...by using `replace-secret` instead of `sed` when injecting the
password into the ddclient config file. (Verified with `execsnoop`.)
Ref https://github.com/NixOS/nixpkgs/issues/156400.
* Update to the latest upstream version of pass-secret-service that includes
systemd service files.
* Add patch to fix use of a function that has been removed from the Python
Cryptography library in NixOS 22.05
* Install systemd service files in the Nix package.
* Add NixOS test to ensure the D-Bus API activates the service unit.
* Add myself as a maintainer to the package and NixOS test.
* Use checkTarget instead of equivalent custom checkPhase.
The `bash` binary is needed for running some plugins, notably the alarm notify plugins. If the binary isn't in the path, alarms notifications aren't sent and the netdata error log instead contains `/usr/bin/env: 'bash': No such file or directory`.
The FUSE mount functionality of IPFS was broken by the update to v0.13.0, so disable it. Hopefully it will be fixed soon.
See https://github.com/ipfs/kubo/issues/9044.
The ${opt.*} syntax will print the full path when NixOS is used
as a submodule.
nixpkgs.system / nixpkgs.localSystem must not be read by any
other module because its meaning is ambiguous in cross vs
non-cross contexts. hostPlatform is generally what you need.
*Where* you build something generally doesn't matter in a
system _configuration_ context like NixOS.
Due to lack of maintenance. It is not compatible with the default
Python version (due to the tornado 5) dependency, and doesn't look
like it will be any time soon.
Install Parallel Tools updated for version 17 of Parallels for macOS. This
fixes clipboard sharing, so that copy and paste works between the host
macOS and the guest NixOS VM. Support for guests on M1 Apple Silicon-based
Macs (aarch64-linux) is also added.
Co-authored-by: Paul Smith <paulsmith@gmail.com>
Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
- support librewolf in the firefox nixos test
- use the correct binary name
- ensure autoplay is always on for the audio test, since
librewolf disables it by default
This was broken by a bad merge, where the same attribute was added
separately in two different places.
Fixes: ef895f6b43 ("Merge pull request #173239 from jojosch/mjolnir-update")
Since 831024e2b9 ("nixos/dhcpcd: assert if privSep && alternative
malloc"), this test has an assertion failure because dhcpcd (with
privsep enabled) is not compatible with the allocator used by the
hardened profile.
Since it's unclear[1] what to do about this for the hardened profile,
I propose doing the simplest thing possible to make the test eval,
which is to just disable dhcpcd privsep. It's very inconvenient when
trying to refactor the NixOS test infrastructure to have a test that
doesn't evaluate. Once the correct solution is found for using dhcpcd
with privsep with the hardened profile, this patch can be reverted.
[1]: https://github.com/NixOS/nixpkgs/pull/157430
This commit fixes the following error:
Failed assertions:
- Setting xdg.portal.enable to true requires a portal implementation in xdg.portal.extraPortals such as xdg-desktop-portal-gtk or xdg-desktop-portal-kde.
I was under the impression that setting `services.redis.servers.<name>.save = []` would disable RDB persistence as no schedule would mean no persistence. However since the code did not handle this case specially it actually results in no `save` setting being written and the internal Redis default is used.
This patch handles the empty case to disable RDB persistence.
Disabling RDB persistence is useful in a number of scenarios:
1. Using Redis in a pure-cache mode where persistence is not desired.
2. When using the (generally superior) AOF persistence mode this file is never read so there is little point to writing it.
3. When saving is handled manually
For more information see https://redis.io/docs/manual/persistence/
This is a breaking change as the user may have been relying on `[]` using Redis defaults. However I believe that updating the behaviour for the next release is beneficial as IMHO it is less surprising and does what the user would expect. I have added release notes to warn about this change.
* nixos/vault: add option to start in dev mode.
This is not only useful for nixos tests i.e. when testing vault agent
setups but also when playing around with vault in local setups. In our
tests we can now make use of this option to test more vault features.
i.e. adding this feature has uncovered the need for a `StateDirectory`.
