- Fix --no-bootloader which didn't do what it advertised
- Hardcode nixbld GID so that systems which do not have a nixbld user
can still run nixos-install (only with --closure since they can't
build anything)
- Cleanup: get rid of NIX_CONF_DIR(=/tmp)/nix.conf and pass arguments instead
- Cleanup: don't assume that the target system has '<nixpkgs/nixos>' or
'<nixos-config>' to see if config.users.mutableUsers. Instead check if
/var/setuid-wrappers/passwd is there
Installing NixOS now works from a Ubuntu host (using --closure).
nix-build -A tests.installer.simple '<nixpkgs/nixos/release.nix>' succeeds ✓
While useless, some builds may dabble with setuid bits (e.g.,
util-linux), which breaks under grsec. In the interest of user
friendliness, we once again compromise by disabling an otherwise useful
feature ...
Closes https://github.com/NixOS/nixpkgs/issues/17501
It uses import-from-derivation, which is a bad thing, because this
causes hydra-evaluator to build Cassandra at evaluation time.
$ nix-instantiate nixos/release.nix -A tests.cassandra.i686-linux --dry-run
error: cannot read ‘/nix/store/c41blyjz6pfvk9fnvrn6miihq5w3j0l4-cassandra-2.0.16/conf/cassandra-env.sh’, since path ‘/nix/store/0j9ax4z8xhaz5lhrwl3bwj10waxs3hgy-cassandra-2.0.16.drv’ is not valid, at /home/eelco/Dev/nixpkgs/nixos/modules/services/databases/cassandra.nix:373:11
Also, the module is a mess (bad option descriptions, poor indentation,
a gazillion options where a generic "config" option would suffice, it
opens ports in the firewall, it sets vm.swappiness, ...).
- Agent now takes a full URL to the Go.CD server
- Instruct the agent to attempt restart every 30s upon failure
- Test's Accept header did not match the server's expectation
- Replace the tests' complex Awk matches with calls to `jq`
Update gocd-agent package version to 16.6.0-3590 including new sha. Modify heapSize
and maxMemory mkOption to accurately reflect their intended purpose of configuring
initial java heap sizes.
Addresses #17218 in a better way in that it doesn't create a
".git-revision" file on every nixos-rebuild, because we already have
".git" available. Even if we don't nixos-rebuild can't create the
"git-revision" file.
Tested via:
nix-build -E '(import ./nixos/tests/make-test.nix {
name = "foo";
machine = {};
testScript = "startAll; $machine->execute(\"nixos-version >&2\");";
})'
Closes: #17610
Acked-by: @bennofs
Let's first try if we can determine the Git revision from the .git
directory and if that fails, fall back to get the info from the
".git-revision" file... and after that use something generic like
"master".
This should address #17218 in better way, because we don't need to
create another redundant file in the source checkout of nixpkgs.
I'm not going to route of falling back to using .git, because after
55d881e, we already have ".git-revision" files in people's Git
repositories, which in turn means that nixos-version will report that
old file every time even if the working tree has updated.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @bennofs, Profpatsch
Reported-by: @devhell
Fixes: #17218
This reverts commit 1e534e234b.
We already should have a .git directory if it is managed via Git,
otherwise there is no way to get the Git revision if neither
.git-revision or .git is present.
But having .git-revision _and_ .git present seems very much redundant to
me.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @bennofs, @Profpatsch
Issue: #17218
The builder has this convoluted `while` loop which just replicates
`readlink -e`. I'm sure there was a reason at one point, because the
loop has been there since time immemorial. It kept getting copied
around, I suspect because nobody bothered to understand what it actually
did.
Incidentally, this fixes#17513, but I have no idea why.
From @fpletz: Keep poolConfigs option for backwards-compatibility.
The original commit 6b3f5b5a42 was previously
reverted by c7860cae1a but the issues were
resolved.
Closes#17460
Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.
Does not trigger a Chromium rebuild.
cc @cleverca22 @joachifm @jasom
The varnish tools (varnishstat, varnishlog, ...) tried to load the VSM
file from a spurious var directory in the Nix store. Fix the default so
the tools "just work" when also keeping services.varnish.stateDir at the
default.
Notes:
- The tools use $localstatedir/$HOSTNAME so I've adapted the default for
stateDir as well to contain hostName.
