alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity
299636 commits 217 branches 121 tags 4.5 GiB
Commit graph

17584 commits

Author SHA1 Message Date
regnat 113823669b Revert "nixos/nix-daemon: fix sandbox-paths option" 
This reverts commit aeeee447bc.
 2021-05-24 10:51:02 +02:00
FliegendeWurst b9e2b878c5 nixos/trilium-server: noBackup option 2021-05-24 09:55:49 +02:00
FliegendeWurst 7cb492fb13 nixos/trilium-server: add myself as maintainer 2021-05-24 09:55:49 +02:00
Ivan Kozik d95960e275 nixos/bitwarden_rs: fix startup on 32 thread machines 
LimitNPROC=64 is too low for bitwarden_rs to start on a 32 thread machine.
Remove the limit.

This fixes:

```
bitwarden_rs[38701]: /--------------------------------------------------------------------\
bitwarden_rs[38701]: |                       Starting Bitwarden_RS                        |
bitwarden_rs[38701]: |--------------------------------------------------------------------|
bitwarden_rs[38701]: | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
bitwarden_rs[38701]: | official channels to report bugs/features, regardless of client.   |
bitwarden_rs[38701]: | Send usage/configuration questions or feature requests to:         |
bitwarden_rs[38701]: |   https://bitwardenrs.discourse.group/                             |
bitwarden_rs[38701]: | Report suspected bugs/issues in the software itself at:            |
bitwarden_rs[38701]: |   https://github.com/dani-garcia/bitwarden_rs/issues/new           |
bitwarden_rs[38701]: \--------------------------------------------------------------------/
bitwarden_rs[38701]: [INFO] No .env file found.
bitwarden_rs[38701]: [2021-05-24 03:34:41.121][bitwarden_rs::api::core::sends][INFO] Initiating send deletion
bitwarden_rs[38701]: [2021-05-24 03:34:41.122][start][INFO] Rocket has launched from http://127.0.0.1:8222
bitwarden_rs[38701]: [2021-05-24 03:34:41.126][panic][ERROR] thread 'unnamed' panicked at 'failed to spawn thread: Os { code: 11, kind: WouldBlock, message: "Resource temporarily unavailable" }': /build/rustc-1.52.1-src/library/std/src/thread/mod.rs:620
bitwarden_rs[38701]:    0: bitwarden_rs::init_logging::{{closure}}
bitwarden_rs[38701]:    1: std::panicking::rust_panic_with_hook
bitwarden_rs[38701]:    2: std::panicking::begin_panic_handler::{{closure}}
bitwarden_rs[38701]:    3: std::sys_common::backtrace::__rust_end_short_backtrace
bitwarden_rs[38701]:    4: rust_begin_unwind
bitwarden_rs[38701]:    5: core::panicking::panic_fmt
bitwarden_rs[38701]:    6: core::result::unwrap_failed
bitwarden_rs[38701]:    7: hyper::server::listener::spawn_with
bitwarden_rs[38701]:    8: hyper::server::listener::ListenerPool<A>::accept
bitwarden_rs[38701]:    9: std::sys_common::backtrace::__rust_begin_short_backtrace
bitwarden_rs[38701]:   10: core::ops::function::FnOnce::call_once{{vtable.shim}}
bitwarden_rs[38701]:   11: std::sys::unix:🧵:Thread:🆕:thread_start
bitwarden_rs[38701]:   12: start_thread
bitwarden_rs[38701]:   13: __GI___clone
bitwarden_rs[38701]: [2021-05-24 03:34:41.126][panic][ERROR] thread 'main' panicked at 'internal error: entered unreachable code: the call to `handle_threads` should block on success': /build/bitwarden_rs-1.20.0-vendor.tar.gz/rocket/src/rocket.rs:751
bitwarden_rs[38701]:    0: bitwarden_rs::init_logging::{{closure}}
bitwarden_rs[38701]:    1: std::panicking::rust_panic_with_hook
bitwarden_rs[38701]:    2: std::panicking::begin_panic_handler::{{closure}}
bitwarden_rs[38701]:    3: std::sys_common::backtrace::__rust_end_short_backtrace
bitwarden_rs[38701]:    4: rust_begin_unwind
bitwarden_rs[38701]:    5: core::panicking::panic_fmt
bitwarden_rs[38701]:    6: rocket:🚀:Rocket::launch
bitwarden_rs[38701]:    7: bitwarden_rs::main
bitwarden_rs[38701]:    8: std::sys_common::backtrace::__rust_begin_short_backtrace
bitwarden_rs[38701]:    9: std::rt::lang_start::{{closure}}
bitwarden_rs[38701]:   10: std::rt::lang_start_internal
bitwarden_rs[38701]:   11: main
```
 2021-05-24 04:36:17 +00:00
Sandro fd26001ead
Merge pull request #123304 from SuperSandro2000/pihole-exporter 2021-05-24 04:27:16 +02:00
Sandro Jäckel 0724518919
nixos/prometheus: init pihole-exporter 2021-05-24 04:05:59 +02:00
Anderson Torres e445fc8661
Merge pull request #123583 from superherointj/module-libvirtd-ovmf-aarch64-fix 
libvirtd: fix ovmf for aarch64
 2021-05-23 19:56:27 -03:00
Michael Raskin ab51a2dbd6
Merge pull request #123926 from pschyska/master 
nixos/atop: Add defaultText to types.package options, Fix timing-related test failures.
 2021-05-23 18:08:46 +00:00
José Romildo Malaquias de84bd18d7
Merge pull request #121031 from romildo/fix.lxqt 
lxqt: does not explicitly require gvfs package
 2021-05-23 15:06:55 -03:00
superherointj 97d9e7849b nixos/firebird: updated firebird package 2021-05-23 10:53:00 -03:00
Matt Christ 14bf8f109b fix brscan5 config generation 
before this, the config utility was unable to locate the models folder
update tests to use a compatible model
 2021-05-23 08:08:31 -05:00
Guillaume Girol d7555732bc
Merge pull request #123902 from hyperfekt/mount-pstore-quiet 
nixos/filesystems: condition mount-pstore.service on unmounted /sys/fs/pstore
 2021-05-23 12:18:14 +00:00
Samuel Dionne-Riel 20b023b5ea iso-image: Improve disk detection 
This should help in rare hardware-specific situations where the root is
not automatically detected properly.

We search using a marker file. This should help some weird UEFI setups
where the root is set to `(hd0,msdos2)` by default.

Defaulting to `(hd0)` by looking for the ESP **will break themeing**. It
is unclear why, but files in `(hd0,msdos2)` are not all present as they
should be.

This also fixes an issue introduced with cb5c4fcd3c
where rEFInd stopped booting in many cases. This is because it ended up
using (hd0) rather than using the `search` which was happening
beforehand, which in turn uses (hd0,msdos2), which is the ESP.
Putting back the `search` here fixes that.
 2021-05-22 20:04:05 -07:00
Samuel Dionne-Riel c9bb054dd6 iso-image: unqualified root → ($root) 
This technically changes nothing. In practice `$root` is always the
"CWD", whether searched for automatically or not.

But this serves to announce we are relying on `$root`... I guess...
 2021-05-22 20:04:05 -07:00
Samuel Dionne-Riel 15eaed0718 iso-image: change date on all files 
It may be that in some conditions dates earlier than 1980 on FAT on GRUB
2.06~ish will cause failures

https://github.com/NixOS/nixpkgs/issues/123376#issuecomment-845515035
 2021-05-22 20:04:05 -07:00
Samuel Dionne-Riel f93f0e72e9 iso-image: Force gfxmode 
https://www.gnu.org/software/grub/manual/grub/html_node/gfxmode.html
 2021-05-22 20:04:05 -07:00
Jonathan Ringer 11a9ac00fc
Merge remote-tracking branch 'origin/master' into staging-next 
Conflicts:
 pkgs/tools/networking/xh/default.nix
 2021-05-22 18:19:10 -07:00
Martin Weinelt 84f649f693
Merge pull request #121626 from mweinelt/botamusique 2021-05-23 02:02:09 +02:00
Martin Weinelt 59e5ff4b29
nixos/botamusique: init 2021-05-23 01:01:51 +02:00
Jan Tojnar aea7b5f08e
Merge pull request #124073 from mkg20001/cinnamonpolkit 
nixos/cinnamon: add polkit_gnome to fix #124062
 2021-05-23 00:21:28 +02:00
Jan Tojnar 141e85cc69
Merge pull request #124056 from mkg20001/cinnamonlocale 
nixos/cinnamon: add cinnamon-translations to systemPackages
 2021-05-23 00:21:11 +02:00
Maciej Krüger eca2b05354
nixos/cinnamon: add cinnamon-translations to systemPackages 
This allows other cinnamon applications to use the locales

Without this the cinnamon UI is not properly translated
 2021-05-22 23:59:33 +02:00
Maciej Krüger 8664c2c743
nixos/cinnamon: add polkit_gnome to fix #124062 2021-05-22 23:58:06 +02:00
Maximilian Bosch 9cab80ce4d
Merge pull request #122203 from mohe2015/imperative-nixos-container-timeout 
nixos-containers: Increase startup timeout for imperative containers
 2021-05-22 23:04:12 +02:00
Maximilian Bosch 278bcdce1f
Merge pull request #123941 from mweinelt/matrix-synapse 
nixos/matrix-synapse: protect created files
 2021-05-22 22:20:16 +02:00
Martin Weinelt 79e675444c
nixos/matrix-synapse: protect created files 
Enforce UMask on the systemd unit to restrict the permissions of files
created. Especially the homeserver signing key should not be world
readable, and media is served through synapse itself, so no other user
needs access to these files.

