1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-18 10:56:53 +00:00
Commit graph

11973 commits

Author SHA1 Message Date
Joachim Fasting ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting 84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Joachim Fasting 9db84f6fcd
nixos/security/misc: use mkMerge for easier extension 2018-12-27 15:00:46 +01:00
Christian Kögler 987fdea1a8 nixos vdr: introduce option enableLirc
also introduce option socket for lirc, to have access to socket path
2018-12-26 22:59:06 +01:00
Léo Gaspard fa98337a15
system-path: set implicitly installed packages to be low-priority
The aim is to minimize surprises: when the user explicitly installs a
package in their configuration, it should override any package
implicitly installed by NixOS.
2018-12-26 23:16:17 +09:00
Samuel Dionne-Riel 302d53df2b nixos/sd-image-aarch64-new-kernel: Added to release
This, paired with the previous commit, ensures the channel won't be held
back from a kernel upgrade and a non-building sd image, while still
having a new-kernel variant available.
2018-12-26 11:03:32 +00:00
Samuel Dionne-Riel 207210660f nixos/sd-image-aarch64: Configures it to use the default kernel 2018-12-26 11:03:32 +00:00
Frederik Rietdijk e45ca47f14 Merge staging-next into staging 2018-12-26 09:30:32 +01:00
Dmitry Kalinkin c7f26a34e8
Merge pull request #52896 from veprbl/pr/gmane_wo_net-snmp
treewide: Fix broken Gmane URLs
2018-12-25 22:55:03 -05:00
Craig Younkins 8b12b17df3
treewide: Fix broken Gmane URLs 2018-12-25 22:34:55 -05:00
worldofpeace c1599d29d9 gcr: rename from gnome3.gcr 2018-12-25 20:14:28 -05:00
worldofpeace 3f6c81da4d
Merge pull request #52592 from worldofpeace/geoclue/correct-sysconf
geoclue2: correct sysconfdir
2018-12-25 19:03:22 -05:00
worldofpeace c65edd687f geoclue2: correct sysconfdir 2018-12-25 18:38:19 -05:00
Jan Tojnar c45e9d0fac
Merge branch 'master' into staging 2018-12-25 17:03:57 +01:00
Alexander Krupenkin 2f0c495c31
lib/make-ext4-fs: more efficient store maker 2018-12-24 23:21:15 +03:00
Sander van der Burg a27aa247c0
Merge pull request #50596 from svanderburg/mobile-updates
Mobile updates
2018-12-24 15:52:33 +01:00
Jan Tojnar ef935fa101
Merge branch 'master' into staging 2018-12-24 15:02:29 +01:00
zimbatm d06f798ce7
Merge pull request #51566 from adisbladis/google-oslogin
GCE OSLogin module: init
2018-12-24 14:11:49 +01:00
msteen 8d217ede58 fix infinite recursion caused by the unnecessary inspection of options + fix is parent of mount point check (#51541) 2018-12-24 14:05:55 +01:00
Samuel Dionne-Riel 772759173d
Merge pull request #52721 from samueldr/aarch64/limited-support
Fixes eval issues in hydra by setting AArch64 as limited support
2018-12-23 13:28:22 -05:00
Jörg Thalheim 044ff3dc66
nixos/vdr: don't delete recordings 2018-12-23 18:54:39 +01:00
Jörg Thalheim 633bc1d09b
Merge pull request #52686 from Mic92/vdr
vdr: revisited version of https://github.com/NixOS/nixpkgs/pull/32050
2018-12-23 16:19:27 +01:00
Emery Hemingway 124d8ccc69
Add IPFS warning 2018-12-22 20:04:19 +01:00
Jörg Thalheim 45986ec587
nixos/vdr: create video directory automatically 2018-12-22 15:13:35 +01:00
Christian Kögler dd3f755cf4
vdr: initial at 2.4.0 and nixos module
used same plugin mechanism as kodi does
2018-12-22 15:13:25 +01:00
worldofpeace 94af8ebde2 nixos/displayManager: only install wayland sessions if they exist in extraSessionFilePackages
Not everyone is using wayland just yet.
2018-12-22 01:15:09 -05:00
Samuel Dionne-Riel 1bfe8f189b nixos/release-combined.nix: makes aarch64-linux limited support
This is because it will not eval properly with `hydra-eval-jobs`.

```
$ ...hydra/result/bin/hydra-eval-jobs \
    --arg nixpkgs '{ outPath = ./.; revCount = 123; shortRev = "4567"; }' \
    -I "$PWD" \
    nixos/release-combined.nix
```

It fails with:

```
Too many heap sections: Increase MAXHINCR or MAX_HEAP_SECTS
```
2018-12-21 20:43:23 -05:00
Samuel Dionne-Riel 16316a1288 nixos/release-combined.nix: Adds missing aarch64 constituents
This will block channel advancing, even if it is limited support.
2018-12-21 20:28:04 -05:00
Florian Klink 3539f3875a release-notes/rl-1903: add security.googleOsLogin 2018-12-21 18:01:36 +01:00
Florian Klink 706efadcb6 nixos/modules/virtualisation/google-compute-config.nix: remove google-accounts-daemon
Use googleOsLogin for login instead.
This allows setting users.mutableUsers back to false, and to strip the
security.sudo.extraConfig.

