3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

5314 commits

Author SHA1 Message Date
Joachim F 772a7bb49b Merge pull request #17425 from joachifm/grsec-efi
grsecurity module: disable EFI runtime services by default
2016-08-03 10:48:25 +02:00
Rodney Lorrimar 6711e62d51 nixos manual: add Emacs section (fixes #13217)
In light of Emacs packaging improvements such as those mentioned
in #11503, and with the addition of a systemd service (#15807
and #16356), and considering that the wiki page is completely
out of date (#13217), it seems that some documentation is in order.
2016-08-02 11:17:52 +01:00
Joachim Fasting 43fc394a5c
grsecurity module: disable EFI runtime services by default
Enabling EFI runtime services provides a venue for injecting code into
the kernel.

When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services.  The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).

This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
2016-08-02 10:24:49 +02:00
Joachim Fasting 79ac02ed64
dnscrypt-proxy service: update resolver list 2016-08-02 09:36:22 +02:00
Franz Pletz c90a43f4c5 nginx module: fix evaluation of root location option 2016-08-01 19:38:10 +02:00
Joachim Fasting d1572d06fe
grsecurity module: correct internal note 2016-08-01 16:27:14 +02:00
Rok Garbas 34237beca6 Merge pull request #15862 from mayflower/nginx-module
Declarative nginx module with ACME support
2016-08-01 13:10:06 +02:00
Joachim Fasting c91d07b668
dnscrypt-proxy module: types.string should be types.str 2016-08-01 12:55:42 +02:00
Eric Sagnes c7bd26e537 version module: refactor with fileContents 2016-08-01 18:40:36 +09:00
Eric Sagnes 1114ab41e6 release.nix: refactor with fileContents 2016-08-01 18:35:26 +09:00
Eelco Dolstra 0804f67024 Fix epub generation
* Hydra doesn't like spaces in filenames.

* The zip file contained nix/store/.../OEBPS rather than OEBPS at
  top-level, causing some programs (like okular) to barf.

* Remove the redundant $dst/epub directory.
2016-08-01 11:10:22 +02:00
Eelco Dolstra d5756cdf0a Remove the PDF manual
PDF is very 20th century and nobody reads technical documentation this
way anymore.
2016-08-01 11:10:21 +02:00
Eelco Dolstra 83eb49220b Manual: Only include the release number (e.g. 16.03)
This prevents gratuitous rebuilds of the manual every time the Git
revision changes.

Should help a bit with #17261.
2016-08-01 11:10:21 +02:00
Eelco Dolstra 2a05368ff3 Remove $NIXOS_LABEL and $NIXOS_VERSION
Relying on environment variables to override configuration options is
ugly, and there is no reason for them.
2016-08-01 11:10:02 +02:00
Gabriel Ebner dbd856d724 Merge pull request #17387 from cko/redis
redis: 3.0.7 -> 3.2.2
2016-08-01 08:13:08 +02:00
Franz Pletz d7f7ef4c21 Merge pull request #15496 from kampfschlaefer/containers_more_veth_interfaces
Declarative containers: more veth interfaces
2016-07-31 19:13:59 +02:00
Langston Barrett a28273df32 mopidy service: add default value for configuration (#17385)
Mopidy will start if the configuration is empty.

Fixes #17381.
2016-07-31 18:35:09 +02:00
Christine Koppelt 07ca9bd4bc Redis: add entry to release notes 2016-07-31 15:28:56 +02:00
Franz Pletz 76b21b7adb nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325)
Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.