Use a prestart chmod to fixup the permissions on the signing key.
 2021-05-22 20:30:49 +02:00
Sandro 7be85b5090
Merge pull request #104420 from danielfullmer/syncoid-perm-fix 2021-05-22 17:57:56 +02:00
Kira Bruneau cd4780fab4
maintainers: rename metadark -> kira-bruneau (#124035) 2021-05-22 16:47:40 +02:00
Domen Kožar fdd42cb68c
Merge pull request #123211 from mdevlamynck/pipewire-plasma-pa 
nixos/plasma5: also add plasma-pa when using pipewire with pulseaudio support
 2021-05-22 15:20:50 +02:00
github-actions[bot] 563389a7fd
Merge master into staging-next 2021-05-22 12:27:09 +00:00
Paul Schyska 9cb76c21ee
nixos/atop: Add defaultText for types.package options 
see: https://github.com/NixOS/nixpkgs/pull/123053#discussion_r637205826
 2021-05-22 14:11:45 +02:00
sohalt be01cb8b97 nixos/spacenavd: run as user service 2021-05-22 12:48:12 +02:00
Domen Kožar 3a28f72e7b
Merge pull request #123970 from kisik21/nix-fix-sandbox-paths 
nixos/nix-daemon: fix sandbox-paths option
 2021-05-22 12:05:11 +02:00
Vika aeeee447bc
nixos/nix-daemon: fix sandbox-paths option 
In newer versions of Nix (at least on 2.4pre20201102_550e11f) the
`extra-` prefix for config options received a special meaning and the
option `extra-sandbox-paths` isn't recognized anymore. This commit fixes
it.

It doesn't cause a behavior change when using older versions of Nix but
does cause an extra newline to appear in the config, thus changing the
hash.
 2021-05-22 05:14:56 +00:00
github-actions[bot] 901fb5e64e
Merge master into staging-next 2021-05-22 00:56:03 +00:00
Jonathan Ringer ced04640c7 nixos/video: remove obsolete ati modules 2021-05-21 16:16:48 -07:00
Martin Weinelt 71fb79ee6b
Merge pull request #123828 from Lassulus/solanum2 
nixos/solanum: init
 2021-05-21 23:23:01 +02:00
Maximilian Bosch a2379c69a4
Merge pull request #122833 from helsinki-systems/feat/prometheus-metric-relabel 
nixos/prometheus: Add support for metric relabeling
 2021-05-21 23:13:41 +02:00
lassulus 48c16e48aa nixos/solanum: init 2021-05-21 23:06:38 +02:00
Maximilian Bosch 5dbd28d754
Merge pull request #123009 from deviant/fix-mailman-doc-links 
nixos/mailman: fix documentation option links
 2021-05-21 22:00:47 +02:00
Matt Christ a9b7300f6f brscan5: init at 1.2.6-0 2021-05-21 12:59:30 -05:00
Jonathan Ringer 5cd5b9b97f
Merge remote-tracking branch 'origin/master' into staging-next 
Conflicts:
 pkgs/development/tools/kubie/default.nix
 2021-05-21 10:39:34 -07:00
eyJhb 6000f420e8
nixos/znc: fixed chown not working after hardening (#123883) 2021-05-21 19:07:53 +02:00
hyperfekt ef991f9b8b nixos/filesystems: condition mount-pstore.service on unmounted /sys/fs/pstore 
For unknown reasons, switching to a system that first introduces this
service has it fail with /sys/fs/pstore already having been mounted.
 2021-05-21 17:49:23 +02:00
Elis Hirwing e9cca93bf9
Merge pull request #121778 from talyz/keycloak-security 
nixos/keycloak: Security fixes + misc
 2021-05-21 16:55:26 +02:00
Kerstin Humm 224df6940f nixos/mastodon: use rails command instead of rake 
Co-Authored-By: Izorkin <izorkin@elven.pw>
 2021-05-21 15:04:12 +02:00
github-actions[bot] 929b12e7b5
Merge master into staging-next 2021-05-21 12:28:43 +00:00
ajs124 c455f3ccaf
Merge pull request #123084 from Yarny0/hylafax 
hylafaxplus & nixos/hylafax: small improvements
 2021-05-21 14:20:57 +02:00
talyz ba00b0946e
nixos/keycloak: Split certificatePrivateKeyBundle into two options 
Instead of requiring the user to bundle the certificate and private
key into a single file, provide separate options for them. This is
more in line with most other modules.
 2021-05-21 13:09:38 +02:00
talyz dbf91bc2f1
nixos/keycloak: keycloak.database* -> keycloak.database.* 
Move all database options to their own group / attribute. This makes
the configuration clearer and brings it in line with most other modern
modules.
 2021-05-21 13:09:32 +02:00
talyz 83e406e97a
nixos/keycloak: frontendUrl always needs to be suffixed with / 
In some places, Keycloak expects the frontendUrl to end with `/`, so
let's make sure it always does.
 2021-05-21 13:09:25 +02:00
talyz 58614f8416
nixos/keycloak: Add myself to maintainers 2021-05-21 13:09:19 +02:00
talyz d748c86389
nixos/keycloak: Improve readablility by putting executables in PATH 2021-05-21 13:09:14 +02:00
talyz 8309368e4c
nixos/keycloak: Set umask before copying sensitive files 
`install` copies the files before setting their mode, so there could
be a breif window where the secrets are readable by other users
without a strict umask.
 2021-05-21 13:09:09 +02:00
talyz c2bebf4ee2
nixos/keycloak: Improve bash error handling 2021-05-21 13:09:03 +02:00
talyz d6727d28e1
nixos/keycloak: Set the postgresql database password securely 
Feeding `psql` the password on the command line leaks it through the
`psql` process' `/proc/<pid>/cmdline` file. Using `echo` to put the
command in a file and then feeding `psql` the file should work around
this, since `echo` is a bash builtin and thus shouldn't spawn a new
process.
 2021-05-21 13:08:53 +02:00
Jonathan Ringer 6b15fdce86
Merge remote-tracking branch 'origin/master' into staging-next 
Conflicts:
 pkgs/shells/ion/default.nix
 pkgs/tools/misc/cicero-tui/default.nix
 2021-05-20 22:11:42 -07:00
Thiago Kenji Okada c96586d63f nixos/noisetorch: init 
NoiseTorch needs setcap set to 'cap_sys_resource=+ep' to work correctly
accordingly to the README.md:

