1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 21:50:55 +00:00
Commit graph

4950 commits

Author SHA1 Message Date
Tristan Helmich e48580c083 graylog service: Initial graylog service 2016-04-28 23:27:57 +02:00
Nikolay Amiantov c4440c9c74 Revert "pulseaudio: select correct outputs"
This reverts commit 5e2bb0b31c.
2016-04-28 17:06:09 +03:00
Nikolay Amiantov 5e2bb0b31c pulseaudio: select correct outputs
Original fixes by ttuegel and peterhoeg.
2016-04-28 16:45:42 +03:00
Nikolay Amiantov d619a75da1 pulseaudio: select correct outputs
Original fixes by ttuegel and peterhoeg.
2016-04-28 16:42:16 +03:00
Alexander V. Nikolaev 36954ee405 rspamd: configurable bindSocket and bindUISocket 2016-04-28 14:21:19 +03:00
Alexander V. Nikolaev 5c260399e1 rmilter: correct paths to sockets 2016-04-28 14:21:18 +03:00
Alexander V. Nikolaev c84c174eb2 rmilter: socket activation in nixos 2016-04-28 14:21:04 +03:00
Tuomas Tynkkynen de0847c731 taskserver service: Really check that it is enabled 2016-04-28 01:14:17 +03:00
Tuomas Tynkkynen 4ff8f377af Merge remote-tracking branch 'upstream/master' into staging 2016-04-28 00:13:53 +03:00
Tuomas Tynkkynen 49d1acb50f Merge pull request #14896 from elitak/rtl8723bs
rtl8723bs: improved build and split off firmware
2016-04-28 00:04:44 +03:00
Graham Christensen 56f8206b85 Update etc example to not use a real config file
A user noticed the example for `hosts`, took the `mode` permissions literally, and ended up with surprising behavior on their system. Updating the documentation to not reference a real config file which might have real permissions requirements.
2016-04-27 10:27:52 -05:00
Nikolay Amiantov e6e7c1e914 logmein-hamachi: init at 2.1.0.139, add nixos service 2016-04-27 16:15:01 +03:00
Nikolay Amiantov c5fcab987b pulseaudio service: fix service path 2016-04-27 15:51:28 +03:00
Nikolay Amiantov 21f984f590 xfce service: add noDesktop option 2016-04-27 14:59:56 +03:00
Nikolay Amiantov 7ac1ef05fa networkmanager service: fixup 2016-04-27 13:51:43 +03:00
Nikolay Amiantov 16bdef1350 bluetooth service: fix w.r.t. multiple outputs 2016-04-27 13:48:06 +03:00
Nikolay Amiantov 5a40332d70 unix-odbc-drivers module: update for new unixODBCDrivers 2016-04-26 23:58:11 +03:00
Arnold Krille 3ae8810ffa containers: test imperative and ipv4 in small-release (#15015)
Test imperative containers and declarative containers with ipv4. These two
tests are basically the extraction of the containers test from before.
2016-04-26 22:38:47 +02:00
Nikolay Amiantov 89dfbd1215 Merge commit 'refs/pull/14936/head' of git://github.com/NixOS/nixpkgs 2016-04-26 23:14:47 +03:00
Alexander Ried fc941899a3 fail2ban: rework service 2016-04-26 20:34:41 +02:00
Nikolay Amiantov 23a093ebe8 dbus service: fix path to the launch helper 2016-04-26 16:10:30 +03:00
Nikolay Amiantov dfe608c8a2 symlinkJoin: accept set as an argument with additional options 2016-04-26 15:37:42 +03:00
Thomas Tuegel c25907d072 network-manager: multiple outputs 2016-04-25 19:04:24 -05:00
Thomas Tuegel 522ed7ce76 nixos/kde5: phonon-backend-gstreamer is not optional 2016-04-25 19:04:24 -05:00
Thomas Tuegel 5896befee0 nixos/kde5: install kactivitymanagerd 2016-04-25 19:04:24 -05:00
Christoph Ruegge 769a33bedd xsession: make updating DBus environment optional 2016-04-25 23:37:18 +02:00
Arseniy Seroka fd5ed06b0d Merge pull request #14977 from jerith666/crashplan-46-r3
Crashplan: 4.6.0-r2 -> 4.6.0-r3
2016-04-25 20:38:42 +03:00
Franz Pletz e16851b900 networking module: Add some missing literalExample 2016-04-25 18:15:52 +02:00
Matt McHenry 8262d7bdd4 crashplan: always overwrite binaries in /var/lib/ to ensure that updates are applied fully 2016-04-25 12:11:50 -04:00
Nikolay Amiantov 5f19542581 Merge commit 'refs/pull/14694/head' of git://github.com/NixOS/nixpkgs into staging 2016-04-25 18:02:23 +03:00
Nikolay Amiantov 09f02b918e Merge branch 'master' of git://github.com/NixOS/nixpkgs into staging 2016-04-25 18:02:10 +03:00
Tuomas Tynkkynen 1d4b21ef42 treewide: Use correct output of config.nix.package in non-string contexts 2016-04-25 16:44:38 +02:00
Tuomas Tynkkynen 60f5659dad treewide: Use correct output in ${config.nix.package}/bin 2016-04-25 16:44:37 +02:00
Tuomas Tynkkynen bee04a37ad amazon-init.nix: Use makeBinPath
This also fixes the incorrect use of 'dev' outputs from
config.nix.package and pkgs.systemd.
2016-04-25 16:44:37 +02:00
Tuomas Tynkkynen 70f5c840af nix-daemon service: Don't have the output in the `nix.package' option
1) It unnecessarily exposes implementation details.
2) It breaks all existing configs that have e.g.
   `nix.package = pkgs.nixUnstable;`.
2016-04-25 16:44:37 +02:00
Théophane Hufschmitt 201590fd97 zerobin service : init 2016-04-25 13:18:58 +02:00
Nikolay Amiantov 5ede7d4d92 octoprint: use makeSearchPathOutput 2016-04-25 13:24:40 +03:00
Nikolay Amiantov 5ff40ddedf add get* helper functions and mass-replace manual outputs search with them 2016-04-25 13:24:39 +03:00
Nikolay Amiantov ab0a0c004e makeSearchPathOutputs: refactor to makeSearchPathOutput 2016-04-25 13:24:39 +03:00
Vladimír Čunát 7cf8daa2bb nixos: rename chroot* to sandbox*
On Nix side this was done months ago:
https://github.com/NixOS/nix/pull/682
2016-04-25 11:04:08 +02:00
Eric Litak 4c415e59a4 rtl8723bs-firmware: init, split off from rtl8723bs 2016-04-25 00:41:25 -07:00
David Guibert 23e3cbeca4 kerberos_server: fix evaluation (closes #14928) 2016-04-24 22:05:45 +02:00
Tuomas Tynkkynen 1feed61164 NixOS installer tests: Add a test using Gummiboot
Issue #14956
2016-04-24 22:05:48 +03:00
Franz Pletz 8cca66f774 Merge pull request #14018 from kampfschlaefer/feature/hostbridge_and_ipv6_for_containers
containers: hostbridge and IPv6
2016-04-24 20:33:46 +02:00
Franz Pletz 882391a162 redshift service: run as user service
Fixes #14882.
2016-04-24 19:48:10 +02:00
Al Zohali fb6ea3dead postgresql service: initialScript fixup 2016-04-23 22:28:12 +03:00
Joachim Fasting 1dde66596f Merge pull request #14915 from elitak/unifi
unifi, mfi: closure-size fix, relocatable data dir
2016-04-23 19:06:51 +02:00
Joachim Fasting 343f444dba Merge pull request #14925 from mayflower/emby-upstream
emby: init at 3.0.5930
2016-04-23 18:09:32 +02:00
Graham Christensen 788122c3c5 facetimehd: Only unload module if it is loaded
The pre-sleep service exits if any command fails. Unloading facetimehd
without it being loaded blocks subsequent commands from running.

