The `platform` field is pointless nesting: it's just stuff that happens
to be defined together, and that should be an implementation detail.
This instead makes `linux-kernel` and `gcc` top level fields in platform
configs. They join `rustc` there [all are optional], which was put there
and not in `platform` in anticipation of a change like this.
`linux-kernel.arch` in particular also becomes `linuxArch`, to match the
other `*Arch`es.
The next step after is this to combine the *specific* machines from
`lib.systems.platforms` with `lib.systems.examples`, keeping just the
"multiplatform" ones for defaulting.
Judging from `"${pkgs.element-web}/config.sample.json"`,
this needs be a URL starting with `https://`; without it one gets:
Your Element is misconfigured
Invalid base_url for m.homeserver
Use new command-line flags of release 0.3.0 and always answer with the
expected XML in the VM test instead of using a test-specific fixed path.
Co-authored-by: ajs124 <git@ajs124.de>
In the default configuration we have timers for creating and deleting
snapper snapshots, and it looks like if we just create configs with
correct mountpoints we will get automatic snapshots (which either
used to be true, or seems to be only true on Archlinux according to
their wiki). In default snapper configuration TIMELINE_CREATE and
TIMELINE_CLEANUP are set to "no", so just providing configs won't
be enough for having automatic backups, which are the main usecase
for snapper. In other linux distributions you would use `snapper
create-config` to generate configs for partitions and you'd have a
chance to notice that TIMELINE_CREATE is set to no. Also, my guess is
that it might be set to no by default for safety reasons in regular distros,
so that the config won't be actioned upon until the user finishes
customizing it.
Added JWT_SECRET and INTERNAL_TOKEN to be persistent, like SECRET_KEY and LFS_JWT_SECRET do. Also renamed some vars belonging to SECRET_KEY and LFS_JWT_SECRET to get a consistent naming scheme over all secrets.
The comment at the top of git-and-tools/default.nix said:
/* All git-relates tools live here, in a separate attribute set so that users
* can get a fast overview over what's available.
but unfortunately that hasn't actually held up in practice.
Git-related packages have continued to be added to the top level, or
into gitAndTools, or sometimes both, basically at random, so having
gitAndTools is just confusing. In fact, until I looked as part of
working on getting rid of gitAndTools, one program (ydiff) was
packaged twice independently, once in gitAndTools and once at the top
level (I fixed this in 98c3490196).
So I think it's for the best if we move away from gitAndTools, and
just put all the packages it previously contained at the top level.
I've implemented this here by just making gitAndTools an alias for the
top level -- this saves having loads of lines in aliases.nix. This
means that people can keep referring to gitAndTools in their
configuration, but it won't be allowed to be used within Nixpkgs, and
it won't be presented to new users by e.g. nix search.
The only other change here that I'm aware of is that
appendToName "minimal" is not longer called on the default git
package, because doing that would have necessitated having a private
gitBase variable like before. I think it makes more sense not to do
that anyway, and reserve the "minimal" suffix only for gitMinimal.
Now that smtp_tls_security_level is using mkDefault, and therefore can
be overridden, there's no need for an option for overriding it to a
specific value.
I run Postfix on my workstation as a smarthost, where it only ever
talks to my SMTP server. Because I know it'll only ever connect to
this server, and because I know this server supports TLS, I'd like to
set smtp_tls_security_level to "encrypt" so Postfix won't fall back to
an unencrypted connection.
This commits deprecates `services.xserver.libinput` for multiple
settings, one for each kind of device:
- `services.xserver.libinput.mouse`
- `services.xserver.libinput.touchpad`
Looking at `man 4 libinput`, they basically have the same options so I
simply replicated them, even if some options doesn't make sense for
mouse (`tapping` for example).
With this commit this is now possible:
```nix
{
services.xserver.libinput = {
enable = true;
mouse = {
accelProfile = "flat";
};
touchpad = {
naturalScrolling = true;
};
};
}
```
And you will have a mouse with no natural scrolling but with accel
profile flat, while touchpad will have natural scrolling but accel
profile adaptative (default).
It is possible to support more device types
(tablets/keyboards/touchscreens), but at least looking at the
libinput manual for those devices it doesn't seem that it has any
configuration options for them. They can still be configured using
`services.xserver.inputClassSections` though, and this will work now
since there is no rule by default that matches them.
Closes issue #75007, while also making configuration of mouses and
touchpads using Nix attrs possible like said in PR #73785.
For in NixOS it is beneficial if both plasma5 and pam use the same Qt5
version. Because the plasma5 desktop may use a different version as the
default Qt5 version, we introduce plasma5Packages.