https://github.com/lawl/NoiseTorch#download--install

So this PR adds it.
 2021-05-20 14:15:20 -07:00
Ning Shang 657e924ad8
iso-image: More concise code for fixed order mmd and mcopy operations 
Thanks @misuzu for the suggestions.
 2021-05-20 12:17:04 -07:00
legendofmiracles af0a54285e nixos/terraria: open ports in the firewall 2021-05-20 12:11:08 -07:00
Guillaume Girol 0d5fa1cff3
Merge pull request #120622 from symphorien/duplicity-master 
nixos/duplicity: enable to prevent backup from growing infinitely
 2021-05-20 19:00:59 +00:00
Jonas Chevalier 30c021fa15
Merge pull request #123744 from hercules-ci/init-ghostunnel 
ghostunnel: init
 2021-05-20 20:58:41 +02:00
Ning Shang 4db7eb476f
iso-image: Workaround for better determinism in du output 
The value of du output depends on the underlying file system, and thus is not fully deterministic. This workaround rounds up the disk usage size to the nearest multiple of 1MB, to increase the probability that two du output values on two different file systems fall within the same 1MB window. Note that this workaround won't make du output 100% reproducible, but will increase the probability of getting deterministic builds across different file systems.
 2021-05-20 11:01:17 -07:00
Jonathan Ringer 14f3686af1
Merge remote-tracking branch 'origin/master' into staging-next 
Conflicts:
  pkgs/applications/terminal-emulators/alacritty/default.nix
  pkgs/servers/clickhouse/default.nix
 2021-05-20 09:12:42 -07:00
Emery Hemingway 520b4a8496 nixos: convert netatalk to settings-style configuration 
Also, set StateDirectory in systemd.….serviceConfig.
 2021-05-20 17:39:28 +02:00
Robert Hensing dc9cb63de4 nixos/ghostunnel: init 2021-05-20 10:41:52 +02:00
Christoph Hrdinka 57acb6f9f7
Merge pull request #123598 from pschyska/master 
nixos/nsd: make nsd-checkconf work when configuration contains keys (#118140)
 2021-05-20 10:41:30 +02:00
Maximilian Bosch 3f3cec6d9e clickhouse: 20.11.4.13-stable -> 21.3.11.5-lts 
Failing Hydra build: https://hydra.nixos.org/build/143269865
ZHF #122042
 2021-05-19 14:08:46 -07:00
Gabriel Gonzalez 8e9d803bac
Fix description for services.kubernetes.addonManager.enable (#71448) 
`mkEnableOption` already prefixes the description with
"Whether to enable"
 2021-05-19 13:49:27 -07:00
Jonathan Ringer c1f8a15dac
Merge remote-tracking branch 'origin/master' into staging-next 
Conflicts:
  nixos/doc/manual/release-notes/rl-2105.xml
  pkgs/tools/security/sequoia/default.nix
 2021-05-19 10:39:54 -07:00
Paul Schyska 69202853ea
nixos/nsd: make nsd-checkconf work when configuration contains keys 2021-05-19 18:21:10 +02:00
Martin Weinelt 446c97f96f
Merge pull request #123355 from Ma27/bump-matrix-synapse 2021-05-19 18:12:14 +02:00
Jan Tojnar a858f1a90d
Merge pull request #123507 from jtojnar/no-flatpak-guipkgs 
nixos/flatpak: Remove `guiPackages` internal option
 2021-05-19 16:33:56 +02:00
Tomas Antonio Lopez b922fa959b nixos/swap: add discardPolicy option 
Add option for activating discards on swap partitions (none, once, pages and both).
 2021-05-19 21:23:35 +09:00
Guillaume Girol 41c7fa448f nixos/duplicity: add options to exercise all possible verbs 
except restore ;)
 2021-05-19 12:00:00 +00:00
Michele Guerini Rocco 376eabdac3
Merge pull request #123254 from rnhmjoj/ipsec 
libreswan: 3.2 -> 4.4
 2021-05-19 13:36:04 +02:00
talyz 380b52c737
nixos/keycloak: Use replace-secret to avoid leaking secrets 
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
 2021-05-19 09:32:28 +02:00
talyz 88b76d5ef9
nixos/mpd: Use replace-secret to avoid leaking secrets 
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead.
 2021-05-19 09:32:22 +02:00
talyz 3a29b7bf5b
nixos/mpdscribble: Use replace-secret to avoid leaking secrets 
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
 2021-05-19 09:32:17 +02:00
talyz 7842e89bfc
nixos/gitlab: Use replace-secret to avoid leaking secrets 
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
 2021-05-19 09:32:12 +02:00
talyz 38398fade1
nixos/discourse: Use replace-secret to avoid leaking secrets 
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
 2021-05-19 09:32:06 +02:00
Jörg Thalheim 5b4915fb7a
Merge pull request #110927 from Izorkin/fix-qemu-ga 
nixos/qemu-guest-agent: fix start service
 2021-05-19 05:42:06 +01:00
Aaron Andersen 58ddbfa71d
Merge pull request #118395 from jwygoda/grafana-google-oauth2 
grafana: add google oauth2 config
 2021-05-18 23:11:24 -04:00
github-actions[bot] 7000ae2b9a
Merge master into staging-next 2021-05-19 00:55:36 +00:00
Martin Weinelt a8f71f069f
Merge pull request #123006 from mweinelt/postgresqlbackup-startat 
nixos/postgresqlBackup: allow defining multiple times to start at
 2021-05-19 01:54:38 +02:00
Martin Weinelt 4c798857e2
Merge pull request #100274 from hax404/prometheus-xmpp-alerts 2021-05-19 01:36:28 +02:00
Georg Haas 03c092579a
prometheus-xmpp-alerts: apply RFC 42 2021-05-19 01:08:38 +02:00
superherointj 4e3060d488 libvirtd: fix ovmf for aarch64 2021-05-18 17:27:37 -03:00
Jonathan Ringer ca46ad3762
Merge remote-tracking branch 'origin/master' into staging-next 
Conflicts:
  pkgs/tools/package-management/cargo-release/default.nix
 2021-05-18 11:03:38 -07:00
Pamplemousse 037e51702e
nixos/services/foldingathome: Add an option to set the "nice level" (#122864) 
Signed-off-by: Pamplemousse <xav.maso@gmail.com>
 2021-05-18 18:44:52 +02:00
Maciej Krüger 7458dcd956
Merge pull request #75242 from mkg20001/cjdns-fix 
services.cjdns: add missing, optional login & peerName attribute
 2021-05-18 18:22:29 +02:00
Jonathan Ringer f7a112f6c4
Merge remote-tracking branch 'origin/master' into staging-next 
Conflicts:
  pkgs/applications/graphics/emulsion/default.nix
  pkgs/development/tools/misc/texlab/default.nix
  pkgs/development/tools/rust/bindgen/default.nix
  pkgs/development/tools/rust/cargo-udeps/default.nix
  pkgs/misc/emulators/ruffle/default.nix
  pkgs/tools/misc/code-minimap/default.nix
 2021-05-18 08:57:16 -07:00
Robert Schütz d189df235a
Merge pull request #122241 from dotlambda/znc-harden 
nixos/znc: harden systemd unit
 2021-05-18 17:44:14 +02:00
Maciej Krüger 7409f9bab3
services.cjdns: add missing, optional login & peerName attribute 2021-05-18 17:39:04 +02:00
Ashlynn Anderson 903665f31c
nixos/self-deploy: init (#120940) 
Add `self-deploy` service to facilitate continuous deployment of NixOS
configuration from a git repository.
 2021-05-18 08:29:37 -07:00
Maciej Krüger 362ca08510
Merge pull request #123448 from mweinelt/phosh-pam 
nixos/phosh: Fix PAM configuration
 2021-05-18 17:26:21 +02:00
Martin Weinelt ec9cfba2d3
nixos/phosh: Fix unrestricted login because of insecure PAM config 
The PAM config deployed would not check anything meaningful. Remove it
and rely on the defaults in the security.pam module to fix login with
arbitrary credentials.

Resolves: #123435
 2021-05-18 16:39:03 +02:00
Jan Tojnar 1b1faeb2db
Merge pull request #86288 from worldofpeace/gnome-doc 
nixos/gnome3: add docs
 2021-05-18 14:19:33 +02:00
Jan Tojnar ed47351533
nixos/flatpak: Remove guiPackages internal option 
It was basically just a `environment.systemPackages` synonym,
only GNOME used it, and it was stretching the responsibilities
of the flatpak module too far.

It also makes it cleaner to avoid installing the program
using GNOME module’s `excludePackages` option.

Partially reverts: https://github.com/NixOS/nixpkgs/pull/101516
Fixes: https://github.com/NixOS/nixpkgs/issues/110310
 2021-05-18 14:06:23 +02:00
Michael Raskin 02ba3238d2
Merge pull request #123053 from pschyska/master 
atop, netatop, nixos/atop: improve packaging and options
 2021-05-18 10:54:13 +00:00
rnhmjoj 1a4db01c84
nixos/libreswan: update for version 4.x 
- Use upstream unit files
- Remove deprecated config options
- Add option to disable redirects
- Add option to configure policies
 2021-05-18 08:13:36 +02:00
Ning Shang e3cd644458
iso-image: Use fixed-order mcopy instead of file globbing 
mcopy file globbing is non-deterministic with respect to the underlying file
system. As a result, the current mcopy approach is less likely to reproduce
efi.img on different machines. We replace mcopy file globbing with
fixed-order mmd and mcopy operations for better determinism. We also use
faketime on mmd for the same reason. We use faketime, mmd, and mcopy
directly, becase they are already in PATH.

Thank misuzu@ for the feedback.
 2021-05-17 09:56:51 -07:00
Vincent Haupert faeb9e3233
nixos/networkd: add missing [DHCPServer] options 
`systemd.network.networks.*.dhcpServerConfig` did not accept all of
the options which are valid for networkd's [DHCPServer] section. See
systemd.network(5) of systemd 247 for details.
 2021-05-17 18:30:37 +02:00
ajs124 e2cf342ba9 nixos/security/apparmor: utillinux -> util-linux 2021-05-17 17:14:08 +02:00
Jonathan Ringer c227fb4b17
Merge remote-tracking branch 'origin/master' into staging-next 
Conflicts:
	pkgs/development/tools/rust/cargo-cache/default.nix
	pkgs/development/tools/rust/cargo-embed/default.nix
	pkgs/development/tools/rust/cargo-flash/default.nix
	pkgs/servers/nosql/influxdb2/default.nix
 2021-05-17 07:01:38 -07:00
Robert Schütz a22ebb6d6d
Merge pull request #123017 from DavHau/davhau-scikitlearn 
python3Packages.scikitlearn: rename to scikit-learn
 2021-05-17 15:13:33 +02:00
Michael Francis 80830373f0
Update openvswitch.nix 2021-05-17 21:11:07 +08:00
Michael Francis adc368d2fc
Only include ipsecTools if using ipsec 2021-05-17 21:00:57 +08:00
ajs124 8e78793029 nixos/tasks/filesystems: utillinux -> util-linux 2021-05-17 14:47:57 +02:00
Maximilian Bosch 2addab5fd6
nixos/matrix-synapse: room_invite_state_types was deprecated and room_prejoin_state is used now 
See https://github.com/matrix-org/synapse/blob/release-v1.34.0/UPGRADE.rst#upgrading-to-v1340
 2021-05-17 13:45:28 +02:00
Jörg Thalheim b900661f6e
Merge pull request #122825 from Izorkin/update-duplicates-systemcallfilters 
treewide: remove duplicates SystemCallFilters
 2021-05-17 12:06:06 +01:00
DavHau cd8f3e6c44 python3Packages.scikitlearn: rename to scikit-learn 2021-05-17 17:41:36 +07:00
Eelco Dolstra c3b27282d7
Merge pull request #123272 from kini/nixos/security.pki/pems-without-final-newline 
nixos/security.pki: handle PEMs w/o a final newline
 2021-05-17 11:14:03 +02:00
Richard Marko 16b0f07890 nixos/nginx: fix comment about acme postRun not running as root 
As of 67a5d66 this is no longer true, since acme postRun runs as root.
The idea of the service is good so reword a comment a bit.
 2021-05-17 18:03:04 +09:00
Richard Marko 7423afb5e4 nixos/molly-brown: fix description of certPath 
`allowKeysForGroup` is no longer available so this drops

```
security.acme.certs."example.com".allowKeysForGroup = true;
```

line. `SupplementaryGroups` should be enough for
allowing access to certificates.
 2021-05-17 18:03:04 +09:00
Richard Marko 29158fc0ac nixos/postgresql: fix description of ensureUsers.ensurePermissions 
`attrName` and `attrValue` are now in correct order.
 2021-05-17 18:03:04 +09:00
Jan Tojnar 354e005d6c nixos/dconf: fix d-bus activation 
dconf now supports autostarting the d-bus service using systemd's d-bus activation.

