3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

1274 commits

Author SHA1 Message Date
Leon Schuermann 415993d6b7 nixos-enter: silent activation script option
Also, fix a few shellcheck errors.
2019-08-13 23:48:58 +02:00
Aaron Andersen 6f6468bef3
Merge pull request #65728 from Infinisil/types-eithers
lib/types: Add oneOf, extension of either to a list of types
2019-08-13 11:48:42 -04:00
WilliButz 7a29431da9
Merge pull request #66561 from Ma27/document-user-services-on-rebuild
nixos/doc: document that services defined with `systemd.users` aren't restarted by nixos-rebuild
2019-08-13 16:43:40 +02:00
Maximilian Bosch 551230b7f6
nixos/doc: document that services defined with systemd.users aren't restarted by nixos-rebuild 2019-08-13 16:26:09 +02:00
WilliButz bab5455d80
Merge pull request #62914 from Ma27/improve-nixos-rebuild-manpage
doc/nixos-rebuild(8): add Nix options to summary
2019-08-13 15:54:51 +02:00
Marek Mahut c78fead206
Merge pull request #63735 from Ekleog/drop-old-kernels
manual: remind to drop kernels that will get EOL'd
2019-08-12 23:31:00 +02:00
worldofpeace 397c7d26fc installer: Don't run as root
There's many reason why it is and is going to
continue to be difficult to do this:

1. All display-managers (excluding slim) default PAM rules
   disallow root auto login.

2. We can't use wayland

3. We have to use system-wide pulseaudio

4. It could break applications in the session.
   This happened to dolphin in plasma5
   in the past.

This is a growing technical debt, let's just use
passwordless sudo.
2019-08-12 14:45:27 -04:00
worldofpeace e9e165fa23
Merge pull request #66449 from delroth/no-ibus-qt
nixos/ibus: do not default-install ibus-qt
2019-08-11 22:41:02 -04:00
Pierre Bourdon 67d1cf4707
nixos/ibus: do not default-install ibus-qt
ibus-qt has not seen a release in 5 years and is only relevant for Qt
4.x, which is becoming more and more rare. Using my current laptop as a
data point, ibus-qt is the only dependency left that drags in qt-4.8.7.
2019-08-10 19:37:12 +02:00
Domen Kožar 5ce8864c54
Merge pull request #66328 from domenkozar/nixos-options-doc
Extract NixOS options documentation generation to a function
2019-08-10 14:07:19 +02:00
Matthew Bauer ddf38a8241
Merge pull request #65002 from matthewbauer/binfmt-wasm
Add binfmt interpreter for wasm
2019-08-09 14:04:21 -04:00
Silvan Mosberger 013d403f30
nixos/dwm-status: add module (#51319)
nixos/dwm-status: add module
2019-08-09 15:39:50 +02:00
Domen Kožar 5cfd034af0
Extract NixOS options documentation generation to a function
Motivation is to support other repositories containing nixos
modules that would like to generate options documentation:

