3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

25245 commits

Author SHA1 Message Date
datafoo 1d3f0903a8 nixos/mosquitto: add package option 2022-01-19 15:59:53 +01:00
Maciej Krüger 8f086db04f
nixos/cinnamon: fix gnome alias deperaction 2022-01-19 15:33:57 +01:00
Robert Hensing f22ffbc14e
Merge pull request #155598 from hercules-ci/cleanup-nixos-test-lorri
nixos/tests/lorri: Remove redundant stdout redirect
2022-01-19 13:25:28 +01:00
Sandro 42cbcca501
Merge pull request #125474 from jojosch/dnsdist-1.6.0 2022-01-19 11:55:12 +01:00
Robert Hensing 54a62ae266 nixos/tests/lorri: Remove redundant stdout redirect
Introduced accidentally in https://github.com/NixOS/nixpkgs/pull/144679
2022-01-19 11:22:23 +01:00
Johannes Schleifenbaum 612ad7776a
nixos/dnsdist: add test 2022-01-19 08:24:02 +01:00
Jörg Thalheim 966ea2c020
Merge pull request #150360 from Enzime/fix-netboot-cmdline
netboot: Support cmdline variable from netboot.xyz
2022-01-19 06:53:04 +00:00
sternenseemann 48965506a1 lib/asserts: use throw to display message for assertMsg
`assert` has the annoying property that it dumps a lot of code at the
user without the built in capability to display a nicer message. We have
worked around this using `assertMsg` which would *additionally* display
a nice message. We can do even better: By using `throw` we can make
evaluation fail before assert draws its conclusions and prevent it from
displaying the code making up the assert condition, so we get the nicer
message of `throw` and the syntactical convenience of `assert`.

Before:

    nix-repl> python.override { reproducibleBuild = true; stripBytecode = false; }
    trace: Deterministic builds require stripping bytecode.
    error: assertion (((lib).assertMsg  (reproducibleBuild -> stripBytecode))  "Deterministic builds require stripping bytecode.") failed at /home/lukas/src/nix/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/default.nix:45:1

After:

    nix-repl> python.override { reproducibleBuild = true; stripBytecode = false; }
    error: Deterministic builds require stripping bytecode.
2022-01-19 00:50:06 +01:00
Robert Hensing ef6f8783ea nixos/doc/rl-2205.section.md: Hint to avoid merge conflicts 2022-01-18 23:40:28 +01:00
Nikolay Amiantov e5e160e08e
Merge pull request #155367 from talyz/keycloak-loadcredential
nixos/keycloak: Use LoadCredential to load secrets + module formatting
2022-01-19 00:47:58 +03:00
Sandro 5c4fa6964f
Merge pull request #138386 from Yarny0/tsm-client 2022-01-18 20:50:28 +01:00
bb2020 272fc86d2c nixos/mbpfan: convert to structural settings 2022-01-18 21:31:33 +03:00
bb2020 6f7bf7bc46 nixos/mbpfan: set aggressive default values 2022-01-18 21:26:52 +03:00
pennae 54fcd869d8
Merge pull request #155009 from domenkozar/cachix-agent
nixos: add cachix-agent service
2022-01-18 17:06:39 +00:00
Vladimír Čunát 24bb158cf0
Merge #143715: nixos/malloc: fix scudo on aarch64-linux 2022-01-18 17:39:33 +01:00
pennae 21115ea8f9
Merge pull request #155041 from tokudan/ssh-rename-optionCRA
openssh: Rename option, old option is deprecated upstream
2022-01-18 16:07:20 +00:00
Domen Kožar 91cc0cf63b
Update nixos/modules/services/system/cachix-agent/default.nix
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
2022-01-18 16:49:18 +01:00
talyz 07b64a2ad7
nixos/bookstack: Add option config to replace extraConfig
The `extraConfig` parameter only handles text - it doesn't support
arbitrary secrets and, with the way it's processed in the setup
script, it's very easy to accidentally unescape the echoed string and
run shell commands / feed garbage to bash.