2781a86848

On NixOS, that requires making systemd aware of the package.

Fixes: https://github.com/NixOS/nixpkgs/issues/123265
 2021-05-17 09:46:07 +02:00
Evils 7641769055 nixos/fancontrol: back to running as root 
regular users don't have write access to /sys/devices
  which is where the kernel endpoints are to control fan speed
 2021-05-17 00:00:01 -07:00
github-actions[bot] 3ff6965554
Merge master into staging-next 2021-05-17 06:22:23 +00:00
Jonathan Ringer d8e62d8e41
Merge remote-tracking branch 'origin/master' into staging-next 
Fix cargo-flash build
 2021-05-16 18:27:14 -07:00
Sandro ec1dd62608
Merge pull request #118521 from SuperSandro2000/nginx-proxy-timeout 
nixos/nginx: add option to change proxy timeouts
 2021-05-17 03:15:54 +02:00
Sandro 700942d2a5
Merge pull request #121119 from SuperSandro2000/remove-gnidorah 
treewide: remove gnidorah
 2021-05-17 02:42:24 +02:00
Sandro Jäckel 51166f90c6
nixos/nginx: add option to change proxy timeouts 2021-05-17 02:37:44 +02:00
Keshav Kini 348858f297 nixos/security.pki: handle PEMs w/o a final newline 
According to the ABNF grammar for PEM files described in [RFC
7468][1], an eol character (i.e. a newline) is not mandatory after the
posteb line (i.e. "-----END CERTIFICATE-----" in the case of
certificates).

This commit makes our CA certificate bundler expression account for
the possibility that files in config.security.pki.certificateFiles
might not have final newlines, by using `awk` instead of `cat` to
concatenate them. (`awk` prints a final newline from each input file
even if the file doesn't end with a newline.)

[1]: https://datatracker.ietf.org/doc/html/rfc7468#section-3
 2021-05-16 17:23:11 -07:00
Martin Weinelt 7bd65d54f7 treewide: remove nand0p as maintainer 
While looking at the sphinx package I noticed it was heavily
undermaintained, which is when we noticed nand0p has been inactive for
roughly 18 months. It is therefore prudent to assume they will not be
maintaining their packages, modules and tests.

- Their last contribution to nixpkgs was in 2019/12
- On 2021/05/08 I wrote them an email to the address listed in the
  maintainer-list, which they didn't reply to.
 2021-05-17 01:50:49 +02:00
Florian Klink 6c0058f47f
Merge pull request #85073 from hyperfekt/systemd-pstore 
nixos/systemd|filesystems: mount and evacuate /sys/fs/pstore using systemd-pstore
 2021-05-17 00:00:52 +02:00
Aaron Andersen 21f5dd5c6e
Merge pull request #122647 from onny/caddy 
nixos/caddy: support user and group options
 2021-05-16 17:23:57 -04:00
Johan Thomsen 7e310dd8e8 nixos/containerd: StartLimit* options must be in the unit-section 
also, raise limits to ensure reasonable startup time, now that StartLimits are actually enforced
 2021-05-17 06:17:18 +10:00
Johan Thomsen 2142f88526 nixos/containerd: sanitize StateDirectory and RuntimeDirectory 2021-05-17 06:17:18 +10:00
Paul Schyska 563ba07543
nixos/atop: Split up restart triggers between atop and netatop 2021-05-16 22:00:24 +02:00
Paul Schyska 526bc6a4d5
nixos/atop: Add a note about netatop tainting the kernel 2021-05-16 21:43:20 +02:00
Niklas Hambüchen 357cf46c8d wireguard module: Add dynamicEndpointRefreshSeconds option. 
See for an intro:
https://wiki.archlinux.org/index.php/WireGuard#Endpoint_with_changing_IP
 2021-05-16 20:11:51 +02:00
Paul Schyska b87c366046
nixos/atop: Never enable setuidWrapper by default, rename service/timer enabling options 2021-05-16 18:22:03 +02:00
Paul Schyska 8f3d2e5c3b
nixos/atop: Add configuration for atop services, allow to enable netatop, gpuatop, allow setuid wrapper 2021-05-16 18:22:03 +02:00
Matthias Devlamynck 2a217314f2 nixos/plasma5: also add plasma-pa when using pipewire with pulseaudio support 2021-05-16 10:51:11 +02:00
github-actions[bot] 9911b1c75b
Merge staging-next into staging 2021-05-16 01:01:01 +00:00
github-actions[bot] b484cef365
Merge master into staging-next 2021-05-16 01:00:58 +00:00
Pasquale 42af3b3ab7 nixos: add programs.kdeconnect option 2021-05-16 01:43:42 +02:00
Michael Weiss a542827c9b
nixos/sway: Update the module documentation 
Most programs already run natively under Wayland so extraSessionCommands
isn't as important anymore. XWayland is already covered by
"programs.xwayland.enable = mkDefault true;" in the module.
 2021-05-15 20:30:53 +02:00
github-actions[bot] c10600230e
Merge staging-next into staging 2021-05-15 18:30:31 +00:00
github-actions[bot] f1b78f8618
Merge master into staging-next 2021-05-15 18:30:28 +00:00
Michael Weiss 73e0dd4b29
Merge pull request #123034 from primeos/sway-simplify-screen-sharing 
sway: Simplify screen sharing
 2021-05-15 18:38:52 +02:00
Jonathan Ringer 5a6540c49c nixos/factorio: update admin setting 2021-05-15 09:04:35 -07:00
Jonas Heinrich fff9cf00fd caddy: support user and group options 2021-05-15 10:32:49 +02:00
github-actions[bot] 78ae7ac75e
Merge staging-next into staging 2021-05-15 06:22:25 +00:00
github-actions[bot] c48794dcef
Merge master into staging-next 2021-05-15 06:22:22 +00:00
Aaron Andersen fc63be7ac8
Merge pull request #122658 from aanderse/httpd-reload 
nixos/httpd: provide a stable path stable path to the configuration f…
 2021-05-14 23:50:43 -04:00
Yarny0 c2af1ff281 nixos/hylafax: enable ProtectKernelLogs for most services 
Also document that `ProtectClock` blocks access to serial line.
I couldn't found out why this is the case,
but faxgetty complains about the device file
not being accessible with `ProtectClock=true`.
 2021-05-14 22:55:50 +02:00
Michael Weiss 3f31c0edef
sway: Simplify screen sharing 
This should make it easier to get started.
The xdg-desktop-portal backend for wlroots is required and one needs to
"make sure WAYLAND_DISPLAY and XDG_CURRENT_DESKTOP are imported into
D-Bus." [0]

[0]: efcbcb60aa/README.md (running)
 2021-05-14 22:42:19 +02:00
Vladimír Čunát c48eaa70e3
Merge branch 'master' into staging-next 2021-05-14 22:27:34 +02:00
Martin Weinelt 21746a7c80
nixos/postgresqlBackup: allow defining multiple times to start at 
Or … none! Because forcing a string always results in an OnCalender=
setting, but an empty string leads to an empty value.

>  postgresqlBackup-hass.timer: Timer unit lacks value setting. Refusing.

or

> postgresqlBackup-miniflux.timer: Cannot add dependency job, ignoring: Unit postgresqlBackup-miniflux.timer has a bad unit file setting.

I require the postgresqlBackup in my borgbackup unit, so I don't
strictly need the timer and could previously set it to an empty list.
 2021-05-14 20:41:08 +02:00
V f4c5ebea50 nixos/mailman: fix documentation option links 2021-05-14 18:33:24 +02:00
Robert Schütz e611d663f4
Merge pull request #120440 from dotlambda/radicale-settings 
nixos/radicale: add settings option
 2021-05-14 15:37:26 +02:00
WilliButz 94b2848559
Merge pull request #91663 from mweinelt/kea-exporter 
prometheus-kea-exporter: init at 0.4.1
 2021-05-14 14:38:08 +02:00
Eelco Dolstra b08e223a04 nix: 2.3.10 -> 2.3.11 
The patch is included in the new release, so can be dropped.

Co-authored-by: Alyssa Ross <hi@alyssa.is>
 2021-05-14 12:24:54 +00:00
Alyssa Ross 195d532a63
Revert "Revert "Revert "nix: 2.3.10 -> 2.3.11""" 
This reverts commit 66fc303070.