- nix-darwin
- private repos
- arion
- ??
2019-08-08 16:18:09 +02:00
Silvan Mosberger 9a44f44d4c
lib/types: Add oneOf, extension of either to a list of types 2019-08-06 14:08:42 +02:00
danbst 29ba0a0adf add release notes 2019-08-05 14:34:51 +03:00
Danylo Hlynskyi 7585496eff
Merge branch 'master' into flip-map-foreach 2019-08-05 14:09:28 +03:00
danbst 0f8596ab3f mass replace "flip map -> forEach"
See `forEach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /forEach /g'
```
2019-08-05 14:03:38 +03:00
danbst 91bb646e98 Revert "mass replace "flip map -> foreach""
This reverts commit 3b0534310c.
2019-08-05 14:01:45 +03:00
WilliButz 370370aa2c
nixos/release-notes: add note about prometheus-exporters 2019-08-02 18:50:02 +02:00
Susan Potter 6923b76eb5
nixos/doc+manual: change copyright year 2018->2019 2019-08-02 10:45:04 -05:00
Robin Gloster 30969073f0
Merge remote-tracking branch 'upstream/master' into openssl-1.1 2019-08-02 03:01:30 +02:00
adisbladis 9e9c6de50c
nodejs-8_x: Drop package
It will be EOL within the support period of 19.09
2019-08-02 02:34:47 +02:00
Aaron Andersen a1f738ba87
Merge pull request #62748 from aanderse/mediawiki
nixos/mediawiki: init service to replace httpd subservice
2019-07-31 22:12:23 -04:00
Robin Gloster 9b750c2474
shibboleth-sp: 2.6.1 -> 3.0.4.1 2019-07-30 00:06:12 +02:00
Silvan Mosberger d3dfe06c38
nixos/xserver: add option to install custom xkb layouts (#47764)
nixos/xserver: add option to install custom xkb layouts
2019-07-26 20:43:37 +02:00
rnhmjoj e91f0c38c0
docs/xserver: use <note> tag for notes 2019-07-26 18:08:05 +02:00
rnhmjoj 3effc55b5b
docs/xserver: document xserver.extraLayouts 2019-07-26 18:08:04 +02:00
Léo Gaspard 5f33bcd953
matrix-synapse: fix documentation better 2019-07-25 15:37:32 +02:00
Aaron Andersen ebd9067473 nixos/mediawiki: add release notes for 19.09 2019-07-23 22:03:20 -04:00
Aaron Andersen 72ef4786e1
Merge pull request #64151 from aanderse/httpd-extraSubservices
nixos/httpd: module cleanup
2019-07-23 21:58:40 -04:00
Maximilian Bosch 3944aa051c
nixos/nextcloud: write config to additional config file
One of the main problems of the Nextcloud module is that it's currently
not possible to alter e.g. database configuration after the initial
setup as it's written by their imperative installer to a file.

After some research[1] it turned out that it's possible to override all values
with an additional config file. The documentation has been
slightly updated to remain up-to-date, but the warnings should
remain there as the imperative configuration is still used and may cause
unwanted side-effects.

Also simplified the postgresql test which uses `ensure{Databases,Users}` to
configure the database.

Fixes #49783

[1] https://github.com/NixOS/nixpkgs/issues/49783#issuecomment-483063922
2019-07-22 18:29:52 +02:00
WilliButz 294bed66dc
nixos/release-notes: add note about nginx-exporter 2019-07-22 16:41:10 +02:00
Aaron Andersen 9b970d07f3 nixos/httpd: drop postgresql reference 2019-07-20 18:36:24 -04:00
Aaron Andersen 0fd69629c7 nixos/httpd: mark extraSubservices option as deprecated 2019-07-20 18:36:19 -04:00
Graham Christensen d51b522a6e
Merge pull request #64052 from aanderse/tomcat-connector
nixos/httpd: drop tomcat-connector httpd subservice
2019-07-19 15:25:44 -04:00
Matthew Bauer 857f7fb4af nixos/binfmt: update release notes and provide examples 2019-07-17 17:09:20 -04:00
Linus Heckemann a935eff7fa
Merge pull request #62835 from lheckemann/ipv6-privacy-extensions
Ipv6 privacy extensions
2019-07-14 19:27:54 +02:00
danbst 3b0534310c mass replace "flip map -> foreach"
See `foreach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /foreach /g'
```
2019-07-14 13:46:10 +03:00
Léo Gaspard 8f38f0341c
Merge pull request #63639 from Ekleog/fix-matrix-doc
matrix-synapse: fix documentation
2019-07-13 18:17:14 +02:00
Aaron Andersen c13fbe0551
Merge pull request #63844 from aanderse/zabbix-cleanup
nixos/zabbix: overhaul package & module
2019-07-12 06:12:51 -04:00
Aaron Andersen 08286b4f29 nixos/httpd: drop tomcat-connector httpd subservice 2019-07-11 20:58:55 -04:00
Aaron Andersen 649ec93c37 foswiki: drop package & httpd subservice 2019-07-11 19:46:30 -04:00
Aaron Andersen 6a1de5460b nixos/httpd: remove broken trac subservice 2019-07-11 19:19:27 -04:00
Aaron Andersen 6891fb4103 nixos/zabbixWeb: replace httpd subservice with new module 2019-07-11 18:45:46 -04:00
Aaron Andersen ca336ac985
Merge pull request #64050 from aanderse/mercurial
nixos/httpd: drop mercurial httpd subservice
2019-07-09 12:54:01 -04:00
Ben Wolsieffer d82840dbd1 nixos/release-notes: fix bad merge of cargo-vendor entry and overall indentation 2019-07-08 21:13:58 -04:00
adisbladis d614edeb32
Revert Nodejs-8_x deprecation
This was supposed to go through a pull request

Revert "nodePackages: Regenerate node packages for nodejs 10 & 12"
This reverts commit 6a17bdf397.

