* removed pid-file support, it is needless to run collectd as systemd service
* removed static user id, as all the files reowned on the service start
* added ambient capabilities for ping and smart (hdd health) functions
- Update to version 1.3.0
- Remove dependency on `oxygen-icons5`, as Lumina desktop now distributes
it’s own "material-design-[light/dark]" icon themes and uses them as the
default icon sets.
First of all, thanks to @pbogdan for getting this problem reproduced:
https://github.com/NixOS/nixpkgs/commit/2014db3efcd2a#commitcomment-22815396
Also thanks to @vcunat for bringing this to my attention:
https://github.com/NixOS/nixpkgs/commit/44c64fef16ed5#commitcomment-22813503
Although it is not entirely clear why Nix has killed the build prior to
finishing, it seems to be related to the process substition I was using.
So instead of using "exec touch", let's wrap this inside an if so we
don't exit too early.
Tested this against all sub-tests in nixos/tests/keymap.nix and also a
few configurations with wrong keyboard layout definitions.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The message buffer of the kernel lists
> Please run 'e2fsck -f /dev/disk/by-label/nixos' first.
as the output of the command `resize2fs "$device"`.
This fixes NixOS/nixpkgs#26910.
This commit adds the xen_4_8 package to be used instead of
xen (currently at 4.5.5):
* Add packages xen_4_8, xen_4_8-slim and xen_4_8-light
* Add packages qemu_xen_4_8 and qemu_xen_4_8-light to be used
with xen_4_8-slim and xen_4_8-light respectively.
* Add systemd to buildInputs of xen (it is required by oxenstored)
* Adapt xen service to work with the new version of xen
* Use xen-init-dom0 to initlilise dom0 in xen-store
* Currently, the virtualisation.xen.stored option is ignored
if xen 4.8 is used
old version of blkid used to output version information including libblkid version
when invoked with --help parameter
new version does not output libblkid version when invoked with --help parameter
fix is to invoke blkid with -V parameter to output version including libblkid in both cases
* systemd-boot-builder.py: add support for profiles
This will also list the generations of other profiles than `system` in
the boot menu. See the documentation of the `--profile-name` option of
nixos-rebuild for more information on profiles.
* Fix errors introduced by previous commit
Tesseract seems to have a hard time detecting the "ALICE FOOBAR" text,
so let's match on "Select your user and enter password" instead.
Ran the test on x86_64-linux and it now succeeds.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We really want to break channel updates whenever we break something like
this, because this actually will hit machines out there and can be very
much annoying (we had broken keymaps a few times which is why I
introduced these tests in the first place).
Just to be sure I don't break channel updates with this commit, I ran
all of the keymap tests and they all succeeded.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Enumerating the symbols directory doesn't include variants, so we're now
basically doing what "localectl list-x11-keymap-layouts" does but we use
sed instead.
The reason I'm not using localectl directly is because the path to
rules/base.lst is hardcoded in the systemd source.
Of course, the XKB specification allows for much more complicated rules,
but at least this should cover the most basic ones including variants.
So the sed expression itself is just for listing the available layouts
and variants and we use a grep with -xF to match only full lines without
interpreting regular expressions.
This should again allow to set "dvorak" as the layout option.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @lheckemann
Fixes: #25526
machine: must succeed: xwininfo -root -tree | sed 's/.*0x[0-9a-f]* \"\([^\"]*\)\".*/\1/; t; d'
machine: exit status 0
machine: Last chance to match /(?^:dfiirst configuration)/ on the the window list, which currently contains:
machine: [i3 con] container around 0xf8a5f0, i3: first configuration, [i3 con] floatingcon around 0xf8c260, [i3 con] container around 0xf8a380, i3bar for output Virtual-1, [i3 con] bottom dockarea Virtual-1, [i3 con] workspace 1, [i3 con] content Virtual-1, [i3 con] top dockarea Virtual-1, [i3 con] output Virtual-1, [i3 con] workspace __i3_scratch, [i3 con] content __i3, [i3 con] pseudo-output __i3, i3
machine: Last chance to match /(?^:BALICE)/ on the screen, which currently contains:
machine: performing optical character recognition
machine: sending monitor command: screendump /tmp/nix-build-vm-test-run-sddm.drv-0/ocrin.ppm
machine: Session Layout
O O
0 1 : 0 9
Wednesday, June 21, 2017
|_ I
Select your user and enter password
If the test has not passed yet, on the last attempt it now outputs:
machine: Last chance to match /logine: / on TTY2, which currently contains:
machine: running command: fold -w$(stty -F /dev/tty2 size | awk '{print $2}') /dev/vcs2
machine: exit status 0
machine:
<<< Welcome to NixOS 17.09.git.a804ef4 (x86_64) - tty2 >>>
machine login:
to help debug the problem. Notice the "logine" typo in my check.
