3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

8655 commits

Author SHA1 Message Date
WilliButz 5e8d1757ef nixos/xautolock: rewrite and add some options 2017-10-10 19:02:27 +02:00
Yegor Timoshenko f9415cb621 desktop-managers: do not leak feh to PATH
feh is used to set background image for desktop managers that do not support it directly, however there is no need to include it in PATH.

Fixes #17450.
2017-10-10 15:46:33 +00:00
Frank Doepper 08bf000fe2 nix-daemon: mention speedFactor in example 2017-10-10 15:07:35 +02:00
Eelco Dolstra 9df79de1a1
Enable command-not-found
5a5db609e5 disabled it by default, which
may have been unintentional. mkEnableOption considered harmful.
2017-10-10 12:26:24 +02:00
Eelco Dolstra ee9a15b323
Set $NIX_DEBUG_INFO_DIRS when environment.enableDebugInfo is enabled
This allows it to co-exist with other debug info directories, such as
the one used by dwarffs
(https://github.com/edolstra/dwarffs/blob/master/module.nix).
2017-10-10 12:04:57 +02:00
Jörg Thalheim a61304e3cb Merge pull request #30261 from Ekleog/fcron-hardlink
fcron module: fix use with hardlink-optimized store
2017-10-09 23:12:40 +01:00
Léo Gaspard 1afd97aa8f
fcron module: fix use with hardlink-optimized store 2017-10-09 23:44:28 +02:00
WilliButz 7002ca7e1c nixos/zsh-syntax-highlighting: refactor 2017-10-09 23:30:10 +02:00
Benjamin Staffin b3df084c70 nixos: minor X11 option description improvements (#30035) 2017-10-09 12:07:19 -07:00
Sarah Brofeldt 7b81889394 nixos/config/timezone: Disallow spaces 2017-10-09 20:52:25 +02:00
Shea Levy f6858e55c2
Reserve uid/gids for kanboard 2017-10-09 07:44:32 -04:00
Joerg Thalheim e34e28e573 nixos/fcron: service needs fcron in PATH
otherwise fcronsighup is not found.
Set PATH to /run/current-system/sw/bin does not seems to be used by service file anyway.
2017-10-09 11:43:24 +01:00
Tim Steinbach c643759d41
kbfs: Add package in module 2017-10-08 12:49:58 -04:00
Jörg Thalheim 28db3ad7ae Merge pull request #30216 from bachp/minio-exporter
Minio exporter
2017-10-08 15:09:32 +01:00
Joerg Thalheim e7e4e0c3b6 nixos/prometheus-minio-exporter: only inherit keys from minio if set 2017-10-08 15:05:25 +01:00
Pascal Bach 8e10a4d862 prometheus-minio-exporter service: default to local minio server if enabled 2017-10-08 15:09:25 +02:00
Jörg Thalheim eefae49f6d Merge pull request #30183 from Mic92/openafs
openafs-client: don't remove kernel module on stop
2017-10-08 12:13:29 +01:00
Jörg Thalheim 62922af208 Merge pull request #29994 from bachp/minio-update
minio: 20170613 -> 2017-09-29T19-16-56Z
2017-10-08 12:12:32 +01:00
Pascal Bach aad88ddf5b prometheus-minio-exporter service: init version 2017-10-08 12:47:00 +02:00
Pascal Bach 1983e6c8cc minio: 20170613 -> 2017-09-29T19-16-56Z
The test was updated as minio now needs at least 1 GiB of free disk,
otherwise it won't start.
2017-10-08 12:24:29 +02:00
Bas van Dijk 5b8ff5ed49 graphite: 0.9.15 -> 1.0.2
Fixes: #29961

Also added the option:

  services.graphite.web.extraConfig

for configuring graphite_web.
2017-10-08 03:03:22 +02:00
Guillaume Maudoux 10dcf5897c 18.03 release notes: mention ZNC mutability change 2017-10-08 00:43:40 +01:00
Jörg Thalheim b256b2778a Merge pull request #30204 from lheckemann/powertop-fix
powertop module: add kmod to path
2017-10-07 22:06:46 +01:00
Linus Heckemann fadb906b2f powertop module: add kmod to path
powertop attempt to load some kernel modules like msr by calling
modprobe. This is the counterpart to
88e43eb39b which has the powertop
executable search PATH for modprobe rather than hardcoding /sbin, and
actually adds the directory containing modprobe to its PATH for the
systemd service.
2017-10-07 21:48:50 +01:00
Guillaume Maudoux 15b7e102b6 Safer defaults for immutable znc config (#30155)
* Safer defaults for immutable znc config

I just lost all the options I configured in ZNC, because the mutable config was overwritten.
I accept any suggestions on the way to implement this, but overwriting a mutable config by default seems weird. If we want to do this, we should ensure that ZNC does not allow to edit the config via the webmin when cfg.mutable is false.

* Do not backup old config files.

There seems to be little need for backups if mutable becomes a voluntary opt-out.

* fixup
2017-10-07 16:38:14 +01:00
Graham Christensen 30524ca860 Merge pull request #30171 from NeQuissimus/keybase_modules
keybase/kbfs: Fix modules
2017-10-07 09:51:44 -04:00
Joerg Thalheim 912ec467db openafs-client: don't remove kernel module on stop
Otherwise it cannot re-insert the kernel module after a kernel upgrade
when boot kernel != running kernel.
2017-10-07 10:11:30 +01:00
Tuomas Tynkkynen e86b78363d nixos/filesystems/ext: Don't try to load ext3 module
This module doesn't exist since v4.3, where the ext3 driver was removed
as ext4.ko can mount ext3 filesystems as well.
2017-10-07 11:01:01 +03:00
Franz Pletz 801c920e95
btrfs-progs: 4.8.2 -> 4.13.1 2017-10-07 04:04:20 +02:00
David Johnson 5b530d4568 oauth2_proxy: default address updated
Go will fail to parse this otherwise.
https://github.com/golang/go/issues/19297
2017-10-06 16:52:22 -07:00
Franz Pletz 3855b7977c
nixos: clean up kernel modules
* the keyboard modules in all-hardware.nix are already defaults of
   boot.initrd.availableKernelModules
 * ide modules, hid_lenovo_tpkbd and scsi_wait_scan have been removed
   because they're not available anymore
 * i8042 was a duplicate (see few lines abowe)
2017-10-07 01:48:03 +02:00
Franz Pletz 3df126dbf7
nixos/modules: clean up wireless firmware options
All available options were just enabling
hardware.enableRedistributableFirmware. There were nix files without
modules which weren't referenced anywhere.
2017-10-07 01:48:02 +02:00
Tim Steinbach 8840eaf223
keybase: Fix modules 2017-10-06 18:49:58 -04:00
michael bishop 0ee6f8612e
dd-agent: fix multiple tags in the config file 2017-10-05 19:33:18 -03:00
Orivej Desh 184f80aeb8 Merge pull request #29781 from rick68/softether
softether: 4.18 -> 4.20
2017-10-05 08:26:23 +00:00
Danylo Hlynskyi dc8500165c declarative containers: improve example config
Container config example code mentions `postgresql` service, but the correct use of that service involves setting `system.stateVersion` option (as discovered in https://github.com/NixOS/nixpkgs/issues/30056).

