3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

7314 commits

Author SHA1 Message Date
Joachim Fasting 06520c7fb7
nixos/dnscrypt-proxy: indicate update status
Make it easier for the user to tell when the list is updated
and, at their option, see what changed.
2017-03-08 19:07:53 +01:00
Joachim Fasting 5f27abec23
nixos/dnscrypt-proxy: more fs isolation for the updater
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available.  We
filter mount syscalls to prevent the process from undoing the fs
isolation.
2017-03-08 19:07:51 +01:00
Joachim Fasting e72aaa73ea
nixos/dnscrypt-proxy: support updating before nss is up
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.

We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
2017-03-08 19:07:50 +01:00
Joachim Fasting adf044e1fb
nixos/dnscrypt-proxy: refactoring
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...).  Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
2017-03-08 19:07:44 +01:00
Parnell Springmeyer 4c751ced37
security-wrapper: Don't remove the old paths yet as that can create migration pain 2017-03-08 08:57:52 -06:00
Profpatsch 22c265182f networking/bonds: fix examples
After the change of the bonding options, the examples were not quite correct.
The diff is over-the top because the new `let` needs everything indented.

Also add a small docstring to the `networkd` attr in the networking test.
2017-03-08 04:54:17 +01:00
Graham Christensen 9e6ae2f60a Merge pull request #23441 from oxij/pkg/pretty-xen
xen: modular expression
2017-03-07 18:52:40 -05:00
Franz Pletz 9ea35eae7a
nixos/users-groups: chown home on createHome
Fixes #23619.
2017-03-08 00:29:20 +01:00
Daniel Ehlers 0bd211d84f
ddclient: Make verbose logging deactivatable. 2017-03-07 22:03:22 +01:00
Franz Pletz d7674dabba
phpfpm service: fix phpOptions
Broken due to #23216.
2017-03-07 15:08:55 +01:00
Joachim Fasting 15da23d5c1
nixos/modules: use defaultText/literalExample where applicable
Primarily to fix rendering of default values/examples but also
to avoid unnecessary work.
2017-03-07 14:06:08 +01:00
Joachim Fasting 540163e4a4
search module: add missing types 2017-03-07 14:06:02 +01:00
Tom 9a7bad2c17 networkmanager service: support changing the mac-address (#23464)
Set `networking.networkmanager.wifi.macAddress` or `networking.networkmanager.ethernet.macAddress`
to one of these values to change your macAddress.

* "XX:XX:XX:XX:XX:XX": set the MAC address of the interface.
* "permanent": use the permanent MAC address of the device.
* "preserve": don’t change the MAC address of the device upon activation.
* "random": generate a randomized value upon each connect.
* "stable": generate a stable, hashed MAC address.

See https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/ for more information
2017-03-07 03:50:37 +01:00
Graham Christensen 2027f8e74a Merge pull request #23522 from oxij/nixos/mstpd-rstp
nixos: network-interfaces-scripted: don't require mstpd when rstp is off
2017-03-06 20:42:44 -05:00
Graham Christensen 710973e354 Merge pull request #23492 from zarelit/xfce_lockscreen
xfce: add screenLock option
2017-03-06 19:42:47 -05:00
Fernando J Pando 9f062c2c0b buildbot: 0.9.3 -> 0.9.4
- adds jwt
- adds module tests
- master.cfg as path in module
- fix systemd worker config
- builds on darwin
- tested on nixos
2017-03-07 00:45:37 +01:00
Graham Christensen 0705346de4 Merge pull request #23512 from matthiasbeyer/doc-fix-xfce
doc: Remove indention from program listings
2017-03-06 17:33:13 -05:00
Joachim Schiele f8ad48ea1d nixos/tests/leaps.nix: fixed race condition 2017-03-06 21:33:21 +01:00
Joachim Fasting f278793fdb
btsync module: remove redundant example
The default value already gives a good example of what values to
put here.
2017-03-06 15:59:23 +01:00
Eelco Dolstra d72a34311a
Remove nixFallback
This causes unintended schema upgrades, and is no longer needed now
that we have nixos/modules/installer/tools/nix-fallback-paths.nix.
2017-03-06 15:54:50 +01:00
Wei Tang 99013f853a
jenkins-job-builder: allow setting access tokens for reloading 2017-03-06 07:57:01 -05:00
Jörg Thalheim 4487a993b2 Merge pull request #23396 from mayflower/feature/zfs-auto-scrub
zfs.autoScrub service: init
2017-03-06 13:51:25 +01:00
timor f40b961378 couchdb: add support for version 2.0.0
Version 2.0.0 is installed as a separate package called "couchdb2".
When setting the config option "package" attribute to pkgs.couchdb2, a
corresponding service configuration will be generated.  If a previous
1.6 installation exists, the databases can still be found on the local
port (default: 5986) and can be replicated from there.

Note that single-node or cluster setup still needs to be configured
manually, as described in
http://docs.couchdb.org/en/2.0.0/install/index.html.
2017-03-06 11:42:02 +01:00
Jörg Thalheim 947815f59f
fcron: 3.1.2 -> 3.2.1
fixes #23320 #23413
2017-03-05 22:41:11 +01:00
Jesper Geertsen Jonsson 056e57678d
grsecurity docs: fix syntax and indentation errors
Closes https://github.com/NixOS/nixpkgs/pull/23515
2017-03-05 16:05:43 +01:00
Jan Malakhovski 55996b8daf nixos: network-interfaces-scripted: don't require mstpd when rstp is off 2017-03-05 14:40:59 +00:00
Jan Malakhovski 442b8d49d0 nixos: xen: make packages configurable 2017-03-05 14:01:17 +00:00
Matthias Beyer 87f57de8e5 Wrap command in <command> 2017-03-05 14:21:45 +01:00
Matthias Beyer 0a18a56375 nixos doc xfce: Tabs -> spaces 2017-03-05 14:20:49 +01:00
Matthias Beyer 1e3dec3baa nixos doc xfce: Fix missing space 2017-03-05 14:20:48 +01:00
Matthias Beyer c56587eb30 doc: Remove indention from program listings 2017-03-05 14:20:47 +01:00
Daiderd Jordan 35a65a6704
release-nodes: move disabledModules to 17.09 2017-03-05 14:17:00 +01:00
Bjørn Forsman 316e7d6764 nixos/nix-daemon: doc: use literalExample
Makes the example more readable by not squashed everything onto one
single line.
2017-03-05 14:07:23 +01:00
Jaka Hudoklin f5d81ed79b Merge pull request #20904 from offlinehacker/nixos/xserver/xpra
Add xpra display-manager
2017-03-05 01:32:23 +01:00
Thomas Tuegel cc7c3c6bb8
nixos/plasma5: set GST_PLUGIN_SYSTEM_PATH_1_0 to list of paths 2017-03-04 16:31:22 -06:00
Thomas Tuegel 286b007bd3
nixos/fontconfig: lift some settings out of fontconfig.ultimate 2017-03-04 14:59:24 -06:00
Thomas Tuegel 42cf524f2d
nixos/plasma5: set default fonts for Plasma desktop 2017-03-04 14:59:11 -06:00
David Costa fc6c50f1b5 xfce: add screenLock option
screenLock option is needed to provide at least one application for
xflock4 to lock the screen
2017-03-04 18:01:02 +01:00
Léo Gaspard 0e2bd7e248 openldap module: fix paths for example includes 2017-03-04 13:30:29 +01:00
Thomas Strobel b9a7aacef7 improve: modules/virtualisation/qemu-vm.nix
disk image for qemu VM with bootloader:
* remove redundant command
* improve readability
* improve execution speed
* make output more reproducible
2017-03-04 11:31:47 +01:00
Thomas Strobel 0a8d9779c5 fix: "nixos-rebuild build-vm-with-bootloader" 2017-03-03 19:14:20 +01:00
Eelco Dolstra 3971876585
nix-daemon: Remove a bunch of unnecessary environment variables 2017-03-03 16:50:37 +01:00
Eelco Dolstra 3070c88798
Fix incorrect $NIX_BUILD_HOOK on Nix 1.12 2017-03-03 16:50:26 +01:00
Eelco Dolstra 136f77b7b9
nixos-rebuild: Sync /nix/store only
We only care about /nix/store because its contents might be out of
sync with /nix/var/nix/db. Syncing other filesystems might cause
unnecessary delays or hangs (e.g. I encountered a case where an NFS
mount was taking a very long time to sync).
2017-03-03 16:50:25 +01:00
Thomas Tuegel 044c7d091b Merge pull request #23388 from ttuegel/nixos-plasma5
NixOS: Plasma 5 tests and warnings
2017-03-03 09:50:08 -06:00
Thomas Tuegel ecb65eceaa
nixos/doc/manual: rename plasma5 desktop 2017-03-03 07:29:16 -06:00
Thomas Tuegel d91637c546
nixos-generate-config: rename plasma5 desktop 2017-03-03 07:28:29 -06:00
Thomas Tuegel 8e6bdcc731
nixos: fix renaming warning in graphical profile 2017-03-03 07:27:41 -06:00
Thomas Tuegel 60817e4715
nixos/tests/trac: fix renaming warning 2017-03-03 07:26:51 -06:00
Thomas Tuegel e7b0b2bb66
nixos/tests/phabricator: fix renaming warning 2017-03-03 07:26:17 -06:00
Thomas Tuegel dcee54c935
nixos/tests/plasma5: fix test name 2017-03-03 07:25:45 -06:00
Thomas Tuegel 7755fcd543
nixos: fix renaming warning in KDE closure 2017-03-03 07:24:58 -06:00
Daiderd Jordan d88721e440
modules: add support for module replacement with disabledModules
This is based on a prototype Nicolas B. Pierron worked on during a
discussion we had at FOSDEM.

