Fixes problems such as:
```
systemd[1]: Failed to put bus name to hashmap: File exists
systemd[1]: dbus-org.freedesktop.nm-dispatcher.service: Two services allocated for the same bus name org.freedesktop.nm_dispatcher, refusing operation.
```
Problem is that systemd treats symlinks to files outside the service
path differently, causing our old workaround to look like two separate services.
These symlinks are intended to be a means for manually emulating
the behavior of the `Alias=` directive in these services.
Unfortunately even making these symlinks relative isn't enough,
since they don't make it to where it matters--
that only makes the links in /etc/static/systemd/system/*
relative, with systemd still being shown non-relative links
in /etc/systemd/system/*.
To fix this, drop all of this at the package level
and instead simply specify the aliases in the NixOS modules.
Also handle the same for modemmanager,
since the networkmanager NixOS module also handles that.
During the last update, `hydra-notify` was rewritten as a daemon which
listens to postgresql notifications for each build[1]. The module
uses the `hydra-notify.service` unit from upstream's Hydra module and
the VM test ensures that email notifications are sent properly.
Also updated `hydra-init.service` to install `pg_trgm` on a local
database if needed[2].
[1] c7861b85c4
[2] 8a0a5ec3a3
IE6 is long gone and this directive is not useful anymore. We can
spare a few CPU cycles (and maybe skip some bugs) by not trying to
disable gzip for MSIE6.
This option was added in 6336048c58 but it
is essentially a complete duplicate of the existing cfg.servers and
there seems to be no reason to keep maintaining it.
Furthermore, it requires annoying duplication if you try to do option
merging, e.g. merging in sets into your configuration.nix that add
`services.chrony.initstepslew` options will overwrite the servers option
unless you keep it, but that means you just have to duplicate
config.networking.timeServers again anyway which is an implementation
detail!
Signed-off-by: Austin Seipp <aseipp@pobox.com>
'iburst' allows chrony to make very quick adjustments to the clock by
doing a couple rapid measurements outside of the default 'minpoll'
option. This helps improve rapid time adjustment at boot, and is enabled
by default.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This is reckless, ill-advised, pointless, and I will be scorned for it,
but it makes me feel a lot better.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
When mailman-web restarts, it removes the generated "static" directory. This
breaks a currently running httpd process, which needs a re-start, too, to
obtain a new handle for the newly generated path.
Rules are a translation of what's done in the
GDM module and adjustments based on looking at
Arch Linux's configuration and upstream's.
A side effect of this change is that gnome-keyring
and kwallet modules should work as expected when
included.
Fixes #64259 #62045
Adds the ability to make any parameter specified in extraConfig secret
by defining it as an attrset containing the attr _secret, which in turn
is a path to a file containing the actual secret.
Use the postgresql module to provision a local db (if
databaseCreateLocally is true) instead of doing this locally.
Switch to using the local unix socket for db connections by default;
this is needed since dbs created by the postgresql module only support
peer authentication.
Instead of running the rake tasks db:schema:load, db:migrate and
db:seed_fu, run gitlab:db:configure, which in turn runs these tasks
when needed.
Solves issue #53852 for gitlab.
Add support for storing secrets in files outside the nix store, since
files in the nix store are world-readable and secrets therefore can't
be stored safely there.
The old string options are kept, since they can potentially be handy
for testing purposes, but their descriptions now state that they
shouldn't be used in production. The manual section is updated to use
the file options rather than the string options and the tests now test
both.
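To illustrate the `_secret` attrset and the file-based secret options described in the commit messages above, here is an added example (not the NixOS module's own code) of resolving such placeholders at service start rather than at build time. The key names and sample secret are constructed, and the nix-store and file-mode checks are assumptions of this sketch, not behaviour the commits state.

```python
import json
import os
import stat
import tempfile

STORE_PREFIX = "/nix/store/"  # world-readable, per the commit message above


def read_secret(path):
    """Return the secret in `path`, refusing locations that defeat the purpose."""
    real = os.path.realpath(path)
    if real.startswith(STORE_PREFIX):
        raise ValueError(f"{path}: secret file lives in the world-readable nix store")
    mode = os.stat(real).st_mode
    # Assumed policy for this sketch: only the owner may read the file.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        raise ValueError(f"{path}: readable by group/other (mode {stat.S_IMODE(mode):o})")
    with open(real) as fh:
        return fh.read().strip()


def resolve_secrets(node):
    """Recursively replace every {"_secret": "/path"} attrset with the file's content."""
    if isinstance(node, dict):
        if set(node) == {"_secret"}:
            return read_secret(node["_secret"])
        return {key: resolve_secrets(value) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve_secrets(item) for item in node]
    return node


def demo():
    """Constructed sample: one secret parameter nested in an extraConfig-like tree."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "app_secret")
        with open(secret_path, "w") as fh:
            fh.write("s3cr3t-constructed\n")
        os.chmod(secret_path, 0o600)
        # What the build would write to the store: only the path, never the value.
        rendered_at_build = {"omniauth": {"providers": [
            {"name": "example", "app_secret": {"_secret": secret_path}}]}}
        return resolve_secrets(rendered_at_build)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the path to the secret ends up in the build output; the value is read when the service starts, from a file the service user alone can read.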
* remove kinetic
* release note
* add johanot as maintainer
nixos/ceph: create option for mgr_module_path
- since the upstream default is no longer correct in v14
* fix module, default location for libexec has changed
* ceph: fix test
* maintain only one version
* ceph-client: init
* include ceph-volume python tool in output
nixos/ceph: extraConfig, fix test, wait for ceph-mgr to become active
* run ceph with disk group permission
* add extraConfig option for the global section
needed per cluster
* clear up how ceph.conf is generated
* fix ceph testcase
Since we moved gsettings-desktop-schemas to top-level, gnome3.glib-networking was the same as glib-networking.
We could try to make the top-level variant not depend on gsettings-desktop-schemas again but that is probably
pointless, as the dependency is rather small compared to things like libproxy. Instead, we will just drop
the package in gnome3 attr set and always rely on the top-level expression.
Since https://github.com/NixOS/nixpkgs/pull/61321, local-fs.target is
part of sysinit.target again, meaning units without
DefaultDependencies=no will automatically depend on it, and the manual
set dependencies can be dropped.
The redis module currently fails to start up, most likely due to running
a chown as non-root in preStart.
While at it, I hardcoded it to use systemd's StateDirectory and
DynamicUser to manage directory permissions, removed the unused
appendOnlyFilename option, and the pidFile option.
We properly tell redis now it's daemonized, and it'll use notify support
to signal readiness.
Adds:
- gnome-color-manager
- services.avahi
It appears that GeoClue requires its daemon and IIRC has
been default enabled in other distros for a while.
- orca
It's the default screen-reader.
Any system uid will do, so we let the system allocate
one for us. The 'mailman' group is gone entirely since
we don't need it. Users who wish to run the 'mailman'
administration utility can do so via 'sudo':
$ sudo -u mailman mailman info
Also, simplify the syntax of our user.users entry to
rely on an attribute set rather than a list.
* nixos/acme: Fix ordering of cert requests
When subsequent certificates would be added, they would
not wake up nginx correctly due to target units only being triggered
once. We have now added more fine-grained systemd dependencies to make sure
nginx always is aware of new certificates and doesn't restart too early
resulting in a crash.
Furthermore, the acme module has been refactored. Mostly to get
rid of the deprecated PermissionStartOnly systemd options which were
deprecated. Below is a summary of changes made.
* Use SERVICE_RESULT to determine status
This was added in systemd v232. We don't have to keep track
of the EXITCODE ourselves anymore.
* Add regression test for requesting multiple domains
* Deprecate 'directory' option
We now use systemd's StateDirectory option to manage
creation and permissions of the acme state directory.
* The webroot is created using a systemd.tmpfiles.rules rule
instead of the preStart script.
* Depend on certs directly
By getting rid of the target units, we make sure ordering
is correct in the case that you add new certs after already
having deployed some.
Reason it broke before: acme-certificates.target would
be in active state, and if you then add a new cert, it
would still be active and hence nginx would restart
without even requesting a new cert. Not good! We
make the dependencies more fine-grained now. This should fix that.
* Remove activationDelay option
It complicated the code a lot, and is rather arbitrary. What if
your activation script takes more than activationDelay seconds?
Instead, one should use systemd dependencies to make sure some
action happens before setting the certificate live.
e.g. If you want to wait until your cert is published in DNS DANE /
TLSA, you could create a unit that blocks until it appears in DNS:
```
RequiredBy=acme-${cert}.service
After=acme-${cert}.service
ExecStart=publish-wait-for-dns-script
```
The custom session script is always executed (when it exists). This change
passes the selected session script and selected session name to the custom session
script, so that it can defer to the selected session script based on the value
of the selected session name.
The `keys.target` is used to indicate whether all NixOps keys were
successfully uploaded on an unattended reboot. However this can cause
startup issues e.g. with NixOS containers (see #67265) and can block
boots even though this might not be needed (e.g. with a dovecot2
instance running that doesn't need any of the NixOps keys).
As described in the NixOps manual[1], dependencies to keys should be
defined like this now:
``` nix
{
  systemd.services.myservice = {
    after = [ "secret-key.service" ];
    wants = [ "secret-key.service" ];
  };
}
```
However I'd leave the issue open until it's discussed whether or not to
keep `keys.target` in `nixpkgs`.
[1] https://nixos.org/nixops/manual/#idm140737322342384