This allows non-privileged users to configure local DNS
entries by editing hosts files read by NetworkManager's dnsmasq
instance.
Cherry-picked from e6c3d5a507 and
5a566004a2.
With a config like
{
networking.interfaces."lo".ip4 = [
{ address = "10.8.8.8"; prefixLength = 32; }
];
}
a nixos-rebuild switch would take a long time, and you'd see:
$ systemctl list-jobs
JOB UNIT TYPE STATE
734400 network-interfaces.target start waiting
734450 sys-subsystem-net-devices-lo.device start running
734449 network-link-lo.service start waiting
and:
systemd[1]: sys-subsystem-net-devices-lo.device: Job sys-subsystem-net-devices-lo.device/star>
systemd[1]: sys-subsystem-net-devices-lo.device: Job sys-subsystem-net-devices-lo.device/star>
systemd[1]: Timed out waiting for device sys-subsystem-net-devices-lo.device.
This removes the device dependency for `lo` and fixes this bug.
Closes #7227
The deep merge caused all the options to be unset when generating docs, unless quagga was enabled.
Using imports, instead, properly allows the documentation to be generated.
The `.service` file defining the `systemd` unit for `autorandr.service`
which is bundled with the package itself uses `--default default` in the
`ExecStart` section. This can be an issue when having multiple layouts
(e.g. `default` as workstation layout I mostly work on and `mobile` when
I go somewhere else).
When the service gets restarted and `--default` can't be applied,
however the current layout can't be detected (e.g. when working with an
unknown beamer) the service silently fails with a message like this:
```
Jun 22 18:44:46 hauptshuhle autorandr[3168]: /nix/store/h83b72ffm68nm8fyjnppljchp456a94r-xrandr-1.5.0/bin/xrandr: ca>
Jun 22 18:44:46 hauptshuhle autorandr[3168]: Failed to apply profile 'default' (line 718):
Jun 22 18:44:46 hauptshuhle autorandr[3168]: Command failed: /nix/store/h83b72ffm68nm8fyjnppljchp456a94r-xrandr-1.>
```
As discussed in the IRC (see https://botbot.me/freenode/nixos/2018-07-05/?msg=101791455&page=6)
it's a bad long-term solution in terms of maintenance to manually patch
the service file bundled with the derivation, instead the service shall
be configured declaratively. Additionally this makes possible overrides
from the user-space way easier.
The `udev` rule (in `$out/etc/udev/rules.d`) won't' be affected, it
simply runs `systemctl start autorandr.service` when e.g. a new display
is added, so now `udev` communicates with the NixOS systemd unit.
To update the plasma start menu `kbuildsyscoca5` needs to be executed.
There are several people complaining about missing applications in their
plasma start menu.
This patch adds a activationScript for plasma, that runs
`kbuildsyscoca5` for each user that has `isNormalUser` == `true`.
In fff5923686 all occurences of
users.extraUsers and users.extraGroups have been changed tree-wide to
users.users and users.group. In the meantime the hadoop modules were
introduced via #41381 (060a98e9f4).
Unfortunately those modules still use users.extraUsers, which has been
renamed a long time ago (14321ae243, about
three years from now), so let's actually rename it accordingly as well.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @matthewbauer, @aespinosa
The order of sudoers entries is significant. The man page for sudoers(5)
notes:
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match).
This module adds a rule for group "wheel" matching all commands. If you
wanted to add a more specific rule allowing members of the "wheel" group
to run command `foo` without a password, you'd need to use mkAfter to
ensure your rule comes after the more general rule.
extraRules = lib.mkAfter [
{
groups = [ "wheel" ];
commands = [
{
command = "${pkgs.foo}/bin/foo";
options = [ "NOPASSWD" "SETENV" ];
}
]
}
];
Otherwise, when configuration options are merged, if the general rule
ends up after the specific rule, it will dictate the behavior even when
running the `foo` command.
If one of the certificates of the chain gets substituted from a binary
cache and the rest is generated locally it might turn out that we get
invalid certificates, which in turn cause tests using this module to
fail.
So let's set allowSubstitutes to false for all derivations that are
involved with certificate/key generation.
