* Update attribute names in code examples (* -> settings.*).
* Use `nix-shell -p` rather than `nix run` because the example won't
work with the current default Nix.
* Update config values for `element-web`.
* Fix link to `element-web` security considerations.
* Make the synapse expression even smaller and use callout-lists to
explain the code.
* Document how to correctly deploy the shared registration secret.
[1] https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
Potential use cases for disabling `useDefaultFilesystems` include:
- Testing with uncommon filesystem layouts
- Testing scenarios where swapping occurs
- Testing with LUKS-encrypted disks
Closes#177963
Running `nixos/tests/keepassxc.nix` shows:
```
machine # [ 18.705390] xsession[985]: /nix/store/2g2jx5c6x3p152wbiijr0rmky7byqivc-xsession: line 13: nn: command not found
```
This garbled bash script runs without `set -o errexit` and thus skips
"\n\n" as invalid command:
```
$ cat -n /nix/store/2g2jx5c6x3p152wbiijr0rmky7byqivc-xsession
...
\n\n
if [ -e $HOME/.background-image ]; then
/nix/store/wq1d1ph8wj4alpx78akvpbd0a0m9qkd1-feh-3.8/bin/feh --bg-scale $HOME/.background-image
fi
...
```
KeePassXC uses it through
`nixos/modules/services/x11/display-managers/default.nix`:
```
...
# Script responsible for starting the window manager and the desktop manager.
xsession = dm: wm: pkgs.writeScript "xsession" ''
#! ${pkgs.bash}/bin/bash
# Legacy session script used to construct .desktop files from
# `services.xserver.displayManager.session` entries. Called from
# `sessionWrapper`.
# Start the window manager.
${wm.start}
# Start the desktop manager.
${dm.start}
...
'';
...
```
The bogus line was introduced in PR #160752:
```
commit 0bc0dc8090
Author: Shaw Vrana <shaw@vranix.com>
Date: Fri Feb 18 11:27:42 2022 -0800
desktop manager script: start properly
Adds a missing line feed when X is enabled to the start script name
and the appended if check. Resolves#160735
```
I have not tried to reproduce the original issue and thus don't know
why "\n\n" apparently gets interpreted fine in one place but remains
literal the `xsession` case.
However, using a literal newline must be valid for all cases and
certainly fixes the warning seen in KeePassXC tests.
Furthermore, starting the nix string (`''`) with a newline as usual also
fixes its overall indentation.
This patch follows an upstream commit[1].
Before this patch, if acme module is used, caddy will still use an old
cert even a new one is available. The cause is that without --force
flag, caddy will not reload an unchanged config.
Refer to that commit[1] message for more information.
[1]: 979e498d6d
Seems silly to install this for use with the local server, but to not
configure it to use the local server. Otherwise, out of the box we
just get an error about no server being configured.
The `nixos-rebuild` tool calls `get-version-suffix` to figure out the
git revision of the nixpkgs directory if there is a .git.
https://nvd.nist.gov/vuln/detail/CVE-2022-24765 made git throw an
error if the .git search logic is not turned off and a user
tries to access a `.git` directory they don’t own (otherwise a
different user could trick them into setting arbitrary git config).
So from now on we should always explicitely set `--git-dir`, which
turns this search logic (and thus the security check) off.
It was never meant to be used for anything other than testing
and setting it globally can cause weird loops in GTK-based portals,
where the portal will end up waiting for itself until it times out.
https://github.com/NixOS/nixpkgs/issues/135898
Or it can mess up fonts:
https://github.com/NixOS/nixpkgs/issues/155291#issuecomment-1166199585
Having the option in NixOS makes it look like it is okay or even
desirable to enable, when in fact it is a hack that can subtly break apps.
Some apps allow opting into using portal-based APIs, e.g. for Firefox,
you can set `widget.use-xdg-desktop-portal.file-picker` to `1` in about:config.
Otherwise, you can set the `GTK_USE_PORTAL` environment variable to 1
for individual apps.
People who really want it and aware of the downsides can just set
`environment.sessionVariables.GTK_USE_PORTAL = "1";` NixOS option
directly to set the environment variable globally.
- Add a module for the thunar file manager, which depends on the xfconf dbus service, and also has a dbus service and a systemd unit.
- Renames the option services.xserver.desktopManager.xfce.thunarPlugins to programs.thunar.plugins.
Riak have been updated a lot since the version 2.2 (now 3.0.10) but
has seen no updated to the package. This is at this point
a problem forcing us to maintain old versions of erlang.
We would be happy to re accept a newer version of Riak if someone want
to spend the time to set it up.
Use `networking.resolvconf.package` to allow DNS entries to be set using
the system-wide resolver implementation instead of hardcoding systemd or
openresolv.
Extend the tests by adding DNS entries and making one of the peers use
systemd-networkd (hence systemd-resolved).
Also add a few `networkd`-specific settings.
The substr solution assumed a newline to be present.
The new solution will not remove the newline if it goes missing in the future.
Apparently this is idiomatic perl.
Thanks pennae for the suggestion!
According to https://grafana.com/docs/agent/latest/upgrade-guide/#v0240,
this has been deprecated/moved to -server.http.address and
-server.grpc.address (accepting ip and port) config options in v0.24.0,
and already listens on localhost and not port 80 by default.
According to https://github.com/grafana/agent/pull/1540, -prometheus.*
flages were deprecated in 0.19.0 in favor of the -metrics.*
counterparts. Same applies to `loki` being renamed to `logs`.
I'm not sure if the config file format is still supported (it could be),
but we shouldn't use deprecated configs.
Run the device tree overlays through the preprocessor before compiling it, as
is done in the kernel. This helps make overlays easier to understand, and
improves compatibility with those found in the wild.
I found the correct command line by running the kernel build with V=1, and then
removing all the arguments related to dependency tracking.
Since dtc 1.4.7 (released in 2018), there has been a much nicer syntax for
device tree overlays. This commit converts the dtsText example to use this
syntax.
Qt4 is on it's way out, according to
https://github.com/NixOS/nixpkgs/pull/174634
Barco's ClickShare driver/client requires Qt4;
an update isn't in sight anywhere.
To prepare for the removal of Qt4,
the commit at hand removes the
ClickShare package and its NixOS module.
The release notes are appended with a hint about the
removal and some alternatives that might help users
that are still in need of the driver/client functionality.
The preStart script for the IPFS service will print parts of the configuration
to stdout (and therefore, the journal) when applying profiles on startup. This
may lead to unwanted disclosure of private information, such as remote pinning
service API keys. Fix by sending stdout to /dev/null.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.parsedmarc.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash secret file paths before using them as a placeholders in the
config file to minimize the risk of conflicting file paths being
replaced instead.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.geoipupdate.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash the license key path before using it as a placeholder in the
config file to minimize the risk of conflicting file paths being
replaced instead.
Commit 8109d8a set the `StateDirectory=` option of the systemd service
configuration to the value of `cfg.workDir` which is wrong, according
to dasJ [1]. This commit resolves this issue by stripping the
`/var/lib/` prefix from `cfg.workDir`.
[1] https://github.com/NixOS/nixpkgs/pull/172824#issuecomment-1130350412