This corresponds to agetty's --login-options argument.
With this change, I can set
services.getty.autologinUser = "qyliss";
services.getty.loginOptions = "-- \\u";
and have my username prefilled, but with my password still
required (unlike the normal autologinUser behaviour).
b478e0043c removed every other instance of uwsgi.service and
httpd.service from Mailman before and requiredBy lists. This one
looks like it was just missed, since I can't see a reason to keep it
but remove the others.
Fixes: b478e0043c ("nixos/mailman: refactor")
* It should be made explicit in the eval-error that the CVE only affects
a component which is turned off by default.
* For more clarity, the default version used by the module is noted in
the manual.
Closes#108419
It's been 8.5 years since NixOS used mingetty, but the option was
never renamed (despite the file definining the module being renamed in
9f5051b76c ("Rename mingetty module to agetty")).
I've chosen to rename it to services.getty here, rather than
services.agetty, because getty is implemantation-neutral and also the
name of the unit that is generated.
By default in Nginx, if you want to override a single fastcgi_param,
you have to override all of them. This is less of a big deal if
you're editing the Nginx configuration directly, but when you're
generating the Nginx configuration with Nix it can be very annoying to
bloat your configuration repeating the default values of FastCGI
parameters every time.
This patch adds a fastcgiParams option to Nginx locations. If any
parameters are set through this, all the default values will be
included as well, so only the ones that are changing need to be
supplied. There's no way to use fastcgiParams to actually override
all parameters if that's what you want, but I think that's a niche use
case and it's still possible using extraConfig, which up until now was
the only option
Nginx allows the fastcgi_param directive in http and server scopes as
well as location, but here I only support location. It would be
possible to support the others, but I don't think it's worth it. It
would be a possible future enhancement if somebody has a need for it.
* Content of `programlisting` shouldn't be indented, otherwise it's
weirdly indented in the output.
* Use `<xref linkend=.../>` in the release notes: then users can
directly go to the option documentation when reading release notes.
* Don't use docbook tags in `mkRemovedOptionModule`: it's only used
during evaluation where docbook isn't rendered.
The service was failing with:
gunicorn[2192104]: [2020-12-31 13:35:28 +0000] [2192104] [ERROR] Exception in worker process
gunicorn[2192104]: Traceback (most recent call last):
gunicorn[2192104]: File "/nix/store/jmc14qf1sfnlhw27xyyj862ghkmdkj5a-python2.7-gunicorn-19.10.0/lib/python2.7/site-packages/gunicorn/arbiter.py", line 586, in spawn_worker
gunicorn[2192104]: worker.init_process()
gunicorn[2192104]: File "/nix/store/jmc14qf1sfnlhw27xyyj862ghkmdkj5a-python2.7-gunicorn-19.10.0/lib/python2.7/site-packages/gunicorn/workers/ggevent.py", line 196, in init_process
gunicorn[2192104]: self.patch()
gunicorn[2192104]: File "/nix/store/jmc14qf1sfnlhw27xyyj862ghkmdkj5a-python2.7-gunicorn-19.10.0/lib/python2.7/site-packages/gunicorn/workers/ggevent.py", line 65, in patch
gunicorn[2192104]: monkey.patch_all(subprocess=True)
gunicorn[2192104]: File "/nix/store/fysf67w3i8iv1hfvp536nl8jbzqyk1s7-python-2.7.18-env/lib/python2.7/site-packages/gevent/monkey.py", line 1160, in patch_all
gunicorn[2192104]: from gevent import events
gunicorn[2192104]: File "/nix/store/fysf67w3i8iv1hfvp536nl8jbzqyk1s7-python-2.7.18-env/lib/python2.7/site-packages/gevent/events.py", line 67, in <module>
gunicorn[2192104]: from zope.interface import Interface
gunicorn[2192104]: ImportError: No module named zope.interface
Instead of treating the sddm config a wall of text that doesn't allow us
to override anything, turn it into an attribute set.
We dump `extraConfig` and instead introduce `settings` that is merged
with the module defaults to provide the final configuration.
There is some additional noise in here due to nixpkgs-fmt.
* nixos/xmonad: xmonad config w/ghc+xmessage
When the "config" option isn't set, we use xmonad-with-packages to
provide xmonad with runtime access to an isolated ghc, ensuring it can
recompile and exec a user's local config (e.g. $HOME/.xmonad/xmonad.hs)
regardless of which ghc (if any) is on PATH.
When the "config" option is set, however, we compile a configured xmonad
executable upfront (during nixos-rebuild), and prior to this commit, it
was not provided with runtime access to an isolated ghc.
