/run/opengl-drivers should contain only libGL-related libraries, not
stuff like udev. Injecting anything into LD_LIBRARY_PATH is dangerous
because it can break applications that expect a different version of
the library.
Caused by eef9a8ac2a. Fixes #5371.
- Move lgi to luaPackages
- Use luaPackages in awesome and passthru lua
- Allow to pass lua modules to the awesome WM so that those can be used in the configuration
This is useful for adding extra functionality or defaults to _every_
nixos evaluation.
My use case is overriding behaviour for all nixos tests, for example
setting packageOverrides to newer versions and changing some default
dependencies/settings.
By making this accessible through an environment variable, this can now
be fully accomplished externally. No more need to fork
nixos/nixpkgs (which becomes a maintenance burden), just use the channel
instead and plug in via this envvar.
The warning was displayed whenever services.virtualboxHost.enable was
true, but if people were to enable hardening, they'd still get that
annoying message.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Creates unnecessary cruft in the root users home directory, which we
really don't need. Except the log, but therefore we now cat the log to
stderr and the private temporary directory is cleaned up afterwards.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current options for the XServer produce a huge amount of log messages. The
server produces around 70-80 messages per minute. The most messages look like
this:
display-manager-start[1846]: GetModeLine - scrn: 0 clock: 75200
display-manager-start[1846]: GetModeLine - hdsp: 1366 hbeg: 1414 hend: 1478 httl: 1582
display-manager-start[1846]: vdsp: 768 vbeg: 772 vend: 779 vttl: 792 flags: 9
Since theses messages aren't very useful, I propose to remove the `-logverbose`
and `-verbose` options from the XServer arguments.
This should display a big fat warning that people can hardly miss until
we have fixed the issues with the host-only-interfaces that persist when
hardining is enabled.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Essentially adds two more VirtualBox VMs to the test and also increases
the memory size of the qemu VM to 768 MB to make sure we don't run out
of memory too soon.
We're testing whether those two VMs can talk to either each other
(currently via ICMP only) or to/from the host via TCP/IP.
Also, this restructures the VM test a bit, so that we now pass in a
custom stage2Init script that has access to the store via a private
mount over the /nix/store that's already in the initrd. The reason why
this is a private mount is that we don't want to shadow the Nix store of
the initrd, essentially breaking cleanup functionality after the custom
stage 2 script (currently this is only "poweroff -f").
Note that setting the hostname inside the VirtualBox VM is *not* for
additional fanciness but to produce a different store path for the VM
image, so that VirtualBox doesn't bail out when trying to use an image
which is already attached to another VM.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Hardening mode in VirtualBox is quite restrictive and on some systems it
could make sense to disable hardening mode, especially while we still
have issues with hostonly networking and other issues[TM] we don't know
or haven't tested yet.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We're going to create more than one VirtualBox VM, so let's dynamically
generate subs specific to a particular VirtualBox VM, merging everything
into the testScript and machine expressions.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It turns out that installing therubytracer, with dependency on old v8, even
when using source libv8 version is problematic.
(see
http://stackoverflow.com/questions/21666379/problems-installing-gitlab-on-odroid-v8-lib-not-available).
But wait, rails does not even need therubytracer, just any kind of javascript
server side execution framework like nodejs. Well just use that, as also
suggested from different internet sources (look link above), it works just
fine.
Currently it pretty much tests starting up virtual machines and just
shutting down afterwards, but for both VBoxManage and the VirtualBox
GUI.
This helps catching errors in hardened mode, however we still need to
test whether networking works the way intended (and I fear that this is
broken at the moment).
The VirtualBox VM is _not_ using hardware virtualization support (thus
we use system = "i686-linux", because x86_64 has no emulation support),
because we're already within a qemu VM, which means it's going to be
slow as hell (that's why I've written own subs just for testing
startup/shutdown/whatnot with respective timeouts).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!
Fixes #5283.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I had to make several adjustments to make it work with nixos:
* Replace relative config file lookups with ENV variable.
* Modify gitlab-shell to not clear then environment when running
pre-receive.
* Modify gitlab-shell to write some environment variables into
the .authorized_keys file to make sure gitlab-shell reads the
correct config file.
* Log unicorn output to syslog.
I tried various ways of adding a syslog package but the bundler would
not pick them up. Please fix in a better way if possible.
* Gitlab-runner program wrapper.
This is useful to run e.g. backups etc. with the correct
environment set up.
