most modules can be evaluated for their documentation in a very
restricted environment that doesn't include all of nixpkgs. this
evaluation can then be cached and reused for subsequent builds, merging
only documentation that has changed into the cached set. since nixos
ships with a large number of modules of which only a few are used in any
given config this can save evaluation a huge percentage of nixos
options available in any given config.
in tests of this caching, despite having to copy most of nixos/, saves
about 80% of the time needed to build the system manual, or about two
second on the machine used for testing. build time for a full system
config shrank from 9.4s to 7.4s, while turning documentation off
entirely shortened the build to 7.1s.
this set almost certainly shouldn't be touched by users, nor listed in
the manual. make it internal and use it only through the option path to
make clear that this should not be modified.
It breaks something inside of influxdb2, which results in flurry of errors like these:
> ts=2021-12-21T18:19:35.513910Z lvl=info msg="Write failed" log_id=0YZYwvV0000 service=storage-engine service=write shard=50 error="[shard 50] unlinkat ./L1-00000055.tsi: read-only file system"
I believe this is somehow caused by a mount namespace that systemd creates for
the service, but I didn't investigate this deeper.
Fix a typo in the kea-dhcp-ddns-server unit definition, and add a
KEA_LOCKFILE_DIR environment variable without which kea daemons try to
access a lockfile under /var/run/kea path, which is prevented by
systemd's ProtectSystem (or one of the other Protect*) mechanism.
kea-dhcp-ddns-server doesn't react to updates from dhcp4 server at all
without it.
- Added defaultText for all inheritable options.
- Add docs on using new defaults option to configure
DNS validation for all domains.
- Update DNS docs to show using a service to configure
rfc2136 instead of manual steps.
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.
With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.
The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
One of the valid values for the fan speed is "level disengaged",
however, it is represented as "level disengage" and does not match
what thinkfan expects.
When accessing the Audit log, I get an HTTP 502 when the frontend
requests `/audit` and I get the following error in my `nginx`-log:
Dec 20 22:12:48 ldap nginx[336]: 2021/12/20 22:12:48 [error] 336#336: *8421 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.237.0.1, server: _, request: "GET /audit/?action=**&action_detail=**&administrator=**&client=**&date=**&duration=**&info=**&page=1&page_size=10&policies=**&privacyidea_server=**&realm=**&resolver=**&serial=**&sortorder=desc&startdate=**&success=**&tokentype=**&user=** HTTP/1.1", upstream: "uwsgi://unix:/run/privacyidea/socket:", host: "ldap.ist.nicht-so.sexy", referrer: "https://ldap.ist.nicht-so.sexy/"
This is because of an "invalid request block size"-error according to
`journalctl -u privacyidea.service`:
Dec 20 22:12:48 ldap uwsgi[10721]: invalid request block size: 4245 (max 4096)...skip
Increasing the buffer to 8192 fixes the problem for me.
openFirewall is the much more common name for an option with this
effect. since the default was `true` all along, renaming it doesn't hurt
much and only improves consistency with other modules.
