Make the whole file system read-only except the directories related to
Murmur, like the state or runtime directories.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
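The read-only root described above is what systemd's sandboxing directives express; the fragment below is an added illustration of that shape, not the commit's own diff, and the directory name `murmur` is assumed.

```ini
# Added example: drop-in for the Murmur service showing a read-only
# file system with only the state and runtime directories writable.
# The unit and directory names are assumptions, not taken from the commit.
[Service]
# Mount the entire file system read-only, except /dev, /proc, /sys and
# the paths listed in ReadWritePaths= (and the managed directories below).
ProtectSystem=strict
ProtectHome=yes
# Directories systemd creates and owns for the service; with
# ProtectSystem=strict these are implicitly writable, so no ReadWritePaths=
# entry is needed for /var/lib/murmur or /run/murmur.
StateDirectory=murmur
RuntimeDirectory=murmur
PrivateTmp=yes
```

After applying such a drop-in, `systemd-analyze security <unit>` reports the remaining exposure, and a write attempt outside the listed directories fails with EROFS, which is the behaviour a read-only root is meant to enforce.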
This service exists to avoid extra instance restarts. While its dependencies
are slim, there are still some, so disable restartIfChanged to avoid any
switches from affecting instances.
Change type of services.privoxy.settings.listen-address from str to
either str (listOf str). The latter allows providing a list which
results in multiple listen-address entries in privoxy.conf.
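To show how a scalar-or-list setting turns into repeated config lines, here is an added Python example (not nixpkgs or Privoxy code) that renders a small settings mapping the way the module's `either str (listOf str)` type implies, plus a check that flags listen addresses bound to every interface, since an unrestricted listener turns Privoxy into an open proxy. The function names are this example's own.

```python
"""Added example: render privoxy.conf lines from a settings mapping where a
value may be a string or a list of strings (repeated keys), and flag
listen-address entries that bind to all interfaces."""
from typing import List, Mapping, Sequence, Tuple, Union

Value = Union[str, int, bool, Sequence[str]]


def render_privoxy_settings(settings: Mapping[str, Value]) -> str:
    """Emit one 'key value' line per value; a list yields one line per element."""
    lines: List[str] = []
    for key, value in settings.items():
        if isinstance(value, bool):
            values = ["1" if value else "0"]
        elif isinstance(value, (list, tuple)):
            values = [str(v) for v in value]
        else:
            values = [str(value)]
        for v in values:
            lines.append(f"{key} {v}")
    return "\n".join(lines) + "\n"


def _host_part(listen: str) -> str:
    """Split host from 'host:port' / '[v6]:port' / ':port'."""
    if listen.startswith("["):
        return listen[: listen.index("]") + 1]
    host, _, _port = listen.rpartition(":")
    return host


def wide_open_listen_addresses(settings: Mapping[str, Value]) -> List[str]:
    """Return listen-address entries that bind to every interface.

    Privoxy treats an empty host (':8118') as all interfaces; 0.0.0.0 and
    [::] do the same explicitly.
    """
    raw = settings.get("listen-address", [])
    entries = [raw] if isinstance(raw, str) else list(raw)
    return [e for e in entries if _host_part(e) in ("", "0.0.0.0", "[::]")]


def build_config(settings: Mapping[str, Value]) -> Tuple[str, List[str]]:
    """Render the config and report any all-interface listeners."""
    return render_privoxy_settings(settings), wide_open_listen_addresses(settings)


if __name__ == "__main__":
    # Constructed sample settings, not from any real deployment.
    sample = {
        "listen-address": ["127.0.0.1:8118", "[::1]:8118", ":8118"],
        "toggle": True,
    }
    text, open_listeners = build_config(sample)
    print(text)
    if open_listeners:
        print("WARNING: binds all interfaces:", open_listeners)
```

The renderer is deliberately generic: any setting given as a list becomes repeated keys, which is exactly what Privoxy expects for directives like `listen-address` and `actionsfile`.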
The commit 01e8f570c6 unpinned the
LLVM version, which led to the following warnings whenever Scudo
is loaded (basically whenever a command is started when used
system-wide):
Scudo WARNING: found 3 unrecognized flag(s):
DeleteSizeMismatch=0:DeallocationTypeMismatch=0
DeallocationTypeMismatch=0
ZeroContents=1
According to the current Scudo documentation [1] the options are
now spelled differently. This commit keeps all existing options
and only updates the spelling.
[1] https://llvm.org/docs/ScudoHardenedAllocator.html
Reported-by: CUB3D <callumthom11@gmail.com>
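The warning above is the only signal Scudo gives that an option name has gone stale: unrecognized flags are silently ignored, which means a hardening setting one believes is active may not be. The following added Python example (not part of the commit or of LLVM) parses an options string in the colon-separated `key=value` form shown in the warning, renames the three legacy names to the spellings in the current Scudo documentation [1], and reports anything that still is not a known option. The set of known option names is a subset copied from that documentation, and the legacy-to-current mapping is this example's own assumption derived from the names in the warning.

```python
"""Added example: migrate legacy Scudo option names to the current spelling
and report unrecognized options instead of letting them be ignored."""
from typing import Dict, List, Tuple

# Subset of option names from https://llvm.org/docs/ScudoHardenedAllocator.html
CURRENT_SCUDO_OPTIONS = {
    "quarantine_size_kb",
    "thread_local_quarantine_size_kb",
    "quarantine_max_chunk_size",
    "dealloc_type_mismatch",
    "delete_size_mismatch",
    "zero_contents",
    "pattern_fill_contents",
    "may_return_null",
    "release_to_os_interval_ms",
}

# Assumed mapping from the old CamelCase names (seen in the warning) to the
# current snake_case names; only these three appear on the page.
LEGACY_TO_CURRENT: Dict[str, str] = {
    "DeleteSizeMismatch": "delete_size_mismatch",
    "DeallocationTypeMismatch": "dealloc_type_mismatch",
    "ZeroContents": "zero_contents",
}


def parse_scudo_options(options: str) -> List[Tuple[str, str]]:
    """Split 'k=v:k=v' into (key, value) pairs; empty segments are skipped."""
    pairs: List[Tuple[str, str]] = []
    for item in options.split(":"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError(f"malformed option (no '='): {item!r}")
        key, value = item.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def migrate_scudo_options(options: str) -> Tuple[str, List[str]]:
    """Return the renamed option string and the list of names still unknown.

    Values are preserved verbatim: only the spelling of the key changes, so
    a check that was disabled stays disabled and one that was enabled stays
    enabled.
    """
    migrated: List[str] = []
    unknown: List[str] = []
    for key, value in parse_scudo_options(options):
        new_key = LEGACY_TO_CURRENT.get(key, key)
        if new_key not in CURRENT_SCUDO_OPTIONS:
            unknown.append(key)
        migrated.append(f"{new_key}={value}")
    return ":".join(migrated), unknown


if __name__ == "__main__":
    # Constructed input matching the shape of the warning quoted above.
    legacy = "DeleteSizeMismatch=0:DeallocationTypeMismatch=0:ZeroContents=1"
    new_string, unrecognized = migrate_scudo_options(legacy)
    print("SCUDO_OPTIONS=" + new_string)
    if unrecognized:
        print("still unrecognized:", unrecognized)
```

Running this over a deployment's `SCUDO_OPTIONS` string before an LLVM bump would have surfaced the rename as a list of unknown names rather than as a runtime warning on every process start.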
The commit 01e8f570c6 unpinned the
LLVM version, which led to building errors similar to this when
Scudo is used:
building the system configuration...
error: builder for '/nix/store/1f9z73haq6avvv19glifalfnmpw3gsbx-malloc-provider-scudo.drv' failed with exit code 1;
last 1 log lines:
> cp: cannot stat '/nix/store/s43991isxhvknqmk53q7pqmkdrfvj1p4-compiler-rt-libc-19.1.7/lib/linux/libclang_rt.scudo-x86_64.so': No such file or directory
For full logs, run:
nix log /nix/store/1f9z73haq6avvv19glifalfnmpw3gsbx-malloc-provider-scudo.drv
It seems in the new LLVM version the Scudo library was moved:
$ ls /nix/store/*-compiler-rt-libc-20.1.8/lib/linux/libclang_rt.scudo*
/nix/store/z98mwyi0w8f4kgk3rw6av946azh28hc9-compiler-rt-libc-20.1.8/lib/linux/libclang_rt.scudo_standalone_cxx-x86_64.a
/nix/store/z98mwyi0w8f4kgk3rw6av946azh28hc9-compiler-rt-libc-20.1.8/lib/linux/libclang_rt.scudo_standalone-x86_64.a
/nix/store/z98mwyi0w8f4kgk3rw6av946azh28hc9-compiler-rt-libc-20.1.8/lib/linux/libclang_rt.scudo_standalone-x86_64.so
This commit adjusts the library path.
Co-authored-by: CUB3D <callumthom11@gmail.com>
Prevent implicitly disabling a negative-sized ZRAM because disabling the
ZRAM should probably always be done by disabling the zramSwap.enable
option.
Fixes: cd1b48bc35 ("nixos: Add zram swap module")
The immich-machine-learning service can fail with
RuntimeError: Data processing error: I/O error: Operation not permitted (os error 1)
because huggingface attempts to download files to $HOME/.cache (which
doesn't exist in this case) unless $XDG_CACHE_HOME or $HF_HOME is set.
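The failure above comes from how the Hugging Face client picks its cache directory: `HF_HUB_CACHE` if set, otherwise `HF_HOME/hub`, where `HF_HOME` falls back to `XDG_CACHE_HOME/huggingface` and finally to `HOME/.cache/huggingface`. The following added Python example (not immich or huggingface_hub code) reproduces that resolution and adds a pre-start check that walks up to the deepest existing ancestor and tests it for write access, so a service with a missing or read-only `HOME` fails at startup with a clear message instead of with an `Operation not permitted` deep inside a download. Function names are this example's own.

```python
"""Added example: resolve the Hugging Face cache directory the way the client
does and pre-flight it before a service starts."""
import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional, Tuple


def resolve_hf_cache(env: Mapping[str, str]) -> Optional[Path]:
    """Mirror the client's precedence: HF_HUB_CACHE > HF_HOME/hub >
    XDG_CACHE_HOME/huggingface/hub > HOME/.cache/huggingface/hub.
    Returns None when no variable allows a location to be derived."""
    if env.get("HF_HUB_CACHE"):
        return Path(env["HF_HUB_CACHE"])
    if env.get("HF_HOME"):
        return Path(env["HF_HOME"]) / "hub"
    if env.get("XDG_CACHE_HOME"):
        return Path(env["XDG_CACHE_HOME"]) / "huggingface" / "hub"
    if env.get("HOME"):
        return Path(env["HOME"]) / ".cache" / "huggingface" / "hub"
    return None


def preflight_hf_cache(env: Mapping[str, str]) -> Tuple[bool, str]:
    """Check that the resolved cache can be created: find the deepest existing
    ancestor and verify it is writable. Returns (ok, message)."""
    target = resolve_hf_cache(env)
    if target is None:
        return False, "no HF_HUB_CACHE, HF_HOME, XDG_CACHE_HOME or HOME set"
    probe = target
    while not probe.exists():
        if probe.parent == probe:  # reached the filesystem root
            break
        probe = probe.parent
    if not os.access(probe, os.W_OK):
        return False, f"{target} cannot be created: {probe} is not writable"
    return True, str(target)


def demo_with_tempdir() -> Tuple[bool, str, str]:
    """Constructed scenario: HF_HOME points at a fresh temporary directory,
    as a unit's Environment= setting would. Returns (ok, message, hf_home)."""
    with tempfile.TemporaryDirectory() as tmp:
        ok, msg = preflight_hf_cache({"HF_HOME": tmp, "HOME": "/nonexistent"})
        return ok, msg, tmp


if __name__ == "__main__":
    print(preflight_hf_cache({}))  # no variables at all
    print(preflight_hf_cache({"HOME": "/nonexistent"}))
    print(demo_with_tempdir())
```

For a systemd-managed service the equivalent fix is to set `HF_HOME` (or `XDG_CACHE_HOME`) in the unit's environment to a directory the service user owns, for example its `CacheDirectory=`, rather than relying on `HOME` existing.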
In systems without initrd (e.g. containers) that also use system.replaceDependencies, we'd get:
error: attribute 'initialRamdisk' missing
at /nix/store/8vfhnwmmzqqzy97q9c5m4bzyaqqf63zy-source/nixos/modules/system/activation/top-level.nix:286:21:
285| cutoffPackages = mkOption {
286| default = [ config.system.build.initialRamdisk ];
| ^
Make that initialRamdisk reference conditional on the initrd being enabled.
SSH key generation was split out into its own systemd service in
https://github.com/NixOS/nixpkgs/pull/372979, but dependent service
definitions weren't updated.
The `apply-ec2-data` service needs to run before SSH key generation,
as it fetches host keys defined in ec2 user data and these keys should
take priority over generating new ones. Currently, the ordering
doesn't specify which should run first of `apply-ec2-data` and
`sshd-keygen`; in practice it seems that `sshd-keygen` often wins the
race, though.
Update the dependencies so that `apply-ec2-data` always runs first.
This disables the hard, not overridable, dependency on `runc`.
It also sharpens the description of `extraPackages` to highlight the
difference between those options.
Fixes #443274.