* Update nixos/modules/services/security/vault.nix
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Co-authored-by: Jonas Chevalier <zimbatm@zimbatm.com>
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Simon passed away in December 2021.
Simon, it was a pleasure to work with you, to learn things together
and to share good times. It ended too soon. You will be missed.
When using the example without the square brackets, nginx fails to start:
```
nginx-pre-start: nginx: [emerg] invalid port in "::1:80" of the "listen" directive in /nix/store/xyz-nginx.conf:29
nginx-pre-start: nginx: configuration file /nix/store/xyz-nginx.conf test failed
```
* Update attribute names in code examples (* -> settings.*).
* Use `nix-shell -p` rather than `nix run` because the example won't
work with the current default Nix.
* Update config values for `element-web`.
* Fix link to `element-web` security considerations.
* Make the synapse expression even smaller and use callout-lists to
explain the code.
* Document how to correctly deploy the shared registration secret.
[1] https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
Potential use cases for disabling `useDefaultFilesystems` include:
- Testing with uncommon filesystem layouts
- Testing scenarios where swapping occurs
- Testing with LUKS-encrypted disks
Closes#177963
we can't add 'nixpkgs.curl.tests' to hydra jobs due to 'tests' (and 'passthru') being stripped
TODO: add a function in lib-release.nix to get derivations and add `.x86_64-linux` to them
then we can just point release files to nixpkgs.tests.packageTestsForChannelBlockers instead of
nixpkgs.tests.packageTestsForChannelBlockers.curl.withCheck
Running `nixos/tests/keepassxc.nix` shows:
```
machine # [ 18.705390] xsession[985]: /nix/store/2g2jx5c6x3p152wbiijr0rmky7byqivc-xsession: line 13: nn: command not found
```
This garbled bash script runs without `set -o errexit` and thus skips
"\n\n" as invalid command:
```
$ cat -n /nix/store/2g2jx5c6x3p152wbiijr0rmky7byqivc-xsession
...
\n\n
if [ -e $HOME/.background-image ]; then
/nix/store/wq1d1ph8wj4alpx78akvpbd0a0m9qkd1-feh-3.8/bin/feh --bg-scale $HOME/.background-image
fi
...
```
KeePassXC uses it through
`nixos/modules/services/x11/display-managers/default.nix`:
```
...
# Script responsible for starting the window manager and the desktop manager.
xsession = dm: wm: pkgs.writeScript "xsession" ''
#! ${pkgs.bash}/bin/bash
# Legacy session script used to construct .desktop files from
# `services.xserver.displayManager.session` entries. Called from
# `sessionWrapper`.
# Start the window manager.
${wm.start}
# Start the desktop manager.
${dm.start}
...
'';
...
```
The bogus line was introduced in PR #160752:
```
commit 0bc0dc8090
Author: Shaw Vrana <shaw@vranix.com>
Date: Fri Feb 18 11:27:42 2022 -0800
desktop manager script: start properly
Adds a missing line feed when X is enabled to the start script name
and the appended if check. Resolves#160735
```
I have not tried to reproduce the original issue and thus don't know
why "\n\n" apparently gets interpreted fine in one place but remains
literal the `xsession` case.
However, using a literal newline must be valid for all cases and
certainly fixes the warning seen in KeePassXC tests.
Furthermore, starting the nix string (`''`) with a newline as usual also
fixes its overall indentation.
This improves security, by starting the service as an unprivileged user,
rather than starting as root and relying on the service to drop
privileges. This requires a significant cleanup of pre-init scripts, to
make use of StateDirectory and RuntimeDirectory for permissions.
By default, this is /run/ldapi, which is not compatible with systemd's
runtime directories. Change it to /run/slapd/ldapi (in library and
server). This makes `ldapi:///` work as a default socket again.
This patch follows an upstream commit[1].
