Commit Graph

1276 Commits

Author SHA1 Message Date
Rob Vermaas
3ce6ce149e Fix dogstatsd, needs procps in path.
(cherry picked from commit ecdb0f7867007b2e5ae0d14a0994d3b502d90fa7)
2014-05-18 13:00:57 +02:00
Austin Seipp
a0c6f07be4 Merge pull request #2604 from wkennington/master.notbit
notbit: Bump version and add more configuration options
2014-05-17 16:44:27 -05:00
Austin Seipp
4f27ad14a1 grsec: refactor grsecurity packages
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:43 -05:00
Austin Seipp
92abc4c610 kernel: enable AppArmor by default
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:09 -05:00
Charles Strahan
5445132f73 fix -G delimiter in call to useradd 2014-05-17 00:45:16 -04:00
Austin Seipp
2558fa587b Merge pull request #2629 from letac/master
Phabricator, a web application, snapshot of 2014-05-12
2014-05-14 14:57:36 -05:00
lethalman
8967d2d3b3 Merge pull request #2301 from bjornfor/graphite-fixes
nixos/graphite-service: fix startup
2014-05-14 21:44:43 +02:00
William A. Kennington III
08467c14de notbit: Add additional options to the daemon 2014-05-13 20:20:19 -05:00
William A. Kennington III
042273e528 notbit: Don't include unecessary notbit binaries in the environment 2014-05-13 20:19:57 -05:00
William A. Kennington III
8915390bab notbit: Use the correct default port 2014-05-13 20:19:27 -05:00
Athan Clark
5fc3df831c Simple typo 2014-05-13 10:35:57 -06:00
lethalman
8051101362 Merge pull request #2375 from lethalman/gnome3
gtkhtml, evolution, gnome-photos, gnome-clocks, zeitgeist, bijiben
2014-05-13 12:04:11 +02:00
Corey O'Connor
5112e6476b resolve issue #2308 2014-05-13 11:11:34 +02:00
Strahinja Popovic
25e0d51a67 Phabricator, a web application, snapshot of 2014-05-12 2014-05-12 19:59:40 +02:00
Wout Mertens
c927cee2c3 dhcpcd: Allow adding hook code 2014-05-12 15:03:42 +02:00
Rob Vermaas
7d3dcd9a8c Set console=ttyS0 for Amazon EC2 instances, as suggested by Amazon. 2014-05-12 12:29:04 +02:00
Thomas Tuegel
8df521bf0f sane: use mkSaneConfig to set system environment 2014-05-11 14:01:07 -05:00
Emery Hemingway
c96d5fe170 nixos: f2fs filesystem module support (close #2085) 2014-05-11 13:53:26 +02:00
mornfall
456ef924ba Merge pull request #2497 from aristidb/sudo_terminfo
sudo: env_keep TERMINFO for urxvt
2014-05-10 19:34:14 +02:00
Rickard Nilsson
b87b6870f8 When auto-formatting ext devices, use the -F flag to make it work with unpartioned disks 2014-05-09 16:49:03 +02:00
Eelco Dolstra
253bbb8e2b nixos-container: Ensure umask 022
Fixes #2585.
2014-05-09 13:26:02 +02:00
Eelco Dolstra
1c4fd9b25d nixos-install: Run in a separate UTS namespace
This prevents the activation script from clobbering our hostname.
2014-05-09 13:25:53 +02:00
Eelco Dolstra
c06786759c /var/run -> /run 2014-05-09 00:52:02 +02:00
Eelco Dolstra
61bdad6775 nixos-install: Don't bind-mount all of /etc
We only need a copy of /etc/resolv.conf for networking, and
/etc/{passwd,group} for building.
2014-05-09 00:52:02 +02:00
Eelco Dolstra
3ef8d6ad5c nixos-install: Add operation --chroot
"nixos-install --chroot" runs a command (by default a login shell) in
a chroot inside the NixOS installation in /mnt. This might useful for
poking around a new installation.
2014-05-09 00:52:02 +02:00
Eelco Dolstra
4fc151b5a3 nixos-install: Ask the user to set a root password
This removes the need to have an initially empty root password.
2014-05-09 00:52:02 +02:00
Eelco Dolstra
8919d736a0 nixos-install: Don't copy the bootstrap Nix if it's already there
This makes re-running nixos-install a bit faster.
2014-05-09 00:52:02 +02:00
Eelco Dolstra
22f102cbdc nixos-install: Assume the build user group is "nixbld"
The build user group is always "nixbld", so no need to detect it.
2014-05-09 00:52:02 +02:00
Eelco Dolstra
171d43ba4f nixos-install: Run in a private mount namespace
This ensures that all mounts are automatically cleaned up.
2014-05-09 00:52:02 +02:00
Eelco Dolstra
e0e656ef46 nixos-install: Don't pass --show-trace by default 2014-05-09 00:51:48 +02:00
Eelco Dolstra
4b7c606589 nixos-generator-config: Don't emit a double / in bind mounts 2014-05-09 00:51:48 +02:00
Eelco Dolstra
dc78ae327c nixos-generate-config: Don't include /var/setuid-wrappers 2014-05-09 00:51:48 +02:00
Eelco Dolstra
91afe9eb8d nixos-generate-config: Use stable device paths (e.g. /dev/disk/by-uuid/X) 2014-05-09 00:51:48 +02:00
Eelco Dolstra
1bd8ced9c0 Don't enable the NVIDIA driver by default because it's unfree 2014-05-09 00:51:48 +02:00
Vladimír Čunát
2aa3580a5e nixos-generate-config.pl: add new PCI IDs for broadcom_sta
The last ID wasn't in official README,
but it was reported by third3ye on IRC.
2014-05-08 15:24:41 +02:00
Eelco Dolstra
30180e8a24 Fix incorrect comment 2014-05-08 12:29:59 +02:00
Eelco Dolstra
fae135b871 Installer test: Increase amount of RAM
On x86_64, 384 MB is not enough anymore for running "nix-env -i".

http://hydra.nixos.org/build/10865007
2014-05-07 18:24:15 +02:00
Eelco Dolstra
333bfe16c4 Containers: Support setting up macvlan interfaces
By setting a line like

  MACVLANS="eno1"

in /etc/containers/<name>.conf, the container will get an Ethernet
interface named mv-eno1, which represents an additional MAC address on
the physical eno1 interface. Thus the container has direct access to
the physical network. You can specify multiple interfaces in MACVLANS.

Unfortunately, you can't do this with wireless interfaces.

Note that dhcpcd is disabled in containers by default, so you'll
probably want to set

  networking.useDHCP = true;

in the container, or configure a static IP address.

To do: add a containers.* option for this, and a flag for
"nixos-container create".
2014-05-07 17:53:57 +02:00
Eelco Dolstra
6f7aaf10a5 Containers: Use systemd-nspawn's --network-veth flag
Note that this causes the name of the host-side interface to change
from c-<name> to ve-<name>.
2014-05-07 17:53:57 +02:00
Eelco Dolstra
810680bcae Containers: Use systemd-nspawn's --keep-unit flag
This gets rid of some redundant scopes/slices.
2014-05-07 17:53:57 +02:00
Ricardo M. Correia
cd1b48bc35 nixos: Add zram swap module
This allows you to use the Linux kernel's built-in compressed memory as
swap space functionality.

It is recommended to enable only for kernel 3.14 (which is when zram came out of
the staging drivers area) or higher.
2014-05-06 20:04:22 +02:00
Eelco Dolstra
5bfe944907 Don't run hwclock if /dev/rtc doesn't exist
E.g. on EC2 instances.