Plugin and QML import paths were previously determined by NIX_PROFILES. Using
PATH instead allows Qt applications to work under nix-shell without further
modification.
- Reduce environment pollution with a separate $bin output containing programs,
plugins, and shared data. Libraries remain in $out and are not installed into
the environment.
- Only propagate build inputs as required.
nsd by default logs _both_ to syslog and to standard error which results
in all the messages ending up in the journal twice, the ones from stderr
with an ugly timestamp sticked in front of them.
* Add kibana5 and logstash5
* Upgrade the elastic beats to 5.4
* Make sure all elastic products use the same version
(see elk5Version)
* Add a test for the ELK stack
Adds /dev/disk/by-{id,label}/* symlinks for bcache device nodes, in the
final rootfs.
Symlinks will only be created for bcache devices that contain
filesystems. So if you have a blank bcache device or run LVM on top of
bcache you will not get this kind of symlink.
Or else `services.udev.packages = [ bcache-tools ]` cannot be used.
To not break bcache in the initrd I'm modifying this in stage-1.nix:
- --replace /bin/sh ${extraUtils}/bin/sh
+ --replace ${bash}/bin/sh ${extraUtils}/bin/sh
Reasoning behind that change:
* If not modifying the /bin/sh pattern in any way, it will also match
${bash}/bin/sh, creating a broken path like
/nix/store/HASH-bash/nix/store/HASH-bash/bin/sh in the udev rule file.
* The addition of /bin/sh was done in 775f381a9e
("stage-1: add bcache support"). It seems somewhat plausible that
no new users have appeared since then and we can take this opportunity
to back out of this change without much fear of regressions.
If there _are_ regressions, they should be in the form of build time
errors, not runtime (boot), due to how the udev rule output is checked
for invalid path references. So low risk, IMHO.
* An alternative approach could be to copy the /bin/sh substitute rule
over to the non-initrd udev rules implementation in NixOS, but I think
this way is better:
- The rules file comes with a working path out of the box.
- We can use more precise pattern matching when modifying the udev
rules for the initrd.
The default font is unreadably small on some hidpi displays. This
makes it possible to specify a TrueType or OpenType font at any point
size, and it will automatically be converted to the format the Grub
uses.
This adds configuration options for the bind package so that the
interfaces that bind listens on can be configured rather than just
hardcoded as any. The default values preserve the old behavior to be
backwards compatible.
* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates
Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
Restructure the nixos-artwork to make it easy to selectively
incorporate other components from upstream without needing to download
the full package.
Until now only the Gnome_Dark wallpaper was included. Add other
wallpapers available in the package repository.
This change updates the instructions for building a NixOS ISO so that it's clear how to do it.
Previously, the instructions stated to set NIXOS_CONFIG prior to running `nix-build`, yet the example provided by-passed NIXOS_CONFIG anyway. But the *really* important missing piece is the need for nixos/default.nix. See #21840.
This change removes the NIXOS_CONFIG verbiage, and adds steps to clone nixpkgs and (most importantly) cd'ing into nixpkgs/nixos. That way, the reader may think: *Oh, so I need a default.nix and a configuration.nix. Ahhh, OK.*
I purposely added the redundant default.nix argument.
* postgresql service: make 9.6 the default version for 17.09
* postgresql service: change default superuser for 17.09
Change the default superuser from `root` to `postgres` for state
version 17.09
* postgresql service: change default data directory for 17.09
The new directory includes the schema version of the database.
This makes upgrades easier and is more consistent with other distros.
