Commit graph

51134 commits

Author SHA1 Message Date
hustlerone
d5138ca3d6 nixos/limine: tidy up the boot menu
(cherry picked from commit de6905ee37)
2025-05-22 21:03:39 +05:30
Niklas Korz
26506af385 nixos/meilisearch: use meilisearch_1_11 for stateVersion below 25.05
(cherry picked from commit aac2e41ce0)
2025-05-22 13:54:53 +00:00
Fugi
63b6a715ed nixos/gtklock: init
(cherry picked from commit 65a759f7b4)
2025-05-22 03:49:50 +00:00
Morgan Jones
423873feaa nixos/tpm2: default pkcs#11 module based on abrmd config
Since there are now variants of tpm2-pkcs11 with and without ABRMD
support (for the kernel resource manager), ensure we pick the correct
default.

Fixes an accidental backwards incompatibility with the module.

(cherry picked from commit 9c1564e395)
2025-05-22 00:37:29 +05:30
programmerlexi
f5c8555577 nixos/limine: don't modify boot order on bootloader update
(cherry picked from commit 95030d7eb3)
2025-05-21 23:38:10 +05:30
Aleksana
10ebe60cac [Backport release-25.05] nixos/doc/rl-2505: Fix wording of users.users subuid allocation note (#408025)
2025-05-22 00:14:14 +08:00
Aleksana
6c8cd30a08 [Backport release-25.05] matrix-continuwuity: init at 0.5.0-rc.5; nixos/matrix-continuwuity: init (#407850)
2025-05-22 00:11:54 +08:00
Thomas Gerbet
e8bf3e2fb5 midori: drop
Package has been broken for a while and upstream project
seems to have been re-oriented to a Firefox fork.
See https://github.com/midori-browser/core/issues/468

Closes #374354

(cherry picked from commit f492075c53)
2025-05-21 12:16:05 +00:00
Yaya
f64ff96c0a nixos/doc/rl-2505: Mention minimal postgresql requirement for gitlab 18
`gitlab` >= 18.0 requires at least `postgresql` >= 16. GitLab users
are advised to follow the mentioned steps in the manual to upgrade their
PostgreSQL installation.

(cherry picked from commit c46cc8a67a)
2025-05-21 12:57:34 +02:00
Yaya
a1d1c7afd9 nixos/gitlab: update minimum PostgreSQL version assertion
GitLab 18.0.0 requires at least PostgreSQL 16.

https://docs.gitlab.com/18.0/install/requirements/#postgresql
(cherry picked from commit ee58f11546)
2025-05-21 12:57:34 +02:00
programmerlexi
d8c429b16a nixos/limine: carefully remove files instead of nuking them
(cherry picked from commit a094b5d8cc)
2025-05-21 15:42:12 +05:30
programmerlexi
ecc74afaf4 nixos/limine: atomically copy files
(cherry picked from commit 2c7659b1ff)
2025-05-21 15:42:12 +05:30
Matt Christ
7c33418bb0 brscan5: remove deprecated SYSFS udev rule
This patch resolves an issue where systemd-udevd outputs events like:

/nix/store/jm9paymkapbi6pzwbjgmi634vaf2y5va-udev-rules/49-brother-mfp-brscan5-1.0.2-2.rules:17 Invalid key 'SYSFS'.

(cherry picked from commit ff62fe4136)
2025-05-21 07:50:48 +00:00
Evan Scamehorn
e9461aa3e3 nixos/spotifyd: Fix 404 URLs (#408504)
(cherry picked from commit a4e1ad5521)
2025-05-21 06:46:57 +00:00
Jan Tojnar
3e574f1237 nixos/orca: Make available to gdm greeter
Without this, the greeter is unable to see the `orca` program on `PATH`
and so `${gdm}/share/gdm/greeter/autostart/orca-autostart.desktop`
will fail to start it. As a result, the screen reader would not work
on the login screen.

(cherry picked from commit 9af27f1cb5)
2025-05-20 18:09:17 +00:00
Alyssa Ross
fab51ff715 linux/hardened/patches/6.14: init at v6.14.6-hardened1
Co-authored-by: Fabián Heredia Montiel <fabianhjr@protonmail.com>
(cherry picked from commit 28ea08fde9)
2025-05-20 15:04:37 +00:00
benaryorg
f551d91f2e nixos/systemd: unconditional systemd-journald-audit.socket
Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided.
However the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines.
This caused `systemd-analyze verify` to fail:

```text
systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
```

The upstream unit already contains the following, which should make it safe to include regardless:

```ini
[Unit]
ConditionSecurity=audit
ConditionCapability=CAP_AUDIT_READ
```

For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696).

Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com>
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit e434130d0b)
2025-05-20 13:30:26 +00:00
Bruce Toll
0c6b3ff337 nixos/tests/systemd-journal: Fix failing tests
Fix regression from https://github.com/NixOS/nixpkgs/pull/379629.
The systemd-journal test has been failing on hydra since 2025-02-10.
See, for instance: https://hydra.nixos.org/build/290855155.

This commit enables auditing, as expected by the tests. It also
addresses an issue where audit messages were getting dropped due to
rate limits.

(cherry picked from commit 22d51e08cf)
2025-05-20 13:30:26 +00:00
Doron Behar
ef5bc91e93 nixos/i18n: Remove special handling of LANGUAGE
Partially revert #179194 which first filtered
`extraLocaleSettings.LANGUAGE`. Indeed this environment variable is
given precedence according to:

https://www.gnu.org/software/gettext/manual/html_node/Locale-Environment-Variables.html

So using it will simply make all other `extraLocaleSettings` be ignored
in practice, but the OS shouldn't ignore it when aggregating the locales
required in general, as this setup should still be legitimate, and it
may even be useful if you wish to set it by default and use `env -u
LANGUAGE` for some programs.

(cherry picked from commit 263297b4e5)
2025-05-20 12:17:52 +00:00
Doron Behar
53efec63d6 nixosTests.i18n: init
(cherry picked from commit cbbd59e14e)
2025-05-20 12:17:52 +00:00
Doron Behar
fdba215260 i18n: Add charset related settings
Fixes #404758

(cherry picked from commit e8581078a1)
2025-05-20 12:17:52 +00:00
Martin Weinelt
2e90f0c297 [Backport release-25.05] deliantra-server: mark broken (#408931)
2025-05-20 13:14:16 +02:00
Morgan Jones
c239eca2d9 nixos/k3s: get tests working again
Some of the attributes fetched throw, so tryEval them. Recurse into the
attribute set to pick up all the tests.

(cherry picked from commit 727809f534)
2025-05-20 06:52:45 +00:00
Jonas Heinrich
d86afdceca nixos/tests/oncall: Fix LDAP mapping
(cherry picked from commit 8a9cd899ac)
2025-05-20 04:00:29 +00:00
Rebecca Kelly
e4d44b9ac6 deliantra-server: remove
I'm not really using or maintaining it anymore and it's getting increasingly bit-rotted.

(cherry picked from commit b8a2f7fff9)
2025-05-20 02:39:44 +00:00
Leona Maroni
84b9a3019a [Backport release-25.05] release-notes: rework highlights section (#408646)
2025-05-19 16:40:51 +02:00
Jonas Sander
c7eaa2ddb2 nixos/paperless: expose manage package (#405610)
(cherry picked from commit 309871725f)
2025-05-19 14:38:20 +00:00
Michele Guerini Rocco
c2db6a61f2 [Backport release-25.05] nixos/pdns-recursor: deprecate settings, add yaml-settings (#408645)
2025-05-19 16:30:26 +02:00
phaer
88294331fd amazon-image: Increase diskSize 3 -> 4GB
Disk usage of the image has risen considerably since last release. We
still need to investigate the cause in detail. Increasing it for now
prevents build failures at least.

(cherry picked from commit 813d0ba1fb)
2025-05-19 11:13:17 +00:00
phaer
9eaf700bf0 amazon-image: Remove tags from label, use version only
By default, `system.nixos.label` includes `system.nixos.tags` which
historically was not set for the amazon image.

Keeping the tag in the label of the generated disk image inside the
derivation (i.e. `image.filePath`) makes it easier to tell that the
file is for amazon (i.e.
`nixos-image-amazon-25.11pre-git-x86_64-linux.vpc`) while the "label"
in `image-info.json` for users of the AWS api stays stable (i.e.
`/25.05pre-git-x86_64-linux`).

(cherry picked from commit 8ccd7e5d9a)
2025-05-19 11:13:17 +00:00
Atemu
5a0bb053d1 [Backport release-25.05] nixos/signald, signald, signaldctl, purple-signald: drop (#408483)
2025-05-19 11:10:56 +02:00
K900
9b92bb723e [Backport release-25.05] kanidm: fix to actually work on Linux again (#408652)
2025-05-19 11:49:30 +03:00
K900
217bc1016e nixos/tests/kanidm: pin to v1.6
These should really be made versioned, but this gets us _something_
quickly, at least.

