Commit Graph

21357 Commits

Author SHA1 Message Date
Sandro Jäckel
17ec7e4401
nixos/asf: remove subdirectories from bot config 2022-06-03 11:41:38 +02:00
Sandro Jäckel
16f28933e7
nixos/asf: set restrictive home permissions 2022-06-03 11:41:37 +02:00
Sandro Jäckel
48b21f661c
nixos/asf: add ipcPasswordFile option, only delete bot configs when managed by nixos, make preStart clearer 2022-06-03 11:41:36 +02:00
Lassulus
8cea5e2fa1
Merge pull request #173664 from Izorkin/peertube-redis-server
nixos/peertube: use redis.servers
2022-06-02 20:26:29 +02:00
Thiago Kenji Okada
679197e9ff
Merge pull request #174058 from jian-lin/fix-nvidia.powerManagement.finegrained-only-apply-workarounds-when-needed
nixos/nvidia: only apply workarounds for finegrained when needed
2022-06-02 17:55:23 +01:00
Thiago Kenji Okada
64870a0c57
Merge pull request #174259 from schuelermine/add-nixos-option/hardware.nvidia.forceFullCompositionPipeline
nixos/nvidia: add hardware.nvidia.forceFullCompositionPipeline
2022-06-02 17:50:50 +01:00
Thiago Kenji Okada
3ead2b58f5
Merge pull request #174057 from jian-lin/fix-nvidia.powerManagement.finegrained-remove-useless-setting
nixos/nvidia: remove a useless option
2022-06-02 17:32:24 +01:00
MatthiasBenaets
9a5c77c581 nixos/new-lg4ff: fix kernel selection 2022-06-02 08:27:42 +02:00
Bernardo Meurer
f4d4b16d71
Merge pull request #175831 from lovesegfault/fix-localtime
nixos/localtimed: hopefully fix geoclue
2022-06-01 14:38:29 -07:00
lom
ec9204d732 nixos/new-lg4ff: respect enable option 2022-06-01 15:09:24 -06:00
Bernardo Meurer
ffae8569b0 nixos/localtimed: hopefully fix geoclue 2022-06-01 13:20:16 -07:00
Martin Weinelt
5a188dfbca
Merge pull request #175729 from DeterminateSystems/jellyfin-fix 2022-06-01 17:19:49 +02:00
Sandro
ba4c03124f
Merge pull request #174956 from MatthiasBenaets/new-lg4ff
new-lg4ff: init at 0.3.3
2022-06-01 16:42:55 +02:00
MatthiasBenaets
8dcba104aa new-lg4ff: init at 0.3.3 2022-06-01 14:31:52 +02:00
Linus Heckemann
7eab23d517 jellyfin: fix permissions on state directory
Previously, all configuration and state data was accessible to all
users on the system running jellyfin. This included user passwords in
the Jellyfin database, as well as credentials for LDAP if configured.
The exact set of accessible data depends on system configuration.

Thanks to Sofie Finnes Øvrelid for reporting this issue.

Fixes: CVE-2022-32198

Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
2022-06-01 12:31:23 +02:00
Martin Weinelt
5b8a2ab169
Merge pull request #175611 from waldheinz/systemd-boot-builder-does-not-update
nixos/systemd-boot: fix systemd-boot-builder refusing to update
2022-06-01 12:22:11 +02:00
Matthias Treydte
ff24f484af nixos/systemd-boot: fix systemd-boot-builder refusing to update
Handling of the string length condition in should_update
was broken, as evident with the log message

> leaving systemd-boot 246 in place (250.4 is not newer)

Discussion with @mweinelt came to the conclusion
that Python's "<" operator already does what we need,
so the should_update function can be dropped.

Fixes a30de3b849
2022-06-01 11:49:07 +02:00
Aaron Andersen
18a07645e5
Merge pull request #174959 from MoritzBoehme/openconnect-auto-start
nixos/openconnect: add autoStart option
2022-05-31 23:05:25 -04:00
Martin Weinelt
02e44ee3be
Merge pull request #174804 from dotlambda/prometheus-dmarc-exporter-no-poetry2nix 2022-06-01 01:46:30 +02:00
Robert Schütz
aff15c41fc dmarc-metrics-exporter: rename from prometheus-dmarc-exporter
Also stop using poetry2nix.
2022-05-31 23:25:18 +00:00
7c6f434c
39e6b1a240
Merge pull request #175558 from klemensn/atop-convert-logs-fix-startup
nixos/atop: Convert log format to fix service start
2022-05-31 20:37:23 +00:00
Sandro
8d8e031d25
Merge pull request #133771 from erdnaxe/libreddit_fix
nixos/libreddit: service hardening and test
2022-05-31 21:53:51 +02:00
Maximilian Bosch
185ee01e80
Merge pull request #173273 from kfollesdal/grafana-azuread
nixos/grafana: add new options to grafana module
2022-05-31 19:24:33 +02:00
Robert Hensing
53326189ba
Merge pull request #174829 from blaggacao/fix/cleanup-nixpkgs-initial-system
nixos: remove effect-less nixpgks.initialSystem
2022-05-31 16:26:25 +02:00
Klemens Nanni
09350ff7d4 nixos/atop: Convert log format to fix service start
Raw logs are stored in a versioned binary format and must be update with
atopconvert(1) upon atop version updates.

