users.users.*.createHome makes home only owner-readable.
This breaks nginx reading static assets from nextcloud's home,
after a nixos-rebuild that did not restart nextcloud-setup.
Closes#112639
When no devices are given the exporter tries to autodiscover available
disks. The previous DevicePolicy was however preventing the exporter
from accessing any device at all, since only explicitly mentioned ones
were allowed.
This commit adds an allow rule for several device classes that I could
find on my machines, that gets set when no devices are explicitly
configured.
There is an existing problem with nvme devices, that expose a character
device at `/dev/nvme0`, and a (namespaced) block device at
`/dev/nvme0n1`. The character device does not come with permissions that
we could give to the exporter without further impacting the hardening.
crw------- 1 root root 247, 0 27. Jan 03:10 /dev/nvme0
brw-rw---- 1 root disk 259, 0 27. Jan 03:10 /dev/nvme0n1
The autodiscovery only finds the character device, which the exporter
unfortunately does not have access to.
However a simple udev rule can be used to resolve this:
services.udev.extraRules = ''
SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
'';
Unfortunately I'm not fully aware of the security implications this
change carries and we should question upstream (systemd) why they did
not include such a rule.
The disk group has no members on any of my machines.
❯ getent group disk
disk❌6:
Chrome, Chromium, VSCode, Slack, Signal, Discord, element-desktop,
schildichat.
For the latter two, the feature flag useWayland was removed and a
wrapper script was provided.
* fix MTP support on KDE Plasma and Dolphin
* Update pkgs/applications/kde/kio-extras.nix
Co-authored-by: ElXreno <elxreno@gmail.com>
Co-authored-by: Peter Hoeg <peter@hoeg.com>
Co-authored-by: ElXreno <elxreno@gmail.com>
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.
The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
avaliable.
This commit aims to following the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.
Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.
Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.
The generation and validation of the configration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.
A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.
[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
Empty parantheses are not supported in regular expressions on
Darwin/macOS. The old regular expression produces an error during
evaluation. This commit fixes that.
Nix‘s `builtins.match` works with extend POSIX regular expressions. The
specification for these regular expression states[^1] that the result
for a left paranthesis immediately followed by a right paranthesis
outside of a bracket expression is undefined.
[^1]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04_03
Currently it's rather difficult to install tmux plugins. The process involves two steps:
1. Specify the correct `pkg.tmuxPlugins` package in `environment.systemPackages`
2. Adding to the configuration file to instantiate the plugin.
This commit allows the user to specify a list of plugins under `programs.tmux.plugins`.
Update nixos/modules/programs/tmux.nix
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Tor waits ShutdownWaitLength seconds (30s by default) before actually shutting down. Since the systemd timeout is also set to 30 seconds, this results in a race condition that ends up killing Tor most of the time on my machine during shutdown.
To fix this, add the ShutdownWaitLength setting and tell systemd to wait 30 seconds more than that.
Arch Linux also has `TimeoutSec` set to 60 seconds: 6df716fe19/trunk/tor.service.
This option behaves exactly like `boot.extraModprobeConfig`, except that it also includes the generated modprobe.d file in the initrd.
Many years ago, someone tried to include the normal modprobe.d/nixos.conf file generated by `boot.extraModprobeConfig` in the initrd: 0aa2c1dc46. This file contains a reference to a directory with firmware files inside. Including firmware in the initrd made it too big, so the commit was reverted again in 4a4c051a95.
The `boot.extraModprobeConfig` option not changing the initrd caused me much confusion because I tried to set the maximum cache size for ZFS and it didn't work.
Closes https://github.com/NixOS/nixpkgs/issues/25456.
Now that the terraform 0.12 compatibility is not needed anymore, the
`terraform.withPlugins` and `terraform-providers.mkProvider`
implementations can be simplified.
Instead of building a bunch of bin wrappers on instantiation, the
providers are now stored in
`$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>`
and then a simple `buildEnv` can be used to merge them.
This breaks back-compat so it's not possible to mix-and-match with
previous versions of nixpkgs. In exchange, it now becomes possible to
use the providers from
[nixpkgs-terraform-providers-bin](https://github.com/numtide/nixpkgs-terraform-providers-bin)
directly.
It looks like "make-bcache" also registers the devices, so the separate
registration afterwords is unnecessary.
Previously, the separate registration right afterwords didn't cause
a problem, presumably because it won the race with make-bcache's
registration. After 1640359f33 slightly
changed the timing of command execution in tests, the separate
registration often fails with the error message "device already
registered", stopping the test.