Note: `modprobe -r` works a bit better when unloading unused modules,
and is preferrable to `rmmod`. However, the facetimehd module does not
support suspending. In this case, it seems preferable to forcefully
unload the module. `modprobe` does not support a `--force` flag when
removing, so we are left with `rmmod`.

See:
 - https://github.com/NixOS/nixpkgs/pull/14883
 - https://github.com/patjak/bcwc_pcie/wiki#known-issues
2016-04-23 09:37:01 -05:00
Vladimír Čunát a1b39b9990 cups tests: finally fix them
Fixes #14748.
2016-04-23 16:17:22 +02:00
Tristan Helmich c145f6eaa7 emby service: new service 2016-04-23 16:13:53 +02:00
Domen Kožar db179647d6 make all boot tests release critical #14902
(cherry picked from commit 9d1662c6c9)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-04-23 13:12:57 +01:00
Tuomas Tynkkynen bd18cc3cdc Merge pull request #14888 from dezgeg/pr-kill-module-init-tools
Delete all usages of module_init_tools and remove the package
2016-04-23 14:29:41 +03:00
Eric Litak 032f3e721c unifi: relocatable data dir 2016-04-22 22:43:55 -07:00
Eric Litak 86357de0c8 mfi: relocatable data dir 2016-04-22 22:43:45 -07:00
Eric Litak 08546d3a20 unifi: fix for closure-size changes 2016-04-22 22:39:28 -07:00
Vladimír Čunát e9379f7416 Merge branch 'staging'
This includes a fix to closure-size regression that moved
share/doc/*/ to share/doc/
2016-04-22 16:49:09 +02:00
Thomas Tuegel b4ff81ffd6 phonon-backend-vlc: init at 0.9.0 2016-04-22 08:11:10 -05:00
Thomas Tuegel 8b585cc9f5 phonon: 4.8.3 -> 4.9.0
- Removed phonon-backend-vlc.
- Moved qt5.phonon to kde5.phonon.
2016-04-22 07:56:02 -05:00
Evgeny Egorochkin a05ba7375d quassel: use qt4 version of the daemon because as of now qt5 version fails to use proxies(connection refused) 2016-04-22 12:59:26 +03:00
Tuomas Tynkkynen d0c127487f qemu-img: Fix module paths
They are compressed nowadays.

Not sure if these are really needed since nobody noticed they were
broken, but anyway...
2016-04-22 10:42:31 +03:00
Tuomas Tynkkynen 01854a850a treewide: Replace module_init_tools -> kmod
The former is deprecated and doesn't handle compressed kernel modules,
so all current usages of it are broken.
2016-04-22 10:40:57 +03:00
Joachim Fasting 2e7b0bbd22
hoogle service: fixups
Basic hardening
- Run as nobody:nogroup with a private /tmp, /home & /run/user
- Create working directory under /run (hoogle insists on writing to cwd
  and otherwise returns "something went wrong" to every query)

Option tweaks
- Provide a default for the haskellPackage option
- Set text values for defaults
- Move hoogleEnv to the top-level & simplify it
2016-04-22 03:58:08 +02:00
William Casarin 9c0997a0ef
hoogle service: init 2016-04-22 03:58:07 +02:00
Alexander Ried 1d6990db06 boot.loader.grub: fix variable name (#14855) 2016-04-20 22:27:34 +02:00
Eelco Dolstra 25387a1bed nixos-checkout: Remove
This command was useful when NixOS was spread across multiple
repositories, but now it's pretty pointless (and obfuscates what
happens, i.e. "git clone git://github.com/NixOS/nixpkgs.git").
2016-04-20 20:57:02 +02:00
Thomas Tuegel b3317a020e nixos/pulseaudio: don't use dev output at runtime 2016-04-20 10:01:06 -05:00
Thomas Tuegel 2780894b1b kde5.startkde: init at 5.5.5 2016-04-20 10:01:06 -05:00
obadz d946a28c55 Revert "NixOS release: Don't depend on chromium"
This reverts commit 3135af2511.