Backport: 14.04
2014-05-05 16:47:51 +02:00
Eelco Dolstra
4a08f37206 Don't start getty@tty1 on headless machines (like EC2)
Backport: 14.04
2014-05-05 16:47:36 +02:00
Eelco Dolstra
bac68f9747 switch-to-configuration: Honour RefuseManualStop
This prevents spurious errors about systemd-tmpfiles-setup.service.

Backport: 14.04
2014-05-05 16:46:58 +02:00
Rob Vermaas
d056d1d37b Fix users.*.extraGroups for users.mutableUsers = true.
(cherry picked from commit eb222923054fdc895ab73ff5d0260c1e1fc689c7)
2014-05-05 15:35:16 +02:00
Aristid Breitkreuz
204fc0a397 sudo: env_keep TERMINFO for urxvt 2014-05-04 14:42:16 +02:00
William A. Kennington III
84a94ff006 network-interfaces: Add an option for specifying search to resolv.conf 2014-05-02 12:42:20 -05:00
Luca Bruno
4ca985a7e3 bijiben: new package
Note editor designed to remain simple to use

https://wiki.gnome.org/Apps/Bijiben
2014-05-02 17:43:18 +02:00
Luca Bruno
b3fe998fdb gnome-clocks: new package
Clock application designed for GNOME 3

https://wiki.gnome.org/Apps/Clocks
2014-05-02 16:04:57 +02:00
Luca Bruno
fbfccea0e8 geoclue2: add dbus service 2014-05-02 16:04:57 +02:00
Luca Bruno
4229053cb0 gnome-photos: new package
Photos is an application to access, organize and share your photos with GNOME 3

https://wiki.gnome.org/Apps/Photos
2014-05-02 16:04:57 +02:00
Luca Bruno
d6206ccceb evolution: new package
Personal information management application that provides integrated mail,
calendaring and address book functionality

https://wiki.gnome.org/Apps/Evolution
2014-05-02 16:04:57 +02:00
Michael Raskin
eef9a8ac2a On my system OpenGL with bumblebee seems to require libudev in LD_LIBRARY_PATH. Fix that, fix bumblebee module loading and make the socket group configurable 2014-05-02 14:32:47 +04:00
Austin Seipp
368a677c97 nixos: overhaul datadog module
This overhauls the Datadog module a bit to be much more useful. In
particular, it adds support for nginx and postgresql monitoring
integrations to dd-agent. These have to exist in separate files under
/etc/dd-agent, so the module just exposes then as separate options. In
the future, more integrations could be added this way.

In the process of doing this, I also had to rename the dd-agent user to
datadog. Note the UIDs did not change, so this is strictly backwards
compatible. The reason for this is to make it easier to create a
'datadog' postgres user with access to pg_stats, as 'dd-agent' typically
isn't a valid username. This allows the out of the box configurations to
be used.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-02 01:24:35 -05:00
Austin Seipp
b553d11616 btsync: Default to no login/password for the Web UI
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-02 00:41:47 -05:00
Austin Seipp
8946e91fad btsync: remove unneeded assertion
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-01 17:00:49 -05:00
William A. Kennington III
1396f624f4 sshd: Fix typing for options which take paths 2014-05-01 16:33:44 -05:00
William A. Kennington III
78c33177ce ssh: Support knownHost public keys as strings 2014-05-01 16:21:25 -05:00
Domen Kožar
1a501134e8 Merge pull request #2467 from lethalman/release-notes
Added gnome 3.10 to the release notes
2014-05-01 18:37:08 +02:00
Luca Bruno
ea1a9445bb Added gnome 3.10 to the release notes 2014-05-01 18:32:28 +02:00
Shea Levy
e4630c1d41 grub: Allow setting the boot root explicitly
If /boot is a btrfs subvolume, it will be on a different device than /
but not be at the root from grub's perspective. This should be fixed in
a nicer way by #2449, but that can't go into 14.04.
2014-05-01 10:56:55 -04:00
Eelco Dolstra
0b091e1286 Mark builds from git explicitly 2014-05-01 15:05:14 +02:00
Eelco Dolstra
3b616e378a release.nix: Drop officialRelease flag 2014-05-01 15:05:14 +02:00
Eelco Dolstra
c9ebb42573 Disable the rabbitmq test
It frequently gets stuck in an infinite loop, delaying releases for
many hours.
2014-04-30 23:19:50 +02:00
Eelco Dolstra
0ea20bef3c Set release date 2014-04-30 23:13:45 +02:00
Eelco Dolstra
be0f5eb45c qemu-guest.nix: Load virtio_rng
This allows the guest to have a paravirtualized RNG, if the host
provides it.
2014-04-30 18:23:42 +02:00
Eelco Dolstra
a96f4920d5 Don't make the EFI tests release-critical
They're failing on i686: http://hydra.nixos.org/build/10712961
2014-04-30 16:48:20 +02:00
Eelco Dolstra
1d8f7e63b0 Punctuation 2014-04-30 16:39:56 +02:00
Shea Levy
8e9de81857 Merge remote-tracking branch 'origin/modernize_nixos_generate_config'
modernize nixos-generate-config
2014-04-30 10:23:52 -04:00
Shea Levy
26d03000c2 Actually use services.mysql.port
Fixes #1315
2014-04-30 10:21:29 -04:00
Eelco Dolstra
05decd49ff Handle Zabbix agent and server both being enabled
This gave an error about the zabbix user uid being defined multiple
times.
2014-04-30 16:18:03 +02:00
Domen Kozar
88a8ec37d3 modernize nixos-generate-config 2014-04-30 16:14:53 +02:00
Eelco Dolstra
27d47f3983 Fix the simple installer test
http://hydra.nixos.org/build/10712818
2014-04-30 15:07:34 +02:00
Eelco Dolstra
437962ebb2 Installer test: Unmount filesystems after installation
Hopefully fixes failures like:

  http://hydra.nixos.org/build/10712833

This shouldn't be necessary, but it might be that the use of unionfs
is interfering with a clean shutdown.
2014-04-30 15:07:34 +02:00
Eelco Dolstra
728d3476ba systemd: Require some more kernel features 2014-04-30 13:53:12 +02:00
Eelco Dolstra
9bb209a3bd gummiboot: Automatically disable GRUB 2014-04-30 11:47:18 +02:00
Eelco Dolstra
e9be441b62 Merge the EFI test into tests/installer.nix 2014-04-30 11:26:39 +02:00
Eelco Dolstra
8c75ae3838 nixos-generate-config: Use systemd-detect-virt instead of dmidecode
Dmidecode fails in our EFI test with the error "SMBIOS entry point
missing". But we don't need dmidecode because we have already have
systemd-detect-virt.
2014-04-30 11:26:39 +02:00
Eelco Dolstra
956f464fff Remove obsolete zsh help text 2014-04-30 11:26:39 +02:00
Eelco Dolstra
077ecf43e5 Installer test: Remove fileSystems argument
The config function unintentionally ignored its fileSystems
argument. However, things still worked thanks to the magic of
nixos-generate-config. Yay!
2014-04-30 11:26:39 +02:00
Eelco Dolstra
90dac235bb Remove the option ‘programs.bash.enable’
NixOS has a pervasive dependency on bash. For instance, the X11
session script sources /etc/profile to get a reasonable
environment. Thus we should not provide an option to disable bash.

