| Commit message (Collapse) | Author | Age |
| |
|
|
|
|
|
|
| |
align with upstream logrotate which added the minsize rule at some point.
This avoids needlessly rotating the files too often as brought up in
https://github.com/NixOS/nixpkgs/pull/159187#issuecomment-1052426774
|
|\
| |
| | |
logrotate service enhancements
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
wtmp and btmp are created by systemd, so the rules are more appropriate there.
They can be disabled explicitly with something like
services.ogrotate.paths = {
"/var/log/btmp".enable = false;
"/var/log/wtmp".enable = false;
};
if required.
|
|/ |
|
|\
| |
| | |
nixos/systemd: only use cryptsetup units if systemd was built with it
|
| | |
|
|/
|
|
|
|
| |
Add `shellDryRun` to the generic stdenv and substitute it for uses of
`${stdenv.shell} -n`. The point of this layer of abstraction is to add
the flag `-O extglob`, which resolves #126344 in a more direct way.
|
|\
| |
| | |
Move systemd-lib.nix and systemd-unit-options.nix into utils
|
| | |
|
|/
|
|
|
|
|
|
|
| |
it was removed in
https://github.com/NixOS/nixpkgs/commit/eb862c48ddc288243c5447e8decc623b10ef165c#diff-5ea4693beb4bdd8f7efcdd3204ceea67c86f59b3d1c28cde063ddf03e1d20fbfL66
without this change i get
Failed to list users: Unit dbus-org.freedesktop.login1.service not found.
when i update and rebuild
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
/etc/crypttab can contain the _netdev option, which adds crypto devices
to the remote-cryptsetup.target.
remote-cryptsetup.target has a dependency on cryptsetup-pre.target. So
let's add both of them.
Currently, one needs to manually ssh in and invoke `systemctl start
systemd-cryptsetup@<name>.service` to unlock volumes.
After this change, systemd will properly add it to the target, and
assuming remote-cryptsetup.target is pulled in somewhere, you can simply
pass the passphrase by invoking `systemd-tty-ask-password-agent` after
ssh-ing in, without having to manually start these services.
Whether remote-cryptsetup.target should be added to multi-user.target
(as it is on other distros) is part of another discussion - right now
the following snippet will do:
```
systemd.targets.multi-user.wants = [ "remote-cryptsetup.target" ];
```
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
```
activating the configuration...
warning: user ‘systemd-coredump’ has unknown group ‘systemd-coredump’
setting up /etc...
```
Oversight of #133166
|
| |
|
|\
| |
| | |
nixos/systemd: add namespaced (templated) journald sockets and service
|
| | |
|
|\ \
| | |
| | | |
nixos/journald: don't set nogroup
|
| | | |
|
|\ \ \
| | | |
| | | | |
nixos/systemd: provision a systemd-coredump user
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
systemd-coredump tries to drop privileges to a systemd-coredump user if
present (and falls back to the root user if it's not available).
Create that user, and recycle uid 151 for it. We don't really care about
the gid.
Fixes https://github.com/NixOS/nixpkgs/issues/120803.
|
|\ \ \ \
| |/ / /
|/| | | |
nixos/etc: Replace make-etc.sh with nix and bash
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The main goal of this commit is to replace the rather fragile passing of
multiple arrays which could break in cases like #130935.
While I could have just added proper shell escaping to the variables
being passed, I opted for the more painful approach of replacing the
fragile and somewhat strange construct with the 5 bash lists. While
there are currently no more problems present with the current approach
(at least none that I know of), the new approach seems more solid and
might get around problems that could arise in the future stemming from
either the multiple-lists situation or from the absence of proper shell
quoting all over the script.
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- The order of NSS (host) modules has been brought in line with upstream
recommendations:
- The `myhostname` module is placed before the `resolve` (optional) and `dns`
entries, but after `file` (to allow overriding via `/etc/hosts` /
`networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from
hijacking `.localhost` domains)
- The `mymachines` module, which provides hostname resolution for local
containers (registered with `systemd-machined`) is placed to the front, to
make sure its mappings are preferred over other resolvers.
- If systemd-networkd is enabled, the `resolve` module is placed before
`files` and `myhostname`, as it provides the same logic internally, with
caching.
- The `mdns(_minimal)` module has been updated to the new priorities.
If you use your own NSS host modules, make sure to update your priorities
according to these rules:
- NSS modules which should be queried before `resolved` DNS resolution should
use mkBefore.