Closes #14732
2016-04-19 18:20:49 +01:00
Benjamin Staffin 850ffee9fa Merge pull request #14212 from aneeshusa/add-mosh-service
mosh service: init
2016-04-18 14:31:59 -07:00
Eelco Dolstra b4bf432709 nghttp2: 1.8.0 -> 1.9.2, unify with libnghttp2, and use multiple outputs
Note: I ignored the C++ libraries, but it appears we're not currently
using them. Once we do, we'll probably want to put them in a separate
output as well (to prevent non-C++ users from depending on Boost).
2016-04-18 21:13:18 +02:00
Eelco Dolstra 21a2f2ba3b nix: Add a "dev" output
This gets rid of boehm-dev in the closure (as well as Nix's own
headers).
2016-04-18 21:13:18 +02:00
Eelco Dolstra 0729f60697 Remove "which" from base.nix 2016-04-18 14:20:49 +02:00
Eelco Dolstra cd396076ec Revert "Revert "Remove which -> type -P alias.""
This reverts commit ddd480ac30. Gave it
some more thought.
2016-04-18 14:20:49 +02:00
Eelco Dolstra 0c5e837b66 acme.nix: Fix unit descriptions
Unit descriptions should be capitalized, and timer units don't have
to describe that they're timers.
2016-04-18 14:20:49 +02:00
Joachim Fasting 55a82158e2
Revert "nixos.tests.printing: fix"
This reverts commit 49894ac857.

Reverting in deference to https://github.com/NixOS/nixpkgs/issues/14782
2016-04-18 13:40:35 +02:00
Aneesh Agrawal 77a4bd1a58 mosh program: init 2016-04-18 06:31:11 +00:00
Joachim Fasting 49894ac857
nixos.tests.printing: fix
Two fixes:

Not really sure why removing `--fail` from the curl calls is necessary,
but with that option, curl erronously reports 404 (which it shouldn't
per my interactive vm testing).

Fix paths to example files used for the printing test

Toghether, these changes allow the test to run to completion on my machine.
2016-04-18 02:21:12 +02:00
Benjamin Staffin f06c5d5757 Merge pull request #14728 from Baughn/patch-4
zfs: Update devNodes description
2016-04-16 16:07:50 -07:00
Joachim Fasting 9de93be6cd
cups service: use cups.out everywhere
Seeing as the dev output is the default, we probably want cups.out
everywhere.
2016-04-16 21:26:33 +02:00
Eric Sagnes cfe062f2b6 input methods: fix gtk cache 2016-04-16 17:51:32 +09:00
Joachim Fasting 47330b1732
cups service: fix missing upstream systemd units caused by output splitting
Need to pass `cups.out` to `systemd.packages`, lest we end up with an invalid
generated unit containing only directives set in the service module.

This patch gives us a valid cups.service unit but, vexingly, does not fix the
test failure at NixOS/nixpkgs#14748
2016-04-16 09:47:17 +02:00
Christoph Ruegge f270af1acd xsession: Update DBus activation environment
`dbus-launch` is executed early in the script, before desktop managers
had a chance to setup the environment. If DBus activation is used,
applications launched by this may therefore lack necessary environment
variables. This patch sends the complete environment to DBus after
launching the desktop manager.
2016-04-15 21:43:42 +02:00
Svein Ove Aas f03dc59803 zfs: Update devNodes description 2016-04-15 17:25:32 +01:00
Joachim Fasting 83aae072f8
dnscrypt-proxy service: fix references to libcap & attr 2016-04-15 17:44:10 +02:00
joachifm 8b3c4348ab Merge pull request #14579 from elitak/factorio
factorio: 0.12.29 headless + server module
2016-04-15 16:14:14 +02:00
Domen Kožar 1834e72555 fix eval (explicit is better than implicit) 2016-04-15 10:39:11 +01:00
Eric Litak 13577e8785 factorio: headless server module 2016-04-14 23:03:36 -07:00
Tuomas Tynkkynen ab428dce14 stage-1: Remove doublePatchelf hack
No longer needed with the new patchelf version.
2016-04-15 01:53:34 +03:00
aszlig 1f46decba7
nixos/taskserver: Fix reference to certtool.
With the merge of the closure-size branch, most packages now have
multiple outputs. One of these packages is gnutls, so previously
everything that we needed was to reference "${gnutls}/bin/..." and now
we need to use "${gnutls.bin}/bin/...".

So it's not a very big issue to fix.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-15 00:28:57 +02:00
aszlig 9ed9e268a2
Merge pull request #14476 (taskserver)
This adds a Taskserver module along with documentation and a small
helper tool which eases managing a custom CA along with Taskserver
organisations, users and groups.

Taskserver is the server component of Taskwarrior, a TODO list
application for the command line.

The work has been started by @matthiasbeyer back in mid 2015 and I have
continued to work on it recently, so this merge contains commits from
both of us.

Thanks particularly to @nbp and @matthiasbeyer for reviewing and
suggesting improvements.

I've tested this with the new test (nixos/tests/taskserver.nix) this
branch adds and it fails because of the changes introduced by the
closure-size branch, so we need to do additional work on base of this.
2016-04-15 00:21:49 +02:00
aszlig c36d6e5964
nixos/doc: Revert allowing olinks from options
This reverts commit 1d77dcaed3.

It will be reintroduced along with #14700 as a separate branch, as
suggested by @nbp.

I added this to this branch because I thought it was a necessary
dependency, but it turns out that the build of the manual/manpages still
succeeds and merely prints a warning like this:

warning: failed to load external entity "olinkdb.xml"
Olink error: could not open target database 'olinkdb.xml'.
Error: unresolved olink: targetdoc/targetptr = 'manual/module-taskserver'.

The olink itself will be replaced by "???", so users looking at the
description of the option in question will still see the reference to
the NixOS manual, like this:

More instructions about NixOS in conjuction with Taskserver can be found
in the NixOS manual at ???.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-14 21:31:02 +02:00
aszlig 41f170f439
nixos/doc: Allow refs from options to the manual
My first attempt to do this was to just use a conditional <refsection/>
in order to not create exact references in the manpage but create the
reference in the HTML manual, as suggested by @edolstra on IRC.

Later I went on to use <olink/> to reference sections of the manual, but
in order to do that, we need to overhaul how we generate the manual and
manpages.

So, that's where we are now:

There is a new derivation called "manual-olinkdb", which is the olinkdb
for the HTML manual, which in turn creates the olinkdb.xml file and the
manual.db. The former contains the targetdoc references and the latter
the specific targetptr elements.

The reason why I included the olinkdb.xml verbatim is that first of all
the DTD is dependent on the Docbook XSL sources and the references
within the olinkdb.xml entities are relative to the current directory.