- Added postStop action to remove the localstatedir. There is no point
in keeping it around when varnish does not run, as it regenerates it
on startup anyway.
Fixes#7495
The name gitlab-runner clashes with a component of Gitlab CI with the
same name and only confuses people. It's now called gitlab-bundle and
a convenience-script gitlab-rake for easier invocation of rake tasks
was added. This was the primary use case of gitlab-runner.
The module will configure a Cassandra server with common options being
tweakable. Included is also a test which will spin up 3 nodes and
verify that the cluster can be formed, broken, and repaired.
In light of Emacs packaging improvements such as those mentioned
in #11503, and with the addition of a systemd service (#15807
and #16356), and considering that the wiki page is completely
out of date (#13217), it seems that some documentation is in order.
Enabling EFI runtime services provides a venue for injecting code into
the kernel.
When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services. The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).
This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
* Hydra doesn't like spaces in filenames.
* The zip file contained nix/store/.../OEBPS rather than OEBPS at
top-level, causing some programs (like okular) to barf.
* Remove the redundant $dst/epub directory.
Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.
Fixes#10101.
Adds options for tcp streaming and avahi zeroconf support (so that the
server can be easily found by clients).
There is also an option to allow anonymous clients to stream to the
server (by default pulseaudio uses a cookie mechanism, see manpage).
Instead of one package `extra-cmake-modules`, there is now `ecm` and
`ecmNoHooks`. The latter is used when one does not want to incur a Qt 5
dependency; it is also available as a top-level package
`extra-cmake-modules`.
With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network.
The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers.
Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing.
This makes the container a bit more secure, by preventing root
creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)
Revert httpConfig its old behaviour and make it mutually exclusive to
the new structured configuration. Adds appendHttpConfig to have the
ability to write custom config in the generated http block.
This reverts commit 6b3f5b5a42 because it
introduced a non-backwards compatible change in the phpfpm interface,
without really needing to. The new interface, if needed, can be re-added
alongside the old interface.
Commit 98e419c0e2 ("tt-rss service: init at 16.3")
depends on the new interface, so this commit updates the tt-rss service
to work with the old services.phpfpm.poolConfigs interface.
Update gocd-server package version to 16.6.0-3590 including new sha. Modify heapSize
and maxMemory mkOption to accurately reflect their intended purpose of configuring
initial java heap sizes.
Note: the option to configure the watchdog timeout seems to be gone
in the 2.3 series of Logstash. It complains about an unknown option
and it is not in the source anymore. I am thus removing this
configuration option to adjust the service to these changes, too.
This patch adds handling of a directory becoming a symlink in
/etc. Before this patch, the directory wasn't removed and then
symlinking failed, which caused directory not being updated at all.
The idea for the patch goes to @abbradar at
https://github.com/NixOS/nixpkgs/issues/16978#issuecomment-232921903:
> A heuristic idea for this -- a function `isStatic :: Path -> Bool`:
>
> * if path `/etc/foo` is a file, return True iff it's a symlink to `/etc/static/foo`.
> * if path is a directory, return True iff for all items in it `isStatic` is True.
>
> On any conflicts, if old path is static, it's safe to replace and/or
> delete stale. Otherwise make a backup and notify the user via a
> journal entry and console output.
The only difference here -- it will not replace user configs.
This also fixes https://github.com/NixOS/nixpkgs/issues/16978.
GoCD is an open source continuous delivery server specializing in advanced workflow
modeling and visualization. Update maintainers list to include swarren83. Update
module list to include gocd agent and server module. Update packages list to include
gocd agent and server package. Update version, revision and checksum for GoCD
release 16.5.0.
We currently only allow upstream's default of "reboot.target" due to the
way the symlinks are initialized. I made this configurable similar to the
default unit.
This moves nixos-containers into its own package so that it can be
relied upon by other packages/systems. This should make development
using dynamic containers much easier.
KDM and LightDM (at least with autologin) call the xsession-script with
two arguments: the first is the path of the xsession script itself,
while the second one are the actual arguments. The line to re-exec the
script under systemd-cat only forwarded a single argument, therefore
breaking LightDM and KDM login. This commit fixes the issue by always
forwarding all the arguments.
This reverts commit c69c76ca7e.
This patch was messed up during a rebase -- the commit title doesn't match what
it really does at all (it is actually a broken attempt to get LUKS passphrase
prompts in Plymouth).