Revert "nodejs-8_x: Drop package"
This reverts commit e06c97b71d.
2019-07-05 12:23:27 +01:00
adisbladis e06c97b71d
nodejs-8_x: Drop package
It will be EOL within the support period of 19.09
2019-07-05 12:21:42 +01:00
Danylo Hlynskyi d0e3c02a49
Merge pull request #63954 from nh2/consul-1.5.2
consul: 1.4.2 -> 1.4.4 -> 1.5.2
2019-07-04 19:55:39 +03:00
Elis Hirwing 80c7463a92
php: drop 7.1
PHP 7.1 is currently on life support, as in only recieving security related patches.

This will only continue until: 2019-12-01

This date are in the middle of the 19.09 lifecycle. So it would be
nice to not have it in the 19.09 stable release. Dropping it now would
also result in less maintanance in updating them.

The death dates can be seen on following links:
 - https://endoflife.date/php
 - https://php.net/supported-versions.php
 - https://en.wikipedia.org/wiki/PHP#Release_history
2019-07-04 14:31:49 +02:00
Aaron Andersen b9e68389d1 nixos/wordpress: add release notes for 19.09 2019-07-03 11:50:34 -04:00
Aaron Andersen f2a499549f nixos/httpd: drop mercurial httpd subservice 2019-07-01 15:34:00 -04:00
Niklas Hambüchen 9d17e5e77c manual: Add consul upgrade notes 2019-06-30 17:08:08 +02:00
Matthias Beyer fe6bb17872 Add missing semicolon (#63919)
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
2019-06-29 15:52:21 +00:00
Léo Gaspard 6a2abeb6b4
Update nixos/doc/manual/development/releases.xml
Co-Authored-By: Alyssa Ross <hi@alyssa.is>
2019-06-24 18:57:24 +02:00
Léo Gaspard 980b5e0c88 manual: remind to drop kernels that will get EOL'd 2019-06-24 17:11:54 +02:00
Léo Gaspard 94acf13957
matrix-synapse: fix documentation 2019-06-22 02:32:29 +02:00
Frederik Rietdijk 41377252e5 Merge master into staging-next 2019-06-18 10:53:28 +02:00
Jan Tojnar a3f2131eb6 doc: Use prompt more often 2019-06-17 13:25:50 +02:00
Jan Tojnar 11cb382a4c
nixos/doc: Fix spurious indentation 2019-06-17 12:28:26 +02:00
Frederik Rietdijk 7adbdd9758 Merge master into staging-next 2019-06-16 09:04:24 +02:00
Frederik Rietdijk 395da1280e
Merge pull request #63100 from aanderse/phabricator-remove
drop unmaintained phabricator package, service, and httpd subservice
2019-06-15 13:08:48 +02:00
Aaron Andersen 3fabe1accb nixos/release-notes: add entry for phabricator 2019-06-15 07:02:11 -04:00
Frederik Rietdijk 7953a65269 Merge staging-next into staging 2019-06-12 09:24:00 +02:00
Frederik Rietdijk 7184efb40a Merge master into staging-next 2019-06-12 09:22:07 +02:00
Tobias Happ 003b42f332 nixos/dwm-status: add module 2019-06-12 00:15:10 +02:00
Robin Gloster 68c30f0d9b
Merge pull request #62153 from WilliButz/avahi-refactor
avahi: set service directory and refactor module
2019-06-11 14:04:33 +00:00
adisbladis 32b374f780
Merge pull request #62315 from adisbladis/pulseaudio/resample-method
nixos/pulseaudio: Set speex-float-5 as default resample-method
2019-06-10 15:05:44 +02:00
Maximilian Bosch 338a6e3f38
Merge pull request #62935 from danieldk/cargo-vendor-change-doc
nixos/release-notes: document changed CargoSha256 hashes
2019-06-10 10:56:33 +02:00
Frederik Rietdijk e58f0f6c99 Merge master into staging-next 2019-06-10 10:35:50 +02:00
Daniël de Kok b5b5648be8 nixos/release-notes: document changed CargoSha256 hashes
cargoSha256 hashes change as result of changes in cargo-vendor, as
discussed in #60668.
2019-06-10 08:42:19 +02:00
Maximilian Bosch eacd1b75dc
doc/nixos-rebuild(8): add Nix options to summary
It seems as the sentence at the bottom of the option summary about
Nix-specific options isn't enough, it's probably more helpful to list
those options in the synopsis as well.
2019-06-10 02:10:23 +02:00
Frederik Rietdijk d3afcac771 Merge master into staging-next 2019-06-09 12:28:52 +02:00
Elis Hirwing 40af20b472
php: Upgrade to php73 as default php 2019-06-09 11:18:44 +02:00
Izorkin 82ad143a51
nixos/zsh: move zsh setopt 2019-06-09 00:13:01 +02:00
Linus Heckemann ab225fc1ab release notes: document IPv6 privacy extensions change 2019-06-07 21:53:59 +02:00
worldofpeace 29cc54c383 rl-1909: add note about PulseAudio resample-method 2019-06-06 18:50:33 -04:00
Robin Gloster 2cca7180c1
Merge pull request #60029 from Ma27/configure-ipv4-for-imperative-container
nixos-container: allow setting custom local and host address
2019-06-06 07:35:07 +00:00
Vladimír Čunát c0ccf42c69
Merge branch 'staging-next' into staging 2019-06-05 11:12:34 +02:00
WilliButz 229e7834eb
nixos/doc: add section about avahi changes 2019-06-04 00:23:49 +02:00
Vladimír Čunát ee86a325dd
Merge branch 'staging-next' into staging
Conflicts (simple):
	nixos/doc/manual/release-notes/rl-1909.xml
2019-06-03 22:34:49 +02:00
Andreas Rammhold 9077623324
nixos/misc: warn when someone is using the nixops autoLuks module
The autoLuks module is not really compatible with the updated systemd
version anymore. We started dropping NixOS specific patches that caused
unwanted side effects that we had to work around otherwise.

