The following changes are included:
1) install user unit files from upstream dbus
2) use absolute paths to config for --system and --session instances
3) make socket activation of user units configurable
There has been a number of PRs to address this, so this one does the
bare minimum, which is to make the functionality available and
configurable but defaults to off.
Related PRs:
- #18382
- #18222
(cherry picked from commit f7215c9b5b47dfb0a6dbe87ff33d7730729a32e5)
Signed-off-by: Domen Kožar <domen@dev.si>
4.1.12
======
Bugfixes
--------
Fix malformed edns query assertion failure, reported by Michal Kepien (NASK).
4.1.11
======
Features
--------
* When tcp is more than half full, use short timeout for tcp session.
* Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
* Fix#790: size-limit-xfr can stop NSD from downloading infinite zone transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
Bugfixes
--------
* Fix build without IPv6, patch from Zdenek Kaspar.
* Fix#783: Trying to run a root server without having configured it silently gives wrong answers.
* Fix#782: Serve DS record but parent zone has no NS record.
* Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
4.1.10
======
Features
--------
* ip-freebind: yesno option in nsd.conf sets IP_FREEBIND socket option for Linux, binds to interfaces and addresses that are down.
* NSD includes AAAA before A for queries over IPV6 (in delegations). And TC is set if no glue can be provided with a delegation because of packet size.
* print notice that nsd is starting before taking off.
Bugfixes
--------
* Fix for openssl 1.1.0, HMAC_CTX size not exported from openssl.
* Fix#751: NSD fails to occlude names below a DNAME.
* If set without nsd.db print "" as the default in the man pages.
* Fix#755: NSD spins after a zone update and a lot of TCP queries.
* Fix for NSEC3 with zone signed without exact match for empty nonterminals, the answer for that domain gets closest encloser.
* #772 Document that recvmmsg has IPv6 problems on some linux kernels.
4.1.9
=====
Bugfixes
--------
* Change the nsd.db file version because of nanosecond precision fix.
The services/networking directory is already quite polluted and the
first point where I was looking for the offlineimap module was in
services/mail and didn't find it there.
Offlineimap already has IMAP in its name and clearly belongs to the
"mail" category so let's move it there.
Tested by evaluating a configuration with services.offlineimap enabled.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @DamienCassou
Coercing the derivation to string causes the package to be built during
evaluation rather than during actual realization which is completely
unnecessary because we don't need additional Nix expression information
for the package (nor do we need it for the service).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @DamienCassou
Cc: @Profpatsch (stumbled on this because of him)
This commit removes all references to emacs24 with the exception of
emacs24-macports. The two folders in `pkgs/applications/editors` named
`emacs-24` and `emacs-24` are consolidated to a new `emacs` folder.
Various parts in nixpkgs also referenced `emacs24Packages` (pinned to
`emacs24`) explicitly where `emacsPackages` (non-pinned) is more
appropriate. These references get fixed by this commit too.
* influxdb module: add postStart
* cadvisor module: increase TimeoutStartSec
Under high load, the cadvisor module can take longer than the default 90
seconds to start. This change should hopefully fix the test on Hydra.
Regression introduced by bccd75094f.
The mentioned commit removed the pkgs.gtk attribute, but forgot to
change this within the xfce module.
Tested using the xfce NixOS test and it has passed on my machine.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
While entering the chroot should provide the same amount of isolation,
the preStart script will run with full root privileges and so would
benefit from some isolation as well (in particular due to
unbound-anchor, which can perform network I/O).
1. The preStart script ensures consistent ownership, even if the unbound
user's uid has changed
2. The unbound daemon does not generate data that needs to be private to
it, so it would not matter that a different service would end up
owning its data (as long as unbound remains enabled, it should reclaim
ownership soon enough anyway).
Thus, there's no clear benefit to allocate a dedicated uid for the
unbound service. This releases uid/gid 48.
Also, because the preStart script creates the data directory, there's no
need to specify a homedir or ask for its creation.
/dev/random is an exhaustible resource. Presumably, unbound will not be
used to generate long-term encryption keys and so allowing it to use
/dev/random only increases the risk of entropy exhaustion for no
benefit.
Switches from the forking service type to simple by running haveged in
the foreground. Also restricts the execution environment a bit (these
are inspired by the Debian service file).
See #18319 for details. Starting network-online.target manually does not
work as it hangs indefinitely.
Additionally, don't treat avahi and dhcpcd special and sync their systemd units
with the respective upstream suggestion.
The extraOptions option has default values which seems surprising. This
moves those values to startupOptions (which is what gocd-agent uses) and
empties out the default extraOptions.
The gocd-agent startupOptions description was also changed to remove the
mention of the example (given there isn't one).
Systemd upstream provides targets for networking. This also includes a target network-online.target.
In this PR I remove / replace most occurrences since some of them were even wrong and could delay startup.
Radicale can run as a foreground service and will then emits logging and
errors on the standard output. This helps the logging end up in the
systemd journal.
Follow-up to the following commits:
abdc5961c3: Fix starting the firewall
e090701e2d: Order before sysinit
Solely use sysinit.target here instead of multi-user.target because we
want to make sure that the iptables rules are applied *before* any
socket units are started.
The reason I've dropped the wantedBy on multi-user.target is that
sysinit.target is already a part of the dependency chain of
multi-user.target.
To make sure that this holds true, I've added a small test case to
ensure that during switch of the configuration the firewall.service is
considered as well.
Tested using the firewall NixOS test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
Probably as a result of 992c514a20, it
was not being started anymore.
My understanding of systemd.special(7) (section "Special passive
system units") is that the firewall should want network-pre.target,
rather than the other way around (not very intuitive...). This in
itself does not cause the firewall to be wanted, which is why the
wanted-by relationship with multi-user.target is necessary.
http://hydra.nixos.org/build/39965589
We were pulling in 44 MiB of fonts in the default configuration, which
is a bit excessive for headless configurations like EC2
instances. Note that dejavu_minimal ensures that remote X11-forwarded
applications still have a basic font regardless.
It appears that packageOverrides no longer overrides aliases, so
aliases like
dbus_tools = self.dbus.out;
dbus_daemon = self.dbus.daemon;
now use the old, non-overriden version of dbus. That seems like a
pretty serious regression in general, but for this particular problem,
I've fixed it by replacing dbus_daemon by dbus.daemon and dbus_tools
by dbus.
Fixes#15512 and #16032
With the multi output, postgresql cannot find at runtime what is its
basedir when looking for libdir and pkglibdir. This commit fixes that.
Add code to accountsservice that returns an error if the environment
variable NIXOS_USERS_PURE is set. This variable is set from the nixos
accountsservice module if mutableUsers = false
This was one of the ways to build packages, we are trying
hard to minimize different ways so it's easier for newcomers
to learn only one way.
This also:
- removes texLive (old), fixes#14807
- removed upstream-updater, if that code is still used it should be in
separate repo
- changes a few packages like gitit/mit-scheme to use new texlive
Previously it was only set once, now it is enforced on each start-up of
redis.service. Also set _ownership_ recursively, so that the
/var/lib/redis/dump.rdb file is guaranteed to be accessible by the
currently configured redis user.
Fixes issue #9687, where redis wouldn't start because /var/lib/redis had
wrong owner.