So using a store path for that would end up searching for the manual.db
directly in /nix/store/manual.db.

Unfortunately, the <olinks/> that end up in the output file are
relative, so for example if you're clicking on one of these within the
PDF, the URL is searched in the current directory.

However, the sections from the olink's text are still valid, so we could
use an alternative URL for that in the future.

The manual doesn't contain any links, so even referencing the relative
URL shouldn't do any harm.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
2016-04-14 21:24:50 +02:00
aszlig 940120a711
nixos/taskserver/doc: Improve example org name
Suggested by @nbp:

"Choose a better organization name in this example, such that it is less
confusing. Maybe something like my-company"

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-14 21:16:14 +02:00
Nikolay Amiantov cb0b0190cb syncthing service: fix mkEnableOption call 2016-04-14 17:44:02 +03:00
Nikolay Amiantov c9f2753c7b syncthing service: fix invalid conflict resolution 2016-04-14 17:38:25 +03:00
Peter Hoeg 32bc5cfa24 syncthing service: support running from systemd --user instance 2016-04-14 21:22:31 +08:00
Peter Simons acaf255687 Merge pull request #14686 from wizeman/u/fix-updatedb
nixos.locate: fix update-locatedb service failure
2016-04-14 15:17:06 +02:00
joachifm ca2e555793 Merge pull request #14646 from peterhoeg/flexget
flexget nixos module: run the service and specify configuration
2016-04-14 14:16:04 +02:00
Ricardo M. Correia f5951c55f7 nixos.locate: fix update-locatedb service failure
It was failing with a `Read-only filesystem` failure due to the systemd
service option `ReadWriteDirectories` not being correctly configured.

Fixes #14132
2016-04-14 13:51:17 +02:00
obadz 079e1c76cf Revert "dbus nixos module: add units for systemd user session"
This reverts commit 83cb6ec399.

Was breaking: nix-build '<nixos/release.nix>' -A tests.xfce.x86_64-linux
2016-04-14 12:38:36 +01:00
Eelco Dolstra 840f3230a2 Restore default core limit of 0:infinity
Continuation of 79c3c16dcb. Systemd 229
sets the default RLIMIT_CORE to infinity, causing systems to be
littered with core dumps when systemd.coredump.enable is disabled.

This restores the 15.09 soft limit of 0 and hard limit of infinity.
2016-04-14 13:18:09 +02:00
Tuomas Tynkkynen b3df6530f7 treewide: Mass replace 'sqlite}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Tuomas Tynkkynen 897e0d1224 treewide: Mass replace 'openssl}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Tuomas Tynkkynen 4d90f2d73d treewide: Mass replace 'ffmpeg}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Tuomas Tynkkynen b9eb944990 treewide: Mass replace 'dbus_daemon}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Nikolay Amiantov 8b7ebaffeb replace makeSearchPath tree-wise to take care of possible multiple outputs 2016-04-13 22:09:41 +03:00
zimbatm 04267ed630 Merge pull request #14647 from MostAwesomeDude/tahoe
Tahoe-LAFS improvements
2016-04-13 16:39:53 +01:00
Vladimír Čunát 39ebb01d6e Merge branch 'staging', containing closure-size #7701 2016-04-13 09:25:28 +02:00
Peter Hoeg 34afbea236 flexget nixos module: run the service and specify configuration
This module adds support for defining a flexget service.

Due to flexget insisting on being able to write all over where it finds
its configuration file, we use a ExecStartPre hook to copy the generated
configuration file into place under the user's home. It's fairly ugly
and I'm very open to suggestions
2016-04-13 12:08:02 +08:00
Corbin d5c9a80ccd services/tahoe: Add tub.location for specifying external IPs.
Invaluable for wiring up clouds.
2016-04-12 18:44:25 -07:00
Joachim Fasting cba5ccb67b nixos: fix incorrect rename for input-methods options
Hotfix for e6ae05dd8a
2016-04-13 02:32:53 +02:00
joachifm 852c85f547 Merge pull request #14602 from ericsagnes/doc/input-methods
input-methods: add documentation
2016-04-12 23:48:14 +02:00
Eelco Dolstra a42698d2a4 Add a regression test for #14623 2016-04-12 19:13:52 +02:00
Eelco Dolstra 9153d8ed64 Fix X11 tests broken by the removal of -ac
Probably missed a few. Also adding xauth to the system path (it was
already in the closure).
2016-04-12 19:13:47 +02:00
Eelco Dolstra 1541fa351b X server: Enable local access control
For the last ten years we have been passing -ac to the X server, which
is very bad idea.

Fixes #14623.
2016-04-12 18:39:40 +02:00
Tuomas Tynkkynen 87b49397bf installer tests: Use different package for testing nix-env -iA
Coreutils is multi-output and the `info` output doesn't seem to be
included on the install disk, failing like this (because now nix-env
wants to build coreutils):

````
machine# these derivations will be built:
machine#   /nix/store/0jk4wzg11sa6cqyw8g7w5lb35axji969-bison-3.0.4.tar.gz.drv
...
machine#   /nix/store/ybjgqwxx63l8cj1s7b8axx09wz06kxbv-coreutils-8.25.drv
machine# building path(s) ‘/nix/store/4xvdi5740vq8vlsi48lik3saz0v5jsx0-coreutils-8.25.tar.xz’
machine# downloading ‘http://ftpmirror.gnu.org/coreutils/coreutils-8.25.tar.xz’...
machine# error: unable to download ‘http://ftpmirror.gnu.org/coreutils/coreutils-8.25.tar.xz’: Couldn't resolve host name (6)
machine# builder for ‘/nix/store/5j3bc5sjr6271fnjh9gk9hrid8kgbpx3-coreutils-8.25.tar.xz.drv’ failed with exit code 1
machine# cannot build derivation ‘/nix/store/ybjgqwxx63l8cj1s7b8axx09wz06kxbv-coreutils-8.25.drv’: 1 dependencies couldn't be built
machine# error: build of ‘/nix/store/ybjgqwxx63l8cj1s7b8axx09wz06kxbv-coreutils-8.25.drv’ failed
````
2016-04-12 17:29:15 +03:00
Eric Sagnes e6ae05dd8a input-method module: fix folder case 2016-04-12 19:50:26 +09:00
Eric Sagnes de78fe8f2d manual: add chapter on input methods 2016-04-12 19:50:16 +09:00
Eelco Dolstra dddb62d3e3 Merge pull request #14178 from the-kenny/systemd-cryptsetup-external-generator
Systemd: Allow specifying external generators
2016-04-12 11:26:22 +02:00
Vladimír Čunát 5c04313451 nixos-generate-config: lower priority of nix.maxJobs
Fixes #6429.
2016-04-12 08:09:52 +02:00
aszlig 394e64e4fb
nixos/taskserver/helper: Fix docstring of add_user
We have already revamped the CLI subcommands in commit
e2383b84f8.

