3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

21576 commits

Author SHA1 Message Date
Silvan Mosberger 37e2fbda39
Merge pull request #121449 from endgame/metadata-fetcher-umask
metadata fetchers: use umask instead of fetch-and-chmod
2021-05-04 03:39:38 +02:00
github-actions[bot] 98d7aac597
Merge staging-next into staging 2021-05-04 00:49:43 +00:00
Aaron Andersen aebebb5752
Merge pull request #119325 from ymarkus/bookstack
bookstack: 0.31.7 -> 21.04.3 + nixos/bookstack: use umask before echoing & clear cache before starting
2021-05-03 20:19:39 -04:00
WilliButz a2adfae036
Merge pull request #121599 from Ma27/knot-exporter-patch
prometheus-knot-exporter: add patch to fix stats
2021-05-04 01:02:28 +02:00
Andreas Rammhold 7cb7620008
Merge pull request #121587 from hercules-ci/nixos-test-inline-doc
testing-python.nix: document runTests pos argument
2021-05-03 22:48:10 +02:00
Andreas Rammhold 3ec6977d30
Merge pull request #89572 from rissson/nixos/unbound
nixos/unbound: add settings option, deprecate extraConfig
2021-05-03 21:49:24 +02:00
Luke Granger-Brown 62f675eff6
Merge pull request #121558 from sumnerevans/fix-airsonic-service
airsonic: force use of jre8
2021-05-03 20:43:00 +01:00
Luke Granger-Brown 4e98ae6418
Merge pull request #120548 from minijackson/jellyfin-enhanced-test
nixos/tests/jellyfin: enhanced test
2021-05-03 20:38:22 +01:00
Sumner Evans 1ce3067c42
airsonic: add test for module 2021-05-03 13:27:23 -06:00
Marc 'risson' Schmitt 52f6733203
nixos/unbound: deprecate extraConfig in favor of settings
Follow RFC 42 by having a settings option that is
then converted into an unbound configuration file
instead of having an extraConfig option.

Existing options have been renamed or kept if
possible.

An enableRemoteAccess has been added. It sets remote-control setting to
true in unbound.conf which in turn enables the new wrapping of
unbound-control to access the server locally.  Also includes options
'remoteAccessInterfaces' and 'remoteAccessPort' for remote access.

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2021-05-03 21:27:15 +02:00
Luke Granger-Brown 0f39652cee
Merge pull request #120800 from MetaDark/undistract-me
undistract-me: init at unstable-2020-08-09
2021-05-03 20:22:04 +01:00
Silvan Mosberger a221e6c330
Merge pull request #121172 from eyJhb/bind-list-to-attrs
nixos/bind: refactor zones from a list to attrset
2021-05-03 21:21:22 +02:00
Minijackson 2ab88a31fe
nixos/tests/jellyfin: enhanced test 2021-05-03 20:48:13 +02:00
github-actions[bot] 5e177b16b1
Merge staging-next into staging 2021-05-03 18:25:49 +00:00
Kira Bruneau a24d0ab51b modules/programs/bash: add support for undistract-me 2021-05-03 14:25:02 -04:00
Kira Bruneau 62a78fc361 modules/programs/bash: move prompt plugins into separate modules 2021-05-03 14:24:24 -04:00
Jean-Baptiste Giraudeau 62f241d445 nixos/oauth2_proxy_nginx: add nginx config only if oauth2_proxy is enabled. 2021-05-03 11:23:03 -07:00
Silvan Mosberger 0111666954
Merge pull request #109561 from mjlbach/init_matrix_dendrite
matrix-dendrite: init at 0.3.11
2021-05-03 20:16:27 +02:00
eyjhb 757a455dde
nixos/bind: refactor zones from a list to attrset
This commit uses coercedTo to make zones a attrset instead of list.
Makes it easier to access/change zones in multiple places.
2021-05-03 20:04:42 +02:00
Michael Lingelbach ff43bbe53e matrix-dendrite: add nixos module 2021-05-03 10:12:24 -07:00
Luke Granger-Brown 049850341e
Merge pull request #121540 from lukegb/postfix-compat
nixos/tests/rspamd: fix OOM flakyness
2021-05-03 17:36:46 +01:00
Luke Granger-Brown 4e06e6e005
Merge pull request #121541 from lukegb/git-test
nixos/tests/gitdaemon: deflake by using systemd-tmpfiles
2021-05-03 17:36:01 +01:00
Luke Granger-Brown 4f9fe889b8
Merge pull request #121548 from lukegb/bios-usb-better
nixos/tests/installer: fix for i686-linux
2021-05-03 17:35:24 +01:00
Martin Weinelt d23610ae65
Merge pull request #121209 from mweinelt/pinnwand 2021-05-03 18:24:45 +02:00
Florian Klink d4e149c8ff
Merge pull request #120048 from flokli/inotify-max-user-instances
nixos/xserver: set fs.inotify.max_user_instances too
2021-05-03 17:45:41 +02:00
Sumner Evans 6dde6bf3bf
airsonic: force use of jre8 2021-05-03 09:41:04 -06:00
Maximilian Bosch 75c5a703ab
prometheus-knot-exporter: add patch to fix stats
This is a patch I filed against upstream[1] a while ago. As it isn't
merged yet and fixes configurations with all stats enabled in knot
(otherwise it'd crash when sending a request to `localhost:9433`), I
decided that it makes sense to add it to the package directly.

I extended the test to make sure that it only passes with this patch.

[1] https://github.com/ghedo/knot_exporter/pull/6
2021-05-03 17:27:36 +02:00
Florian Klink 9071cb3001
Merge pull request #121416 from primeos/nixos-tests-replace-QEMU_OPTS
nixos/tests: Replace QEMU_OPTS usages with virtualisation.qemu.options
2021-05-03 17:23:49 +02:00
Luke Granger-Brown a0da004326
Merge pull request #121376 from urbas/amazon-init-shell-script-support
nixos/amazon-init: add user-data shell script support
2021-05-03 16:01:26 +01:00
Martin Weinelt b208338c36
nixos/tests/pinnwand: use wait_for_open_port instead of direct sockstat call 2021-05-03 16:52:06 +02:00
Martin Weinelt 7b2bc43dba
nixos/tests/pinnwand: add negative-test for the reaper
The reaper, at this point, should not delete a freshly created paste.
2021-05-03 16:52:05 +02:00
Martin Weinelt f1c32c2809
nixos/tests/pinnwand: show systemd-analyze security
Easy way to revisit the hardening setup of the systemd unit.
2021-05-03 16:52:05 +02:00
Martin Weinelt fda2ff4edc
nixos/pinnwand: add reaper systemd unit/timer
The reap function culls expired pastes outside of the process serving
the pastes. Previously the database could accumulate a large number of
pastes and while they were expired they would not be deleted unless
accessed from the frontend.
2021-05-03 16:52:05 +02:00
Yannick Markus 336f3607d4
nixos/bookstack: use umask before echoing & clear cache before starting 2021-05-03 16:27:38 +02:00
Silvan Mosberger 3e930b7e4a
Merge pull request #121294 from nh2/issue-121288-wireguard-fix-chmod-race
wireguard module: generatePrivateKeyFile: Fix chmod security race
2021-05-03 16:24:42 +02:00
ajs124 891a83d948 nixosTests.couchdb: clean up 2021-05-03 15:42:36 +02:00
ajs124 29bcaf04cb couchdb2: drop 2021-05-03 15:41:42 +02:00
Martin Weinelt ac4b47f823
nixos/pinnwand: improve settings behaviour
Individual settings would previously overwrite the whole config, but
now individual values can be overwritten.