There is still a patch that doesn't apply.
 2021-05-14 11:35:18 +00:00
Eelco Dolstra 66fc303070
Revert "Revert "nix: 2.3.10 -> 2.3.11"" 
This reverts commit 1872bbdae5.
 2021-05-14 13:33:05 +02:00
Alyssa Ross 1872bbdae5
Revert "nix: 2.3.10 -> 2.3.11" 
This reverts commit 6f6b2cdc98.

Version wasn't updated, and apparently a patch didn't apply.  Let's do
this upgrade properly, in a PR, but for now I'm reverting so we don't
have a broken nix package in master.
 2021-05-14 11:30:55 +00:00
Eelco Dolstra 6f6b2cdc98
nix: 2.3.10 -> 2.3.11 2021-05-14 13:11:26 +02:00
zowoq 004f8cd986 Merge staging-next into staging 2021-05-14 16:32:43 +10:00
Yarny0 4415846d5c nixos/hylafax: use runtimeShell where possible 
According to
https://github.com/NixOS/nixpkgs/pull/84556
this effort helps with cross-compilation.

This commit also renames a substituted variable `hylafax`
to `hylafaxplus` to permit substitution with `inherit`.
 2021-05-14 05:42:18 +02:00
Yarny0 89df33f882 nixos/hylafax: replace a nested expression with lib.pipe 
This avoids a tripple-nested function call,
and it looks slightly simpler (at least to me).
 2021-05-14 05:42:18 +02:00
Yarny0 449647daf5 nixos/hylafax: use lib.types.ints.positive 
I haven't realized earlier that there is
already an option type for postive integers.
 2021-05-14 05:42:17 +02:00
github-actions[bot] bf5d8bb531
Merge master into staging-next 2021-05-14 00:58:11 +00:00
Jan Tojnar ac6a4f7cf5
Merge branch 'staging-next' into staging 2021-05-14 01:40:09 +02:00
Samuel Dionne-Riel 12ede41735
Merge pull request #110435 from superloach/patch-2 
nixos/modules: add "sdhci_pci" to availableKernelModules
 2021-05-13 17:45:22 -04:00
Jens Nolte 22e797947b
nixos/zfs: Add defaultText for 'boot.zfs.package'-option (#122002) 2021-05-13 17:40:10 -04:00
Maximilian Bosch bfd4c121ff
Merge pull request #122637 from mayflower/prometheus-2.26.0 
Prometheus 2.26.0 + exporter updates
 2021-05-13 23:05:29 +02:00
Michael Weiss 60f2af5938
Merge pull request #122605 from primeos/nixos-sway-extend-default-configuration 
nixos/sway: Extend the default configuration for NixOS
 2021-05-13 20:48:55 +02:00
github-actions[bot] 39e3f7c2cc
Merge master into staging-next 2021-05-13 18:32:50 +00:00
Janne Heß 672e64701c
nixos/prometheus: Add support for metric relabeling 2021-05-13 15:59:46 +02:00
Izorkin feebe402f5
treewide: remove duplicates SystemCallFilters 2021-05-13 15:44:56 +03:00
Luke Granger-Brown ca6255bf0b nixos/docker: fix evaluation when NAT is enabled too 
Both networking.nat.enable and virtualisation.docker.enable now want to
make sure that the IP forwarding sysctl is enabled, but the module
system dislikes that both modules contain this option.

Realistically this should be refactored a bit, so that the Docker module
automatically enables the NAT module instead, but this is a more obvious
fix.
 2021-05-13 10:26:45 +00:00
Martin Weinelt bc4a80979b
nixos/prometheus-kea-exporter: init 2021-05-12 21:51:44 +02:00
github-actions[bot] b057978bb2
Merge staging-next into staging 2021-05-12 18:32:29 +00:00
github-actions[bot] f214722172
Merge master into staging-next 2021-05-12 18:32:26 +00:00
midchildan 6567031111
nixos/mirakurun: add polkit rule for smart card access (#122066) 
Fixes #122039
 2021-05-12 13:57:49 -04:00
Sheng Wang e0adda4113
nixos/pam: prioritize safer auth methods over fingerprints 
Currently if fprintd is enabled, pam will ask for fingerprint
regardless of other configured authentication modules (e.g. yubikey).

This change make fingerprint the last resort of authentication before asking for password.
 2021-05-12 13:25:08 +09:00
Aaron Andersen f20aa073e1 nixos/httpd: provide a stable path stable path to the configuration file for reloads 2021-05-11 22:36:55 -04:00
Robin Gloster 9438b12f99
prometheus-collectd-exporter: fix options for new version 2021-05-11 17:57:46 -05:00
Robin Gloster b2956ce654
prometheus-bind-exporter: fix options for new version 2021-05-11 17:57:46 -05:00
Robin Gloster da85657a6c
prometheus-rspamd-exporter: fix for new json exporter syntax 2021-05-11 17:57:46 -05:00
Thomas Tuegel 799f351997
KDE Applications 20.12.3 -> KDE Gear 21.04.0 2021-05-11 12:14:58 -05:00
Michael Weiss 00e8e5b123
nixos/sway: Extend the default configuration for NixOS 
The default config.in template contains
"include @sysconfdir@/sway/config.d/*" but we've dropped it to better
support non-NixOS (which seems like a mistake in retrospect).
This restores that behaviour and extends the default configuration via
nixos.conf to fix #119445.

Note: The security configurations (security.d) where dropped entirely
(but maybe they'll return).
 2021-05-11 18:53:49 +02:00
Jan Tojnar 8380ceb766
nixos/gnome: Allow disabling sysprof 2021-05-11 18:11:01 +02:00
worldofpeace 8ad5d65d09
nixos/gnome: add user docs 
Co-Authored-By: Jan Tojnar <jtojnar@gmail.com>
 2021-05-11 18:10:53 +02:00
github-actions[bot] 1e7a48b474
Merge master into staging-next 2021-05-11 12:24:28 +00:00
Tom 33a4c43126
nixos/tor: fix HidServAuth (#122439) 
* add an example for services.tor.settings.HidServAuth

* fix HidServAuth validation to require ".onion"
  Per https://manpages.debian.org/testing/tor/torrc.5.en.html :
  > Valid onion addresses contain 16 characters in a-z2-7 plus ".onion"
 2021-05-11 10:10:32 +02:00
github-actions[bot] 10e16ec9ab
Merge master into staging-next 2021-05-11 06:20:33 +00:00
Jörg Thalheim 8af4bf61fd
Merge pull request #122423 from Izorkin/update-netdata 
nixos/netdata: update configuration
 2021-05-11 06:07:48 +01:00
github-actions[bot] 49b8e6f7d4
Merge master into staging-next 2021-05-11 00:48:15 +00:00
Robert Schütz 7217b2d85e
Merge pull request #121785 from dotlambda/dendrite-rename 
matrix-dendrite: rename to dendrite
 2021-05-10 23:30:12 +02:00
Joe DeVivo bf92d0ec37 nixos/ssm-agent: conf files written to /etc 
ssm-agent expects files in /etc/amazon/ssm. The pkg substitutes a location in
the nix store for those default files, but if we ever want to adjust this
configuration on NixOS, we'd need the ability to modify that file.

