Commit Graph

6355 Commits

Author SHA1 Message Date
Jörg Thalheim
036e0f114a gogs: improve cookieSecure documentation 2017-05-01 11:37:12 +02:00
Rodney Lorrimar
ced172010a gogs service: add option for enabling "secure" cookies 2017-04-23 16:27:43 +01:00
Rodney Lorrimar
0e90a05a52 gogs service: generate the secret key only once, then reuse 2017-04-23 15:05:44 +01:00
Rodney Lorrimar
cfa1faa37c gogs service: chmod 440 config file
Directory which contains the config file /var/lib/gogs already
has mode 700 but users are liable to change these things.
2017-04-22 17:51:04 +01:00
Rodney Lorrimar
79d52bc26c gogs service: don't copy database password to nix store
Relevant to #24288
2017-04-22 17:07:21 +01:00
Rodney Lorrimar
0c9512d263 gogs service: fix encoding of secret key
I was getting a secret key like this:

  [security]
  SECRET_KEY = 7X

Use coreutils base64 instead to get the full 256 bits of randomness.
2017-04-22 17:07:20 +01:00
Benno Fünfstück
855155083a Merge pull request #24755 from LumiGuide/bepasty-secretKeyFile
bepasty: add secretKeyFile option
2017-04-22 00:07:04 +02:00
Marius Bergmann
6572f5e81b keepalived service: init (#22755) 2017-04-20 12:50:59 +01:00
aszlig
e662e035f9
nixos/systemd-boot-builder: Don't write .pyc files
This has surfaced since d990aa7163.

The "simpleUefiGummiboot" installer test fails since this commit,
because that commit introduced a small check to verify whether the store
was altered.

While installing NixOS for the first time, the store is usually in
/mnt/nix/store and without the read-only bind mount that's preventing
programs from altering the store.

So after nixos-install is done creating the system closure and setting
it as the active system profile, the bootloader is written from the
closure inside the chroot. The systemd-boot-builder is invoked during
this step, which adds .pyc files for various Python modules of the
Python 3 store path, which in turn invalidates the hash of the Python 3
store path itself.

At the time the system is booted up again, the nix-store is verified and
fails with something like this:

path /nix/store/zvm545rqc4d97caqq9h7344bnd06jhzb-python3-3.5.3 was
modified! expected hash
b2c975f4b8d197443fbb09690fb3f6545e165dd44c9309d7d6df2fce0579ebeb, got
bccca19f39c9d26d857ccf1fb72818b2b817967e6d497a25a1283e36ed0acf01

Running the interpreter with the -B argument prevents Python from
writing those byte code files:

https://docs.python.org/3/using/cmdline.html#cmdoption-B

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-04-20 00:37:02 +02:00
Benno Fünfstück
149656581d Merge pull request #24601 from pbogdan/unclutter
unclutter: Fix default value of $DISPLAY
2017-04-19 18:40:43 +02:00
Jörg Thalheim
b2ed3db94a Merge pull request #24962 from makefu/modules/command-not-found/refactor
Refactor command-not-found
2017-04-18 17:18:20 +02:00
Vladimír Čunát
91ad6b3597
Revert "grub module: fix efiInstallAsRemovable description"
This reverts commit c2b56626f1.
It broke creating the manual.  I suspect the descriptions are
auto-wrapped by <para> and </para>.

We've been through this already in 3af715af90.
/cc #24978, @zraexy, @Mic92.
2017-04-18 14:26:36 +02:00
Jörg Thalheim
6b7c5ba535
display-manager: fix argument handling of sddm
previously session type was not correctly set.

fixes #23264
2017-04-18 01:41:17 +02:00
zraexy
c2b56626f1 grub module: fix efiInstallAsRemovable description 2017-04-17 14:45:56 -08:00
John Ericson
37e5e71fdf Merge pull request #24974 from Ericson2314/mapNullable
Introduce `mapNullable` into lib and use it in a few places
2017-04-17 17:12:14 -04:00
John Ericson
85aa5005af Introduce mapNullable into lib and use it in a few places
Also simply some configure flag logic my grep also alerted me too.
2017-04-17 17:04:04 -04:00
makefu
5a5db609e5
command-not-found: add options
add option to disable command-not-found as well as option to define dbPath.
Disabling this may remove the perl dependency for bash/zsh prompts
2017-04-17 16:48:47 +02:00
Daniel Peebles
e9f1d8693a Merge pull request #23026 from copumpkin/nixos-install-wip
Refactor nixos-install to separate out filesystem build logic
2017-04-17 09:50:35 -04:00
Markus Mueller
5042e9d009
network-interfaces-scripted: Add static parameter for default gateway 2017-04-16 22:59:53 +02:00
Jörg Thalheim
002a2b479a Merge pull request #24486 from srp/master
slock needs suid privileges
2017-04-16 21:40:21 +02:00
Christian Kögler
d2e46b9f70 dhcpcd service: clear exit code of exitHook (#24909)
* dhcpcd: clear exit code of exitHook

* dhcpcd: restart ntp server in oneshot in exit-hook
2017-04-16 20:10:44 +02:00
Jörg Thalheim
16f5bc07f8 Merge pull request #24948 from peterhoeg/m/bluetooth
bluetooth: use upstream's recommendation for enabling interfaces
2017-04-16 18:09:51 +02:00
Dan Peebles
d990aa7163 Refactor nixos-install to separate out filesystem build logic
The key distinction I'm drawing is that there's a component that deals
with the store of the machine being built, and another component for
the store building it. The inner part of it assumes nothing from the
builder (doesn't need chroot or root powers) so it can run comfortably
inside a Nix build, as well as nixos-rebuild. I have some upcoming work
that will use that to significantly speed up and streamline image builds
for NixOS, especially on virtualized hosts like EC2, but it's also a
reasonable speedup on native hosts.
2017-04-16 16:09:41 +00:00
Joachim F
2db0cf0897 Merge pull request #24900 from pjones/pjones/plex-service
plex: Don't overwrite primary database on restart
2017-04-16 13:09:26 +01:00
Peter Hoeg
99d4ed5861 bluetooth: use upstream's recommendation for enabling interfaces
bluez no longer recommends spawning "hciconfig <device> up" from a udev rule as
the main bluez daemon now supports automatically enabling power for all devices.