A new version with a workaround for problems of the reverted original.
Discussion: https://github.com/NixOS/nixpkgs/commit/3f2566689
2017-03-03 13:45:22 +01:00
Dan Peebles 3f116702cc buildbot-master module: fix overly restrictive option type for masterCfg 2017-03-03 01:33:18 +00:00
Florian Jacob 518e5c09a8 avahi-daemon service: Add option to enable point-to-point interfaces. 2017-03-02 23:52:08 +01:00
Franz Pletz 7566b36259
zfs.autoScrub service: init 2017-03-02 17:13:54 +01:00
Thomas Tuegel 0da421ce17
nixos/tests: fix Plasma 5 test 2017-03-02 07:01:42 -06:00
Thomas Tuegel 80e883a7c3
iso_graphical: fix warning about Plasma 5 desktop module name 2017-03-02 07:01:34 -06:00
Gregor Kleen 3deb85bc63 locate: fix security.wrappers 2017-03-02 13:41:31 +01:00
Vladimír Čunát 45344fdf19
tested job: drop the hibernate test on i686 for now
/cc #23107.
2017-03-02 07:28:47 +01:00
Vladimír Čunát fcec3e1c72
Revert "modules: add support for module replacement with disabledModules"
This reverts commit 3f2566689d for now.
Evaluation of the tested job got broken, blocking nixos-unstable.
2017-03-01 21:56:01 +01:00
Nikolay Amiantov 516a7fc7bd kmscon service: disable systemd-vconsole-setup
cc #22470.
2017-03-01 13:47:34 +03:00
Vladimír Čunát b43614a6bb
Merge branch 'staging'
(Truly, this time :-)
2017-03-01 11:34:44 +01:00
Nikolay Amiantov a6c6d08430 samba test: fix race condition 2017-03-01 03:16:35 +03:00
Nikolay Amiantov 2e80b50a7e cura, curaengine: 14.04 -> 2.4.0
Move old Cura to {cura,curaengine}_stable
2017-03-01 02:23:18 +03:00
Susan Potter 251b9ca0e7
nginx service: add commonHttpConfig option 2017-02-28 09:36:56 -06:00
Daiderd Jordan 3f2566689d modules: add support for module replacement with disabledModules
This is based on a prototype Nicolas B. Pierron worked on during a
discussion we had at FOSDEM.
2017-02-28 00:14:48 +01:00
Franz Pletz ec4ead0bfe
phpfpm service: add target and slice 2017-02-28 00:00:57 +01:00
Franz Pletz e3d58dae7f
phpfpm service: one service per pool for isolation 2017-02-27 23:38:53 +01:00
Vladimír Čunát 81b43ccd57
17.09 release notes: fix typos 2017-02-27 23:03:16 +01:00
Robin Gloster 755902b543
release-notes: add 17.09 2017-02-27 20:46:34 +01:00
Robin Gloster b7d15edd9e
bump version to 17.10
This will be the Hummingbird release
2017-02-27 20:21:13 +01:00
Vladimír Čunát a1919db7cd
Merge branch 'master' into staging 2017-02-27 20:15:27 +01:00
Dan Peebles 8def08a56c apache-kafka.service: pass in log4j config more explicitly
The implicit behavior of pulling it out of the classpath seemed not
to work properly and could be thrown off by other things on the
classpath also providing the properties file. This guarantees that
our settings stick.
2017-02-27 18:32:12 +00:00
Thomas Tuegel 127bf18a35
extra-cmake-modules: Lift Qt dependency 2017-02-27 11:49:46 -06:00
Thomas Tuegel f21d4d0015
nixos/plasma5: Rename Plasma 5 desktop
- There is no such thing as KDE 5
2017-02-27 11:49:31 -06:00
Thomas Tuegel 8eb4d2afbc
Remove top-level kde5 attribute
- There is no such thing as KDE 5
2017-02-27 11:49:10 -06:00
Dan Peebles 6018cf4a69 amazon-init.service: fix starting services at startup
We now make it happen later in the boot process so that multi-user
has already activated, so as to not run afoul of the logic in
switch-to-configuration.pl. It's not my favorite solution, but at
least it works. Also added a check to the VM test to catch the failure
so we don't break in future.

Fixes #23121
2017-02-27 16:51:36 +00:00
Franz Pletz bccac381b2
microcode updates: prepend first in initrd
Prevents crashing the kernel on boot if other blobs are prepended
before the microkernel update image.

Fixes #22674.
2017-02-27 17:12:33 +01:00
Edward Tjörnhammar fa367c2d02
nixos, dhcpd: make machines assignable 2017-02-27 10:52:21 +01:00
Domen Kožar c013f9240e Merge pull request #23168 from nlewo/nova-image-refactoring
Nova image refactoring and partition resizing
2017-02-27 10:03:13 +01:00
Fabian Schmitthenner ae67f060f2 phpfpm: eliminate build at evaluation time
phpfpm currently uses `readFile` to read the php.ini file from the
phpPackage. This causes php to be build at evaluation time.

This eliminates the use of readFile and builds the php.ini at build
time.
2017-02-26 23:35:12 +01:00
Graham Christensen 4f3d06dc7d Merge pull request #23214 from grahamc/mcelog-service
mcelog: init Machine Check Exception Logging Daemon service
2017-02-26 11:42:56 -05:00
Graham Christensen 1430506666
mcelog: init Machine Check Exception Logging Daemon service 2017-02-26 11:42:00 -05:00
obadz 4b6f021251 Revert "lightdm: obbey services.xserver.{window/desktop}Manager.default"
This reverts commit 29caa185a7.

