3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

1057 commits

Author SHA1 Message Date
Bas van Dijk cd4486ecc3 nixos/prometheus/alertmanager: use DynamicUser instead of nobody
See issue #55370
2019-04-10 20:38:40 +02:00
Linus Heckemann 4557373d68
Merge pull request #58858 from worldofpeace/pantheon/lightdm-gtk-greeter
nixos/pantheon: enable lightdm gtk greeter
2019-04-10 09:36:20 +02:00
aszlig f98b4b0fda
nixos: Fix build of manual
Commit 29d7d8f44d has introduced another
section with the ID "sec-release-19.09-incompatibilities", which
subsequently causes the build to fail.

I just merged both sections and the manual is now building again.

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-09 17:18:43 +02:00
Bas van Dijk 2f2e2971d6
Merge pull request #58255 from jbgi/prometheus2
Add Prometheus 2 service in parallel with 1.x version (continuation)
2019-04-09 14:14:18 +02:00
Bas van Dijk b423b73adc nixos/doc: add Prometheus stateDir handling to rl-1909.xml 2019-04-09 13:13:44 +02:00
Linus Heckemann 0ce382d868 rl-1903: pantheon notes phrasing/organisation 2019-04-08 16:22:58 -04:00
Bas van Dijk 29d7d8f44d nixos/doc: added the Prometheus changes to the 19.09 release notes 2019-04-08 19:39:22 +02:00
tobias pflug 0e296d5fcd
Remove nodejs-6_x which is about to enter EOL
- Remove nodejs-6_x
- Set nodejs / nodejs-slim to nodejs-8_x / nodejs-slim-8_x
- Re-generate node2nix generated files using nodejs-8_x instead
2019-04-04 18:43:06 +01:00
Florian Klink 8313a5dcd3
Merge pull request #58588 from shazow/fix/vlc
vlc: Add chromecast support; libmicrodns: Init at 0.0.10
2019-04-01 17:16:42 +02:00
Andrey Petrov c37aa79639 vlc: add chromecastSupport option
Enables Chromecast support by default in VLC.

Fixes #58365.

Includes release note.
2019-04-01 09:44:56 -04:00
worldofpeace 099cc0482b nixos/pantheon: enable lightdm gtk greeter
Pantheon's greeter has numerous issues that cannot be
fixed in a timely manner, and users are better off if they just
didn't use it by default.
2019-03-29 21:29:59 -04:00
aszlig dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Florian Klink 8817bbefdb nixos/ldap: set proper User= and Group= for nslcd service
eb90d97009 broke nslcd, as /run/nslcd was
created/chowned as root user, while nslcd wants to do parts as nslcd
user.

This commit changes the nslcd to run with the proper uid/gid from the
start (through User= and Group=), so the RuntimeDirectory has proper
permissions, too.

In some cases, secrets are baked into nslcd's config file during startup
(so we don't want to provide it from the store).

This config file is normally hard-wired to /etc/nslcd.conf, but we don't
want to use PermissionsStartOnly anymore (#56265), and activation
scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf,
which now gets provisioned inside ExecStartPre=.

This change requires the files referenced to in
users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be
readable by the nslcd user (in the non-nslcd case, this was already the
case for users.ldap.bind.passwordFile)

fixes #57783
2019-03-28 13:08:47 +01:00
aszlig ada3239253
nixos/release-notes: Add entry about confinement
First of all, the reason I added this to the "highlights" section is
that we want users to be aware of these options, because in the end we
really want to decrease the attack surface of NixOS services and this is
a step towards improving that situation.

The reason why I'm adding this to the changelog of the NixOS 19.03
release instead of 19.09 is that it makes backporting services that use
these options easier. Doing the backport of the confinement module after
the official release would mean that it's not part of the release
announcement and potentially could fall under the radar of most users.

These options and the whole module also do not change anything in
existing services or affect other modules, so they're purely optional.