As a result, with the "config" option set, it was not possible
to recompile and exec a user's local config unless there was a
compatible version of ghc on PATH with the necessary packages (xmonad,
xmonad-contrib, etc.) in its package database. Adding such a ghc to
environment.systemPackages, e.g.
(haskellPackages.ghcWithPackages (ps: with ps; [xmonad xmonad-contrib]))
is problematic because it adds both ghc and an unconfigured xmonad to
PATH, e.g.
$ ls -l $(which xmonad ghc)
lrwxrwxrwx ... /run/current-system/sw/bin/ghc -> /nix/store/...-ghc-8.10.2-with-packages/bin/ghc
lrwxrwxrwx ... /run/current-system/sw/bin/xmonad -> /nix/store/...-ghc-8.10.2-with-packages/bin/xmonad
Having the unconfigured xmonad on PATH is particularly bad because
restarting xmonad will dump the user into the unconfigured version, and
if no local config exists (e.g. in $HOME/.xmonad/xmonad.hs), they'll be
left in this unconfigured state.
In this commmit, we give the configured xmonad runtime access to ghc
like xmonad-with-packages does for the unconfigured version. The aim
is to allow the user to switch between the nixos module's config and a
local config (e.g. $HOME/.xmonad/xmonad.hs) at will, so they can try out
config changes without performing a nixos-rebuild.
Since the xmonad on PATH is the configured executable, there's no
danger a user could unwittingly restart into the unconfigured version,
and because xmonad will refuse to recompile when no local config
exists, there's no danger a user could unwittingly recompile into an
unconfigured version.
Given that a local config exists, the recompile/restart behavior depends
on two factors:
- which entry point is used
* 'XMonad.xmonad' (default)
* 'XMonad.launch' (recommended in "config" option description)
- what operation is triggered (i.e. via mod+q)
* `spawn "xmonad --recompile && xmonad --restart"` (default)
* `restart "xmonad" True`
* custom function
If the default 'XMonad.xmonad' entrypoint and default mod+q operation
are used, hitting mod+q will compile and exec the local config, which
will remain in use until next time the display manager is restarted.
If the entrypoint is changed to 'XMonad.launch' but mod+q left with its
default operation, hitting mod+q will have no visible effect. The logs
(as seen by running `journalctl --identifier xmonad --follow`) will show
an error,
X Error of failed request: BadAccess (attempt to access private resource denied)
which indicates that the shell was unable to start xmonad because
another window manager is already running (namely, the nixos-configured
xmonad).
https://wiki.haskell.org/Xmonad/Frequently_asked_questions#X_Error_of_failed_request:_BadAccess_.28attempt_to_access_private_resource_denied.29
Changing the mod+q operation to `restart "xmonad" True` (as recommended
in the "config" option's description) will allow a restart of the
nixos-configured xmonad to be triggeredy by hitting mod+q.
Finally, if the entrypoint is 'XMonad.launch', mod+q has been
bound to `restart "xmonad" True` and another key bound to a custom
recompile/restart function (e.g. `compileRestart` as shown in the
"config" option example), the user can switch between the nixos module's
config and their local config, with the custom key switching to the
local config and mod+q switching back.
* nixos/xmonad: refactor let binding
* nixos/xmonad: refactor (eliminate duplicate code)
* nixos/xmonad: install man pages
Prior to this commit, man pages were not installed if the "config"
option was set.
* nixos/xmonad: comment grammar fixups
* nixos/xmonad: writeStateToFile in example config
Calling writeStateToFile prior to recompiling and restarting allows
state (workspaces, etc.) to be preserved across the restart.
* nixos/xmonad: add ivanbrennan to maintainers
* nixos/xmonad: adjust compileRestart example
* nixos/xmonad: add missing import to example config
Since version 5.2.0 there's non-empty stop phase:
ExecStopPost=/usr/bin/env rm -f "/run/knot-resolver/control/%i"
but it's perfectly OK to run that from a different version
(and typically it's no-op anyway). Real-life example where this helps:
https://github.com/NixOS/nixpkgs/issues/49528#issuecomment-747723198
This allows to use files containing only the mpd password without the
permissions, making it easier for other programs connecting to mpd to read the
password from the same password file.
This reverts commit 8f177612b1.
Attempting to start any service from udev when systemd-udev-settle is
used at all hangs the boot for 2min. See issue #107341.
Since slurm-20.11.0.1 the dbd server requires slurmdbd.conf to be
in mode 600 to protect the database password. This change creates
slurmdbd.conf on-the-fly at service startup and thus avoids that
the database password ends up in the nix store.