Not clear what the proper thing to do is. cf94cdb59b renders this
question mostly moot. Reverting before 17.03 branch to avoid a repeat
of #19054.
2017-02-26 16:22:21 +00:00
Jörg Thalheim 6c36d9fa20
nftables: make default configuration null
reason:
 - We currently have an open discussion regarding a more modular
   firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
   leaving null makes future extension easier.
 - the current default might not cover all use cases (different ssh port)
   and might break setups, if applied blindly
2017-02-26 16:24:20 +01:00
Frederik Rietdijk f69292ddc0 Python: explain deterministic builds in release notes 2017-02-26 14:51:26 +01:00
Jookia e2c95b46e5
nftables module: Add new module for nftables firewall settings
fixes #18842
2017-02-26 13:41:14 +01:00
Tomasz Czyż 0b27c74eb2 pgjwt: init at 0.0.1 (#22644) 2017-02-26 11:14:32 +01:00
Daniel Peebles 2f36be3816 Merge pull request #23190 from primeos/os-release
[RFC] version: Extend /etc/os-release
2017-02-26 00:03:33 -05:00
Dan Peebles e798f573f0 make-disk-image.nix: set last fsck time on ext4 images to enable resize-on-startup 2017-02-26 02:02:22 +00:00
Michael Weiss 7e97cbe5a4 version: Extend /etc/os-release
- Provide additional link for support and bug reporting.
- Use HTTPS links (related: "The IAB encourages all web servers to
employ TLS to protect their content, and use OCSP stapling to improve
the efficiency and privacy of revocation checking." [0].
- Add VERSION_CODENAME

[0]: https://www.iab.org/documents/correspondence-reports-documents/2017-2/iab-statement-on-ocsp-stapling/
2017-02-25 22:24:34 +01:00
Franz Pletz 26a2822cf0
nginx service: restart instead of stop to reduce downtime
cc #23127
2017-02-25 20:12:37 +01:00
Thomas Tuegel a1431f35db Merge pull request #23169 from Kendos-Kenlen/kde-hack
kde5: Install default monospace font, Hack
2017-02-25 11:59:33 -06:00
Franz Pletz 3a4dd97c55
nginx module: fix acme if vhost name != serverName
cc #21931 @bobvanderlinden
2017-02-25 08:04:38 +01:00
Peter Hoeg e4d8cb8dab iio-sensor-proxy: init at 2.2 and nixos module
This PR adds support for ```iio-sensor-proxy``` used by GNOME v3 and
others for reading data from the accelerometer, gps, compass and similar sensors
built into some relatively recent laptops.

Additionally, there is a NixOS module exposed via hardware.sensor.iio
for enabling services, udev rules and dbus services.
2017-02-25 08:46:46 +08:00
Gauthier POGAM--LE MONTAGNER b65cc5c59e kde5: add hack font dependency (fix #22975) 2017-02-25 00:35:59 +01:00
Antoine Eiche 386c19a224 nova-image: support partition resizing 2017-02-24 22:19:53 +01:00
Antoine Eiche dec7ecbbbc nova-image: refactoring
The nova image configuration is separated from the image build.
2017-02-24 22:17:52 +01:00
Benjamin Staffin 1c555e772e Merge pull request #23155 from doshitan/fix-prometheus-basic-auth
prometheus service: fix basic auth option
2017-02-24 15:08:35 -05:00
Tanner Doshier b846ce5243 prometheus service: fix basic auth option
If some configuration is provided, we need to filter out the `_module` key or
else it breaks prometheus.
2017-02-24 13:32:01 -06:00
Ryan Mulligan 41b56b4b8a f2fs module: add crc32 dependency to initrd kernel modules, closes #23093
f2fs.fsck depends on crc32 module being present in the initrd system,
otherwise, if f2fs is used as the root disk, the system is unbootable.
2017-02-24 18:32:50 +01:00
Robin Gloster 8f60b43d9c Merge pull request #23130 from grahamc/insecure-packages-with-docs
nixpkgs: allow packages to be marked insecure (this time with docs)
2017-02-24 13:44:28 +01:00
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
Eelco Dolstra 8e1fa01f3a
nix: 1.11.6 -> 1.11.7 2017-02-24 12:53:53 +01:00
Franz Pletz 4730993ca6 Merge pull request #23109 from dtzWill/update/neo4j
neo4j: update and fix JVM parameters in NixOS module
2017-02-23 19:02:32 +01:00
Franz Pletz d508ef88f7 Merge pull request #23082 from mayflower/graylog_update
graylog: update + module plugin support
2017-02-23 17:42:57 +01:00
Robin Gloster 940492cef5 Merge pull request #22634 from Ekleog/dhparams
dhparams module: initialize
2017-02-23 17:16:04 +01:00
Franz Pletz 4905c1c54f
prosody service: needs working network connectivity 2017-02-23 16:07:41 +01:00
Franz Pletz 66f553974b
dhcpcd service: fix network-online.target integration
When dhcpcd instead of networkd is used, the network-online.target behaved
the same as network.target, resulting in broken services that need a working
network connectivity when being started.

This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
2017-02-23 16:07:40 +01:00
Will Dietz bc15b4222b nixos/neo4j: Update to default JVM options from current release.
The options previously listed here were the defaults back in 2.1.x.
2017-02-23 08:41:29 -06:00
Robin Gloster 274994785d
networking module: remove reference to removed ip-up.target 2017-02-23 15:25:19 +01:00
Tristan Helmich 7420922806 graylog module: add plugin support 2017-02-23 15:21:29 +01:00
Dan Peebles 15c05ad213 google-compute-image.nix: fix evaluation failure 2017-02-22 23:51:57 +00:00
Dan Peebles 49641e0de0 make-disk-image.nix: support additional filesystem contents
This makes make-disk-image.nix slightly more consistent with other image
builders we have. Unfortunately I duplicated some code in doing so, but
this is temporary duplication on the path to consolidating everything.
See https://github.com/NixOS/nixpkgs/issues/23052 for more details on that.

I'm also exposing the option in the amazon-image.nix maintainer module.
2017-02-22 23:49:49 +00:00
Vladimír Čunát 4509487e82
nixos polkit: fixup setuid wrapper of pkexec
Broken in 628e6a8.  Fixes #23083.
2017-02-22 23:04:21 +01:00
Franz Pletz 9b81dcfda2
nixos/release-notes: fix typos 2017-02-22 08:45:30 +01:00
Jörg Thalheim 27d4f8c717 Merge pull request #23046 from Zimmi48/patch-2
nixos/manual/networkmanager: add info on nm-applet
2017-02-22 01:40:50 +01:00
Jörg Thalheim 6a044f1841 Merge pull request #23045 from Zimmi48/patch-1
nixos/manual/xserver: propose more alternatives
2017-02-22 01:38:25 +01:00
Jörg Thalheim 5b14e91717 Merge pull request #22822 from Mic92/iputils
iputils: 20151218 -> 20161105
2017-02-22 00:37:13 +01:00
Jörg Thalheim 45719174c3
nixos/release-notes: mention iputils changes 2017-02-22 00:32:52 +01:00
Tomasz Czyż ab22a08039 test all postgresql versions, test server restart (#1735) 2017-02-21 22:48:39 +00:00
Tristan Helmich 1d64f5f41b
libvirt: expose libvirt qemu configuration file
fixes #22823
2017-02-21 19:20:22 +01:00
Robin Gloster f1e6dc8750
networking.defaultGateway{,6}: fix example 2017-02-21 15:46:00 +01:00
Théo Zimmermann 0994d6af9d nixos/manual/networkmanager: add info on nm-applet 2017-02-21 15:20:10 +01:00
Théo Zimmermann 361d730f35 nixos/manual/xserver: propose more alternatives 2017-02-21 14:56:26 +01:00
Jörg Thalheim 0338817f62 vnstat: provide full path of "kill" in ExecReload 2017-02-21 09:26:25 +00:00
Nikolay Amiantov 2cc4703a2d wrappers service: make /run/wrappers a mountpoint
Also remove some compatibility code because the directory in question would be
shadowed by a mountpoint anyway.
2017-02-21 12:13:35 +03:00
Peter Hoeg 8e5b630b49 Merge pull request #22264 from peterhoeg/m/modeswitch
usb-modeswitch: 2.2.1 -> 2.5.0 and nixos module
2017-02-21 16:49:04 +08:00
Peter Hoeg 0789a2a4d6 usb-wwan: nixos module 2017-02-21 16:35:27 +08:00
Franz Pletz 05c2c13182 Merge pull request #22715 from phi-gamma/fix-22709-xen-domU
xen: update domU config for pvgrub2
2017-02-21 06:14:12 +01:00
Anders Papitto 3d963c3e8f herbstluftwm module: add configFile option
based on the equivalent for i3
2017-02-21 05:46:13 +01:00
Kevin Cox da33c8a19d
systemd: Properly escape environment options.
Using toJSON on a string value works because the allowed JSON escape
sequences is almost a subset of the systemd allowed escape sequences.
The only exception is `\/` which JSON allows but systemd doesn't.
Luckily this sequence isn't required and toJSON don't produce it making
the result valid for systemd consumption.