* updated nixos release notes
While systemd suggests using the pre-defined graphical-session user
target, I found that this interface is difficult to use. Additionally,
no other major distribution, even in their unstable versions, currently
use this mechanism.
The window or desktop manager is supposed to run in a systemd user service
which activates graphical-session.target and the user services that are
binding to this target. The issue is that we can't elegantly pass the
xsession environment to the window manager session, in particular
whereas the PassEnvironment option does work for DISPLAY, it for some
mysterious reason won't for PATH.
This commit implements a new graphical user target that works just like
default.target. Services which should be run in a graphical session just
need to declare wantedBy graphical.target. The graphical target will be
activated in the xsession before executing the window or display manager.
Fixes #17858.
* tinc: Mention in docs that the host name may not be used verbatim.
Source:
5c344f2976/src/net_setup.c (L341)
* tinc: also replaces non-alphanumeric characters.
An iso containing metadatas is created and attached as a cdrom to the
qemu VM used for this test.
The cloudinit service is enabled. The test case ensures the root
authorized_keys file is populated and the cloudinit write_file module is
working well.
OVMF{,CODE,VARS}.fd are now available in a dedicated fd output, greatly
reducing the closure in the common case where only those files are used (a
few MBs versus several hundred MBs for the full OVMF).
Note: it's unclear why `dontPatchELF` is now necessary for the build to
pass (on my end, at any rate) but it doesn't make much sense to run this
fixup anyway,
Note: my reading of xen's INSTALL suggests that --with-system-ovmf should
point directly to the OVMF binary. As such, the previous invocation was
incorrect (it pointed to the root of the OVMF tree). In any case, I have
only built xen with `--with-system-ovmf`, I have not tested it.
Fixes https://github.com/NixOS/nixpkgs/issues/25854
Closes https://github.com/NixOS/nixpkgs/pull/25855
Without this change there will be silent errors when enabling screen
sharing. The GUI thinks it enables the service when it in fact does not
(errors are seen in the system journal).
vino is already in the closure of gnome-control-center, so this is
basically free.
Configuration of screen sharing is done in GNOME control center.
error now adds the zone file in the output which makes 'reasonable' debugging possible!
[root@nixdoc:~/nixpkgs_nsd]# nixos-rebuild -I nixpkgs=. switch
building Nix...
building the system configuration...
these derivations will be built:
/nix/store/318a7mhwlz1x0cy4hl1259n8x9z0jacy-nsd-env.drv
/nix/store/fnbhk8grwk7vfdk3gby49bv6kml8hjcc-unit-script.drv
/nix/store/xf80mq1f1c3pm37fci0vi5ixy4gb1rcp-unit-nsd.service.drv
/nix/store/bfmkkykqksmvkhvh3ppl36k86lbw9v4i-system-units.drv
/nix/store/ja97mwl2r0wdrxccl82dx8jln7jlmnyb-etc.drv
/nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv
building path(s) ‘/nix/store/sg7w3k6qg2yr02a0sbrgbv5yiqn9pzcq-nsd-env’
created 2 symlinks in user environment
checking zone files
|- checking zone '/nix/store/sg7w3k6qg2yr02a0sbrgbv5yiqn9pzcq-nsd-env/zones/lastlog.de.'
[2017-05-16 10:30:34.628] nsd-checkzone[27696]: error: lastlog.de.:17: syntax error
[2017-05-16 10:30:34.628] nsd-checkzone[27696]: error: lastlog.de.:17: unrecognized RR type 'lastlog'
zone lastlog.de. file lastlog.de. has 2 errors
builder for ‘/nix/store/318a7mhwlz1x0cy4hl1259n8x9z0jacy-nsd-env.drv’ failed with exit code 1
cannot build derivation ‘/nix/store/xf80mq1f1c3pm37fci0vi5ixy4gb1rcp-unit-nsd.service.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/bfmkkykqksmvkhvh3ppl36k86lbw9v4i-system-units.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/ja97mwl2r0wdrxccl82dx8jln7jlmnyb-etc.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv’: 1 dependencies couldn't be built
error: build of ‘/nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv’ failed
SSH expects a new line at the end of known_hosts file.
Without a new line the next entry goes on the same line
as the last entry in known_hosts causing errors.
