Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel. Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).
With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
Fixes#20713, though I'm certain nixpkgs contains loads of places
without proper quoting, as (ba)sh unfortunately encourages that.
The only plus side is that most of such problems in nixpkgs aren't
actually security problems but mere annoyance to those who are foolish
enough to use "weird" characters in critical names.
Allows one or more directories to be mounted as a read-only file system.
This makes it convenient to run volatile containers that do not retain
application state.
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
riak-cs: added to all-packages
Added Riak CS nix file to pkgs
Added service file for Riak CS
Removed Erlang_basho specific bindings from the Riak CS repo
riak-cs: changed description
riak-cs: added license
riak-cs: added maintainer
riak_cs: chgned indentations
riak-cs: removed overly complex srcs mechanism
riak-cs: added systemd module
riak-cs: changed Erlang module to Basho-specific version
riak-cs: made modular form
riak-cs: Added a default package in service options
riak-cs: Fixed default package in service options
riak-cs: Patched Makefile
riak_cs: added to module-list
riak_cs: changed from string to actual package in modules
riak-cs: changed example
riak-cs: removed default
riak-cs: changed to defaultText
stanchion: changed default option to defaultText
riak-cs: added defaults; changed types to str
riak-cs: added to all-packages
Added Riak CS nix file to pkgs
Added service file for Riak CS
Removed Erlang_basho specific bindings from the Riak CS repo
riak-cs: changed description
riak-cs: added license
riak-cs: added maintainer
riak_cs: chgned indentations
riak-cs: removed overly complex srcs mechanism
riak-cs: added systemd module
riak-cs: changed Erlang module to Basho-specific version
riak-cs: made modular form
riak-cs: Added a default package in service options
riak-cs: Fixed default package in service options
riak-cs: Patched Makefile
riak_cs: added to module-list
riak_cs: changed from string to actual package in modules
Using a custom package set with the NixOS module is no longer
something I wish to support. It's still *possible* but not
advertised. Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
Network Manager calls dhclient on container interfaces and fails
which locks you out of the container after a few seconds, unless
you tell it not to manage these interfaces.
Fix automatic mouse grabbing/releasing when running as a vmware guest.
1. The xf86inputvmmouse is not loaded by default. Add it.
2. InptutDevice sections for which specify a driver are ignored if
AutoAddDevices is enabled (which it is by default). See [1]. Instead use
an InputClass to load the vmmouse driver.
[1] https://www.x.org/archive/X11R7.7/doc/man/man5/xorg.conf.5.xhtml#heading8
The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.
Starting with NixOS/nix@5e51ffb1c2, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.
This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.
So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.
In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).
Tested against the "misc" and "printing" tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It was lacking the dbus configuration to bind to
org.freedesktop.DisplayManager, and it was passing fixed TTY/display
numbers to the X server (see 9be012f0d4).
Using the example before this commit resulted in the following error:
```
error: value is a string while a list was expected, at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/services/misc/nix-daemon.nix:349:37
```
* Sync systemd units with upstream. Upstream uses SIGUSR2 instead of SIGHUP
to reload the clamd service.
* Convert freshclam service to a oneshot service activated by a systemd timer.
This way we can make clamd wait for freshclam to finish fetching the virus
database before failing to start if the database doesn't exist yet.
* Fixes console tools to work as expected as they require hardcoded config
file locations.
This reverts commit daf3ba426b.
This is an alternative to 0ba3d429a7,
which disables the test outright. Briefly, exercising builders which
rely on import-from-derivation can cause Hydra jobsets to time out.
The old etcd port 4001 is no longer enabled by default in etcd 3.
The new port is 2379 and is officially assigned by IANA.
There were still some services left that expect etcd on port 4001 by default.
This changes the default to 2379 everywhere.
It should not cause problems for users as the etcd by nix does listen on the new port only by default anyway.