Fix missing slash to make the database path an absolute path per
https://docs.sqlalchemy.org/en/14/core/engines.html#sqlite.

Drop preferred_lexers, it's not set to anything meaningful anyway.
2021-05-03 15:18:12 +02:00
Silvan Mosberger 1245d855b8
Merge pull request #119426 from onixie/master
nixos/kubernetes: allow merging multiple definitions of extraOpts
2021-05-03 14:32:00 +02:00
github-actions[bot] a4c3a2d732
Merge staging-next into staging 2021-05-03 12:26:48 +00:00
Robert Hensing 0cf3550c91
Merge pull request #121124 from hercules-ci/cassandra-tidy
cassandra: tidy
2021-05-03 13:41:41 +02:00
Robert Hensing 162b8fba12 testing-python.nix: document runTests pos argument 2021-05-03 13:33:41 +02:00
José Romildo Malaquias 8073df31a5
Merge pull request #121046 from romildo/fix.xfce
xfce: does not explicitly require a gvfs package
2021-05-03 08:14:56 -03:00
Robert Hensing b2f44e9aeb
Merge pull request #112504 from hercules-ci/fix-nixosTest-meta-position
nixosTest: fix meta.position
2021-05-03 11:50:57 +02:00
Luke Granger-Brown 2eddff5480
Merge pull request #120569 from abathur/yadm-3x-release-note
yadm: add release note for 3.x
2021-05-03 10:50:45 +01:00
Luke Granger-Brown 4b42da3d85
Merge pull request #120791 from mweinelt/babeld
babeld: 1.9.2 -> 1.10
2021-05-03 10:00:12 +01:00
Michele Guerini Rocco e5bbb1cf33
Merge pull request #121539 from lukegb/custom-ca-debug
nixos/tests/custom-ca: fix by setting Content-Type
2021-05-03 10:49:57 +02:00
Luke Granger-Brown d922cad4d6
Merge pull request #119172 from midchildan/package/trafficserver
nixos/trafficserver: init
2021-05-03 09:48:07 +01:00
rnhmjoj 9ea6c1979c
nixos/searx: set settings.yml permissions using umask
This should solve a leakage of secrets as suggested in #121293
2021-05-03 09:53:50 +02:00
Luke Granger-Brown b942e0f650 nixos/tests/installer: don't break under i686
Currently, the installer tests just hang after the initial install phase
on i686 because qemu just quits because of the gic parameter.

Fix this by doing x86 things for both x86-64 and i686.
2021-05-03 01:44:54 +00:00
github-actions[bot] afe3fd192f
Merge staging-next into staging 2021-05-03 00:53:51 +00:00
Martin Weinelt d67fc76603
Merge pull request #120536 from mweinelt/mosquitto 2021-05-03 00:41:21 +02:00
Martin Weinelt fb5b00d2eb
Merge pull request #120526 from mweinelt/home-assistant 2021-05-03 00:35:50 +02:00
Martin Weinelt f41349d30d
nixos/home-assistant: Restart systemd unit on restart service
Home-assistant through its `--runner` commandline flag supports sending
exit code 100 when the `homeassistant.restart` service is called.

With `RestartForceExitStatus` we can listen for that specific exit code
and restart the whole systemd unit, providing an actual clean restart
with fresh processes. Additional treat exit code 100 as a successful
termination.
2021-05-03 00:21:25 +02:00
Martin Weinelt 1dbb60f562
nixos/tests/home-assistant: update maintainership to home-assistant team 2021-05-03 00:21:25 +02:00
Martin Weinelt 8ab7fc1107
nixos/tests/home-assistant: test capability passing
Configures the emulated_hue component and expects CAP_NET_BIND_SERVICE
to be passed in order to be able to bind to 80/tcp.

Also print the systemd security analysis, so we can spot changes more
quickly.
2021-05-03 00:21:25 +02:00
Martin Weinelt 7d09d7f571
nixos/home-assistant: harden systemd service
This is what is still exposed, and it should still allow things to work
as usual.

✗ PrivateNetwork=                    Service has access to the host's …      0.5
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc…      0.3
✗ DeviceAllow=                       Service has a device ACL with som…      0.1
✗ IPAddressDeny=                     Service does not define an IP add…      0.2
✗ PrivateDevices=                    Service potentially has access to…      0.2
✗ PrivateUsers=                      Service has access to other users       0.2
✗ SystemCallFilter=~@resources       System call allow list defined fo…      0.2
✗ RootDirectory=/RootImage=          Service runs within the host's ro…      0.1
✗ SupplementaryGroups=               Service runs with supplementary g…      0.1
✗ RestrictAddressFamilies=~AF_UNIX   Service may allocate local sockets      0.1

→ Overall exposure level for home-assistant.service: 1.6 OK :-)

This can grow to as much as ~1.9 if you use one of the bluetooth or nmap
trackers or the emulated_hue component, all of which required elevated
permisssions.
2021-05-03 00:21:24 +02:00
Luke Granger-Brown f2a91ec2b7 nixos/tests/gitdaemon: deflake by using systemd-tmpfiles
git-daemon won't start up if its project directory (here /git) doesn't
exist. If we try to create it using the test harness, then we're racing
whether we manage to connect to the backdoor vs. the startup speed of
git-daemon.

Instead, use systemd-tmpfiles, which is guaranteed(?) to run before
network.target and thus before git-daemon.service starts.
2021-05-02 21:58:43 +00:00
Luke Granger-Brown a6fb22a689 nixos/tests/rspamd: increase memory
rspamd seems to be consuming more memory now sometimes, causing OOMs in
the test.

Increase the memory given to these VMs to make the tests pass more
reliably.
2021-05-02 21:50:17 +00:00
Luke Granger-Brown 649672e76e nixos/postfix: fix compatibility level
Postfix has started outputting an error on startup that it can't parse
the compatibility level 9999.

Instead, just set the compatibility level to be identical to the current
version, which seems to be the (new) intent for the compatibility level.
2021-05-02 21:49:33 +00:00
Luke Granger-Brown da000ae239 nixos/tests/custom-ca: fix by setting Content-Type
This test was failing because Firefox was displaying a download prompt
rather than the page content, presumably because mumble mumble
content-type sniffing.

