The whole option set was recommended against since mid-2019, and never
worked with the Raspberry Pi 4 family of devices.
We should have deprecated it in early 2020 for removal by 2021. At the
time I did not feel confident in making such a decision, and never
ended-up getting around to it.
The ***only*** supported-by-NixOS boot methods for AArch64 are
standards-based boot methods, namely UEFI or the pragmatically
almost-standard extlinux-compatible for U-Boot.
You can quote me on that.
Unfortunately the config is not compatible; data itself looks like it was compatible
from an up to date python ankisyncd but I wouldn't assume anything with the older
service (which didn't work for me with either ankidroid or recent desktop version)
At this point this is basically a full rewrite of this module, which
is a breaking change and was necessary to properly expose the useful
parts of hostapd's config. The notable changes are:
- `hostapd` is now started with additional systemd sandbox/hardening options
- A single-daemon can now manage multiple distinct radios and BSSs, which is
why all configuration had to be moved into `hostapd.radios`
- By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are
supported, too
- Added passwordFile-like options for wpa and sae
- Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration
- Implements RFC42 as far as reasonable for hostapd
- Removes `with lib;`
These changes are important to support modern APs configurations.
Short overview:
- CONFIG_IEEE80211AX support (WiFi6)
- CONFIG_SAE_PK (pubkey authenticated WPA3)
- CONFIG_DRIVER_NONE (standalone RADIUS server)
- CONFIG_OCV (Operating Channel Validation)
- Enable epoll on linux systems
- Remove deprecated TKIP support
- Fix misspelling (CONFIG_INTERNETWORKING != CONFIG_INTERWORKING)
- The .config was restructured into sections to reflect the
upstream defconfig order and for easier updating in the future
Also, make `python3Packages.sequoia` throw a message regarding it's
replacement of `python3Packages.sequoia`. The main sequoia-pgp/sequoia
repository doesn't ship Python code since 0.25.0, just a binary.
This change removes the bespoke logic around identifying block devices.
Instead of trying to find the right device by iterating over
`qemu.drives` and guessing the right partition number (e.g.
/dev/vda{1,2}), devices are now identified by persistent names provided
by udev in /dev/disk/by-*.
Before this change, the root device was formatted on demand in the
initrd. However, this makes it impossible to use filesystem identifiers
to identify devices. Now, the formatting step is performed before the VM
is started. Because some tests, however, rely on this behaviour, a
utility function to replace this behaviour in added in
/nixos/tests/common/auto-format-root-device.nix.
Devices that contain neither a partition table nor a filesystem are
identified by their hardware serial number which is injecetd via QEMU
(and is thus persistent and predictable). PCI paths are not a reliably
way to identify devices because their availability and numbering depends
on the QEMU machine type.
This change makes the module more robust against changes in QEMU and the
kernel (non-persistent device naming) and by decoupling abstractions
(i.e. rootDevice, bootPartition, and bootLoaderDevice) enables further
improvement down the line.
they're no longer necessary for us and will almost definitely start to
rot now (like commonmark and asciidoc outputs did previously). most
existing users seem to take the docbook output and run it through pandoc
to generate html, those can easily migrate to use commonmark instead.
other users will hopefully pipe up when they notice that things they rely
on are going away.
optionsUsedDocbook has only been around for one release and only exposed
to allow other places to generate warnings, so that does not deserve
such precautions.
it's been long in the making, and with 23.05 out we can finally disable
docbook option docs and default to markdown instead. this brings a
massive speed boost in manual and manpage builds, so much so that we may
consider enabling user module documentation by default.
we don't remove the docbook support code entirely yet because it's a lot
all over, and probably better removed in multiple separate changes.
epub manuals are holding back the transition away from docbook, and
cursory research does not suggest that they are used very much. it's
still very early in the 23.11 release cycle, so if we're going to find
out just how many people do use the epub manuals it should be now.
this need not be the end of epub manuals. nixos-render-docs could be
extended to also export epubs, but that has not been done yet since it's
going to be some effort with unknown real-world usefulness.
The nixos/caddy module is somewhat old by now
and has undergone quite some refactors.
This specific module option (originally named
`ca`) used to make a bit more sense when
Caddy did not have multiple ACME CAs as
fallback (LE & ZeroSSL) by configured by
default yet (ZeroSSL came with v2.3.0).
I also rephrased the description slightly,
to mention Caddy's automatic issuer fallback
and a note which this option maps to in the
Caddyfile, to provide a bit more context and
a more up-to-date recommendation.
Specifically that "fine-grained configuration"
section comes from a time when this module did
some custom tls/issuer config json merging
with the templated Caddyfile using `jq`.
The "The URL to the ACME CA's directory"
section is a word-for-word copy from the
official Caddy docs, which also include a link
to LE's docs to the referenced staging
endpoint. So I added that as well.
fontconfig before version 2.13.1 was apparently implicitly not using
subpixel antialiasing. The fontconfig NixOS module deviated from this,
using subpixel antialiasing with `rgb` layout by default. In fontconfig
2.14.1, subpixel antialiasing was inadvertently enabled as the default:
2b6afa02ab
According to https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/337,
that deviates from GNOME/GTK’s defaults, which resulted in apps taking the
settings directly from fontconfig (e.g. Firefox) from diverging from GNOME
programs.
The change was subsequently reverted in 2.14.2, choosing the greyscale
antialiasing explicitly: 030759b74f
Let’s reflect this default setting in the NixOS module.
Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.
Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.
It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.
An interesting usecase of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is
demonstrated how to achieve this in the tests, using sniproxy.
Finally, the tests covers:
- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
(sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;
In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary, opening up the NixOS module to bad™ vulnerabilities.
For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.
Adds a new option to the virtualisation modules that enables specifying explicitly named network interfaces in QEMU VMs.
The existing `virtualisation.vlans` option is still supported for cases where the name of the network interface is irrelevant.
For GPT partition tables, there is no primary/logical/extended
partition type, and the layout of the mkpart command options slightly
differs depending on whether parted operates on an MBR or a GPT
partition table.
This has so far resulted in the string `primary` being assigned to the
GUID partition name field, which is probably unintended.
Rectify this by giving the GUID partitions sensible names and setting
`fs-type` where applicable.
it is now possible to supply a stratis pool uuid
for every filesystem, and if that filesystem
is required for boot, the relevant pool will be
started in the initramfs.