Fixes #10101.
2016-07-31 13:49:24 +02:00
Profpatsch 8a6047a525 nixos/pulseaudio: increase service restart time
Pulseaudio doesn’t like being restarted too quickly.
2016-07-30 23:42:54 +02:00
Profpatsch 5074a79937 nixos/pulseaudio: tcp streaming & zeroconf
Adds options for tcp streaming and avahi zeroconf support (so that the
server can be easily found by clients).
There is also an option to allow anonymous clients to stream to the
server (by default pulseaudio uses a cookie mechanism, see manpage).
2016-07-30 23:42:54 +02:00
Thomas Tuegel d5bec1a145 kde5: rename extra-cmake-modules variants
Instead of one package `extra-cmake-modules`, there is now `ecm` and
`ecmNoHooks`. The latter is used when one does not want to incur a Qt 5
dependency; it is also available as a top-level package
`extra-cmake-modules`.
2016-07-30 14:06:43 -05:00
Gabriel Ebner 07fc65289a nixos/x11: remove unneccessary special cases 2016-07-30 17:03:16 +02:00
Gabriel Ebner 5c9309c231 xorg.xorgserver: enable glamor support 2016-07-30 13:37:51 +02:00
Thomas Tuegel 3dea00d90e nixos/kde: phonon moved to qt5 2016-07-29 10:29:15 -05:00
Rob Vermaas 9494b764d2 dd-agent: support jmx, needs a separate daemon nowadays.
(cherry picked from commit 1425a1f964)
2016-07-29 12:42:07 +00:00
Arnold Krille 07de11f165 containers: add myself to the maintainers of the tests
Seems like the right thing to do.
2016-07-28 23:06:41 +02:00
Arnold Krille 9045a8e24c declarative containers: additional veths
With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network.

The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers.

Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing.
2016-07-28 23:06:41 +02:00
Eelco Dolstra fd5bbdb436 nixos-containers: Set DevicePolicy=closed
This makes the container a bit more secure, by preventing root
creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)
2016-07-28 17:58:55 +02:00
Eelco Dolstra bf3edfbb3c nixos-containers: Use systemd 231's --notify-ready flag 2016-07-28 17:58:52 +02:00
Robin Gloster a193fecf0e nginx module: improve statusPage generated code
Adds ::1 as allowed host and turns of access_log for the status page.
2016-07-28 11:59:13 +00:00
Robin Gloster 3ccfca7d6b nginx module: httpConfig backward compatibility
Revert httpConfig its old behaviour and make it mutually exclusive to
the new structured configuration. Adds appendHttpConfig to have the
ability to write custom config in the generated http block.
2016-07-28 11:59:13 +00:00
Robin Gloster 511410789b nginx module: make client_max_body_size configurable 2016-07-28 11:59:13 +00:00
Tristan Helmich 8c61b3af03 nginx: fixed duplicate http declaration 2016-07-28 11:59:13 +00:00
Robin Gloster 91680de317 nginx module: add statusPage option 2016-07-28 11:59:13 +00:00
Robin Gloster a294ad01b3 nginx module: make recommended settings optional 2016-07-28 11:59:13 +00:00
Robin Gloster 186a8400ed nginx module: make httpConfig backward compatible 2016-07-28 11:59:13 +00:00
Robin Gloster 5dd7cf964a nginx module: improve documentation 2016-07-28 11:59:13 +00:00
Franz Pletz de8008a1b1 nginx module: Enable http2 2016-07-28 11:59:13 +00:00
Franz Pletz e982aeae6a nginx module: Add default proxy headers for tomcat 2016-07-28 11:59:13 +00:00
Robin Gloster 3830a890ab nginx module: add option to make vhost default 2016-07-28 11:59:13 +00:00
Robin Gloster 138945500e nginx module: implement basic auth 2016-07-28 11:59:13 +00:00
Robin Gloster ff12ee35b7 nginx module: redirect to same protocol 2016-07-28 11:59:13 +00:00
Robin Gloster e18f8e8b66 nginx module: turn off basic auth on acme locations 2016-07-28 11:59:13 +00:00
Franz Pletz 4e5c7913e9 nginx module: Add acmeFallbackHost vhost option 2016-07-28 11:59:13 +00:00
Franz Pletz 811f243ce6 nginx module: Add extraConfig for locations 2016-07-28 11:59:13 +00:00
Franz Pletz d5a097fdb6 nginx module: Don't create acme certs if acme is not enabled 2016-07-28 11:59:13 +00:00
Tristan Helmich c61157b7e6 nginx module: Add dhParams option 2016-07-28 11:59:13 +00:00
Tristan Helmich 35d76a72ab nginx module: Add sslCiphers option 2016-07-28 11:59:13 +00:00
Tristan Helmich 8bd1f401bb nginx module: Add sslProtocols option 2016-07-28 11:59:13 +00:00