It's very surprising that services.tor.client.enable would set
services.privoxy.enable. This violates the principle of least
astonishment, because it's Privoxy that can integrate with Tor, rather
than the other way around.
So this patch moves the Privoxy Tor integration to the Privoxy module,
and it also disables it by default. This change is documented in the
release notes.
Reported-by: V <v@anomalous.eu>
Mailman can now work with MTAs other than Postfix. You'll have to configure
it yourself using the options in `services.mailman.settings.mta`.
This addition is reflected in the release notes for 21.03.
This partially reverts bf3d3dd19b.
I don't know why we weren't getting a default logfile back then but Xorg
definitely provides one now ($XDG_DATA_HOME for regular users and /var/log for
root, see `man Xorg`)
Dnscrypt-proxy needs some options to be set before it can do anything useful.
Currently, we only apply what the user configured which, by default, is nothing.
This leads to the dnscrypt-proxy2 service failing to start when you only set
`enable = true;` which is not a great user experience.
This patch makes the module take the example config from the upstream repo as a
base on top of which the user-specified settings are applied (it contains sane
defaults).
An option has been added to restore the old behaviour.
`file_exists` also returns `FALSE` if the file is in a directory that
can't be read by the user. This e.g. happens if permissions for
`nixops(1)`-deployment keys aren't configured correctly.
This patch improves the error message for invalid files to avoid
confusion[1].
[1] https://discourse.nixos.org/t/nixops-deploy-secrets-to-nextcloud/10414/4
This patch:
* Removes an invalid/useless classpath element;
* Removes an unnecessary environment variable;
* Creates the required '/version-2' data subdirectory;
* Redirects audit logging to the "console" (systemd) by default.
Unbound throws the following error:
--8<---------------cut here---------------start------------->8---
error: failed to list interfaces: getifaddrs: Address family not supported by protocol
fatal error: could not open ports
--8<---------------cut here---------------end--------------->8---
The solution is pulled from upstream:
https://github.com/NLnetLabs/unbound/pull/351
Unfortunately, I had a use-case where `services.nginx.config` was
necessary quite recently. While working on that config I had to look up
the module's code to understand which options can be used and which
don't.
To slightly improve the situation, I changed the documentation like
this:
* Added `types.str` as type since `config` is not mergeable on purpose.
It must be a string as it's rendered verbatim into `nginx.conf` and if
the type is `unspecified`, it can be confused with RFC42-like options.
* Mention which config options that don't generate config in
`nginx.conf` are NOT mutually exclusive.
There was some issues with the fallback to passive mode on 2.3, but on
2.4 adaptive mode is always enabled upstream and thermald will fallback
to passive if necessary.
a6e68a65b5/data/thermald.service.in (L9)
This simplifies testing changes to the tailscale service on a local
machine. You can use this as such:
```nix
let
tailscale_patched = magic {};
in {
services.tailscale = {
enable = true;
package = tailscale_patched;
};
};
```
Signed-off-by: Christine Dodrill <me@christine.website>
I've also removed PrivateTmp = true because this is implied by dynamic user.
I've left ProtectHome = true because I believe this is stronger than
ProtectHome = "read-only" which DynamicUser implies.
This resolves issue #101963.
When the service is started and no interface is ready yet, wpa_supplicant
is being exec'd with no `-i` flags, thus failing. Once the interfaces
are ready, the udev rule would fire but wouldn't restart the unit because
it wasn't currently running (see systemctl(1) try-restart).
The solution is to exit (with a clear error message) but always restart
wpa_supplicant when the interfaces are modified.
This release replaces the libpulseaudio shim with a pipewire module that acts as a fake pulseaudio server along with a systemd service that loads that module on demand.
The old slapd.conf is deprecated. Replace with slapd.d, and use this
opportunity to write some structured settings.
Incidentally, this fixes the fact that openldap is reported up before
any checks have completed, by using forking mode.
This gets automatically disabled by docker if the docker backend is
used, but the bundled containerd also doesn't seem to support cgroupsv2,
so disable it explicitly here, too.
Whenever I try to scan from another computer it has to establish >2
connections in order to succeed. With the connections being limited to 1
I can not scan any document.
This is also what other distributions ([Debian], [ArchLinux], …) have
done in one way or another.
[Debian]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850649#5
[ArchLinux]: no limit: 99cba454bb/trunk/saned.socket (L4)
This adds a `package` option to allow for easier overriding of the used
CodiMD version and `runCommandLocal` with `nativeBuildInputs` is now
used to pretty print the configuration.