security.sudo.enable is default anyhow, so we can remove that as well.
2018-12-21 17:52:37 +01:00
Florian Klink 0f46188ca1 nixos/tests: add google-oslogin test 2018-12-21 17:52:37 +01:00
Florian Klink 04f3562fc4 config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-21 17:52:37 +01:00
Florian Klink c6de45c0d7 config.security.googleOsLogin: add module
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
profile during ssh authentication phase.
NSS Module to provide user and group information
PAM Module for the sshd service, providing authorization and
authentication support, allowing the system to use data stored in
Google Cloud IAM permissions to control both, the ability to log into
an instance, and to perform operations as root (sudo).
2018-12-21 17:52:37 +01:00
Florian Klink be5ad774bf security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication) 2018-12-21 17:52:37 +01:00
Florian Klink d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing it's 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Samuel Dionne-Riel 3c38cc8058
Merge pull request #51813 from samueldr/aarch64/disable-non-arm-builds-part-1
aarch64: ZHF for aarch64 (1/??)
2018-12-20 21:06:52 -05:00
Samuel Dionne-Riel 7b2b5b3f47
Merge pull request #52534 from samueldr/aarch64/supported
nixos/release-combined: adds aarch64-linux as supported
2018-12-20 20:58:59 -05:00
Sander van der Burg e37f0454ac Remove relatedPackages to fix ofborg evaluation 2018-12-20 19:29:00 +01:00
Maximilian Bosch 87ebc2ad0b
Merge pull request #52345 from r-ryantm/auto-update/clickhouse
clickhouse: 18.14.9 -> 18.14.18
2018-12-20 18:48:37 +01:00
Jörg Thalheim 2dd13d4ba0 nixos/glusterfs: remove unused PYTHONPATH
this directory does not exists
2018-12-20 14:54:56 +00:00
Michael Raskin ede54f9144
Merge pull request #52379 from erikarvstedt/tesseract
Major tesseract improvements
2018-12-20 14:41:48 +00:00
Maximilian Bosch 64d05bbdd2
clickhouse: fix module and package runtime
Although the package itself builds fine, the module fails because it
tries to log into a non-existant file in `/var/log` which breaks the
service. Patching to default config to log to stdout by default fixes
the issue. Additionally this is the better solution as NixOS heavily
relies on systemd (and thus journald) for logging.

Also, the runtime relies on `/etc/localtime` to start, as it's not
required by the module system we set UTC as sensitive default when using
the module.

To ensure that the service's basic functionality is available, a simple
NixOS test has been added.
2018-12-20 13:03:41 +01:00
Jeremy Apthorp 654c3124b2
shairport-sync: don't daemonize
This flag causes the shairport-sync server to attempt to daemonize, but it looks like systemd is already handling that. With the `-d` argument, shairport-sync immediately exits—it seems that something (systemd I'm guessing?) is sending it SIGINT or SIGTERM.

The [upstream systemd unit](https://github.com/mikebrady/shairport-sync/blob/master/scripts/shairport-sync.service.in#L10) doesn't pass `-d`.
2018-12-19 22:37:25 -08:00
Samuel Dionne-Riel 42e7e39cd3 nixos/release-combined.nix: Filters failing tests
And filters out JDK which can't be built on aarch64-linux.
2018-12-19 22:28:10 -05:00
Samuel Dionne-Riel 8ab5ef773b nixos/release: build iso_minimal_new_kernel for aarch64-linux too 2018-12-19 13:10:48 -05:00
Samuel Dionne-Riel 36a0c13cf3 nixos/release-combined: adds aarch64-linux as supported
This was previously removed in 74c4e30842.

This will allow hydra to build iso and sd images for aarch64-linux, and
share a common channel with the x86-based platforms.
2018-12-19 12:57:17 -05:00
Erik Arvstedt 8d1ba999cb
tesseract: rename to tesseract4, add alias
This is more consistent with the naming of the most popular versioned pkgs.
2018-12-19 18:09:56 +01:00
Matthew Bauer 92840ab944
Merge pull request #51600 from eburimu/fix/cross-extlinux-conf-builder
extlinux-conf: fix cross compilation
2018-12-19 11:01:31 -06:00
Robert Schütz 52b1973283 home-assistant-cli: init at 0.3.0 2018-12-19 15:54:28 +01:00
Frederik Rietdijk a06b90a7dc lapp: change postgresql version, fixes metrics 2018-12-19 10:04:00 +01:00
Frederik Rietdijk 9ab61ab8e2 Merge staging-next into staging 2018-12-19 09:00:36 +01:00
Maximilian Bosch 6c6341335b
nixos/test-driver: fix wording in error message about invalid node names
Since 113a6b9325 the test driver
explicitly ensures if the node names won't break the resulting Perl
script at runtime. This slightly improves the correctness of the error
message.
2018-12-18 23:46:54 +01:00
Maximilian Bosch 83fe20e57f
Merge pull request #52485 from pablode/master
nixos/oh-my-zsh: fix wrong manual information
2018-12-18 23:18:27 +01:00
Sander van der Burg 8122431953 Fix adb program module 2018-12-18 21:16:07 +01:00
volth fed7914539
Merge branch 'staging' into make-perl-pathd 2018-12-18 17:13:27 +00:00
Pablo Delgado Krämer 685c4f5608 nixos/oh-my-zsh: fix wrong manual information
Manual still refers to 'programs.ohMyZsh' although it should be 'programs.zsh.ohMyZsh'.
2018-12-18 14:31:35 +01:00
Jörg Thalheim f2180a5367
Merge pull request #52458 from tadfisher/emacs-bash-prompt
nixos/bash: Fix prompt regression in Emacs term mode
2018-12-18 09:19:48 +00:00
markuskowa 5289fcc422
Merge pull request #47297 from greydot/bladerf
Introduce hardware/bladeRF module
2018-12-18 09:29:32 +01:00
Lana Black 7112cd8822 nixos/hardware/bladeRF: init at 2.0.2
This allows to easily enable bladerf-related udev rules with nixos
configuration.
2018-12-18 08:11:18 +00:00
Franz Pletz 670c5ac8ef
Merge pull request #46806 from Ma27/disallow-dash-separators-in-machine-declarations
nixos/testing: disallow special chars in machine names in network expressions
2018-12-18 01:03:34 +00:00
Maximilian Bosch 113a6b9325
nixos/testing: disallow special chars in machine names in network expressions
These names are referenced by Perl variables inside the testing
frameworks which don't allow chars like `-` as character inside. An exemplary
expression may look like this:

```
{
  x11-vm = {
    services.xserver.enable = true;
  };
}
```