Examples of things that this fixes are environment variables with double
quotes or newlines.
2017-02-20 22:20:13 -05:00
Robin Gloster 2f8aaf0c0a Merge pull request #22941 from mayflower/systemd-tmpfiles
systemd: setup tmpfiles on switching configuration
2017-02-20 23:14:31 +01:00
Ricardo M. Correia d9ae886946 nixos.openntpd: don't spam systemd journal
Starting `ntpd` with the `-d` option spams the systemd journal.
Instead, let the server fork.
2017-02-20 22:35:51 +01:00
aszlig dc31a1ea29
systemd-boot: Unlink loader.conf if it exists
Since systemd version 232 the install subcommand of bootctl opens the
loader.conf with fopen() modes "wxe", where the "e" stands for
exclusive, so the call will fail if the file exists.

For installing the boot loader just once this is fine, but if we're
using NIXOS_INSTALL_BOOTLOADER on a systemd where the bootloader is
already present this will fail.

Exactly this is done within the simpleUefiGummiboot installer test,
where nixos-install is called twice and thus the bootloader is also
installed twice, resulting in an error during the fopen call:

Failed to open loader.conf for writing: File exists

Removing the file prior to calling bootctl should fix this.

I've tested this using the installer.simpleUefiGummiboot test and it now
succeeds.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22925
2017-02-20 14:54:48 +01:00
aszlig 4daccf208f
systemd-boot: Make sure /etc/machine-id exists
This leads to the following error when trying to install a new machine
where the machine ID wasn't yet initialized during boot:

Failed to get machine did: No such file or directory

In addition this was also detected by the simpleUefiGummiboot installer
test.

So let's generate a fallback machine ID by using
systemd-machine-id-setup before actually running bootctl.

Tested this by running the installer.simpleUefiGummiboot test, it still
fails but not because of the machine ID.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22561
2017-02-20 14:54:44 +01:00
Lorenzo Manacorda 2c4d9c9228
manual: Add link to config section (#22994)
Add link to "Configuration" chapter from "Changing the Configuration" section.

Also, fix grammar error.
(cherry picked from commit a585f987fa)
2017-02-20 14:32:49 +01:00
Nikolay Amiantov d8fb60d1d4 Merge pull request #23014 from zraexy/zraexy-bumblebee-pmmethod
bumblebee service: Fix pmMethod bbswitch check
2017-02-20 16:18:45 +03:00
Robin Gloster 12b4556642 Merge pull request #22882 from bjornfor/wireshark
nixos: add programs.wireshark option
2017-02-20 14:03:30 +01:00
zraexy 5abca15f21 bumblebee service: Fix pmMethod bbswitch check
Made useBbswitch work when pmMethod is "auto" and removed invalid pmMethod option "nouveau".
2017-02-19 22:46:47 -09:00
florianjacob c23c2c50de munin service: listen on IPv6 loopback as well (#23012)
munin service: listen on IPv6 loopback as well
2017-02-20 06:13:48 +01:00
Arian van Putten 252fbbf2d2 mattermost sevice: JoinsNamespaceOf for local pgsql (#22899) 2017-02-20 04:43:04 +01:00
Franz Pletz 60555c7c0a Merge pull request #22969 from symphorien/extrainitrd
grub module: add extraInitrd option
2017-02-20 04:32:48 +01:00
Eelco Dolstra 4b833facf1 Add ca-central-1 AMIs 2017-02-19 23:46:08 +01:00
Eelco Dolstra a2b8ceb83a Create AMIs for ca-central-1 (Canada) 2017-02-19 23:19:07 +01:00
Nikolay Amiantov 22750b36fd nvidia: support application profiles
Closes #22666.
2017-02-19 19:46:01 +03:00
Joachim F 6dbe55ca68 Merge pull request #20456 from ericsagnes/feat/loaf-dep-1
Use attrsOf in place of loaOf when relevant
2017-02-19 15:49:25 +01:00
Joachim F ecdfffd9fc Merge pull request #22433 from laMudri/xfwm-option
xfce: make xfwm optional
2017-02-19 15:26:07 +01:00
Symphorien Gibol 9ed2846e04 grub module: add extraInitrd option 2017-02-19 10:50:22 +01:00
Ricardo M. Correia f78f207f17 nixos.samba: add enableNmbd and enableWinbindd options
This allows for disabling these services, in case they are not needed.
2017-02-18 19:29:06 +03:00
Profpatsch 2b0469c48f modules/mpd: factor out name & mention man 5 mpd.conf 2017-02-18 16:03:16 +01:00
Franz Pletz 313ccd5be3
network-interfaces service: fix typo in bonding options 2017-02-18 15:51:52 +01:00
Cray Elliott 5e0b978eff mwprocapture: init at 1.2.3269 (#22160) 2017-02-18 15:44:31 +01:00
Robin Gloster 4e4161c212
systemd: setup tmpfiles on switching configuration
This fixes systemd.tmpfiles.rules on switching configuration so that
does not only get applied on a fresh boot. This e.g. fixes kubernetes.
2017-02-18 15:04:52 +01:00
Franz Pletz c4c23f36ca Merge pull request #22727 from mayflower/fix/netdev-master-bindsto
network-interfaces service: fix bindsTo deps for masters
2017-02-18 13:37:50 +01:00
Franz Pletz 741770c99a
network-interface service: tuntap ifs have netdev services 2017-02-18 13:36:37 +01:00
Brice Waegeneire 47c214cc2a fix comments about nixos-hardware-scan
It has been renamed to nixos-generate-config in 3ed4173
2017-02-18 13:29:47 +01:00
Vladimír Čunát 432dba859e
Merge branch 'staging'
A security update of libxml2 is within.
2017-02-18 08:59:29 +01:00
Léo Gaspard e2c78910d1
dhparams module: initialize 2017-02-18 00:07:03 +01:00
Robin Gloster bd0d8ed807
programs.mtr: init setcap-wrapper 2017-02-17 20:18:19 +01:00
Nikolay Amiantov 213356c927 activation-script service: add utillinux to path 2017-02-17 21:54:58 +03:00
aszlig 08881b8cbe
taskserver: Remove taskserver from systemPackages
This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.