Also, enabling zsh no longer sets ‘users.defaultUserShell’ to zsh, to
prevent a collision with bash's definition of the same
option. (Changing the default shell is also something that should be
left to the user.)
2014-04-29 19:00:39 +02:00
Eelco Dolstra
bfc524664a Disable autofs module
It appears to be unmaintained and untested. Also, systemd provides
automount functionality so it's probably not needed anymore.
2014-04-29 15:34:55 +02:00
Eelco Dolstra
501d532188 Add a test for automounting 2014-04-29 15:34:55 +02:00
Eelco Dolstra
02cef04c81 Move the NVIDIA support into its own module
Previously all card-specific stuff was scattered across xserver.nix
and opengl.nix, which is ugly. Now it can be kept together in a single
card-specific module. This required the addition of a few internal
options:

- services.xserver.drivers: A list of { name, driverName, modules,
  libPath } sets.

- hardware.opengl.package: The OpenGL implementation. Note that there
  can be only one OpenGL implementation at a time in a system
  configuration (i.e. no dynamic detection).

- hardware.opengl.package32: The 32-bit OpenGL implementation.
2014-04-29 14:42:36 +02:00
Eelco Dolstra
3fe96bcca1 Rename hardware.opengl.videoDrivers back to services.xserver.videoDrivers
Fixes #2379.
The new name was a misnomer because the values really are X11 video
drivers (e.g. ‘cirrus’ or ‘nvidia’), not OpenGL implementations. That
it's also used to set an OpenGL implementation for kmscon is just
confusing overloading.
2014-04-29 14:42:36 +02:00
Eelco Dolstra
e6b5c0121f Obsolete fonts.extraFonts
You can now just set fonts.fonts, which will be merged with the
default value unless you use mkOverride.
2014-04-29 12:34:57 +02:00
Eelco Dolstra
d6c2dcd98c Remove redundant ~/.fonts element from the font search path 2014-04-29 12:27:03 +02:00
William A. Kennington III
936481a12e nixos: Add support for changing supported systems
release.nix and release-combined.nix current hardcode the systems which
they are built for. This change introduces an argument to the
expressions called supportedSystems, which allows the builder to choose
which architectures he wants to build. By default, this uses the same
linux x86_64 and i686 architectures.
2014-04-29 10:53:36 +02:00
Eelco Dolstra
a142d68b43 Fix some uid/gid attributes to match the actual user/group name 2014-04-29 10:51:42 +02:00
Eelco Dolstra
0e23a175de Allocate system uids/gids between 400 and 500
Previously it was between 100 and 500, but this can already collide
with the static uids/guid in misc/ids.nix.
2014-04-29 10:45:06 +02:00
Eelco Dolstra
05468f9b78 Bring back the isSystemUser option 2014-04-29 10:43:38 +02:00
Eelco Dolstra
2dfbe55421 Remove use of obsolete flags 2014-04-29 10:13:21 +02:00
Austin Seipp
9242ed1fe2 nixos: refactor tarsnap module
The Tarsnap module is now far more flexible, allowing individual
archives with individual options to be specified at will, allowing
granular backup schedules, etc.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-28 18:15:16 -05:00
Eelco Dolstra
4353220202 polkit: Remove unnecessary restart
There already is a restart trigger that takes care of this.
2014-04-28 23:57:37 +02:00
Eelco Dolstra
cbfba813fe wpa_supplicant: Restart when wlan devices (dis)appear 2014-04-28 20:12:06 +02:00
Eelco Dolstra
f5cd4eef11 cpufreq: Don't fail if the CPU doesn't support frequency setting 2014-04-28 19:13:04 +02:00
Eelco Dolstra
685ca50650 gpm: Depend on /dev/input/mice 2014-04-28 19:12:48 +02:00
Rob Vermaas
de1c182b0a Fix EC2 creation script for latest nixops
(cherry picked from commit 361eb3a5f50aba4ecfe08bf37640179dfc2e6453)
2014-04-28 15:46:49 +02:00
Eelco Dolstra
aa02b2cfb1 Bump some mentions of 13.10 2014-04-28 12:38:50 +02:00
Eelco Dolstra
c6f76861dc Update release notes 2014-04-28 12:38:50 +02:00
Eelco Dolstra
379c8ba237 polkit: Restart using systemctl
The use of pkill is now particularly bad due to containers (it might
kill processes in containers).
2014-04-28 12:38:50 +02:00
Eelco Dolstra
d621300665 Revert "Don't mount /sys/fs/fuse/connections and /sys/kernel/config"
This reverts commit 6eaced3582. Doesn't
work very well, e.g. if you actually have the FUSE module loaded. And
in any case it's already fixed in NixOps.
2014-04-28 09:19:01 +02:00
Eelco Dolstra
56b4b841ae switch-to-configuration: Use old systemctl to stop units
Otherwise, when switching from systemd 203 to 212, you get errors like:

  Failed to stop remote-fs.target: Bad message
  Failed to stop systemd-udevd-control.socket: Bad message
  ...
2014-04-28 08:28:44 +02:00
Eelco Dolstra
6eaced3582 Don't mount /sys/fs/fuse/connections and /sys/kernel/config
These fail to mount if you don't have the appropriate kernel support,
and this confuses NixOps' ‘check’ command. We should teach NixOps not
to complain about non-essential mount points, but in the meantime it's
better to turn them off.
2014-04-28 08:16:27 +02:00
Edward Tjörnhammar
22f73bfd85 Enable encrypted backing devices in fileystem configurations 2014-04-26 23:26:23 +02:00
Domen Kožar
cd31cff9f4 Make gnome3 test as release critical 2014-04-26 13:31:07 +02:00
Eelco Dolstra
37e6e08cde switch-to-configuration: Use systemctl's --no-legend flag 2014-04-25 17:42:09 +02:00
Eelco Dolstra
7ddcd7b6b6 Give the KDE test more memory 2014-04-25 17:27:05 +02:00
Eelco Dolstra
537c034e8f Make some tests release-critical 2014-04-25 17:08:58 +02:00
Eelco Dolstra
fec3b75e4b Fix ‘nixos-container run’
By default, socat only waits 0.5s for the remote side to finish after
getting EOF on the local side. So don't close the local side, instead
wait for socat to exit when the remote side finishes.

http://hydra.nixos.org/build/10663282
2014-04-25 17:04:51 +02:00
Austin Seipp
b470c93c1e nixos: only enable spipe when user specifies
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-25 05:42:00 -05:00
Eelco Dolstra
c52fb449f4 Urgh
Can't figure out why "hostname -s" keeps failing randomly :-(

http://hydra.nixos.org/build/10662142
2014-04-25 00:30:33 +02:00
Eelco Dolstra
b8d59765e1 cups: Add a listenAddresses option 2014-04-25 00:30:12 +02:00
Eelco Dolstra
cd05320716 Manual: Don't include the platform type of the host system
This causes unnecessary rebuilds of the manual.

http://hydra.nixos.org/build/10662170
2014-04-25 00:14:55 +02:00
Eelco Dolstra
23297b0edd Make nscd startup synchronous
Nscd forks into the background before it's ready to accept
connections. So explicitly wait until it's ready.

http://hydra.nixos.org/build/10661767
2014-04-24 23:18:47 +02:00
Eelco Dolstra
d7a7f80aff cups: Start after network.target
http://hydra.nixos.org/build/10661709
2014-04-24 23:18:16 +02:00
Eelco Dolstra
2c70276d96 Remove outdated remark 2014-04-24 23:18:15 +02:00
Eelco Dolstra
af817ae0d8 Try again 2014-04-24 18:32:32 +02:00
Eelco Dolstra
019e9d8a3d Fix simpleTest function 2014-04-24 15:46:10 +02:00
Eelco Dolstra
2b7e746c02 Make the misc test a bit more robust 2014-04-24 15:19:26 +02:00
Eelco Dolstra
2d8c0d24f2 dhcpcd: Fix segfaults
This fixes several problems in the dhcpcd service:

* A segfault during startup, due to a race with udev (dhcpcd would get
  an ADD event from udev, causing it to re-add an interface that it
  already had, leading to a segfault later on).