The actual system state version is set randomly to 17.03 because I have no preferences here
2017-10-05 00:42:50 +00:00
Joerg Thalheim c2c843adf7 nixos/traefik: guard example path 2017-10-04 14:51:20 +01:00
WilliButz 3539e16cfa
nixos/tests: clean up pgjwt test
- removed unneeded initscript
- use default postgres version for the test
2017-10-04 13:04:49 +02:00
Joerg Thalheim a3200348b7 nixos/traefik: owner/group should be changed recursivly 2017-10-04 11:59:38 +01:00
Joachim F 0625110d1a Merge pull request #29927 from WilliButz/fix-pgjwt-test
nixos/tests: fix pgjwt test
2017-10-04 10:57:43 +00:00
Jörg Thalheim b8288f137f Merge pull request #29865 from hamhut1066/traefik-module
nixos/traefik create service
2017-10-04 11:53:11 +01:00
Joerg Thalheim 3468c9e5cc nixos/traefik: create /var/lib/traefik with correct permissions 2017-10-04 11:49:42 +01:00
Hamish Hutchings 2e5297217d nixos/traefik create service 2017-10-04 11:26:39 +01:00
Franz Pletz d6f7e2f6f6 Merge pull request #29942 from elitak/ipfs
Ipfs: prepare for autoMigrate fix
2017-10-04 03:07:25 +02:00
Alexander Foremny 03a5d729ef
nixos/gitlab: fix gitlab service
Fix GitLab service and update documentation. Fixes #30059.
2017-10-04 02:40:07 +02:00
Franz Pletz eb59961855
Revert "pinentry: make GTK3 the default front-end"
This reverts commit 3f7e3db744.

This broke the gpg-agent user service. See #27468.
2017-10-04 02:16:37 +02:00
Eelco Dolstra 9b3aa19a88
Add NixOS 17.09 AMIs
Fixes #29976.
2017-10-03 16:56:59 +02:00
Jörg Thalheim 0b18fa4f09 Merge pull request #30014 from eqyiel/krb5-fixes
nixos/krb5: complete rewrite
2017-10-03 11:04:58 +01:00
Joerg Thalheim 1406e249b3 krb5: add deprecation date for old configuration 2017-10-03 11:01:05 +01:00
Joachim F cb3d443787 Merge pull request #29452 from jerith666/pfix-srsd-1709
nixos/pfix-srsd: add module
2017-10-03 00:51:59 +00:00
Bob van der Linden 9d841295f3 gogs: avoid creating symlinks each run 2017-10-02 22:11:46 +02:00
Wei-Ming Yang 7e4e2667ae softether: 4.18 -> 4.20 2017-10-03 01:35:20 +08:00
The-M1k3y 0f2b46cdba nixos/gogs: fixed user creation if non-default user 2017-10-02 15:53:30 +02:00
Graham Christensen 5af263c2af Merge pull request #27468 from jtojnar/fix/pinentry-gnome
pinentry: add GNOME frontend
2017-10-02 07:29:23 -04:00
Jörg Thalheim 2354e0f05a cloud-utils: 0.29 -> 0.30 2017-10-02 09:11:20 +01:00
Ruben Maher 06e15e59f9 nixos/krb5: complete rewrite
The `krb5` service was a bit lacking.

Addresses NixOS/nixpkgs#11268, partially addresses NixOS/nixpkgs#29623.
2017-10-02 14:30:19 +10:30
WilliButz 7d09fc6ea7
nixos/tests: rewrite pgjwt test
- now using the test contained in the pgjwt source repo
- also compatible with the new `superUser` option of the
  `postgresql` service
2017-10-01 20:12:58 +02:00
Pascal Bach 2239dc6234 glusterfs service: fix issues with useRpcbind 2017-10-01 19:39:22 +02:00
Nikita Uvarov a2ce4f25fe 17.09 release notes: fix typo 2017-10-01 12:44:06 +02:00
Jan Tojnar 3f7e3db744
pinentry: make GTK3 the default front-end
See: https://github.com/NixOS/nixpkgs/issues/18559
2017-10-01 01:40:03 +02:00
Robin Gloster 40ed226507 treewide: mark a bunch of failing builds as broken
(cherry picked from commit 23fdbaa375)
[dezgeg: Un-mark shotcut, tokei & uchiwa that do build on master]
2017-10-01 00:26:52 +03:00
Joachim F 74db6fabcb Merge pull request #29868 from nh2/nh2-glusterfs-improvements-for-17.09-master
glusterfs service: a few fixes and improvements
2017-09-30 12:19:19 +00:00
Eric Litak f46616db5a ipfs: disable autoMigrate option for now 2017-09-29 18:07:55 -07:00
Rok Garbas 748ef34f09 assertion should check for encrypted.label of the defined fileSystem 2017-09-29 19:55:28 +02:00
Joerg Thalheim 44b6a1509d nixos/bcc: init module
Looks trival, but it is easy to make the mistake
to add linuxPackages.bcc to systemPackages,
which breaks if the not the default kernel is used.
2017-09-29 15:18:25 +01:00
Joerg Thalheim 5572062674 nixos/sysdig: init module 2017-09-29 15:01:21 +01:00
Franz Pletz 5b8a798137
17.09 release notes: mention KDE upgrades 2017-09-29 01:52:17 +02:00
Franz Pletz c22d717c75
17.09 release notes: fix typos & ordering 2017-09-29 01:52:17 +02:00
Peter Hoeg 963435a462 Merge pull request #29748 from fadenb/security.pam.usb_link_fix
security.pam.usb: fix url
2017-09-29 07:49:10 +08:00
Franz Pletz 49f175cd0c
17.09 release notes: add network interface rename note
Fixes #29197.
2017-09-29 00:07:37 +02:00
Robin Gloster 83405798e6
17.09 release notes: update information on gitlab 2017-09-28 23:14:31 +02:00
Robin Gloster 57ed9e7e1d
gitlab: 9.5.5 -> 10.0.2 2017-09-28 23:14:31 +02:00
Jörg Thalheim 12ac88af1d Merge pull request #29890 from mbrgm/nullmailer-fix
nixos/nullmailer: fixes and `remotesFile` option
2017-09-28 21:29:37 +01:00
Cray Elliott d4bdf302a3 nvidia-x11: fix eval error from 4ef82339c9 2017-09-28 13:11:16 -07:00
Eelco Dolstra 6c72efe0ba
Don't generate instance-store AMIs
These are obsolete, use EBS AMIs instead.
2017-09-28 17:33:13 +02:00
Jan Tojnar dfdfb97f0f nixos/tests/gnome3-gdm: Increase memory limit
The test was failing on x86_64 prematurely due to memory being exhausted.