By explicitly setting a content-type, the test now passes.
2021-05-02 21:38:56 +00:00
Martin Weinelt d942d4473d neovim, neovimUtils, neovim-qt: drop python2 support
In 2a00e53bd pynvim support for python2 was disabled, this broke the
neovim build. I really think it is time to let go of python2 support in
neovim.
2021-05-02 22:43:53 +02:00
José Romildo Malaquias a611906544 xfce: add release note about dropping lighter gvfs package 2021-05-02 14:26:52 -03:00
github-actions[bot] e6037ce5fe
Merge staging-next into staging 2021-05-02 00:58:46 +00:00
Samuel Dionne-Riel cb5c4fcd3c iso-image: Hide rEFInd from menu in known non-working situations
Looks like GRUB has issues loading EFI binaries from (cd0), which is
what would be used in e.g. qemu with OVMF with `-cdrom`. Apparently also
what is used with AArch64 + U-Boot USB.
2021-05-01 19:53:14 -04:00
Samuel Dionne-Riel 9413da26fd iso-image: Provide the right rEFInd binary 2021-05-01 19:53:14 -04:00
Samuel Dionne-Riel 189507a35d iso-image: Make graphical output work properly on AArch64
The serial output (but it's named console, not serial actually) causes
issues on U-Boot's EFI, at the very least.

This is inspired by OpenSUSE's approach:

 * https://build.opensuse.org/package/view_file/Base:System/grub2/grub2-SUSE-Add-the-t-hotkey.patch

Where they add a hidden menu entry, which can be used to force the
console output.

The `echo` will be visible on the serial terminal (grub "console"),
while the graphical interface is shown. Note that input in the serial
terminal (grub "console") will continue controlling the graphical
interface. Useful if you have an SBC connectedinto an HDMI monitor, but
no keyboard connected to it.
2021-05-01 19:53:13 -04:00
Samuel Dionne-Riel 20d0824b15 iso-image: Fix grub file load location
With U-Boot UEFI, (hd0) is not the USB drive, it is (cd0).

Though, it turns out we never needed to prefix the path!
2021-05-01 19:48:57 -04:00
Jack Kelly 5ea55e4ed0 metadata fetchers: use umask instead of fetch-and-chmod 2021-05-02 08:28:59 +10:00
Maximilian Bosch 040f0acccd
Merge pull request #121299 from Ma27/gitea-umask
nixos/gitea: set umask for secret creation
2021-05-02 00:06:20 +02:00
José Romildo Malaquias 472f5a976d xfce: does not explicitly require a gvfs package
- In order to use GIO/GVFS it is enough to enable the gvfs service.

- The module option services.gvfs.package can be used to choose a
  variation of the gvfs package, if desired.
2021-05-01 18:21:57 -03:00
github-actions[bot] 49721bed32
Merge staging-next into staging 2021-05-01 18:26:21 +00:00
Michael Weiss c6325c8325
nixos/tests: Replace QEMU_OPTS usages with virtualisation.qemu.options
See [0]: "QEMU_OPTS is something that should be set by people running VM
tests interactively, to do port forwardings etc.
We really should not poke with it from the test script - that's what
virtualisation.qemu.options is for."

[0]: https://github.com/NixOS/nixpkgs/pull/119615#discussion_r624145020

Co-authored-by: Florian Klink <flokli@flokli.de>
2021-05-01 20:20:29 +02:00
Luke Granger-Brown 152fa5414c
Merge pull request #120209 from considerate/considerate/multiple-tags-buildkite-agents
services.buildkite-agents: support multi-tags
2021-05-01 19:07:56 +01:00
Martin Weinelt a2d1d16af8
nixos/mosquitto: Migrate away from bind_address/port config keys
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.

> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.

Fixes: #120860
2021-05-01 19:46:48 +02:00
Martin Weinelt 33e867620e
nixos/mosquitto: harden systemd unit
It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
2021-05-01 19:46:48 +02:00
Jan Tojnar 1733bade1a
Merge pull request #121226 from zhaofengli/librem-take2
phosh: init at 0.10.2
2021-05-01 18:41:50 +02:00
Luke Granger-Brown be598f3980
Merge pull request #120541 from pennae/fail2ban
nixos/fail2ban: add maxretry/extraPackages options
2021-05-01 15:09:24 +01:00
Bjørn Forsman 5d47dc750f nixos/wpa_supplicant: prefer 'install' over 'touch/chmod/mkdir/chgrp'
Ref #121293.
2021-05-01 15:34:04 +02:00
Bjørn Forsman 225d915e5c nixos/atd: prefer 'install' over 'mkdir/chmod/chown'
I don't think there was a security issue here, but using 'install' is
preferred.

Ref #121293.
2021-05-01 15:16:19 +02:00
Sandro ac72d9acfe
Merge pull request #91955 from c00w/expand
sd-image: Add option to control sd image expansion on boot.
2021-05-01 14:52:07 +02:00
Luke Granger-Brown d76b075e3c
Merge pull request #121246 from thblt/master
nixos/pcscd: ensure polkit rules are loaded (fix #121121)
2021-05-01 13:30:45 +01:00
Zhaofeng Li 31a32eeed3 nixos/phosh: init
Co-authored-by: Blaž Hrastnik <blaz@mxxn.io>
Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
Co-authored-by: Jordi Masip <jordi@masip.cat>
2021-05-01 06:55:02 +00:00
Zhaofeng Li 3086335f04 nixos/feedbackd: init 2021-05-01 06:52:35 +00:00
github-actions[bot] 5c9b6baa63
Merge staging-next into staging 2021-05-01 06:21:43 +00:00
lewo 85aef7706e
Merge pull request #120620 from mweinelt/empty-capability-bounding-sets
nixos/{opendkim,rspamd}: Fix CapabilityBoundingSet option
2021-05-01 08:17:19 +02:00
Luke Granger-Brown c58f60b41b
Merge pull request #121352 from lukegb/debug-hydra
amazonImage: make statically sized again
2021-05-01 04:06:34 +01:00
Luke Granger-Brown 733d682cc3 nixos/release: add amazonImageAutomaticSize
This allows us to continue to have the automatically sized image attempt
to build on Hydra, which should give us a good indication of when we've
got this fixed.
2021-05-01 02:43:45 +00:00
Luke Granger-Brown 87c3b7e767 amazonImage: make statically sized again
For reasons we haven't been able to work out, the aarch64 EC2 image now
regularly exceeds the output image size on hydra.nixos.org. As a
workaround, set this back to being statically sized again.

The other images do seem to build - it's just a case of the EC2 image
now being too large (occasionally non-determinstically).
2021-05-01 02:19:42 +00:00
Colin L Rice bef4bda8dd sd-image: Add option to control sd image expansion on boot.
This is supeer useful to allow the normal sd-image code to be used by
someone who wants to setup multiple partitions with a sd-image.

Currently I'm manually copying the sd-image file and modifying it
instead.
2021-04-30 22:12:07 -04:00
github-actions[bot] ef6416a6ba
Merge staging-next into staging 2021-05-01 00:54:32 +00:00
Martin Weinelt 326f86d8cd
Merge pull request #121222 from mweinelt/nginx
nixos/nginx: update hardening settings
2021-05-01 00:36:16 +02:00
Markus Kowalewski d07185f986
nixos/slurm: fix creation of slurmdbd config file
replace cp/chmod by install to avoid security issues.
See https://github.com/NixOS/nixpkgs/issues/121293
2021-05-01 00:15:55 +02:00
Martin Weinelt efb30a191e
Merge pull request #120529 from mweinelt/zigbee2mqtt 2021-04-30 21:59:22 +02:00
Maximilian Bosch 02c3bd2187
nixos/gitea: set umask for secret creation
This ensures that newly created secrets will have the permissions
`0640`. With this change it's ensured that no sensitive information will
be word-readable at any time.

