It was brought up that the restricted file-system access breaks
tablespaces[1]. I'd argue that this is the desired behavior, the whole
point of the hardening is the lock the service down and I don't consider
tablespaces common enough to elevate privileges again. Especially since
the workaround is trivial as shown in the diff.
For completeness sake, this adds the necessary `ReadWritePaths` change
to the postgresql section of the manual.
This also adds a small correction about the state of
`ensurePermissions`.
[1] https://github.com/NixOS/nixpkgs/pull/344925#issuecomment-2521188907
This requires all datasets for the pool specified in `fileSystems` to be
marked noauto.
Note that this implicitly skips some tasks for the pool, such as
`expandOnBoot`, as the pool will not be imported at that time.
I don't know the reason for rtkit only getting enabled by
hardware.pulseaudio.enable and not services.pipewire.enable, as they
both use it to get real-time priority, but we can at least help users by
mentioning pipewire in the rtkit option.
From hosts(5):
> For each host a single line should be present with the following
> information:
>
> IP_address canonical_hostname [aliases...]
With lines like "::1 localhost ahost.adomin ahost", we were saying
that the canonical name for "ahost" was "localhost", the opposite of a
canonical name. This is why a second loopback address (127.0.0.2) is
used for hostnames with IPv4 — if they were put after "localhost" on
the 127.0.0.1 line, the same thing would happen. With IPv6 we can't
do the same thing as there's only a single loopback address, so
instead the right thing to do is to simply not list the hostnames in
/etc/hosts, and rely on the myhostname NSS plugin, which will handle
this correctly.
(Note that the examples in hosts(5) also do not include IPv6 FQDN or
hostname entries.)
Enabling networking.wireguard.useNetworkd currently requires users to
modify the permissions of their private key files. Since that is a bad
upgrade experience, the module should be disabled by default for now.
Once systemd credential support is added to the module, it should be
safe to once again enable it by default for networkd users.
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
As it helps making deps easier to discover - as we don't currently
render submodule options in the module correctly - and is arguably
more technical correct: When using nixos-install to install nixos
into a chroot in i.e. /mnt, there's no gurantee that /mnt/dev exists
before the specialfs phase ran.
