Age | Commit message (Collapse) | Author |
|
treewide: fix mkEnableOption usage
|
|
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
|
|
This was discussed and agreed on in [1].
[1]: https://github.com/NixOS/nixpkgs/pull/310580#discussion_r1597284693
|
|
|
|
|
|
|
|
|
|
Since https://github.com/redis/redis/pull/4001 included in 6.2.0
transparent hugepages works when being set to madvise which is the NixOS
and upstream recommended default.
|
|
> WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition.
> Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328.
> To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
|
|
postgresql: more cleanup
|
|
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
|
|
keydb: init at 6.3.4
|
|
|
|
|
|
The enableJIT = true case was fixed in #221851 or
e2fb65175228a992f196f3b1700a53e18602e7f6 respectively.
However this did not take the case into consideration, when doing this:
services.postgresql = {
enable = true;
enableJIT = false;
package = pkgs.postgresql_15_jit;
};
If enableJIT is treated as the source of truth, then this should indeed
cause JIT to be disabled, which this commit does.
|
|
The main idea behind that was to be able to do more sophisticated
merging for stuff that goes into `postgresql.conf`:
`shared_preload_libraries` is a comma-separated list in a `types.str`
and thus not mergeable. With this change, the option accepts both a
comma-separated string xor a list of strings.
This can be implemented rather quick using `coercedTo` +
freeform modules. The interface still behaves equally, but it allows to
merge declarations for this option together.
One side-effect was that I had to change the `attrsOf (oneOf ...)` part into
a submodule to allow declaring options for certain things. While at it,
I decided to move `log_line_prefix` and `port` into this structure as
well.
|
|
This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
|
|
This should help us with highlighting and future formatting.
|
|
This was proposed by abbradar in #150801, but left out of the follow up PR
#221851 by Ma27 to reduce the size of the diff. Compared to the initial
proposal this includes the callPackage call in the recursion, which avoids
breaking the withJIT/withoutJIT helpers.
In terms of nixpkgs, this is a pure refactor, no derivations change. However,
this makes downstream expressions like the following possible:
(postgresql.override { jitSupport = true; }).pkgs.postgis
This would have not worked before without passing another "this" argument,
which is error prone as can be seen in this example:
https://github.com/PostgREST/postgrest/pull/3222/files
|
|
This makes it less error-prone to use the llvm package in extensions, because
it will always match the package used by the postgresql derivation itself.
Previously, you could've accidentally used llvm instead of postgresql.llvm
with a different result.
|
|
While `/var/lib/lldap` isn't technically accessible by unprivileged
users thanks to `DynamicUser=true`, a user might prefer and change it to
`DynamicUser=false`.
There is currently also a PR open that intends to make `DynamicUser`
configurable via module option.
As such, `jwt_secret_file`, if bootstrapped by the service start
procedure, might be rendered world-readable due to its permissions
(`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and
`/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`.
This would usually be fixed by using `(umask 027; openssl ...)` instead
of just `openssl ...`.
However, it was found that another file (`users.db`), this time
bootstrapped by `lldap` itself, also had insufficient permissions
(`0644/-rw-r--r--`) inherited by the global umask and would be left
world-readable as well.
Due to this, we instead change the service's to `027`.
And to lower the impact for already bootstrapped files on existing
instances like `users.db`, set `StateDirectoryMode=0750`.
|
|
If not provided, lldap defaults to `secretjwtsecret` as value which is
hardcoded in the code base.
See https://github.com/lldap/lldap/blob/v0.5.0/server/src/infra/configuration.rs#L76-L77
This is really bad, because it is trivially easy to generate an admin
access token/cookie as attacker, if a `jwt_secret` is known.
|
|
nixos/memcached: clarify behaviour of `enableUnixSocket`
|
|
nixos/postgresql: drop ensurePermissions option
|
|
Let's make it clear that enabling this option will disable listening on an IP address and port.
|
|
|
|
|
|
See also the upstream service file: https://github.com/pgbouncer/pgbouncer/blob/e6ce619785c93392794976c1e936e8c9f589a5ad/etc/pgbouncer.service
|
|
...effectively what was planned already in #266270, but it was too late
because the branches were restricted and didn't allow any breaking
changes anymore.
It also suffers from the same issue that we already had when discussing
this the last time[1] when `ensureDBOwnership` was ultimately introduced
as band-aid fix: newly created users don't get CREATE permission on
the `public` schema anymore (since psql 15), even with `ALL PRIVILEGES`.
If one's use-case is more sophisticated than having a single owner, it's
questionable anyways if this module is the correct tool since
permissions aren't dropped on a change to this option or a removal which
is pretty surprising in the context of NixOS.
[1] https://github.com/NixOS/nixpkgs/pull/266270
|
|
|
|
Removed hard coded timeout in postScript, allow using
more general systemd TimeoutStartSec instead.
|
|
nixos/etcd: fixes etcd failing to start at boot and add openFirewall option
|
|
neo4j: 4.4.11 -> 5.9.0
|
|
|
|
nixos/tigerbeetle: init module
|
|
|
|
nixos/firebird: fix coerce error
|
|
This was done by generating a truly hilarious configuration:
rg 'services\.[^.]+\.enable\t' opts-tags | cut -f1 > allonconfig.nix
The following were not tested due to other evaluation errors. They
should probably be manually audited.
services.amule
services.castopod
services.ceph
services.chatgpt-retrieval-plugin
services.clamsmtp
services.clight
services.dante
services.dex
services.discourse
services.dwm-status
services.engelsystem
services.foundationdb
services.frigate
services.frp
services.grocy
services.guacamole-client
services.hedgedoc
services.home-assistant
services.honk
services.imaginary
services.jitsi-meet
services.kerberos_server
services.limesurvey
services.mastodon
services.mediawiki
services.mobilizon
services.moodle
services.mosquitto
services.nextcloud
services.nullmailer
services.patroni
services.pfix-srsd
services.pgpkeyserver-lite
services.postfixadmin
services.roundcube
services.schleuder
services.self-deploy
services.slskd
services.spacecookie
services.statsd
services.step-ca
services.sympa
services.tsmBackup
services.vdirsyncer
services.vikunja
services.yandex-disk
services.zabbixWeb
|
|
nixos/influxdb: restart on failure
|
|
|
|
Since 2c5abd89c7e917acde9077fc4d12596e35b73e17 setting the option `boot.kernel.sysctl."net.core.rmem_max"` no longer has any downsides compared to what was previously used. Since 439350753ed2e27b0aa4fa1cfdf3ea80ea344644 the same is also true for `boot.kernel.sysctl."net.core.wmem_max"`.
|
|
nixos/postgresql: point doc link to current like all others
|
|
This allows to reuse the extraPlugins option in other context's for
example an upgrade script.
|
|
|
|
|
|
treewide: use `mkPackageOption`
|
|
nixos/redis: loosen systemd address family restrictions
|
|
This commit replaces a lot of usages of `mkOption` with the package
type, to be `mkPackageOption`, in order to reduce the amount of code.
|
|
|
|
|