This expression evaluates, e.g. when running `nixos-build-vms`, but when
trying to run `./result/bin/nixos-run-vms`, an error like this occurs:

```
starting VDE switch for network 1
running the VM test script
error: Can't modify subtraction (-) in scalar assignment at (eval 17) line 1, at EOF
Bareword "test" not allowed while "strict subs" in use at (eval 17) line 1.
Can't modify subtraction (-) in scalar assignment at (eval 17) line 1, at EOF
Bareword "test" not allowed while "strict subs" in use at (eval 17) line 1.
vde_switch: EOF on stdin, cleaning up and exiting
cleaning up
```

This can be very confusing for beginners, this change breaks evaluation
if such names are used for machines.
2018-12-18 01:58:56 +01:00
Samuel Dionne-Riel 321d48d5db
Merge pull request #51397 from samueldr/feature/aarch64-uefi
installer: Adds AArch64 UEFI installer support. (Work towards SBBR and EBBR support)
2018-12-17 18:56:57 -05:00
Tad Fisher b4b67177b5 nixos/bash: Fix prompt regression in Emacs term mode 2018-12-17 15:42:41 -08:00
Michael Peyton Jones f64bc036a5
nixos: add XDG sounds module 2018-12-18 00:32:13 +01:00
Jan Tojnar aacb244889
Merge pull request #51520 from michaelpj/imp/appstream
nixos: add AppStream module
2018-12-18 00:27:23 +01:00
Franz Pletz 58db4c1a7e
Revert "nixos/tests: add clamav test"
This reverts commit 6433f3b13b.

Fixes #52446.
2018-12-17 19:24:44 +01:00
Silvan Mosberger 9673380261
Merge pull request #52168 from cdepillabout/add-bluezFull-package
Add bluez full package
2018-12-17 03:01:49 +01:00
Satoshi Shishiku 5a93f6149a
prosody service: set cafile
Fix s2s_secure_auth.
2018-12-17 01:01:41 +01:00
Jan Tojnar aead6e12f9
Merge remote-tracking branch 'upstream/master' into staging 2018-12-16 22:55:06 +01:00
Florian Klink a9eae44ee5 gitlab: run test with 4096 bits if on 64bit, else the the maximum for 32bit 2018-12-16 19:47:35 +01:00
Franz Pletz 6433f3b13b
nixos/tests: add clamav test 2018-12-16 19:04:07 +01:00
Florian Klink 91c65721f7 owncloud: remove server
pkgs.owncloud still pointed to owncloud 7.0.15 (from May 13 2016)

Last owncloud server update in nixpkgs was in Jun 2016.
At the same time Nextcloud forked away from it, indicating users
switched over to that.

cc @matej (original maintainer)
2018-12-16 15:05:53 +01:00
Florian Klink 50500219af apache-httpd/limesurvey.nix: fix copypasta from owncloud 2018-12-16 15:05:53 +01:00
Johan Thomsen d2048b0d7e nixos/kubernetes: don't enable all alpha feature gates for the test cases 2018-12-16 13:41:48 +01:00
Florian Klink 34d45007e2
Merge pull request #51053 from Ma27/draft-nextcloud-module-docs
nixos/nextcloud: add basic module documentation and warn about current upgrading issues
2018-12-16 12:16:47 +01:00
Rickard Nilsson b20fcce195 nixos/nm-setup-hostsdir: RemainAfterExist -> RemainAfterExit 2018-12-15 08:33:28 +01:00
(cdep)illabout 9039cc3f28
Add explanation of using the bluezFull package in nixos documentation. 2018-12-15 14:49:41 +09:00
volth bb9557eb7c lib.makePerlPath -> perlPackages.makePerlPath 2018-12-15 03:50:31 +00:00
Florian Klink da6a3271bb
Merge pull request #51624 from dasJ/slapd-log
nixos/openldap: Support configuring the log level
2018-12-14 11:12:43 +01:00
Elis Hirwing 6fa51fe5cf
nixos/lightdm: Fix spelling of option in docs 2018-12-13 22:26:12 +01:00
Elis Hirwing c974813b92
nixos/sddm: Fix spelling of option in docs 2018-12-13 22:25:19 +01:00
Bas van Dijk 5d970e740e pythonPackages.elasticsearch-curator: 5.5.4 -> 5.6.0 2018-12-13 20:58:58 +01:00
Janne Heß 3c54d6b2f8 nixos/openldap: Support configuring the log level 2018-12-13 15:14:59 +01:00
Renaud 562b7a7702
Merge pull request #51922 from hedning/fix-xmonad-test
nixos/tests/xmonad: fix terminal title
2018-12-13 14:02:23 +01:00
Sarah Brofeldt 7a57774158
Merge pull request #51938 from johanot/nixos-kubernetes-test-fix
nixos/kubernetes: fix import path of default nixpkgs
2018-12-13 13:05:25 +01:00
Samuel Dionne-Riel ad27b068d7 installer: Adds AArch64 UEFI installer support. 2018-12-12 19:26:34 -05:00
Jörg Thalheim 5feba458a2
Merge pull request #50316 from arianvp/fix-dynamic-user
Disable nscd caching
2018-12-12 23:18:09 +00:00
Tor Hedin Brønner d776b224da nixos/tests/xmonad: fix terminal title
bash now sets a different title.
2018-12-12 21:30:47 +01:00
Johan Thomsen 1a00b86334 nixos/kubernetes: fix import path of default nixpkgs 2018-12-12 21:30:32 +01:00
Svein Ove Aas 4e5b365644
nvidia: Improve assertion documentation 2018-12-12 15:25:39 +00:00
Arian van Putten 1d5f4cbb78 nixos/nscd: Add a descriptive comment to the nscd configuration 2018-12-12 15:35:46 +01:00
Arian van Putten ef6ed03e2f nixos/nscd: Address doc feedback 2018-12-12 15:35:40 +01:00
Arian van Putten a74619c1ae nixos/nscd: also add netgroup to the config
It was the last database that wasn't listed.
2018-12-12 15:35:40 +01:00
Arian van Putten de76c16f9c nixos/nscd: Merge nscd and sssd-nscd config 2018-12-12 15:35:40 +01:00
Arian van Putten 335b41b3fb nixos/nscd: Add release note entry about nscd changes 2018-12-12 15:35:40 +01:00
Arian van Putten 99d3279952 nixos/nscd: Disable negative caching of hosts
Hopefully fixes #50290
2018-12-12 15:35:40 +01:00
Arian van Putten e712417936 nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.