This was just an artifact that was left because of this.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 07:13:43 +02:00
aszlig e06dd999f7
nixos/taskserver: Fix wrong option doc references
The options client.allow and client.deny are gone since the commit
8b793d1916, so let's fix that.

No feature changes, only fixes the descriptions of allowedClientIDs and
disallowedClientIDs.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 07:03:19 +02:00
aszlig 980f557c46
nixos/taskserver: Restart service on failure
This is the recommended way for long-running services and ensures that
Taskserver will keep running until it has been stopped manually.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:43:21 +02:00
aszlig cf46256bbb
nixos/taskserver: Improve service dependencies
Using requiredBy is a bad idea for the initialisation units, because
whenever the Taskserver service is restarted the initialisation units
get restarted as well.

Also, make sure taskserver-init.service will be ordered *before*
taskserver.service.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:33:04 +02:00
aszlig bb7a819735
nixos/taskserver: Set up service namespaces
The Taskserver doesn't need access to the full /dev nor does it need a
shared /tmp. In addition, the initialisation services don't need network
access, so let's constrain them to the loopback device.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:30:05 +02:00
aszlig dd0d64afea
nixos/taskserver: Finish module documentation
Apart from the options manual, this should cover the basics for setting
up a Taskserver. I am not a native speaker so this can and (probably)
should be improved, especially the wording/grammar.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:19:59 +02:00
aszlig e2383b84f8
nixos/taskserver/helper: Improve CLI subcommands
Try to match the subcommands to act more like the subcommands from the
taskd binary and also add a subcommand to list groups.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:38:37 +02:00
aszlig ce0954020c
nixos/taskserver: Set allowedTCPPorts accordingly
As suggested by @matthiasbeyer:

"We might add a short note that this port has to be opened in the
firewall, or is this done by the service automatically?"

This commit now adds the listenPort to
networking.firewall.allowedTCPPorts as soon as the listenHost is not
"localhost".

In addition to that, this is now also documented in the listenHost
option declaration and I have removed disabling of the firewall from the
VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:16:15 +02:00
aszlig 5be76d0b55
nixos/taskserver: Reorder into one mkMerge
No changes in functionality but rather just restructuring the module
definitions to be one mkMerge, which now uses mkIf from the top-level
scope of the CA initialization service so we can better abstract
additional options we might need there.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:07:52 +02:00
aszlig 5062bf1b84
nixos/taskserver/helper: Assert CA existence
We want to make sure that the helper tool won't work if the automatic CA
wasn't properly set up. This not only avoids race conditions if the tool
is started before the actual service is running but it also fails if
something during CA setup has failed so the user can investigate what
went wrong.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:57:03 +02:00
aszlig 2ced6fcc75
nixos/taskserver: Setup CA before main service
We need to explicitly make sure the CA is created before we actually
launch the main Taskserver service in order to avoid race conditions
where the preStart phase of the main service could possibly corrupt
certificates if it would be started in parallel.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:53:53 +02:00
aszlig 9279ec732b
nixos/taskserver: Introduce an extraConfig option
This is simply to add configuration lines to the generated configuration
file. The reason why I didn't went for an attribute set is that the
taskdrc file format doesn't map very well on Nix attributes, for example
the following can be set in taskdrc:

server = somestring
server.key = anotherstring

In order to use a Nix attribute set for that, it would be way too
complicated, for example if we want to represent the mentioned example
we'd have to do something like this:

{ server._top = somestring;
  server.key = anotherstring;
}

Of course, this would work as well but nothing is more simple than just
appending raw strings.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:21:55 +02:00
aszlig 9f1e536948
nixos/taskserver: Allow to specify expiration/bits
At least this should allow for some customisation of how the
certificates and keys are created. We now have two sub-namespaces within
PKI so it should be more clear which options you have to set if you want
to either manage your own CA or let the module create it automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:14:33 +02:00
aszlig a41b109bc1
nixos/taskserver: Don't change imperative users
Whenever the nixos-taskserver tool was invoked manually for creating an
organisation/group/user we now add an empty file called .imperative to
the data directory.

During the preStart of the Taskserver service, we use process-json which
in turn now checks whether those .imperative files exist and if so, it
doesn't do anything with it.

This should now ensure that whenever there is a manually created user,
it doesn't get killed off by the declarative configuration in case it
shouldn't exist within that configuration.

In addition, we also add a small subtest to check whether this is
happening or not and fail if the imperatively created user got deleted
by process-json.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 03:42:13 +02:00
aszlig 9586795ef2
nixos/taskserver: Silence certtool everywhere
We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 02:16:35 +02:00
aszlig cfb6ce2abe
nixos/tests/taskserver: Make tests less noisy
We were putting the whole output of "nixos-taskserver export-user" from
the server to the respective client and on every such operation the
whole output was shown again in the test log.

Now we're *only* showing these details whenever a user import fails on
the client.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:49:47 +02:00
aszlig 7889fcfa41
nixos/taskserver/helper: Implement deletion
Now we finally can delete organisations, groups and users along with
certificate revocation. The new subtests now make sure that the client
certificate is also revoked (both when removing the whole organisation
and just a single user).

If we use the imperative way to add and delete users, we have to restart
the Taskserver in order for the CRL to be effective.

However, by using the declarative configuration we now get this for
free, because removing a user will also restart the service and thus its
client certificate will end up in the CRL.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:41:41 +02:00
aszlig 3008836fee
nixos/taskserver: Add a command to reload service
Unfortunately we don't have a better way to check whether the reload has
been done successfully, but at least we now *can* reload it without
figuring out the exact signal to send to the process.