Reference: http://www.bluez.org/release-of-bluez-5-35/
2017-04-16 16:57:11 +08:00
edef
27e750e29b etcd module: fix extraConf manual link 2017-04-16 00:26:23 +02:00
Jörg Thalheim
b9d9083322
powertop: add module 2017-04-15 15:17:02 +02:00
Jaka Hudoklin
a98c26cdc4 Merge pull request #24921 from peterhoeg/f/k8s
kubernetes: fix interpolation error and move services to own target
2017-04-15 10:43:25 +02:00
Peter Jones
5a50b26662
plex: Don't overwrite primary database on restart
This change fixes two major issues:

  1. If you don't use SIGQUIT to stop Plex it will corrupt its own
     database :(

  2. Newer versions of Plex keep metadata in the
     `com.plexapp.plugins.library.db` database.  This is the file that
     we copy into `/var/lib/plex/.skeleton`.  If we copy the empty
     database on top of this one the user will lose their entire
     library metadata.  This change skips the copy if the file
     already exists.
2017-04-14 11:19:29 -07:00
Vladimír Čunát
2090aa4f65
Merge: fixup a bad merge
For details see:
https://github.com/NixOS/nixpkgs/commit/24444513fb5#commitcomment-21767916
2017-04-14 19:11:17 +02:00
Thomas Tuegel
48b5b77bb7 Merge pull request #24813 from benley/nm-openvpn
nixos: Add nm-openvpn to the networkmanager group
2017-04-14 05:44:01 -05:00
Vladimír Čunát
5b3f807597
Merge #24179: openssh: 7.4p1 -> 7.5p1 2017-04-14 12:16:26 +02:00
Vladimír Čunát
da20d0e488
murmur service: fix typos from #24830 2017-04-14 11:05:42 +02:00
Vladimír Čunát
24444513fb
Merge branch 'staging' 2017-04-14 10:32:13 +02:00
Daniel Peebles
09a9a472ee Merge pull request #24830 from mayflower/refactor/boolToString
treewide: use boolToString function
2017-04-13 09:45:31 -04:00
Peter Hoeg
a3ee3b51d7 k8s: use slice and target for kubernetes 2017-04-13 19:32:10 +08:00
Peter Hoeg
bf4be8f1dd k8s: convert int to string to avoid interpolation error 2017-04-13 19:31:43 +08:00
Jörg Thalheim
5ca7e8a69a
fcron: do not chmod at all
fcron does handle permissions on its own correctly
2017-04-13 12:28:19 +02:00
Jörg Thalheim
9223fde9f3 Merge pull request #24843 from mayflower/smokeping_service
smokeping service: restart on-failure
2017-04-13 11:27:28 +02:00
Domen Kožar
635822da82
nixos: escape brackets in systemd units
One day we should just whitelist instead of blacklist chars.

Fixes https://github.com/NixOS/nixops/issues/614
2017-04-12 15:56:26 +02:00
Tristan Helmich
13e9cc15f1 smokeping service: restart on-failure 2017-04-12 15:23:19 +02:00
Bjørn Forsman
d916ce2ef4 nixos/lighttpd: set $HOME for gitweb sub-service
This allows gitweb to expand '~' in /etc/gitconfig. Without a $HOME
variable, it fails to list any projects and instead show the text
"No such projects found" in the UI.

Setting $HOME to the gitweb project root seems like a sensible value.
2017-04-11 22:54:31 +02:00
edanaher
e3559c23c2 acme: Add "domain" option to separate domain from name
Fixes #24731.
2017-04-11 18:28:05 +02:00
Franz Pletz
3ab45f4b36
treewide: use boolToString function 2017-04-11 18:18:53 +02:00
Benjamin Staffin
47a5f9acee
nixos: Add nm-openvpn to the networkmanager group
This is to satisfy the polkit restriction limiting
org.freedesktop.NetworkManager.* dbus messages to members of that
group.

Should help with #24806
2017-04-10 22:41:55 -04:00
Aneesh Agrawal
769b991be6 openssh: 7.4p1 -> 7.5p1
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.

Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
2017-04-10 19:39:22 -04:00
Nikolay Amiantov
c8c340b05a tlp service: mask systemd-rfkill
Fixes #24737.
2017-04-11 02:09:29 +03:00
Franz Pletz
f1f9020224
crowd service: fix secure sso cookies
Crowd didn't detect a secure connection before.
2017-04-10 15:39:37 +02:00
Franz Pletz
4f0dd2f746
prometheus service: add scrapeConfigs.params option 2017-04-10 14:31:27 +02:00
Jörg Thalheim
fa4eff9b52 Merge pull request #24360 from clefru/gce-image-shrink-on-master
Shrink GCE bootstrap image to minimum size, and auto-expand it to actual size on first boot.
2017-04-10 12:01:53 +02:00