The split of Ethereum into Execution Layer and Consensus Layer adds a
requirement for communication between execution client and consensus
client using secur JWT tokens. In Geth this is configurable using the
`--authrpc.*` CLI flags which are currently not exposed by this service.
For more details read the following article:
https://geth.ethereum.org/docs/interface/consensus-clients
Signed-off-by: Jakub Sokołowski <jakub@status.im>
These are now required otherwise startup fails with:
> TypeError: 'NoneType' object is not subscriptable
The chosen levels are stricter than default but don't require unsupported signing or DB editing so seem like a reasonable high bar for now. It is easy for users to lower the levels so it is better to be stricter by default.
Default levels: 0ce0588725/mautrix_facebook/example-config.yaml (L247-L263)
So far, we have been building Systemd without `BPF_FRAMEWORK`. As a
result, some Systemd features like `RestrictNetworkInterfaces=` cannot
work. To make things worse, Systemd doesn't even complain when using a
feature which requires `+BPF_FRAMEWORK`; yet, the option has no effect:
# systemctl --version | grep -o "\-BPF_FRAMEWORK"
-BPF_FRAMEWORK
# systemd-run -t -p RestrictNetworkInterfaces="lo" ping -c 1 8.8.8.8
This commit enables `BPF_FRAMEWORK` by default. This is in line with
other distros (e.g., Fedora). Also note that BPF does not support stack
protector: https://lkml.org/lkml/2020/2/21/1000. To that end, I added a
small `CFLAGS` patch to the BPF building to keep using stack protector
as a default.
I also added an appropriate NixOS test.
This make the process of applying overlays more reliable by:
1. Ignoring dtb files that are not really device trees. [^1]
2. Adding a `filter` option (per-overlay, there already is a global one)
to limit the files to which the overlay applies. This is useful
in cases where the `compatible` string is ambiguous and multiple
unrelated files match.
Previously the script would fail in both cases.
[^1]: For example, there is dtbs/overlays/overlay_map.dtb in the
Raspberry Pi 1 kernel.
using regular strings works well for docbook because docbook is not as
whitespace-sensitive as markdown. markdown would render all of these as
code blocks when given the chance.
a lot of markdown syntax has already snuck into option docs, many of it
predating the intent to migrate to markdown. we don't convert all of it
here, just that which is accompanied by docbook tags as well. the rest
can be converted by simply adding the mdDoc marker.
this renders the same in the manpage and a little more clearly in the
html manual. in the manpage there continues to be no distinction from
regular text, the html manual gets code-type markup (which was probably
the intention for most of these uses anyway).
In version 1.5.5 of fwupd the uefi plugin was renamed to
uefi-capsule. As part of those changes the configuration file was
renamed and changed.
This modules configuration mismatch was generally hidden because
when udisks2 is enabled fwupd will use that instead. Without
udisks2 the following warning is seen:
WARNING: UEFI ESP partition not detected or configured
While it might seem odd, 0.0.0.0/0 or ::/0 gateways are valid and
commonly used on point-to-point links (e.g. a wireguard tunnel) to
indicate that all traffic needs to be sent to a given interface.
systemd-networkd actually documents this as a valid configuration in its
man pages [1].
Tested to do the right thing in one of my NixOS containers using
a Wireguard tunnel as its default route.
[1] https://www.freedesktop.org/software/systemd/man/systemd.network.html#DefaultRouteOnDevice=
This does make the out-of-the-box install perhaps a bit worse, since
networking may need to be manually configured. However, it makes it less
frustrating that upon every start of this service, a *removed* autostart
network will be re-added when removed by the user. See
https://github.com/NixOS/nixpkgs/issues/73418 for details.
Behavior from other distros:
- Adds autostart net on install: Fedora
- Does not add autostart net : Debian, Arch
This does not break any existing installs since it does not affect any
autostart network already in-place.
Enable keter module
Keter is an apploader which:
1. has the old app running on a port.
2. loads a new one, and wait for that to complete
3. switches the old with the new one once the new one finished loading.
It supports more functionality but this use case
is the primary one being used by supercede.
Adds keter as a module to nixos.
Currently keter is unusable with nix,
because it relies on bundeling of a tar and uploading that to a specific folder.
These expressions automate these devops tasks,
with especially nixops in mind.
This will work with versions above 1.8
The test seems to work.
This uses a new version of keter which has good
support for status code on error pages.
We're using this config at production at supercede
so it should be fine.
Squash log:
==========
mention keter in changelog
Update generated release notes
Always restart keter on failure
This is a little bit of extra stability in case keter crashes.
Which can happen under extreme conditions (DoS attacks).
Update nixos/doc/manual/release-notes/rl-2205.section.md
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/module-list.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Remove sanitization
don't put domain in as a string
Update nixos/tests/keter.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
add jappie as module maintainer
Use type path instead of two seperate options
Fix generated docs
added test machinery to figure out why it's failing
Fix the test, use console output
run nixpkgs-fmt on all modules
Inline config file.