Modules that do not depend on e.g. toplevel should not have to include it just to set
things in `system.build`. As a general rule, this keeps tests simple, usage flexible
and evaluation fast. While one module is insignificant, consistency and good practices
are.
This is a squashed commit. These are the original commit messages:
lib/option: Improve comment
better comment
Update documentation
Updated nixos/doc/manual/development/options-declarations.md with info on mkEnableOption and mkPackageOption.
Updated the comment on mkEnableOption in lib/options.nix
remove trailing whitespace
nixos/doc/option-declarations: Update IDs & formatting
nixos/docs/option-declarations: Escape angle brackets
Build DB from MD
(Amended) Fix typo
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
(Amended) Build DB from MD (again)
Release notes: https://github.com/swaywm/sway/releases/tag/1.7
Notable (backward incompatible) changes:
- The default terminal changed from Alacritty to foot
Known issues:
- `swaynag` will crash when Sway 1.6.1 is still running while the Nix
package (and thus `swaynag`) is already updated to version 1.7.
- The experimental Ozone/Wayland support of Electron apps will be broken
for a while. Electron version 17 should work but the Chromium fixes
haven't yet been backported to Electron version 16.
NixOS module: programs.sway.extraPackages: The "alacritty" package was
replaced with "foot".
VM test: We switched from the OpenGL ES 2.0 renderer to Pixman. The
terminal was also changed to foot but Alacritty is still used for the
XWayland test (since foot doesn't support X11).
Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
`register_new_matrix_user` is a script provided by the matrix-synapse
package to create a new matrix user on the command line.
This commit provides a wrapper around `register_new_matrix_user` that
automatically passes the url (and `registration_shared_secret`, if
present) as CLI arguments.
Some tests from the `nixos/tests` folder were missing in the `all-tests.nix`
file. This meant they couldn't be run from the `nixosTests` attribute
set and therefore not be linked to their packages.
- regenerate everything
- hardcode to build with node 14 (upstream doesn't support 16 yet)
- remove optional deps to make things build without python2
- set HOME in service environment to prevent crashing
Changes in node-*.nix are autogenerated.
Commit ca58bd0a50 broke the test networking.networkd.static. This happened because the test sets `networking.defaultGateway`. This is implemented by adding the gateway to the list of `routes` using `mkDefault`. The `routes` are then overridden by an empty list in the newly added code. Replace `mkDefault` with `id` so the two lists are merged and everything (hopefully) works as expected.
See https://github.com/NixOS/nixpkgs/pull/144590 for a more context.
LXC containers like those used by VPSAdminOS might want to install a bootloader
so passing `true` to `system.build.installBootLoader` without any priority specified,
causes a conflict for such systems with the recent `system.build` changes:
4014fb6a64
Fixes: https://github.com/NixOS/nixpkgs/issues/155839
If the Nix daemon has never been enabled (nix.enable has always been
set to false), the gcroots directory won't exist. If the Nix daemon
is later enabled, the GC roots for booted-system and current-system
will be missing, and they might end up being garbage collected. Since
it's cheap to add GC roots even if the daemon will never be enabled,
let's just always add them so we're okay in the case where the daemon
is enabled later.
As written, the nixos/quorum module will simply run forever, and has
been timing out in Hydra. Implement a fix for such by changing the final
statement from a wait_until_succeeds to simply succeed, forcing the test
to succeed or fail instead of run indefinitely.
- Fully get rid of `parseKeyValues` and use systemctl features for that
- Add some regex modifiers recommended by perlcritic
- Get rid of a postfix if
- Sort units when showing their status
- Clean the logic for showing what failed from `elif` to `next`
- Switch from `state` to `substate` for `auto-restart` because that's
actually where the value is stored
- Show status of units with one single systemctl call and get rid of
COLUMNS in favor of --full
- Add a test for failing units
Replace sleep() calls where possible, using wait_for_* methods. This
should provide more robustness in cases where tests are running on a
congested system.
Since dhcpd has been hardened (DynamicUser → NoNewPrivileges) it can't
use a setcap wrapper. Instead, we add the net_admin capability to it's
ambient set and run `ip route` directly. This is also safer that giving
everyone permisison to change the routing table.
This replaces the naive K=V unit parser with a proper INI parser from a
library and adds proper support for override files. Also adds a bunch of
comments about parsing, I hope this makes it easier to understand and
maintain in the future.