See also 3b9f0c6a46
2017-09-28 17:20:23 +02:00
Robin Gloster 4ca4d6afca
18.03 release notes: reformat 2017-09-28 16:41:20 +02:00
Robin Gloster a19c52a101
17.09 release notes: reformat and generate added services 2017-09-28 16:41:20 +02:00
Tristan Helmich c6761f8578 security.pam.usb: link to wiki on github.com
pamusb.org no longer serves the intended content.
2017-09-28 16:00:28 +02:00
Robin Gloster 990b5a5388
release.nix: add mesos test back
This is working now again
2017-09-28 14:25:17 +02:00
Robin Gloster 4aeb38e5b9
Revert "kubernetes: fix hashes after dockerTools change"
This reverts commit 9ba024f6d8.
2017-09-28 14:09:49 +02:00
Robin Gloster 69344de783
Revert "dockerTools.pullImage: release note regarding sha256 argument value"
This reverts commit ea6d37c2bb.
2017-09-28 14:09:49 +02:00
Joerg Thalheim 91eb6cf82c nullmailer: simplify config generation 2017-09-28 11:04:39 +01:00
Marius Bergmann e741cc4881 nullmailer: add remotesFile option
The current `remotes` option is a string option containing nullmailer remote
definitions. However, those definitions may contain secret credentials and
should therefore not be put world-readable in the nix store.

I added a `remotesFile` option, which allows to specify a path to the remotes
definition file instead. This way, the definitions can be kept outside of the
nix store with more secure file permissions.
2017-09-28 08:52:21 +02:00
Marius Bergmann 02e89de71c nullmailer: use proper description for remotes option 2017-09-28 08:52:21 +02:00
Marius Bergmann f9d64a068b nullmailer: fix relative -> absolute path in preStart script 2017-09-28 08:52:21 +02:00
Franz Pletz d0435ba032
network-interfaces: device routes for default gateway
Iff interface is set, it makes sense to add device route by default.
2017-09-28 02:14:07 +02:00
Jörg Thalheim 0a6fca15fd Merge pull request #29881 from volth/patch-67
nixos/tinc: add "restartTriggers" back
2017-09-28 00:57:26 +01:00
Ryan Mulligan c6f513b56a nixos/monit: install monit as system package, use default config file path 2017-09-28 01:20:20 +02:00
volth ddd13e1375 nixos/tinc: add "restartTriggers" back
Add "restartTriggers" back to restart the Tinc daemon when its peer is removed.
Reverted #27660
2017-09-27 23:16:02 +00:00
Robin Gloster d05b0b6b70
mesos test: fix python handling
Still does not succeed but advances further

(cherry picked from commit 30d09f717a)
2017-09-28 01:15:41 +02:00
Bjørn Forsman 3c6eb3a247 nixos/iso-image.nix: add top-level /version.txt file
This makes it easy to identify which NixOS version is written to an USB
stick without actually booting it.
2017-09-28 00:54:28 +02:00
Niklas Hambüchen f4c53f1940 consul service: Restart on failure.
Consul is a service you typically want to have running all the time;
it's not supposed to quit by itself.
2017-09-28 00:41:15 +02:00
Franz Pletz 8237fa43d3 Merge pull request #29697 from zimbatm/gdm-on-nvidia
GDM fixes
2017-09-28 00:20:18 +02:00
Rostislav Beneš 0cad98dde1
nixos/xserver,gdm: let GDM handle X server verbosity. 2017-09-28 00:18:57 +02:00
Rostislav Beneš 4ef82339c9
nixos/gdm,nvidia: new options to enable GDM on Wayland and disabling it for nvidia drivers. 2017-09-28 00:18:57 +02:00
Rostislav Beneš 4f91397c98
nixos/nvidia: populating /dev with nvidia devices at boot 2017-09-28 00:18:57 +02:00
Jörg Thalheim 2b8cba2ff5 Merge pull request #29874 from mbrgm/znc-fix
znc: fix openFirewall option
2017-09-27 23:08:51 +01:00
Joachim Fasting a06f839439
nixos/release-notes: notable changes to the dnscrypt-proxy service 2017-09-27 23:47:15 +02:00
Franz Pletz 0ee866ed72
kbd service: systemd-vconsole-setup is triggered by udev
cc #22470
2017-09-27 23:38:29 +02:00
Franz Pletz 725dee203a
wpa_supplicant service: restart instead of stop & start
We now wait for dhcpcd to acquire a lease but dhcpcd is restarted on
system activation. As wpa_supplicant is stopped while dhcpcd is
restarting a significant delay is introduced on systems with wireless
network connections only. This changes the wpa_supplicant service to
also be restarted together with dhcpcd in case both services were
changed.
2017-09-27 23:38:03 +02:00
Alexander Ried 4a2442032e Revert "kbd service: use /dev/tty1 for systemd-vconsole-setup"
This reverts commit 0c81594a29.

It's no longer needed since systemd-vconsole-setup enumerates all ttys
until it finds a suitable one since systemd v234.
2017-09-27 23:37:24 +02:00
Joerg Thalheim 23f398012b nixos: skip restarting systemd-logind to not break x11 2017-09-27 22:28:27 +01:00
Marius Bergmann dd50575d5a znc: fix openFirewall option
The current version is broken:
- there's no `openFirewall` attribute directly in the `cfg` set
- the `port` option is an attribute of the `confOptions` set

I used the proper attribute for the firewall port and moved the `openFirewall`
option directly up to the `services.znc` set, as it's rather a general option
for the whole service than a znc-specific option (which are located inside the
`confOptions` set).
2017-09-27 22:18:03 +02:00
Robin Gloster 34750bb51c
17.09 release notes: redis cluster mass-restart needed
see #29516
2017-09-27 22:15:13 +02:00
Niklas Hambüchen 18eecae4b6 glusterfs service: Change default killMode to "control-group".
This is a better default for NixOS because it ensures that config
changes happen fully when NixOS users expect it.
2017-09-27 20:54:13 +02:00
Niklas Hambüchen 08f7e4516c glusterfs service: Ensure log directory exists for glustereventsd.
Prevents glustereventsd failing at startup in case it starts
before glusterd has started (whose `preStart` would also
create the needed directory).
2017-09-27 20:53:42 +02:00
Niklas Hambüchen e233a518bd glusterfs service: Add killMode and stopKillTimeout options 2017-09-27 20:53:39 +02:00
Vladimír Čunát f2955e4fde
manuals: fixup steam note, as the change is in 17.09
I didn't notice the cherry-pick, but Globin found out immediately.
/cc #29180.
2017-09-27 20:33:24 +02:00
Vladimír Čunát 4013b381b3
manuals: document removal of newStdcpp from steam
/cc #29180.
2017-09-27 20:12:06 +02:00
Niklas Hambüchen bd54b72676 glusterfs service: Add settings to disable rpcbind and the events daemon.
See also https://github.com/NixOS/nixpkgs/pull/22225#pullrequestreview-26459886
2017-09-27 19:51:42 +02:00
Niklas Hambüchen 5e2815dfb7 glusterfs service: Don't make it a prerequisite of network-online.target.
This introduces dependency cycles.

