The commit c6f7d43678 changed the system
attribute to be below config.nixpkgs.localSystem, but the test still
uses the old attribute.
I have not tested whether the test actually succeeds but just checked
whether evaluation works and it evaluates successfully now.
Signed-off-by: aszlig <aszlig@nix.build>
- mkfs.fat needs `-n` to set a partition label, not `-L`.
- create /mnt/boot before mounting
- leave out detailed LVM example as advanced users already how to create
LVs while it is detracting for novices.
Re #38674
This is needed because simp_le expects two certificates in fullchain.pem, leading to error:
> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.
We now create a CA and sign the key with it instead, providing correct fullchain.pem.
Also cleanup service a bit -- use PATH and a private temporary directory (which
is more suitable).
Introduced in 286b007bd3 and then
in 2e6b796761.
This a proper fix for what 70c6f6572d tried to do.
Removing the "config" prefix triggers the bug on pure nixos too, not only
on nixops.
These don't have affect the default Hydra setup (you need to pass
the relevant system in the supportedSystem list) but let's add it for
completeness and convenience.
Nothing probably uses this, but let's be pedantic and have the
pre-included channel on the install media be as close as possible to
what 'nix-channel --update' will give them.
The only remaining difference is that the channel adds programs.sqlite,
which is fundamentally unfixable.
a) Some providers can update multiple domains - support that.
b) Make "zone" and "script" configurable. Some providers require these.
c) Instead of leaving the ddclient daemon running all the time, use a systemd
timer to kick it off.
d) Don't use a predefined user - run everything via DynamicUser
e) Add documentation
Because it improves out-of-the-box user experience a lot (IMHO).
(zsh completion is already on by default.)
Remove "programs.bash.enableCompletion = true" from
nixos-generate-config.pl, which feels superflous now.
exportReferencesGraph is deprecated and doesn't have the generated
initial Nix database contain the SHA256 of the contents of the store
paths, which breaks various things under Nix 2.0.
Expose the path to a lesskey file as a module option. This makes it
possible to maintain a single lesskey file, used for both NixOS and
non-nix systems. An example of how this can be done follows.
1. Write a derivation that fetches lesskey from a known location:
{ stdenv, fetchgit }:
stdenv.mkDerivation {
name = "foo";
src = fetchgit { .. };
phases = [ "unpackPhase" "installPhase" ];
installPhase = "mkdir -p $out && cp $src/lesskey $out/lesskey";
}
2. Set programs.less.configFile to the corresponding path:
programs.less = {
enable = true;
configFile = "${pkgs.foo}/lesskey";
};
With #36556, a check was introduced to make sure the user and group
names do not exceed their respective maximum length. This is in part
because systemd also enforces that length, but only at runtime.
So in general it's a good idea to catch as much as we can during
evaluation time, however the maximum length of the group name was set to
16 characters according groupadd(8).
The maximum length of the group names however is a compile-time option
and even systemd allows more than 16 characters. In the mentioned pull
request (#36556) there was already a report that this has broken
evaluation for people out there.
I have also checked what other distributions are doing and they set the
length to either 31 characters or 32 characters, the latter being more
common.
Unfortunately there is a difference between the maximum length enforced
by the shadow package and systemd, both for user name lengths and group
name lengths. However, systemd enforces both length to have a maximum of
31 characters and I'm not sure if this is intended or just a off-by-one
error in systemd.
Nevertheless, I choose 32 characters simply to bring it in par with the
maximum user name length.
For the NixOS assertion however, I use a maximum length of 31 to make
sure that nobody accidentally creates services that contain group names
that systemd considers invalid because of a length of 32 characters.
Signed-off-by: aszlig <aszlig@nix.build>
Closes: #38548
Cc: @vcunat, @fpletz, @qknight
This patch is heavily inspired by bd0d8ed807 which added
a setcap wrapper for `mtr` in order to allow running `mtr` without
`sudo`. The need for the capability `cap_net_raw` that can be registered using
`setcap` has been documented in the Arch Wiki: https://wiki.archlinux.org/index.php/Capabilities#iftop
A simple testcase has been added which starts two machines, one with a
setcap wrapper for `iftop`, one without. Both testcases monitor the
bandwidth usage of the machine using the options `-t -s 1` once, the
machine with setcap wrapper is expected to succeed, the `iftop` on the
machine without setcap wrapper is expected to return a non-zero exit
code.