Add a virtual user system based around pam and a Berkeley
user database.
Adding the:
- localRoot
- userDbPath
- allowWriteableChroot
- virtualUseLocalPrivs
Vsftpd options.
Ever since setting up bonding the `wpa_supplicant-unit-start` script has
been failing. This is because the file `bonding_masters` in
`/sys/class/net/` is *not* a directory containing `uevent`.
Adding a test to verify the `uevent` path to be sourced exists resolves
the problem.
The SLIM project is abandoned and their last release was in 2013.
Because of this it poses a security risk to systems, no one is working
on it or picked up maintenance. It also lacks compatibility with systemd
and logind sessions. For users, there liikely isn't anything like slim
that's as lightweight in terms of dependencies.
Slurmdbd requires a password database which is stored in slurmdbd.conf.
A seperate config file avoids that the password ends up in the nix store.
Slurmdbd does 19.5 does not support MySQL socket conections.
Adapated the slurm test to provide username and password.
* Fix path in module for slurm to find plugstack.conf
* Fix configure flags so that slurm can be compiled
without internal X11 support (required for spank-x11).
This prevents services to be started before they're initialized, and
renders the `systemd.targets.ceph.wantedBy = lib.mkForce [];` hack in
the vm tests obsolete - The config now starts up ceph after a reboot,
too.
Let's take advantage of that, crash all VMs, and boot them up again.
Don't pass user and group to ceph, and rely on it to drop ceps, but let
systemd handle running it as the appropriate user.
This also inlines the extraServiceConfig into the makeService function,
as we have conditionals depending on daemonType there anyways.
Use StateDirectory to create directories in
/var/lib/ceph/${daemonType}/${clusterName}-${daemonId}.
There previously was a condition on daemonType being one of mds,mon,rgw
or mgr. We only instantiate makeServices with these types, and "osd" was
special.
In the osd case, test examples suggest it'd be in something like
/var/lib/ceph/osd/ceph-${cfg.osd0.name} - so it's not special at all,
but exactly like the pattern for the others.
During initialization, we also need these folders, before the unit is
started up. Move the mkdir -p commands in the vm tests to the line
immediately before they're required.
The two new options make it possible to create the interface in one namespace
and move it to a different one, as explained at https://www.wireguard.com/netns/.
In cases where you boot up really quickly (like in the VM test on a
non-busy host), tinydns might want to bind before the loopback interface
is fully up. Order tinydns after network.target to fix that.
Add --use-remote-sudo option. When set, remote commands will be prefixed
with 'sudo'. This allows using sudo remotely _without_ having to use
sudo locally (when using --build-host/--taget-host).
Incorrect merging of modules resulted in dhcpcd being enabled causing flaky network connection.
https://github.com/NixOS/nixpkgs/pull/64364
Fixing it uncovered an infinite recursion from the same commit, previously masked by the incorrect merge.
We can just drop the `mkDefault` for `networking.wireless.enable` as it is already `false` by default.
Closes: https://github.com/NixOS/nixpkgs/issues/72416
When we did the revert of adding gnome-flashback to systemd.packages [0]
I forgot to test with other display managers. If we use GDM with gnome-flashback
it appears it doesn't try to fallback to non-systemd startup and always fails and
starts the regular gnome-session. So adding gnome-flashback to systemd.packages
was perfectly fine, but we did forgot one detail. We need systemd targets for the
customSessions which is added using mkSystemdTargetForWm in the gnome-
flashback package.
[0]: 42f567b30d
When the option services.vault.storageBackend is set to "file", a
systemd.tmpfiles.rules was added, with extraneous []. These are not
needed and have been removed.
This is a good example of a package/module that should be distributed
externally (e.g. as a flake [1]): it's not stable yet so anybody who
seriously wants to use it will want to use the upstream repo. Also,
it's highly specialized so NixOS is not really the right place at the
moment (every NixOS module slows down NixOS evaluation for everybody).
[1] https://github.com/edolstra/jormungandr/tree/flake
Automated consumers can use 'sed 1d' or similar to remove this header.
This probably makes this output *easier* to consume correctly. Having
this header show up in consumers' terminal or log output is probably not
useful, but hiding it without hiding all error messages would have been
more troublesome that just stripping it from stdout.
I.e., previously, unsophisticated use would show undesired output:
$ some-other-tool
This attribute set contains:
This attribute set contains:
This attribute set contains:
This attribute set contains:
<Actual some-other-tool output>
The simplest way to hide this undesired output would have been
nixos-option ... 2>/dev/null, which would hide all error messages.
We do not wish to encourage that.
Correct use would have been something like:
nixos-option ... 2> >( grep --line-buffered -v 'This attribute set contains:')
After this change, correct use is simpler:
nixos-option ... | sed 1d
or
nixos-option ... | sed '1/This attribute set contains:/d'
if the caller don't know if this invocation of nixos-option will yield
an attribute listing or an option description.
Switch from convention "appease clang-tidy --checks='*'" to
"References are like non-nullptr pointers". The clang-tidy check
"google-runtime-references" complains about non-const reference
arguments, but this is not a convention used in Nix.