* A hang/segfault processing "dhcpcd rebind" (which NixOS calls after
  waking up from suspend).

Also, add "lo" to the list of ignored interfaces. It usually ignores
"lo", but apparently not when it gets an ADD event from udev.
2014-04-24 15:19:26 +02:00
Eelco Dolstra
25af3671f9 Remove some dead code 2014-04-24 15:19:26 +02:00
Eelco Dolstra
d4986b5fd3 Don't create world-readable swapfiles 2014-04-24 15:19:10 +02:00
Domen Kožar
7eabca3409 Merge pull request #2315 from lethalman/gnome3
gedit, libmediaart, fix xdg-user-dirs, enable GI in grilo, prioritize nautilus mimetype, seahorse, gnome-music, glade, gnome-documents
2014-04-24 01:16:54 +02:00
Oliver Charles
eb07baf75c Fixing evaluation of misc/version.nix 2014-04-23 14:14:54 +01:00
Shea Levy
66a43c0159 Update version 2014-04-23 08:02:18 -04:00
Ricardo M. Correia
419a71e1e5 spl, zfs: Add git versions, based on recent commits
Upstream has not been tagging new versions for a long time, but we need
compatibility with newer kernels. The 0.6.2 versions already have a bunch of
backported compatibility patches, but 3.14 kernels need even more.

Also, the git versions have fixed a bunch of crashes and other bugs, so perhaps
we should just bite the bullet and just use recent git versions (as sometimes
upstream recommends, when people run into bugs).

This adds a new "boot.zfs.useGit" boolean option, so that a user can
easily opt into using the git versions.
2014-04-23 01:42:52 +02:00
Eelco Dolstra
da444ff26f Turn assertion about oneshot services into a warning 2014-04-22 23:53:21 +02:00
Luca Bruno
3ccf8e1ba2 gnome-documents: new package
Document manager application designed to work with GNOME 3

https://wiki.gnome.org/Apps/Documents
2014-04-22 22:17:21 +02:00
Luca Bruno
5a79b0fc86 gnome-online-miners: new package
A set of crawlers that go through your online content and index them locally in Tracker

https://wiki.gnome.org/Projects/GnomeOnlineMiners
2014-04-22 22:17:21 +02:00
Luca Bruno
737fc27473 gnome-music: new package
Music player and management application for the GNOME desktop environment

https://wiki.gnome.org/Apps/Music
2014-04-22 22:17:20 +02:00
Luca Bruno
f6159b9095 seahorse: new package
Application for managing encryption keys and passwords in the GnomeKeyring

https://wiki.gnome.org/Apps/Seahorse
2014-04-22 22:17:20 +02:00
Luca Bruno
a4ef8dd634 gnome3: prioritize nautilus when opening inode/directory 2014-04-22 22:17:20 +02:00
Luca Bruno
bfbdbc19eb gedit: new package
Official text editor of the GNOME desktop environment

https://wiki.gnome.org/Apps/Gedit
2014-04-22 22:17:19 +02:00
Shea Levy
7d1ddae58e nixos: evaluate assertions at toplevel, not at systemPackages
Fixes #2340
2014-04-22 14:09:02 -04:00
Eelco Dolstra
03d9e5cda0 sshd: Add support for socket activation
By enabling ‘services.openssh.startWhenNeeded’, sshd is started
on-demand by systemd using socket activation. This is particularly
useful if you have a zillion containers and don't want to have sshd
running permanently. Note that socket activation is not noticeable
slower, contrary to what the manpage for ‘sshd -i’ says, so we might
want to make this the default one day.
2014-04-22 17:38:54 +02:00
Eelco Dolstra
baffee02b8 sshd: Always start a session
Partially reverts 70a4c7b1df. Whether to
start a session is independent of whether we're running in a
container.
2014-04-22 17:38:53 +02:00
Eelco Dolstra
b4afe5b7bc dbus: Use upstream units 2014-04-22 17:38:53 +02:00
Eelco Dolstra
fa3826dcf4 Ignore *.wants in systemd.packages for now 2014-04-22 17:38:53 +02:00
Alexander Kjeldaas
baf4faeddc Only disable TPM access by rngd when tcsd is enabled. 2014-04-22 14:05:09 +02:00
Alexander Kjeldaas
4cca346d21 Add types to tcsd config options. 2014-04-22 14:05:09 +02:00
Alexander Kjeldaas
5065802b3a Added TCSD (Trusted Computing Group Software Stack (TSS) daemon).
Start tcsd after systemd-udev-settle and run it in foreground.
2014-04-22 14:05:09 +02:00
Alexander Kjeldaas
64311899db Don't let rngd read /dev/tpm0.
Only one process can interact with the TPM module and
that process should be tcsd.  The tpm_rng kernel module
should instead be loaded and /dev/hwrnd be used to
read the TPM random generator.
Also, log which random generator devices are used by
rngd on startup.
2014-04-22 14:05:09 +02:00
Eelco Dolstra
27a8cada79 openvpn: Add systemd startup notification
This causes OpenVPN services to reach the "active" state when the VPN
connection is up (i.e., after OpenVPN prints "Initialization Sequence
Completed"). This allows units to be ordered correctly after openvpn-*
units, and makes systemctl present a password prompt:

  $ start openvpn-foo
  Enter Private Key Password: *************

(I first tried to implement this by calling "systemd-notify --ready"
from the "up" script, but systemd-notify is not reliable.)
2014-04-22 13:14:58 +02:00
Shea Levy
2a4282c811 Revert "Merge branch 'dbus-switch-to-configuration'"
This seems to have combined badly with the systemd upgrade, we'll revert
for now and revisit after the 14.04 branch.