(cherry picked from commit bf0aa25e4b)
2025-05-19 08:49:00 +00:00
K900
16f669780b nixos/tests/installer: fix eval
(cherry picked from commit c87615a319)
2025-05-19 08:48:28 +00:00
Leona Maroni
c2d6e6ecd1 release-notes: rework highlights section
(cherry picked from commit 8ae9309031)
2025-05-19 08:32:49 +00:00
rnhmjoj
0142405cb7 nixos/release-notes: deprecate services.pdns-recursor.settings
(cherry picked from commit ab8653abd5)
2025-05-19 08:30:52 +00:00
rnhmjoj
77406f7c09 nixos/tests/pdns-recursor: test old-settings
(cherry picked from commit 13accc23b0)
2025-05-19 08:30:52 +00:00
rnhmjoj
fb77c246cb nixos/pdns-recursor: deprecate settings, add yaml-settings
(cherry picked from commit b71d4f5fb3)
2025-05-19 08:30:52 +00:00
Winter
25e8cba5ec nixos/tests/installer: include x86_64-darwin in platforms for uefi tests
Also makes it so that we only set `meta.platforms` in cases where we need
to restrict it; otherwise, we go with the default.

(cherry picked from commit f3db57edfa)
2025-05-19 07:24:22 +00:00
Winter
587a2bd106 nixos/tests: don't explicitly set meta.platforms
This prevents the tests from running on Darwin for no real reason.

(cherry picked from commit 2680e0beca)
2025-05-19 07:24:22 +00:00
Niklas Korz
f357ba3e53 release-notes: removal of signald module and all signald-related packages
(cherry picked from commit 3186b66d0a)
2025-05-18 19:45:41 +00:00
Niklas Korz
ed59c106c7 nixos/signald: drop
(cherry picked from commit 9958792cae)
2025-05-18 19:45:40 +00:00
OPNA2608
9ac24b33ed nixos/tests/common/x11.nix: Fix IceWM theme
(cherry picked from commit f66c4ad65f)
2025-05-18 17:09:17 +00:00
Atemu
1e1873f016 [Backport release-25.05] nixos/tests/vaultwarden: fix UI testing (#408121)
2025-05-18 13:06:59 +02:00
Atemu
5f2ee6fb08 [Backport release-25.05] nixosTests.curl-impersonate: skip failing test (#408091)
2025-05-18 12:09:59 +02:00
Ramses
ce3af7849d [Backport release-25.05] nixos/specialisation: escape and restrict specialisation names (#408069)
2025-05-17 22:39:49 +02:00
networkException
7cc7b7c639 nixos/tests/vaultwarden: fix UI testing
This patch fixes a failure in the Selenium UI testing
script by waiting for an element to be clickable.
This allows the Angular to render properly.

(cherry picked from commit 94e7e3f350)
2025-05-17 20:23:07 +00:00
Winter
258dca1e95 nixos/profiles/nix-builder-vm: allow the system derivation to be substituted
Consider a user wanting to set up the Linux builder for the first time,
but with a slightly more generous allocation of resources compared to
the default. They'll do something like this:

```
{
  virtualisation.cores = 3;
  virtualisation.darwin-builder = {
    diskSize = 40 * 1024;
    memorySize = 4 * 1024;
  };
}
```

This will fail with an error like this:

```
error: a 'aarch64-linux' with features {} is required to build '/nix/store/3acpgmwqwnk8g2gc5r05ar2lvmn01b8a-builder.pl.drv', but I am a 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}
```

But why would they have to rebuild the NixOS system?! All they did was
change the arguments passed to QEMU, and nothing those options control
would affect the NixOS configuration itself... right?

`config.system.build.toplevel` is defined with `allowSubstitutes` set to
`false` by default, which makes it so that the toplevel can't be
substituted if Nix is trying to use it "directly." So because the above
example would have to rebuild the VM runner, which references toplevel
directly, Nix refuses to substitute it, unless `always-allow-substitutes
= true` is set as a Nix option. (In the case where the QEMU options
aren't changed at all, Nix just substitutes the runner, which sidesteps
this issue as the runner itself doesn't use toplevel as an input.)

(cherry picked from commit 747c55e702)
2025-05-17 19:40:59 +00:00
emilylange
28d804e625 nixosTests.curl-impersonate: skip failing test
We use a NixOS VM test to execute the upstream tests of curl-impersonate
because they require networking which cannot be mocked easily in the
sandbox.

Of those upstream tests, test_http2_headers spawns nghttpd2, makes
request against it and then tries to parse the logs it emits.
The last step, the parsing of the logs, is extremely fragile and version
dependent. The version of nghttp2 that we carry in nixpkgs is newer than
the one curl-impersonate expects and happens to emit a different log
format.

So to fix the remaining test suite of curl-impersonate, we simply skip
test_http2_headers.

(cherry picked from commit 9266b72424)
2025-05-17 18:40:03 +00:00
toborwinner
1b2b3e1ea2 nixos/specialisation: escape and restrict specialisation names
Prevent the specialisation names from containing a forward slash.
Also escape them to allow for spaces in specialisation names.

(cherry picked from commit 2b9fc0ccc5)
2025-05-17 17:48:07 +00:00