Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2305.section.xml42
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md8
-rw-r--r--nixos/modules/services/hardware/throttled.nix2
-rw-r--r--nixos/modules/services/network-filesystems/kubo.nix57
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix20
-rw-r--r--nixos/modules/virtualisation/amazon-options.nix4
-rw-r--r--nixos/modules/virtualisation/openstack-options.nix4
-rw-r--r--nixos/tests/apfs.nix8
8 files changed, 111 insertions, 34 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index dd0e6a5d068d..3f1816e8e769 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -211,6 +211,18 @@
</listitem>
<listitem>
<para>
+ The <literal>services.kubo.settings</literal> option is now no
+ longer stateful. If you changed any of the options in
+ <literal>services.kubo.settings</literal> in the past and then
+ removed them from your NixOS configuration again, those
+ changes are still in your Kubo configuration file but will now
+ be reset to the default. If you’re unsure, you may want to
+ make a backup of your configuration file (probably
+ /var/lib/ipfs/config) and compare after the update.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
The EC2 image module no longer fetches instance metadata in
stage-1. This results in a significantly smaller initramfs,
since network drivers no longer need to be included, and
@@ -699,6 +711,36 @@
</listitem>
<listitem>
<para>
+ Updated recommended settings in
+ <literal>services.nginx.recommendedGzipSettings</literal>:
+ </para>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>
+ Enables gzip compression for only certain proxied
+ requests.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Allow checking and loading of precompressed files.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Updated gzip mime-types.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Increased the minimum length of a response that will be
+ gzipped.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <para>
<link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>
version is based on
<link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>,
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index de455c1293bf..a2c4b038d7f1 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -60,6 +60,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `git-bug` has been updated to at least version 0.8.0, which includes backwards incompatible changes. The `git-bug-migration` package can be used to upgrade existing repositories.
+- The `services.kubo.settings` option is now no longer stateful. If you changed any of the options in `services.kubo.settings` in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.
+
- The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
@@ -179,6 +181,12 @@ In addition to numerous new and upgraded packages, this release has the followin
- A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
+- Updated recommended settings in `services.nginx.recommendedGzipSettings`:
+ - Enables gzip compression for only certain proxied requests.
+ - Allow checking and loading of precompressed files.
+ - Updated gzip mime-types.
+ - Increased the minimum length of a response that will be gzipped.
+
- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).
- `hip` has been separated into `hip`, `hip-common` and `hipcc`.
diff --git a/nixos/modules/services/hardware/throttled.nix b/nixos/modules/services/hardware/throttled.nix
index 2d801a7e838f..afca24d976e1 100644
--- a/nixos/modules/services/hardware/throttled.nix
+++ b/nixos/modules/services/hardware/throttled.nix
@@ -20,7 +20,7 @@ in {
config = mkIf cfg.enable {
systemd.packages = [ pkgs.throttled ];
# The upstream package has this in Install, but that's not enough, see the NixOS manual
- systemd.services.lenovo_fix.wantedBy = [ "multi-user.target" ];
+ systemd.services.throttled.wantedBy = [ "multi-user.target" ];
environment.etc."throttled.conf".source =
if cfg.extraConfig != ""
diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix
index 13a062c32128..4d423c905986 100644
--- a/nixos/modules/services/network-filesystems/kubo.nix
+++ b/nixos/modules/services/network-filesystems/kubo.nix
@@ -5,6 +5,23 @@ let
settingsFormat = pkgs.formats.json {};
+ rawDefaultConfig = lib.importJSON (pkgs.runCommand "kubo-default-config" {
+ nativeBuildInputs = [ cfg.package ];
+ } ''
+ export IPFS_PATH="$TMPDIR"
+ ipfs init --empty-repo --profile=${profile}
+ ipfs --offline config show > "$out"
+ '');
+
+ # Remove the PeerID (an attribute of "Identity") of the temporary Kubo repo.
+ # The "Pinning" section contains the "RemoteServices" section, which would prevent
+ # the daemon from starting as that setting can't be changed via ipfs config replace.
+ defaultConfig = builtins.removeAttrs rawDefaultConfig [ "Identity" "Pinning" ];
+
+ customizedConfig = lib.recursiveUpdate defaultConfig cfg.settings;
+
+ configFile = settingsFormat.generate "kubo-config.json" customizedConfig;
+
kuboFlags = utils.escapeSystemdExecArgs (
optional cfg.autoMount "--mount" ++
optional cfg.enableGC "--enable-gc" ++
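Review bot: `rawDefaultConfig` passes a `runCommand` output to `lib.importJSON`, which is import-from-derivation. Once the service is enabled and `configFile` is forced, evaluation has to build the derivation and run `ipfs init` from `cfg.package` before it can finish, and it fails outright where `allow-import-from-derivation` is turned off. If this is kept, I would say so above the binding, e.g. `# Import-from-derivation: evaluating this module builds and runs cfg.package to obtain Kubo's default config.`, so that users with restricted evaluation know why the module does not evaluate. The `let` block starts before and continues after this hunk, so other uses of these bindings are not visible here.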
@@ -161,9 +178,9 @@ in
};
};
description = lib.mdDoc ''
- Attrset of daemon configuration to set using {command}`ipfs config`, every time the daemon starts.
+ Attrset of daemon configuration.
See [https://github.com/ipfs/kubo/blob/master/docs/config.md](https://github.com/ipfs/kubo/blob/master/docs/config.md) for reference.
- Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default!
+ You can't set `Identity` or `Pinning`.
'';
default = { };
example = {
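Review bot: The new description drops the statefulness warning but does not say where the settings end up now. `configFile` is produced by `settingsFormat.generate`, so the merged configuration becomes a file in the world-readable Nix store. I would add a sentence to the description such as `The resulting file is stored in the Nix store, so do not put credentials or other secrets in this option.` It would also help to state that options removed from this attrset are reset to Kubo's defaults at the next start, since that change is currently only in the release notes. The option definition begins above this hunk.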
@@ -211,6 +228,21 @@ in
###### implementation
config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = !builtins.hasAttr "Identity" cfg.settings;
+ message = ''
+ You can't set services.kubo.settings.Identity because the ``config replace`` subcommand used at startup does not support modifying any of the Identity settings.
+ '';
+ }
+ {
+ assertion = !((builtins.hasAttr "Pinning" cfg.settings) && (builtins.hasAttr "RemoteServices" cfg.settings.Pinning));
+ message = ''
+ You can't set services.kubo.settings.Pinning.RemoteServices because the ``config replace`` subcommand used at startup does not work with it.
+ '';
+ }
+ ];
+
environment.systemPackages = [ cfg.package ];
environment.variables.IPFS_PATH = cfg.dataDir;
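Review bot: The second assertion only rejects `Pinning.RemoteServices`, while the option description says `Pinning` cannot be set at all. The `preStart` jq expression `.[1] + {$Identity,$Pinning}` replaces the whole top-level `Pinning` key with the value from the existing repo config, so any other key under `services.kubo.settings.Pinning` passes the assertion and is then silently discarded at startup. A non-attrset `Pinning` value would also make `builtins.hasAttr "RemoteServices" cfg.settings.Pinning` throw instead of showing the message. Matching the `Identity` check would close both gaps: `assertion = !builtins.hasAttr "Pinning" cfg.settings;`, with the message naming `services.kubo.settings.Pinning`.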
@@ -262,21 +294,26 @@ in
preStart = ''
if [[ ! -f "$IPFS_PATH/config" ]]; then
- ipfs init ${optionalString cfg.emptyRepo "-e"} --profile=${profile}
+ ipfs init ${optionalString cfg.emptyRepo "-e"}
else
# After an unclean shutdown this file may exist which will cause the config command to attempt to talk to the daemon. This will hang forever if systemd is holding our sockets open.
rm -vf "$IPFS_PATH/api"
'' + optionalString cfg.autoMigrate ''
${pkgs.kubo-migrator}/bin/fs-repo-migrations -to '${cfg.package.repoVersion}' -y
'' + ''
- ipfs --offline config profile apply ${profile} >/dev/null
fi
- '' + ''
- ipfs --offline config show \
- | ${pkgs.jq}/bin/jq '. * $settings' --argjson settings ${
- escapeShellArg (builtins.toJSON cfg.settings)
- } \
- | ipfs --offline config replace -
+ ipfs --offline config show |
+ ${pkgs.jq}/bin/jq -s '.[0].Pinning as $Pinning | .[0].Identity as $Identity | .[1] + {$Identity,$Pinning}' - '${configFile}' |
+
+ # This command automatically injects the private key and other secrets from
+ # the old config file back into the new config file.
+ # Unfortunately, it doesn't keep the original `Identity.PeerID`,
+ # so we need `ipfs config show` and jq above.
+ # See https://github.com/ipfs/kubo/issues/8993 for progress on fixing this problem.
+ # Kubo also wants a specific version of the original "Pinning.RemoteServices"
+ # section (redacted by `ipfs config show`), such that that section doesn't
+ # change when the changes are applied. Whyyyyyy.....
+ ipfs --offline config replace -
'';
serviceConfig = {
ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${kuboFlags}" ];
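Review bot: The `ipfs --offline config show | jq -s … | ipfs --offline config replace -` pipeline runs without `pipefail` as far as this hunk shows, so only the exit status of the last command counts. If `config show` fails, `jq -s` would slurp only `${configFile}`, `.[1]` becomes null, and the object passed to `config replace` would carry a null `Identity` and `Pinning`. Whether `config replace` rejects that input is not visible here. Adding `set -o pipefail` on the line before the pipeline makes a failed read abort `preStart` before anything is written back. The `preStart` string begins in this hunk, but the surrounding service definition continues outside it.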
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index c0b90997ae9b..20750d87c3a1 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -184,25 +184,17 @@ let
brotli_window 512k;
brotli_min_length 256;
brotli_types ${lib.concatStringsSep " " compressMimeTypes};
- brotli_buffers 32 8k;
''}
+ # https://docs.nginx.com/nginx/admin-guide/web-server/compression/
${optionalString cfg.recommendedGzipSettings ''
gzip on;
- gzip_proxied any;
- gzip_comp_level 5;
- gzip_types
- application/atom+xml
- application/javascript
- application/json
- application/xml
- application/xml+rss
- image/svg+xml
- text/css
- text/javascript
- text/plain
- text/xml;
+ gzip_static on;
gzip_vary on;
+ gzip_comp_level 5;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_types ${lib.concatStringsSep " " compressMimeTypes};
''}
${optionalString cfg.recommendedProxySettings ''
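Review bot: `gzip_proxied expired no-cache no-store private auth;` keeps compression on for the proxied responses that are per-user, namely requests carrying `Authorization` and responses marked `Cache-Control: private`, and the preset says nothing about that. Compressing TLS responses that hold a secret next to request-influenced content is the precondition for BREACH-style compression side channels. The removed `gzip_proxied any` covered these responses too, so this is not a regression, but a setting labelled recommended should document it. I would add a comment above the block such as `# Compresses authenticated/private proxied responses; turn gzip off for locations that reflect request data next to secrets.` Separately, `gzip_static on;` needs the gzip_static module in the nginx build, so it is worth confirming that a custom `services.nginx.package` without it still passes the config check.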
diff --git a/nixos/modules/virtualisation/amazon-options.nix b/nixos/modules/virtualisation/amazon-options.nix
index 926fe43b0ffe..3ea4a6cf7818 100644
--- a/nixos/modules/virtualisation/amazon-options.nix
+++ b/nixos/modules/virtualisation/amazon-options.nix
@@ -28,13 +28,13 @@ in {
options = {
mount = lib.mkOption {
description = lib.mdDoc "Where to mount this dataset.";
- type = types.nullOr types.string;
+ type = types.nullOr types.str;
default = null;
};
properties = lib.mkOption {
description = lib.mdDoc "Properties to set on this dataset.";
- type = types.attrsOf types.string;
+ type = types.attrsOf types.str;
default = {};
};
};
diff --git a/nixos/modules/virtualisation/openstack-options.nix b/nixos/modules/virtualisation/openstack-options.nix
index c71b581b02ca..52f45de92ecb 100644
--- a/nixos/modules/virtualisation/openstack-options.nix
+++ b/nixos/modules/virtualisation/openstack-options.nix
@@ -29,13 +29,13 @@ in
options = {
mount = lib.mkOption {
description = lib.mdDoc "Where to mount this dataset.";
- type = types.nullOr types.string;
+ type = types.nullOr types.str;
default = null;
};
properties = lib.mkOption {
description = lib.mdDoc "Properties to set on this dataset.";
- type = types.attrsOf types.string;
+ type = types.attrsOf types.str;
default = { };
};
};
diff --git a/nixos/tests/apfs.nix b/nixos/tests/apfs.nix
index a8841fe93046..ac0459b57e9c 100644
--- a/nixos/tests/apfs.nix
+++ b/nixos/tests/apfs.nix
@@ -21,9 +21,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
with subtest("Enable case sensitivity and normalization sensitivity"):
machine.succeed(
"mkapfs -s -z /dev/vdb",
- # Triggers a bug, see https://github.com/linux-apfs/linux-apfs-rw/issues/15
- # "mount -o cknodes,readwrite /dev/vdb /tmp/mnt",
- "mount -o readwrite /dev/vdb /tmp/mnt",
+ "mount -o cknodes,readwrite /dev/vdb /tmp/mnt",
"echo 'Hello World 1' > /tmp/mnt/test.txt",
"[ ! -f /tmp/mnt/TeSt.TxT ] || false", # Test case sensitivity
"echo 'Hello World 1' | diff - /tmp/mnt/test.txt",
@@ -36,13 +34,13 @@ import ./make-test-python.nix ({ pkgs, ... }: {
with subtest("Disable case sensitivity and normalization sensitivity"):
machine.succeed(
"mkapfs /dev/vdb",
- "mount -o readwrite /dev/vdb /tmp/mnt",
+ "mount -o cknodes,readwrite /dev/vdb /tmp/mnt",
"echo 'bla bla bla' > /tmp/mnt/Test.txt",
"echo -n 'Hello World' > /tmp/mnt/test.txt",
"echo ' 1' >> /tmp/mnt/TEST.TXT",
"umount /tmp/mnt",
"apfsck /dev/vdb",
- "mount -o readwrite /dev/vdb /tmp/mnt",
+ "mount -o cknodes,readwrite /dev/vdb /tmp/mnt",
"echo 'Hello World 1' | diff - /tmp/mnt/TeSt.TxT", # Test case insensitivity
"echo 'Hello World 2' > /tmp/mnt/\u0061\u0301.txt",
"echo 'Hello World 2' | diff - /tmp/mnt/\u0061\u0301.txt",