Since we're using HTTPS for the binary cache (introduced in faf0797) by
default, the binary cache should also be available during installation.
The file that is defined in SSL_CERT_FILE outside of the chroot is
copied over to /tmp/ca-cert.crt inside the chroot, so we have an
absolute path we can reference during nixos-install. However, this might
end up with the file not being cleaned up properly from outside of the
store, but neither would be /tmp/root so the cleanup issue needs to be
solved in another place (or commit to be more exact).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current nixos module for VirtualBox unconditionally configures a vboxnet0
network interface at boot. This may be undesired, especially when the user wants
to manage network interfaces in a centralized manner.
- Create container nixos profile
- Create lxc-container nixos config using container nixos profile
- Docker nixos image, use nixos profile for its base config
The default configuration installed the Bitstream Vera fonts, but DejaVu
is a superior replacement, and the default Fontconfig settings need it
now for the generic faces monospace, sans-serif, and serif.
Details:
* The option `fonts.fontconfig.ultimate.enable` can be used to disable
the fontconfig-ultimate configuration.
* The user-configurable options provided by fontconfig-ultimate are
exposed in the NixOS module: `allowBitmaps` (default: true),
`allowType1` (default: false), `useEmbeddedBitmaps` (default: false),
`forceAutohint` (default: false), `renderMonoTTFAsBitmap` (default:
false).
* Upstream provides three substitution modes for substituting TrueType
fonts for Type 1 fonts (which do not render well). The default,
"free", substitutes free fonts for Type 1 fonts. The option "ms"
substitutions Microsoft fonts for Type 1 fonts. The option "combi"
uses a combination of Microsoft and free fonts. Substitutions can also
be disabled.
* All 21 of the Infinality rendering modes supported by fontconfig-ultimate
or by the original Infinality distribution can be selected through
`fonts.fontconfig.ultimate.rendering`. The default is the medium style
provided by fontconfig-ultimate. Any of the modes may be customized,
or Infinality rendering can be disabled entirely.
Details:
* The option `fonts.enableFontConfig` has (finally) been renamed
`fonts.fontconfig.enable`.
* Configurations are loaded in this order: first the Fontconfig-upstream
configuration is loaded, then the NixOS-specific font directories are
set, the system-wide default configuration is loaded, and finally the
user configuration is loaded (if enabled).
* The NixOS options `fonts.fontconfig.defaultFonts.monospace`,
`fonts.fontconfig.defaultFonts.sansSerif` and
`fonts.fontconfig.defaultFonts.serif` are added to allow setting the
default system-wide font used for these generic faces. The defaults
are the appropriate faces from the DejaVu collection because of their
comprehensive Unicode coverage, clean rendering, and excellent
legibility.
* The NixOS option `fonts.fontconfig.antialias` can be used to disable
antialiasing (it is enabled by default).
* The options `fonts.fontconfig.subpixel.rgba` and
`fonts.fontconfig.subpixel.lcdfilter` control the system-wide default
settings for subpixel order and LCD filtering algorithm,
respectively.
* `fonts.fontconfig.hinting.enable` can be used to disable TrueType font
hinting (it is enabled by default).
`fonts.fontconfig.hinting.autohint` controls the FreeType autohinter.
`fonts.fontconfig.hinting.style` controls the hint style; it is "full"
by default.
* User configurations can be disabled system-wide by setting
`fonts.fontconfig.includeUserConf = false`. They are enabled by
default so users can set Fontconfig options in the desktop environment
of their choice.
This overhauls the Tor module in a few ways:
- Uses systemd service files, including hardening/config checks
- Removed old privoxy support; users should use the Tor Browser
instead.
- Remove 'fast' circuit/SOCKS port; most users don't care (and it adds
added complexity and confusion)
- Added support for bandwidth accounting
- Removed old relay listenAddress option; taken over by portSpec
- Formatting, description, code cleanups.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Rather than trying to override the 'torsocks' executable in $PATH, the
new module instead properly configures `/etc/tor/torsocks.conf` and puts
the normal `torsocks` executable in $PATH so it can work out of the box.
As a bonus, I think this module actually works now, because the torsocks
configuration has changed a lot from when this was written, it seems...
Signed-off-by: Austin Seipp <aseipp@pobox.com>
'torify' now ships with the tor bundle itself; and using torsocks is
recommended over tsocks (torify will use torsocks automatically.)
Signed-off-by: Austin Seipp <aseipp@pobox.com>