There are multiple reasons to do so, the first one is just general
correctness with is nice imo. But to get to more serious reasons (I
didn't put in all that effort for nothing) is that this is the first
step torwards more clever restart/reload handling. By using a library
like Data::Compare a future PR could replace the current way of
fingerprinting units (which is to compare store paths) by comparing the
hashes. This is more precise because units won't get restarted because
the order of the options change, comments are added, some dependency of
writeText changes, .... Also this allows us to add a feature like
`X-Reload-Triggers` so the unit can either be reloaded when these change
or restarted when everything else changes, giving module authors the
ability to have their services reloaded without having to fear that
updates are not applied because the service doesn't get restarted.
Another reason why this feature is nice is that now that the unit files
are parsed correctly (and values are just extracted from one section),
potential future rewrites can just rely on some INI library without
having to implement their own weird parser that is compatible with this
script.
This also comes with a new subroutine to handle systemd booleans because
I thought the current way of handling it was just ugly. This also allows
overriding values this script reads in an override file.
Apart from making this script more compatible with the world around it,
this also fixes two issues I saw bugging exactly 0 (zero) people. First
is that this script now supports multiple override files, also ones that
are not called override.conf and the second one is that `1` and `on` are
treated as bools by systemd but were previously not parsed as such by
switch-to-configuration.
Add test coverage for the enableConfiguredRecompile option, checking
that we can compile and exec a new xmonad from a user's local config, as
well as restart the originally configured xmonad.
As I needed a reliable way to wait for recompilation to finish before
proceeding with subsequent test steps, I adjusted the startup behavior
to write a file ("oldXMonad" or "newXMonad") to /etc upon startup, and
replaced some "sleep" calls with "wait_for_file".
Update the example config to show a working example for xmonad 0.17.0, which
added an argument to the `launch` function and adjusted the location of the
recompiled binary.
Since release 1.18.4, the ModemManager daemon no longer automatically
performs the FCC unlock procedure by default. The user must, under their
own responsibility, enable the automatic FCC unlock as shipped by
ModemManager.
Webclient only allows serving a web directory under /_matrix/client
This only incentivizes running the client under the same domain as the homeserver.
Which is not recommended due to CORS.
`assert` has the annoying property that it dumps a lot of code at the
user without the built in capability to display a nicer message. We have
worked around this using `assertMsg` which would *additionally* display
a nice message. We can do even better: By using `throw` we can make
evaluation fail before assert draws its conclusions and prevent it from
displaying the code making up the assert condition, so we get the nicer
message of `throw` and the syntactical convenience of `assert`.
Before:
nix-repl> python.override { reproducibleBuild = true; stripBytecode = false; }
trace: Deterministic builds require stripping bytecode.
error: assertion (((lib).assertMsg (reproducibleBuild -> stripBytecode)) "Deterministic builds require stripping bytecode.") failed at /home/lukas/src/nix/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/default.nix:45:1
After:
nix-repl> python.override { reproducibleBuild = true; stripBytecode = false; }
error: Deterministic builds require stripping bytecode.
Add a new type, inheriting 'types.str' but checking whether the value
doesn't contain any newline characters.
The motivation comes from a problem with the
'users.users.${u}.openssh.authorizedKeys' option.
It is easy to unintentionally insert a newline character at the end of a
string, or even in the middle, for example:
restricted_ssh_keys = command: keys:
let
prefix = ''
command="${command}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding
'';
in map (key: "${prefix} ${key}") keys;
The 'prefix' string ends with a newline, which ends up in the middle of
a key entry after a few manipulations.
This is problematic because the key file is built by concatenating all
the keys with 'concatStringsSep "\n"', with result in two entries for
the faulty key:
''
command="...",options...
MY_KEY
''
This is hard to debug and might be dangerous. This is now caught at
build time.
This commit introduces a new option
`services.nextcloud.nginx.recommendedHttpHeaders` that can be used to
optionally disable serving recommended HTTP Response Headers in nginx.
This is especially useful if some headers are already configured
elsewhere to be served in nginx and thus result in duplicate headers.
Resolves#120223
The `extraConfig` parameter only handles text - it doesn't support
arbitrary secrets and, with the way it's processed in the setup
script, it's very easy to accidentally unescape the echoed string and
run shell commands / feed garbage to bash.
To fix this, implement a new option, `config`, which instead takes a
typed attribute set, generates the `.env` file in nix and does
arbitrary secret replacement. This option is then used to provide the
configuration for all other options which change the `.env` file.
When upgrading bookstack, if something in the cache conflicts with the
new installation, the artisan commands might fail. To solve this, make
the cache lifetime bound to the setup service. This also removes the
`cacheDir` option, since the path is now handled automatically by
systemd.