Failure to do so results in atop.service startup failure as I found out
the hard way after the "atop: 2.6.0 -> 2.7.1"[0] bump:
```
May 31 01:49:25 <hostname> sh[2269709]: existing file /var/log/atop/atop_20220531 has incompatible header
May 31 01:49:25 <hostname> sh[2269709]: (created by version 2.6 - current version 2.7)
May 31 01:49:25 <hostname> systemd[1]: atop.service: Main process exited, code=exited, status=7/NOTRUNNING
```

Convert logs in `ExecStartPre` and replace them iff updated.
This is to avoid changing original modification times upon every service
start and thus work against atop's log rotation (see existing
`ExecStartPre`).

0: https://github.com/NixOS/nixpkgs/pull/175180#issuecomment-1141546487
2022-05-31 07:21:01 +02:00
markuskowa
412168b4ae
Merge pull request #175316 from markuskowa/upd-slurm
slurm: 21.08.8.2 -> 22.05.0.1
2022-05-30 21:18:28 +02:00
ajs124
872d0ba943
Merge pull request #174448 from helsinki-systems/upd/nginx
nginxStable: 1.20.2 -> 1.22.0
2022-05-30 13:35:01 +02:00
Janne Heß
563e5c46f5
Merge pull request #175445 from helsinki-systems/fix/vmware-mkoverride
nixos/vmware-guest: Remove the video driver
2022-05-30 12:30:46 +02:00
ajs124
30186896ee nixos/nginx: fix SystemCallFilter for openresty 2022-05-30 11:58:28 +02:00
Janne Heß
5157246aa4
nixos/vmware-guest: Remove the video driver
This breaks isos since https://github.com/NixOS/nixpkgs/pull/172668
because vmware is enabled there. @K900 tested this and confirmed that
the GPU acceleration still works.
2022-05-30 11:56:21 +02:00
Florian Klink
f12a263b69
Merge pull request #172707 from klemensn/init-zfs-mount-options
nixos/stage-1: Fix library path in libraries, fix ZFS mount options
2022-05-30 10:51:17 +02:00
Guillaume Girol
f2493e87d8
Merge pull request #173110 from symphorien/ovmf-cross
nixos/libvirtd: make it possible to boot a UEFI aarch64 vm on x86_64
2022-05-29 21:46:45 +00:00
linj
37792e5766 nixos/dendrite: add an option loadCredential
systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.

Some options in config.yaml need values to be strings, which currently
can be used with environmentFile but not loadCredential. But it's
possible to use loadCredential for those options, e.g. we can
substitute their values in ExecStart, but not in ExecStartPre due to
[1].

[1]: https://github.com/systemd/systemd/issues/19604
2022-05-29 13:34:14 -07:00
Markus Kowalewski
b6020f42a5
nixos/slurm: update systemd service for slurmd
Adjust according to upstream recommendation
2022-05-29 17:17:01 +02:00
Jörg Thalheim
d32a2bf207 nixos/mimir: also expose mimirtool to users 2022-05-29 03:49:17 -04:00
Jörg Thalheim
6497902407 nixos/mimir: set workingdirectory
Mimir writes files relatative to its working directory.
With this option less files have to be configured.
2022-05-29 03:49:17 -04:00
Alyssa Ross
c3c0dd00d8 treewide: fix loss of precision in NixOS systems
Prior to this patch:

	$ nix-instantiate --eval -E '
	>   with import ./. {
	>     localSystem.config = "aarch64-unknown-linux-musl";
	>   };
	>   (nixos {}).config.nixpkgs.localSystem.config
	> '
	"aarch64-unknown-linux-gnu"

Because only the system triple was being passed through, the Musl part
of the system specification was lost.  This patch fixes various
occurrences of NixOS evaluation when a Nixpkgs evaluation is already
available, to pass through the full elaborated system attribute set,
to avoid this loss of precision.
2022-05-28 20:01:55 +00:00
Aleksandar Topuzović
fd86efb8c2 nixos/nextcloud: Fix broken config file 2022-05-28 19:14:12 +01:00
Florian Klink
8707ec2798
Merge pull request #174167 from chivay/saleae
nixos/saleae-logic: init
2022-05-28 14:30:32 +02:00
Martin Weinelt
c48756aae2
Merge pull request #172849 from waldheinz/systemd-boot-builder-downgrade
nixos/systemd-boot: fix systemd-boot-builder dowgrade to fail
2022-05-28 13:23:44 +02:00
Matthias Treydte
a30de3b849 nixos/systemd-boot: fix systemd-boot-builder dowgrade to fail
Since, 4ddc78818e systemd-boot-builder
is broken in two ways:

  * if no systemd-boot is currently installed *and* the NIXOS_INSTALL_BOOTLOADER
    env variable is not set, it will try to run "bootctl update", which will fail
  * if the currently installed systemd-boot version is newer than the version
    we're about to install, it will also try to run "bootctl update", which will fail

This patch changes the behaviour,

  * for the first case to still fail, but not even bother to try running
    "bootctl update" and instead erroring out with an exception
  * for the second case to leave the newer version in place, restoring
    the pre - 4ddc78818e behaviour

To do the proper version check a new "should_update" helper function was introduced,
mimicing the compare_product C function from bootctl. If the following systemd
issue gets resolved, we would have a nice way to get rid of this function:

> https://github.com/systemd/systemd/issues/23450

This change allows to again switch to a different NixOS configuration which contains
an older systemd-boot.

