3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

748 commits

Author SHA1 Message Date
Austin Seipp a3155a0e2a nixos: add a UID for Hydra
Otherwise the Hydra module can't be used when mutableUsers = false;

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 21:20:18 -05:00
Austin Seipp 64efd184ed grsecurity: Fix GRKERNSEC_PROC restrictions
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.

This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.

This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 11:16:05 -05:00
Austin Seipp 172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Shea Levy 0122697550 Revert "Merge branch 'postgresql-user' of git://github.com/ocharles/nixpkgs"
Reverting postgres superuser changes until after stable.

This reverts commit 6cc0cc7ff6, reversing
changes made to 3c4be425db.
2014-04-11 19:23:03 -04:00
Shea Levy 9b077bac58 Revert "postgresql: properly fix permissions issue by in postStart"
Reverting postgres superuser changes until after stable.

This reverts commit c66be6378d.
2014-04-11 19:22:43 -04:00
Shea Levy e9e60103de Revert "Create the 'postgres' superuser"
Reverting postgres superuser changes until after stable.

This reverts commit 7de29bd26f.
2014-04-11 19:22:39 -04:00
Shea Levy c23050e231 Revert "Use PostgreSQL 9.3's pg_isready to wait for connectivity"
Reverting postgres superuser changes until after stable.

This reverts commit e206684110.
2014-04-11 19:21:50 -04:00
Eelco Dolstra e2bc9a3d14 Include Archive::Cpio in the installation CD
http://hydra.nixos.org/build/10268978
2014-04-11 17:16:44 +02:00
Eelco Dolstra 13185280fe Fix tests broken due to the firewall being enabled by default 2014-04-11 17:16:44 +02:00
Eelco Dolstra 017408e048 Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel.  (Longer term, we should probably move to a single service
for managing the iptables rules.)
2014-04-11 17:16:44 +02:00
Eelco Dolstra b9281e6a2d Fix NAT module 2014-04-11 17:16:44 +02:00
Eelco Dolstra 2da09363bf nix: Update to 1.7 2014-04-11 12:24:48 +02:00
Peter Simons ad65a1e064 Revert "nixos: fix shell on conatiners"
This reverts commit c69577b7d6.
See https://github.com/NixOS/nixpkgs/pull/2198 for further details.
2014-04-11 12:07:00 +02:00
Eelco Dolstra d2155649af Merge branch 'containers'
Fixes #2105.
2014-04-10 15:55:51 +02:00
Eelco Dolstra 6a7a8a144f Document NixOS containers 2014-04-10 15:07:29 +02:00
Eelco Dolstra a34bfbab4c Add option networking.nat.internalInterfaces
This allows applying NAT to an interface, rather than an IP range.
2014-04-10 15:07:29 +02:00
Eelco Dolstra ac8c924c09 nixos-container: Add ‘run’ and ‘root-login’ commands
And remove ‘root-shell’.
2014-04-10 15:07:29 +02:00
Eelco Dolstra da4f180252 Bring back ‘nixos-container update’ 2014-04-10 15:07:29 +02:00
Eelco Dolstra 3dca6b98cb Fix permissions on /var/lib/startup-done 2014-04-10 15:07:28 +02:00
Peter Simons 26d8f54587 Merge pull request #2198 from offlinehacker/nixos/shadow/login_containers_fix
nixos: fix shell on conatiners
2014-04-10 12:39:19 +02:00
Peter Simons 0e147530ef Merge pull request #2199 from offlinehacker/nixos/ntp/containers_fix
nixos: disable ntp on containers by default
2014-04-10 12:33:35 +02:00
Jaka Hudoklin 0b170187e3 nixos: disable ntp on containers by default 2014-04-10 12:30:03 +02:00
Jaka Hudoklin c69577b7d6 nixos: fix shell on conatiners 2014-04-10 12:28:09 +02:00
aszlig 5dd14a1059
nixos/phpfpm: Add option to set PHP package.
This allows to easily override the used PHP package, especially for
example if you want to use PHP 5.5 or if you want to override the
derivation.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-04-10 07:52:26 +02:00
Shea Levy 9dcffe951d Merge branch 'cjdns' of git://github.com/ehmry/nixpkgs
cjdns: update to 20130303
2014-04-09 20:34:32 -04:00
Bjørn Forsman e856584e1a nixos/jenkins-service: fix 'group' option documentation
Both for master and slave.
2014-04-09 21:52:46 +02:00
Emery Hemingway 316e809ff8 cjdns: update to 20130303
build system is now nodejs based
new nixos module to start cjdns
2014-04-09 10:30:57 -04:00
Domen Kožar e5e27cfd64 Merge pull request #2153 from lethalman/gnome3
accounts-daemon service, fix gnome-shell, add libgnomekbd, musicbrainz5, sushi, gnome-contacts
2014-04-09 15:01:17 +02:00
Luca Bruno a3115707dd Add environment.gnome3.excludePackages
Give the user a full desktop, and the possibility to exclude
non-base packages from the default list of packages.
2014-04-09 00:36:53 +02:00
Luca Bruno c56af6102a at-spi2-core: add dbus module, enabled on gnome3 by default 2014-04-09 00:36:53 +02:00
Luca Bruno 8553993887 telepathy-mission-control: add dbus service, enabled by default on gnome3 2014-04-09 00:36:52 +02:00
Luca Bruno 2bc0f7b701 evolution-data-server: fix gsettings schemas and add dbus service 2014-04-09 00:36:51 +02:00
Shea Levy 452a1f9318 Revert "Turn on user-controlled wpa-cli on the livecd"
user-controlled wpa-cli requires explicit interface setting for some
reason