Related to #121293.

Strictly speaking this is a breaking change since each new directory
(including data-files) aren't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.
2021-04-30 21:39:11 +02:00
Florian Klink 44a0debca7
Merge pull request #121021 from pennae/container-sigterm
nixos/nix-containers: use SIGTERM to stop containers
2021-04-30 21:35:16 +02:00
lunik1 248a57d61a
nixos/adguardhome: init (#120568) 2021-04-30 20:55:31 +02:00
Martin Weinelt 62de527dc3
nixos/zigbee2mqtt: start maintaing the module 2021-04-30 20:40:04 +02:00
Martin Weinelt 2b61d9ea01
nixos/zigbee2mqtt: create migration path from config to settings 2021-04-30 20:39:21 +02:00
github-actions[bot] 20ebbe6b59
Merge staging-next into staging 2021-04-30 18:26:34 +00:00
Martin Weinelt f1e7183f69
nixos/tests/zigbee2mqtt: relax DevicePolicy and log systemd-analye security 2021-04-30 19:42:26 +02:00
Martin Weinelt a691549f7e
nixos/zigbee2mqtt: harden systemd unit
This is what is still exposed, and it allows me to control my lamps from
within home-assistant.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                  0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                              0.1
✗ MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                              0.1

→ Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
2021-04-30 19:42:26 +02:00
Martin Weinelt e0f1e1f7bf
nixos/zigbee2mqtt: convert to rfc42 style settings 2021-04-30 19:42:26 +02:00
Niklas Hambüchen a874a8a98b release notes: Mention wireguard generatePrivateKeyFile permission changes 2021-04-30 19:28:04 +02:00
Niklas Hambüchen 0dc08b4138 wireguard module: generatePrivateKeyFile: Fix chmod security race. Fixes #121288
Until now, the `touch + chmod 600 + write` approach made it possible for
an unprivileged local user read the private key file, by opening
the file after the touch, before the read permissions are restricted.

This was only the case if `generatePrivateKeyFile = true` and the parent
directory of `privateKeyFile` already existed and was readable.

This commit fixes it by using `umask`, which ensures kernel-side that
the `touch` creates the file with the correct permissions atomically.

This commit also:

* Removes `mkdir --mode 0644 -p "${dirOf values.privateKeyFile}"`
  because setting permissions `drw-r--r--` ("nobody can enter that dir")
  is awkward. `drwx------` would perhaps make sense, like for `.ssh`.
  However, setting the permissions on the private key file is enough,
  and likely better, because `privateKeyFile` is about that file
  specifically and no docs suggest that there's something special
  about its parent dir.
* Removes the `chmod 0400 "${values.privateKeyFile}"`
  because there isn't really a point in removing write access from
  the owner of the private key.
2021-04-30 18:55:38 +02:00
Martin Weinelt 506bc7ba02
nixos/nginx: update hardening settings
- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
  no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
  filesystem and `ProcSubSet` hides all files/directories unrelated to
  the process management of the units process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
  know of.
- Restricts the creation of arbitrary namespaces
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
  @obsolete and others.

And finally applies some sorting based on the order these options appear
in systemd.exec(5).
2021-04-30 18:49:43 +02:00
Travis A. Everett 5fb284dda6 yadm: add release note for 3.x 2021-04-30 11:07:35 -05:00
Kim Lindberger fdd6ca8fce
Merge pull request #118898 from talyz/gitlab-memory-bloat
nixos/gitlab: Add options to tame GitLab's memory usage somewhat
2021-04-30 16:58:30 +02:00
Michael Weiss 28b8cff301
nixos/tests/cage: Fix the test with wlroots 0.13
See #119615 for more details. The aarch64-linux test failed with
"qemu-system-aarch64: Virtio VGA not available" so I've restricted the
test to x86_64-linux (the virtio paravirtualized 3D graphics driver is
likely only available on very few platforms).
2021-04-30 15:57:04 +02:00
pennae 317a2c9f26 nixos/nix-containers: add tests for early/no-machined container stop 2021-04-30 15:43:27 +02:00
github-actions[bot] d7882499f8
Merge staging-next into staging 2021-04-30 12:26:14 +00:00
Sandro a73342b7ce
Merge pull request #120637 from andreisergiu98/ombi-update 2021-04-30 12:57:15 +02:00
Thibault Polge 71d9291742
nixos/pcscd: Correctly install pcsclite (fix #121121)
This makes sure that the polkit policies for pcsclite are correcly loaded.
2021-04-30 10:33:03 +02:00
github-actions[bot] c6548b2832
Merge staging-next into staging 2021-04-30 06:21:40 +00:00
Peter Hoeg 82c31a83b8 nixos/module: example referenced old ffmpeg 2021-04-30 09:43:18 +08:00
github-actions[bot] b4766e97ee
Merge staging-next into staging 2021-04-30 00:52:06 +00:00
Sandro Jäckel ae02415ee8
treewide: remove gnidorah
due to github account removal/deletion and not other mean of contact.
2021-04-30 01:48:19 +02:00
Michael Weiss af99194379
nixos/tests/cage: Increase the xterm font size to fix the test
The result still looks far from ideal but at least it gets recognized
now. "-fa Monospace" is required to switch to a font from the FreeType
library so that "-fs 24" works.