A network file system to be running is not required for a network
connection to be available.

19759cfeab (commitcomment-22044519)
2017-09-27 19:17:23 +02:00
Rodney Lorrimar 34eefdfb9d nixos/release-notes: MySQL backup service breaking changes 2017-09-27 18:44:49 +02:00
Rodney Lorrimar 56eba66f77 mysqlBackup service: let it work with default settings
* Grants enough privileges to the configured user so that it can run
  mysqldump.

* Adds a nixos test.

* Use systemd timers instead of a cronjob (by @fadenb).

* Creates a new user for backups by default, instead of using mysql
  user.

* Ensures that backup user has write permissions on backup location.

* Write backup to a temporary file before renaming so that a failed
  backup won't overwrite the previous backup, and so that the backup
  location will never contain a partial backup.

Breaking changes:

 * Renamed period to calendar to reflect the change in how to
   configure the backup time.

 * A failed backup will no longer result in cron sending an e-mail --
   users' monitoring systems must be updated.

Resolves #24728
2017-09-27 18:44:49 +02:00
Joerg Thalheim 75ba415fbc nixos/tinc: remove useless script argument
ExecStart is sufficient and more transparent to the user.
2017-09-27 17:57:39 +02:00
Joerg Thalheim ad8cb0917f nixos/tinc: do not add Device= by default
tinc can figure this out based on DeviceType.
I also got `/dev/net/tun FD in bad state` after a particular upgrade.
2017-09-27 17:57:39 +02:00
Eelco Dolstra 79d547b4bb
nix-daemon: Bump the default number of build users
While it's annoying to pollute the user database with a lot of nixbld*
users, 10 users is really too low for many modern systems.
2017-09-27 17:13:16 +02:00
Peter Simons 99e24590cb nixos(spamassassin): fix trailing whitespace 2017-09-27 14:50:52 +02:00
Peter Simons bfab392e6e nixos(spamassassin): provide /etc/spamassassin to fix sa-learn et al
Spamassassin expects its system-wide configuration at /etc/spamassassin, and
some user tools (like sa-learn) need to read those configuration files.
Therefore, we provide a symlink from /etc/spamassassin to the appropriate Nix
store path to make sure those tools work without the user having to pass an
elaborate --siteconfig path that, potentially, changes every time the system
updates.

Fixes https://github.com/NixOS/nixpkgs/issues/29414.
2017-09-27 14:50:52 +02:00
Robin Gloster 6ab200b066
17.09 release notes: fix typo 2017-09-26 22:40:02 +02:00
Daniel Peebles 79d8ccf4f0 Merge pull request #28777 from copumpkin/installer-chroot
nixos-install: re-enable --chroot option
2017-09-26 12:23:19 -07:00
Dan Peebles 186c120bed nixos-install: re-enable --chroot option
I forgot to implement it the first time around. Whoops!
2017-09-26 07:25:14 -07:00
Jörg Thalheim c74418a4e6 Merge pull request #29426 from Mic92/zfsUnstable
nixos/zfs: import encrypted datasets by default for zfsUnstable
2017-09-26 09:10:44 +01:00
Jörg Thalheim 9164517c18 nixos/zfs: import encrypted datasets by default for zfsUnstable 2017-09-26 09:08:53 +01:00
Jörg Thalheim b303aa0155 Merge pull request #29762 from samueldr/pr/update-mediawiki
mediawiki: 1.27.3 -> 1.29.1
2017-09-26 08:04:08 +01:00
Robin Gloster 3414265efa
17.09 release notes: add module changes 2017-09-26 03:28:05 +02:00
Rodney Lorrimar 151b34460c nixos/release-notes: MySQL declarative users/databases
Documents a possible migration step required to use the new options.
2017-09-26 02:22:31 +02:00
Jörg Thalheim bda2d25a50 Merge pull request #28856 from jtojnar/at-spi2-core
gnome3.at-spi2-core: fix service not found error
2017-09-26 00:39:49 +01:00
Pavel Goran cee657f9a3 nixos/gitolite: add enableGitAnnex option 2017-09-25 22:03:00 +02:00
Joerg Thalheim 194c4002b6 wireguard: fix function for adding routes 2017-09-25 20:42:03 +01:00
Jörg Thalheim 08b827ae8e Merge pull request #29753 from andir/wireguard-allowed-ips-as-route-optional
networking.wireguard: added `allowedIpsAsRoutes` boolean to control p…
2017-09-25 20:32:11 +01:00
Andreas Rammhold 846070e028
networking.wireguard: added allowedIpsAsRoutes boolean to control peer routes
Sometimes (especially in the default route case) it is required to NOT
add routes for all allowed IP ranges. One might run it's own custom
routing on-top of wireguard and only use the wireguard addresses to
exchange prefixes with the remote host.
2017-09-25 21:30:52 +02:00
Joachim F ffd6cbe3d1 Merge pull request #28503 from phile314/fusion-inventory
Fusion inventory: Init at 2.3.18
2017-09-25 12:58:44 +00:00
Franz Pletz 263185aa68
nixos/network-interfaces: ensure slave interfaces are up
Fixes #28620.
2017-09-25 14:06:38 +02:00
Franz Pletz 13a110e696
nixos/network-interfaces: cannot delay device units
Systemd is complaining that it can't delay the startup of device units.
We have a before dependency on the respective device unit for every
netdev service, which doesn't make any sense because we create the
actual interface in this service.
2017-09-25 14:06:38 +02:00
Franz Pletz 3a670daa98
nixos/network-interfaces: IPs must always be set
Previously, depending on the environment and the type of interface that
was created, the configured IPs of an interface wouldn't be applied on a
nixos-rebuild switch. It works after a reboot.

This patch ensures that the network-addresses service is started
either via the network-link service or if the networking target is
activated (i.e. on system activation).