The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.

If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:46:05 +01:00
aszlig 5af8b120a6
nixos/tests/taskserver: Add test for manual config
This subtest actually serves two purposes:

  1. Test manual PKI configuration
  2. Test changing of configuration files

In order to only test manual PKI configuration it would have been enough
to just add another server with a manual config.

But as the switch from automatic PKI config to manual config is probably
one of the most fundamental changes in configuration, so it serves
*very* well to also check whether changes in the NixOS configuration
actually have an impact in the real system.

So instead of adding another server, we now create a dummy "newServer"
machine, which is the new configuration for "server" and use
switch-to-configuration to switch "server" to the config of "newServer".

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:46:01 +01:00
aszlig c7bbb93878
taskserver: Pass configuration via command line
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disavantage that
once we change the real configuration file the store path is also a
different one.

So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.

Another problem is that we only added the include directive on the first
initalization, so whenever there is *any* configuration change, it won't
affect anything.

We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.

This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.

Instead we now have an attribute set that is mapped down to
configuration options.

Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.

So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
2017-02-17 19:45:58 +01:00
aszlig 78fe00da7c
taskserver: Allow helper tool in manual config
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.

One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.

Another advantage is that we now have an uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:55 +01:00
aszlig 32c2e8f4ae
taskserver/helpertool: Fix error message on export
The error message displays that a specific user doesn't exist in an
organisation, but uses the User object's name attribute to show which
user it was.

This is basically a very stupid chicken and egg problem and easily fixed
by using the user name provided on the command line.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:52 +01:00
aszlig a5e9668c5c
nixos/test: Fix escaping for copyFileFromHost
A long-time issue and one of the reasons I've never used that function
before. So let's remove that todo-comment and escape the contents
properly.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
2017-02-17 19:45:49 +01:00
Michele Guerini Rocco 5231d0ac29 bluetooth module: add option to power up bluetooth controller (#22685) 2017-02-17 19:44:04 +01:00
Jörg Thalheim fd78ff23f7
replace ping6 with ping
reason: after the upgrade of iputils from 20151218 to 20161105
functionality of ping6 and tracepath6 was merged into ping and tracepath.

Ping is now mostly a drop-in replacment for ping6, except that selecting a
specific interface is done by encoding it into the address (ex.: fe80::1%eth0)
rather then specifing it with the `-I` flag.
2017-02-17 16:04:49 +01:00
Robin Gloster 7ec5faa8a4
programs.wireshark: use setcap wrapper 2017-02-17 15:42:55 +01:00
Bjørn Forsman 8f3e6fdd8c
nixos: add programs.wireshark option
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module module simplifies such a
configuration to simply:

  programs.wireshark.enable = true;

The setuid wrapper is available for users in the 'wireshark' group.

Changes v1 -> v2:
  - add "defaultText" to the programs.wireshark.package option (AFAIK,
    that prevents the manual from being needlessly rebuilt when the
    package changes)
2017-02-17 15:42:54 +01:00
Robin Gloster 070825d443
setcapWrapper: add support for setting permissions 2017-02-17 15:42:54 +01:00
Matthew Daiter 336d6cc513 stanchion: remove ssl option 2017-02-17 13:24:51 +01:00
Nikolay Amiantov 8ecd5c4019 Merge pull request #22864 from abbradar/dbus-etc
Redo DBus configuration
2017-02-17 11:47:51 +03:00
Robin Gloster 6e12406e30
Revert "nginx: Format the config file"
This reverts commit e362a3d5c9.

See #22883
2017-02-16 22:45:00 +01:00
Profpatsch bb797c1390 networking.networkd: adjust autmatic mapping of bonds
Since the bonds interface changed to a lot more possible values we create a
mapping of kernel bond attribute names and values to networkd attributes.
Those match for the most part, but have to transformed slightly.

There is also an assert that unknown options won’t slip through silently.
2017-02-16 21:24:40 +01:00
Profpatsch 9debdaf512 networking.bonds: add support for arbitrary driverOptions
Until now the four attributes available very selectively provided a small
subset, while copying upstream documentation.