Adding this "last minute" to the 19.03 release doesn't hurt and is
probably a good preparation for the next months where we hopefully
confine as much services as we can :-)

I also have asked @samueldr and @lheckemann, whether they're okay with
the inclusion in 19.03. While so far only @samueldr has accepted the
change, we can still move the changelog entry to the NixOS 19.09 release
notes in case @lheckemann rejects it.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 21:07:07 +01:00
Matthew Bauer 38c6c7c8a3
Merge pull request #57617 from aaronjanse/patch-20190313a
nixos/manual: clarify declarative packages section
2019-03-25 22:16:47 -04:00
Danylo Hlynskyi 40cc269561
Merge branch 'master' into postgresql-socket-in-run 2019-03-25 01:06:59 +02:00
Dmitry Kalinkin 6f95ac3588
Merge pull request #57988 from lopsided98/buildbot-update
buildbot: 1.8.1 -> 2.1.0
2019-03-23 20:38:20 -04:00
Ben Wolsieffer b2e11e0cdf buildbot: 1.8.1 -> 2.1.0 2019-03-22 18:43:15 -04:00
Vladimír Čunát 1ad3f34a99
nixos manual Makefile: improve purity
And be quiet when building/downloading the required tools.
2019-03-22 14:48:08 +01:00
Vladimír Čunát 4c3ec0e325
nixos docs: run the formatting tool (no content change)
As documented in the docs themselves :-)
2019-03-22 14:44:11 +01:00
Vladimír Čunát 11d204a9c4
nixos docs: improve GPU driver documentation
I'm not 100% sure about the incompatibility lines,
but I believe it's better to discourage these anyway.
If you find better information, feel free to amend...

The 32-bit thing is completely GPU-agnostic, so I can't see why we had
it separately for proprietary drivers and missing for the rest.
2019-03-22 14:31:17 +01:00
Dmitry Moskowski 7e4ca152a4 added missing semicolon to documentation 2019-03-21 22:22:13 +00:00
Léo Gaspard 59c5630f60
Merge branch 'pr-57699'
* pr-57699:
  nixos/matrix: add manual section about self-hosting a matrix client and server
2019-03-16 14:48:39 +01:00
Florian Jacob ef52869ef1 nixos/matrix: add manual section
about self-hosting a matrix client and server
2019-03-16 14:26:07 +01:00
aszlig 116bdc9f55
nixos/manual: Document PostgreSQL socket change
This is a backwards-incompatible change and while it won't probably
affect a whole lot of users, it makes sense to give them a heads-up
anyway.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-16 03:03:21 +01:00
Aaron Janse 0258cff887
nixos/manual: reword note in declarative packages section 2019-03-14 21:11:27 -07:00
Aaron Janse f67eb111ac
nixos/manual: clarify declarative packages section 2019-03-13 18:40:00 -07:00
Andreas Rammhold c55427ca43
nixos/doc: add types prefix to addCheck example
The function `addCheck` resides within the attrset `types`. We should be
explicit about this since otherwise people might be confused where it
does come from / why it doesn't work for them.
2019-03-11 22:56:56 +01:00
Graham Christensen 777e94d903
Merge pull request #55436 from layus/warn-manual-ids
Nixos manual: error out on missing IDs
2019-03-09 08:21:07 -05:00
Danylo Hlynskyi 60e8fcf0e5
module system: revert "remove types.optionSet", just deprecate (#56857)
The explicit remove helped to uncover some hidden uses of `optionSet`
in NixOps. However it makes life harder for end-users of NixOps - it will
be impossible to deploy 19.03 systems with old NixOps, but there is no
new release of NixOps with `optionSet` fixes.

Also, "deprecation" process isn't well defined. Even that `optionSet` was
declared "deprecated" for many years, it was never announced. Hence, I
leave "deprecation" announce. Then, 3 releases after announce,
we can announce removal of this feature.

This type has to be removed, not `throw`-ed in runtime, because it makes
some perfectly fine code to fail. For example:
```
$ nix-instantiate --eval -E '(import <nixpkgs/lib>).types' --strict
trace: `types.list` is deprecated; use `types.listOf` instead
error: types.optionSet is deprecated; use types.submodule instead
(use '--show-trace' to show detailed location information)
```
2019-03-07 21:28:09 +02:00
Michael Raskin 500d61560f Release notes: switch to modesetting: mention backlight problem 2019-03-07 13:38:19 +01:00
Danylo Hlynskyi ef1911d045 zram: revert "change default algorithm to zstd" (#56856)
19.03 default kernel is still 4.14, which doesn't support zstd. So,
zramSwap in current fasion fails on default kernel.
2019-03-07 02:11:20 +02:00
Jan Malakhovski ca496b194f nixos: doc: increase maxdepth for xsltproc
See https://github.com/NixOS/nixpkgs/issues/37903#issuecomment-376618117
for details. With the previous patch and some custom modules included in
`configuration.nix` the above bug is very easy to trigger.