When a DynamicUser creation is performed, Systemd check beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.

However, by checking whether the user exists,  nscd will store
the fact that the user does not exist in it's negative cache.
When the service tries to lookup what user is associated to its
uid (By calling whoami, for example), it will try to consult
libnss_systemd.so However this will read from the cache and tell
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time.  If the service
doesn't immediately looks up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.

Preferably, we would not be using nscd at all. But we need to
use it because glibc reads  nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH.  Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config.
we can load nss modules in a pure fashion.

However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)

Because nscd caching is now also interferring with libnss_systemd.so
and probably also with other nsss modules, lets just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts ans services lookups.

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls  to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

Fixes #50273
2018-12-12 15:35:40 +01:00
Arian van Putten eb88005130 nixos/systemd: Add a regression test for #50273 2018-12-12 15:35:39 +01:00
Vladimír Čunát ad3e9191d1
nixos/nvidia: improve the assertion again
/cc ac19d5e34 #51836.
2018-12-12 00:26:09 +01:00
Benjamin Staffin 1181d6153e
logind: make killUserProcesses an option (#51426)
Right now it's not at all obvious that one can override this option
using `services.logind.extraConfig`; we might as well add an option
for `killUserProcesses` directly so it's clear and documented.
2018-12-11 16:51:16 -05:00
Vladimír Čunát ac19d5e34f
Merge #51836: nixos/nvidia: fix inverted assertion 2018-12-11 21:41:20 +01:00
Kai Wohlfahrt 337bc20e5f kerberos: Add tests/kerberos to release.nix 2018-12-11 13:33:10 +00:00
Kai Wohlfahrt ade842f51a kerberos: move user binaries to default output
The intention of the previous change was to move krb5-config to .dev (it
gives the locations of headers), but it grabbed all of the user-facing
binaries too. This puts them back.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt d752677b1b kerberos: explicitly install krb5Full.dev for tests
This contains all of the user binaries as of 13e6a5c.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt f5b4918de4 kerberos_server: ensure only one realm configured
Leave options for multiple realms for similarity to krb5, and future
expansion. Currently not tested because I can't make it work and don't need
it.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt 4e4a599e7e kerberos_server: Keep ACL file in store
Could also move kdc.conf, but this makes it inconvenient to use command line
utilities with heimdal, as it would require specifying --config-file with every
command.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt 6cca9c0f9f kerberos-server: add kerberos option
Allow switching out kerberos server implementation.

Sharing config is probably sensible, but implementation is different enough to
be worth splitting into two files. Not sure this is the correct way to split an
implementation, but it works for now.

Uses the switch from config.krb5 to select implementation.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt fe8f2b8813 kerberos-server: switch to ExecStart
script causes problems for forking services like MIT Kerberos.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt 4f9af77287 kerberos-server: cleanup of kerberos.nix
General cleanup before adding more options.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt ee3bd730d4 kerberos-server: move kadmind to systemd
Don't use socket activation, as inetd is discouraged by heimdal documentation.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt dfdd348206 kerberos-server: Fix sbin paths
tcpd doesn't have sbin anymore (so it was broken), and heimdal just symlinks to
bin.
2018-12-11 13:33:10 +00:00
Jappie Klooster e576c3b385 doc: Fix insecure nginx docs (#51840) 2018-12-11 11:02:56 +00:00
markuskowa 9fba490258
Merge pull request #50862 from markuskowa/fix-slurm-module
nixos/slurm: set slurmd KillMode and add extraConfigPaths
2018-12-11 00:45:47 +01:00
Samuel Dionne-Riel abcb25bd8d aerospike: Disables build on aarch64
The issue with its inclusion in the manual has been side-stepped by
matching on the platforms in supports.
2018-12-10 14:55:19 -05:00
Andrew Childs f2332809fd nixos/nvidia: fix inverted assertion 2018-12-11 02:04:10 +09:00
Tor Hedin Brønner 59d1fb6151
Merge pull request #44497 from hedning/gnome-upstream-wayland
Add gnome wayland support
2018-12-10 16:53:27 +01:00
Tim Steinbach 97ad321e42
zsh-autosuggestions: Fix module for 0.5.0
The update for zsh-autosuggestions in #51752 broke the module.
This fix reflects the required changes.
2018-12-10 10:11:33 -05:00
Vladimír Čunát 3946d83a3c
nixos tests: disable kafka for now
They consistently fail since openjdk bump with some out-of-space errors.
That's not a problem by itself, but each test instance ties a build slot
for many hours and consequently they also delay channels as those wait
for all builds to finish.