Note: Using linuxPackages_latest is not required anymore.
2021-04-29 21:08:10 +02:00
github-actions[bot] 3ad64733d9
Merge staging-next into staging 2021-04-29 18:28:08 +00:00
Lassulus addfd88117
Merge pull request #117072 from em0lar/keycloak-module-dbuser
nixos/keycloak: use db username in db init scripts
2021-04-29 20:15:19 +02:00
Leo Maroni d9e18f4e7f
nixos/keycloak: use db username in db init scripts 2021-04-29 19:36:29 +02:00
Kim Lindberger abecdfea73
Merge pull request #120833 from talyz/pipewire-0.3.26
pipewire: 0.3.25 -> 0.3.26
2021-04-29 18:46:35 +02:00
Florian Klink 7f9a5ad257
cage: drop maintainership (#121174)
I cannot currently maintain this, as I don't have access to the hardware
running it anymore.
2021-04-29 18:07:13 +02:00
github-actions[bot] 54e69b71cd
Merge staging-next into staging 2021-04-29 12:26:05 +00:00
WilliButz 674cea17a7
Merge pull request #120492 from SuperSandro2000/prometheus-unbound-exporter
Prometheus unbound exporter
2021-04-29 10:54:22 +02:00
Vladimír Čunát 5b0871bd97
Merge #120493: nixos/kresd: allow package to be configured 2021-04-29 10:41:12 +02:00
Andrei Pampu e88bf5f13b
nixos/ombi: set ombi as system user 2021-04-29 10:52:02 +03:00
Robert Hensing 58117bc220 nixos/cassandra: extraUsers -> users 2021-04-29 08:51:40 +02:00
Robert Hensing 472d3b710d nixos/cassandra: add myself as maintainer 2021-04-29 08:46:51 +02:00
Robert Hensing 6ad6271d82 nixos/cassandra: remove unnecessary literalExample calls 2021-04-29 08:43:58 +02:00
Robert Hensing 726669ace8 cassandra: use Nix scope checking 2021-04-29 08:40:12 +02:00
Robert Hensing 19ba3d97d2 cassandra: format 2021-04-29 08:40:12 +02:00
github-actions[bot] 01105a117a
Merge staging-next into staging 2021-04-29 06:21:55 +00:00
Sandro Jäckel d3fe53a8a6
nixos/tests/prometheus-exporters: nixpkgs-fmt 2021-04-29 06:19:31 +02:00
Sandro Jäckel da858b16b8
nixos/tests/prometheus-exporters: add unbound test
Author: WilliButz <willibutz@posteo.de>
2021-04-29 06:19:30 +02:00
Sandro Jäckel ba13dc0652
nixos/prometheus: add unbound exporter 2021-04-29 06:19:29 +02:00
Peter Hoeg 6d23cfd56b nixos/pcscd: fix #121088 2021-04-29 10:10:18 +08:00
Peter Hoeg ce93de4f62 nixos/hyperv: bail gracefully if device is missing 2021-04-29 09:37:17 +08:00
Jan Tojnar 76c3a6aafd
Merge branch 'staging-next' into staging 2021-04-29 02:35:54 +02:00
Luke Granger-Brown f64e68e09b
Merge pull request #120071 from johanot/ceph-16
ceph: 15.2.10 -> 16.2.1
2021-04-29 00:03:45 +01:00
Alyssa Ross a8afbb45c1 treewide: use lib.warnIf where appropriate 2021-04-28 21:44:21 +00:00
Martin Weinelt de5a69c918
nixos/promtail: Set TimeoutStopSec=10
On reboots and shutdowns promtail blocks for at least 90 seconds,
because it would still try to deliver log messages for loki, which isn't
possible when the network has already gone down.

Upstreams example unit also uses a ten seconds timeout, something which
has worked pretty well for me as well.
2021-04-28 21:02:11 +02:00
pennae 82931ea446 nixos/nix-containers: use SIGTERM to stop containers
systemd-nspawn can react to SIGTERM and send a shutdown signal to the container
init process. use that instead of going through dbus and machined to request
nspawn sending the signal, since during host shutdown machined or dbus may have
gone away by the point a container unit is stopped.

to solve the issue that a container that is still starting cannot be stopped
cleanly we must also handle this signal in containerInit/stage-2.
2021-04-28 14:07:35 +02:00
github-actions[bot] 70093bbd44
Merge staging-next into staging 2021-04-28 06:05:49 +00:00
John Ericson 74f3ae80dc
Merge pull request #120439 from wamserma/arg-usage-release-nix
nixos: use supportedSystems instead of hardcoded list for netboot
2021-04-28 00:11:22 -04:00
Aaron Andersen 45eb9c21ee
Merge pull request #119672 from chessai/init-duckling-service
init duckling service
2021-04-27 20:58:28 -04:00
github-actions[bot] 655989d7b3
Merge staging-next into staging 2021-04-28 00:15:29 +00:00
Samuel Dionne-Riel 1f4dedfa64
Merge pull request #120667 from samueldr/fix/grub1-test
nixosTests.installer: Fix grub1 test being unreliable
2021-04-27 19:32:13 -04:00
Izorkin 8723d226b4 nixos/mastodon: update SystemCallFilters 2021-04-28 00:44:25 +02:00
Vladimír Čunát a4749b11d4
nixos/kresd.package: improve the generated docs 2021-04-27 21:38:30 +02:00
github-actions[bot] 97889a52e1
Merge staging-next into staging 2021-04-27 18:14:28 +00:00
chessai e47e2a1b9f init duckling service 2021-04-27 10:41:07 -07:00
talyz 1215bd4ea9
Revert "nixos/tests/gitlab: add 32 byte secrets"
This reverts commit d6e0d38b84.

We need shorter secrets to continue working, since the earlier
recommendation was too short and there's no way to rotate the them.
2021-04-27 18:08:59 +02:00
talyz 7a67a2d1a8
gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-04-27 17:49:43 +02:00
talyz fb86d324d1
pipewire: Add update script 2021-04-27 16:50:22 +02:00
Linus Heckemann 4c4ac4bb20 nixos/network: allow configuring tempaddr for undeclared interfaces 2021-04-27 16:43:30 +02:00
ajs124 39a51c9923
Merge pull request #118338 from Izorkin/update-nginx-zlib-ng
nginx: update to 1.20.0, replace zlib to zlib-ng
2021-04-27 16:36:25 +02:00
Martin Weinelt 4e66e9aea5
nixos/babeld: start maintaining the module 2021-04-27 14:12:07 +02:00
talyz 6edd102013
pipewire: Fix tests 2021-04-27 12:41:35 +02:00
talyz 24320ba1dd
pipewire: 0.3.25 -> 0.3.26 2021-04-27 12:41:30 +02:00
github-actions[bot] f0290a5d27
Merge staging-next into staging 2021-04-26 18:14:28 +00:00
Luke Granger-Brown 825a9ad1f9
Merge pull request #120286 from lukegb/hibernate-install
nixos/tests/hibernate: install a system instead
2021-04-26 18:00:41 +01:00
Robert Schütz e22d76fe34
Merge pull request #120520 from minijackson/jellyfin-remove-10.5
jellyfin_10_5: remove unmaintained version
2021-04-26 17:16:43 +02:00
midchildan 5bfb427b15
nixos/tests/trafficserver: init 2021-04-27 00:02:19 +09:00
midchildan 28e608f84b
nixos/trafficserver: init 2021-04-27 00:02:16 +09:00
Minijackson 2ad8aa72ae
jellyfin_10_5: remove unmaintained version
This version contains a vulnerability[1], and isn't maintained. The
original reason to have two jellyfin versions was to allow end-users to
backup the database before the layout was upgraded, but these backups
should be done periodically.