This reverts commit ad80532881, reversing
changes made to 1c5d3c7883.
2014-04-21 18:30:05 -04:00
Rickard Nilsson
cfa5b5778c pulseaudio module: Use pid-file for system-wide daemon, add loglevel option 2014-04-21 23:22:11 +02:00
Rickard Nilsson
5db9287b7c rtkit: Update from 0.10 to 0.11 2014-04-21 23:22:10 +02:00
Ricardo M. Correia
3ad27289fc nixos/tests/avahi: Fix race condition on mDNS test 2014-04-21 19:54:16 +02:00
Ricardo M. Correia
5d5ca7b260 grsecurity: Update all patches
stable:  3.0-3.2.57-201404131252            -> 3.0-3.2.57-201404182109
test:    3.0-3.13.10-201404141717           -> 3.0-3.14.1-201404201132
vserver: 3.0-3.2.57-vs2.3.2.16-201404131253 -> 3.0-3.2.57-vs2.3.2.16-201404182110
2014-04-21 18:46:41 +02:00
Eelco Dolstra
19e9d25e8f Remove KDE 4.11 2014-04-21 18:13:17 +02:00
Oliver Charles
ad80532881 Merge branch 'dbus-switch-to-configuration' 2014-04-21 13:09:14 +01:00
Shea Levy
1c5d3c7883 Merge branch 'modulesfix' of git://github.com/kirelagin/nixpkgs
ohci_pci is required in initrd since kernel 3.11
2014-04-21 07:51:31 -04:00
Kirill Elagin
ca7978a09d ohci_pci is required in initrd since kernel 3.11 2014-04-21 15:42:05 +04:00
Oliver Charles
42ae633445 Merge branch 'master' into dbus-switch-to-configuration
Conflicts:
	nixos/modules/system/activation/switch-to-configuration.pl
2014-04-20 19:17:05 +01:00
Eelco Dolstra
cf53152902 Fix GRUB 2 example
Fixes #1891.
2014-04-20 19:41:15 +02:00
Eelco Dolstra
4e8c2f0ff9 Merge branch 'systemd-update' 2014-04-20 19:31:01 +02:00
Eelco Dolstra
2fbb9aba43 Fix the installer test
http://hydra.nixos.org/build/10419676
2014-04-20 01:56:11 +02:00
Eelco Dolstra
37d5e9c455 Temporary fix for installer tests
http://hydra.nixos.org/build/10455979
2014-04-20 01:53:11 +02:00
Eelco Dolstra
0a256cc0ee Firewall: Only start if we have CAP_NET_ADMIN 2014-04-19 23:02:59 +02:00
Eelco Dolstra
4fb50f071f Manual: Typo fixes 2014-04-19 22:59:25 +02:00
William A. Kennington III
3ccf990372 pcscd: Refactor service and use socket activation 2014-04-19 14:37:31 +01:00
Eelco Dolstra
18a7ce76fc Enable udisks2 by default
The ability for unprivileged users to mount external media is useful
regardless of the desktop environment. Also, since udisks2 is
activated on-demand, it doesn't add any overhead if you're not using it.
2014-04-19 14:41:21 +02:00
Eelco Dolstra
894e2dfb25 Add a test for udisks2 2014-04-19 14:37:05 +02:00
Eelco Dolstra
fa9ed04997 Restart polkit if its configuration may have changed 2014-04-19 14:29:02 +02:00
Eelco Dolstra
82535e0f8f switch-to-configuration: Check overrides.conf for X-* options 2014-04-19 14:28:33 +02:00
Eelco Dolstra
b03a2f9e90 Set personality when running a 32-bit container on a 64-bit host 2014-04-19 13:14:51 +02:00
Eelco Dolstra
9f1c9404da Put /var/setuid-wrappers on a tmpfs
This allows all other filesystems to be mounted without the suid
option.
2014-04-19 12:40:09 +02:00
Eelco Dolstra
2a64b0a91b Shut up warning about resolv.conf missing 2014-04-19 12:34:59 +02:00
Eelco Dolstra
fa1a46a01c setuid-wrapper: Fix broken string comparison 2014-04-19 10:58:30 +02:00
Eelco Dolstra
b80e6b27c7 setuid-wrapper: Drop runtime dependency on setuid-wrapper.c 2014-04-19 10:53:17 +02:00
Eelco Dolstra
a8aa9f3fd4 setuid-wrapper.c: Remove tabs 2014-04-19 10:53:05 +02:00
Eelco Dolstra
e7ab051cda Disable predictable interface names in tests
Apparently systemd is now smart enough to figure out predictable names
for QEMU network interfaces. But since our tests expect them to be
named eth0/eth1..., this is not desirable at the moment.

http://hydra.nixos.org/build/10418789
2014-04-19 10:13:46 +02:00
Mathijs Kwik
bf841cd892 Revert "systemd: oneshot units should be allowed to restart on failure/abort"
This reverts commit c1e638abb6.

As pointed out by wkennington, upstream disallows all cases as of v207
2014-04-18 21:42:22 +02:00
Eelco Dolstra
5ee5aa1b90 Make "nixos-container login" an alias of "machinectl login" 2014-04-18 20:47:31 +02:00
Eelco Dolstra
0121688424 gpm: Better start condition 2014-04-18 20:23:27 +02:00
Eelco Dolstra
febb15f722 systemd: Enable keeping backlight / rfkill state across reboots 2014-04-18 19:37:15 +02:00
Eelco Dolstra
232a9caa96 Fix predictable network interface naming
In current systemd, this has been moved to systemd-network, which
we're not using yet. So revive the old udev rules from systemd 203.
2014-04-18 19:34:45 +02:00
Michael Raskin
7231b6b94e Merge pull request #2248 from ehmry/rsync
rsync updated 3.0.9 to 3.1.0, rsyncd service module
2014-04-18 10:17:08 -07:00
Eelco Dolstra
465d6ff572 Set $LOCALE_ARCHIVE in all systemd units
This variable used to be inherited implicitly from the stage-2 script,
but systemd now clears the environment. So we need to set it
explicitly.
2014-04-18 19:04:45 +02:00
Eelco Dolstra
313c38d5f1 switch-to-configuration: Handle systemctl output change 2014-04-18 19:04:45 +02:00
Eelco Dolstra
02b936189c Improve gpm service 2014-04-18 18:45:20 +02:00
Eelco Dolstra
48d90cf3b6 Revert "Put /nix/var/nix/{temproots,userpool} on a tmpfs"
This reverts commit dd49094a25. Nix
barfs if /nix/var/nix/temproots is a symlink :-(
2014-04-18 18:37:07 +02:00
Eelco Dolstra
1e540af43b Fix broken upstream user unit symlinks 2014-04-18 17:38:06 +02:00
Eelco Dolstra
85fdaed9de ssh-agent: Tweaks 2014-04-18 17:37:47 +02:00
Eelco Dolstra
fec3bc85a6 postgresql: Use systemd's new "mixed" kill mode
"Mixed" mode sends the initial SIGINT only to the main process, but
sends the SIGKILL after the time-out expires to the entire cgroup.
2014-04-18 17:32:24 +02:00
Eelco Dolstra
16bba2db2e Use "machinectl poweroff" to shut down containers 2014-04-18 17:11:59 +02:00
Eelco Dolstra
f9423208c2 Containers: Don't warn about not having a boot loader 2014-04-18 17:00:11 +02:00
Eelco Dolstra
dd49094a25 Put /nix/var/nix/{temproots,userpool} on a tmpfs 2014-04-18 16:56:20 +02:00
Eelco Dolstra
c13cede19d Remove long-obsolete /nix/var/nix/chroots directory 2014-04-18 16:50:37 +02:00
Eelco Dolstra
21573af9fb Containers: Use /etc/resolv.conf supplied by the host
This used to work with systemd-nspawn 203, because it bind-mounted
/etc/resolv.conf (so openresolv couldn't overwrite it). Now it's just
copied, so we need some special handling.
2014-04-18 16:48:11 +02:00
Eelco Dolstra
5c62d3d26b nixos-rebuild: Handle $SHELL not being bash 2014-04-18 16:05:20 +02:00
Eelco Dolstra
da774bced5 Remove dhcpcd_without_udev attribute 2014-04-18 15:36:06 +02:00
Eelco Dolstra
4c764479a6 Remove redundant space 2014-04-18 14:59:59 +02:00
Eelco Dolstra
359935a1ef kmod-static-nodes: Drop superfluous wantedBy 2014-04-18 14:51:18 +02:00
Eelco Dolstra
9bb40b7a5b Pull in nix-daemon.socket
This led to the container test failing, which made no sense
whatsoever, until I realized nix-daemon.socket creates the socket
directory as a side effect, which systemd-nspawn then bind-mounts.

http://hydra.nixos.org/build/10397575
2014-04-18 14:50:07 +02:00
Eelco Dolstra
d43b536ab6 Work around apparent dhcpcd bug 2014-04-18 02:43:00 +02:00
Eelco Dolstra
f7d28f7cd6 Slight test speedup
Don't do a pointless ARP check in dhcpcd.
2014-04-18 02:40:01 +02:00
Eelco Dolstra
64b968f81f Remove debug line 2014-04-18 02:31:10 +02:00
Eelco Dolstra
12f06ae499 Doh 2014-04-18 01:36:43 +02:00
Eelco Dolstra
9f65e82b59 Make the login test a bit more robust
http://hydra.nixos.org/build/10397037
2014-04-18 01:22:38 +02:00
Eelco Dolstra
ffedee6ed5 Start ssh-agent as a user unit
This has some advantages:

* You get ssh-agent regardless of how you logged in. Previously it was
  only started for X11 sessions.