Feel free to re-enable when fixed, of course.
2018-12-10 13:19:00 +01:00
Tor Hedin Brønner 75e223bf7a nixos/tests/gnome3-gdm: port to wayland
The test now runs wayland, which means we can no longer use X11 style testing.
Instead we get gnome shell to execute javascript through its dbus interface.
2018-12-10 10:36:25 +01:00
Tor Hedin Brønner 116c16d9e2 nixos/tests/gnome3: select X11 gnome shell explicitely
This isn't strictly necessary yet as LightDM doesn't read the wayland sessions,
but there's no harm in being explicit.
2018-12-10 10:36:25 +01:00
Tor Hedin Brønner 3c0e70402f nixos/displayManager: Note that sessionCommands aren't run on Wayland 2018-12-10 10:36:25 +01:00
Tor Hedin Brønner cdd266c73b nixos/gnome3: Implement sessionPath through environment.extraInit
This will simply make the `sessionPath` more likely to work.
2018-12-10 10:36:25 +01:00
Tor Hedin Brønner 48a9a24910 nixos/sddm: Enable wayland-sessions
LightDM is unable to separate between `wayland-sessions/gnome.desktop` and
`xsessions/gnome.desktop` so I ommitted adding this to LightDM.
2018-12-10 10:36:24 +01:00
markuskowa c362f98ba0
Merge pull request #51791 from dotlambda/borgbackup-1.1.8
borgbackup: 1.1.7 -> 1.1.8
2018-12-09 22:34:02 +01:00
Tor Hedin Brønner 80fdafb373 nixos/tests/gnome3: fix terminal title
The tests passes, but that's just because a race condition where the window is
titled `Terminal` long enough.
2018-12-09 19:27:06 +01:00
Tor Hedin Brønner 373be8207a nixos/tests/i3wm: fix terminal title
Probably due to #51678 which makes bash set the terminal title.
2018-12-09 18:29:51 +01:00
Robert Schütz 3cbf18f32b nixos/tests/borgbackup: test borg mount 2018-12-09 18:17:27 +01:00
Markus Kowalewski 8eee1ec2a9
tests/slurm: wait for open DBD port
This makes tests more reliable. It seems
that waitForUnit(slurmdbd.service) is not sufficient
on some systems.
2018-12-09 13:36:53 +01:00
Tor Hedin Brønner 9895ce24b4 nixos/displayManager: Install wayland sessions from extraSessionFilePackages 2018-12-09 11:04:42 +01:00
Yegor Timoshenko 5c685feca1
Merge pull request #51678 from NixOS/yegortimoshenko-patch-1
nixos/bash: set title in PS1
2018-12-08 21:35:05 +03:00
markuskowa 9a7ce7d69a
Merge pull request #51728 from ck3d/fix-lirc-runtime-owner-ship
nixos lirc: fix owner-ship of runtime directory
2018-12-08 18:08:14 +01:00
Jörg Thalheim 91a7848fe2
nixos/release-notes: mention removal of quassel-webserver 2018-12-08 16:31:28 +00:00
Jörg Thalheim da4e257fce
Merge pull request #51670 from Mic92/quassel-webserver
quassel-webserver: remove
2018-12-08 16:26:45 +00:00
Frederik Rietdijk 3e950d584c Merge staging-next into master 2018-12-08 16:29:21 +01:00
markuskowa 86d80a7b78
Merge pull request #51583 from WilliButz/grafana-update
grafana: 5.3.4 -> 5.4.0
2018-12-08 15:42:15 +01:00
Renaud 53218d4a39
nixos/systemd-nspawn: accept all Exec and Files options
See: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html
Closes #49712
2018-12-08 14:41:37 +01:00
Christian Kögler 4bb55815be nixos lirc: fix owner-ship of runtime directory 2018-12-08 14:37:02 +01:00
Frederik Rietdijk e0950ae9ad Merge master into staging-next 2018-12-08 12:40:13 +01:00
Graham Christensen ca3f089a83
Merge pull request #51314 from Izorkin/mariadb-my.cnf
mariadb: change location configuration file to /etc/my.cnf
2018-12-07 15:37:53 -05:00
Yegor Timoshenko d53077b20c
nixos/bash: set title in PS1 2018-12-07 22:42:55 +03:00
Jörg Thalheim 40c8969b4c
quassel-webserver: remove
Package is broken and the original maintainer does not respond.
Unless someone wants to pick it up, I propose the removal.

fixes #51614
2018-12-07 16:46:36 +00:00
Frederik Rietdijk 5f554279ec Merge master into staging-next 2018-12-07 15:22:35 +01:00
Jean-Philippe Braun 764f16461b test: set machines fqdn in /etc/hosts 2018-12-07 14:22:21 +01:00
Renaud 0eb2f4b5f5
Merge pull request #50809 from sorki/wireguard_containers_wont_modprobe
wireguard: don't modprobe if boot.isContainer is set
2018-12-07 11:06:28 +01:00
lewo f7e67be1dc
Merge pull request #51528 from grahamc/buildImage-on-layered-image
dockertools buildImage: support new-style image specs
2018-12-07 09:44:58 +01:00
aszlig 776f084cf1
nixos/tests: Fix wrong arch in runInMachine test
Since 83b27f60ce, the tests were moved
into all-tests.nix and some of the tooling has changed so that
subattributes of test expressions are now recursively evaluated until a
derivation with a .test attribute has been found.