We make driver options an arbitrary key-value set and point to kernel
documentation, which is always up-to-date. This way every option can be set.
The four already existing options are deprecated with a warning.
2017-02-16 21:24:40 +01:00
Daniel Peebles 19a9099eb2 Merge pull request #22869 from copumpkin/amazon-init-fix
amazon-init NixOS module: fix (I think) race condition with network
2017-02-16 12:44:49 -05:00
Thomas Tuegel 7c260ad2cc Merge pull request #22813 from benley/pam-kwallet
nixos: add optional pam_kwallet5 integration
2017-02-16 10:20:47 -06:00
Dan Peebles b172684c17 amazon-init NixOS module: fix (I think) race condition with network
The initialization code is now a systemd service that explicitly
waits for network-online, so the occasional failure I was seeing
because the `nixos-rebuild` couldn't get anything from the binary
cache should stop. I hope!
2017-02-16 16:03:58 +00:00
Nikolay Amiantov 0c81594a29 kbd service: use /dev/tty1 for systemd-vconsole-setup
Fixes #22470
2017-02-16 17:08:14 +03:00
Nikolay Amiantov 109ee2a338 kbd service: use systemd-vconsole-setup even with early setup
This way we have fonts reloaded on switches.
2017-02-16 17:08:13 +03:00
Nikolay Amiantov ac0cdc1952 dbus service: use makeDBusConf 2017-02-16 15:41:23 +03:00
Benjamin Staffin 463e90273f pam: add optional pam_kwallet5 integration 2017-02-16 02:26:42 -05:00
Kier Davis 5e3a26e07b
Fix typo introduced by #22677 2017-02-15 23:44:11 +00:00
Bjørn Forsman d4e5bb34b7 nixos/geoip-updater: run as user 'geoip' instead of 'nobody'
That way 'nobody' is prevented from messing with the databases.
2017-02-15 23:25:27 +01:00
Bjørn Forsman ce0a52f9bf nixos/security.wrappers: improve documentation
* The source attribute is mandatory, not optional
* The program attribute is optional
* Move the info about the mandatory attribute first (most important,
  IMHO)
2017-02-15 20:05:27 +01:00
Profpatsch 91d0260feb modules/filesystems: disallow non-empty fstab fields (#22803)
It was possible to pass empty strings / strings with only separator characters;
this lead to broken fstab formatting.
2017-02-15 13:22:48 +01:00
Franz Pletz 188526da3d
prometheus.blackboxExporter service: add CAP_NET_RAW
The blackbox-exporter for prometheus needs CAP_NET_RAW for sending icmp
probes.
2017-02-15 09:35:27 +01:00
Bjørn Forsman f9cb2b5640 nixos/security.wrappers: use literalExample in documentation
It's much more readable when the example attrset is pretty printed
instead of written as one line.
2017-02-15 09:08:41 +01:00
Bjørn Forsman a45821e7a8 nixos/cron: unbreak since new security.wrapper 2017-02-15 08:30:58 +01:00
Bjørn Forsman aaac02f6c4 nixos/atd: unbreak after new security.wrappers
* convert list -> attrset
* 'atd' doesn't exist, 'at' does
2017-02-15 08:25:59 +01:00
Bjørn Forsman b1bfe9d3db nixos: hint about security.setuidOwners/Programs -> security.wrappers
Let users know about the option rename / change during nixos-rebuild
with a useful message instead of an error (with no way forward).
2017-02-15 07:25:33 +01:00
Bjørn Forsman 34c1b74421 nixos/virtualbox: unbreak wrt. new security.wrappers
The new option takes an attrset, not a list.
2017-02-15 07:25:33 +01:00
Bjørn Forsman 448acd8e5e nixos: remove remaining reference to setuidPrograms
The option doesn't exist anymore.
2017-02-15 07:25:33 +01:00
Ian-Woo Kim b7a24e0a2b nixos-container: added test for port forwarding ( nixos/tests/containers-portforward.nix ) 2017-02-15 05:12:46 +01:00
Ian-Woo Kim 5ca0f72472 nixos-container: break lines in description of forwardPorts. 2017-02-15 05:12:46 +01:00
Ian-Woo Kim 4f0b663c2e nixos-container: hostPort -> forwardPort and forwardPort is now a list of (protocol,hostPort,containerPort). 2017-02-15 05:12:46 +01:00
Ian-Woo Kim 0bfc631de2 nixos-container: support multiple port forwarding. change type of hostPort from 'string' to 'listOf str' 2017-02-15 05:12:46 +01:00
Ian-Woo Kim 8684285251 nixos-container: introduce hostPort in declarative container options. 2017-02-15 05:12:46 +01:00
Ian-Woo Kim a238c8a575 nixos-container: add --port option for nixos-container (forward network ports to systemd-nspawn container) 2017-02-15 05:12:46 +01:00
Parnell Springmeyer 1f83f1c878
security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00
Graham Christensen 7483ba0932
Revert "nix-daemon: default useSandbox to true"
This reverts commit d0a086770a.
2017-02-14 14:13:39 -05:00
Graham Christensen 3be1388963 Merge pull request #22767 from grahamc/sandbox-by-default
nix-daemon: default useSandbox to true
2017-02-14 13:57:44 -05:00
Eelco Dolstra 14c47bd546 Merge pull request #22758 from dezgeg/pr-nixos-rebuild
nixos-rebuild: Don't rebuild nixos-rebuild when --fast is used
2017-02-14 16:35:43 +01:00
Parnell Springmeyer 69794e333a
Using para tags for manual formatting 2017-02-14 08:53:30 -06:00
Parnell Springmeyer 794b3721bc
Syntax wibble 2017-02-14 08:42:08 -06:00
Parnell Springmeyer e856d6efe8
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00
Parnell Springmeyer c01689f8da
Fixing ref to old-wrappersDir 2017-02-14 08:33:07 -06:00
Parnell Springmeyer f8b8c353ff
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00
Parnell Springmeyer fb6d13c01a
Addressing feedback and fixing a bug 2017-02-14 07:38:45 -06:00
Parnell Springmeyer 467bb3f674
/run/wrapper is not a filesystem, no need to skip it 2017-02-14 07:32:24 -06:00
Parnell Springmeyer ba499e3aa0
Removing unused module option old-wrapperDir 2017-02-14 07:30:21 -06:00
Parnell Springmeyer a27f35993d
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00
Parnell Springmeyer cca2e11556
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00
Parnell Springmeyer 9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen d0a086770a
nix-daemon: default useSandbox to true 2017-02-13 18:06:01 -05:00
Rickard Nilsson cda4a4dcfc nixos/grafana: Don't print password warning if no password has been set 2017-02-13 23:11:40 +01:00
Robin Gloster 7e5424ac09
php: default to php71 2017-02-13 22:48:45 +01:00
Tuomas Tynkkynen 2000f0941e nixos-rebuild: Don't build nixos-rebuild with --fast 2017-02-13 21:52:32 +02:00
Tuomas Tynkkynen 23fee8bfbd nixos-rebuild: Support passing e.g. '-j8'
Where there is no space between '-j' and the number.
2017-02-13 21:52:30 +02:00
Graham Christensen 1d2548772e Merge pull request #22724 from grahamc/pam-oath-fixup
pam_oath: require OATH and pam_unix credentials to be valid
2017-02-13 09:36:35 -05:00
Robin Gloster af9f44dd57
grub: fix capitalisation
Missed this occurence while renaming the option
2017-02-13 14:55:36 +01:00
symphorien 0b87efacb1 grub: add grub.useOSProber option (#22558) 2017-02-13 14:53:15 +01:00
Linus Heckemann b4cd251c54 Manual: document users.users.<name>.hashedPassword 2017-02-13 13:54:40 +01:00
Eelco Dolstra a4ec1841da
VM tests: veryloose -> cache=loose 2017-02-13 12:18:10 +01:00
Rob Vermaas af3732b6c6
Azure: switch back to qemu 2.2.0 for generating image. Seems to work best.
(cherry picked from commit 2da8a5dac8)
2017-02-13 09:55:03 +00:00
Rob Vermaas eff0752dbc
Use default qemu for azure image generation, and use option to enforce sizing of image to be compliant with Azure/HyperV.
(cherry picked from commit e16db5666a)
2017-02-13 08:54:41 +00:00
Dan Peebles e63d15f173 ecs-agent NixOS module: enable docker 2017-02-13 04:06:31 +00:00
Dan Peebles e928cb1c63 ssm-agent NixOS module: init 2017-02-13 04:01:38 +00:00
Franz Pletz 76a3c30471
network-interfaces service: fix bindsTo deps for masters
Previously, netdev units for network interfaces defined in the nixos
configurations would bindTo the systemd device unit of the interface if
not in a container.

In situations where you switch to a new nixos configration with changes
to network-setup.service (like nameservers) and have stacked interfaces
like vlans on a bond, it would fail to propagate restarts to the netdevs
correctly resulting with broken networking. The bond would be present
but no vlan interfaces rendering the machine unreachable.

My fear is that the udev events fail to propagate correctly while a systemd
transaction that is also restarting the triggered netdev service is running.
This commit changes this behaviour so netdev services bindTo other netdev
services if present and otherwise fall back to the previous behaviour.

We also noticed that stacked interfaces would sometimes seemingly be stopped
in the wrong order. For instance in the above example, the bond interface
would be deleted before the vlan interfaces resulting in the vlan interfaces
not being present when their service is being stopped. This would cause the
systemd transaction to fail and thus break networking. Their postStop hooks
are now allowed to fail as we have reached the desired state.
2017-02-13 01:57:25 +01:00
Graham Christensen 84d4e4277c Merge pull request #22723 from benley/fix-sessions-with-sddm
Fix sessions with sddm.
2017-02-12 19:01:15 -05:00
Franz Pletz f5a82e4714
gitlab service: fix database creation
Providing custom a username and database name was broken. They were
hardcoded to "gitlab".
2017-02-13 00:57:22 +01:00
Graham Christensen 96d767de62
pam_oath: require OATH and pam_unix credentials to be valid 2017-02-12 18:27:11 -05:00
Graham Christensen 59e77daf5b
nixos tests: make getTTYText smart about tty size 2017-02-12 18:27:06 -05:00
Karn Kallio 8a1fcaf5bd Fix sessions with sddm. 2017-02-12 18:19:20 -05:00
Vladimír Čunát 31eba21d1d
virtualbox: force xorg-server-1.18 for now
This is getting a little hacky, but hopefully it won't break anything.
2017-02-12 21:07:49 +01:00
Philipp Gesang 3dad33227f
xen: update domU config for pvgrub2
fix #22709

Recent pvgrub (from Grub built with “--with-platform=xen”) understands
the Grub2 configuration format. Grub legacy configuration (menu.lst) is
ignored.
2017-02-12 20:53:54 +01:00
georgewhewell 94b28a8072 fix systemd.services.kube-proxy to use correct extraOpts 2017-02-12 15:06:59 +00:00
Bjørn Forsman 824d82fa0f nixos/geoip-updater: new service
The GeoIP databases from MaxMind have no stable URLs and change every
month (or so). Our current method of packaging these database in Nix and
playing catch-up with ever-changing file hashes is a bad idea. For
instance, it makes it impossible to realize old NixOS configurations.

