This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.
The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.
If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This subtest actually serves two purposes:
1. Test manual PKI configuration
2. Test changing of configuration files
In order to only test manual PKI configuration it would have been enough
to just add another server with a manual config.
But as the switch from automatic PKI config to manual config is probably
one of the most fundamental changes in configuration, it serves
*very* well to also check whether changes in the NixOS configuration
actually have an impact in the real system.
So instead of adding another server, we now create a dummy "newServer"
machine, which is the new configuration for "server" and use
switch-to-configuration to switch "server" to the config of "newServer".
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disadvantage that
once we change the real configuration file the store path is also a
different one.
So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.
Another problem is that we only added the include directive on the first
initialization, so whenever there is *any* configuration change, it won't
affect anything.
We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.
This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.
Instead we now have an attribute set that is mapped down to
configuration options.
Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.
So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.
One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are handled as well.
Another advantage is that we now have a uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The error message displays that a specific user doesn't exist in an
organisation, but uses the User object's name attribute to show which
user it was.
This is basically a very stupid chicken and egg problem and easily fixed
by using the user name provided on the command line.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
A long-time issue and one of the reasons I've never used that function
before. So let's remove that todo-comment and escape the contents
properly.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
reason: after the upgrade of iputils from 20151218 to 20161105
functionality of ping6 and tracepath6 was merged into ping and tracepath.
Ping is now mostly a drop-in replacement for ping6, except that selecting a
specific interface is done by encoding it into the address (ex.: fe80::1%eth0)
rather than specifying it with the `-I` flag.
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module simplifies such a
configuration to simply:
```nix
programs.wireshark.enable = true;
```
The setuid wrapper is available for users in the 'wireshark' group.
Changes v1 -> v2:
- add "defaultText" to the programs.wireshark.package option (AFAIK,
  that prevents the manual from being needlessly rebuilt when the
  package changes)
Since the bonds interface changed to a lot more possible values we create a
mapping of kernel bond attribute names and values to networkd attributes.
Those match for the most part, but have to be transformed slightly.
There is also an assert that unknown options won’t slip through silently.
Until now the four attributes available very selectively provided a small
subset, while copying upstream documentation.
We make driver options an arbitrary key-value set and point to kernel
documentation, which is always up-to-date. This way every option can be set.
The four already existing options are deprecated with a warning.
The initialization code is now a systemd service that explicitly
waits for network-online, so the occasional failure I was seeing
because the `nixos-rebuild` couldn't get anything from the binary
cache should stop. I hope!
* The source attribute is mandatory, not optional
* The program attribute is optional
* Move the info about the mandatory attribute first (most important,
  IMHO)
Previously, netdev units for network interfaces defined in the nixos
configurations would bindTo the systemd device unit of the interface if
not in a container.
In situations where you switch to a new nixos configuration with changes
to network-setup.service (like nameservers) and have stacked interfaces
like vlans on a bond, it would fail to propagate restarts to the netdevs
correctly resulting with broken networking. The bond would be present
but no vlan interfaces rendering the machine unreachable.
My fear is that the udev events fail to propagate correctly while a systemd
transaction that is also restarting the triggered netdev service is running.
This commit changes this behaviour so netdev services bindTo other netdev
services if present and otherwise fall back to the previous behaviour.
We also noticed that stacked interfaces would sometimes seemingly be stopped
in the wrong order. For instance in the above example, the bond interface
would be deleted before the vlan interfaces resulting in the vlan interfaces
not being present when their service is being stopped. This would cause the
systemd transaction to fail and thus break networking. Their postStop hooks
are now allowed to fail as we have reached the desired state.
fix #22709
Recent pvgrub (from Grub built with “--with-platform=xen”) understands
the Grub2 configuration format. Grub legacy configuration (menu.lst) is
ignored.
The GeoIP databases from MaxMind have no stable URLs and change every
month (or so). Our current method of packaging these databases in Nix and
playing catch-up with ever-changing file hashes is a bad idea. For
instance, it makes it impossible to realize old NixOS configurations.
This patch adds a NixOS service that periodically updates the GeoIP
databases in /var/lib/geoip-databases. Moving NixOS modules over can be
done in later patches.
I tried adding MD5 check, but not all databases have them, so I skipped
it. We are downloading over HTTPS though, it should be good. I also
tried adding zip support, but the first zip file I extracted had a
different filename inside than the archive name, which breaks an
assumption in this service, so I skipped that too.
Changes v9 -> v10:
- Pass "--max-time" to curl to set upper bound on downloads (ensures
  no indefinite hanging if there's a problem with networking).
  Timeout for network connectivity check: 60s.
  Timeout for geoip database (each): 15m.
Changes v8 -> v9:
- Mention the random timer delay in the documentation for the
  'interval' option.
Changes v7 -> v8:
- Add "RemainAfterExit=true" for the setup service, so it won't be
  restarted needlessly. (Thanks @danbst!)
