Since the update to wlroots 0.13 (e03dde82a7) the default VGA card
isn't supported anymore and we needed to switch to virtio (qxl didn't
work either). However, as it turned out "-vga virtio" (28b8cff301)
broke the test on AArch64. Luckily there's a third option that works on
all three supported platforms: virtio-gpu-pci
According to [0] "This device lacks VGA compatibility mode but is
otherwise identical to the virtio vga device. UEFI firmware can handle
this, and if your guests has drivers too you can use this instead of
virtio-vga. This will reduce the attack surface (no complex VGA
emulation support) and reduce the memory footprint by 8 MB (no pci
memory bar for VGA compatibility). This device can be placed in a PCI
Express slot."
So in the end this seems like the ideal choice :)
See also [1].
[0]: https://www.kraxel.org/blog/2019/09/display-devices-in-qemu/#virtio-gpu-pci
[1]: https://patches.openembedded.org/patch/164351/
The tests timeout on AArch64 (e.g. [0] and [1]), likely because the QEMU
option "-vga virtio" isn't supported there (unfortunately I currently
lack access to an AArch64 system with NixOS to investigate).
This also affects the test for Cage but that one is already limited to
x86_64-linux.
[0]: https://hydra.nixos.org/build/144148809
[1]: https://hydra.nixos.org/build/144103034
Sway is a Wayland compositor. It should have a smaller userbase than
Gnome and KDE but Sway plays an important role in the Wayland ecosystem
(it is e.g. maintained by Simon Ser who also maintains wlroots, Wayland,
and Weston (the reference compositor) and contributes to a lot of
important packages in the Wayland ecosystem). Sway also comes with much
fewer dependencies than large desktop environments.
This should make the Sway VM test an ideal choice for testing updates to
core packages (e.g. wayland, wayland-protocols, wlroots, libdrm, mesa,
and xwayland - I maintain all but XWayland in Nixpkgs) and test failures
should be much easier to debug.
The test is fairly new but so far all 18 Hydra builds on x86_64-linux
have succeeded [0]. I'm actively maintaining the test and can look into
build failures if I'm pinged.
[0]: https://hydra.nixos.org/job/nixos/trunk-combined/nixos.tests.sway.x86_64-linux/all
The absence of current-context in the right place resulted in obscure
bugs. The reason this has not been detected before can only be that
it was unused.
Adds includeStorePaths, allowing the omission of the store paths.
You generally want to leave it on, but tooling may disable this
to insert the store paths more efficiently via other means, such
as bind mounting the host store.
This should help in rare hardware-specific situations where the root is
not automatically detected properly.
We search using a marker file. This should help some weird UEFI setups
where the root is set to `(hd0,msdos2)` by default.
Defaulting to `(hd0)` by looking for the ESP **will break themeing**. It
is unclear why, but files in `(hd0,msdos2)` are not all present as they
should be.
This also fixes an issue introduced with cb5c4fcd3c
where rEFInd stopped booting in many cases. This is because it ended up
using (hd0) rather than using the `search` which was happening
beforehand, which in turn uses (hd0,msdos2), which is the ESP.
Putting back the `search` here fixes that.
This technically changes nothing. In practice `$root` is always the
"CWD", whether searched for automatically or not.
But this serves to announce we are relying on `$root`... I guess...
Enforce UMask on the systemd unit to restrict the permissions of files
created. Especially the homeserver signing key should not be world
readable, and media is served through synapse itself, so no other user
needs access to these files.
Use a prestart chmod to fixup the permissions on the signing key.
In newer versions of Nix (at least on 2.4pre20201102_550e11f) the
`extra-` prefix for config options received a special meaning and the
option `extra-sandbox-paths` isn't recognized anymore. This commit fixes
it.
It doesn't cause a behavior change when using older versions of Nix but
does cause an extra newline to appear in the config, thus changing the
hash.
Instead of requiring the user to bundle the certificate and private
key into a single file, provide separate options for them. This is
more in line with most other modules.
`install` copies the files before setting their mode, so there could
be a breif window where the secrets are readable by other users
without a strict umask.
Feeding `psql` the password on the command line leaks it through the
`psql` process' `/proc/<pid>/cmdline` file. Using `echo` to put the
command in a file and then feeding `psql` the file should work around
this, since `echo` is a bash builtin and thus shouldn't spawn a new
process.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
The PAM config deployed would not check anything meaningful. Remove it
and rely on the defaults in the security.pam module to fix login with
arbitrary credentials.
Resolves: #123435
It was basically just a `environment.systemPackages` synonym,
only GNOME used it, and it was stretching the responsibilities
of the flatpak module too far.
It also makes it cleaner to avoid installing the program
using GNOME module’s `excludePackages` option.
Partially reverts: https://github.com/NixOS/nixpkgs/pull/101516
Fixes: https://github.com/NixOS/nixpkgs/issues/110310
Starting Cagebreak as X11 client doesn't work anymore as wlroots 0.13
started to require the DRI3 extension which isn't supported by LLVMpipe:
machine # [ 13.508284] xsession[938]: 00:00:00.003 [ERROR] [backend/x11/backend.c:433] X11 does not support DRI3 extension
machine # [ 13.666989] show_signal_msg: 62 callbacks suppressed
machine # [ 13.666993] .cagebreak-wrap[938]: segfault at 8 ip 0000000000408574 sp 00007ffef76f2440 error 4 in .cagebreak-wrapped[407000+d000]
machine # [ 13.670483] Code: f4 ff ff 4c 8b 84 24 70 01 00 00 8d 45 01 48 89 c5 49 8b 3c c0 48 85 ff 75 e4 4c 89 c7 e8 84 f4 ff ff 48 8b bc 24 18 01 00 00 <48> 8b 47 08 4c 8d 6f d8 48 8d 68 d8 48 39 df 75 0e eb 36 66 0f 1f
machine # [ 13.518274] xsession[938]: 00:00:00.006 [ERROR] [../cagebreak.c:313] Unable to create the wlroots backend
The test broke after updating Cagebreak in #121652 (bf8679ba94).
XWayland still fails for unknown reasons:
Modifiers specified, but DRI is too old
libEGL warning: DRI2: failed to create dri screen
libEGL warning: NEEDS EXTENSION: falling back to kms_swrast
glamor: No eglstream capable devices found
glamor: 'wl_drm' not supported
Missing Wayland requirements for glamor GBM backend
Missing Wayland requirements for glamor EGLStream backend
Failed to initialize glamor, falling back to sw
00:00:03.534 [ERROR] [xwayland/server.c:252] waitpid for Xwayland fork
failed: No child processes
(EE) failed to write to XWayland fd: Broken pipe
/nix/store/kcm3x8695fgycf31grzl9fy5gggwpram-xterm-367/bin/xterm: Xt
error: Can't open display: :0
The fallback to software rendering is to be expected but it looks like
XWayland is crashing with "failed to write to XWayland fd: Broken pipe".
`systemd.network.networks.*.dhcpServerConfig` did not accept all of
the options which are valid for networkd's [DHCPServer] section. See
systemd.network(5) of systemd 247 for details.