[1]: <https://nvd.nist.gov/vuln/detail/CVE-2021-21402>
2021-04-26 14:11:29 +02:00
github-actions[bot] e30742adc3
Merge staging-next into staging 2021-04-26 12:06:35 +00:00
Lassulus ee04d772e4
Merge pull request #120489 from samueldr/fix/make-disk-image-auto-size
Fix make disk image automatic size
2021-04-26 10:34:15 +02:00
Lassulus cdddbf59ea
Merge pull request #120251 from mschwaig/fix-make-disk-image-for-efi-2
make-disk-image: fix broken EFI image builds
2021-04-26 10:04:00 +02:00
github-actions[bot] 8634c6f7d1
Merge staging-next into staging 2021-04-26 00:17:03 +00:00
Samuel Dionne-Riel 7d112134de nixosTests.installer: Fix grub1 test being unreliable
The kernel sometimes assigns `/dev/sdb` to the 8GiB disk. This, in turn,
means the test will fail because we're targeting the wrong disk.

```
machine # [    0.000000] sd 2:0:0:0: [sda] 16777216 512-byte logical blocks: (8.59 GB/8.00 GiB)
machine # [    0.000000] sd 3:0:0:0: [sdb] 1048576 512-byte logical blocks: (537 MB/512 MiB)
```

```
machine # [    0.000000] sd 2:0:0:0: [sdb] 16777216 512-byte logical blocks: (8.59 GB/8.00 GiB)
machine # [    0.000000] sd 3:0:0:0: [sda] 1048576 512-byte logical blocks: (537 MB/512 MiB)
```

Note how the "sd x:0:0:0:` ID is stable. That is because QEMU **is**
told to give specific identifiers to the disks. So using the
dev/disk/by-id/ identifiers is stable.

* * *

Tested by forcing the sda/sdb swap this way:

    diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
    index 24c55081f9a..2eee224351b 100644
    --- a/nixos/tests/installer.nix
    +++ b/nixos/tests/installer.nix
    @@ -702,12 +702,19 @@ in {
               + " mkpart primary linux-swap 1M 1024M"
               + " mkpart primary ext2 1024M -1s",
               "udevadm settle",
    +      )
    +      print(machine.succeed("find /dev/disk/ '!' -type d -printf '%p → %l\n' | sort"))
    +      machine.succeed(
               "mkswap ${grubDevice}-part1 -L swap",
               "swapon -L swap",
               "mkfs.ext3 -L nixos ${grubDevice}-part2",
               "mount LABEL=nixos /mnt",
               "mkdir -p /mnt/tmp",
           )
    +      machine.succeed("echo success")
    +      machine.succeed(
    +          'if [[ "$(find ${grubDevice} -printf \'%l\')" != "../../sdb" ]]; then exit 22; else true; fi'
    +      )
         '';
         grubVersion = 1;
         # /dev/sda is not stable, even when the SCSI disk number is.

And ran this way:

     $ until (clear; tmux clear ; time env -i nix-build nixos/release-combined.nix -A nixos.tests.installer.grub1.x86_64-linux); do echo derp; done
2021-04-25 19:59:29 -04:00
Martin Schwaighofer f20ae954d5 make-disk-image: fix broken EFI image builds
Work around missing /dev files inside runInLinuxVM by creating a
symlink before calling nixos-enter.

This fixes https://github.com/NixOS/nixpkgs/issues/93381.
I ran into this issue when trying to create a VMware image that boots from EFI.

Thanks @colemickens for reporting this and @danielfullmer for fixing the same thing in in qemu-vm.nix (37676e77cb) and explaining what the issue was.
2021-04-26 01:12:10 +02:00
Samuel Dionne-Riel 7b8b3fab6d make-disk-image: Round image size to the next mebibyte
This ensures the following gptfdisk warning won't happen:

```
Warning: File size is not a multiple of 512 bytes! Misbehavior is likely!
```

Additionally, helps towards aligning the partition to be more optimal
for the underlying storage.

It is actually impossible to align for the actual underlying storage
optimally because we don't know what the block device will be!

But aligning on 1MiB should help.
2021-04-25 15:24:45 -04:00
Michele Guerini Rocco e035c1b417
Merge pull request #119952 from attila-lendvai/extraLayouts
nixos/doc/manual: refine extraLayouts, add warnings an test commands
2021-04-25 21:06:49 +02:00
Martin Weinelt 6f358fa1d4
nixos/rspamd: Fix CapabilityBoundingSet option
An empty list results in no CapabilityBoundingSet at all, an empty
string however will set `CapabilityBoundingSet=`, which represents a
closed set.

Related: #120617
2021-04-25 20:26:22 +02:00
Martin Weinelt 3a9609613d
nixos/opendkim: Fix CapabilityBoundingSet option
An empty list results in no CapabilityBoundingSet at all, an empty
string however will set `CapabilityBoundingSet=`, which represents a
closed set.

Related: #120617
2021-04-25 20:24:39 +02:00
github-actions[bot] 9a945aac72
Merge staging-next into staging 2021-04-25 18:14:18 +00:00
Luke Granger-Brown ed83f6455c
Merge pull request #119443 from ambroisie/add-podgrab
Add podgrab package and module
2021-04-25 14:12:40 +01:00
github-actions[bot] 1626c4772a
Merge staging-next into staging 2021-04-25 12:06:12 +00:00
Frederik Rietdijk c648f7ee2a Merge master into staging-next 2021-04-25 13:54:29 +02:00
Luke Granger-Brown 0cc25061b0
Merge pull request #114240 from sorki/containers/nested
nixos/nixos-containers: default boot.enableContainers to true
2021-04-25 11:37:01 +01:00
Luke Granger-Brown 2136e90fa3
Merge pull request #114637 from KaiHa/pr/fix-systemd-boot-builder
systemd-boot-builder.py: ignore profile names with invalid chars
2021-04-25 11:35:00 +01:00
Luke Granger-Brown 30ab5fb006
Merge pull request #107604 from pkern/exim
nixos/exim: Make queue runner interval configurable and reduce it to 5m by default
2021-04-25 11:15:17 +01:00
Luke Granger-Brown 2fa2e63932
Merge pull request #103902 from pkern/spamassassin
nixos/spamassassin: Avoid network dependency on boot
2021-04-25 11:14:57 +01:00
Jan Tojnar c1f851b2ee
Merge branch 'staging-next' into staging 2021-04-25 08:22:13 +02:00
Jörg Thalheim 6e90599166
Merge pull request #120508 from Mic92/nixos-install
nixos-install: fix flake command
2021-04-25 07:17:06 +01:00
github-actions[bot] a956f62ea4
Merge master into staging-next 2021-04-25 06:05:34 +00:00
Jan Tojnar 0f1c4558d3
Merge branch 'master' into staging-next
Choose binwalk 2.3.1, 27 is legacy version for Python 2.
2021-04-25 02:50:48 +02:00
Martin Weinelt ceb26b53d8 nixos/tests/babeld: drop forwarding sysctls
They are now set as part of the babeld module.
2021-04-25 00:55:05 +02:00
Martin Weinelt e8988f7a30 nixos/babeld: run as DynamicUser
The last bits to prevent babeld from running unprivileged was its
kernel_setup_interface routine, that wants to set per interface
rp_filter. This behaviour has been disabled in a patch that has been
submitted upstream at https://github.com/jech/babeld/pull/68 and reuses
the skip-kernel-setup config option.