This reverts commit c6797b373f.
2014-04-08 18:26:52 -04:00
Eelco Dolstra 2bb8d963b1 Die tabs die 2014-04-09 00:17:16 +02:00
Eelco Dolstra e09250d41c Disable allowUnfree by default
Fixes #2134.
2014-04-09 00:09:31 +02:00
Eelco Dolstra caf98828bb nixos-generate-config: Fix PCI/USB checks
As reported by Kirill Elagin, read_file doesn't chomp its output. So
the equality tests on PCI/USB vendor and device IDs were failing.
2014-04-08 15:13:27 +02:00
Luca Bruno ea3644cb09 sushi: new package
A quick previewer for Nautilus

http://en.wikipedia.org/wiki/Sushi_(software)
2014-04-08 13:41:29 +02:00
Luca Bruno 06614031d6 accountservice: add dbus and systemd services
Enable by default with gnome3.
2014-04-08 13:39:48 +02:00
Eelco Dolstra 2ba552fb2e Revert "Fix services.udisks.enable."
This reverts commit 02a30bea44,
necessary after reverting to udisks 1.0.4.

http://hydra.nixos.org/build/10194840
2014-04-08 13:28:24 +02:00
Rickard Nilsson 604306c34a Don't add users if createUser is false 2014-04-08 12:36:03 +02:00
Eelco Dolstra 694cc6172a Enable the firewall by default
Fixes #2135.
2014-04-08 09:44:01 +02:00
Shea Levy efdb8a10ed Merge branch 'postgresql-user-fix' of git://github.com/ocharles/nixpkgs into fix-new-conduit
Create 'postgres' user and use pg_isready
2014-04-07 16:37:43 -04:00
Bjørn Forsman 8cd95471d7 nixos: add type definitions to virtualisation.libvirtd.* options 2014-04-07 21:31:29 +02:00
Eelco Dolstra eb22e5f026 Remove ignored argument to sync 2014-04-07 13:22:12 +02:00
Eelco Dolstra 2f51ca9609 Add a regression test for udisks 2014-04-07 13:22:12 +02:00
Eelco Dolstra 1f6bfa19ad Gnome 3 should not be a release blocker 2014-04-07 12:24:17 +02:00
Luca Bruno 5174e6db80 gnome-backgrounds: new package 2014-04-06 15:23:11 +02:00
Oliver Charles e206684110 Use PostgreSQL 9.3's pg_isready to wait for connectivity
The postgresql module has a postStart section that waits for a database
to accept connections before continuing. However, this assumes various
properties about the database - specifically the database user
and (implicitly) the database name. This means that for old
installations, this command fails because there is no 'postgres' user,
and the service never starts.

While 7deff39 does create the 'postgres' user, a better solution is to
use `pg_isready`, who's sole purpose is to check if the database is
accepting connections. This has no dependency on users, so should be
more robust.
2014-04-06 12:38:02 +01:00
Oliver Charles 7de29bd26f Create the 'postgres' superuser
Old PostgreSQL installations were created using the 'root' database
user. In this case, we need to create a new 'postgres' account, as we
now assume that this is the superuser account.

Unfortunately, these machines will be left with a 'root' user as
well (which will have ownership of some databases). While PostgreSQL
does let you rename superuser accounts, you can only do that when you
are connected as a *different* database user. Thus we'd have to create a
special superuser account to do the renaming. As we default to using
ident authentication, we would have to create a system level user to do
this. This all feels rather complex, so I'm currently opting to keep the
'root' user on these old machines.
2014-04-06 12:38:01 +01:00
Rickard Nilsson bf129a2c23 Allow undefined uids and gids when mutableUsers = true
Groups and users without gid/uid are created with
useradd/groupadd after the passwd/group merge phase
if mutableUsers = true.