This change points users towards the relevant PR and spits out a bit of
information on how to deal with the situation.
2019-06-03 15:05:23 +02:00
Andreas Rammhold 024a383d64
nixos/systemd: migrate systemd-timesync state when required
Somewhen between systemd v239 and v242 upstream decided to no longer run
a few system services with `DyanmicUser=1` but failed to provide a
migration path for all the state those services left behind.

For the case of systemd-timesync the state has to be moved from
/var/lib/private/systemd/timesync to /var/lib/systemd/timesync if
/var/lib/systemd/timesync is currently a symlink.

We only do this if the stateVersion is still below 19.09 to avoid
starting to have an ever growing activation script for (then) ancient
systemd migrations that are no longer required.

See https://github.com/systemd/systemd/issues/12131 for details about
the missing migration path and related discussion.
2019-06-03 15:05:19 +02:00
Andreas Rammhold 1b7b1dbe2f
nixos/networkd: rename GatewayOnlink to GatewayOnLink
This follows upstreams renaming of the option [1].

[1] 9cb8c55934
2019-06-03 15:05:17 +02:00
Daniël de Kok 344ccd0d6d nixos/release-notes: mention removal of Bittorrent Sync 2019-06-03 09:18:39 +02:00
Aaron Andersen ce778b8292 nixos: remove duplicate section from release notes 2019-06-02 10:14:16 -04:00
Matthew Bauer f21b846afe
Merge pull request #57752 from aanderse/limesurvey
limesurvey: 2.05_plus_141210 -> 3.17.1+190408, init module
2019-06-01 17:31:15 -04:00
Florian Klink 5ea7a3eb21 nixos/mysql: drop services.mysql.pidDir
mysql already has its socket path hardcoded to to
/run/mysqld/mysqld.sock.
There's not much value in making the pidDir configurable, which also
points to /run/mysqld by default.

We only seem to use `services.mysql.pidDir` in the wordpress startup
script, to wait for mysql to boot up, but we can also simply wait on the
(hardcoded) socket location too.