→ Overall exposure level for babeld.service: 1.7 OK 🙂
2021-04-25 00:54:52 +02:00
Lassulus ea5759474a
Merge pull request #119803 from SuperSandro2000/SuperSandro2000-patch-1
nixos/nginx: set isSystemUser
2021-04-24 22:37:46 +02:00
Maximilian Bosch 7b2982e22e
Merge pull request #119498 from mweinelt/tests-bird
nixos/test/prometheus-exporters/bird: fix race condition
2021-04-24 21:13:09 +02:00
lassulus 5aa4273e4f treewide: use auto diskSize for make-disk-image
(cherry picked from commit f3aa040bcb)
2021-04-24 14:49:07 -04:00
Samuel Dionne-Riel ba666011a6 make-disk-image: Account for reserved disk space
This is a bit of a thorny issue. See, the actual `diskSize` variable is
for the *total* disk size, not for the filesystem!

The automatic numbers are meant to compute the *filesystem* required
space. So we have to add any other reserved space!

We have different requirements for reserved space. E.g. there could be
none (when it's actually a filesystem image). There could also be 1MiB
for alignment for an MBR image, legacy+gpt needs 2MiB, then GPT with an
ESP ("bootSize") needs to take the boot partition and GPT size into
account too!

Though luckily(?) for this latter situation we can cheat! As noted in the
change, `bootSize` is NOT the boot partition size. It is actually the
offset where the target filesystem starts.
2021-04-24 14:49:05 -04:00
Samuel Dionne-Riel 9b18a78c73 make-disk-image: Account for the ext4 reserved space
Reserved space includes:

 - inodes space in use (2 blocks per)
 - about 5.2% of the space

The 5.2% reserved space was computed empirically when working on a
previous EXT4 image builder. It seems to stabilize around 5% even for
much larger filesystems.
2021-04-24 14:49:04 -04:00
Samuel Dionne-Riel 05c13a03e2 make-disk-image: Get proper size for automatic size
On some filesystems, `du` without `--apparent-size` will not give the
actual size for a file. Using `--apparent-size` will give us the actual
file size.

Though, this is not actually correct still. 1000 × 1 bytes is not 1000
bytes. It is 1000 × ceil(filesize/blockSize)*blockSize.

So instead of adding up the actual file sizes. We are adding up the
block sizes.

Note that this also changes the builder to work with *bytes*, rather
than with any other units. Doing maths on bytes is less likely to go
awry than doing it on other units.
2021-04-24 14:49:04 -04:00
Guillaume Girol 1c62c0f370
Merge pull request #120537 from symphorien/nagios-restart
nixos/nagios: use the correct option to restart on config change
2021-04-24 17:58:19 +00:00
Lassulus 118485230c
Merge pull request #119725 from helsinki-systems/feat/flexoptix-app
flexoptix-app: Init at 5.9.0
2021-04-24 19:34:18 +02:00
Izorkin 47d3e955fc nixos/mastodon/sandbox: add @privileged and @raw-io to SystemCallFilter 2021-04-24 19:12:10 +02:00
pennae afb6fe2fff nixos/fail2ban: add extraPackages option
some ban actions need additional packages (eg ipset). since actions can be
provided by the user we need something general that's easy to configure.

we could also enable ipset regardless of the actual configuration of the system
if the iptables firewall is in use (like sshguard does), but that seems very
clumsy and wouldn't easily solve the binary-not-found problems other actions may
also have.
2021-04-24 18:14:56 +02:00
pennae 25c827b3cc nixos/fail2ban: add maxretry option
it's not possible to set a different default maxretry value in the DEFAULT jail
because the module already does so. expose the maxretry option to the
configuration to remedy this. (we can't really remove it entirely because
fail2ban defaults to 5)
2021-04-24 17:55:56 +02:00
Symphorien Gibol ddf567cd5a nixos/nagios: use the correct option to restart on config change
X-ReloadIfChanged is incorrect, apparently https://github.com/NixOS/nixpkgs/pull/120324#discussion_r619472321
We restart instead of reloading because nagios unit file has no
ExecReload.
2021-04-24 17:12:51 +02:00
Michael Raskin d04f1c4314
Merge pull request #101071 from ju1m/apparmor
apparmor: try again to fix and improve
2021-04-24 11:24:26 +00:00
Jörg Thalheim c534a8434f
nixos-install: fix flake command 2021-04-24 11:49:59 +02:00
Attila Lendvai 603707a137 nixos/doc/manual: refine extraLayouts, add warnings an test commands 2021-04-24 09:52:43 +02:00
Sandro Jäckel 8ee00e6ca2
nixos/kresd: allow package to be configured 2021-04-24 09:18:45 +02:00
github-actions[bot] f9e9e425fc
Merge staging-next into staging 2021-04-24 06:05:32 +00:00
github-actions[bot] d8d6ba0d2e
Merge master into staging-next 2021-04-24 06:05:30 +00:00
Luke Granger-Brown 4fb91cbafe Revert "treewide: use auto diskSize for make-disk-image"
This reverts commit f3aa040bcb.
2021-04-24 02:38:36 +00:00
Luke Granger-Brown f521b12b0e Revert "nixos/amazon-image: (temporarily) use fixed disk size again"
This reverts commit 6a8359a92a.
2021-04-24 02:38:25 +00:00
Luke Granger-Brown d97478e369
Merge pull request #120481 from lukegb/temp-ec2-fixed-disk
nixos/amazon-image: (temporarily) use fixed disk size again
2021-04-24 03:32:58 +01:00
Sandro e3e6b73701
Merge pull request #119706 from nyanotech/master
nixos/printers: fix ensureDefaultPrinter
2021-04-24 03:49:09 +02:00
Luke Granger-Brown 6a8359a92a nixos/amazon-image: (temporarily) use fixed disk size again
As a temporary workaround for #120473 while the image builder is patched
to correctly look up disk sizes, partially revert
f3aa040bcb for EC2 disk images only.

We retain the type allowing "auto" but set the default back to the
previous value.
2021-04-24 00:43:47 +00:00
github-actions[bot] 944e32775d
Merge staging-next into staging 2021-04-24 00:16:20 +00:00
github-actions[bot] 6e7c70d02d
Merge master into staging-next 2021-04-24 00:16:17 +00:00
Aaron Andersen d734de7e7e
Merge pull request #119914 from evils/vnstat
nixos.vnstat: homedir -> statedir
2021-04-23 19:23:17 -04:00
Evils 7ff0ccc324 nixos/vnstat: homedir -> statedir
before, a nixos update that didn't trigger the chmod would break vnstat

and use a vnstatd group
2021-04-24 00:31:58 +02:00
Martin Weinelt fc55a1bdd4
nixos/tests/prometheus-exporters/bird: set router id
Previously bird would refuse to start up because the router id wasn't
set.

