created every boot) are not able to log in
to the root account by default, unless they switch to a new generation
during the same boot (i.e. `/etc/passwd` already exists and
`hashedPassword` is used instead of `initialHashedPassword`) or they set
`root.initialHashedPassword = null` (which is unintuitive and seems
redundant).
Since version 1.10.0 paperless-ngx depends on the NLTK library which is
used to pre-process data for machine learning. NLTK needs certain
data for stemming, stopword removal etc. This data has to be downloaded
first. This commit introduces a new systemd service that does the
downloading.
Being able to override `boot.initrd.systemd.initrdBin` with `boot.initrd.systemd.extraBin` is a desirable behavior, so this PR changes the `ln -s` command to `ln -sf` to force link even if the file already exists.
The typo creates an empty directory 0755 in initrd rootfs rather than
create the Nix store directories with mode 0755.
I guess setting the mode is not strictly necessary if it worked before
this change, but I'll leave the `-m 0755` in just in case.
We’ve been having trouble figuring out which kind of token to use and
why our setup would break every few system updates.
This should clarify which options there are, and which ones lead to
better results.
Ideally there would be a manual section that has a step-by-step guide
on how to set up the github runner, with screenshots and everything.
Purge contents of `workDir` as root to also allow the removal of files
marked as read-only. It is easy to create read-only files in `workDir`,
e.g., by copying files from the Nix store.
This builds on top of nixpkgs mainline 00d8347180
with the following two PRs cherry-picked:
- https://github.com/NixOS/nixpkgs/pull/192670
- https://github.com/NixOS/nixpkgs/pull/192668
using the following command:
```
nix build -f nixos -L \
-I nixos-config=nixos/modules/installer/sd-card/sd-image-powerpc64le.nix \
config.system.build.sdImage
```
I was able to successfully boot the image, although it boots to a login prompt
rather than a shell, and won't accept the empty password for `root`. I guess
I'll have to figure out why that is.
To boot the image: `zstd`-decompress the it, mount it, and use `kexec`:
```
cd boot/nixos
kexec -l \
*-vmlinux \
--initrd *-initrd \
--dt-no-old-root \
--command-line="$(grep APPEND ../extlinux/extlinux.conf | sed 's_^ *APPEND *__')"
```
The machine I used for testing has only one storage device which is completely
allocated to LVM. It appears that the NixOS ISO loader doesn't look for
partition tables within LVM volumes. To work aroundn this, I had to extract the
`ext4` image within the partition table within the `sd-card` image and put that
in its own LVM volume. This likely won't be an obstacle for users who write the
image to a USB stick or similar.
GDM and LightDM are already using this approach. It also allows us to
enable Kwallet integration more globally without generating stray PAM
services.
The default configuration of login service includes both options sddm
was setting explicitly.
This removes two unused service configs from /etc/pam.d/ and, more
importantly, reduces confusion.
* kdm no longer exists in nixpkgs
* `pam.d/gdm` is not used by gdm
* `pam.d/lightdm` IS used by lightdm but hardcoded using .text rather
than attrset+template.
{manpage} already exapnds to a link but akkoma wants to link to
a specific setting. split the mention for clarity.
networkd just straight up duplicated what {manpage} generates anyway, so
that link can go away completely.
Provide a module to configure Coqui TTS, available as `tts` in nixpkgs
for a few releases already.
The module supports multiple servers in parallel, so multiple languages
and testing scenarios can be covered, without affecting any production
usage.
The option `LinkLocalTCPPort` does not exist anymore in recent versions
of Yggdrasil. The port for incoming link-local connections is now
configured as part of the `MulticastInterfaces` option. Our
documentation should reflect that.
As far as I can tell the configFile option cannot have worked as
intended. The Yggdrasil systemd service uses a dynamic user. As it was,
there was no way to set the correct permissions on a config file
beforehand which would allow the dynamic user to read the config file
without making it readable for all users. But since the config file can
contain a private key it *must not* be world-readable.
The file must only be readable by root. The file has to be copied and
the permissions have to be fixed during service startup. This can either
be done in a ExecStartPre directive with the '+' prefix (which executes
that command with elevated privileges), or it can be done more
declarative with the LoadCredential directive. I have chosen the latter
approach because it delegates more work to systemd itself. It should be
noted that this has the minor tradeoff that the config file must not be
larger than 1 MB. This is a limit which systemd imposes on credential
files. But I think 1 MB ought to be enough for anybody ;).
Injecting configuration specific dependencies into the
propagatedBuildInputs of the home-assistant package forces alot of
rebuilds while setting up home-assistant, which is annoying.
By passing optional dependencies into home-assistant via the systemd
units PYTHONPATH environment variable, only he concatenation of
library paths in the systemd unit requires a rebuild.
This also means users can rely heavily on the cached home-assistant
package and will rarely have to build from source, if ever.
Since 1.2.0, kanata handles missing keyboards well:
- only one keyboard need to be present when kanata starts;
- if linux-continue-if-no-devs-found is set to yes, all keyboards can
be missing at the beginning;
- all keyboards can be (un)pluged when kanata is running.
For simplicity, linux-continue-if-no-devs-found is set to yes and
systemd patch activation is removed.
using readFile instead of fileContents (or using indented strings) can
leave a trailing newline that causes build errors in systemd units and
has previously caused runtime errors in wireguard scripts. use
singleLineStr to strip a trailing newline if it exists, and to fail if
more than one is present.
...but still allow for setting `dataDir` to a custom path. This gets
rid of the use of the deprecated option PermissionsStartOnly. Also, add
the ability to customize user and group, since that could be useful
with a custom `dataDir`.
trying to get all of the podman functionality to work with the wrapper
is becoming more complicated with each release, it isn't sustainable
removing the wrapper does mean that using extraPackages will need to build from source
- include pkgs.zfs by default in the wrapped podman used by the module so it is cached
- anyone using zfsUnstable will need to build from source
- remove unnecessary serviceConfig overrides
- set HELPER_BINARIES_DIR during build
- use install.bin target on linux for podman/tmpfiles
- also installs quadlet/rootlessport in libexec
- remove unnecessary rootlessport output
- remove unnecessary substituteInPlace