This brings in the new stable version 54 which also introduces a lot of
security fixes:
CVE-2016-5198: Out of bounds memory access in V8
CVE-2016-5181: Universal XSS in Blink
CVE-2016-5182: Heap overflow in Blink
CVE-2016-5183: Use after free in PDFium
CVE-2016-5184: Use after free in PDFium
CVE-2016-5185: Use after free in Blink
CVE-2016-5187: URL spoofing
CVE-2016-5188: UI spoofing
CVE-2016-5192: Cross-origin bypass in Blink
CVE-2016-5189: URL spoofing
CVE-2016-5186: Out of bounds read in DevTools
CVE-2016-5191: Universal XSS in Bookmarks
CVE-2016-5190: Use after free in Internals
CVE-2016-5193: Scheme bypass
Detailed announcements about these changes can be found here (latest to
oldest):
https://googlechromereleases.blogspot.de/2016/11/stable-channel-update-for-desktop.htmlhttps://googlechromereleases.blogspot.de/2016/10/stable-channel-update-for-desktop_20.htmlhttps://googlechromereleases.blogspot.de/2016/10/stable-channel-update-for-desktop.html
The update process of Chromium has been a bit bumpy on our side, because
version 54 also did the switch from GYP to GN so it wasn't just a matter
of updating the upstream-info file.
I've tested the Flash plugin (which runs fine) and WideVine manually,
although I couldn't get WideVine to work (I was running this within a VM
though).
So if people want to use WideVine they need to use Chrome instead until
we got this sorted out.
VM test results along with builds for all platforms can be found here:
https://headcounter.org/hydra/eval/339328
I'm going to backport these changes to stable as soon as the
tests/builds succeed there as well.
Closes: #19565Closes: #20120
Sometimes it happens that the "Type to search or enter a URL to
navigate" popup doesn't show, but all we need to know at this time is
whether Chromium has finished starting up.
So checking for the "startup done" page is a better option here.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Since 8180922d23, the cjdns module
imports from a derivation, which is very bad. It causes all of stdenv
to be built at evaluation time. Since we have a hard 3600 second limit
on Hydra evaluations, this was causing NixOS jobsets to time out.
@joachifm
This needs to be included for VirtualBox to detect that it needs to start the video driver. "modesetting" is also set in virtualbox-image.nix but this line seems to take precedence over that one (even though the virtualbox-image.nix has a higher override?) This should fix the problems that I and a few others have been having with the .ova files built for nixos.org.
Fixes#20007.
Using the --force option on GRUB isn't recommended, but there are very
specific instances where it makes sense. One example is installing on a
partitionless disk.
The current default probe config uses the unwrapped fping binary, which
leads to an error because fping must be executed with elevated
permissions.
I fixed this by changing the path to the default binary to the
setuid-wrapped version.
This commit includes two changes:
1. A new `extraConfig` option to allow administrators to set any
vsftpd configuration option that isn't directly supported by this
derivation.
2. Correctly set the `anon_root` vsftpd option to `anonymousUserHome`
In the prestart config of the smokeping service, smokeping is executed
initially. This happens as the user root and writes some files to
$smokepingHome, which can't be overwritten by the smokeping user. This
gives an error message.
I fixed this by moving the chown step after the initial smokeping runs,
so that it also affects the generated files.
The matrix-synapse user has `createHome = true;` which runs before the
`preStart` script, so the home directory will always exist and the block
will never execute.
Also don't include default path to keys in the configuration file,
because synapse will choke if it tries to open them before they
exist (even with `--generate-keys`).
The motivation for this change is the following: As gnu-netcat,
e. g. does not support ipv6, it is not suitable as default netcat.
This commit also fixes all obvious build issues caused by this change.
Thanks to @NeQuissimus in a5c1985fef for
updating busybox, which since version 1.25 doesn't allow local variables
outside of functions anymore (which is the desired behaviour).
See the following upstream commit of busybox which is the change that
let's this problem surface:
https://git.busybox.net/busybox/commit/?id=ef2386b80abfb22ccb697ddbdd4047aacc395c50
So this has been an error I've made on my end in
67223ee205, because I originally had a
function for killing the processes but desired to inline it because it's
only used in one place.
This fixes the boot-stage1 NixOS test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The old version would export two lists to a bash builder and do pairwise
processing on the bash side. In the new version we instead generate a
logic free builder on the Nix side. This is not only conceptually
simpler but reduces the amount of code and intermediate values.