Changes v6 -> v7:
- Add --skip-existing flag to geoip-updater, which skips updating
  existing database files. Pass that flag when we run the service on
  boot (and on any NixOS configuration change).
  (IMHO, this is somewhat a workaround for systemd persistent timers
  not being triggered immediately when a timer has never expired
  before. But it does have the nice side effect of ensuring that the
  installed databases always correspond to the configured ones, since
  the service is now always run after configuration changes.)
Changes v5 -> v6:
- Update database files atomically (per DB)
- If a database is removed from the configuration, it'll be removed
  from /var/lib/geoip-databases too (on next run).
- Add NixOS module assertion so that if user inputs non- .gz or .xz
  file there will be a build time error instead of runtime.
- Run updater as user "nobody" instead of "root".
- Rename NixOS service from "geoip-databases" to "geoip-updater".
- Drop RemainAfterExit, or else the timer won't trigger the unit.
- Bring back "curl --fail", or else we won't catch and log curl
  failures.
Changes v4 -> v5:
- Add "GeoLite2-City.mmdb.gz" to default database list.
Changes v3 -> v4:
- Remove unneeded geoip-updater-setup.service after adding
  'wantedBy = [ "multi-user.target" ]' directly to
  geoip-updater.service
- Drop unneeded "Service" name from service descriptions.
Changes v2 -> v3:
- Network may be down when starting from a cold boot, so try a few
  times. Possibly, if using systemd-networkd, it'll pass on the first
  try. But with default DHCP on NixOS, the service is started before
  hostnames can be resolved and thus we need a few extra seconds.
- Add error handling and mark service as failed if fatal error.
- Add proper syslog log levels.
- Add RandomizedDelaySec=3600 to the timer to not put high load on the
  MaxMind servers. Suggested by @Mic92.
- Set RemainAfterExit on geoip-updater.service instead of
  geoip-updater-setup.service. (The latter is only a proxy that pulls
  in the former service).
Changes v1 -> v2:
  From Данило Глинський (Danylo Hlynskyi) <abcz2.uprola@gmail.com>:
  nixos/geoip-databases: add `databases` option and fix initial setup
  There were two great issues when using this service:
  - When you just enable service, databases aren't downloaded, they are
    downloaded when timer triggers. Fixed this with automatic download on
    first system activation.
  - When there is no internet, updater outputs nothing to logs, which is
    IMO misbehavior. Fixed this with removing `--fail` option, better be
    explicit here.
The Raspberry Pi boot loader was deleting all xx-initrd text files
(which simply contain the path to the actual initrd files) just after
having created them. The code was actually trying to delete real,
obsolete initrd files, which are named <hash>-initrd-initrd (after path
cleaning), but the glob was catching the other files as well.
Turns out all variants of start.elf and fixup.dat are needed (depending
on what's in config.txt). I was under the mistaken impression that you
were supposed to rename one of the variants to switch using them, but
nope.
A very simple skeleton for now that doesn't attempt to model any of
the agent configuration, but we can grow it later. Tested and works
on an EC2 instance with ECS.
Recent versions of libreswan seem to omit this file, but it may be added/changed in the future. It is silly to have the service fail because a file is missing that only enriches the environment.
This fixes an issue where `nixops deploy` wouldn't restart the chrony
service when the chrony configuration changed, because it wouldn't
detect that `/etc/chrony.conf` was a dependency of the chrony service.
The tests have failed because Chromium has started up displaying the
following error message in a dialog window:
```
Chromium can not be run as root.
Please start Chromium as a normal user. If you need to run as root for
development, rerun with the --no-sandbox flag.
```
So let's run as user "alice" and pass all commands using the small
helper function "ru" (to keep it short, it's for "Run as User").
Tested it by running the "stable" test on x86_64-linux.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: @globin
Regression introduced by 0cb487ee04.
This changed the result for defaultGateway to be a submodule instead of
just a plain string, so instead of using just cfg.defaultGateway we need
to pass cfg.defaultGateway.address now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
From Postfix documentation:
With this setting, the Postfix SMTP server will not reject mail with "User
unknown in local recipient table". Don't do this on systems that receive mail
directly from the Internet. With today's worms and viruses, Postfix will become
a backscatter source: it accepts mail for non-existent recipients and then
tries to return that mail as "undeliverable" to the often forged sender
address.
20e81f7c0d prevented key generation in
`preStart`, leaving the service broken for the case where the user has
no pre-existing key.
Eventually, we ought to store the state elsewhere so that `/etc` can be
read-only but for now we fix this the easy way.
Pushing to gogs only works if the `gogs` user's shell is `bash`. For error and
solution, refer to [this SO thread](http://stackoverflow.com/a/22315659)
DBus daemon now loads its config from /run/current-system/dbus.
Reloading the daemon makes it re-read that file and catch the updates
after a system upgrade.