Unfortunately this isn't the case for all of the tests and the
runInMachine doesn't use the makeTest function other tests are using but
instead uses runInMachine, which doesn't generate a .test attribute.

Whener a .test attribute wasn't found by the new handleTest function, it
recurses down again until there is no value left that is an attribute
set and subsequently returns its unchanged value. This however has the
drawback that instead of getting different attributes for each
architecture we only get the last architecture in the supportedSystems
list.

In the case of the release.nix, the last architecture in
supportedSystems is "aarch64-linux", so the runInMachine test is always
built on that architecture.

In order to work around this, I changed runInMachine to emit a .test
attribute so that it looks to handleTest like it was a test created via
makeTest.

Signed-off-by: aszlig <aszlig@nix.build>
2018-12-07 05:56:53 +01:00
Peter Hoeg 728aaf4af6
Merge pull request #51622 from dotlambda/home-assistant-0.83
home-assistant: 0.82.1 -> 0.83.3
2018-12-07 09:24:16 +08:00
Samuel Dionne-Riel 70488665fa
Merge pull request #51207 from samueldr/fix/sd-image-slimming
sd-image: Slims the ext4 filesystem even more.
2018-12-06 23:35:09 +00:00
Robert Schütz b63bb15612 home-assistant: 0.82.1 -> 0.83.3 2018-12-06 14:59:27 +01:00
eburimu f17dd04f12 extlinux-conf: fix cross compilation 2018-12-06 03:42:02 +03:00
WilliButz 60eff0eecb
nixos/grafana: use new default for connMaxLifetime 2018-12-05 20:49:45 +01:00
Graham Christensen c88337c9ac
dockerTools.buildImage: support using a layered image in fromImage
Docker images used to be, essentially, a linked list of layers. Each
layer would have a tarball and a json document pointing to its parent,
and the image pointed to the top layer:

    imageA  ----> layerA
                    |
                    v
                  layerB
                    |
                    v
                  layerC

The current image spec changed this format to where the Image defined
the order and set of layers:

    imageA  ---> layerA
            |--> layerB
            `--> layerC

For backwards compatibility, docker produces images which follow both
specs: layers point to parents, and images also point to the entire
list:

    imageA  ---> layerA
            |      |
            |      v
            |--> layerB
            |      |
            |      v
            `--> layerC

This is nice for tooling which supported the older version and never
updated to support the newer format.

Our `buildImage` code only supported the old version, so in order for
`buildImage` to properly generate an image based on another image
with `fromImage`, the parent image's layers must fully support the old
mechanism.

This is not a problem in general, but is a problem with
`buildLayeredImage`.

`buildLayeredImage` creates images with newer image spec, because
individual store paths don't have a guaranteed parent layer. Including
a specific parent ID in the layer's json makes the output less likely
to cache hit when published or pulled.

This means until now, `buildLayeredImage` could not be the input to
`buildImage`.

The changes in this PR change `buildImage` to only use the layer's
manifest when locating parent IDs. This does break buildImage on
extremely old Docker images, though I do wonder how many of these
exist.

This work has been sponsored by Target.
2018-12-05 14:25:54 -05:00
Jean-Philippe Braun 691932bba6 cassandra: add option to configure logging
As cassandra start script hardcodes the location of logback
configuration to `CASSANDRA_CONF_DIR/logback.xml` there is no way to
pass an alternate file via `$JVM_OPTS` for example.

Also, without logback configuration DEBUG level is used which is not
necessary for standard usage.

With this commit a default logback configuration is set with log level
INFO.

Configuration borrowed from:
https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/configLoggingLevels.html
2018-12-05 15:17:37 +01:00
Pierre Bourdon 3873f43fc3 prometheus/exporters: fix regression in DynamicUser behavior
Instead of setting User/Group only when DynamicUser is disabled, the
previous version of the code set it only when it was enabled. This
caused services with DynamicUser enabled to actually run as nobody, and
services without DynamicUser enabled to run as root.

Regression from fbb7e0c82f.
2018-12-05 11:26:38 +01:00
Pierre Bourdon 199b4c4743 prometheus/exporters/tor: make CPython happy by defining $HOME 2018-12-05 11:26:38 +01:00
Florian Klink 5c82aa8854 pkgsi686Linux.nixosTests.gitlab: fix 32 bit tests
GitLab 11.5.1 dropped the dependency to posix_spawn, which is broken on
32bit. (See https://gitlab.com/gitlab-org/gitlab-ce/issues/53525)

The only part missing is decreasing virtualisation.memorySize to
something that a 32 bit qemu still executes.

The maximum seems to be 2047, and tests passed with that value for me.
2018-12-05 10:47:18 +01:00
Austin Seipp 2a22554092 nixos/cockroachdb: simplify dataDir management, tweaks
This cleans up the CockroachDB expression, with a few suggestions from
@aszlig.

However, it brought up the note of using systemd's StateDirectory=
directive, which is a nice feature for managing long-term data files,
especially for UID/GID assigned services. However, it can only manage
directories under /var/lib (for global services), so it has to introduce
a special path to make use of it at all in the case someone wants a path
at a different root.

While the dataDir directive at the NixOS level is _occasionally_ useful,
I've gone ahead and removed it for now, as this expression is so new,
and it makes the expression cleaner, while other kinks can be worked out
and people can test drive it.

