| 9 Jul 2025 |
 hexa | * so we hack around with chmod in prestart for now | 00:44:09 |
 Zhaofeng Li | yeah, looks like the least dramatic option, though not ideal | 00:45:06 |
| Zhaofeng Li | maybe we can migrate to a static user, but force everyone with stateVersion <= 25.11 to explicitly set stateDir to acknowledge the migration | 00:46:41 |
| Zhaofeng Li | * maybe we can migrate to a static user in unstable, but force everyone with stateVersion <= 25.11 to explicitly set stateDir to acknowledge the migration | 00:47:13 |
| hexa | diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix
index 6e0af62425a4..6f815659f567 100644
--- a/nixos/modules/services/networking/kea.nix
+++ b/nixos/modules/services/networking/kea.nix
@@ -272,12 +272,13 @@ in
};
commonServiceConfig = {
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ ExecStartPre = "${lib.getExe' pkgs.coreutils "chmod"} 0750 /run/kea";
+ ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
DynamicUser = true;
User = "kea";
ConfigurationDirectory = "kea";
RuntimeDirectory = "kea";
- RuntimeDirectoryMode = "750";
+ RuntimeDirectoryMode = "0750";
RuntimeDirectoryPreserve = true;
StateDirectory = "kea";
UMask = "0077";
| 00:47:46 |
| hexa | this change nothing | 00:47:56 |
| hexa | * this changes nothing | 00:48:38 |
| Zhaofeng Li | it seems racy... I added the chmod to script (not ExecStartPre) and it failed once but worked the next two tries? | 00:52:03 |
| Zhaofeng Li | what even is going on | 00:52:11 |
| hexa | can only be systemd doing this | 00:52:45 |
| Zhaofeng Li | this is beyond cursed | 00:54:40 |
| Zhaofeng Li | how about we patch kea to skip the permission check if NIXPKGS_HACK_ASSUME_THAT_THE_SOCKET_DIR_IS_PROTECTED_BY_SYSTEMD is set | 00:55:22 |
| hexa | but it isn't protected, it is 0755 😄 | 00:56:04 |
| hexa | * but it isn't protected, it is fucking 0755 😄 | 00:56:09 |
| Zhaofeng Li | /var/run/private is protected, right? | 00:57:42 |
| hexa | uhhh yeah | 00:58:46 |
| hexa | I think so | 00:58:54 |
| hexa | Zhaofeng Li: Restart = "on-failure" 🫣 | 01:14:38 |
| Zhaofeng Li | do we need to disable the start limit as well? | 01:15:32 |
| Zhaofeng Li | * do we need to disable the restart limit as well? | 01:16:32 |
| hexa | both services only failed once, so I don't think we do 😄 | 01:16:43 |
| Zhaofeng Li | * do we need to disable the restart limit as well? also Restart = "on-failure" should be the default? | 01:16:48 |
| hexa | yeah, they fail just the first time round | 01:17:28 |
| * hexa screams | 01:17:32 |
| Zhaofeng Li | * do we need to disable the restart limit as well? also Restart = "on-failure" should be the default? no, it isn't aaaa | 01:18:27 |
| Zhaofeng Li | theoretically there is still a chance that systemd will keep fighting against itself forever 🤓 | 01:19:59 |
|  alina arielle amelie🏳️⚧️🐾 changed their profile picture. | 21:01:32 |
| alina arielle amelie🏳️⚧️🐾 changed their display name from alina to alina arielle amelie🏳️⚧️🐾. | 21:02:18 |
| 10 Jul 2025 |
|  maciel310 joined the room. | 02:58:34 |
| maciel310 | Hey all, hoping someone might be able to help with an issue I'm hitting configuring VLANs. Use case is pretty simple, the only connection should be over the vlan, no untagged traffic or IP assigned. Following the docs (https://nixos.wiki/wiki/Systemd-networkd#VLAN) I came up with this systemd-networkd config, but pinging even local addresses returns unreachable. Any thoughts, or ideas on how to debug?
systemd.network = {
enable = true;
netdevs = {
"20-vlan30" = {
netdevConfig = {
Kind = "vlan";
Name = "vlan30";
};
vlanConfig.Id = 30;
};
};
networks = {
"30-enp0s20f0u1u2" = {
matchConfig.Name = "enp0s20f0u1u2";
vlan = [ "vlan30" ];
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "carrier";
};
"40-vlan30" = {
matchConfig.Name = "vlan30";
address = [ "192.168.30.7/24" ];
routes = [
{ Gateway = "192.168.30.1"; }
];
linkConfig.RequiredForOnline = "routable";
};
};
};
| 04:43:33 |