This get's rid of a lot of inderection as well.
Run nix format
remove comment
simplify executable for test
delete config file
add config for keter root
Remove after redis clause
set keter root by default to /var/lib/keter
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
fix nit
add newlines
add default text and move description in a long description
Delete rather obvious comment
fix release db thing
remove longDescription and put it in a comment instead
change description of mkEnalbeOption
explain what keter does by using the hackage synopsis
set domain to keterDomain and same for executable
move comment to where it's happening
fix type error
add formatting better comment
try add seperate user for keter
Revert "try add seperate user for keter"
This reverts commit d3522d36c96117335bfa072e6f453406c244e940.
Doing this breaks the setup
set default to avoid needing cap_net_bind_service
remove weird comment
use example fields
eleborated on process leakage
Update nixos/modules/services/web-servers/keter/default.nix
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
run nixpkgs-fmt
update docs
Fix formatting, set keter package by default
format our little nixexpr
replace '' -> " where possible
drop indent for multiline string
make description much shorter
regen docs database
Introduced by fd7d901133. The openldap
module now expects the database directory to be below
`/var/lib/openldap`, oterhwise it'll fail evaluation like this:
Failed assertions:
- Database dc=example,dc=org has `olcDbDirectory` (/var/db/openldap) that is not a subdirectory of
`/var/lib/openldap/`.
Other popular distros (OpenSuse, Ubuntu, Gentoo, Arch) read $HOME/.profile when starting X11 display managers.
When moving to nixOS, that is then broken leading to unpredictable behavior (probably programs not working).
This adds similar behavior to https://github.com/sddm/sddm/blob/develop/data/scripts/Xsession
Related to #185979
The `runsvc.sh` script wraps a JavaScript script which starts
`Runner.Listener` and also handles failures. This has the downside that
the service _always_ exits with status code 0, i.e., success. This
causes frequent service restarts when running in ephemeral mode with a
faulty config as Systemd always sees a success exit status. To prevent
this, this commit changes the service config to call `Runner.Listener`
directly. The JavaScript wrapper stops the process with a SIGINT, hence,
the Systemd unit now sends a SIGINT to stop the service.
Adds the module option `ephemeral`. If set to true, configures the
runner registration with the `--ephemeral` option. This causes the
runner to exit after processing a single job, to de-register itself, and
to delete its configuration. Afterward, systemd restarts the service
which triggers a new ephemeral registration with a clean state.
This commit introduces support for runner registrations through a
personal access token (PAT). To use a PAT instead of a registration
token, place an appropriately scoped PAT in `tokenFile`. If the file
contains a PAT, the configuration script queries a new runner
registration token. Using a runner registration token directly continues
to work as before.
Using the runtime directory as `RUNNER_ROOT` is wrong. We should always
use the state directory like we already do when invoking the runner
configure script. Otherwise, the runner constructs the wrong path for
some files (.credentials, .runner, ...).
This is to ensure the targets are stopped when nscd is stopped to
prevent races on switch. Example interaction: nscd is stopped, some
service that requires nss-user-lookup.target is restarted. Without this
PR, nss-user-lookup.target would still be active, hence the service
would start without nscd running.
This is image media, so use the override level designed for it. As
detailed in the definition for mkImageMediaOverride:
> image media profiles can be derived by inclusion into host config,
> hence needing to override host config, but do allow user to mkForce
Plausible fails on start because clickhouse is not ready,
when clickhouse has low CPU available, eg.
```nix
{systemd.services.clickhouse.serviceConfig.CPUWeight = 20;}
```
Fixed with
```nix
{systemd.services.plausible.after = [ "clickhouse.service" ];}
```
This was enabled by default in 18a7ce76fc
with the reason that it would be "useful regardless of the desktop
environment.", which I'm not arguing against.
The reason why this should not be enabled by default is that there are a
lot of systems that NixOS runs on that are not desktop systems.
Users on such systems most likely do not want or need this feature and
could even consider this an antifeature.
Furthermore, it is surprising to them to find out that they have this
enabled on their systems.
They might be even more surprised to find that they have polkit enabled
by default, which was a default that was flipped in
a813be071c. For some discussion as to why
see https://github.com/NixOS/nixpkgs/pull/156858.
Evidently, this default is not only surprising to users, but also module
developers, as most if not all modules for desktop environments already
explicity set services.udisks2.enable = true; which they don't need to
right now.
Currently, it is not possible to supply sensitive credentials like
`ldap_default_authtok` without writing them to the nix store. This
This commit introduces a new option `environmentFile` where those
credentials can be supplied via environment substitution.
commit 0507725061 ("setup-hooks/strip.sh: run RANLIB on static
archives after stripping") added an extra argument to `stripDirs()`
helper.
I did not realize it's used outside the strip hook itself. Restore
stripping by passing $RANLIB as a new argument.