This patch adds a NixOS service that periodically updates the GeoIP
databases in /var/lib/geoip-databases. Moving NixOS modules over can be
done in later patches.

I tried adding MD5 check, but not all databases have them, so i skipped
it. We are downloading over HTTPS though, it should be good. I also
tried adding zip support, but the first zip file I extracted had a
different filename inside than the archive name, which breaks an
assumption in this service, so I skipped that too.

Changes v9 -> v10:
  - Pass "--max-time" to curl to set upper bound on downloads (ensures
    no indefinite hanging if there's problem with networking).
    Timeout for network connectivity check: 60s.
    Timeout for geoip database (each): 15m.

Changes v8 -> v9:
  - Mention the random timer delay in the documentation for the
    'interval' option.

Changes v7 -> v8:
  - Add "RemainAfterExit=true" for the setup service, so it won't be
    restarted needlessly. (Thanks @danbst!)

Changes v6 -> v7:
  - Add --skip-existing flag to geoip-updater, which skips updating
    existing database files. Pass that flag when we run the service on
    boot (and on any NixOS configuration change).
    (IMHO, this is somewhat a workaround for systemd persistent timers
    not being triggered immediately when a timer has never expired
    before. But it does have the nice side effect of ensuring that the
    installed databases always correspond to the configured ones, since
    the service is now always run after configuration changes.)

Changes v5 -> v6:
  - Update database files atomically (per DB)
  - If a database is removed from the configuration, it'll be removed
    from /var/lib/geoip-databases too (on next run).
  - Add NixOS module assertion so that if user inputs non- .gz or .xz
    file there will be a build time error instead of runtime.
  - Run updater as user "nobody" instead of "root".
  - Rename NixOS service from "geoip-databases" to "geoip-updater".
  - Drop RemainAfterExit, or else the timer won't trigger the unit.
  - Bring back "curl --fail", or else we won't catch and log curl
    failures.

Changes v4 -> v5:
  - Add "GeoLite2-City.mmdb.gz" to default database list.

Changes v3 -> v4:
  - Remove unneeded geoip-updater-setup.service after adding
    'wantedBy = [ "multi-user.target" ]' directly to
    geoip-updater.service
  - Drop unneeded "Service" name from service descriptions.

Changes v2 -> v3:
  - Network may be down when starting from a cold boot, so try a few
    times. Possibly, if using systemd-networkd, it'll pass on the first
    try. But with default DHCP on NixOS, the service is started before
    hostnames can be resolved and thus we need a few extra seconds.
  - Add error handling and mark service as failed if fatal error.
  - Add proper syslog log levels.
  - Add RandomizedDelaySec=3600 to the timer to not put high load on the
    MaxMind servers. Suggested by @Mic92.
  - Set RemainAfterExit on geoip-updater.service instead of
    geoip-updater-setup.service. (The latter is only a proxy that pulls
    in the former service).

Changes v1 -> v2:
From Данило Глинський (Danylo Hlynskyi) <abcz2.uprola@gmail.com>:
  nixos/geoip-databases: add `databases` option and fix initial setup

  There were two great issues when using this service:
  - When you just enable service, databases aren't downloaded, they are
    downloaded when timer triggers. Fixed this with automatic download on
    first system activation.
  - When there is no internet, updater outputs nothing to logs, which is
    IMO misbehavior. Fixed this with removing `--fail` option, better be
    explicit here.
2017-02-12 15:07:34 +01:00
Tuomas Tynkkynen 9e04b57dde nixos top-level: Add 'dtbs' symlink when kernel uses device trees
Currently e.g. extlinux-conf-builder.sh uses
`readlink -m "$toplevel/kernel/../dtbs"` to figure out the directory.
That is obscenely ugly.
2017-02-12 15:47:49 +02:00
Graham Christensen 4f34e030a5 Merge pull request #22677 from grahamc/drop-kdm-kde4-modules
Drop kdm and kde4 modules
2017-02-12 08:36:33 -05:00
Vladimír Čunát 3348905cde
xorg-server: major bump 1.18.4 -> 1.19.1
I encountered no problems with it.  Nvidia binary drivers are tested,
and AMD ones now both set `abiCompat` to use older server versions.
2017-02-12 13:24:44 +01:00
Ricardo M. Correia 123cbd40c2 raspberryPi boot loader: don't remove xx-initrd files
The Raspberry Pi boot loader was deleting all xx-initrd text files
(which simply contain the path to the actual initrd files) just after
having created them. The code was actually trying to delete real,
obsolete initrd files, which are named <hash>-initrd-initrd (after path
cleaning), but the glob was catching the other files as well.
2017-02-12 02:48:57 +02:00
Ricardo M. Correia c19b17d14f raspberryPi boot loader: fix booting Raspberry Pi 3
The Raspberry Pi 3 seems to need the .DTB file when booting the kernel,
so we must copy it to /boot when installing a new kernel.
2017-02-12 02:48:57 +02:00
Graham Christensen b1a05a0865
nixos: drop references to kde4
Excluding modules/programs/environment.nix for PATHand QT_PLUGIN_PATH to allow the programs to continue running.
2017-02-11 14:01:13 -05:00
Graham Christensen 3cec7d10df
kdm: drop service 2017-02-11 13:55:09 -05:00
Graham Christensen c09004fba0 Merge pull request #22642 from grahamc/kde4-deprecate
kde4, kdm: mark services as deprecated
2017-02-11 10:17:15 -05:00
Vladimír Čunát d4bf624f96
nixos manual: add grub option to avoid #21830
Close #22659.  vcunat edited this slightly.
2017-02-11 12:47:15 +01:00
Tuomas Tynkkynen 607be4d88e sd-image-*: Copy all RPi firmware files
Turns out all variants of start.elf and fixup.dat are needed (depending
on what's in config.txt). I was under the mistaken impression that you
were supposed to rename one of the variants to switch using them, but
nope.
2017-02-11 12:23:16 +02:00
Franz Pletz 3fd44e2912
network-interfaces service: add metric option for defaultGateways 2017-02-11 04:53:56 +01:00
Graham Christensen d9ab783f58
nixos manual: correct reference to sddm 2017-02-10 22:52:08 -05:00
davidak d4766e789b caddy: set file descriptor limit to 8192, fixes #22454
the value is recommended for production use
a warning is produced when not set
2017-02-11 01:44:29 +01:00
Graham Christensen 564e0c120b
kde4, kdm: mark services as deprecated 2017-02-10 17:35:52 -05:00
Profpatsch ed8a0d8e5e modules/searx: add package option (#22636)
The user should be able to specify a patched version of searx.
2017-02-10 22:44:10 +01:00
Eelco Dolstra 1b1138d3e7 Merge pull request #22610 from grahamc/switch-to-kde5-by-default
nixos: update default cases from KDM/KDE4 to SDDM/KDE5
2017-02-10 22:06:21 +01:00
Nikolay Amiantov 442b4d65c3 Merge pull request #22304 from abbradar/nvidia
Refactor NVidia drivers
2017-02-10 23:53:34 +03:00
Dan Peebles 3809938208 ecs-agent module: remove debug print
Whoops :)
2017-02-10 15:16:17 -05:00
Tuomas Tynkkynen a14ef4ad52 open-vm-tools: 10.0.7 -> 10.1.0
Also add an option to disable all the X11 stuff.
2017-02-10 20:12:00 +02:00
Dan Peebles a0ebb1497f ecs-agent NixOS module: init
A very simple skeleton for now that doesn't attempt to model any of
the agent configuration, but we can grow it later. Tested and works
on an EC2 instance with ECS.
2017-02-10 05:37:38 +00:00
Graham Christensen b12564cc1b
nixos: update default cases from KDM/KDE4 to SDDM/KDE5 2017-02-09 21:52:00 -05:00
afranchuk a5e041ac08 libreswan service: make EnvironmentFile optional (#22591)
Recent versions of libreswan seem to omit this file, but it may be added/changed in the future. It is silly to have the service fail because a file is missing that only enriches the environment.
2017-02-10 00:53:44 +01:00
Joachim F ca8fb930b1 Merge pull request #22356 from Ekleog/redsocks
Redsocks
2017-02-09 22:39:43 +01:00
Edward Tjörnhammar 2f5fdaefec
nixos, doc: dictd dbs move 2017-02-09 22:23:11 +01:00
Edward Tjörnhammar 3c9d73f100
nixos, doc: named nylons 2017-02-09 21:18:57 +01:00
Vladimír Čunát 378662bbba
Merge #22491: Add documentation for Xfce 2017-02-09 18:39:36 +01:00
Vladimír Čunát a0505989c9
Xfce docs nitpicks
- fix validity
- XFCE -> Xfce, as that seems to be upstream preference
2017-02-09 18:38:01 +01:00
Léo Gaspard 7a32b96697 redsocks module: initialize
redsocks module: use separate user for redsocks daemon
2017-02-09 18:01:14 +01:00
Daniel Peebles 7439fe083f Merge pull request #22297 from nand0p/buildbot-0.9.3
buildbot: 0.9.0.post1 -> 0.9.3
2017-02-09 11:15:03 -05:00
Joachim Fasting 28b5cc7dca
grsecurity test: adapt to changes in tinycc outputs 2017-02-09 16:23:04 +01:00
Franz Pletz 65a1762a9b
nginx module: make acme group overrideable easily 2017-02-08 23:50:59 +01:00
Nikolay Amiantov 5ff9a2a2cb kbd service: don't restart systemd-vconsole-setup
Fixes #22470. Also remove non-relevant comment (we don't deviate from upstream
systemd unit anymore).
2017-02-08 21:50:33 +03:00
Nikolay Amiantov 6f7811143d systemd service: don't install systemd-hwdb-update 2017-02-08 21:42:07 +03:00
Nikolay Amiantov 504774e223 release notes: mention JRE changes and jre_headless 2017-02-08 21:36:22 +03:00
Andrew Cann 3082647e74 trezord: init at 1.2.0 (#22054) 2017-02-08 17:18:22 +01:00
Graham Christensen 7db1f727f3
moodle: Remove due to continued security issues. 2017-02-08 09:10:45 -05:00
Nikolay Amiantov 2fd2fcf54d linuxPackages.nvidia_x11: refactor, build more from source
* Use libglvnd;
* Compile nvidia-settings, nvidia-persistenced from source;
* Generalize builder.
2017-02-08 16:57:46 +03:00
Antoine Eiche 9d30099b7f nixos/systemd: set r-x group permissions on /var/log/journal
This allows services such as systemd-journal-gateway to access the
systemd journal.

