verbose is a debugging setting one step noisier than debug and should only be turned on when debugging because it leaks quite some credentials and tokens in the journalctl.
This should be a significant disk space saving for most NixOS
installations. This method is a bit more complicated than doing it in
the postInstall for the firmware derivations, but this way it's
automatic, so each firmware package doesn't have to separately
implement its compression.
Currently, only xz compression is supported, but it's likely that
future versions of Linux will additionally support zstd, so I've
written the code in such a way that it would be very easy to implement
zstd compression for those kernels when they arrive, falling back to
xz for older (current) kernels.
I chose the highest possible level of compression (xz -9) because even
at this level, decompression time is negligible. Here's how long it took
to decompress every firmware file my laptop uses:
i915/kbl_dmc_ver1_04.bin 2ms
regulatory.db 4ms
regulatory.db.p7s 3ms
iwlwifi-7265D-29.ucode 62ms
9d71-GOOGLE-EVEMAX-0-tplg.bin 22ms
intel/dsp_fw_kbl.bin 65ms
dsp_lib_dsm_core_spt_release.bin 6ms
intel/ibt-hw-37.8.10-fw-22.50.19.14.f.bseq 7ms
And since booting NixOS is a parallel process, it's unlikely (but
difficult to measure) that the time to user interaction was held up at
all by most of these.
Fixes (partially?) #148197
automysqldump passes the --events flag, but without the EVENTS permission a error occures:
> mysqldump: Couldn't execute 'show events': Access denied for user 'automysqlbackup'@'localhost' to database 'mysql' (1044)
Add support for enabling confinement
but does not enable it by default yet
because so far no module within NixOS uses confinement
hence that would set a precedent.
Tailscale uses policy routing to enable certain traffic to bypass
routes that lead into the Tailscale mesh. NixOS's reverse path
filtering setup doesn't understand the policy routing at play,
and so incorrectly interprets some of this traffic as spoofed.
Since this only breaks some features of Tailscale, merely warn
users about it, rather than make it a hard error.
Updates tailscale/tailscale#4432
Signed-off-by: David Anderson <dave@natulte.net>
For some features, tailscaled uses getent(1) to get the shell
of OS users. getent(1) is in the glibc derivation. Without this
derivation in the path, tailscale falls back to /bin/sh for all
users.
Signed-off-by: David Anderson <dave@natulte.net>
network-manager-applet uses differrent naming scheme from the VPN plug-ins.
Let’s revert to the previous state, for now, to fix eval. We can do the rename later.
This reverts commit cecb014d5d.
In a previous PR [1], the conditional to generate a new host key file
was changed to also include the case when the file exists, but has zero
size. This could occur when the system is uncleanly powered off shortly
after first boot.
However, ssh-keygen prompts the user before overwriting a file. For
example:
$ touch hi
$ ssh-keygen -f hi
Generating public/private rsa key pair.
hi already exists.
Overwrite (y/n)?
So, lets just try to remove the empty file (if it exists) before running
ssh-keygen.
[1] https://github.com/NixOS/nixpkgs/pull/141258
Release notes available at https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-18-0-0.
The way the database port is configured changed in Keycloak 18 and the
old way of including it in the `db-url-host` setting no longer
works. Use the new `db-url-port` setting instead.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Signed-off-by: Kim Lindberger <kim.lindberger@gmail.com>
See https://blog.prosody.im/prosody-0.12.0-released for more
informations.
We remove the various lua wrappers introduced by
6799a91843 and
16d0b4a69f. It seems like we don't need
them anymore. I'm not brave enough to dig into the Lua machinery to
see what resolved that. Sorry, you'll have to trust me on that one.
We should probably think about the migration from http_upload to
http_file_share for the NixOS module. It's not trivial, we need to
make sure we don't break the already uploaded URLs.
This commit refactors the way how configuration files are deployed to
the `/etc/asterisk` directory.
The current solution builds a Nix derivation containing all config files
and symlinks it to `/etc/asterisk`. The problem with that approach is
that it is not possible to provide additional configuration that should
not be written to the Nix store, i.e. files containing credentials.
The proposed solution changes the creation of configuration files so
that each configuration file gets symlinked to `/etc/asterisk`
individually so that it becomes possible to provide additional config
files to `/etc/asterisk` as well.
First, add the builtin udev rules to /etc/udev/rules.d so they are used.
Then, add all networkd .link units to the initrd. This is done in the
old stage 1 as well so I assume this is needed even when networkd is not
used. I assume this is for things like changing the MAC address.
Also limit the number of udev/lib binaries that is put into the initrd
because the old initrd doesn't use all units either.
The NixOS evaluation would complain:
trace: warning: literalExample is deprecated, use literalExpression instead, or use literalDocBook for a non-Nix description.