Fixes #28474 #16230.
2017-09-25 14:06:38 +02:00
Silvan Mosberger a8c97ad23e nixos/radicale: fix default version (#29743) 2017-09-25 10:18:42 +00:00
Philipp Hausmann 1a23ff8a13 FusionInventory: Code cleanup 2017-09-25 10:39:11 +02:00
Philipp Hausmann 6b788e36df FusionInventory: Add NixOS module. 2017-09-25 10:39:11 +02:00
Samuel Dionne-Riel 0b1c73f4da mediawiki: 1.27.3 -> 1.29.1 2017-09-24 22:49:22 -04:00
Jörg Thalheim 975c7b2204 Merge pull request #29450 from jerith666/djb-1709
Add modules for tinydns and dnscache from djbdns
2017-09-24 15:39:29 +01:00
Joerg Thalheim 735b41c34f nixos/tinydns: default data to empty string
(not strictly required to start the service)
2017-09-24 15:38:25 +01:00
Kranium Gikos 412fa16bff influxdb sevice: make postStart test work with non-localhost configurations (#29734)
make postStart test work with non-localhost configurations
2017-09-24 15:37:17 +01:00
Jörg Thalheim d20bd77c93 Merge pull request #29717 from fare-patches/nfsd
nfsd: add extraNfsdConfig
2017-09-24 15:13:42 +01:00
Robin Gloster 43404d9acf
systemd-tmpfiles: fix docs
We have been doing this since 4e4161c212
2017-09-24 13:17:46 +02:00
Jan Tojnar 69698ec11c gnome3: only maintain single GNOME 3 package set (#29397)
* gnome3: only maintain single GNOME 3 package set

GNOME 3 was split into 3.10 and 3.12 in #2694. Unfortunately, we barely have the resources
to update a single version of GNOME. Maintaining multiple versions just does not make sense.
Additionally, it makes viewing history using most Git tools bothersome.

This commit renames `pkgs/desktops/gnome-3/3.24` to `pkgs/desktops/gnome-3`, removes
the config variable for choosing packageset (`environment.gnome3.packageSet`), updates
the hint in maintainer script, and removes the `gnome3_24` derivation from `all-packages.nix`.

Closes: #29329

* maintainers/scripts/gnome: Use fixed GNOME 3 directory

Since we now allow only a single GNOME 3 package set, specifying
the working directory is not necessary.

This commit sets the directory to `pkgs/desktops/gnome-3`.
2017-09-24 12:15:50 +01:00
Robin Gloster 9ba024f6d8
kubernetes: fix hashes after dockerTools change 2017-09-24 12:09:07 +02:00
Matej Cotman 6ef8cad2a7 kubernetes: fix tests 2017-09-24 11:44:25 +02:00
Matej Cotman 6ea272ced4 kubernetes: fix dns addon hashes, fix clusterDns, enable proxy on master 2017-09-24 11:44:25 +02:00
Jaka Hudoklin ddf5de5de0 kubernetes module: refactor module system, kube-dns as module 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 2beadcf181 kubernetes module: seedDockerImages option for seeding docker images built with nix 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 9d97c92d68 kubernetes module: webhook authorization for kubelet 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 7c893623d4 kubernetes module: fix documentation links 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 74f99525e0 kubernetes module: add featureGates option 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 55dbbfd899 kubernetes module: kubelet, add socat to path for kubectl portforward 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 8e48fff268 kubernetes module: enable leader elect by default 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 856ca7347f kubernetes module: add storage and tolerations addmission controllers 2017-09-24 11:44:25 +02:00
Jaka Hudoklin d842d539d9 kubernetes module: fix cidr ranges 2017-09-24 11:44:25 +02:00
Jaka Hudoklin b25d155976 kubernetes module: default auth mode to only RBAC 2017-09-24 11:44:25 +02:00
Jaka Hudoklin c2622910ab kubernetes module: add support for common CA file 2017-09-24 11:44:25 +02:00
Jaka Hudoklin c96ca5f3bd kubernetes module: per service kubeconfig support 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 7dfeac88ac kubernetes module: flannel support, minor fixes
- add flannel support
- remove deprecated authorizationRBACSuperAdmin option
- rename from deprecated poratalNet to serviceClusterIpRange
- add nodeIp option for kubelet
- kubelet, add br_netfilter to kernelModules
- enable firewall by default
- enable dns by default on node and on master
- disable iptables for docker by default on nodes
- dns, restart on failure
- update tests

and other minor changes
2017-09-24 11:44:25 +02:00
Matej Cotman 8e14e978c8 kubernetes: fix minor issues 2017-09-24 11:44:25 +02:00
Matej Cotman 7f9d1a7aaf kubernetes: add tests 2017-09-24 11:44:25 +02:00
Matej Cotman ed322f4235 kubernetes: update service 2017-09-24 11:44:25 +02:00
Jaka Hudoklin 90d5468ad6 kubernetes module: authorization improvements 2017-09-24 11:44:25 +02:00
Matej Cotman c3cfd92d24 kubernetes: 1.5.6 -> 1.6.4 2017-09-24 11:44:25 +02:00
Graham Christensen f3b9ac73e2
nixos/rabbitmq: fix restarts and sasl logs
1. The chmod 400 with the preset cookie prevented restarts, as
on the second boot it would fail to write to the cookie. Oops.

2. As far as I can tell, sasl logs were disabled because of the
following error:

{error,{cannot_log_to_tty,sasl_report_tty_h,not_installed}}

Not because we actually wanted to disable them. This meant the
management plugin wasn't usable due to a bug set to be fixed in
3.7.0.
2017-09-23 17:58:43 -04:00
Francois-Rene Rideau 62983f5cae nfsd: add extraNfsdConfig 2017-09-23 16:22:27 -04:00
Jaka Hudoklin ac775ac6dd Merge pull request #21077 from xtruder/nixos/programs/npm/add
npm module: add npm module for global npm config
2017-09-23 20:35:58 +02:00
Jaka Hudoklin 948f4a9c6d npm module: add npm as nixos program 2017-09-23 20:34:55 +02:00
Franz Pletz 0f5cd17f2c
nixos-generate-config: add programs options examples 2017-09-23 20:03:19 +02:00
Franz Pletz 3d040f9305
nixos/install: disable kernel debug console logging
Add another option for debugging instead. Lots of users have been
complaining about this default behaviour.

This patch also cleans up the EFI bootloader entries in the ISO.
2017-09-23 20:03:19 +02:00
Silvan Mosberger eca23233b2 encrypted devices: add label set assertion (#29651) 2017-09-23 19:02:16 +01:00
Robin Gloster 08b09fdc5c
fanctl, fan module: remove
This has been broken nearly all the time due to the patches needed to
iproute2 not being compatible with the newer versions we have been
shipping. As long as Ubuntu does not manage to upstream these changes
so they are maintained with iproute2 and we don't have a maintainer
updating these patches to new iproute2 versions it is not feasible to
have this available.
2017-09-23 17:55:33 +02:00
Peter Simons 99f759de1c Revert "nixos: add option for bind to not resolve local queries (#29503)"
This reverts commit 670b4e29ad. The change
added in this commit was controversial when it was originally suggested
in https://github.com/NixOS/nixpkgs/pull/29205. Then that PR was closed
and a new one opened, https://github.com/NixOS/nixpkgs/pull/29503,
effectively circumventing the review process. I don't agree with this
modification. Adding an option 'resolveLocalQueries' to tell the locally
running name server that it should resolve local DNS queries feels
outright nuts. I agree that the current state is unsatisfactory and that
it should be improved, but this is not the right way.