This is a simplest workaround I have. A proper solution would look like
https://github.com/NixOS/nixpkgs/issues/37903#issuecomment-376980838.
2019-03-05 09:41:40 +00:00
Arian van Putten 2e75a7b516 nixos: doc: optionally include all modules in manual generation
Before this change `man 5 configuration.nix` would only show options of modules in
the `baseModules` set, which consists only of the list of modules in
`nixos/modules/module-list.nix`

With this change applied and `documentation.nixos.includeAllModules` option enabled
all modules included in `configuration.nix` file will be used instead.

This makes configurations with custom modules self-documenting. It also means
that importing non-`baseModules` modules like `gce.nix` or `azure.nix`
will make their documentation available in `man 5 configuration.nix`.

`documentation.nixos.includeAllModules` is currently set to `false` by
default as enabling it usually uncovers bugs and prevents evaluation.
It should be set to `true` in a release or two.

This was originally implemented in #47177, edited for more configurability,
documented and rebased onto master by @oxij.
2019-03-05 09:41:40 +00:00
matix2267 6ab2aea003 nixos/doc: Small updates about wireless configuration. (#55918)
* Reference networking section from installation
* Add info about pskRaw option in networking.wireless.networks
2019-03-05 04:27:15 +02:00
Andreas Rammhold 768336a74b
Merge pull request #56233 from jtojnar/nginx-tlsv13
nixos/nginx: Enable TLS 1.3 support
2019-03-03 14:19:38 +01:00
Tristan Helmich (omniIT) 9efddfa2c1 graylog: 2.5.1 -> 3.0.0 2019-03-02 17:03:40 +00:00
Piotr Bogdan b01302b85e nixos/manual: fix build 2019-03-02 10:32:24 +00:00
Sarah Brofeldt ecd5ec3521
Merge pull request #56377 from LnL7/nixos-rebuild-edit
nixos-rebuild: add changelog/docs for edit subcommand
2019-03-02 10:12:07 +01:00
Frederik Rietdijk 2fcb11a244 Merge staging-next into master 2019-03-01 09:06:20 +01:00
Danylo Hlynskyi 79cc48cdbb
Revert "Merge pull request #54980 from danbst/etc-relative" (#56507)
This reverts commit 0b91fa43e4, reversing
changes made to 183919a0c0.
2019-02-28 07:48:40 +02:00
Domen Kožar 0fd85a1f99
nixos release: there's a wildcard protection now for release-* on github 2019-02-26 14:12:46 +07:00
Linus Heckemann bd018946eb 19.09 is Loris.
https://en.wikipedia.org/wiki/Loris
2019-02-25 23:21:14 +01:00
Daiderd Jordan ad0b82d067
nixos-rebuild: add changelog/docs for edit subcommand 2019-02-25 19:36:23 +01:00
Jan Tojnar f93ff28c62 nixos/nginx: Enable TLS 1.3 support 2019-02-25 16:47:19 +01:00
Silvan Mosberger 02db11d369
Merge pull request #55792 from sdier/fix/pam-update
Allow duosec to be used in nixos as a pam module.
2019-02-25 01:38:51 +01:00
Scott Dier a11ad16bd7 nixos/security: Add release note for duosec pam support for 19.03. 2019-02-24 22:49:01 +00:00
Frederik Rietdijk c2eac6741b Merge master into staging-next 2019-02-24 09:19:12 +01:00
Frederik Rietdijk 1fccd25595 buildPythonPackage: always export LANG=C.UTF-8 2019-02-23 20:08:26 +01:00
Austin Seipp c193b9c158
nixos/manual: fix missed <listitem> in highlights section
Otherwise, the "Kubernetes" note shows up inside the "Pantheon Desktop
Environment" highlight section.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2019-02-23 09:59:43 -06:00