Co-authored-by: Martin Weinelt <mweinelt@users.noreply.github.com>
2022-05-28 13:18:21 +02:00
Hubert Jasudowicz
91015fe196 nixos/saleae-logic: init 2022-05-27 20:39:32 +02:00
Sandro
e34ee08ec5
Merge pull request #174639 from mtoohey31/fix/os-release-newline 2022-05-27 19:29:38 +02:00
Moritz Böhme
106bfcaf8a
nixos/openconnect: add autoStart option 2022-05-27 17:41:03 +02:00
Sandro
23ec1c06c0
Merge pull request #173126 from NULLx76/update-hedgedoc-module
nixos/hedgedoc: fix and add config options
2022-05-27 16:03:22 +02:00
Maximilian Bosch
57a8966d03
Merge pull request #171227 from aidalgol/nextcloud-setup-script-fix
nixos/nextcloud: Fix broken error suppression in setup script
2022-05-27 13:23:10 +02:00
David Arnold
646e214e11
nixos: remove effect-less nixpgks.initialSystem
- initialSystem was keeping track of the evaluating system
- it had been used by `nesting.children`
- since, 20.09, `nesting.children` has been replaced with named
  specializations

It appears that this option was left over and not cleand up properly.
2022-05-26 20:00:05 -05:00
Klemens Nanni
9eb704b65a nixos/stage-1: Zap no longer needed LD_LIBRARY_PATH
The previous commit properly adjusts all library paths, thus no need to
forcefully adjust the path at runtime any longer.
2022-05-26 22:17:02 +02:00
Klemens Nanni
d33e52b253 nixos/stage-1: Fix library path in libraries also
`extra-utils` composes the set of programs and libraries needed by

1. copying over all programs
2. copying over all libraries any program directly links against
3. set the runtime path for every program to the library directory

It seems that this approach misses the case where a library itself links
against another library.  That is to say, `extra-utils` assumes that
either only progams link against libraries or that every library linked
to by a library is already linked to by a program.

`mount.zfs` linking against `libcrypto`, in turn linking against `libdl`
shows how the current approach falls short:

```
$ objdump -p $(which mount.zfs) | grep NEEDED | grep -e libdl -e libcrypto
  NEEDED               libcrypto.so.1.1
$ ldd (which mount.zfs) | grep libdl
        libdl.so.2 => /nix/store/ybkkrhdwdj227kr20vk8qnzqnmj7a06x-glibc-2.34-115/lib/libdl.so.2 (0x00007f9967a9a000
```

Using `mount.zfs` directly in stage 1 init still works since
`LD_LIBRARY_PATH` overrides this (as intended).

util-linux's `mount` however executes `mount.zfs` with LD_LIBRARY_PATH
removed from its environment as can be seen with strace(1) in an
interactive stage 1 init shell (`boot.shell_on_fail` kernel parameter):

```
 # env -i LD_LIBRARY_PATH=$LD_LIBRARY_PATH $(which strace) -ff -e trace=/exec -v -qqq $(which mount) /mnt-root
execve("/nix/store/3gqbb3swgiy749fxd5a4k6kirkr2jr9n-extra-utils/bin/mount", ["/nix/store/3gqbb3swgiy749fxd5a4k"..., "/mnt-root"], ["LD_LIBRARY_PATH=/nix/store/3gqbb"...]) = 0
[pid  1026] execve("/sbin/mount.zfs", ["/sbin/mount.zfs", "<redacted>", "/mnt-root", "-o", "rw,zfsutil"], []) = 0
/sbin/mount.zfs: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1026, si_uid=0, si_status=127, si_utime=0, si_stime=0} ---
```

env(1) is used for clarity (hence subshells for absoloute paths).

While `mount` uses the right library path, `mount.zfs` is stripped of
it, so ld.so(8) fails resolve `libdl` (as required by `libcrypto`).

To fix this and not rely on `LD_LIBRARY_PATH` to be set, fix the library
path inside libraries as well.

This finally mounts all ZFS filesystems using `zfsutil` with correct and
intended mount options.
2022-05-26 22:17:02 +02:00
Klemens Nanni
4b045c7066 nixos/stage-1: Remove redundant symlink check
find(1)'s test `-type f` already excludes symbolic links, so `test -L`
will never return false for found files.
2022-05-26 22:17:02 +02:00