(cherry picked from commit 23a021d12e)
2017-09-23 16:41:34 +02:00
Bjørn Forsman 3a58e41e43 nixos/gitolite: use group 'gitolite' instead of 'nogroup'
Having files (git repositories) owned by 'nogroup' is a bad idea.
2017-09-23 16:33:52 +02:00
Joachim Fasting 1df6cf5d1d
nixos/lock-kernel-modules: fix deferred fileSystem mounts
Ensure that modules required by all declared fileSystems are explicitly
loaded.  A little ugly but fixes the deferred mount test.

See also https://github.com/NixOS/nixpkgs/issues/29019
2017-09-22 23:55:04 +02:00
Joachim Fasting bccaf63067
nixos/hardened test: add failing test-case for deferred mounts 2017-09-22 23:53:27 +02:00
Joachim Fasting 15a4f9d8ef
nixos/hardened: simplify script 2017-09-22 23:53:06 +02:00
Pavel Goran c73a3813fa nixos/gitolite: customize .gitolite.rc declaratively
Add the `extraGitoliteRc` option to customize the `.gitolite.rc`
configuration file declaratively.

Resolves #29249.
2017-09-22 18:29:35 +02:00
Jörg Thalheim 42be8dbe15 Merge pull request #29344 from Moredread/fix/fileystem-encrypted-keyfile-missing-initrd-support
nixos/fileystems: Fix boot fails with encrypted fs
2017-09-22 12:46:17 +01:00
Matt McHenry 0ece5fc509 nixos/pfix-srsd: add module 2017-09-21 21:44:55 -04:00
Jörg Thalheim 743848bb46 Merge pull request #29581 from eqyiel/fix-rpc-gssd
nixos/nfs: allow setting the path to krb5.keytab
2017-09-22 01:41:10 +01:00
Michael Weiss 351f5fc585 fuse3: init at 3.1.1
This includes fuse-common (fusePackages.fuse_3.common) as recommended by
upstream. But while fuse(2) and fuse3 would normally depend on
fuse-common we can't do that in nixpkgs while fuse-common is just
another output from the fuse3 multiple-output derivation (i.e. this
would result in a circular dependency). To avoid building fuse3 twice I
decided it would be best to copy the shared files (i.e. the ones
provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and
avoid collision warnings by defining priorities. Now it should be
possible to install an arbitrary combination of "fuse", "fuse3", and
"fuse-common" without getting any collision warnings. The end result
should be the same and all changes should be backwards compatible
(assuming that mount.fuse from fuse3 is backwards compatible as stated
by upstream [0] - if not this might break some /etc/fstab definitions
but that should be very unlikely).

My tests with sshfs (version 2 and 3) didn't show any problems.

See #28409 for some additional information.

[0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
2017-09-21 23:59:46 +02:00
Joachim F c913f7155f Merge pull request #27340 from bachp/glusterfs-tls
glusterfs service: add support for TLS communication
2017-09-21 20:27:25 +00:00
Jörg Thalheim ba174fc5a7 Merge pull request #29285 from bachp/node-exporter-docs
node-exporter service: fix documentation for enabledCollectors
2017-09-21 21:04:09 +01:00
Pascal Bach 8ed758696c gluster service: use str instead of path for private key
This pervents the user from accidently commiting the key to the nix store.
If providing a path instead of a string.
2017-09-21 20:35:35 +02:00
Robin Gloster e2822f6384
gitlab: 9.5.2 -> 9.5.5 2017-09-21 20:26:12 +02:00
Peter Hoeg 6558f81bc9 kmscon: reset ExecStart to allow override
The getty@.service unit already has an ExecStart so we cannot simply set a new
one in order to override it or we will get this error:

systemd[1]: getty@tty1.service: Service has more than one ExecStart= setting, which is only allowed for Type=oneshot services. Refusing.

Instead "reset" ExecStart by setting it to empty which is the systemd way of
doing it.
2017-09-21 10:02:03 +08:00
aszlig a75265924f
nixos/tests/virtualbox: Fix netcat invocation
This is a backwards-incompatibility in netcat-openbsd introduced due to
bumping the netcat version to 1.130 in
a72ba661ac.

Version 1.130 no longer exits on EOF but now needs to be passed the -N
flag in order to exit on EOF.

The upstream change reads[1] like this:

  Don't shutdown nc(1)'s network socket when stdin closes. Matches
  *Hobbit*'s original netcat and GNU netcat; revert to old behaviour
  with the new -N flag if needed. After much discussion with otto
  deraadt tedu and Martin Pelikan.  ok deraadt@

Here is the diff of this change:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/netcat.c.diff?r1=1.110&r2=1.111&f=h

[1]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/netcat.c?rev=1.111&content-type=text/x-cvsweb-markup

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-21 03:49:46 +02:00
Raphael Das Gupta 42d6e933d6 xonsh: fix typo ("xnosh") in "enable" description 2017-09-21 00:47:57 +02:00
Robin Gloster 370ac6275e
gitlab module: fix shell hook path 2017-09-20 23:51:26 +02:00
Ruben Maher 98a2316166 nfs-utils: set /etc/krb5.keytab as default path for rpc-gssd
Currently the `rpc-gssd.service` has a `ConditionPathExists` clause that can
never be met, because it's looking for stateful data inside `/nix/store`.

`auth-rpcgss-module.service` also only starts if this file exists.

Fixes NixOS/nixpkgs#29509.
2017-09-20 15:36:26 +01:00
Rob Vermaas 1b71376cf2
Make sure dummy kernel module is loaded for hologram-agent.
(cherry picked from commit eb873f6c78)
2017-09-20 10:58:24 +00:00
Matt McHenry 1b7e5eaa79 nixos/dnscache: add module
with improvements suggested by Jörg Thalheim <joerg@thalheim.io>
2017-09-19 21:24:58 -04:00
Matt McHenry ab851b63da nixos/tinydns: add module
with improvements suggested by Jörg Thalheim <joerg@thalheim.io>
2017-09-19 20:57:41 -04:00
Franz Pletz 406c7a0731 Merge pull request #29521 from aneeshusa/ease-radicale-upgrade
Ease radicale upgrade
2017-09-18 23:13:53 +02:00
gwitmond bd52618c9d
nixos: add option for bind to not resolve local queries (#29503)
When the user specifies the networking.nameservers setting in the
configuration file, it must take precedence over automatically
derived settings.