CockroachDB's dataDir directive, instead, has been replaced with
systemd's StateDirectory management to place the data under
/var/lib/cockroachdb for all uses.

There's an included RequiresMountsFor= clause like usual though, so if
people want dependencies for any kind of mounted device at boot
time/before database startup, it's easy to specify using their own
mount/filesystems clause.

This can also be reverted if necessary, but, we can see if anyone ever
actually wants that later on before doing it -- it's a backwards
compatible change, anyway.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-04 19:44:16 -06:00
Florian Klink 0834e98ece
Merge pull request #51393 from arianvp/container-names
nixos/containers: Add assertion for container name length
2018-12-05 01:25:16 +01:00
Tim Steinbach 16f42b3694 kafka: Add 2.1 2018-12-05 00:06:07 +00:00
Tim Steinbach 7c5d43f4f5 kafka: Add test for 2.0 2018-12-05 00:06:07 +00:00
Michael Peyton Jones 656b74f021
nixos: add AppStream module 2018-12-04 20:26:25 +00:00
Jörg Thalheim 7dbb64aca4
Merge pull request #51493 from marsam/feature/docs-remove-nix-repl-references
docs: Remove nix-repl references
2018-12-04 10:53:09 +00:00
Renaud 68b17ada12
Merge pull request #51475 from redvers/update/mediawiki
mediawiki: 1.29.1 -> 1.31.1
2018-12-04 08:06:57 +01:00
Mario Rodas f1dd6faaaa
docs: Remove nix-repl references
nix-repl has been deprecated
2018-12-03 21:37:54 -05:00
Jörg Thalheim 958d8e625e
Merge pull request #49392 from uvNikita/nixos/containers/veths
nixos/containers: don't create veths if not configured
2018-12-03 23:44:50 +00:00
Red Davies 4173b845ca mediawiki: 1.29.1 -> 1.31.1
1.29.1 is out of support and has security vulnerabilities. 1.31.1 is current LTS.
2018-12-03 21:04:08 +00:00
Bjørn Forsman bb94d419fb nixos/jenkins-job-builder: add accessTokenFile option
The new option allows storing the secret access token outside the world
readable Nix store.
2018-12-03 17:07:29 +01:00
Bjørn Forsman 8ebfd5c45c nixos/jenkins-job-builder: stop reloadScript on error
Currently there are two calls to curl in the reloadScript, neither which
check for errors. If something is misconfigured (like wrong authToken),
the only trace that something wrong happened is this log message:

  Asking Jenkins to reload config
  <h1>Bad Message 400</h1><pre>reason: Illegal character VCHAR='<'</pre>

The service isn't marked as failed, so it's easy to miss.

Fix it by passing --fail to curl.

While at it:
* Add $curl_opts and $jenkins_url variables to keep the curl command
  lines DRY.
* Add --show-error to curl to show short error message explanation when
  things go wrong (like HTTP 401 error).
* Lower-case the $CRUMB variable as upper case is for exported environment
  variables.

The new behaviour, when having wrong accessToken:

  Asking Jenkins to reload config
  curl: (22) The requested URL returned error: 401

And the service is clearly marked as failed in `systemctl --failed`.
2018-12-03 17:07:29 +01:00
Frederik Rietdijk a510aa2672 Merge master into staging-next 2018-12-03 12:18:43 +01:00
Piotr Bogdan 9ca3414e05 nixos/cockroachdb: supply defaultText for the package option 2018-12-02 20:50:57 -06:00
Austin Seipp 4594b18070 nixos/chrony: fix misplaced ConditionCapability= directive
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-02 20:32:47 -06:00
Michael Weiss fa5b8f82c5
Merge pull request #51316 from primeos/sway
nixos/sway-beta: Improve the wrapper
2018-12-02 22:03:31 +01:00
Izorkin 953be3e283 mariadb: change location configuration file to /etc/my.cnf 2018-12-02 22:15:02 +03:00
Silvan Mosberger 4afae70e2b
Merge pull request #48423 from charles-dyfis-net/bees
bees: init at 0.6.1; nixos/modules: services.bees init
2018-12-02 18:38:47 +01:00
Jörg Thalheim 50071c4475
Revert "nixos/luksroot: Check whether the device already exists"
This reverts commit 9cd4ce98bf.

This might be broken for some people: https://github.com/NixOS/nixpkgs/pull/50281#issuecomment-443516289
2018-12-02 17:27:35 +00:00
markuskowa 506d4c7e44
Merge pull request #51329 from c0bw3b/cleanup/gnu-https
Favor HTTPS URLs - the GNU edition
2018-12-02 16:52:33 +01:00
c0bw3b 0498ccd076 Treewide: use HTTPS on GNU domains
HTTP -> HTTPS for :
- http://gnu.org/
- http://www.gnu.org/
- http://elpa.gnu.org/
- http://lists.gnu.org/
- http://gcc.gnu.org/
- http://ftp.gnu.org/ (except in fetchurl mirrors)
- http://bugs.gnu.org/
2018-12-02 15:51:59 +01:00
Arian van Putten bf102825ef nixos/containers: Add assertion for container name length
When privateNetwork is enabled, currently the container's interface name
is derived from the container name. However, there's a hard limit
on the size of interface names. To avoid conflicts and other issues,
we set a limit on the container name when privateNetwork is enabled.