`head -cNUM ... | tr -dc SET` might generate output containing fewer
than NUM characters. Given the limited alphabet, this could result in a
fairly weak passphrase. The construction `tr </dev/urandom | head
-cNUM`, however, is sure to give us the full `NUM`.
The dnsmasq instance run by the xen-bridge.service errorenously
hands out 172.16.0.0 as the netmask over DHCP to the VMs. This
commit removes the option responsible for that from dnsmasq.conf,
so that the proper netmask is inferred by dnsmasq instead.
Addresses https://github.com/NixOS/nixpkgs/issues/19883
The test complains[1][2] that
Failed to start message bus: Failed to bind socket "/run/dbus/system_bus_socket": No such file or directory
In 639e5401ff, the dbus socket dir is set
to `/run/dbus`; in the test vm `/var/run/dbus` is used, but the standard
`/run -> /var/run` link is typically not created until stage 2 init, not
in the minimal init used here. Thus, dbus fails to run within the test
environment . Fix by changing `/var/run/dbus` to simply `/run/dbus`.
[1]: https://hydra.nixos.org/build/42534725
[2]: https://hydra.nixos.org/build/42523834
The calls to iptables in xen-bridge.service were missing the -w switch,
which caused them to fail if another script was calling iptables
at the same time. Fix it by adding the -w switch.
Addresses https://github.com/NixOS/nixpkgs/issues/19849 .
`startAt = ""` as in `startAt = optionalString false ...` results
in an invalid timer unit (due to "" being promoted to a singleton
list and not filtered out).
Ref: c9941c4b5e
`startAt = ""` as in `startAt = optionalString false ...` results
in an invalid timer unit (due to "" being promoted to a singleton
list and not filtered out).
Ref: c9941c4b5e
* gnome3: default to 3.22
* zuki-themes: add src for gnome 3.22, remove 3.18
* gnome3_22.vte_290: copy from gnome3.20
* termite: use vte-select-text from gnome3_20
For some reason, between Linux 4.4.19 and 4.4.20, the atkbd and libps2
kernel modules lost their dependency on i8042 in modules.dep, causing
i8042 not to be included in the initrd. This breaks keyboard in the
initrd, in turn breaking LUKS.
This only happens on the 16.03 branch; on 16.09, it appears i8042 is
pulled into the initrd anyway (through some other dependency,
presumably). But let's include it explicitly.
http://hydra.nixos.org/build/40468431
It was already ordered after systemd-udev-settle.service, but that
doesn't do anything if no other units require
systemd-udev-settle.service. This was causing random failures during X
server startup, e.g.
machine# [ 12.691372] display-manager[607]: (EE) open /dev/dri/card0: No such file or directory
http://hydra.nixos.org/build/41062823
Currently only for the user services as NixOS handles the named system
instances slightly differently.
syncthing and syncthing-inotify are done the same way.
There are 4 parts to this:
1) Copy in the upstream unit files
2) Make the nixos module use the definition from upstream
3) Enable restarting of all instances (system and user) on resume
4) Allow the traffic in the firewall on default ports if wanted
fixes#18973
* Add extraOptions option, to pass arbitrary command line options to
atftp. Especially useful to specify which address to bind to
(--bind-addres ...).
* Improve descriptions (fix a typo, document default bind address,
don't repeat service name in systemd description + capitalize)
* Change default server directory from /var/empty to /srv/tftp, and
change types.str to types.path.
Commits
351d12437 ("nixos/release-notes: PHP config-file-scan-dir /etc -> /etc/php.d")
41c8aa8d6 ("php: change config-file-scan-dir from /etc to /etc/php.d")
were merged to master _after_ NixOS 16.09. Commit 351d12437 then wrongly
updated the NixSO 16.09 release notes. Fix by moving the entry to NixOS
17.03.
The new units mirror the upstream systemd units as closely as possible.
I could not find a reason why the service would need to be restarted on
resuming from suspend, and the upstream units also do not contain such a
restriction, so I removed the `partOf = [ "post-resume.target"]`.
This fixes#19525.
gnome-x-session provides good defaults which we really should not
override.
We have to add assertions to gdm.nix if the user specified one of those.
enableTCP must be configured through a gnome setting
dunno why we have terminate but it probably breaks stuff
We should expose configFile so we can use it from gdm module.