Note that on reload, Taskserver will not reload the CRL file. For that
to work, a full restart needs to be done.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:04:34 +02:00
aszlig b6643102d6
nixos/taskserver: Generate a cert revocation list
If we want to revoke client certificates and want the server to actually
notice the revocation, we need to have a valid certificate revocation
list.

Right now the expiration_days is set to 10 years, but that's merely to
actually get certtool to actually generate the CRL without trying to
prompt for user input.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 23:07:58 +02:00
aszlig d0ab617974
nixos/taskserver: Constrain server cert perms
It doesn't do much harm to make the server certificate world readable,
because even though it's not accessible anymore via the file system,
someone can still get it by simply doing a TLS handshake with the
server.

So this is solely for consistency.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:59:30 +02:00
aszlig 6e10705754
nixos/taskserver: Handle declarative conf via JSON
We now no longer have the stupid --service-helper option, which silences
messages about already existing organisations, users or groups.

Instead of that option, we now have a new subcommand called
"process-json", which accepts a JSON file directly from the specified
NixOS module options and creates/deletes the users accordingly.

Note that this still has a two issues left to solve in this area:

 * Deletion is not supported yet.
 * If a user is created imperatively, the next run of process-json will
   delete it once deletion is supported.

So we need to implement deletion and a way to mark organisations, users
and groups as "imperatively managed".

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:24:58 +02:00
aszlig cf0501600a
nixos/taskserver/helper: Factor out program logic
The Click functions really are for the command line and should be solely
used for that.

What I have in mind is that instead of that crappy --service-helper
argument, we should really have a new subcommand that is expecting JSON
which is directly coming from the services.taskserver.organisations
module option.

That way we can decrease even more boilerplate and we can also ensure
that organisations, users and groups get properly deleted if they're
removed from the NixOS configuration.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:19:50 +02:00
aszlig 7875885fb2
nixos/taskserver: Link to manual within .enable
With <olink/> support in place, we can now reference the Taskserver
section within the NixOS manual, so that users reading the manpage of
configuration.nix(5) won't miss this information.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 18:45:09 +02:00
aszlig 1d77dcaed3
nixos/doc: Allow refs from options to the manual
My first attempt to do this was to just use a conditional <refsection/>
in order to not create exact references in the manpage but create the
reference in the HTML manual, as suggested by @edolstra on IRC.

Later I went on to use <olink/> to reference sections of the manual, but
in order to do that, we need to overhaul how we generate the manual and
manpages.

So, that's where we are now:

There is a new derivation called "manual-olinkdb", which is the olinkdb
for the HTML manual, which in turn creates the olinkdb.xml file and the
manual.db. The former contains the targetdoc references and the latter
the specific targetptr elements.

The reason why I included the olinkdb.xml verbatim is that first of all
the DTD is dependent on the Docbook XSL sources and the references
within the olinkdb.xml entities are relative to the current directory.

So using a store path for that would end up searching for the manual.db
directly in /nix/store/manual.db.

Unfortunately, the <olinks/> that end up in the output file are
relative, so for example if you're clicking on one of these within the
PDF, the URL is searched in the current directory.

However, the sections from the olink's text are still valid, so we could
use an alternative URL for that in the future.

The manual doesn't contain any links, so even referencing the relative
URL shouldn't do any harm.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
2016-04-11 18:38:04 +02:00
Valérian Galliat 26dc7e503d Shout: fix infinite loop in service configuration
Fixes #14594.
2016-04-11 09:58:52 -04:00
aszlig b19fdc9ec9
nixos/taskserver: Set server.crl for automatic CA
Currently, we don't handle this yet, but let's set it so that we cover
all the options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 13:38:33 +02:00
aszlig 05a7cd17fc
nixos/taskserver: Rename .pki options
We're now using .pki.server.* and .pki.ca.* so that it's entirely clear
what these keys/certificates are for. For example we had just .pki.key
before, which doesn't really tell very much about what it's for except
if you look at the option description.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 13:33:48 +02:00
aszlig 6395c87d07
nixos/taskserver: Improve doc for PKI options
The improvement here is just that we're adding a big <note/> here so
that users of these options are aware that whenever they're setting one
of these the certificates and keys are _not_ created automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:58:29 +02:00
aszlig 6df374910f
nixos/taskserver: Move .trust out of .pki
This is clearly a server configuration option and has nothing to do with
certificate creation and signing, so let's move it away from the .pki
namespace.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:47:39 +02:00
aszlig 3affead91b
nixos/taskserver: Move .pki.fqdn to .fqdn
It's not necessarily related to the PKI options, because this is also
used for setting the server address on the Taskwarrior client.

So if someone doesn't have his/her own certificates from another CA, all
options that need to be adjusted are in .pki. And if someone doesn't
want to bother with getting certificates from another CA, (s)he just
doesn't set anything in .pki.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:42:20 +02:00
aszlig 6de94e7d24
nixos/taskserver: Rename .server options to .pki
After moving out the PKI-unrelated options, let's name this a bit more
appropriate, so we can finally get rid of the taskserver.server thing.

This also moves taskserver.caCert to taskserver.pki.caCert, because that
clearly belongs to the PKI options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:38:16 +02:00
aszlig d6bd457d1f
nixos/taskserver: Rename server.{host,port}
Having an option called services.taskserver.server.host is quite
confusing because we already have "server" in the service name, so let's
first get rid of the listening options before we rename the rest of the
options in that .server attribute.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:26:34 +02:00
aszlig 636e0e552d
nixos/tests/taskserver: Test imperative users
As the nixos-taskserver command can also be used to imperatively manage
users, we need to test this as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:03:16 +02:00
aszlig 2acf8677fa
nixos/taskserver: Rewrite helper-tool in Python
In the comments of the pull request @nbp wrote:

"Why is it implemented in 3 different languages: Nix, Bash and C?"

And he's right, it doesn't make sense, because we were using C as a
runuser replacement and used Nix to generate the shellscript
boilerplates.

Writing this in Python gets rid of all of this and we also don't need
the boilerplate as well, because we're using Click to handle all the
command line stuff.