Before this patch, if acme module is used, caddy will still use an old
cert even a new one is available. The cause is that without --force
flag, caddy will not reload an unchanged config.
Refer to that commit[1] message for more information.
[1]: 979e498d6d
Seems silly to install this for use with the local server, but to not
configure it to use the local server. Otherwise, out of the box we
just get an error about no server being configured.
By writing the unchecked outputs before checking them, they will
be written to a store path, which appears in the log, and which
sticks around even if the build fails. Eventually it is GCed, but
until then, you can open the file.
If you run it in a terminal+editor combination like VSCode, the
failure location is just one Ctrl+click away.
The `nixos-rebuild` tool calls `get-version-suffix` to figure out the
git revision of the nixpkgs directory if there is a .git.
https://nvd.nist.gov/vuln/detail/CVE-2022-24765 made git throw an
error if the .git search logic is not turned off and a user
tries to access a `.git` directory they don’t own (otherwise a
different user could trick them into setting arbitrary git config).
So from now on we should always explicitely set `--git-dir`, which
turns this search logic (and thus the security check) off.
I have read the full diff[0] between the previous owner and the new
maintained fork that I'm switching to, and could not find any suspicious
code. The new fork includes fixes that are otherwise crashing as of
Python 3.10.
This commit also fixes the PYTHONPATH which prevents the client from
starting.
This commit also adds a test that the client can successfully query the
server, testing the two components at once.
[0] https://github.com/SystemRage/py-kms/compare/master...Py-KMS-Organization:master
It was never meant to be used for anything other than testing
and setting it globally can cause weird loops in GTK-based portals,
where the portal will end up waiting for itself until it times out.
https://github.com/NixOS/nixpkgs/issues/135898
Or it can mess up fonts:
https://github.com/NixOS/nixpkgs/issues/155291#issuecomment-1166199585
Having the option in NixOS makes it look like it is okay or even
desirable to enable, when in fact it is a hack that can subtly break apps.
Some apps allow opting into using portal-based APIs, e.g. for Firefox,
you can set `widget.use-xdg-desktop-portal.file-picker` to `1` in about:config.
Otherwise, you can set the `GTK_USE_PORTAL` environment variable to 1
for individual apps.
People who really want it and aware of the downsides can just set
`environment.sessionVariables.GTK_USE_PORTAL = "1";` NixOS option
directly to set the environment variable globally.
dhclient is no longer built by default in the dhcp package, so this
test has been broken since that change was made. To fix, switch to
dhcpcd. dhcpcd insists on writing into /var/run, so we need to ensure
that exists.
Fixes: a2c379d4b6 ("dhcp: make client and relay component optional")
This used to be StandardOutput=syslog, which was removed because
syslog is deprecated, but that caused the test to fail. So bring it
back, but set it to the non-deprecated "journal" value instead (which
is what systemd interprets "syslog" as now anyway).
Fixes: 962e15aebc ("nixos: remove StandardOutput=syslog, StandardError=syslog lines")
Otherwise, since the update to Virtualbox 6.1.22, the test would fail
due to the shared directory not existing.
Fixes: ba0da8a076 ("virtualbox: 6.1.18 -> 6.1.22")
Nested KVM has been enabled by default on Linux on Intel for a long
time now, and since Virtualbox 6.1.0, the test won't run without it
because Virtualbox now only supports running hardware-accelerated VMs.
Additionally, this means we can 64-bit guests by default. The 32-bit
guest additions don't currently build, so this is important to have
the tests work with the default options.
- Add a module for the thunar file manager, which depends on the xfconf dbus service, and also has a dbus service and a systemd unit.
- Renames the option services.xserver.desktopManager.xfce.thunarPlugins to programs.thunar.plugins.
Riak have been updated a lot since the version 2.2 (now 3.0.10) but
has seen no updated to the package. This is at this point
a problem forcing us to maintain old versions of erlang.
We would be happy to re accept a newer version of Riak if someone want
to spend the time to set it up.