* All sessions of a user share the same agent. So if you added a key
  on tty1, it will also be available on tty2.

* Systemd will restart ssh-agent if it dies.

* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
  more secure than /tmp.

For bonus points, we should patch ssh-agent to support socket-based
activation...
2014-04-18 00:45:26 +02:00
Eelco Dolstra
e34a1589fe Add support for user units
With ‘systemd.user.units’ and ‘systemd.user.services’, you can specify
units used by per-user systemd instances.  For example,

  systemd.user.services.foo =
    { description = "foo";
      wantedBy = [ "default.target" ];
      serviceConfig.ExecStart = "${pkgs.foo}/bin/foo";
    };

declares a unit ‘foo.service’ that gets started automatically when the
user systemd instance starts, and is stopped when the user systemd
instance stops.

Note that there is at most one systemd instance per user: it's created
when a user logs in and there is no systemd instance for that user
yet, and it's removed when the user fully logs out (i.e. has no
sessions anymore). So if you're simultaneously logged in via X11 and a
virtual console, you get only one copy of foo.
2014-04-18 00:38:40 +02:00
Eelco Dolstra
073351a5cf Refactor unit option declarations
This gets rid of some duplication.
2014-04-17 23:35:05 +02:00
Eelco Dolstra
2ad6933a22 Remove special handling of systemd-journal-gatewayd 2014-04-17 19:05:29 +02:00
Eelco Dolstra
179acfb664 Allow upstream systemd units to be extended
If you define a unit, and either systemd or a package in
systemd.packages already provides that unit, then we now generate a
file /etc/systemd/system/<unit>.d/overrides.conf. This makes it
possible to use upstream units, while allowing them to be customised
from the NixOS configuration. For instance, the module nix-daemon.nix
now uses the units provided by the Nix package. And all unit
definitions that duplicated upstream systemd units are finally gone.

This makes the baseUnit option unnecessary, so I've removed it.
2014-04-17 18:52:31 +02:00
Eelco Dolstra
8dcf76480c firewall: Order after systemd-modules-load.service
This ensures that connection tracking modules are loaded on time.
2014-04-17 18:10:20 +02:00
Luca Bruno
1942d9cadc gnome-control-center: find gnome-shell search providers 2014-04-17 17:32:20 +02:00
Eelco Dolstra
bfda72c2f9 Fix waitForX 2014-04-17 17:07:03 +02:00
Eelco Dolstra
560a1103ad Add option ‘systemd.tmpfiles.rules’
This allows specifying rules for systemd-tmpfiles.

Also, enable systemd-tmpfiles-clean.timer so that stuff is cleaned up
automatically 15 minutes after boot and every day, *if* you have the
appropriate cleanup rules (which we don't have by default).
2014-04-17 16:14:56 +02:00
Eelco Dolstra
bb9304e280 Remove creation of /tmp/.ICE-unix
This is now done by tmpfiles.
2014-04-17 16:14:56 +02:00
Bjørn Forsman
705dd70b32 nixos/grahite-service: mkdir -m => mkdir && chmod
mkdir -m will only set the permissions if it *creates* the directory.
Existing directories, with possibly wrong permissions, will not be
updated.

Use explicit chmod so permissions will always be correct.
2014-04-17 15:51:28 +02:00
Bjørn Forsman
ffb593f880 nixos/graphite-service: fix startup issue
The preStart snippets (graphite, carbon) try to create directories under
/var/db/. That currently fails because the code is run as user
"graphite". Fix by setting "PermissionsStartOnly = true" so that the
preStart stuff is run as 'root'.

Further:
 * graphite-web-0.9.12/bin/build-index.sh needs perl, so add it to PATH.
 * Now that preStart runs as root, we must wait with "chown graphite"
   until we're done creating files/directories.
 * Drop needless check for root (uid 0) before running chown.
2014-04-17 15:48:39 +02:00
Mathijs Kwik
c1e638abb6 systemd: oneshot units should be allowed to restart on failure/abort 2014-04-17 15:20:39 +02:00
Eelco Dolstra
7ea51b1c6c Enable kmod-static-nodes.service
This creates static device nodes such as /dev/fuse or
/dev/snd/seq. The kernel modules for these devices will be loaded on
demand when the device node is opened.
2014-04-17 14:35:05 +02:00
Eelco Dolstra
317a81ada2 Enable systemd-tmpfiles 2014-04-17 13:23:06 +02:00
Eelco Dolstra
518f710547 Fix module loading in systemd-udevd 2014-04-17 12:26:12 +02:00
Eelco Dolstra
89155dbc01 systemd: Enable user systemd instances 2014-04-17 12:03:04 +02:00
Eelco Dolstra
5378da25a0 Apply pam_loginuid before pam_systemd
As recommended by the pam_systemd manpage.
2014-04-17 11:35:18 +02:00
Eelco Dolstra
f0a9703f77 journalctl no longer parses the flag "-bu" 2014-04-17 10:56:10 +02:00
Eelco Dolstra
eeb32fd82b Hopefully fix random failure in cups test
http://hydra.nixos.org/build/10372895
2014-04-17 10:53:08 +02:00
Luca Bruno
eddb702c96 gnome3: enable pulseaudio by default 2014-04-16 18:27:35 +02:00
Domen Kožar
3a9f28ee08 Merge pull request #2185 from lethalman/gnome3
tracker, licenses.cc-by-30, gnome-user-docs, upgrade sushi, gnome-keyring service, gnome-user-share, gnome-tweak-tool, gnome-shell-extensions, xdg-user-dirs
2014-04-16 18:08:00 +02:00
Eelco Dolstra
150d3b0095 no-x-libs.nix: Disable su xauth forwarding, and X11 dependency in dbus 2014-04-16 16:58:06 +02:00
Eelco Dolstra
c81565f6cf Remove hack for using upstream getty units
Also, enable the container-getty@ unit so that "machinectl login"
works.
2014-04-16 16:11:17 +02:00
Eelco Dolstra
c382ad1e17 Fix tests
Doing a =~ regexp check doesn't do anything in itself...
2014-04-16 16:09:32 +02:00
Luca Bruno
92a831a4ec xdg-user-dirs: new package
A tool to help manage well known user directories
like the desktop folder and the music folder

http://freedesktop.org/wiki/Software/xdg-user-dirs
2014-04-16 15:02:27 +02:00
Eelco Dolstra
e8af68d2dc Make machinectl work 2014-04-16 10:48:14 +02:00
Eelco Dolstra
566a5c33e8 Set MODULE_DIR in systemd-load-modules.service 2014-04-16 10:43:33 +02:00
Eelco Dolstra
8b7d73abba Don't run the cpufreq service in VMs 2014-04-16 10:36:16 +02:00
William A. Kennington III
85e9ad1b2f stage1: Systemd libraries were renamed 2014-04-16 01:49:42 +02:00
Eelco Dolstra
ab989f525b Drop ALSA dependency in containers 2014-04-16 01:44:43 +02:00
Eelco Dolstra
60a84019b4 Don't make containers depend on cpupower 2014-04-16 01:11:32 +02:00
William A. Kennington III
dd209e901c cpu-freq: Use cpupower instead of cpufrequtils
Additionally, put the powersave utility in charge of loading the
cpufrequency modules based on the governor specified in the
configuration.
2014-04-16 01:10:26 +02:00
Eelco Dolstra
2fc520d699 Simplify assertion 2014-04-16 01:08:14 +02:00
William A. Kennington III
eda854d50f systemd: Add an assertion to guarantee oneshot units do not have restart set
This prevents insidious errors once systemd begins handling the unit. If
the unit is loaded at boot, any errors of this nature are logged to the
console before the journal service is running. This makes it very hard
to diagnose the issue. Therefore, this assertion helps guarantee the
mistake is not made.
2014-04-16 01:05:56 +02:00
William A. Kennington III
6ff2521974 upstart: Oneshot rules should always have Restart=no 2014-04-16 01:04:52 +02:00
Eelco Dolstra
ee9c068b0c systemd: Update to 212
Note that systemd no longer depends on dbus, so we're rid of the
cyclic dependency problem between systemd and dbus.