Signed-off-by: aszlig <aszlig@nix.build>
- Introduce new "server" output holding the server binaries
- Adapt tsmbac.patch to new build environment
- Adapt openafs nixos server module accordingly
- Update upstream CellServDB: 2017-03-14 -> 2018-05-14
- Introduce package attributes to refer to the openafs packages to use for
server, programs and kernel module
Rather than special-casing the dns options in networkmanager.nix, use
the module system to let unbound and systemd-resolved contribute to
the newtorkmanager config.
fixes #41838
At the moment it works fine for "file://" keys, but does not work for
dataPools with "prompt" keys, because the passphrase cannot be entered
(yet).
Commit 401370287a introduced a small error
where the closing tag of <literal/> was an opening tag instead.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @basvandijk, @xeji
Forcibly restarting NSCD is unnecessary and breaks setups that use SSSD for
authentication. NSCD is capable of detecting changes to /etc/resolv.conf and
invalidating its caches internally. Restarting NSCD/SSSD breaks user name and
UID resolution.
The freeradius service was merged with #34587
but the module was not added to module-list.
This commit fixes that and enables the use of
services.freeradius in nixos configuration.
Peviously only the timesyncd systemd unit was disabled. This meant
that when you activate a system that has chronyd enabled the following
strange startup behaviour takes place:
systemd[1]: Starting chrony NTP daemon...
systemd[1]: Stopping Network Time Synchronization...
systemd[1]: Stopped chrony NTP daemon.
systemd[1]: Starting Network Time Synchronization...
For now check that the default client config boots.
Ideas for the future:
- Expand on control via netcat
- Configure a circuit of nodes exercise various configs (e.g., check
that a client node can access a hidden www service). Needs setting up
authoritative directory servers &c.
find-libs is currently choking when it finds the dynamic linker
as a DT_NEEDED dependency (from glibc) and bails out like this
(as glibc doesn't have a RPATH):
Couldn't satisfy dependency ld-linux-x86-64.so.2
Actually the caller of find-libs ignores the exit status, so the issue
almost always goes unnoticed and happens to work by chance. But
additionally what happens is that indirect .so dependencies are
left out from the dependency closure calculation, which breaks
latest cryptsetup as libssl.so isn't found anymore.
This change adds NixOS tests for the MPD (Music Player Daemon) module.
Tests include:
- Playing audio locally using ALSA directly.
- Playing audio locally using PulseAudio (backed by ALSA).
- Playing audio from an external client.
- Rejecting an external client when it's not explicitly allowed (default configuration).
refs #41772
Kubernetes dashboard currently has cluster admin permissions,
which is not recommended.
- Renamed option "services.kubernetes.addons.dashboard.enableRBAC" to "services.kubernetes.addons.dashboard.rbac.enable"
- Added option "services.kubernetes.addons.dashboard.rbac.clusterAdmin", default = false.
- Setting recommended minimal permissions for the dashboard in accordance with https://github.com/kubernetes/dashboard/wiki/Installation
- Updated release note for 18.09.
Adds a module for running the journaldriver log forwarding agent via
systemd.
The agent can be deployed on both GCP instances and machines hosted
elsewhere to forward all logs from journald to Stackdriver Logging.
Consult the module options and upstream documentation for more
information.
Implementation notes:
* The service unit is configured to use systemd's dynamic user feature
which will let systemd set up the state directory and appropriate
user configuration at unit launch time instead of hardcoding it.
* The module depends on `network-online.target` to prevent a situation
where journaldriver is failing and restarting multiple times before
the network is online.
- Added option 'cni.configDir' to allow for having CNI config outside of nix-store
Existing behavior (writing verbatim CNI conf-files to nix-store) is still available.
- Removed unused option 'apiserver.publicAddress' and changed 'apiserver.address' to 'bindAddress'
This conforms better to k8s docs and removes existing --bind-address hardcoding to 0.0.0.0
- Fixed c/p mistake in apiserver systemd unit description
- Updated 18.09 release notes to reflect changes to existing options
And fixed some typos from previous PR
- Make docker images for Kubernetes Dashboard and kube-dns configurable
The usage of nixpkgs.config.packageOverrides is deprecated and we do
have overlays since quite a while.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @edolstra
This reverts a part of 5bd12c694b.