A much nicer way to accomplish that would be to properly describe a
dependency on mysqld.service. This however is not easily doable, due to
how the apache-httpd module was designed.
2019-05-31 22:27:55 +02:00
Florian Klink edd10c12f7 nixos/mysql: run as mysql user and group
As we don't need to setup data directories from ExecStartPre= scripts
anymore, which required root, but use systemd.tmpfiles.rules instead,
everything can be run as just the mysql user.
2019-05-31 22:27:55 +02:00
Aaron Andersen 5cf98d29e7 nixos/limesurvey: init module to replace apache subservice 2019-05-28 23:02:34 -04:00
Maximilian Bosch a9d67d54b0
hunspellDicts.fr-any: link fr-moderne to fr_FR
Some packages like `ibus-engines.typing-booster` require the dictionary
`fr_FR.dic` to provide proper support for the french language.

Until now the hunspell package set of nixpkgs didn't provide this
dictionary. It has been recommended to use `fr-moderne` as base and link
`fr_FR.dic` from it as done by other distros such as ArchLinux.

See https://github.com/NixOS/nixpkgs/issues/46940#issuecomment-423684570

Fixes #46940
2019-05-23 15:53:50 +02:00
Vladimír Čunát dd917dc71a nixos/release-notes: mention length of release support
I took the date for 19.03 from the announcement:
https://discourse.nixos.org/t/nixos-19-03-release/2652
2019-05-20 12:31:24 +01:00
Elis Hirwing 02cd2b00e7
emby: Drop package and module and refer to jellyfin 2019-05-01 17:47:32 +02:00
Florian Klink 033882e0b7
Merge pull request #60019 from aanderse/nzbget
nzbget: fix broken service, as well as some improvements
2019-04-27 18:26:50 +02:00
aszlig 7ba9b0a41b
nixos: Fix build of manual
The build error has been introduced by 56dcc319cf.

Using a <simplesect/> within a <para/> is not allowed and subsequently
fails to validate while building the manual.

So instead, I moved the <simplesect/> further down and outside of the
<para/> to fix this.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @aaronjanse, @Lassulus, @danbst
2019-04-27 12:39:37 +02:00
Lassulus f099d3d8b6
Merge pull request #57561 from aaronjanse/patch-5
nixos/manual: document auto-login
2019-04-27 16:07:06 +09:00
Aaron Andersen 5b76046db3 nixos/nzbget: fix broken service, add a nixos test, as well as some general improvements 2019-04-25 20:28:39 -04:00
Maximilian Bosch c957341ef5
nixos-container: allow setting custom local and host address
I have a nixops network where I deploy containers using the `container`
backend which uses `nixos-container` intenrally to deploy several
containers to a certain host.

During that time I removed and added new containers and while trying to
deploy those to a different host I realized that it isn't guaranteed
that each container gets the same IP address which is a problem as some
parts of the deployment need to know which container is using which IP
(i.e. to configure port forwarding on the host).

With this change you can specify the container's IP like this (and don't
have to use the arbitrarily used 10.233.0.0/16 subnet):

```
$ nixos-container create test --config-file test-container.nix \
    --local-address 10.235.1.2 --host-address 10.235.1.1
```
2019-04-22 18:13:45 +02:00
Bas van Dijk e7fadde7a7 nixos/doc: remove prometheus2 notes from the 19.09 release notes
prometheus2 has been backported to 19.03 so it won't be new for 19.09.
2019-04-16 09:47:45 +02:00
adisbladis 4b4caa9413
Merge pull request #59368 from suhr/tox-node
nixos/tox-node: init
2019-04-15 12:28:27 +03:00
Сухарик 6cb40f7b0b
nixos/tox-node: init 2019-04-15 09:27:27 +01:00
Sarah Brofeldt f839011719
Merge pull request #58512 from aanderse/solr
solr: init at 8.0.0
2019-04-14 11:16:28 +02:00
Danylo Hlynskyi eddb31be99
Merge pull request #55121 from Ma27/add-option-support-to-nixos-build-vms
nixos-build-vms: pass `--option` to `nix-build`
2019-04-14 02:57:57 +03:00
Matthew O'Gorman da035d3ad6
nixos/manual: update 17.03 -> 19.03 in upgrading section 2019-04-12 12:16:30 -04:00
Frederik Rietdijk 230c67f43b Merge master into staging-next 2019-04-11 07:50:23 +02:00
Aaron Andersen ee7565af9d solr: init at 8.0.0 2019-04-10 20:12:41 -04:00
Bas van Dijk cd4486ecc3 nixos/prometheus/alertmanager: use DynamicUser instead of nobody
See issue #55370
2019-04-10 20:38:40 +02:00
Linus Heckemann 4557373d68
Merge pull request #58858 from worldofpeace/pantheon/lightdm-gtk-greeter
nixos/pantheon: enable lightdm gtk greeter
2019-04-10 09:36:20 +02:00
aszlig f98b4b0fda
nixos: Fix build of manual
Commit 29d7d8f44d has introduced another
section with the ID "sec-release-19.09-incompatibilities", which
subsequently causes the build to fail.