The LUKS passphrase prompt has changed from "Enter passphrase" to "Enter
LUKS Passphrase" in c69c76ca7e, so the OCR
detection of the test fails indefinitely.
Unfortunately, this doesn't fix the test because we have a real problem
here:
Enter LUKS Passphrase:
killall: cryptsetup: no process killed
Enter LUKS Passphrase:
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
We need to pass certain environment variables through the wrapper, but I
don't know how to do that yet. The setuid-root feature serves only to
hide kdeinit from the OOM killer, so this is not critical.
As pointed out by @danbst, the tomcat NixOS module expects packages
listed in services.tomcat.webapps to either be direct .war file paths or
have .war files inside a "webapps" directory.
Commit 4075c10a59
("jenkins: move .war file from $out to $out/lib/jenkins.war") broke
jenkins + tomcat. Fix it by moving jenkins.war to $out/webapps/.
Fixes#14137, also known as:
$ nix-shell -p jenkins
bash: source: /nix/store/ln1yw6c2v8bb2cjqfr1z5aqcssw054wa-jenkins-2.3:
cannot execute binary file
[nix-shell exited with error]
The problem is that jenkins.war is not installed inside the directory
$out, but rather _as the file_ $out. Fix it by moving the file to
$out/lib/jenkins.war.
While at it, move buildCommand so that the "meta" section is at the end
of the expression (standard style), and quote shell variables.
systemd[11376]: caddy.service: Failed at step EXEC spawning /nix/store/ghpcwj6paccc92l1gk7ykb6gf2i2w6fi-go1.6-caddy-0.8.3/bin/caddy: No such file or directory
Every period, sa1 collects and stores data.
Every 24 hours, sa2 aggregates the previous day's data in to a
report.
Timers and unit configurations were lifted from Fedora's default
units.
A disabled systemd service with a "startAt" attribute, like this:
systemd.services.foo-service = {
enable = false;
startAt = "*-*-* 05:15:00";
...
};
will cause the following errors in the system journal:
systemd[1]: foo-service.timer: Refusing to start, unit to trigger not loaded.
systemd[1]: Failed to start foo-service.timer.
Fix it by not generating the corresponding timer unit when the service
is disabled.
Previously, the value from stdenv.platform.kernelDTB was used. That
doesn't work well if both kinds (DTB and non-DTB) of generations exist
in the system profile.
The shairport-sync service currently fails to start with the error
shairport avahi_entry_group_new failed
This problem seems to have been introduced by
cdd7310a50
After some trial and error I concluded that the attached commit is a minimal
fix.
Currently NixOS creates the swapfile (with the specified size) only if
it doesn't already exist. Changing the swapfile size afterwards will not
have any effect.
This commit changes that so the swapfile will be recreated whenever
swapDevices.*.size is changed (or more precisely, whenever the actual
file size differs from the configured one), allowing both growing and
shrinking the swapfile.
The service unit has "restartIfChanged = false", so we don't have to
worry about the swapfile being in use at the time this code is run (you
have to reboot for swapfile changes).
fallocate doesn't shrink files, use truncate for that. truncate can also
be used to grow files, but it creates "holes" in the file which doesn't
work with swapfiles.
':' is currently used as separator in /boot/grub/state for the list of
devices GRUB should be installed to. The problem is that ':' itself may
appear in a device path:
/dev/disk/by-id/usb-SanDisk_Cruzer_20043512300546C0B317-0:0
With such a path, NixOS will install GRUB *every* time, because it
thinks the configuration differs from the state file (due to the wrong
list split). Fix it by using ',' as separator.
For existing systems with GRUB installed on multiple devices, this
change means that GRUB will be installed one extra time.
- init gnome-software for gnome3 at 3.18.3
- list gnome-software as an "optional package" for gnome3
- enable packagekit service when gnome3 is enabled
- currently pulled in from Git until the next release of PackageKit
has Nix support
- also: add in a service module to start packagekit properly
- nixos service can be enabled via services.packagekit.enable
- packagekit requires nixunstable to build properly
Fixup regression introduced in commit 1bbcd91b2e
("spacefm: sudo and gksu fixes#15758 and license update").