This change to the nixos module writes copies of the default files from the nix
store to /etc/amazon/ssm. Future versions can add config, but right now this
would allow users to at least write out a text value to
environment.etc."amazon/ssm/amazon-ssm-agent.json".text to provide
their own config.
 2021-05-10 13:16:41 -07:00
Samuel Dionne-Riel 37f14fa4d9
Merge pull request #121450 from samueldr/feature/cross-uefi-iso 
iso-image: Fixes for cross-compilation
 2021-05-10 14:42:59 -04:00
github-actions[bot] 61fa3fdde8
Merge master into staging-next 2021-05-10 18:28:17 +00:00
Samuel Dionne-Riel 79752e2310
Merge pull request #121834 from samueldr/feature/raspberrypi4-image-cleanup 
sd_image_raspberrypi4: Remove, as planned initially
 2021-05-10 14:05:02 -04:00
Sandro f0bb4f066a
Merge pull request #95050 from paumr/bind-fmt 2021-05-10 19:06:00 +02:00
Julien Moutinho 7e794a1da2 nixos/davfs2: wrap {,u}mount.davfs with setuid=true 2021-05-10 15:54:52 +02:00
github-actions[bot] 115881e756
Merge master into staging-next 2021-05-10 12:24:32 +00:00
Izorkin 85914bc01d
nixos/netdata: change wrappers permissions 2021-05-10 10:35:51 +03:00
Izorkin 859633ee43
nixos/netdata: use cgroup v2 2021-05-10 10:24:31 +03:00
Izorkin 58497175be
nixos/netdata: cgroup-network: don't use AmbientCapabilities 2021-05-10 10:19:57 +03:00
Michele Guerini Rocco 4cbe186a8a
Merge pull request #121394 from bjornfor/atd-file-creation 
nixos/atd: prefer 'install' over 'mkdir/chmod/chown'
 2021-05-10 08:43:57 +02:00
github-actions[bot] f4d69ad1f2
Merge master into staging-next 2021-05-10 06:20:28 +00:00
Michele Guerini Rocco d0cbcce8d4
Merge pull request #121395 from bjornfor/nixos-wpa-supplicant 
nixos/wpa_supplicant: prefer 'install' over 'touch/chmod/mkdir/chgrp'
 2021-05-10 08:16:39 +02:00
hyperfekt 3e3e763a07 nixos/systemd: enable systemd-pstore.service 
As described in issue #81138, the Install section of upstream units is
currently ignored, so we make it part of the sysinit.target manually.
 2021-05-09 23:21:51 +02:00
hyperfekt 870fa77ff6 nixos/filesystems: mount persistent storage to /sys/fs/pstore 2021-05-09 23:21:32 +02:00
github-actions[bot] bc1f4b790e
Merge master into staging-next 2021-05-09 12:23:16 +00:00
Luke Granger-Brown 491216df02
Merge pull request #122099 from alekna/fix/docker 
nixos/docker: ensure ipv4 forwarding is enabled
 2021-05-09 12:15:16 +01:00
Michele Guerini Rocco e5452226af
Merge pull request #121791 from dotlambda/sudo-execWheelOnly 
nixos/sudo: add option execWheelOnly
 2021-05-09 10:04:15 +02:00
Vladimír Čunát 5663b2b2d3
Merge branch 'master' into staging-next 
(a trivial conflict in transmission)
 2021-05-09 09:31:55 +02:00
Robert Schütz 5624aa9f81 nixos/sudo: add option execWheelOnly 
By setting the executable's group to wheel and permissions to 4510, we
make sure that only members of the wheel group can execute sudo.
 2021-05-08 23:48:00 +02:00
paumr 5390d4b946 nixos/bind: formatted with nixpkgs-fmt 2021-05-08 23:13:58 +02:00
Robert Schütz 314a64a026 nixos/znc: fix example 2021-05-08 22:54:19 +02:00
Robert Schütz 5986f233a6 nixos/znc: remove trailing slash from dataDir 2021-05-08 22:54:19 +02:00
Robert Schütz 4400ee83ec nixos/znc: harden systemd unit 2021-05-08 22:54:15 +02:00
Robert Hensing 4433ba90aa
Merge pull request #121927 from rissson/nixos-unbound-fix-top-level-include 
nixos/unbound: allow list of strings in top-level settings option type
 2021-05-08 22:00:57 +02:00
github-actions[bot] 6d46d8a9b9
Merge master into staging-next 2021-05-08 18:22:46 +00:00
Hedtke, Moritz 7a80d281ed
nixos/containers: Increase startup timeout for imperative containers 
Changed the startup timeout from 15 seconds to one minute as 15 seconds is really low.
Also it's currently not possible to change it without editing your system configuration.
 2021-05-08 19:59:20 +02:00
Laurynas Alekna 9317570735 nixos/docker: ensure ipv4 forwarding is enabled 
Fixes #118656
 2021-05-08 18:58:24 +01:00
Marc 'risson' Schmitt 0340cd2abe
nixos/unbound: allow list of strings in top-level settings option type 
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
 2021-05-08 19:55:17 +02:00
Aaron Andersen 9254b82706
Merge pull request #121746 from j0hax/monero-options 
nixos/monero: add dataDir option
 2021-05-08 11:43:49 -04:00
Martin Weinelt 9651084620 Merge remote-tracking branch 'origin/master' into staging-next 2021-05-08 14:43:43 +02:00
Vladimír Čunát 080cd658ca
Merge #121780: treewide meta.maintainers tweaks 2021-05-08 10:47:08 +02:00
Gemini Lasswell 28f51d7757 nixos/yggdrasil: set directory permissions before writing keys 
Remove the opportunity for someone to read the keys in between when
they are written and when the chmod is done.  Addresses #121293.
 2021-05-08 09:49:19 +02:00
Jan Tojnar 468cb5980b gnome: rename from gnome3 
Since GNOME version is now 40, it no longer makes sense to use the old attribute name.
 2021-05-08 09:47:42 +02:00
github-actions[bot] e21fb16f9a
Merge master into staging-next 2021-05-08 06:20:05 +00:00
Silvan Mosberger 08d94fd2b0
Merge pull request #114374 from oxalica/lib/platform-support-check 
lib.meta: introduce `availableOn` to check package availability on given platform
 2021-05-08 03:54:36 +02:00
github-actions[bot] b4416b52c5
Merge master into staging-next 2021-05-08 00:46:50 +00:00
Johannes Arnold c0853b6e2c nixos/monero: use isSystemUser = true 2021-05-08 02:13:25 +02:00
Michele Guerini Rocco 4e4869b92b
Merge pull request #114745 from rnhmjoj/brltty 
brltty: 6.1 -> 6.3; nixos/brltty: use upstream units
 2021-05-07 23:35:57 +02:00
Domen Kožar 8ecb0344a0
Merge pull request #121720 from samueldr/feature/arm-stage-1-modules 
installer images: Add available modules to stage-1 on ARM platforms
 2021-05-07 22:01:09 +02:00
Evils 5ae90276c3 nixos/fancontrol: clean up module 
set a group and user for the service
remove default null config
  it's required, now it throws an error pointing to the option

set myself (module author) as maintainer
 2021-05-07 11:46:40 -07:00
github-actions[bot] 1ae6d3d02f
Merge master into staging-next 2021-05-07 18:24:29 +00:00
Robin Gloster 29e92116d1
Merge pull request #118037 from mayflower/privacy-extensions-configurable 
nixos/network: allow configuring tempaddr for undeclared interfaces
 2021-05-07 13:01:29 -05:00
ajs124 cd609e7a1c
Merge pull request #117094 from helsinki-systems/drop/spidermonkey_1_8_5 
spidermonkey_1_8_5: drop
 2021-05-07 18:55:49 +02:00
Robert Hensing 316b82563a
Merge pull request #121702 from hercules-ci/nixos-hercules-ci-agent-update 
nixos/hercules-ci-agent: updates
 2021-05-07 15:48:33 +02:00
Vladimír Čunát 9f054b5e1a
treewide: remove worldofpeace from meta.maintainers 
(It was requested by them.)
I left one case due to fetching from their personal repo:
pkgs/desktops/pantheon/desktop/extra-elementary-contracts/default.nix
 2021-05-07 15:36:40 +02:00
github-actions[bot] 12193913a1
Merge staging-next into staging 2021-05-07 12:23:21 +00:00
Jan Tojnar 9468b07326
Merge branch 'gnome-40' 2021-05-07 12:12:40 +02:00
github-actions[bot] e5f4def056
Merge staging-next into staging 2021-05-07 00:46:58 +00:00
Robert Hensing 0633b6aa74
Merge pull request #121870 from Pacman99/pass-specialargs 
lib/modules: pass specialArgs to modules
 2021-05-07 01:54:48 +02:00
Pacman99 87c659ab94 nixos/top-level: specialArgs to specialisations 2021-05-06 16:04:08 -07:00
John Ericson a3e54cb582 Merge remote-tracking branch 'upstream/staging-next' into staging 2021-05-06 15:48:25 -04:00
Sander van der Burg 77295e7e6b nixos/disnix: configure the remote client by default, if multi-user mode has been enabled 2021-05-06 19:33:02 +02:00
Martin Weinelt 6a09bc4405
Merge pull request #121865 from mweinelt/home-assistant 2021-05-06 18:05:00 +02:00
Martin Weinelt 24adc01e2e
nixos/home-assistant: allow netlink sockets and /proc/net inspection 
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.

It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.

This leaves us with these options unsecured:

✗ PrivateNetwork=                                             Service has access to the host's network                                                                 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                    0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                                       0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                         0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                                       0.2
✗ PrivateUsers=                                               Service has access to other users                                                                        0.2
✗ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed)      0.2
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                                     0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                            0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                                                   0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                       0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                       0.1

→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
 2021-05-06 16:55:53 +02:00
Jörg Thalheim 4e783a4cb7
Merge pull request #121724 from Izorkin/update-netdata 
netdata: 1.29.3 -> 1.30.1
 2021-05-06 14:58:33 +01:00
github-actions[bot] c63e69cd89
Merge staging-next into staging 2021-05-06 12:23:32 +00:00
Maximilian Bosch a50b9e6c23
Merge pull request #113716 from Ma27/wpa_multiple 
wpa_supplicant: allow both imperative and declarative networks
 2021-05-06 11:01:35 +02:00
Simon Thoby 1bdda029cd nixos/services/torrent/transmission.nix: add a missing apparmor rule 
libbrotli wasn't listed as a dependency for the AppArmor profile of the transmission-daemon binary.
As a result, transmission wouldn't run and would fail, logging this audit message to dmesg:
audit[11595]: AVC apparmor=DENIED operation=open profile=/nix/store/08i1rmakmnpwyxpvp0sfc5hcm106am7w-transmission-3.00/bin/transmission-daemon name=/proc/11595/environ pid=11595 comm=transmission-da requested_mask=r denied_mask=r fsuid=70 ouid=70
 2021-05-05 22:47:52 +02:00
Jan Tojnar 878abc6488
nixos/gnome3: Install GNOME Tour 
It will be run after startup.
 2021-05-05 22:43:02 +02:00
Jan Tojnar 316928e8c1
nixos/gnome3: Enable power-profiles-daemon 
GNOME 40 added support for it in Control Center.
 2021-05-05 22:43:01 +02:00
Jan Tojnar 49ae2e4c26
gnome3.gnome-getting-started-docs: drop 
It has been retired

https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/353
 2021-05-05 22:43:01 +02:00
Jan Tojnar d2e141e412
gnome3.gdm: 3.38.2.1 → 40.0 2021-05-05 22:42:32 +02:00
Samuel Dionne-Riel 6cb46a3897 sd_image_raspberrypi4: Remove, as planned initially 
The replacement is the generic AArch64 image.