This commit incorporates from wkennington's systemd branch
(203dcff45002a63f6be75c65f1017021318cc839,
1f842558a95947261ece66f707bfa24faf5a9d88).
2014-04-16 00:59:26 +02:00
Eelco Dolstra
e8eea659a0 Don't enable LVM2 in containers
It's a somewhat pointless dependency.
2014-04-15 23:43:39 +02:00
Ricardo M. Correia
d8b21c2224 nixos: Fix sysctl option merging
Using pkgs.lib.mkOverride in a sysctl option would throw a bogus error.

Also, if you defined a sysctl multiple times in the same configuration,
only one of the values would be picked up, while the others were silently
discarded.

This patch should fix both issues. If you define a sysctl multiple
times at your highest defined priority level, you will get a proper
error with detailed location information.
2014-04-15 21:52:04 +02:00
William A. Kennington III
d2ee6e6a24 stage 1: Remove scsi_wait_scan as it is not supported after kernel 3.7 2014-04-15 14:59:39 +02:00
Eelco Dolstra
06edd48842 Fix the bittorrent test
This was broken since e8baaba044,
because on the tracker, a DNS lookup for "tracker" returns ::1 due to
nss_myhostname. This apparently confused it.
2014-04-15 14:37:20 +02:00
Austin Seipp
da6bc44dd7 nixos: transmission improvements
This mostly upgrades transmission, and does some very minor touchups on
AppArmor support.

In particular, there is now no need to ever specify the umask as part of
the settings, as it will be mixed in by default (which is essentially
always what you want). Also, the default configuration is now more
sensible: Downloads are put in /var/lib/transmission/Downloads, and
incomplete files are put in /var/lib/transmission/.incomplete - this
also allows easy use of file syncing probrams, like BitTorrent Sync.

Finally, this unconditionally enables the AppArmor profiles for the
daemon, if AppArmor is enabled - rather than letting the user specify
profile support, it's best to default to supporting profiles for daemons
transparently in all places.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 06:54:51 -05:00
Eelco Dolstra
5fa812ba5e Containers: Inherit the platform type of the host
http://hydra.nixos.org/build/10350055
2014-04-15 12:58:42 +02:00
Eelco Dolstra
00372ca638 nixos-rebuild: Fallback for upgrading Nix
Previously, if the currently installed Nix is too old to evaluate
Nixpkgs, then nixos-rebuild would fail and the user had to upgrade Nix
manually. Now, as a fallback, we run ‘nix-store -r’ to obtain a binary
Nix directly from the binary cache.
2014-04-15 12:07:34 +02:00
Eelco Dolstra
f9e6181478 nixos-rebuild: Exec nixos-rebuild from the new Nixpkgs tree
This allows doing any necessary actions that were not in the installed
nixos-rebuild (such as downloading a new version of Nix). This does
require us to be careful that nixos-rebuild is backwards-compatible
(i.e. can run in any old installation).
2014-04-15 12:07:29 +02:00
Eelco Dolstra
35bf0f4810 Don't restart container-startup-done 2014-04-15 12:07:24 +02:00
Eelco Dolstra
596bd37163 Don't restart container shells in switch-to-configuration 2014-04-15 12:07:18 +02:00
Austin Seipp
ae207efc07 nixos: add spiped service module
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 03:33:47 -05:00
Austin Seipp
42954a2d20 Fix hydra UID
The style for IDs dictates that groups/users should have the same ID -
so if a user doesn't have a group or vice versa, then we should skip
that ID.

In this case, we had already assigned grsecurity GID 121, but I
accidentally also assigned Hydra UID 121. Instead, let's assign Hydra
UID 122. And also assign a GID (122) as well.

Luckily nobody was depending on this yet (except me).

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 02:29:13 -05:00
Luca Bruno
b3a9cc1725 gnome3: add gnome-menus and shared_mime_info packages to find applications 2014-04-15 00:15:20 +02:00
Vladimír Čunát
8340454544 mesa: have all output on /run/opengl-driver{,-32}
Fixes #2242 in a different way (cleaner, I hope).
2014-04-14 21:38:23 +02:00
Vladimír Čunát
557dff54aa nixos opengl: add s2tc to mesa drivers by default
Close #2200. Thanks to @cpages for suggesting and testing this.
2014-04-14 21:38:23 +02:00
Eelco Dolstra
269bd7ef83 Add missing file 2014-04-14 21:03:43 +02:00
Eelco Dolstra
7ce743b422 Manual: Add some IDs 2014-04-14 19:27:26 +02:00
Eelco Dolstra
e1a1146690 Update section on writing tests 2014-04-14 19:19:39 +02:00
Luca Bruno
fd900f2f8a gnome3: add gtk3 to system packages for gtk-update-icon-cache
Updating the icon-cache lets gnome-shell show app icons in the activity
2014-04-14 17:19:38 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Eelco Dolstra
4f2aa2f706 Fix installer test evaluation 2014-04-14 16:24:08 +02:00
Rob Vermaas
3f15f8b703 Add script to create and upload GCE image. 2014-04-14 14:38:52 +02:00
Eelco Dolstra
36c05d5e5b Simplify running tests even further
Now you can just say:

  $ nix-build '<nixos/tests/login.nix>'

You can still get the driver script for interactive testing:

  $ nix-build '<nixos/tests/login.nix>' -A driver
  $ ./result/bin/nixos-test-driver
2014-04-14 14:23:38 +02:00
Eelco Dolstra
abe218950c Make it easier to run the tests
You can now run a test in the nixos/tests directory directly using
nix-build, e.g.

  $ nix-build '<nixos/tests/login.nix>' -A test

This gets rid of having to add the test to nixos/tests/default.nix.
(Of course, you still need to add it to nixos/release.nix if you want
Hydra to run the test.)
2014-04-14 14:02:44 +02:00
Luca Bruno
b80925a19e empathy: find gsettings schemas, enable in gnome3, disable parallel build
Enabling by default on gnome3 as now it's possible to create and use
accounts (tested with telepathy_gabble and gtalk).

At this time, empathy x86-64 fails to build on hydra but I'm unable
to reproduce. Therefore, try disabling the parallel build.
2014-04-14 13:25:59 +02:00
Eelco Dolstra
30d0864dc6 Simplify 2014-04-14 10:26:12 +02:00
Eelco Dolstra
ba29614578 Manual: Generate stable ids for options
E.g. ‘#opt-boot.initrd.kernelModules’.