The culprit was services.bind that made the resolver set to
127.0.0.1 and ignore the nameserver setting.

This patch adds a flag to services.bind to override the nameserver
to localhost. It defaults to true. Setting this to false prevents the
service.bind and dnsmasq.resolveLocalQueries settings from
overriding the users' settings.

Also, when the user specifies a domain to search, it must be set in
the resolver configuration, even if the user does not specify any
nameservers.

(cherry picked from commit 670b4e29ad)

This commit was accidentally merged to 17.09 but was intended for
master. This is the cherry-pick to master.
2017-09-18 22:54:29 +02:00
Franz Pletz dc08dcf6e7
ssh service: add sftpFlags option 2017-09-18 21:52:07 +02:00
WilliButz 9198ad65ef tests: add initrd-network-ssh test
starts two VMs:
- one with dropbear listening from initrd,
  waiting for a file
- another connecting via ssh, creating the file
2017-09-18 19:51:46 +02:00
Aneesh Agrawal 28c2cea847 radicale: Test migration functionality
This also provides an example of how to migrate.
2017-09-18 09:11:36 -07:00
WilliButz 0b2d9bbbd2 nixos/tests: add grafana test (#29531) 2017-09-18 16:59:50 +02:00
Robert Klotzner a9f60224f8 coturn service: Fix coturn to properly come up (#29415)
properly also in case dhcpcd being used.

Without network-online.target, coturn will fail to listen on addresses that
come up with dhcpcd.
2017-09-18 14:54:32 +02:00
Franz Pletz b179908414
nixos/networking: network is online if default gw set
Previously services depending on network-online.target would wait until
dhcpcd times out if it was enabled and a static network address
configuration was used. Setting the default gateway statically is enough
for the networking to be considered online.

This also adjusts the relevant networking tests to wait for
network-online.target instead of just network.target.
2017-09-18 14:51:38 +02:00
Franz Pletz decaa2e7bf Merge pull request #29133 from elitak/ipfs
ipfs: workaround for upstream bug; other small fixes
2017-09-18 13:26:39 +02:00
Florian Jacob 839e3c7666 nixos/mysql: declarative users & databases
using Unix socket authentication, ensured on every rebuild.
2017-09-18 13:10:26 +02:00
Kranium Gikos 662b409b72 influxdb service: fixup postStart script to handle TLS 2017-09-18 11:56:30 +02:00
Justin Humm b5a5d0ba84 gollum service: init 2017-09-18 11:55:00 +02:00
Aneesh Agrawal fcd590d116 radicale: Add extraArgs option to assist in data migration 2017-09-18 00:29:01 -07:00
Maximilian Güntner 44475cae27 tests: ipfs: enable autoMount tests 2017-09-18 00:05:35 -07:00
Eric Litak 1a15c5d8c6 ipfs: autoMount working without root 2017-09-17 23:57:25 -07:00
Eric Litak 6324317c76 ipfs: workaround for upstream bug; doc fixes 2017-09-17 23:57:25 -07:00
Pascal Bach c68118ce65 glusterfs service: add support for TLS communication
TLS settings are implemented as submodule.
2017-09-17 18:53:14 +02:00
Franz Pletz 275914323b Merge pull request #27256 from bachp/squid-service
squid service: initial service based on default config
2017-09-17 18:52:53 +02:00
Rodney Lorrimar 6460e459de nixos/gogs: Fix module when no passwords provided
If neither database.password or database.passwordFile were provided,
it would try and fail to coerce null to a string.

This fixes the situation where there is no password for the database.

Resolves #27950
2017-09-17 18:41:53 +02:00
Joachim F 149307476e Merge pull request #29479 from florianjacob/fix-tinc-stable
nixos/tinc: Fix tinc cli wrapper for tinc 1.0
2017-09-17 13:40:20 +00:00
Florian Jacob 8cea87c1eb nixos/tinc: Fix tinc cli wrapper for tinc 1.0.
tinc prior to 1.1 doesn't have the `tinc` executable,
and `tincd` isn't of any use while the daemon already runs.
2017-09-17 10:46:12 +02:00
Antoine Eiche ea6d37c2bb dockerTools.pullImage: release note regarding sha256 argument value 2017-09-17 08:26:02 +01:00
aszlig 3ba2095a42
nixos/dovecot: Fix createMailUser implementation
This option got introduced in 7904499542
and it didn't check whether mailUser and mailGroup are null, which they
are by default.

Now we're only creating the user if createMailUser is set in conjunction
with mailUser and the group if mailGroup is set as well.

I've added a NixOS VM test so that we can verify whether dovecot works
without any additional options set, so it serves as a regression test
for issue #29466 and other issues that might come up with future changes
to the Dovecot service.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #29466
Cc: @qknight, @abbradar, @ixmatus, @siddharthist
2017-09-17 04:57:20 +02:00
Joachim F 8ceb209830 Merge pull request #29462 from joachifm/trivial-misc-tests
nixos/tests: move kernel-params & sysctl test to misc
2017-09-16 19:51:58 +00:00
Jaka Hudoklin 1adaad1371 Merge pull request #28927 from xtruder/nixos/logkeys/init
logkeys module: init
2017-09-16 16:23:13 +02:00
Joachim F c0616a3234 Merge pull request #28892 from ryantm/matterbridge2
matterbridge, modules/matterbridge: init at 1.1.0
2017-09-16 12:43:35 +00:00
Joachim Fasting 586d04c588
nixos/tests: expand hardened tests 2017-09-16 13:14:07 +02:00
Matt McHenry cfbac1beb4 systemd: better document enabled, wantedBy, and requiredBy (#29453)
the systemd.unit(5) discussion of wantedBy and requiredBy is in the
[Install] section, and thus focused on stateful 'systemctl enable'.
so, clarify that in NixOS, wantedBy & requiredBy are still what most
users want, and not to be confused with enabled.
2017-09-16 12:48:16 +02:00
Joachim Fasting e05459584e
nixos/release-combined: remove basic kernel tests
Arguably, breaking linux-latest should not block a release.  Also, booting
the kernel + basic sanity checking is implicitly exercised by every other
vm test.
2017-09-16 12:45:30 +02:00
Joachim Fasting ffd56ba4f6
nixos/tests: move kernel-params test to misc 2017-09-16 12:45:28 +02:00
Joachim Fasting c85cf60c83
nixos/tests: move sysctl test to misc 2017-09-16 12:45:23 +02:00
Silvan Mosberger fea9e081a9
namecoin service: fix typo 2017-09-15 23:08:53 +02:00
Tuomas Tynkkynen c8e7aab0c8 sd-image-aarch64: Increase CMA memory so RPi3 virtual console works again 2017-09-15 23:15:16 +03:00
Bjørn Forsman 6b7a9376f1 nixos/wpa_supplicant: use literalExample
For various reasons, big Nix attrsets look ugly in the generated manual
page[1]. Use literalExample to fix it.