I just merged both sections and the manual is now building again.

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-09 17:18:43 +02:00
Frederik Rietdijk d108b49168 Merge master into staging-next 2019-04-09 16:38:35 +02:00
Bas van Dijk 2f2e2971d6
Merge pull request #58255 from jbgi/prometheus2
Add Prometheus 2 service in parallel with 1.x version (continuation)
2019-04-09 14:14:18 +02:00
Bas van Dijk b423b73adc nixos/doc: add Prometheus stateDir handling to rl-1909.xml 2019-04-09 13:13:44 +02:00
Linus Heckemann 0ce382d868 rl-1903: pantheon notes phrasing/organisation 2019-04-08 16:22:58 -04:00
Bas van Dijk 29d7d8f44d nixos/doc: added the Prometheus changes to the 19.09 release notes 2019-04-08 19:39:22 +02:00
Jan Tojnar cb1a20499a
Merge branch 'master' into staging 2019-04-05 11:37:15 +02:00
tobias pflug 0e296d5fcd
Remove nodejs-6_x which is about to enter EOL
- Remove nodejs-6_x
- Set nodejs / nodejs-slim to nodejs-8_x / nodejs-slim-8_x
- Re-generate node2nix generated files using nodejs-8_x instead
2019-04-04 18:43:06 +01:00
Florian Klink 8313a5dcd3
Merge pull request #58588 from shazow/fix/vlc
vlc: Add chromecast support; libmicrodns: Init at 0.0.10
2019-04-01 17:16:42 +02:00
Andrey Petrov c37aa79639 vlc: add chromecastSupport option
Enables Chromecast support by default in VLC.

Fixes #58365.

Includes release note.
2019-04-01 09:44:56 -04:00
John Ericson 4ccb74011f Merge commit '18aa59b0f26fc707e7313f8467e67159e61600c2' from master into staging
There was one conflict in the NixOS manual; I checked that it still
built after resolving it.
2019-04-01 00:40:03 -04:00
worldofpeace 099cc0482b nixos/pantheon: enable lightdm gtk greeter
Pantheon's greeter has numerous issues that cannot be
fixed in a timely manner, and users are better off if they just
didn't use it by default.
2019-03-29 21:29:59 -04:00
aszlig dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Florian Klink 8817bbefdb nixos/ldap: set proper User= and Group= for nslcd service
eb90d97009 broke nslcd, as /run/nslcd was
created/chowned as root user, while nslcd wants to do parts as nslcd
user.

This commit changes the nslcd to run with the proper uid/gid from the
start (through User= and Group=), so the RuntimeDirectory has proper
permissions, too.

In some cases, secrets are baked into nslcd's config file during startup
(so we don't want to provide it from the store).

This config file is normally hard-wired to /etc/nslcd.conf, but we don't
want to use PermissionsStartOnly anymore (#56265), and activation
scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf,
which now gets provisioned inside ExecStartPre=.

This change requires the files referenced to in
users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be
readable by the nslcd user (in the non-nslcd case, this was already the
case for users.ldap.bind.passwordFile)

fixes #57783
2019-03-28 13:08:47 +01:00
aszlig ada3239253
nixos/release-notes: Add entry about confinement
First of all, the reason I added this to the "highlights" section is
that we want users to be aware of these options, because in the end we
really want to decrease the attack surface of NixOS services and this is
a step towards improving that situation.

The reason why I'm adding this to the changelog of the NixOS 19.03
release instead of 19.09 is that it makes backporting services that use
these options easier. Doing the backport of the confinement module after
the official release would mean that it's not part of the release
announcement and potentially could fall under the radar of most users.

