1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-21 05:00:16 +00:00
Commit graph

16834 commits

Author SHA1 Message Date
adisbladis 43f383c464
nixos.virtualisation.containers: Init common /etc/containers configuration module
What's happening now is that both cri-o and podman are creating
/etc/containers/policy.json.

By splitting out the creation of configuration files we can make the
podman module leaner & compose better with other container software.
2020-04-21 10:38:39 +01:00
adisbladis 650df709fb
nixos.virtualisation: Move containers.nix to nixos-containers.nix
In anticipation of the new containers module.
2020-04-21 10:36:56 +01:00
adisbladis f0a92ef1d9
nixos/podman: Add maintainer team & add myself to podman team 2020-04-21 10:03:22 +01:00
adisbladis b512a788a4
nixos/virtualisation.podman: Init module 2020-04-21 10:03:18 +01:00
Marek Mahut 60100a7c92
Merge pull request #83769 from dadada/nixos/dokuwiki-multi-server
nixos/dokuwiki: add support for multi-site, additional plugins and templates
2020-04-20 19:39:48 +02:00
worldofpeace e9e9582986
Merge pull request #85186 from worldofpeace/20.03-readme
README.md: 20.03 release
2020-04-20 11:57:45 -04:00
worldofpeace 6380be302a rl-2003: release date 2020-04-20 11:52:57 -04:00
Eelco Dolstra f76d7b5e41
Merge pull request #85620 from matthewbauer/use-modulesPath-for-nixos-generate-config
nixos/nixos-generate-config.pl: use modulesPath instead of <nixpkgs>
2020-04-20 17:25:17 +02:00
Matthew Bauer c45295d47e nixos/nixos-generate-config.pl: use modulesPath instead of <nixpkgs>
For imports, it is better to use ‘modulesPath’ than rely on <nixpkgs>
being correctly set. Some users may not have <nixpkgs> set correctly.
In addition, when ‘pure-eval=true’, <nixpkgs> is unset.
2020-04-20 09:57:17 -05:00
Léo Gaspard 203955fa0c
Merge pull request #82714 from delroth/s3tc
libtxc_dxtn{,_s2tc}: remove from nixpkgs + hardware.opengl options
2020-04-20 13:41:47 +02:00
Jörg Thalheim 2f0ee4bd0b
Merge pull request #85371 from Mic92/tmpfiles 2020-04-20 10:32:58 +01:00
adisbladis ab37d7e7ea
nixos-containers: Add support for custom nixpkgs argument 2020-04-20 07:33:46 +01:00
Pierre Bourdon 1b89bffcf4
libtxc_dxtn{,_s2tc}: remove from nixpkgs + hardware.opengl options
Context: discussion in https://github.com/NixOS/nixpkgs/pull/82630

Mesa has been supporting S3TC natively without requiring these libraries
since the S3TC patent expired in December 2017.
2020-04-20 03:19:41 +02:00
Florian Klink ab0da25762
Merge pull request #85503 from emilazy/acme-test-cleanups
ACME test cleanups
2020-04-19 23:57:03 +02:00
Florian Klink a88d17bc69
Merge pull request #83301 from evils/tuptime
Tuptime: Init Package, Module and Test
2020-04-19 23:38:53 +02:00
worldofpeace f882896cc8
Merge pull request #73934 from flokli/nixos-test-port-cockroachdb
nixosTests.cockroachdb: port to python
2020-04-19 16:30:45 -04:00
Yegor Timoshenko 4f7e4a6b59 nixos/release-small: drop latestKernel.login
This partially reverts e133e396df.
2020-04-19 22:20:07 +03:00
Yegor Timoshenko 6f1165a0cb
Merge pull request #84522 from emilazy/add-linux-hardened-patches
linux_*_hardened: use linux-hardened patch set
2020-04-19 20:01:35 +03:00
Michael Weiss 0e4417f118
Revert "nixos: Introduce nix.buildLocation option"
This reverts commit 5291925fd2.
Reason: This started to cause severe regressions, see:
- https://github.com/NixOS/nixpkgs/issues/85552
- https://github.com/NixOS/nixpkgs/pull/83166#pullrequestreview-395960588
Fixes #85552.
2020-04-19 15:16:08 +02:00
dadada 2d86cca35e
nixos/dokuwiki: change default of aclFile and usersFile
`aclFile` and `usersFile` will be set to a default value if `aclUse` is
specified and aclFile is not overriden by `acl`.
2020-04-18 23:37:19 +02:00
dadada 9460fb5788
nixos/dokuwiki: modify usersFile and aclFile
Use types.str instead of types.path to exclude private information from
the derivation.
Add a warinig about the contents of acl beeing included in the nix
store.
2020-04-18 23:37:19 +02:00
dadada 2b67a89f29
nixos/dokuwiki: dokuwiki user 2020-04-18 23:37:19 +02:00
dadada 2e699f1db1
nixos/dokuwiki: add option disableActions 2020-04-18 23:37:18 +02:00
dadada a58dc30d34
nixos/dokuwiki: set default value for usersFile
If usersFile is not set, a file is created along the stateDir that can
hold the users and supports dynamically adding users using the web GUI.
2020-04-18 23:37:18 +02:00
dadada 0228046eec
nixos/dokuwiki: add assertion for usersFile 2020-04-18 23:37:18 +02:00
dadada af6a7a0486
nixos/dokuwiki: add plugins and templates options
Adds support for additional plugins and templates similarly to how
wordpress.nix does it.