From there, you can customize an image that works better for your
needs, if need be.
 2021-05-05 16:19:13 -04:00
Izorkin 53651179b9
nixos/netdata: update capabilities 2021-05-05 20:46:07 +03:00
github-actions[bot] af9d9374fa
Merge staging-next into staging 2021-05-05 12:23:47 +00:00
Robert Schütz f82c6fdfd5 nixos/matrix-dendrite: rename to dendrite 2021-05-05 12:38:02 +02:00
Robert Schütz 007cab9644 matrix-dendrite: rename to dendrite 
No other distro calls it matrix-dendrite:
https://repology.org/project/matrix-dendrite
 2021-05-05 12:37:04 +02:00
Robert Hensing ce93c98ce2
Merge pull request #99132 from Infinisil/recursive-type-deprecation 
Recursive type deprecation
 2021-05-05 11:13:37 +02:00
Jörg Thalheim 503b937542
nixos/buildkite-agents: fix race-condition when installing secrets 2021-05-05 06:56:06 +02:00
Silvan Mosberger 0a377f11a5 nixos/treewide: Remove usages of deprecated types.string 2021-05-05 03:31:41 +02:00
github-actions[bot] 68e3ba2b1d
Merge staging-next into staging 2021-05-05 00:46:07 +00:00
Samuel Dionne-Riel 1cb977c858 sd-image: Rely on profiles/all-hardware.nix 
This ensures that SD images and UEFI installers don't drift in
compatibility with regards to early initrd.
 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel cb9b46a3cd profiles/all-hardware.nix: Add vc4 for broadcom hardware 
Namely, early KMS on raspberry pi
 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel f5b7687d26 profiles/all-hardware.nix: Share some config for all ARM 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel 14ac6de024 profiles/all-hardware.nix: Fix for arvmv7l-linux 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel 82625705c6 profiles/all-hardware.nix: Add analogix-dp 
While it's being brought in implicitly by the other analogix driver,
let's be explicit, in case things change.
 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel 9fa3e2c2a3 profiles/all-hardware.nix: Add regulator needed for rockchip 
But not exclusive to rockchip
 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel 535d463cf9 profiles/all-hardware.nix: Add rockchip modules 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel 70205bd13c profiles/all-hardware.nix: Add support for Raspberry Pi 4 USB 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel a846d19831 profiles/all-hardware.nix: Add power regulator modules 
This is used on some allwinner platforms, and is a weak dependency for
USB to work.
 2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel a8af02fe6d profiles/all-hardware.nix: Add modules for integrated displays 
Namely, this is used by the pinebook's display
 2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel 5bc36c1b30 profiles/all-hardware.nix: Add support for Allwinner hardware 2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel c60de92917 profiles/all-hardware.nix: Add simplefb for AArch64 2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel 556fc32d69 iso-image: Build using strictDeps 2021-05-04 19:37:49 -04:00
Samuel Dionne-Riel f1100e1506 iso-image: Add support for armv7l-linux 2021-05-04 19:37:49 -04:00
Samuel Dionne-Riel d053c05d19 iso-image: Fixes for cross-compilation 
Note that here, since it's not a in a callPackage call, splicing won't
work on nativeBuildInputs.
 2021-05-04 19:37:48 -04:00
Samuel Dionne-Riel 385dc32fa8
Merge pull request #119974 from samueldr/feature/grub-gfx-aarch64 
iso-image: Fix GRUB graphical menu on AArch64
 2021-05-04 19:36:40 -04:00
Johannes Arnold ff65166f44 nixos/monero: fix typo 2021-05-04 21:57:21 +00:00
Johannes Arnold 7cf3ffbddd nixos/monero: add dataDir option 2021-05-04 21:56:45 +00:00
github-actions[bot] 4cbb35eba8
Merge staging-next into staging 2021-05-04 18:21:27 +00:00
Izorkin 9aad915539
nixos/netadata: add required packages 2021-05-04 21:02:23 +03:00
talyz deb58f6486 nixos/keycloak: Document how to use a custom local database 2021-05-04 19:27:08 +02:00
talyz fdf6bb5b95 Revert "nixos/keycloak: use db username in db init scripts" 
This reverts commit d9e18f4e7f.

This change is broken, since it doesn't configure the proper database
username in keycloak when provisioning a local database with a custom
username. Its intended behavior is also potentially confusing and
dangerous, so rather than fixing it, let's revert to the old one.
 2021-05-04 19:27:08 +02:00
Robert Schütz 762be5c86d nixos/radicale: harden systemd unit 2021-05-04 17:43:26 +02:00
Robert Hensing 519a435b08 nixos/hercules-ci-agent: Set default labels 2021-05-04 16:29:05 +02:00
Robert Hensing 4abd56732e nixos/hercules-ci-agent: Set default concurrency to auto 2021-05-04 16:28:31 +02:00
github-actions[bot] dfafc173e0
Merge staging-next into staging 2021-05-04 12:23:31 +00:00
Michele Guerini Rocco 93c5837be5
Merge pull request #121512 from rnhmjoj/searx 
searx: set settings.yml permissions using umask
 2021-05-04 11:43:12 +02:00
markuskowa 741ed21bea
Merge pull request #121336 from markuskowa/upd-slurm 
nixos/slurm: 20.11.5.1 -> 20.11.6.1, improve security
 2021-05-04 11:00:35 +02:00
Robert Schütz 022c5b0922 nixos/radicale: add settings option 
The radicale version is no longer chosen automatically based on
system.stateVersion because that gave the impression that old versions
are still supported.
 2021-05-04 10:22:05 +02:00
github-actions[bot] 77c79724e3
Merge staging-next into staging 2021-05-04 06:20:26 +00:00
Silvan Mosberger 37e2fbda39
Merge pull request #121449 from endgame/metadata-fetcher-umask 
metadata fetchers: use umask instead of fetch-and-chmod
 2021-05-04 03:39:38 +02:00
github-actions[bot] 98d7aac597
Merge staging-next into staging 2021-05-04 00:49:43 +00:00
Aaron Andersen aebebb5752
Merge pull request #119325 from ymarkus/bookstack 
bookstack: 0.31.7 -> 21.04.3 + nixos/bookstack: use umask before echoing & clear cache before starting
 2021-05-03 20:19:39 -04:00
Andreas Rammhold 3ec6977d30
Merge pull request #89572 from rissson/nixos/unbound 
nixos/unbound: add settings option, deprecate extraConfig
 2021-05-03 21:49:24 +02:00
Luke Granger-Brown 62f675eff6
Merge pull request #121558 from sumnerevans/fix-airsonic-service 
airsonic: force use of jre8
 2021-05-03 20:43:00 +01:00
Marc 'risson' Schmitt 52f6733203
nixos/unbound: deprecate extraConfig in favor of settings 
Follow RFC 42 by having a settings option that is
then converted into an unbound configuration file
instead of having an extraConfig option.

Existing options have been renamed or kept if
possible.

An enableRemoteAccess has been added. It sets remote-control setting to
true in unbound.conf which in turn enables the new wrapping of
unbound-control to access the server locally.  Also includes options
'remoteAccessInterfaces' and 'remoteAccessPort' for remote access.

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
 2021-05-03 21:27:15 +02:00
Luke Granger-Brown 0f39652cee
Merge pull request #120800 from MetaDark/undistract-me 
undistract-me: init at unstable-2020-08-09
 2021-05-03 20:22:04 +01:00
Silvan Mosberger a221e6c330
Merge pull request #121172 from eyJhb/bind-list-to-attrs 
nixos/bind: refactor zones from a list to attrset
 2021-05-03 21:21:22 +02:00
github-actions[bot] 5e177b16b1
Merge staging-next into staging 2021-05-03 18:25:49 +00:00
Kira Bruneau a24d0ab51b modules/programs/bash: add support for undistract-me 2021-05-03 14:25:02 -04:00
Kira Bruneau 62a78fc361 modules/programs/bash: move prompt plugins into separate modules 2021-05-03 14:24:24 -04:00
Jean-Baptiste Giraudeau 62f241d445 nixos/oauth2_proxy_nginx: add nginx config only if oauth2_proxy is enabled. 2021-05-03 11:23:03 -07:00
Silvan Mosberger 0111666954
Merge pull request #109561 from mjlbach/init_matrix_dendrite 
matrix-dendrite: init at 0.3.11
 2021-05-03 20:16:27 +02:00
eyjhb 757a455dde
nixos/bind: refactor zones from a list to attrset 
This commit uses coercedTo to make zones a attrset instead of list.
Makes it easier to access/change zones in multiple places.
 2021-05-03 20:04:42 +02:00
Michael Lingelbach ff43bbe53e matrix-dendrite: add nixos module 2021-05-03 10:12:24 -07:00
Luke Granger-Brown 049850341e
Merge pull request #121540 from lukegb/postfix-compat 
nixos/tests/rspamd: fix OOM flakyness
 2021-05-03 17:36:46 +01:00
Martin Weinelt d23610ae65
Merge pull request #121209 from mweinelt/pinnwand 2021-05-03 18:24:45 +02:00
Florian Klink d4e149c8ff
Merge pull request #120048 from flokli/inotify-max-user-instances 
nixos/xserver: set fs.inotify.max_user_instances too
 2021-05-03 17:45:41 +02:00
Sumner Evans 6dde6bf3bf
airsonic: force use of jre8 2021-05-03 09:41:04 -06:00
Luke Granger-Brown a0da004326
Merge pull request #121376 from urbas/amazon-init-shell-script-support 
nixos/amazon-init: add user-data shell script support
 2021-05-03 16:01:26 +01:00
Martin Weinelt fda2ff4edc
nixos/pinnwand: add reaper systemd unit/timer 
The reap function culls expired pastes outside of the process serving
the pastes. Previously the database could accumulate a large number of
pastes and while they were expired they would not be deleted unless
accessed from the frontend.
 2021-05-03 16:52:05 +02:00
Yannick Markus 336f3607d4
nixos/bookstack: use umask before echoing & clear cache before starting 2021-05-03 16:27:38 +02:00
Silvan Mosberger 3e930b7e4a
Merge pull request #121294 from nh2/issue-121288-wireguard-fix-chmod-race 
wireguard module: generatePrivateKeyFile: Fix chmod security race
 2021-05-03 16:24:42 +02:00
ajs124 29bcaf04cb couchdb2: drop 2021-05-03 15:41:42 +02:00
Martin Weinelt ac4b47f823
nixos/pinnwand: improve settings behaviour 
Individual settings would previously overwrite the whole config, but
now individual values can be overwritten.