Offline mode: When adding a lot of data, start this service.
It will not flood the DHT since it only exposes the API.
When you are done simply reverse the process.
The tag wasn't properly closed which caused the manual build to fail.
Tested with: nix-build nixos/release.nix -A manual.x86_64-linux
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Allow password login to the installation; this allows doing remote installation
via SSH. All that needs to be done on the local machine is:
1. Boot from the installation media
2. Set a password with `passwd`
3. Enable SSH with `systemctl start sshd`
It is safe as root doesn't have a password by default
and SSH is disabled by default.
Fixes #20718
This allows overriding the `server_name` attribute of virtual
hosts. By doing so it is possible to have multiple virtualHost
definitions that share the same `server_name`. This is useful in
particular when you need a HTTP as well as a HTTPS virtualhost: same
server_name, different port.
A default of 0 means that if you deploy two NixOS boxes with the default
configuration, the second will fail because the brokerId was already in
use. Using -1 instead tells it to pick one automatically at first start.
This provides a default console_cmd for the slim display-manager.
When the user enters "console" as the user name, slim will run this
command.
Having a default is rather important; the virtual terminals don't work
with some display drivers, so having a broken X session can leave you
locked out of your machine.
Without it, the following error is shown in the "Add Printer" window:
Failed to group devices: 'The name org.fedoraproject.Config.Printing was not provided by any .service files'
* Fix the FW names
  FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw.
* Update the comment (documentation) at the top
  Order the chains of the main table alphabetically (like in the rest of
  the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop
  (used while reloading the firewall).
* Refactor the module (mainly comments)
  - Move some attributes to the top for better visibility (that should
    hopefully make it easier to read and understand this module without
    jumping around too much).
  - Add some missing examples and improve some descriptions.
  - Reorder the mkOption attributes for consistency.
  - Wrap lines at 72 characters.
  - Use two spaces between sentences.
This patch adds a new argument to Nixpkgs default expression named "overlays".
By default, the value of the argument is either taken from the environment variable `NIXPKGS_OVERLAYS`,
or from the directory `~/.nixpkgs/overlays/`. If the environment variable does not name a valid directory
then this mechanism would fall back on the home directory. If the home directory does not exist it will
fall back on an empty list of overlays.
The overlays directory should contain the list of extra Nixpkgs stages which would be used to extend the
content of Nixpkgs, with an additional set of packages. The overlays, i.e. directory, files, symbolic links
are used in alphabetical order.
The simplest overlay which extends Nixpkgs with nothing looks like:
```nix
self: super: {
}
```
More refined overlays can use `super` as the basis for building new packages, and `self` as a way to query
the final result of the fix-point.
An example of overlay which extends Nixpkgs with a small set of packages can be found at:
https://github.com/nbp/nixpkgs-mozilla/blob/nixpkgs-overlay/moz-overlay.nix
To use this file, check out the repository and add a symbolic link to
the `moz-overlay.nix` file in `~/.nixpkgs/overlays` directory.
This adds pulseaudio.daemon.config, which is a set of keys to values
which are directly translated to keys and values of pulseaudio's
daemon.conf, e.g.
```nix
hardware.pulseaudio.daemon.config = { flat-volumes = "no"; };
```
becomes
```
flat-volumes=no
```
in pulse/daemon.conf.
The reason being less mental overhead when reading upstream
documentation. Examples can be pasted right into the configuration
instead of translating to Nix attrset first.
Make sure that the output of the sieve compiler produces files that
have a newer time stamp than the source sieve script. Otherwise you
get errors in the logs about Dovecot not being able to compile due to a
permission issue.
ckb is a driver for Corsair keyboards/mice. It also contains a graphical tool for configuring their LED backlight settings.
The driver is implemented as a userland daemon. A NixOS module is included that runs this as a systemd service.
The content of programs.zsh.interactiveShellInit was
inserted too soon in the generated zshrc.
This caused some settings related to autocompletion to be ignored.
This reverts commit 712e62c260.
This commit broke NixOS containers. Systemd wouldn't detect if a container
started successfully and would kill it again after a grace period.
Additionally this prints mount errors due to already mounted filesystems
at boot.
I have left in 2 NixOS custom config directives, so the configuration
should be the same with the only change in behaviour being that the
service is not eagerly loaded but in fact only socket activated, which
it should be.
Using outputsToInstall the intended behaviour of including host and dnsutils
when bind is installed can be implemented instead of using symlinks to fix
installing all outputs individually with nix-env.
Fixes #19761.
It hides bugs and do you ever actually want to serve up an empty directory?
It was pretty confusing to me when it tried to write into a read-only store
path because I accidentally pointed it to the wrong store path.
Until now nixos only delivered the latest zfs release. This release is often not
compatible with the latest mainline kernel. Therefore an unstable variant is
added, which might be based on testing releases or git revisions.
fixes #21359