Note that this currently is a 1:1 implementation of what we had before.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:02:52 +02:00
joachifm 9c484f29ce Merge pull request #14564 from valeriangalliat/shout/config
Shout: configure with attrs
2016-04-11 09:56:10 +02:00
joachifm 245f200dd8 Merge pull request #11987 from angus-g/caddy
Add Caddy and its NixOS module
2016-04-11 09:20:21 +02:00
aszlig 85832de2e8
nixos/taskserver: Remove client.cert option
The option is solely for debugging purposes (particularly the unit tests
of the project itself) and doesn't make sense to include it in the NixOS
module options.

If people want to use this, we might want to introduce another option so
that we can insert arbitrary configuration lines.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-10 21:37:12 +02:00
aszlig c1178f171c
nixos/xserver: Use null as default for dpi option
Commit 98d9bba introduced this option as a nullOr type and it actually
checks whether null has been set and only appends -dpi if that's the
case. So let's actually set the default to null instead of 0.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-10 17:46:17 +02:00
Valérian Galliat b0d1eb4579 Shout: configure with attrs 2016-04-10 10:49:32 -04:00
Joachim Fasting cef2814a4f nixos: add optional process information hiding
This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner.  The module adds a static group "proc"
whose members are exempt from process information hiding.

Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.

To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.

Thanks to @abbradar for feedback and suggestions.
2016-04-10 12:27:06 +02:00
Vladimír Čunát 30f14243c3 Merge branch 'master' into closure-size
Comparison to master evaluations on Hydra:
  - 1255515 for nixos
  - 1255502 for nixpkgs
2016-04-10 11:17:52 +02:00
Franz Pletz b667040c7c Merge pull request #14543 from groxxda/fix/minidlna
minidlna: logging via journalctl, use systemd runtimedirectory, install manpages
2016-04-10 01:14:48 +02:00
Tuomas Tynkkynen 03c6434756 Merge pull request #14526 from Profpatsch/fish-completions
fish: pick up completion files from other packages
2016-04-09 20:08:46 +03:00
joachifm 079c03a2c9 Merge pull request #14539 from colemickens/update-plex
Plex: update plex, plexpass; fix plex module to restart
2016-04-09 18:01:58 +02:00
Brandon Edens 98d9bbaec2 Add DPI option to xserver invocation. 2016-04-08 18:53:42 -07:00
Profpatsch a011083cda fish: pick up completion files from other packages
Some packages bring their own completions in
/share/fish/vendor_completions.d. Now they are picked up by fish from
every path in NIX_PROFILES.
2016-04-09 00:08:48 +02:00
Alexander Ried 72cd570421 minidlna: use journalctl for logging, systemd for runtimedir 2016-04-08 23:04:12 +02:00
Alexander Ried 4d87926795 minidlna: use hostname in DLNA friendly name 2016-04-08 23:04:12 +02:00
Cole Mickens db9640b032 plex module: restart on failure 2016-04-08 10:55:59 -07:00
Joachim Fasting 678e1955b1 manual: delete dangling pointer to real-world NixOS configs
At some point we probably want to replace this with a curated list
of configurations or even an upstreamed repository of examples, but
for now this is just noise.

Fixes NixOS/nixpkgs#14522
2016-04-08 19:34:57 +02:00
Emery Hemingway c7379b30dc u9fs service: switch user with systemd
Drop the broken fsRoot option.
2016-04-08 16:32:30 +02:00
Moritz Ulrich e366d8294e systemd.generators: Generate folders via environment.etc. 2016-04-08 14:50:20 +02:00
Moritz Ulrich 88e2cc480f systemd.generator-packages: Option to specify packages providing generators. 2016-04-08 14:50:20 +02:00
joachifm 6d2df6d578 Merge pull request #14222 from Pleune/fix/iodined-client-mode
iodine service: add client mode implimentation
2016-04-08 02:19:32 +02:00
Eelco Dolstra 133e6e1ea6 httpd.service: Support reload
This is useful when ACME has generated a new TLS certificate.
2016-04-07 17:53:46 +02:00
Vladimír Čunát 710573ce6d Merge #12653: rework default outputs 2016-04-07 16:00:09 +02:00
Vladimír Čunát 9a824f2f1d treewide: rename extraOutputs{ToLink,ToInstall}
This is to get more consistent with `meta.outputsToInstall`.
2016-04-07 15:59:44 +02:00
Vladimír Čunát 2995439003 buildEnv: respect meta.outputsToInstall
As a result `systemPackages` now also respect it.
Only nix-env remains and that has a PR filed:
    https://github.com/NixOS/nix/pull/815
2016-04-07 15:59:44 +02:00
Thomas Tuegel 4ac323d924 kde5: enable libmtp udev rules 2016-04-07 07:44:26 -05:00
Vladimír Čunát d1df28f8e5 Merge 'staging' into closure-size
This is mainly to get the update of bootstrap tools.
Otherwise there were mysterious segfaults:
https://github.com/NixOS/nixpkgs/pull/7701#issuecomment-203389817
2016-04-07 14:40:51 +02:00
aszlig 64e566a49c
nixos/taskserver: Add module documentation
It's not by any means exhaustive, but we're still going to change the
implementation, so let's just use this as a starting point.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:26:12 +02:00
aszlig 8b793d1916
nixos/taskserver: Rename client.{allow,deny}
These values match against the client IDs only, so let's rename it to
something that actually reflects that. Having client.cert in the same
namespace also could lead to confusion, because the client.cert setting
is for the *debugging* client only.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:26:11 +02:00
aszlig 04fa5dcdb8
nixos/taskserver: Fix type/description for ciphers
Referring to the GnuTLS documentation isn't very nice if the user has to
use a search engine to find that documentation. So let's directly link
to it.

The type was "str" before, but it's actually a colon-separated string,
so if we set options in multiple modules, the result is one concatenated
string.