Plugins and templates need to be packaged as in the example.
2020-04-18 23:37:18 +02:00
dadada 71baf4801c
nixos/dokuwiki: refactor 2020-04-18 23:37:18 +02:00
dadada dc7ed06615
nixos/dokuwiki: add <name?> option
Enables multi-site configurations.

This break compatibility with prior configurations that expect options
for a single dokuwiki instance in `services.dokuwiki`.
2020-04-18 23:37:18 +02:00
Vladimír Čunát e233a9d4dd
Merge #84442: staging-next branch 2020-04-18 23:11:00 +02:00
Jan Tojnar 09c4736405
Merge pull request #83755 from jtojnar/jcat-0.1 2020-04-18 20:38:24 +02:00
Jörg Thalheim 35eb7793a3
Merge pull request #83166 from avnik/nix-build-location 2020-04-18 18:37:15 +01:00
Alexander V. Nikolaev 5291925fd2 nixos: Introduce nix.buildLocation option
Allow to specify where package build will happens.
It helps big packages (like browsers) not to overflow tmpfs.
2020-04-18 20:31:04 +03:00
worldofpeace 996ae856b6
Merge pull request #85365 from immae/fix_acme_postrun
nixos/acme: Fix postRun in acme certificate being ran at every run
2020-04-18 13:16:16 -04:00
Alyssa Ross 1b0d8015fe nixos/rss2email: globally install rss2email
For man pages.
2020-04-18 14:16:00 +00:00
Pavol Rusnak fadcfc3ea4
treewide: per RFC45, remove more unquoted URLs 2020-04-18 14:04:37 +02:00
Edmund Wu 4727e95eb6
manual/rl-2009.xml: fix build (#85478)
16a4332d60 (diff-43de86228df91216c5cfc9446cb041feL249)
2020-04-18 07:51:06 +02:00
Vladimír Čunát d96487b9ca
Merge branch 'master' into staging-next
Hydra nixpkgs: ?compare=1582510
2020-04-18 07:42:26 +02:00
Emily 21f183a3fe nixos/tests/common/acme: don't set nameservers for client
The resolver is mainly useful for the ACME server, and acme.nix uses its
own DNS server to test DNS-01 challenges.
2020-04-18 05:15:47 +01:00
Emily e6d5e83cf1 nixos/tests/common/acme: enable Pebble strict mode
This lets us get early warning about any bugs or backwards-compatibility
hazards in lego.

Pebble will default to this in the future, but doesn't currently;
see https://github.com/letsencrypt/pebble/blob/v2.3.0/README.md#strict-mode.
2020-04-18 05:15:47 +01:00
Emily 695fd78ac4 nixos/tests/acme: use CAP_NET_BIND_SERVICE 2020-04-18 05:15:47 +01:00
Emily d0f04c1623 nixos/tests/acme: use *.test domains
Shimming out the Let's Encrypt domain name to reuse client configuration
doesn't work properly (Pebble uses different endpoint URL formats), is
recommended against by upstream,[1] and is unnecessary now that the ACME
module supports specifying an ACME server. This commit changes the tests
to use the domain name acme.test instead, and renames the letsencrypt
node to acme to reflect that it has nothing to do with the ACME server
that Let's Encrypt runs. The imports are renamed for clarity:

* nixos/tests/common/{letsencrypt => acme}/{common.nix => client}
* nixos/tests/common/{letsencrypt => acme}/{default.nix => server}

The test's other domain names are also adjusted to use *.test for
consistency (and to avoid misuse of non-reserved domain names such
as standalone.com).

[1] https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242

Co-authored-by: Yegor Timoshenko <yegortimoshenko@riseup.net>
2020-04-18 05:15:47 +01:00
Emily 352e30df8a nixos/tests/acme: don't restrict to x86_64
This was added in aade4e577b, but the
implementation of the ACME module has been entirely rewritten since
then, and the test seems to run fine on AArch64.
2020-04-18 05:15:47 +01:00
Milan Pässler 16a4332d60 nixos/deluge: support 2.x 2020-04-18 02:00:04 +02:00
Ismaël Bouya 8e88b8dce2
nixos/acme: Fix postRun in acme certificate being ran at every run 2020-04-17 22:16:50 +02:00
worldofpeace 40f3faedbd nixos/manual: 19.09 -> 20.03 2020-04-17 12:41:24 -04:00
Emily 2e31fb407e nixos/release-combined: add {,latestKernel.}hardened
These now depend on an external patch set; add them to the release tests
to ensure that the build doesn't break silently as new kernel updates
are merged.
2020-04-17 16:13:39 +01:00
Emily e133e396df nixos/release-{small,combined}: add latestKernel.login
Seems like a good idea to ensure that you can always use the latest
stable upstream kernel.
2020-04-17 16:13:39 +01:00
Emily fe031d07f8 nixos/tests/hardened: add latestKernel argument 2020-04-17 16:13:39 +01:00
Emily b0d5032ee4 nixos/hardened: add emily to maintainers 2020-04-17 16:13:39 +01:00
Emily ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have lead to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00