> bird[682]: Cannot determine router ID, please configure it manually
2021-04-23 23:34:26 +02:00
Maximilian Bosch f62b42f405
Merge pull request #120125 from BBBSnowball/pr-add-config-nextcloud-imagick-rename-option
nixos/nextcloud: Rename option disableImagemagick to enableImagemagick
2021-04-23 23:27:34 +02:00
Alyssa Ross 0d0e7ca769
Merge remote-tracking branch 'nixpkgs/master' into staging-next
Conflicts:
	pkgs/top-level/python-packages.nix
2021-04-23 21:18:11 +00:00
Aaron Andersen 5f2a8deb17
Merge pull request #120324 from pennae/restart-sshguard
nixos/sshguard: restart sshguard when services/backend changes
2021-04-23 16:56:30 -04:00
Luke Granger-Brown 6e4f8b06f5
Merge pull request #120349 from lukegb/debug-release-2009
nixos/test-driver: use a variety of different Tesseract settings for OCR
2021-04-23 21:04:02 +01:00
Luke Granger-Brown 4de343cccf nixos/test-driver: use a variety of different Tesseract settings for OCR
When performing OCR, some of the Tesseract settings perform better than
others on a variety of different workloads, but they mostly take
~negligible incremental time to run compared to the overhead of running
the ImageMagick filters.

After this commit, we try using all three of the current Tesseract
models (classic, LSTM, and classic+LSTM) to generate output text. This
fixes chromium-90's tests at release-20.09, and should make cases where
you're looking for *specific* text better, with the tradeoff of running
Tesseract multiple times.

To make it sensible to cherrypick this into release-20.09, this doesn't
change the existing API surface for the test driver. In particular,
get_screen_text continues to have the existing behaviour.
2021-04-23 18:42:35 +00:00
Markus S. Wamser 44a994ff9e nixos: use supportedSystems argument instead of hardcoded list for netboot
The default value for the argument is identical to the hardcoded list,
but using the argument allows to build other netboot images easily.
2021-04-23 18:34:51 +02:00
Jörg Thalheim 4230f632cc
Merge pull request #120254 from Luflosi/ipfs-simplify-systemd-unit
nixos/ipfs: remove separate ipfs-init systemd unit
2021-04-23 17:00:37 +01:00
davidak 513143fe4e kbd: add tests and update them 2021-04-23 16:41:11 +02:00
davidak fabdd46503 kbdKeymaps: remove
dvp and neo are now included in kbd

includes documentation in release notes and alias
2021-04-23 16:41:06 +02:00
pennae 265d31bcbd nixos/sshguard: restart sshguard when services/backend changes
backends changing shouldn't be very likely, but services may well change. we
should restart sshguard from nixos-rebuild instead of merely plopping down a new
config file and waiting for the user to restart sshguard.
2021-04-23 16:16:37 +02:00
Julien Moutinho b42a0e205d nixos/apparmor: disable killUnconfinedConfinables by default 2021-04-23 07:20:20 +02:00
Julien Moutinho 76887d750b nixos/apparmor: add test for apparmorRulesFromClosure 2021-04-23 07:20:20 +02:00
Julien Moutinho 45e5d726b2 nixos/apparmor: improve code readability 2021-04-23 07:20:19 +02:00
Julien Moutinho b280e64078 transmission: move apparmor profile to Nixpkgs 2021-04-23 07:20:14 +02:00
Julien Moutinho 03b2156d26 nixos/apparmor: move release note to 21.05 2021-04-23 07:19:32 +02:00
Julien Moutinho 8f9b29d168 apparmor: 2.13.5 -> 3.0.0 2021-04-23 07:17:56 +02:00
Julien Moutinho 27032f4dd6 nixos/apparmor: fix logprof.conf generation 2021-04-23 07:17:56 +02:00
Tony Olagbaiye fca06b142a nixos/apparmor: remove an IFD
First because IFD (import-from-derivation) is not allowed on hydra.nixos.org,
and second because without https://github.com/NixOS/hydra/pull/825
hydra-eval-jobs crashes instead of skipping aggregated jobs which fail
(here because they required an IFD).
2021-04-23 07:17:55 +02:00
Julien Moutinho 05d334cfe2 Revert "Revert "apparmor: fix and improve the service""
This reverts commit 420f89ceb2.
2021-04-23 07:17:55 +02:00
Luke Granger-Brown 32d80aaaa5 nixos/tests/hibernate: install a system instead
Rather than relying on carefully avoiding touching the 9P-mounted
/nix/store, we instead install a small NixOS system, similar to
the installer tests, and boot from that.

This avoids the various pitfalls associated with trying to unsuspend
properly and trades off a bunch of boilerplate for what will hopefully
be a more reliable test.

Additionally, this test now actually tests booting the system using a
bootloader, rather than the previous method of just booting the kernel
directly.
2021-04-23 01:30:38 +00:00
Luflosi b32b56cd54
nixos/ipfs: remove separate ipfs-init systemd unit
There is no need for a separate unit. Simplify the NixOS module by adding the shell code to preStart of the main unit, where the other initialization code already is.
2021-04-22 21:13:05 +02:00
github-actions[bot] b95da5efb6
Merge master into staging-next 2021-04-22 18:14:27 +00:00
Lassulus bdf8e0fc31
Merge pull request #120195 from Mic92/quagga
quagga: remove
2021-04-22 20:10:08 +02:00
lassulus f3aa040bcb treewide: use auto diskSize for make-disk-image 2021-04-22 19:52:49 +02:00
Alyssa Ross 9e400a8b93 nixos/users-groups: check format of passwd entries
Things will get quite broken if an /etc/passwd entry contains a
colon (which terminates a field), or a newline (which terminates a
record).  I know because I just accidentally made a user whose home
directory path contained a newline!

So let's make sure that can't happen.
2021-04-22 13:18:38 +00:00
Viktor Kronvall c01046b022 services.buildkite-agents: support multi-tags
The buildkite agent supports multiple tags with the same key. This
functionality is used to have a [single agent listen on multiple
queues](https://buildkite.com/docs/agent/v3/queues#setting-an-agents-queue).

However, having the tags be of type `attrsOf str` means that
we cannot suport this use case. This commit modifies the type
of tags to be `attrsOf (either str (listOf str))` where the list
is expanded into multiple tags with the same key.

Example:
```
{tags = {queue = ["default", "testing"];};}
```
generates
```
tags="queue=default,queue=testing"
```
in the buildkite agent configuration.
2021-04-22 21:23:52 +09:00
github-actions[bot] 120744d620
Merge master into staging-next 2021-04-22 12:06:24 +00:00
Johan Thomsen 8a6e130c71 nixos/ceph: fix tests
- 512 -> 1024MB vm memory (had sporadic oom-failures with the lower setting)

- set "auth_allow_insecure_global_id_reclaim=false" as described here: https://docs.ceph.com/en/latest/security/CVE-2021-20288/
2021-04-22 13:17:57 +02:00
Jörg Thalheim 40945d399d
quagga: remove
Upstream repositories do no longer exists. There has been no release in
a while. - Not a good combination for a network daemon running as root
in C that parses network packets...
2021-04-22 12:48:48 +02:00
Michael Weiss 3e01d42024
maintainers: remove tavyc
Their last commit was dcc84d8 from 2017.
Thank you for your contributions.
2021-04-22 11:34:25 +02:00
Jörg Thalheim 63f8170ca4
Merge pull request #120023 from Mic92/nano
configuration template: improve docs on nano
2021-04-22 07:14:01 +01:00
github-actions[bot] 8248f4db36
Merge master into staging-next 2021-04-22 06:05:51 +00:00