These options and the whole module also do not change anything in
existing services or affect other modules, so they're purely optional.

Adding this "last minute" to the 19.03 release doesn't hurt and is
probably a good preparation for the next months where we hopefully
confine as much services as we can :-)

I also have asked @samueldr and @lheckemann, whether they're okay with
the inclusion in 19.03. While so far only @samueldr has accepted the
change, we can still move the changelog entry to the NixOS 19.09 release
notes in case @lheckemann rejects it.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 21:07:07 +01:00
Matthew Bauer 38c6c7c8a3
Merge pull request #57617 from aaronjanse/patch-20190313a
nixos/manual: clarify declarative packages section
2019-03-25 22:16:47 -04:00
Danylo Hlynskyi 40cc269561
Merge branch 'master' into postgresql-socket-in-run 2019-03-25 01:06:59 +02:00
Dmitry Kalinkin 6f95ac3588
Merge pull request #57988 from lopsided98/buildbot-update
buildbot: 1.8.1 -> 2.1.0
2019-03-23 20:38:20 -04:00
Frederik Rietdijk 23e431387b Merge staging-next into staging 2019-03-23 09:20:09 +01:00
Ben Wolsieffer b2e11e0cdf buildbot: 1.8.1 -> 2.1.0 2019-03-22 18:43:15 -04:00
Florian Klink 9aa57902cc
Merge pull request #57938 from flokli/network-manager-rename-changelog
network-manager: move para about service rename to 19.09 changelog
2019-03-22 19:18:47 +01:00
Vladimír Čunát 1ad3f34a99
nixos manual Makefile: improve purity
And be quiet when building/downloading the required tools.
2019-03-22 14:48:08 +01:00
Vladimír Čunát 4c3ec0e325
nixos docs: run the formatting tool (no content change)
As documented in the docs themselves :-)
2019-03-22 14:44:11 +01:00
Vladimír Čunát 11d204a9c4
nixos docs: improve GPU driver documentation
I'm not 100% sure about the incompatibility lines,
but I believe it's better to discourage these anyway.
If you find better information, feel free to amend...

The 32-bit thing is completely GPU-agnostic, so I can't see why we had
it separately for proprietary drivers and missing for the rest.
2019-03-22 14:31:17 +01:00
Wael M. Nasreddine 5af0780492
Merge remote-tracking branch 'origin/master' into staging
* origin/master: (693 commits)
  buildGoModule: use go_1_12 instead of go_1_11 (#58103)
  gitAndTools.lab: 0.15.2 -> 0.15.3 (#58091)
  signal-desktop: 1.22.0 -> 1.23.0
  added missing semicolon to documentation
  terminus_font_ttf: 4.46.0 -> 4.47.0
  buildGoModule: remove SSL env vars in favor of cacert in buildInputs (#58071)
  dav1d: init at 0.2.1
  dropbox-cli: 2018.11.28 -> 2019.02.14
  atlassian-confluence: 6.14.1 -> 6.14.2
  maintainers: update email for dywedir
  python.pkgs.hglib: use patch to specify hg path (#57926)
  chkrootkit: 0.52 -> 0.53
  radare2-cutter: 1.7.2 -> 1.8.0
  autorandr: 1.7 -> 1.8
  pythonPackages.pyhepmc: fix build
  llvm-polly/clang-polly: use latest llvm
  apulse: 0.1.11.1 -> 0.1.12, cleanup
  factorio: experimental 0.17.14 → 0.17.16 (#58000)
  sequeler: 0.6.7 -> 0.6.8
  nasc: 0.5.1 -> 0.5.2
  ...
2019-03-21 21:01:25 -07:00
Dmitry Moskowski 7e4ca152a4 added missing semicolon to documentation 2019-03-21 22:22:13 +00:00
Florian Klink a54e41a673 network-manager: move para about service rename to 19.09 changelog 2019-03-20 03:09:59 +01:00
Jörg Thalheim b488c60cdb network-manager: rename systemd service back to match upstream
Compatibility with other distributions/software and expectation
of users coming from other systems should have higher priority over consistency.
In particular this fixes #51375, where the NetworkManager-wait-online.service
broke as a result of this.
2019-03-19 23:48:08 +01:00
Léo Gaspard 59c5630f60
Merge branch 'pr-57699'
* pr-57699:
  nixos/matrix: add manual section about self-hosting a matrix client and server
2019-03-16 14:48:39 +01:00
Florian Jacob ef52869ef1 nixos/matrix: add manual section
about self-hosting a matrix client and server
2019-03-16 14:26:07 +01:00
aszlig 116bdc9f55
nixos/manual: Document PostgreSQL socket change
This is a backwards-incompatible change and while it won't probably
affect a whole lot of users, it makes sense to give them a heads-up
anyway.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-16 03:03:21 +01:00
Aaron Janse 0258cff887
nixos/manual: reword note in declarative packages section 2019-03-14 21:11:27 -07:00
Aaron Janse bd9b82dece
nixos/manual: fix typo 2019-03-14 02:17:31 +00:00
Aaron Janse f67eb111ac
nixos/manual: clarify declarative packages section 2019-03-13 18:40:00 -07:00
Aaron Janse 56dcc319cf
nixos/manual: document auto-login
fix #29526
2019-03-12 22:23:05 -07:00
Andreas Rammhold c55427ca43
nixos/doc: add types prefix to addCheck example
The function `addCheck` resides within the attrset `types`. We should be
explicit about this since otherwise people might be confused where it
does come from / why it doesn't work for them.
2019-03-11 22:56:56 +01:00
Graham Christensen 777e94d903
Merge pull request #55436 from layus/warn-manual-ids
Nixos manual: error out on missing IDs
2019-03-09 08:21:07 -05:00
Danylo Hlynskyi 60e8fcf0e5
module system: revert "remove types.optionSet", just deprecate (#56857)
The explicit remove helped to uncover some hidden uses of `optionSet`
in NixOps. However it makes life harder for end-users of NixOps - it will
be impossible to deploy 19.03 systems with old NixOps, but there is no
new release of NixOps with `optionSet` fixes.

