Group only needs limited access, while other users don't need access at
all. So set the UMask to 027.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
It was breaking knot-dns.tests.knot
New knotd uses fchown to cover cases where user changes during startup.
In typical Linux cases the user is kept the same and there are
capabilities instead, but the syscall still happens and got caught here.
systemd requires paths in `ReadWritePaths=` to exist before setting up
the service sandbox, so dhcpcd should be ordered after resolvconf.
Making resolvconf a oneshot service ensure `After=resolvconf.service`
works correctly.
This updates the ipu6 driver and firmware to a more recent version,
which seems to at least work in Chrom{e,ium}.
ipu6-drivers now relies on the in-kernel ipu6 kernel driver, so we
update our logic and metadata for it.
This allows settings multiple scripts in `.custom.start` and
`.custom.end`, as Gamemode reads them back out into a list.
This is slightly annoying, as *any* duplicate keys will appear multiple
times, while gamemode will only accept the last one for most keys
(clobbering previous ones). Ideally, it would be possible to only enable
`listsAsDuplicateKeys` for scripts, but this does not seem to be
possible in `pkgs.formats.ini`.
When installing NixOS on a machine with Windows, the "easiest" solution
to dual-boot is re-using the existing EFI System Partition (ESP), which
allows systemd-boot to detect Windows automatically.
However, if there are multiple ESPs, maybe even on multiple disks,
systemd-boot is unable to detect the other OSes, and you either have to
use Grub and os-prober, or do a tedious manual configuration as
described in the wiki:
https://wiki.nixos.org/w/index.php?title=Dual_Booting_NixOS_and_Windows&redirect=no#EFI_with_multiple_disks
This commit automates and documents this properly so only a single line
like
boot.loader.systemd-boot.windows."10".efiDeviceHandle = "HD0c2";
is required.
In the future, we might want to try automatically detecting this
during installation, but finding the correct device handle while the
kernel is running is tricky.
Currently if a timezone was selected explicitly, the service will
silently override the value, essentially ignoring what is meant to be a
a deliberate choice of option. This may cause confusion as to why the
option is not doing anything when this service is enabled, particularly
in more complex set-ups after some time.
This will simply make the choice deliberate from the user's part, either
by having to remove the option or lowering its priority as a recognition
that it may be ignored.
This change was inspired by the `services.tzupdate` module, which does
the same.
[1]: <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/tzupdate.nix#L24>