`boot.initrd.systemd.emergencyAccess` expects passwd(5) formatted
strings, hence `singleLineStr` is too broad.
Use the same type as `users.users.*.hashedPassword` to ensure
consistency across all options where password hashes are used.
From `modules/config/users-groups.nix`:
```
hashedPassword = mkOption {
type = with types; nullOr (passwdEntry str);
...
};
```
More nixpkgs code such as `boot.initrd.systemd.emergencyAccess` defines
options that takes hashed passwords, so move the type definition from
modules/ into lib/.
The type definition itself stays unchanged.
The original implementation did a simple string-comparison against the
output of `ip route`. This is problematic because
* if the details in the string-output change, the test breaks. This is
less likely with JSON because the relevant values (i.e. destination,
interface etc) aren't supposed to be changed.
* this is causing issues with formatters[1][2].
[1] #161703
[2] #154818
With multiple specialization changes this isn't very helpful anymore,
but no biggie since we check the log for errors anyway and the log is
not too verbose anyway.
`console.{font,keyMap}` may be a path or a string to a store path,
which should be added to initrd for `systemd-vconsole-setup` before
the prompt for the LUKS password.
Use `networking.resolvconf.package` to allow DNS entries to be set using
the system-wide resolver implementation instead of hardcoding systemd or
openresolv.
Extend the tests by adding DNS entries and making one of the peers use
systemd-networkd (hence systemd-resolved).
Also add a few `networkd`-specific settings.
The substr solution assumed a newline to be present.
The new solution will not remove the newline if it goes missing in the future.
Apparently this is idiomatic perl.
Thanks pennae for the suggestion!
According to https://grafana.com/docs/agent/latest/upgrade-guide/#v0240,
this has been deprecated/moved to -server.http.address and
-server.grpc.address (accepting ip and port) config options in v0.24.0,
and already listens on localhost and not port 80 by default.
According to https://github.com/grafana/agent/pull/1540, -prometheus.*
flages were deprecated in 0.19.0 in favor of the -metrics.*
counterparts. Same applies to `loki` being renamed to `logs`.
I'm not sure if the config file format is still supported (it could be),
but we shouldn't use deprecated configs.
Run the device tree overlays through the preprocessor before compiling it, as
is done in the kernel. This helps make overlays easier to understand, and
improves compatibility with those found in the wild.
I found the correct command line by running the kernel build with V=1, and then
removing all the arguments related to dependency tracking.
Since dtc 1.4.7 (released in 2018), there has been a much nicer syntax for
device tree overlays. This commit converts the dtsText example to use this
syntax.
Qt4 is on it's way out, according to
https://github.com/NixOS/nixpkgs/pull/174634
Barco's ClickShare driver/client requires Qt4;
an update isn't in sight anywhere.
To prepare for the removal of Qt4,
the commit at hand removes the
ClickShare package and its NixOS module.
The release notes are appended with a hint about the
removal and some alternatives that might help users
that are still in need of the driver/client functionality.
The preStart script for the IPFS service will print parts of the configuration
to stdout (and therefore, the journal) when applying profiles on startup. This
may lead to unwanted disclosure of private information, such as remote pinning
service API keys. Fix by sending stdout to /dev/null.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.parsedmarc.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash secret file paths before using them as a placeholders in the
config file to minimize the risk of conflicting file paths being
replaced instead.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.geoipupdate.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash the license key path before using it as a placeholder in the
config file to minimize the risk of conflicting file paths being
replaced instead.
Commit 8109d8a set the `StateDirectory=` option of the systemd service
configuration to the value of `cfg.workDir` which is wrong, according
to dasJ [1]. This commit resolves this issue by stripping the
`/var/lib/` prefix from `cfg.workDir`.
[1] https://github.com/NixOS/nixpkgs/pull/172824#issuecomment-1130350412
Previously, the location logic was hardcoded, supporting only
Nixpkgs and NixOps properly, leaving other uses of the module
system without good location support.
