curl does not retry if it is unable to connect to the metadata server.
For some reason, when creating a new AMI with a recent nixpkgs, the
metadata server would not be available when fetch-ec2-data ran. Switching
to wget, which can retry even on TCP connection errors, solved this problem.
I also made the fetch-ec2-data depend on ip-up.target, to get it to start
a bit later.
Removed the 'wait for GCE metadata service' job, as it was causing
issues with the metadata service (likely some firewall or something).
Instead, use wget with retries (including connection refused) instead
of curl for fetching the SSH keys. Also made the stdout/-err
of this job appear in the console.
/tmp cleaning is done by systemd rather than stage-2-init
enableEmergencyMode moved from systemd to separate module
new option to mount tmp on tmpfs
new option to enable additional units shipped with systemd
This version of the module has socketActivation disabled, because until
NixOS upgrades systemd to at least 214, systemd does not support
SocketGroup. So the socket is created with the "root" group when
socketActivation is enabled. Should be fixed as soon as systemd is upgraded.
Includes changes from #3015 and supersedes #3028
It's more standard than $OPENSSL_X509_CERT_FILE (which I guess was a
totally unnecessary patch to OpenSSL). Since curl respects
$SSL_CERT_FILE, it's no longer needed to set $CURL_CA_BUNDLE. Git
unfortunately doesn't.
All activation scripts run in serial upon boot and nixos-rebuild switch
etc., in contrast to preStart, which runs before a service starts and can
run in parallel with other services.
The munin(-node) activation script is particularly slow. Change it to a
preStart script so that it can run in parallel with other services and
not slow down boot (or nixos-rebuild switch).
This reduces (repeated) "nixos-rebuild test" time from ~16 seconds to ~8
on my (old) laptop.
We now track copied files in /etc/.clean. This is important, because
otherwise files that are removed from environment.etc will not
actually be removed from the file system. In particular, changing
users.extraUsers.<user>.openssh.authorizedKeys.keys to an empty list
would not cause /etc/ssh/authorized_keys.d/<user> to be removed, which
was a security issue.
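
The manifest approach described in the last commit message, as an added Python example (not part of the commit and not the NixOS activation code): each run records the files it copied in `.clean` and deletes any file the previous run copied that is no longer wanted. The function names, the user `alice` and the key material are constructed for illustration.

```python
import os
import tempfile

CLEAN = ".clean"  # manifest name taken from the commit message (/etc/.clean)

def sync_etc(etc_dir, wanted):
    """Copy `wanted` ({relative path: content}) into etc_dir and delete
    files that an earlier run copied but that are no longer wanted."""
    manifest = os.path.join(etc_dir, CLEAN)
    previous = set()
    if os.path.exists(manifest):
        with open(manifest) as f:
            previous = {line.rstrip("\n") for line in f if line.strip()}
    removed = []
    for rel in sorted(previous - set(wanted)):
        # Never follow a manifest entry that would escape etc_dir.
        if os.path.isabs(rel) or ".." in rel.split("/"):
            continue
        path = os.path.join(etc_dir, rel)
        if os.path.lexists(path):
            os.unlink(path)
            removed.append(rel)
    for rel, content in wanted.items():
        path = os.path.join(etc_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    # Record what this run copied so the next run can clean up after it.
    with open(manifest, "w") as f:
        f.writelines(rel + "\n" for rel in sorted(wanted))
    return removed

def demo():
    key = "ssh/authorized_keys.d/alice"  # constructed user name
    with tempfile.TemporaryDirectory() as etc:
        # First run: the user has one (constructed) authorized key.
        sync_etc(etc, {key: "ssh-ed25519 AAAA... constructed\n",
                       "hostname": "demo\n"})
        had_key = os.path.exists(os.path.join(etc, key))
        # Second run: the key list is now empty, so the file is not wanted.
        removed = sync_etc(etc, {"hostname": "demo\n"})
        still_there = os.path.exists(os.path.join(etc, key))
    return had_key, removed, still_there

if __name__ == "__main__":
    print(demo())
```

Without the manifest, the second run would have no record of the key file and would leave it in place, so the revoked key would still grant SSH access.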