To fix this, implement a new option, `config`, which instead takes a
typed attribute set, generates the `.env` file in nix and does
arbitrary secret replacement. This option is then used to provide the
configuration for all other options which change the `.env` file.
2022-01-18 15:16:23 +01:00
talyz a0b54a0626
nixos/bookstack: Simplify the nginx setup
Use the recommended defaults and remove unnecessary configuration.
2022-01-18 15:16:17 +01:00
talyz df607c1d1f
nixos/bookstack: Make the hostname configurable...
...and set a reasonable default `appURL` based on it.

This is pretty much required when configuring ACME, and useful in
general.
2022-01-18 15:16:11 +01:00
talyz e7fa7fdffc
nixos/bookstack: Clear the cache more reliably
When upgrading bookstack, if something in the cache conflicts with the
new installation, the artisan commands might fail. To solve this, make
the cache lifetime bound to the setup service. This also removes the
`cacheDir` option, since the path is now handled automatically by
systemd.
2022-01-18 15:16:04 +01:00
Franz Pletz 70630b4a19
Merge pull request #155299 from numinit/mattermost-6.3 2022-01-18 14:27:54 +01:00
Daniel Frank d851c11a9f
openssh: add release-notes entry for services.openssh.{challengeResponseAuthentication -> kbdInteractiveAuthentication} 2022-01-18 14:01:20 +01:00
Daniel Frank 11b2191b74
openssh: Update tests to use new option name 2022-01-18 13:58:33 +01:00
Daniel Frank 6d985ef174
openssh: Rename option, old option is deprecated upstream 2022-01-18 13:58:29 +01:00
pennae 363577461d
Merge pull request #153346 from Stunkymonkey/borg-persistent
nixos/borgbackup: Add a persistentTimer option.
2022-01-18 12:29:17 +00:00
Janne Heß 44cb0a4c67
Merge pull request #155443 from vs49688/sy
nixos/modules/syncthing: add 22000/udp to firewall
2022-01-18 13:27:06 +01:00
Franz Pletz 76aa0af628
Merge branch 'master' into mattermost-6.3 2022-01-18 13:23:38 +01:00
Felix Buehler 7caa6f4de4 nixos/borgbackup: move systemd.timers logic into single block 2022-01-18 12:53:36 +01:00
pennae 42d6774dc7
Merge pull request #155295 from InternetUnexplorer/nix-serve-open-firewall
nixos/nix-serve: add openFirewall option
2022-01-18 09:36:12 +00:00
Domen Kožar 42994be64b nixos: add cachix-agent service 2022-01-18 10:26:47 +01:00
Artturi 78ff70f529
Merge pull request #153762 from Artturin/ananicymod1 2022-01-18 10:49:13 +02:00
Zane van Iperen f533a6d2bd
nixos/modules/syncthing: add 22000/udp to firewall 2022-01-18 11:40:06 +10:00
piegames 71358dd070
Merge pull request #154659: nixos/heisenbridge: Improve hardening 2022-01-18 01:30:12 +01:00
InternetUnexplorer ecda6429f2 nixos/nix-serve: add openFirewall option 2022-01-17 15:14:02 -08:00
Bernardo Meurer eaf7be02b9
Merge pull request #150859 from helsinki-systems/feat/redo-restart-by-activation-script 2022-01-17 21:11:09 +00:00
Martin Weinelt e5b47c5c21
Merge pull request #155407 from pennae/mosquitto-startup 2022-01-17 21:29:37 +01:00
pennae dc101d9fef nixos/mosquitto: wait for network-online.target, not network.target
network.target is reached earlier, but with much fewer services
available. DNS is likely to be not functional before
network-online.target, so waiting for that seems better for that reason
alone. the existing backends for network-online.target all seem to do
reasonable things (wait until all links are in *some* stable state), so
we shouldn't lose anything from waiting.
2022-01-17 20:58:50 +01:00
legendofmiracles 59a07c683a
Merge pull request #154791 from CRTified/fix-154775-adguardhome-settings 2022-01-17 12:45:24 -06:00
Janne Heß 2cf157c781
nixos/switch-to-configuration: Rework activation script restarts
This removes `/run/nixos/activation-reload-list` (which we will need in
the future when reworking the reload logic) and makes
`/run/nixos/activation-restart-list` honor `restartIfChanged` and
`reloadIfChanged`. This way activation scripts don't have to bother with
choosing between reloading and restarting.
2022-01-17 17:57:23 +01:00
Felix Buehler 91dfaa5453 nixos/borgbackup: start remote backup only if network is available 2022-01-17 15:42:39 +01:00
blargg 697198834c nixos/borgbackup: Add a persistentTimer option.
Persistent starts the backup service on power on if it was missed while
the system was powered down, for example.
2022-01-17 15:42:37 +01:00
Spencer Janssen ed5883c1b6 zrepl: 0.4.0 -> 0.5.0 2022-01-17 15:35:45 +01:00
talyz 95430e31f5
nixos/keycloak: Reformat the code with nixpkgs-fmt 2022-01-17 12:47:53 +01:00
talyz 21b1de2bcd
nixos/keycloak: Inherit library functions and builtins
Instead of referencing all library functions through `lib.` and
builtins through `builtins.` at every invocation, inherit them into
the appropriate scope.
2022-01-17 12:42:30 +01:00
Yarny0 f6dca95c5d tsm-client: add test derivation and a module test
The tsm-client needs a tsm-server to do anything useful.
Without a server, automated tests can just
check diagnostic outputs for plausibility.