...if cfgExpandOnBoot == "all", otherwise it fails during runtime:
```
Aug 06 19:38:05 nixos zpool-expand-pools-start[981]: /nix/store/ka3vivdray82mi9dql12yf258gkw643l-unit-script-zpool-expand-pools-start/bin/zpool-expand-pools-start: line 3: zpool: command not found
```
This commit prevents warning messages like
```
systemd-fstab-generator: Checking was requested for "/path/to/device", but it is not a device.
```
in `dmesg` when one of the filesystems 9p, cifs, prl_fs or vmhgfs is added to the list of `fileSystems`.
This happens because the generated /etc/fstab entry contains a non-zero fsck pass number, which doesn't make sense for these filesystems.
- improve some descriptions
- device -> devices
- add options
- extraArgs
- port
- create a symlink in RUNTIME_DIRECTORY
- grant it read permission of /dev/uinput
- relax network-related restrictions when port is used
- change type of some hardening options to list to align with systemd
- CapabilityBoundingSet
- IPAddressDeny
- SystemCallArchitectures
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.
no change to the manpage, changes to the HTML manual are whitespace only.
A warning regarding enabling NixOS containers and
virtualisation.containers at the same time with state versions < 22.05
had been added in commit 3c49151f15. But
this warning had accidentally been defined in the wrong place, and the
warning has therefore not actually been in effect. This commit fixes
that.
Upstream XMonad was using our xmonad patch file for their flake build to
support our nixos module. This would of course break the build upstream
if the version we patched and their master branch diverged. We
[discussed] that it'd make sense to upstream the environment var code.
In the process it seemed sensible to rename the NIX_GHC variable as
well, since it isn't really Nix-specific – it's just a way to set the
GHC binary to execute. This change has been [implemented] upstream in an
unreleased version of xmonad now – meaning we'll be able to drop the
xmonad patch soon!
This also clarifies the situation in nixpkgs a bit: NIX_GHC is easy to
confuse with the environment variable used in the ghcWithPackages
wrapper where it is used to set an alternative prefix for a GHC-wrapper
for applications trying to discover it via e.g. ghc-paths. It is an
implementation detail in this context, as it is in the case of the
xmonad module. Since they are different implementations doing different
things, different names also make sense.
[discussed]: 36d5761b3e
[implemented]: 23f36d7e23
A larger number of bluetooth components were introduced in 2022.8.0. To
make them work we need to add a hardening exception, so they can
discover and use bluetooth devices.
Call dbus by using `$cur_systemd/busctl --json=...` and core modules
JSON::PP and IPC::Cmd to slim down dependencies for baseSystem.
perlPackages.NetDBus pulls in quite a few other dependencies, like
XML::Twig, LWP, and HTTP::Daemon. These are not really neccecary for
s-t-c, and some of them have caused issues particularly with cross
builds after updates to perlPackages.
make (almost) all links appear on only a single line, with no
unnecessary whitespace, using double quotes for attributes. this lets us
automatically convert them to markdown easily.
the few remaining links are extremely long link in a gnome module, we'll
come back to those at a later date.
we can't embed syntactic annotations of this kind in markdown code
blocks without yet another extension. replaceable is rare enough to make
this not much worth it, so we'll go with «thing» instead. the module
system already uses this format for its placeholder names in attrsOf
paths.
markdown can't represent the difference without another extension and
both the html manual and the manpage render them the same, so keeping the
distinction is not very useful on its own. with the distinction removed
we can automatically convert many options that use <code> tags to markdown.
the manpage remains unchanged, html manual does not render
differently (but class names on code tags do change from "code" to "literal").
our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.
only whitespace changes to generated documents, except for two
strongswan options gaining paragraph two breaks they arguably should've
had anyway.
Enabling soju without providing a value for tlsCertificate currently
results in:
error: The option `services.soju.tlsCertificate' is used but not
defined.
Since tlsCertificate is intended to be optional, set default to null.
Additionally, add assertions to ensure that both tlsCertificate and
tlsCertificateKey are either set or unset.
Now the tool will only strip binaries if a strip executable is passed
via the STRIP environment variable. This is exposed via the strip
option for makeInitrdNG and the NixOS option boot.initrd.systemd.strip.
The systemd-coredump module required systemd to be built with
withCoredump=true, even if the module was disabled.
- allow systemd to be missing systemd-coredump if the module is disabled
- switch to mkDefault for the sysctl config to allow user overrides when
the module is disabled
- add nixos tests for both the enabled and disabled cases
`cosigned` is no more part of the cosign repository and it has been moved
into a `sigstore/policy-controller` repository. A new package should probably
be created to replace it.
https://github.com/sigstore/cosign/releases/tag/v1.10.0
Instead of enabling the PAM modules based on config.krb5.enable,
introduce a new option to control the PAM modules specifically.
Users may want to turn on config.krb5.enable, to get a working Kerberos
client config with tools like kinit, while letting pam_sss or something
else handle Kerberos password lookups.