... because `nixos-generate-config` currently understand it's running under virtualbox, and correctly adds the configuration in `/etc/nixos/hardware-configuration.nix`
printer driver and wrapper are often not written with security in mind.
While reviewing https://github.com/NixOS/nixpkgs/pull/25654 I found
a symlink-race vulnerability within the wrapper code, when writing
unique files in /tmp.
I expect this script to be reused in other models as well
as similar vulnerabilities in the code of other vendors. Therefore
I propose to make /tmp of cups.service private so that only processes
with the same privileges are able to access these files.
Since fat32 provides little recovery facilities after a crash,
it can leave the system in an unbootable state, when a crash/outage
happens shortly after an update. To decrease the likelihood of this
event sync the efi filesystem after each update.
Due the recent inclusion of broadcom-bt-firmware in enableAllFirmware,
it was required to set `nixpkgs.config.allowUnfree` to obtain the full
list. To make this dependency more explicit an assertion is added and an
alternative option `enableRedistributalFirmware` is provided to only
obtain firmware with an license allowing redistribution.
IPFS uses the environment variable IPFS_PATH to determine where to look for it's data, which wasn't set previously therefore ignoring the dataDir attribute
to /etc/dd-agent/conf.d by default, and make sure
/etc/dd-agent/conf.d is used.
Before NixOS 17.03, we were using dd-agent 5.5.X which
used configuration from /etc/dd-agent/conf.d
In NixOS 17.03 the default conf.d location is first used relative,
meaning that $out/agent/conf.d was used without NixOS overrides.
This change implements similar functionality as PR #25288, without
breaking backwards compatibility.
(cherry picked from commit 77c85b0ecb)
Provide the option forwardDns in virtualisation.xen.bridge, which
enables forwarding of DNS queries to the default resolver, allowing
outside internet access for the xen guests.
When you have a setup consisting of multiple monitors, the default is
that the first monitor detected by xrandr is set to the primary monitor.
However this may not be the monitor you need to be set as primary. In
fact this monitor set to primary may in fact be disconnected.
This has happened for the original submitter of the pull request and it
affected these programs:
* XMonad: Gets confused with Super + {w,e,r}
* SDDM: Puts the login screen on the wrong monitor, and does not
currently duplicate the login screen on all monitors
* XMobar: Puts the XMobar on the wrong monitor, as it only puts the
taskbar on the primary monitor
These changes should fix that not only by setting a primary monitor in
xrandrHeads but also make it possible to make a different monitor the
primary one.
The changes are also backwards-compatible.
This test exercises the linux_hardened kernel along with the various
hardening features (enabled via the hardened profile).
Move hidepid test from misc, so that misc can go back to testing a vanilla
configuration.
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.
The rationale for this over simply setting the sysctl knob is to allow
some legitmate kernel module loading to occur; the naive solution breaks
too much to be useful.
The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session. This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).
From an aestethic point of view, enabling this option helps make the
configuration more "declarative".
Closes https://github.com/NixOS/nixpkgs/pull/24681
Use a solid black background when no background image (via
~/.background-image) is provided. In my case this fixes the really
strange behaviour when i3 without a desktop manager starts with the SDDM
login screen as background image.
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration. Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.
For background on virtual syscalls see https://lwn.net/Articles/446528/
Closes https://github.com/NixOS/nixpkgs/pull/25289
The xsession script was called with inconsistent (depending on the
display managers) and wrong parameters. The main reason for this where
the spaces the parameter syntax. In order to fix this the old syntax:
$1 = '<desktop-manager> + <window-manager>'
Will be replaced with a new syntax:
$1 = "<desktop-manager>+<window-manager>"
This assumes that neither "<desktop-manager>" nor "<window-manager>"
contain the "+" character but this shouldn't be a problem.
This patch also fixes the quoting by using double quotes (") instead of
single quotes (') [0].
Last but not least this'll add some comments for the better
understanding of the script.
[0]: https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1]. Consequently, we can no longer
responsibly support grsecurity on NixOS.
This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother. For 17.09 all of it should
probably be pruned.
[1]: https://grsecurity.net/passing_the_baton.php
The xen-bridge service accepts the option prefixLength, but does not
use it to set the actual netmask on the bridge. This commit makes
it set the correct netmask.