- NSS modules which should be queried after `resolved`, `files` and
`myhostname`, but before `dns` should use the default priority
- NSS modules which should come after `dns` should use mkAfter.
|
| |
| |
| | |
As per https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html the current description is missleading as it fails to mention volatile files and creation with deletion
|
| |
| |
| |
| |
| | |
As described in issue #81138, the Install section of upstream units is
currently ignored, so we make it part of the sysinit.target manually.
|
| | |
|
|\| |
|
| | |
|
|/
|
|
| |
It is broken: it looks for /sbin/modprobe, but it works anyway??
|
|
|
|
|
|
|
|
| |
Declaring them as lists enables the concatenation, supporting
lib.mkBefore, lib.mkOrder, etc.
This is useful when you need to extend a service with a pre-start
script that needs to run as root.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.
Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.
Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.
Fixes #73800
|
|
|
|
|
| |
This implements
https://github.com/NixOS/nixpkgs/issues/45786#issuecomment-440091879
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These were broken since 2016:
https://github.com/systemd/systemd/commit/f0367da7d1a61ad698a55d17b5c28ddce0dc265a
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.
NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.
I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(https://github.com/systemd/systemd/blob/ad16158c10dfc3258831a9ff2f1a988214f51653/src/basic/ratelimit.c#L16)
|
|
|
|
|
| |
When not using apply, other modules can use $PATH as a list instead of
getting a colon-separated list to each /bin directory.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#96766)
This allows the user to configure systemd tmpfiles.d via
`environment.etc."tmpfiles.d/X.conf".text = "..."`, which after #93073
causes permission denied (with new X.conf):
```
ln: failed to create symbolic link '/nix/store/...-etc/etc/tmpfiles.d/X.conf': Permission denied
builder for '/nix/store/...-etc.drv' failed with exit code 1
```
or collision between environment.etc and systemd-default-tmpfiles
packages (with existing X.conf, such as tmp.conf):
```
duplicate entry tmpfiles.d/tmp.conf -> /nix/store/...-etc-tmp.conf
mismatched duplicate entry /nix/store/...-systemd-246/example/tmpfiles.d/tmp.conf <-> /nix/store/...-etc-tmp.conf
builder for '/nix/store/...-etc.drv' failed with exit code 1
```
Fixes #96755
|
|\
| |
| | |
systemd: 245.6 -> 246
|
| |
| |
| |
| |
| |
| | |
These are now only installed by systemd if HAVE_SYSV_COMPAT is true,
which only is the case if you set sysvinit-path and sysvrcnd-path (which
we explicitly unset in the systemd derivation for quite some time)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From the systemd release notes:
nss-mymachines lost support for resolution of users and groups, and now
only does resolution of hostnames. This functionality is now provided by
nss-systemd. Thus, the 'mymachines' entry should be removed from the
'passwd:' and 'group:' lines in /etc/nsswitch.conf (and 'systemd' added
if it is not already there).
|
|\ \
| |/
|/| |
|
| |\
| | |
| | | |
nixos/systemd: don't try to install systemd-initctl.{service,socket}
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Since systemd 246, these are only installed by systemd if
HAVE_SYSV_COMPAT is true, which only is the case if you set
sysvinit-path and sysvrcnd-path (which we explicitly unset in the
systemd derivation for quite some time)
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
symlinkJoin can break (silently) when the passed paths contain symlinks
to directories. This should work now.
Down-side: when lib/tmpfiles.d doesn't exist for some passed package,
the error message is a little less explicit, because we never get
to the postBuild phase (and symlinkJoin doesn't provide a better way):
/nix/store/HASH-NAME/lib/tmpfiles.d: No such file or directory
Also, it seemed pointless to create symlinks for whole package trees
and using only a part of the result (usually very small part).
|
|\| |
|
| |
| |
| |
| | |
This works exactly analogously to the existing `listenStreams`.
|
|\| |
|
| |
| |
| | |
in LXC container /dev/net/tun is pre-available, "dev-net-tun.device" always fails
|
|/
|
|
|
|
|
|
|
| |
There's a circular dependency to systemd via cryptsetup and lvm2
(systemd -> cryptsetup -> lvm2 -> udev=systemd).
However, cryptsetup only really needs the devmapper component shipped
with lvm2. So build `pkgs.cryptsetup` with a lvm2 that doesn't come with
udev.
|