Fixes #38509
2018-12-02 15:26:39 +01:00
Bas van Dijk 7035598251
Merge pull request #51225 from LumiGuide/elk-6.5.1
elk: 6.3.2 -> 6.5.1
2018-12-02 14:44:47 +01:00
Jörg Thalheim 31f67bed5b
Merge pull request #51379 from Gerschtli/add/programs-nm-applet
nixos/nm-applet: add nm-applet program
2018-12-02 11:49:45 +00:00
Jan Tojnar a51a99c690
gobject-introspection: rename package
camelCase package name was a huge inconsistency in GNOME package set.
2018-12-02 12:42:29 +01:00
Jörg Thalheim b3662053b3
nixos/nm-applet: make the module smaller
more readable imho
2018-12-02 11:38:47 +00:00
Tobias Happ 95cbb71abe nixos/nm-applet: add nm-applet program 2018-12-02 12:18:47 +01:00
John Boehr 4226ddc034 nixos/cockroachdb: create new service
This also includes a full end-to-end CockroachDB clustering test to
ensure everything basically works. However, this test is not currently
enabled by default, though it can be run manually. See the included
comments in the test for more information.

Closes #51306. Closes #38665.

Co-authored-by: Austin Seipp <aseipp@pobox.com>
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-01 19:07:49 -06:00
Janne Heß 9cd4ce98bf nixos/luksroot: Check whether the device already exists
The new reuse behaviour is cool and really useful but it breaks one of
my use cases. When using kexec, I have a script which will unlock the
disks in my initrd. However, do_open_passphrase will fail if the disk is
already unlocked.
2018-12-01 23:42:51 +01:00
Renaud 947be9e992
Merge pull request #51199 from samueldr/fix/iso-image-fat32
iso-image: Verifies the FAT partition at build.
2018-12-01 16:14:55 +01:00
Michael Weiss 062602d81e nixos/sway-beta: Improve the wrapper
According to the dbus-launch documentation [0] "--exit-with-session"
shouldn't be used: "This option is not recommended, since it will
consume input from the terminal where it was started; it is mainly
provided for backwards compatibility." And it also states: "To start a
D-Bus session within a text-mode session, do not use dbus-launch.
Instead, see dbus-run-session(1)."

The new wrapper also avoids starting an additional D-Bus session if
DBUS_SESSION_BUS_ADDRESS is already set.

Fix #51303.

[0]: https://dbus.freedesktop.org/doc/dbus-launch.1.html
[1]: https://dbus.freedesktop.org/doc/dbus-run-session.1.html
2018-12-01 15:15:27 +01:00
Bas van Dijk fbf0efc6a7 elk: 6.3.2 -> 6.5.1 2018-12-01 12:47:12 +01:00
Austin Seipp ee14496ae2 nixos/dhcpcd: (try to) restart chrony in the exitHook
As the comment notes, restarts/exits of dhcpcd generally require
restarting the NTP service since, if name resolution fails for a pool of
servers, the service might break itself. To be on the safe side, try
restarting Chrony in these instances, too.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-30 18:50:33 -06:00
Austin Seipp 7b8d9700e1 nixos/chrony: don't emit initstepslew when servers is empty
Setting the server list to be empty is useful e.g. for hardware-only
or virtualized reference clocks that are passed through to the system
directly. In this case, initstepslew has no effect, so don't emit it.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-30 18:50:32 -06:00
Samuel Dionne-Riel 61bdaad9a9 sd-image: Slims the ext4 filesystem even more.
This is to try and squeeze more lost space from the image, so that hydra
starts building it again.

The fsck previous to the resize2fs is required so resize2fs works.

The one afterwards is a sanity check.

Using `-M` from resize2fs will not give much saved space due to a known
(in the manual) issue.

```
[samueldr@aarch64:~/nixpkgs]$ ls -lh result-*/*/*.img
-r--r--r-- 1 root root 2.2G Jan  1  1970 result-original/sd-image/nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img
-r--r--r-- 1 root root 2.1G Jan  1  1970 result-M/sd-image/nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img
-r--r--r-- 1 root root 1.9G Jan  1  1970 result-slimmed/sd-image/nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img
```

```
[samueldr@aarch64:~/nixpkgs]$ nix path-info -S ./result-original
/nix/store/c8k9n78gylx293rjh762fr05a069kxp2-nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img   3844125000

[samueldr@aarch64:~/nixpkgs]$ nix path-info -S ./result-slimmed
/nix/store/962238skj5mnzhrsmjy23dyzmxk77sp4-nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img   3447473208
```
2018-11-30 19:11:49 -05:00
Jan Tojnar e02516db75
nixos/gnome3: enable remote desktop on wayland 2018-11-30 21:35:21 +01:00
Jan Tojnar d359635ab4
gnome3.gnome-remote-desktop: init at 0.1.6 2018-11-30 21:35:21 +01:00
Tor Hedin Brønner 2c8565a3ce
nixos/gdm: use XDG_DATA_DIRS to find sessions
Gdm now searches for session files in XDG_DATA_DIRS so we no longer need the
sessions_dir.patch.
2018-11-30 21:34:47 +01:00
Edmund Wu ea1be31262
nvidia: expose nvidia_x11_legacy390 2018-11-30 13:58:22 -05:00
Robert Schütz 74e283403c
nixos/borgbackup: allow paths to be empty or relative (#51275)
This former necessary in order to exclusively use `--pattern` or `--patterns-from`.
Fixes #51267.
2018-11-30 17:37:50 +01:00
Florian Klink aa490a543e
Merge pull request #48049 from Vskilet/roundcube-module
nixos/roundcube: add roundcube module
2018-11-30 13:29:00 +01:00
Charles Duffy f50bfe267a
nixos.tests.bees: init 2018-11-29 20:27:47 -06:00
Charles Duffy 86db2f394c
nixos/modules: services.bees init 2018-11-29 20:27:45 -06:00