[1] Quotes around attribute names are lost, newlines inside multi-line
strings are shown as '\n' and attrs written on multiple lines are joined
into one.
2017-09-15 20:27:48 +02:00
joachim schiele 7904499542 dovecot2: added quota, changed pop3 default 2017-09-15 18:01:29 +02:00
Jörg Thalheim 1ecf3e862f zfsUnstable: init at 2017-09-12 2017-09-15 17:59:37 +02:00
Jörg Thalheim 7d5633ea7a Merge pull request #27342 from lheckemann/installer-changes
Installer changes
2017-09-15 16:19:11 +01:00
Eelco Dolstra 6dad1f70ce
nix: 1.11.14 -> 1.11.15 2017-09-15 16:38:33 +02:00
Rob Vermaas 0783efb41c
google-instance-setup: add openssh to path 2017-09-15 10:43:09 +00:00
aszlig b5fbb4f362
nixos/tests/acme: Use overridePythonAttrs
Quoting from @FRidh:

  Note overridePythonAttrs exists since 17.09. It overrides the call to
  buildPythonPackage.

While it's not strictly necessary to do this, because postPatch ends up
in drvAttrs anyway, it's probably better to use overridePythonAttrs so
we don't run into problems when the underlying implementation of
buildPythonPackage changes.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-14 23:18:52 +02:00
Peter Hoeg 4b78d44ab6 mtr nixos module: wrap the proper binary 2017-09-14 19:09:54 +08:00
André-Patrick Bubel 2000fba561
nixos/fileystems: Fix boot fails with encrypted fs
Boot fails when a keyfile is configured for all encrypted filesystems
and no other luks devices are configured. This is because luks support is only
enabled in the initrd, when boot.initrd.luks.devices has entries. When a
fileystem has a keyfile configured though, it is setup by a custom
command, not by boot.initrd.luks.

This commit adds an internal config flag to enable luks support in the
initrd file, even if there are no luks devices configured.
2017-09-14 05:27:41 +02:00
Jörg Thalheim bb5b084986 tor: skip ControlPort in torrc, if not set. 2017-09-13 23:33:46 +01:00
Tuomas Tynkkynen 0c368ef02f treewide: Escape backslash in strings properly
"\." is apparently the same as "." wheras the correct one is "\\."
2017-09-14 01:03:39 +03:00
aszlig 01fffd94e5
nixos/tests/acme: Patch certifi with cacert
Since 67651d80bc the requests package now
depends on certifi, which in turn provides the CA root certificates that
we need to replace.

It might also be a good idea to actually patch certifi with our version
of cacert by default so that if we want to override and/or add something
we only need to do it once.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @fpletz, @k0ral, @FRidh
2017-09-13 23:16:43 +02:00
aszlig bda38317eb
nixos/tests/letsencrypt: Fix nginx options
The enableSSL option has been deprecated in
a912a6a291, so we switch to using onlySSL.

I've also explicitly disabled enableACME, because this is the default
and we don't actually want to have ACME enabled for a host which runs an
actual ACME server.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:40 +02:00
aszlig 11b3ae74e1
nixos/tests: Add a basic test for ACME
The test here is pretty basic and only tests nginx, but it should get us
started to write tests for different webservers and different ACME
implementations.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:37 +02:00
aszlig b3162a1074
nixos/tests: Add common modules for letsencrypt
These modules implement a way to test ACME based on a test instance of
Letsencrypt's Boulder service. The service implementation is in
letsencrypt.nix and the second module (resolver.nix) is a support-module
for the former, but can also be used for tests not involving ACME.

The second module provides a DNS server which hosts a root zone
containing all the zones and /etc/hosts entries (except loopback) in the
entire test network, so this can be very useful for other modules that
need DNS resolution.

Originally, I wrote these modules for the Headcounter deployment, but
I've refactored them a bit to be generally useful to NixOS users. The
original implementation can be found here:

https://github.com/headcounter/deployment/tree/89e7feafb/modules/testing

Quoting parts from the commit message of the initial implementation of
the Letsencrypt module in headcounter/deployment@95dfb31110:

    This module is going to be used for tests where we need to
    impersonate an ACME service such as the one from Letsencrypt within
    VM tests, which is the reason why this module is a bit ugly (I only
    care if it's working not if it's beautiful).

    While the module isn't used anywhere, it will serve as a pluggable
    module for testing whether ACME works properly to fetch certificates
    and also as a replacement for our snakeoil certificate generator.

Also quoting parts of the commit where I have refactored the same module
in headcounter/deployment@85fa481b34:

    Now we have a fully pluggable module which automatically discovers
    in which network it's used via the nodes attribute.

    The test environment of Boulder used "dns-test-srv", which is a fake
    DNS server that's resolving almost everything to 127.0.0.1. On our
    setup this is not useful, so instead we're now running a local BIND
    name server which has a fake root zone and uses the mentioned node
    attribute to automatically discover other zones in the network of
    machines and generate delegations from the root zone to the
    respective zones with the primaryIPAddress of the node.

    ...

    We want to use real letsencrypt.org FQDNs here, so we can't get away
    with the snakeoil test certificates from the upstream project but
    now roll our own.

    This not only has the benefit that we can easily pass the snakeoil
    certificate to other nodes, but we can (and do) also use it for an
    nginx proxy that's now serving HTTPS for the Boulder web front end.

The Headcounter deployment tests are simulating a production scenario
with real IPs and nameservers so it won't need to rely on
networking.extraHost. However in this implementation we don't
necessarily want to do that, so I've added auto-discovery of
networking.extraHosts in the resolver module.

Another change here is that the letsencrypt module now falls back to
using a local resolver, the Headcounter implementation on the other hand
always required to add an extra test node which serves as a resolver.

I could have squashed both modules into the final ACME test, but that
would make it not very reusable, so that's the main reason why I put
these modules in tests/common.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:33 +02:00
Robin Gloster f5e0e94b2a
nixos/redmine: fix create role
postgresql create role no longer supports NOCREATEUSER option. See
https://www.postgresql.org/docs/9.6/static/release-9-6.html for
details.
2017-09-13 21:55:50 +02:00
Joachim F c9200f8d9c Merge pull request #28874 from ryantm/mattermost
nixos/mattermost: fix create role
2017-09-13 19:41:25 +00:00
Jörg Thalheim 13edd9765a Merge pull request #29125 from geistesk/firehol-3.1.4
firehol: init at 3.1.4, iprange: init at 1.0.3
2017-09-13 18:10:22 +01:00
Vladimír Čunát 97ac29cafc
hpsa service: fallout from #28557 merge and revert 2017-09-13 07:55:48 +02:00
Pascal Bach a217d73381 node-exporter service: fix documentation for enabledCollectors 2017-09-12 22:38:17 +02:00