Switch from convention "appease clang-tidy --checks='*'" to
"References are like non-nullptr pointers". The clang-tidy check
"google-runtime-references" complains about non-const reference
arguments, but this is not a convention used in Nix.
Switch from convention "appease clang-tidy --checks='*'" to
"References are like non-nullptr pointers". The clang-tidy check
"google-runtime-references" complains about non-const reference
arguments, but this is not a convention used in Nix.
I don't think this matters. As long as one or the other of these is
a std::string, I get an operator== that looks at content rather than
pointer equality. I picked casting the constant over casting the dynamic
thing in hopes that the compiler would have a better chance at optimizing
away any runtime cost.
Deferring to reviewer.
This is important because this contains some code copied from nix (as an
interim expediency until that functionality can be exported via nix's
API). The license specified here must be compatible with this borrowing.
Select the same license that nix is released under: lgpl2Plus.
Specifically, with
clang-format --style='{ IndentWidth: 4, BreakBeforeBraces: Mozilla, ColumnLimit: 120, PointerAlignment: Middle }'
which was the clang-format invocation that produced the fewest diffs on
the nix source out of ~20 that I tried.
Also add --all, which shows the value of all options. Diffing the --all
output on either side of contemplated changes is a lovely way to better
understand what's going on inside nixos.
Instead of assign the libinput options to touchpad devices only, it
should be appied by any device using libinput.
Due to the fact that `40-libinput.conf` already defines libinput as
driver for any detected input device, we can use `MatchDriver` to appy
options.
I've noticed a similar issue in Pantheon, without this
sound theme installed there's no system sounds.
I believe it's because the gnome theme and the pantheon
theme inherit this one.
Change order of pam_mount.conf.xml so that users can override the preset configs.
My use case is to mount a gocryptfs (a fuse program) volume. I can not do that in current order.
Because even if I change the `<fusermount>` and `<fuserumount>` by add below to extraVolumes
```
<fusemount>${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"</fusemount>
<fuseumount>${pkgs.fuse}/bin/fusermount -u %(MNTPT)</fuseumount>
```
mount.fuse still does not work because it can not find `fusermount`. pam_mount will told stat /bin/fusermount failed.
Fine, I can add a `<path>` section to extraVolumes
```
<path>${pkgs.fuse}/bin:${pkgs.coreutils}/bin:${pkgs.utillinux}/bin</path>
```
but then the `<path>` section is overridden by the hardcoded `<path>${pkgs.utillinux}/bin</path>` below. So it still does not work.
Adding `systemd-importd` to the build, so that `machinectl`s `import-.*`
may actually do anything. Currently they fail with
```
Failed to transfer image: The name org.freedesktop.import1 was not provided by any .service files
```
as `systemd-importd` is not built. Also registers the regarding dbus
api and service in the systemd module.
Invoke xrandr to actually connect the device.
Additionally, we let systemd create the logs directory and use our module loader
instead of handling it manually.
It seems that dnsdist doesn't actually request CAP_NET_BIND_SERVICE, which is why normally it's executed and root and setuids to another, unprivileged, user. This means that as it is, dnsdist will be unable to bind to any port under 1024 and will fail with access denied.
Removing CAP_SETGID and CAP_SETUID is also related to this as we don't actually change the uid or gid after the fact as we use DynamicUser. (That part isn't strictly NEEDED but there's no reason to have those capabilities if we don't use them).
There are also some additional sandboxing we can remove from the service definition as they are assumed true or strict by DynamicUser: specifically PrivateTmp and ProtectSystem respectively.
ProtectHome is still there, despite being assumed read-only as setting it to true means they are seen as empty. I don't think it really matters as I don't know if systemd will ignore it or not, but I didn't see any reason to go hunting for excuses to make it a bigger change.
Add a new option permitting to point certbot to an ACME Directory
Resource URI other than Let's Encrypt production/staging one.
In the meantime, we are deprecating the now useless Let's Encrypt
production flag.
- spawn the geoclue-agent directly instead of running it via bash
- document why we cannot use DynamicUser = true
- have systemd create the home directory instead of using an explicit
tmpfiles.d fragment
* lm_sensors: add fancontrol module + nixos test
fancontrol is a small script that checks temperature sensors and adapts
fan speeds accordingly. It reads a text config file that can be
auto-generated by running the pwmconfig wizard on the live system.
Both options were introduced in systemd v243[1]. Those options can be
used to ensure that LinkLocalAddressing is only configured for a given
interface if DHCPv4 fails. To quote `systemd.network(5)`:
```
If "fallback" or "ipv4-fallback" is specified, then an IPv4
link-local address is configured only when DHCPv4 fails. If "fallback", an IPv6 link-local
address is always configured, and if "ipv4-fallback", the address is not configured. Note
that, the fallback mechanism works only when DHCPv4 client is enabled, that is, it requires
"DHCP=yes" or "DHCP=ipv4".
```
[1] 8bc17bb3f7