Closes #22288
2017-02-08 16:06:14 +03:00
Franz Pletz 626540e32e Merge pull request #22524 from wizeman/u/chrony-impr
nixos.chrony: add extraFlags config option
2017-02-07 21:50:58 +01:00
Vladimír Čunát ce9d30e734
Merge #22241: amdgpu-pro: 16.50 -> 16.60 2017-02-07 20:49:58 +01:00
Peter Simons bfd7fe8ba5 nixos: fix taskserver module to evaluate properly when keys are managed manually 2017-02-07 18:35:41 +01:00
Ricardo M. Correia 9293f86bf2 nixos.chrony: remove generatecommandkey option
It's deprecated and no longer used.
2017-02-07 18:01:58 +01:00
Ricardo M. Correia e3fce56047 nixos.chrony: add extraFlags config option 2017-02-07 18:01:57 +01:00
Matthias Beyer de592483d1 Add xfce documentation 2017-02-07 17:55:40 +01:00
Jörg Thalheim 3aff6c07ab Merge pull request #22518 from wizeman/u/fix-chrony-conf
nixos.chrony: pass config file directly to daemon
2017-02-07 17:17:17 +01:00
Fernando J Pando 34b5c9a4de buildbot: 0.9.0.post1 -> 0.9.3
- Fixes unneeded patching
- Adds worker to build inputs now needed for tests
- Replaces enableworker option with worker configuration module
- Openssh required for tests
- Fixes worker hardcoded paths
- Tested on Nixos Unstable
2017-02-07 11:14:42 -05:00
Svein Ove Aas e362a3d5c9 nginx: Format the config file 2017-02-07 16:19:11 +01:00
Ricardo M. Correia af4e6f155e nixos.chrony: pass config file directly to daemon
This fixes an issue where `nixops deploy` wouldn't restart the chrony
service when the chrony configuration changed, because it wouldn't
detect that `/etc/chrony.conf` was a dependency of the chrony service.
2017-02-07 13:48:58 +01:00
aszlig cd10e3c4ff
nixos/tests/chromium: Run tests as normal user
The tests have failed because Chromium has started up displaying the
following error message in a dialog window:

  Chromium can not be run as root.

  Please start Chromium as a normal user. If you need to run as root for
  development, rerun with the --no-sandbox flag.

So let's run as user "alice" and pass all commands using the small
helper function "ru" (to keep it short, it's for "Run as User").

Tested it by running the "stable" test on x86_64-linux.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: @globin
2017-02-07 07:36:56 +01:00
aszlig 87cc20eddb
nixos/networkd: Fix eval error for defaultGateway
Regression introduced by 0cb487ee04.

This changed the result for defaultGateway to be a submodule instead of
just a plain string, so instead of using just cfg.defaultGateway we need
to pass cfg.defaultGateway.address now.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
2017-02-07 07:05:31 +01:00
David McFarland 905627c7c5 xorg-server: fglrxCompat -> abiCompat
Allows it to be used for fglrx (1.17) and amdgpu-pro (1.18)
2017-02-06 23:16:21 -04:00
Matthew Bauer 3a9a707fd4
emacs24macport: remove 2017-02-06 16:46:05 -06:00
Shea Levy 714fdb425a firewall: Fix check for rpfilter on manual-config kernels 2017-02-06 16:43:23 -05:00
Matthias Beyer bf56d17b2c fixup! Add documentation for XFCE 2017-02-06 09:17:52 +01:00
Matthias Beyer 4b5a230d1d Add documentation for XFCE 2017-02-06 09:10:05 +01:00
Nikolay Amiantov 9beeee2717 Merge pull request #22431 from abbradar/postfix-local
postfix service: don't empty local_recipient_maps
2017-02-06 03:50:05 +03:00
Joachim Schiele d491728653 httpd: added serviceExpression which extends the serviceType concept -> allows that httpd services can live outside of nixpkgs (#22269) 2017-02-06 01:08:58 +01:00
Nikolay Amiantov 52c7e647ab postfix service: don't empty local_recipient_maps
From Postfix documentation:

With this setting, the Postfix SMTP server will not reject mail with "User
unknown in local recipient table". Don't do this on systems that receive mail
directly from the Internet. With today's worms and viruses, Postfix will become
a backscatter source: it accepts mail for non-existent recipients and then
tries to return that mail as "undeliverable" to the often forged sender
address.
2017-02-06 01:41:27 +03:00
Joachim F 4459f26ad8 Merge pull request #22175 from dancek/illum
illum: init at 0.4
2017-02-05 16:41:30 +01:00