This should fix #2114.
2014-04-06 12:42:55 +02:00
Austin Seipp 8d0259caf4 nixos: reserve some uids/gids
I have some NixOS modules that I keep out of tree, and having UIDs/GIDs
reserved is quite helpful.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 01:05:56 -05:00
Shea Levy d35619429a Merge branch 'cache.su' of git://github.com/wkennington/nixpkgs
su: Make the su package a provider of only the su binary

Fixes #1877
2014-04-05 18:49:30 -04:00
William A. Kennington III 28ab3acb58 su: Make the su package a provider of only the su binary
Additionally, provide su with the base system and remove su from the
util-linux package as it is now provided by shadow.
2014-04-05 16:01:52 -05:00
Shea Levy ad4965f54c Merge branch 'master.xauth' of git://github.com/wkennington/nixpkgs
ssh: Don't set xuth if not running xserver
2014-04-05 15:32:31 -04:00
Shea Levy a46d2e3150 Merge branch 'murmur' of git://github.com/thoughtpolice/nixpkgs
nixos: add Murmur module (Mumble chat)

Conflicts:
	nixos/modules/misc/ids.nix
2014-04-05 15:18:14 -04:00
Shea Levy ea9c8d6a13 Merge branch 'rippled' of git://github.com/ehmry/nixpkgs
rippled: initial pkg and module expressions

Had to change the rippled uid.

Conflicts:
	nixos/modules/misc/ids.nix
2014-04-05 14:23:29 -04:00
Domen Kožar 13bef7f403 Merge pull request #2127 from lethalman/gnome3
Gnome3 session changes, gnome-control-center icons
2014-04-05 00:35:06 +02:00
Luca Bruno 671e346eb2 gnome3: add glib-networking gio modules
With glib-networking, epiphany and other gnome apps
can access https and other networking protocols.
2014-04-04 23:45:06 +02:00
Shea Levy c6797b373f Turn on user-controlled wpa-cli on the livecd
Fixes #1204
2014-04-04 17:05:57 -04:00
Eelco Dolstra 6905aa1cf4 Merge pull request #2095 from geo-kollias/master
Added MonetDB NixOS module.
2014-04-04 13:55:24 +02:00
Domen Kožar f530ead0ba syncthing: add preStart script to create dataDir 2014-04-04 10:46:30 +02:00
Matej Cotman 7df1ce5088 syncthing: new package and nixos module 2014-04-04 10:46:29 +02:00
Shea Levy 8b5c617237 Add fuse to env by default
Fixes #458
2014-04-03 21:36:13 -04:00
Domen Kožar 52fbaee8d7 solr: add extraJars option 2014-04-03 22:46:45 +02:00
William A. Kennington III 6c6d7dc11d ssh: Don't set xauth if not running xserver 2014-04-03 14:28:45 -05:00
Eelco Dolstra 6e086caa8a xterm: Don't enable unless X11 is enabled 2014-04-03 20:44:57 +02:00
Eelco Dolstra 819e7c9fbd Add a test for NixOS containers 2014-04-03 16:36:24 +02:00
Eelco Dolstra 1e4fa227fe nixos-container: Don't destroy declarative containers 2014-04-03 16:36:24 +02:00
Eelco Dolstra b0b3fa928a Disable container support in containers
Systemd-nspawn doesn't support nesting, so providing nixos-container
inside a container doesn't make sense.
2014-04-03 16:36:23 +02:00
Eelco Dolstra 1ad9a654be Make starting a container synchronous
So now "systemctl start container@foo" will only return after the
container has reached multi-user.target.
2014-04-03 16:36:23 +02:00
Eelco Dolstra 269926df0d container-login.nix -> container-config.nix 2014-04-03 16:36:16 +02:00
Eelco Dolstra fee81c3739 Always enable container logins 2014-04-03 16:35:36 +02:00
Austin Seipp 788354cc34 nixos: add mumble test
This tests that both the client and server work. With screenshots!

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-02 03:55:37 -05:00
Austin Seipp f61110d65d nixos: murmur service
Murmur is the headless server component of the Mumble chat system.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-02 00:11:00 -05:00
George Kollias ec1acce4e9 fixed monetdb's gid to be the same with its id. 2014-04-01 20:41:37 +03:00
George Kollias 0ded8e6de3 Added MonetDB NixOS module. 2014-04-01 20:20:33 +03:00
Vladimír Čunát 6445ac90ad Merge master into x-updates 2014-04-01 10:49:31 +02:00
Emery Hemingway def448f127 rippled: added comment on commented out config options 2014-03-31 22:59:01 -04:00
Shea Levy c37bbda4a3 Merge branch 'psql-fix' of git://github.com/proger/nixpkgs
postgresql: properly fix permissions issue by in postStart
2014-03-31 21:45:11 -04:00
Eelco Dolstra 6da72a4456 nixos-container: Rewrite in Perl
Also fix race condition when multiple containers are created
simultaneously (as NixOps tends to do).
2014-03-31 19:49:15 +02:00
Eelco Dolstra 7ebd856a38 Provide nixos-container unconditionally 2014-03-31 19:49:01 +02:00
aszlig 9d8a8126e9
systemd: Add support for path units.
This allows to define systemd.path(5) units, for example like this:

{
  systemd = let
    description = "Set Key Permissions for xyz.key";
  in {
    paths.set-key-perms = {
      inherit description;
      before = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      pathConfig.PathChanged = "/run/keys/xyz.key";
    };

    services.set-key-perms = {
      inherit description;
      serviceConfig.Type = "oneshot";
      script = "chown myspecialkeyuser /run/keys/xyz.key";
    };
  };
}

The example here is actually useful in order to set permissions for the
NixOps keys target to ensure those permisisons aren't reset whenever the
key file is reuploaded.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-03-31 12:33:25 +02:00
Vladimir Kirillov c66be6378d postgresql: properly fix permissions issue by in postStart
as per postgresql manual, interactions with psql should be carried
out with the postgresql system user and postgresql db user by default.

ensure it happens in postStart.
2014-03-31 18:06:06 +08:00
Eelco Dolstra 5ba0d51f68 Fix VirtualBox image generation
http://hydra.nixos.org/build/9905410
2014-03-31 11:15:11 +02:00
Eelco Dolstra c20383e756 Another fix to the installer tests 2014-03-31 11:10:56 +02:00
Eelco Dolstra 0469f92faf Bring back mkOrder 2014-03-30 20:35:25 +02:00
Eelco Dolstra 0fdd641b21 Ensure that slim's theme applies to slimlock 2014-03-30 19:33:28 +02:00
Eelco Dolstra 075168ca81 nixos-hardware-scan: Detect QEMU 2014-03-30 17:27:18 +02:00
Eelco Dolstra aaf01268ff Revert "slim: remove duplicate code"
This reverts commit f7d5e83abb.  It
breaks the Firefox and Xfce tests:

  in job ‘tests.firefox.x86_64-linux’:
  cannot coerce a boolean to a string

  in job ‘tests.xfce.x86_64-linux’:
  infinite recursion encountered
2014-03-30 17:06:01 +02:00
Eelco Dolstra 1c192e1fea Another attempt to fix the installer test
http://hydra.nixos.org/build/9904133
2014-03-30 16:53:23 +02:00
Emery Hemingway 6c77690b28 rippled: initial pkg and module expressions
rippled is the Ripple P2P payment network reference server
https://ripple.com
2014-03-29 15:31:37 -04:00
Shea Levy ac68dc6dc6 Merge branch 'minecraft-server' of git://github.com/thoughtpolice/nixpkgs
nixpkgs: add Minecraft Server & a service module
2014-03-29 12:51:49 -04:00
Austin Seipp 1acca1c396 nixos: add minecraft-server service
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-29 05:31:27 -05:00
Jaka Hudoklin 227997d8ca nixos/rabbitmq: rewrite
- rewrite from old jobs options to new services
- add simple test
- add dataDir option
2014-03-29 10:56:07 +01:00
Shea Levy c23464672e sloppy sloppy Shea 2014-03-29 05:28:37 -04:00
Shea Levy 38cc80f4d8 D'oh 2014-03-29 05:25:16 -04:00
Shea Levy 1aa5589eef Merge branch 'virtualbox' of git://github.com/Calrama/nixpkgs
Update VirtualBox (and implicitly VirtualBox Guest Additions) to 4.3.6
and Oracle VM VirtualBox Extension Pack to 91406

Conflicts due to minor upgrade in the mean time

Conflicts:
	nixos/modules/virtualisation/virtualbox-guest.nix
	pkgs/applications/virtualization/virtualbox/default.nix
	pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
2014-03-29 00:23:54 -04:00
Shea Levy 63f97fe9db Merge branch 'slim_fix' of git://github.com/jagajaga/nixpkgs
add normal theme support for slim and slimlock
2014-03-29 00:17:52 -04:00
Shea Levy a82ca6a7f9 Merge branch 'disable-acpid' of git://github.com/ambrop72/nixpkgs
power-management: Don't enable acpid.
2014-03-28 23:52:56 -04:00
Shea Levy 7cebcb995d Merge branch 'cache.pcscd' of git://github.com/wkennington/nixpkgs
Update Smartcard Utils + Fix Daemon Expression
2014-03-28 23:45:00 -04:00