The commit at hand adds two tests:

1.
The command line interface `dsmc` is called,
then it is verified that the program does

* report the correct client version,
* find its configuration file,
* report a connection error.

2.
To check the GUI (and the tsm-client nixos module), we add a
vm test which uses the module to install `tsm-client-withGui`.
To verify that the GUI's basic functionality is present,
we skip over all connection failure related error
messages and open the "Connection Information"
dialog from the main application window.
This dialog presents the node name and the client version;
both are verified by the test.

Note: Our `tsm-client` build recipe consists of two packages:
The "unwrapped" package and the final package.
This commit puts the unwrapped one into the final
package's `passthru` so that tests can access
the original version string that is needed to check
the client version reported by the application.
2022-01-17 12:09:27 +01:00
Yarny0 c2192ed77a nixos/tsm-{client,backup}: use new type nonEmptyStr
The module option type `nonEmptyStr` was introduced in commit

a3c5f0cba8

The tsm modules previously simply used
`strMatching ".+"` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
2022-01-17 12:09:27 +01:00
Yarny0 c5effcaaea nixos/tsm-backup: enable most systemd sandboxing options
This enables some systemd sandboxing
options for the `tsm-backup.service`.
Those settings have been determined by expermentation.
This commit tries hard to protect the filesystem from
write access, but not to hide anything from read access,
so users can backup all files they choose to backup.
An exception are API filesystems (`/dev`, `/proc`, `/sys`):
As their "files" are not stored on persistent storage,
they are sandboxed away as much as possible.

Note that the service still has to run with root
privileges to reach files with limited access permissions.
The obvious alternative to use a dedicated user account and
the `CAP_DAC_READ_SEARCH` capability to permit system-wide
read access while blocking write access does not work.
Experiments have shown that `dsmc` verifies access permissions
for each file before attempting to open it for reading.
Hence `dsmc` refuses to copy files where the file permission
mode blocks read access -- even if process capabilities
would allow it to proceed irrespective of permissions.
2022-01-17 12:09:27 +01:00
Yarny0 3f6d1f5f60 nixos/tsm-{client,backup}: update links in module comments
IBM has changed the URL structures of their support web pages.
The commit at hand updates URLs in two comments
so they follow the new structure.
2022-01-17 12:09:27 +01:00
talyz 5010f4fff9
nixos/keycloak: Use LoadCredential to load secrets
Use systemd's LoadCredential mechanism to make the secret files
available to the service.

This gets rid of the privileged part of the ExecPreStart script which
only served to copy these files and assign the correct
permissions. There's been issues with this approach when used in
combination with DynamicUser, where sometimes the user isn't created
before the ExecPreStart script runs, causing the error

install: invalid user ‘keycloak’

This should fix that issue.

Unfortunately, all of the ExecPreStart script had to be moved to
ExecStart, since credentials aren't provided to ExecPreStart. See
https://github.com/systemd/systemd/issues/19604.
2022-01-17 11:46:51 +01:00