Apparently there's no way to specify user for RuntimeDirectory in systemd
service file (it's always root) but tor won't create control socket if the dir
is owned by anybody except the tor user.
These hardenings were adopted from the upstream service file, checked
against systemd.service(5) and systemd.exec(5) manuals, and tested to
actually work with all the options enabled.
`PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5),
removed.
`--RunAsDaemon 0` is the default value according to tor(5), removed.
The `zsh-autosuggestions` package provides several configuration options
such as a different highlight style (like `fg=cyan` which is easier to
read).
With `rename.nix` the old `programs.zsh.enableAutosuggestions` is still
functional, but yields the following warning like this during evaluation:
```
trace: warning: The option `programs.zsh.enableAutosuggestions' defined in `<unknown-file>' has been renamed to `programs.zsh.autosuggestions.enable'.
```
The module provides the most common `zsh-autosuggestions` (highlight
style and strategy) as options that will be written into the interactive
shell init (`/etc/zshrc` by default). Further configuration options can
be declared using the `extraConfig` attr set:
```
{
programs.zsh.autosuggestions.extraConfig = {
"ZSH_AUTOSUGGEST_BUFFER_MAX_SIZE" = "buffer_size";
};
}
```
A full list of available configuration options for `zsh-autosuggestions`
can be viewed here: https://github.com/zsh-users/zsh-autosuggestions/blob/v0.4.3/README.md
[x] Support transparent proxying. This means services behind sslh (Apache, sshd and so on) will see the external IP and ports as if the external world connected directly to them.
[x] Run sslh daemon as unprivileged user instead of root (it is not only for security, transparent proxying requires it)
[x] Removed pidFile support (it is not compatible with running sslh daemon as unprivileged user)
[x] listenAddress default changed from "config.networking.hostName" (which resolves to meaningless "127.0.0.1" as with current /etc/hosts production) to "0.0.0.0" (all addresses)
Adds programs.mosh.withUtempter (default: true).
The option enables -with-utempter for mosh, allowing it to write to
/var/run/utmp and thus making connected sessions appear in the output
of `who -a`.
For that, a guid-wrapper is required. Also, the path to the `utempter` was
hardcoded in the resulting binary until now (so it could never been found),
thus, libutempter was patched accordingly to point to
/run/wrappers/bin/utempter which at least works when the wrapper is
configured.
Presents the options available (linuxManualConfig versus overriding
extraConfig, ignoreConfigErrors, autoModules, kernelPreferBuiltin.
For advanced hostPlatform customization refer to the commands shared by ericson1234 at
https://github.com/NixOS/nixpkgs/pull/33813 but it is too advanced to
put in the doc.
Currently minio logs with enhanced tty data and journalctl does not include anything useful as a result:
```
Jun 08 11:03:28 alpha minio[17813]: [78B blob data]
Jun 08 11:03:28 alpha minio[17813]: [49B blob data]
Jun 08 11:03:28 alpha minio[17813]: [19B blob data]
Jun 08 11:03:28 alpha minio[17813]: [88B blob data]
Jun 08 11:03:28 alpha minio[17813]: [45B blob data]
Jun 08 11:03:28 alpha minio[17813]: [44B blob data]
Jun 08 11:03:28 alpha minio[17813]: [57B blob data]
```
Indicating that it detected some binary output. With the `--json` flag it logs:
```
Jun 08 11:14:58 alpha minio[18573]: {"level":"FATAL","time":"2018-06-07T23:14:58.770637778Z","error":{"message":"--address input is invalid: address 127.0.0.1: missing port in address","source":["/build/go/src/github.com/minio/minio/cmd/server-main.go:121:cmd.serverHandleCmdArgs()"]}}
```
DBus seems to resolve user IDs directly via glibc, circumventing nscd. In more
advanced setups this leads to user's coming from LDAP or SSSD not being
resolved by the dbus system bus daemon. The effect for such users is, that all
access to the system bus (e.g. busctl or nmcli) is denied.
Adding the respective NSS modules to the service's environment solves the issue
the same way it does for nscd.
A script is used to create a project, and configure a jobset. This
jobset fetches a local file containing a trivial Nix expression. The
test script makes sure this derivation has been successfully built by
Hydra.