Also, "deprecation" process isn't well defined. Even that `optionSet` was
declared "deprecated" for many years, it was never announced. Hence, I
leave "deprecation" announce. Then, 3 releases after announce,
we can announce removal of this feature.

This type has to be removed, not `throw`-ed in runtime, because it makes
some perfectly fine code to fail. For example:
```
$ nix-instantiate --eval -E '(import <nixpkgs/lib>).types' --strict
trace: `types.list` is deprecated; use `types.listOf` instead
error: types.optionSet is deprecated; use types.submodule instead
(use '--show-trace' to show detailed location information)
```
2019-03-07 21:28:09 +02:00
Michael Raskin 500d61560f Release notes: switch to modesetting: mention backlight problem 2019-03-07 13:38:19 +01:00
Danylo Hlynskyi ef1911d045 zram: revert "change default algorithm to zstd" (#56856)
19.03 default kernel is still 4.14, which doesn't support zstd. So,
zramSwap in current fasion fails on default kernel.
2019-03-07 02:11:20 +02:00
Jan Malakhovski ca496b194f nixos: doc: increase maxdepth for xsltproc
See https://github.com/NixOS/nixpkgs/issues/37903#issuecomment-376618117
for details. With the previous patch and some custom modules included in
`configuration.nix` the above bug is very easy to trigger.

This is a simplest workaround I have. A proper solution would look like
https://github.com/NixOS/nixpkgs/issues/37903#issuecomment-376980838.
2019-03-05 09:41:40 +00:00
Arian van Putten 2e75a7b516 nixos: doc: optionally include all modules in manual generation
Before this change `man 5 configuration.nix` would only show options of modules in
the `baseModules` set, which consists only of the list of modules in
`nixos/modules/module-list.nix`

With this change applied and `documentation.nixos.includeAllModules` option enabled
all modules included in `configuration.nix` file will be used instead.

This makes configurations with custom modules self-documenting. It also means
that importing non-`baseModules` modules like `gce.nix` or `azure.nix`
will make their documentation available in `man 5 configuration.nix`.

`documentation.nixos.includeAllModules` is currently set to `false` by
default as enabling it usually uncovers bugs and prevents evaluation.
It should be set to `true` in a release or two.

This was originally implemented in #47177, edited for more configurability,
documented and rebased onto master by @oxij.
2019-03-05 09:41:40 +00:00