A missing </filename> end tag caused this:
$ nixos-rebuild build
...
options-db.xml:4402: parser error : Opening and ending tag mismatch: filename line 4401 and para
</para><para><emphasis>Type:</emphasis> boolean</para><para><emphasis>Default:</
^
options-db.xml:4406: parser error : Opening and ending tag mismatch: filename line 4401 and listitem
</filename></member></simplelist></listitem></varlistentry><varliste
^
options-db.xml:4406: parser error : Opening and ending tag mismatch: para line 4401 and varlistentry
</filename></member></simplelist></listitem></varlistentry><varliste
^
options-db.xml:28430: parser error : Opening and ending tag mismatch: listitem line 4401 and variablelist
</filename></member></simplelist></listitem></varlistentry></variablelist
^
options-db.xml:28432: parser error : Premature end of data in tag varlistentry line 4401
- RPi3 successfully gets to U-Boot, but then fails to boot the kernel
due to a missing device tree file. This should get added to the 4.8
kernel release once this patch is merged: https://lkml.org/lkml/2016/6/1/841
- RPi2 is not tested, but it should successfully boot the NixOS image.
Instead of showing this output from "nixos-rebuild switch":
warning: not applying GID change of group ‘munin’
warning: not applying UID change of user ‘ntp’
print this:
warning: not applying GID change of group ‘munin’ (95 -> 102)
warning: not applying UID change of user ‘ntp’ (3 -> 179)
This makes it possible for users to take action and fixup the UIDs/GIDs
that NixOS won't touch.
Fixes issue when upgrading from very old NixOS systems that don't have
systemd-escape in $PATH:
$ sudo nixos-rebuild switch
...
building the system configuration...
updating GRUB 2 menu...
Can't exec "systemd-escape": No such file or directory at /nix/var/nix/profiles/system/bin/switch-to-configuration line 264.
Unable to escape /!
Fixes this (line wrapped):
$ gnome-control-center
[... click on the "Color" item ...]
(gnome-control-center:3977): color-cc-panel-WARNING **: \
The name org.freedesktop.ColorManager was not provided by any .service files
With this patch applied, the above warnings are not printed and the GUI
shows some devices that can be managed (my printer and display). Without
this patch the GUI is empty (non-functional).
(cups will also complain in the journal with a similar message when
doing print jobs, without this patch.)
The docstring for the `services.dbus.packages` configuration option only
mentioned one directory, but the implementation actually looked for DBus
config files in four separate places within the target packages. This
commit updates the docstring to reflect the actual implementation
behaviour.
stripHash uses a global variable to communicate it's computation
results, but it's not necessary. You can just pipe to stdout in a
subshell. A function mostly behaves like just another command.
baseHash() also introduces a suffix-stripping capability since it's
something the users of the function tend to use.
...by adding system-config-printer to services.dbus.packages (if
services.printing.enable is true).
Without this patch, trying to add a printer will result in a little dialog
saying "Failed to add new printer" and gnome-control-center will print this to
the terminal (line wrapped):
(gnome-control-center:3546): printers-cc-panel-WARNING **: \
GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: \
The name org.fedoraproject.Config.Printing was not provided by any .service files
system-config-printer supplies the "org.fedoraproject.Config.Printing" dbus
service, thus fixing the problem.
The tests need to expand passed variable and very carefully.
I could see no other easy way than to change single-quoting in
makeWrapper to double-quoting.
The tests now fail with the same problem as on master...
wpa_supplicant fails to start if the wireless interfaces aren't ready yet,
so we need to add a system ordering directive here to start wpa_supplicant
after the interfaces are ready. Note that Requires= is not enough since
it does not imply ordering.
I've failed to figure out what why `paxtest blackhat` hangs the vm, and
have resigned to running individual `paxtest` programs. This provides
limited coverage, but at least verifies that some important features are
in fact working.
Ideas for future work includes a subtest for basic desktop
functionality.
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose. That leaves no use for the grsecurity GID.
More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/resriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel. The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.
The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.
The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).
Administration of Grsecurity's role based access control system is yet
to be implemented.
We need to use wrapped modprobe, so that it finds the right
modules. Docker needs modprobe to load overlay kernel module
for example.
This fixes an an error starting docker if the booted system's kernel
version is different from the /run/current-system profile's one.
The update-resolve-conf script from the update-resolv-conf
package is very useful and should work in most of the common
cases, so this adds an option to enable it. The option is
disabled by default for backwards compatibility.
