The systemd.tmpfiles.settings.<name>.<path>.<type>.argument option may
contain arbitrary strings. This could allow intentional or unintentional
introduction of new configuration lines.
The argument field cannot be quoted, C‐style \xNN escape sequences are
however permitted. By escaping whitespace and newline characters, the
issue can be mitigated.
Follow-up on #169733
For `data`, Nextcloud checks on its own if everything is readable.
However, for `config` it's crucial that the ownership is actually
correct: otherwise, systemd-tmpfiles will refuse any operations inside
because of unsafe path transitions.
This can result in a subtly broken setup by the `override.config.php`
not being updated, but also not part of the system closure anymore
(another override.config.php is referenced now) which means it'll be
GCed eventually even though Nextcloud relies on it.
If this precondition is not met, the following error will be printed:
nextcloud-setup-start[972]: /var/lib/nextcloud/config is not owned by user 'nextcloud'!
nextcloud-setup-start[972]: Please check the logs via 'journalctl -u systemd-tmpfiles-setup'
nextcloud-setup-start[972]: and make sure there are no unsafe path transitions.
nextcloud-setup-start[972]: (https://nixos.org/manual/nixos/stable/#module-services-nextcloud-pitfalls-during-upgrade)
There was a systemd-tmpfiles warning about not being able to remove the
'plugins' directory. Squash this warning through removal of unnecessary
systemd-tmpfiles options, and write a test for it.
Add the {option}`services.mattermost.pluginsBundle` option to allow
overriding the plugin directory and also using it for tests. Update
wording in option documentation so it is more clear.
Use formats.json instead of builtins.toJSON so module merging works.
Make the tests go faster by pipelining shutdowns of nodes.
- Change `folder.devices` type into `oneOf [(listOf str) (attrsOf
(submodule { ... }))]`.
- Expose `encryptionPassord` within the attrSet of the devices option.
This allows the user to set the encrpyption password use to share the
folder's data with. We do this by file path, as opposed to string
literal, because we do not want to embed the encrpyption password into
the nix store.
Rewrite the syncthing config update script to embed secrets into the
json request. Specifically, we handle the `encryptionPassword` secret.
With this code, the user can embed path to the encrpyption password for
a given device the folder is shared with, and have it loaded in, without
touching the nix store.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
This was a workaround to begin with, as hardened kernel didn't support tracing.
Back then kernel level tracing was only available through debugfs, and now that
tracefs has been available on NixOS for a while now, enabled in
Link: https://github.com/NixOS/nixpkgs/pull/388751
This workaround can be removed and bpf can be used with tracefs.
Link: https://github.com/NixOS/nixpkgs/issues/360957
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
this assertion broke gnome sessions in very hard to debug way:
- gdm starts, but on successful login just returns to login screen
- journalctl isn't exactly helpful in this condition:
- a typical gnome login will involve many warnings and errors, that
aren't actually preventing login, but will lead affected users
on a merry chase for many hours
- the actual indicators in the log arent't even an errors, only info and warning
- graphical-session.target: Starting requested but asserts failed.
- Assertion failed for Current graphical user session.
startx is a power tool for power users, needing a certain level of
expertise for the user to even want it, let alone use correctly.
However, the expectation is, that the necessary expertise will be
contained within the domain of startx and that it not break tools for
regular users.
This partially reverts commit e1c3082085.
e-imzo: (fix, to be squashed) formatted accordingly using `nixfmt`
e-imzo: (fix, to be squashed) removed lib from options by @ FliegendeWurst
e-imzo: (fix, to be squashed) use lib.getExe as mainProgram is defined by @FliegendeWurst
e-imzo: (fix, to be squashed) formatted with `nixfmt-rfc-style` suggestion by @FliegendeWurst
Co-Authored-By: Arne Keller <arne.keller@posteo.de>