Fix missing slash to make the database path an absolute path per
https://docs.sqlalchemy.org/en/14/core/engines.html#sqlite.

Drop preferred_lexers, it's not set to anything meaningful anyway.
 2021-05-03 15:18:12 +02:00
Silvan Mosberger 1245d855b8
Merge pull request #119426 from onixie/master 
nixos/kubernetes: allow merging multiple definitions of extraOpts
 2021-05-03 14:32:00 +02:00
github-actions[bot] a4c3a2d732
Merge staging-next into staging 2021-05-03 12:26:48 +00:00
Robert Hensing 0cf3550c91
Merge pull request #121124 from hercules-ci/cassandra-tidy 
cassandra: tidy
 2021-05-03 13:41:41 +02:00
José Romildo Malaquias 8073df31a5
Merge pull request #121046 from romildo/fix.xfce 
xfce: does not explicitly require a gvfs package
 2021-05-03 08:14:56 -03:00
Luke Granger-Brown 4b42da3d85
Merge pull request #120791 from mweinelt/babeld 
babeld: 1.9.2 -> 1.10
 2021-05-03 10:00:12 +01:00
Luke Granger-Brown d922cad4d6
Merge pull request #119172 from midchildan/package/trafficserver 
nixos/trafficserver: init
 2021-05-03 09:48:07 +01:00
rnhmjoj 9ea6c1979c
nixos/searx: set settings.yml permissions using umask 
This should solve a leakage of secrets as suggested in #121293
 2021-05-03 09:53:50 +02:00
github-actions[bot] afe3fd192f
Merge staging-next into staging 2021-05-03 00:53:51 +00:00
Martin Weinelt d67fc76603
Merge pull request #120536 from mweinelt/mosquitto 2021-05-03 00:41:21 +02:00
Martin Weinelt f41349d30d
nixos/home-assistant: Restart systemd unit on restart service 
Home-assistant through its `--runner` commandline flag supports sending
exit code 100 when the `homeassistant.restart` service is called.

With `RestartForceExitStatus` we can listen for that specific exit code
and restart the whole systemd unit, providing an actual clean restart
with fresh processes. Additional treat exit code 100 as a successful
termination.
 2021-05-03 00:21:25 +02:00
Martin Weinelt 7d09d7f571
nixos/home-assistant: harden systemd service 
This is what is still exposed, and it should still allow things to work
as usual.

✗ PrivateNetwork=                    Service has access to the host's …      0.5
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc…      0.3
✗ DeviceAllow=                       Service has a device ACL with som…      0.1
✗ IPAddressDeny=                     Service does not define an IP add…      0.2
✗ PrivateDevices=                    Service potentially has access to…      0.2
✗ PrivateUsers=                      Service has access to other users       0.2
✗ SystemCallFilter=~@resources       System call allow list defined fo…      0.2
✗ RootDirectory=/RootImage=          Service runs within the host's ro…      0.1
✗ SupplementaryGroups=               Service runs with supplementary g…      0.1
✗ RestrictAddressFamilies=~AF_UNIX   Service may allocate local sockets      0.1

→ Overall exposure level for home-assistant.service: 1.6 OK :-)

This can grow to as much as ~1.9 if you use one of the bluetooth or nmap
trackers or the emulated_hue component, all of which required elevated
permisssions.
 2021-05-03 00:21:24 +02:00
Luke Granger-Brown 649672e76e nixos/postfix: fix compatibility level 
Postfix has started outputting an error on startup that it can't parse
the compatibility level 9999.

Instead, just set the compatibility level to be identical to the current
version, which seems to be the (new) intent for the compatibility level.
 2021-05-02 21:49:33 +00:00
github-actions[bot] e6037ce5fe
Merge staging-next into staging 2021-05-02 00:58:46 +00:00
Samuel Dionne-Riel cb5c4fcd3c iso-image: Hide rEFInd from menu in known non-working situations 
Looks like GRUB has issues loading EFI binaries from (cd0), which is
what would be used in e.g. qemu with OVMF with `-cdrom`. Apparently also
what is used with AArch64 + U-Boot USB.
 2021-05-01 19:53:14 -04:00
Samuel Dionne-Riel 9413da26fd iso-image: Provide the right rEFInd binary 2021-05-01 19:53:14 -04:00
Samuel Dionne-Riel 189507a35d iso-image: Make graphical output work properly on AArch64 
The serial output (but it's named console, not serial actually) causes
issues on U-Boot's EFI, at the very least.

This is inspired by OpenSUSE's approach:

 * https://build.opensuse.org/package/view_file/Base:System/grub2/grub2-SUSE-Add-the-t-hotkey.patch

Where they add a hidden menu entry, which can be used to force the
console output.

The `echo` will be visible on the serial terminal (grub "console"),
while the graphical interface is shown. Note that input in the serial
terminal (grub "console") will continue controlling the graphical
interface. Useful if you have an SBC connectedinto an HDMI monitor, but
no keyboard connected to it.
 2021-05-01 19:53:13 -04:00
Samuel Dionne-Riel 20d0824b15 iso-image: Fix grub file load location 
With U-Boot UEFI, (hd0) is not the USB drive, it is (cd0).

Though, it turns out we never needed to prefix the path!
 2021-05-01 19:48:57 -04:00
Jack Kelly 5ea55e4ed0 metadata fetchers: use umask instead of fetch-and-chmod 2021-05-02 08:28:59 +10:00
Maximilian Bosch 040f0acccd
Merge pull request #121299 from Ma27/gitea-umask 
nixos/gitea: set umask for secret creation
 2021-05-02 00:06:20 +02:00
José Romildo Malaquias 472f5a976d xfce: does not explicitly require a gvfs package 
- In order to use GIO/GVFS it is enough to enable the gvfs service.

- The module option services.gvfs.package can be used to choose a
  variation of the gvfs package, if desired.
 2021-05-01 18:21:57 -03:00
github-actions[bot] 49721bed32
Merge staging-next into staging 2021-05-01 18:26:21 +00:00
Luke Granger-Brown 152fa5414c
Merge pull request #120209 from considerate/considerate/multiple-tags-buildkite-agents 
services.buildkite-agents: support multi-tags
 2021-05-01 19:07:56 +01:00
Martin Weinelt a2d1d16af8
nixos/mosquitto: Migrate away from bind_address/port config keys 
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.

> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.

Fixes: #120860
 2021-05-01 19:46:48 +02:00
Martin Weinelt 33e867620e
nixos/mosquitto: harden systemd unit 
It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
 2021-05-01 19:46:48 +02:00
Jan Tojnar 1733bade1a
Merge pull request #121226 from zhaofengli/librem-take2 
phosh: init at 0.10.2
 2021-05-01 18:41:50 +02:00
Luke Granger-Brown be598f3980
Merge pull request #120541 from pennae/fail2ban 
nixos/fail2ban: add maxretry/extraPackages options
 2021-05-01 15:09:24 +01:00
Bjørn Forsman 5d47dc750f nixos/wpa_supplicant: prefer 'install' over 'touch/chmod/mkdir/chgrp' 
Ref #121293.
 2021-05-01 15:34:04 +02:00
Bjørn Forsman 225d915e5c nixos/atd: prefer 'install' over 'mkdir/chmod/chown' 
I don't think there was a security issue here, but using 'install' is
preferred.

Ref #121293.
 2021-05-01 15:16:19 +02:00
Sandro ac72d9acfe
Merge pull request #91955 from c00w/expand 
sd-image: Add option to control sd image expansion on boot.
 2021-05-01 14:52:07 +02:00
Luke Granger-Brown d76b075e3c
Merge pull request #121246 from thblt/master 
nixos/pcscd: ensure polkit rules are loaded (fix #121121)
 2021-05-01 13:30:45 +01:00
Zhaofeng Li 31a32eeed3 nixos/phosh: init 
Co-authored-by: Blaž Hrastnik <blaz@mxxn.io>
Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
Co-authored-by: Jordi Masip <jordi@masip.cat>
 2021-05-01 06:55:02 +00:00