I know there is types.envVar, which does the same as separatedString ":"
but I found that it could confuse the reader of the Taskserver module.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:22:25 +02:00
aszlig 33f948c88b
nixos/taskserver: Fix type for client.{allow,deny}
We already document that we allow special values such as "all" and
"none", but the type doesn't represent that. So let's use an enum in
conjuction with a loeOf type so that this becomes clear.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:21:42 +02:00
Lluís Batlle i Rossell e1bcc27f1a Making trac/ldap handle httpd 2.4.
The option authzldapauthoritative had been removed in 2.4

I pushed this into 16.03 instead of master first. My fault.
(cherry picked from commit 516f47efef)
2016-04-07 11:40:22 +02:00
Angus Gibson bb6408ba16 caddy service: initial implementation 2016-04-05 23:45:54 +00:00
joachifm 97c8bf61ef Merge pull request #14474 from MatrixAI/fixed-stage1
nixos/stage-1: Removed logCommands conditional for resetting the file descriptors after completion of logging
2016-04-05 22:39:14 +02:00
aszlig 2d89617052
nixos/taskserver: Rename nixos-taskdctl
Using nixos-taskserver is more verbose but less cryptic and I think it
fits the purpose better because it can't be confused to be a wrapper
around the taskdctl command from the upstream project as
nixos-taskserver shares no commonalities with it.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 78925e4a90
nixos/taskserver: Factor out nixos-taskdctl
With a cluttered up module source it's really a pain to navigate through
it, so it's a good idea to put it into another file.

No changes in functionality here, just splitting up the files and fixing
references.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 61b8d9ebe0
nixos/tests: Add a test for the Taskserver service
A small test which checks whether tasks can be synced using the
Taskserver.

It doesn't test group functionality because I suspect that they're not
yet implemented upstream. I haven't done an in-depth check on that but I
couldn't find a method of linking groups to users yet so I guess this
will get in with one of the text releases of Taskwarrior/Taskserver.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 0141b4887d
nixos/taskserver: Use nixos-taskdctl in preStart
Finally, this is where we declaratively set up our organisations and
users/groups, which looks like this in the system configuration:

services.taskserver.organisations.NixOS.users = [ "alice" "bob" ];

This automatically sets up "alice" and "bob" for the "NixOS"
organisation, generates the required client keys and signs it via the
CA.

However, we still need to use nixos-taskdctl export-user in order to
import these certificates on the client.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 227229653a
nixos/taskserver: Add a nixos-taskdctl command
It's a helper for NixOS systems to make it easier to handle CA
certificate signing, similar to what taskd provides but comes preseeded
with the values from the system configuration.

The tool is very limited at the moment and only allows to *add*
organisations, users and groups. Deletion and suspension however is much
simpler to implement, because we don't need to handle certificate
signing.

Another limitation is that we don't take into account whether
certificates and keys are already set in the system configuration and if
they're set it will fail spectacularly.

For passing the commands to the taskd command, we're using a small C
program which does setuid() and setgid() to the Taskserver user and
group, because runuser(1) needs PAM (quite pointless if you're already
root) and su(1) doesn't allow for setting the group and setgid()s to the
default group of the user, so it even doesn't work in conjunction with
sg(1).

In summary, we now have a shiny nixos-taskdctl command, which lets us do
things like:

nixos-taskdctl add-org NixOS
nixos-taskdctl add-user NixOS alice
nixos-taskdctl export-user NixOS alice

The last command writes a series of shell commands to stdout, which then
can be imported on the client by piping it into a shell as well as doing
it for example via SSH:

ssh root@server nixos-taskdctl export-user NixOS alice | sh

Of course, in terms of security we need to improve this even further so
that we generate the private key on the client and just send a CSR to
the server so that we don't need to push any secrets over the wire.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 5146f76095
nixos/taskserver: Add an option for organisations
We want to declaratively specify users and organisations, so let's add
another module option "organisations", which allows us to specify users,
groups and of course organisations.

The implementation of this is not yet done and this is just to feed the
boilerplate.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 274fe2a23b
nixos/taskserver: Fix generating server cert
We were generating a self-signed certificate for the server so far,
which we obviously don't want.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 77d7545fac
nixos/taskserver: Introduce a new fqdn option
Using just the host for the common name *and* for listening on the port
is quite a bad idea if you want to listen on something like :: or an
internal IP address which is proxied/tunneled to the outside.

Hence this separates host and fqdn.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig d94ac7a454
nixos/taskserver: Use types.str instead of string
The "string" option type has been deprecated since a long time
(800f9c2), so let's not use it here.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 411c6f77a3
nixos/taskserver: Add trust option to config file
The server starts up without that option anyway, but it complains about
its value not being set. As we probably want to have access to that
configuration value anyway, let's expose this via the NixOS module as
well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 1f410934f2
nixos/taskserver: Properly indent CA config lines
No change in functionality, but it's easier to read when properly
indented.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig 3d820d5ba1
nixos/taskserver: Refactor module for CA creation
Now the service starts up if only the services.taskserver.enable option
is set to true.

We now also have three systemd services (started in this order):

 * taskserver-init: For creating the necessary data directory and also
                    includes a refecence to the configuration file in
                    the Nix store.
 * taskserver-ca:   Only enabled if none of the server.key, server.cert,
                    server.crl and caCert options are set, so we can
                    allow for certificates that are issued by another
                    CA.
                    This service creates a new CA key+certificate and a
                    server key+certificate and signs the latter using
                    the CA key.
                    The permissions of these keys/certs are set quite
                    strictly to allow only the root user to sign
                    certificates.
 * taskserver:      The main Taskserver service which just starts taskd.

We now also log to stdout and thus to the journal.

Of course, there are still a few problems left to solve, for instance:

 * The CA currently only signs the server certificates, so it's
   only usable for clients if the server doesn't validate client certs
   (which is kinda pointless).
 * Using "taskd <command>" is currently still a bit awkward to use, so
   we need to properly wrap it in environment.systemPackages to set the
   dataDir by default.
 * There are still a few configuration options left to include, for
   example the "trust" option.
 * We might want to introduce an extraConfig option.
 * It might be useful to allow for declarative configuration of
   organisations and users, especially when it comes to creating client
   certificates.
 * The right signal has to be sent for the taskserver service to reload
   properly.
 * Currently the CA and server certificates are created using
   server.host as the common name and doesn't set additional certificate
   information. This could be improved by adding options that explicitly
   set that information.

As for the config file, we might need to patch taskd to allow for
setting not only --data but also a --cfgfile, which then omits the
${dataDir}/config file. We can still use the "include" directive from
the file specified using --cfgfile in order to chainload
${dataDir}/config.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00