Also, shut up a stupid XSLT warning (‘attribute value is not an NCName’).
2014-04-14 10:26:12 +02:00
Luca Bruno
997b4898b5 gnome-shell-extensions: new package
Modify and extend GNOME Shell functionality and behavior

https://wiki.gnome.org/Projects/GnomeShell/Extensions
2014-04-14 09:58:04 +02:00
Luca Bruno
3cc07a44bc gnome-tweak-tool: new package
A tool to customize advanced GNOME 3 options

https://wiki.gnome.org/action/show/Apps/GnomeTweakTool
2014-04-14 09:58:04 +02:00
Luca Bruno
c6383af311 gnome-online-accounts: add dbus service 2014-04-14 09:58:04 +02:00
Luca Bruno
add4977a91 system-path, gnome3: run update-desktop-database to create the mime cache
This allows programs such as yelp to handle help:// protocol schemas
2014-04-14 09:58:03 +02:00
Luca Bruno
a5b4c74a16 gnome-user-share: new package
Service that exports the contents of the Public folder in your home directory on the local network

https://help.gnome.org/users/gnome-user-share/3.8
2014-04-14 09:58:03 +02:00
Luca Bruno
191c4b6145 gnome3: make extensions.gnome.org recognize the gnome desktop 2014-04-14 09:58:03 +02:00
Luca Bruno
b0154961ed gnome-keyring: add dbus service 2014-04-14 09:58:03 +02:00
Luca Bruno
9d5a06cfe7 gnome3: use package names for environment.gnome3.excludePackages 2014-04-14 09:58:03 +02:00
Luca Bruno
87284dd9e9 sushi, telepathy: make enabling the service overridable 2014-04-14 09:58:02 +02:00
Luca Bruno
b4096479fa gnome-user-docs: new package licensed under the new licenses.cc-by-30
User and system administration help for the Gnome

https://help.gnome.org/users/gnome-help/3.10
2014-04-14 09:58:02 +02:00
Luca Bruno
d5b4c3c63e tracker: new package
Desktop-neutral user information store, search tool and indexer

https://wiki.gnome.org/Projects/Tracker
2014-04-14 09:58:02 +02:00
Emery Hemingway
93e9154805 rsync updated 3.0.9 to 3.1.0, rsyncd service module 2014-04-13 23:25:28 -04:00
Bjørn Forsman
6fa1ad04da nixos: extend documentation example for security.setuidOwners
Show that it is possible to set custom permission bits.
2014-04-13 12:31:08 +02:00
Austin Seipp
a3155a0e2a nixos: add a UID for Hydra
Otherwise the Hydra module can't be used when mutableUsers = false;

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 21:20:18 -05:00
Austin Seipp
64efd184ed grsecurity: Fix GRKERNSEC_PROC restrictions
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.

This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.

This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 11:16:05 -05:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Shea Levy
0122697550 Revert "Merge branch 'postgresql-user' of git://github.com/ocharles/nixpkgs"
Reverting postgres superuser changes until after stable.

This reverts commit 6cc0cc7ff6, reversing
changes made to 3c4be425db.
2014-04-11 19:23:03 -04:00
Shea Levy
9b077bac58 Revert "postgresql: properly fix permissions issue by in postStart"
Reverting postgres superuser changes until after stable.

This reverts commit c66be6378d.
2014-04-11 19:22:43 -04:00
Shea Levy
e9e60103de Revert "Create the 'postgres' superuser"
Reverting postgres superuser changes until after stable.

This reverts commit 7de29bd26f.
2014-04-11 19:22:39 -04:00
Shea Levy
c23050e231 Revert "Use PostgreSQL 9.3's pg_isready to wait for connectivity"
Reverting postgres superuser changes until after stable.

This reverts commit e206684110.
2014-04-11 19:21:50 -04:00
Eelco Dolstra
e2bc9a3d14 Include Archive::Cpio in the installation CD
http://hydra.nixos.org/build/10268978
2014-04-11 17:16:44 +02:00
Eelco Dolstra
13185280fe Fix tests broken due to the firewall being enabled by default 2014-04-11 17:16:44 +02:00
Eelco Dolstra
017408e048 Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel.  (Longer term, we should probably move to a single service
for managing the iptables rules.)
2014-04-11 17:16:44 +02:00
Eelco Dolstra
b9281e6a2d Fix NAT module 2014-04-11 17:16:44 +02:00
Eelco Dolstra
2da09363bf nix: Update to 1.7 2014-04-11 12:24:48 +02:00
Peter Simons
ad65a1e064 Revert "nixos: fix shell on conatiners"
This reverts commit c69577b7d6.
See https://github.com/NixOS/nixpkgs/pull/2198 for further details.
2014-04-11 12:07:00 +02:00
Eelco Dolstra
d2155649af Merge branch 'containers'
Fixes #2105.
2014-04-10 15:55:51 +02:00
Eelco Dolstra
6a7a8a144f Document NixOS containers 2014-04-10 15:07:29 +02:00
Eelco Dolstra
a34bfbab4c Add option networking.nat.internalInterfaces
This allows applying NAT to an interface, rather than an IP range.
2014-04-10 15:07:29 +02:00
Eelco Dolstra
ac8c924c09 nixos-container: Add ‘run’ and ‘root-login’ commands
And remove ‘root-shell’.
2014-04-10 15:07:29 +02:00
Eelco Dolstra
da4f180252 Bring back ‘nixos-container update’ 2014-04-10 15:07:29 +02:00
Eelco Dolstra
3dca6b98cb Fix permissions on /var/lib/startup-done 2014-04-10 15:07:28 +02:00
Peter Simons
26d8f54587 Merge pull request #2198 from offlinehacker/nixos/shadow/login_containers_fix
nixos: fix shell on conatiners
2014-04-10 12:39:19 +02:00
Peter Simons
0e147530ef Merge pull request #2199 from offlinehacker/nixos/ntp/containers_fix
nixos: disable ntp on containers by default
2014-04-10 12:33:35 +02:00
Jaka Hudoklin
0b170187e3 nixos: disable ntp on containers by default 2014-04-10 12:30:03 +02:00
Jaka Hudoklin
c69577b7d6 nixos: fix shell on conatiners 2014-04-10 12:28:09 +02:00
aszlig
5dd14a1059
nixos/phpfpm: Add option to set PHP package.
This allows to easily override the used PHP package, especially for
example if you want to use PHP 5.5 or if you want to override the
derivation.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-04-10 07:52:26 +02:00
Shea Levy
9dcffe951d Merge branch 'cjdns' of git://github.com/ehmry/nixpkgs
cjdns: update to 20130303
2014-04-09 20:34:32 -04:00
Bjørn Forsman
e856584e1a nixos/jenkins-service: fix 'group' option documentation
Both for master and slave.
2014-04-09 21:52:46 +02:00
Emery Hemingway
316e809ff8 cjdns: update to 20130303
build system is now nodejs based
new nixos module to start cjdns
2014-04-09 10:30:57 -04:00
Domen Kožar
e5e27cfd64 Merge pull request #2153 from lethalman/gnome3
accounts-daemon service, fix gnome-shell, add libgnomekbd, musicbrainz5, sushi, gnome-contacts
2014-04-09 15:01:17 +02:00
Luca Bruno
a3115707dd Add environment.gnome3.excludePackages
Give the user a full desktop, and the possibility to exclude
non-base packages from the default list of packages.
2014-04-09 00:36:53 +02:00
Luca Bruno
c56af6102a at-spi2-core: add dbus module, enabled on gnome3 by default 2014-04-09 00:36:53 +02:00
Luca Bruno
8553993887 telepathy-mission-control: add dbus service, enabled by default on gnome3 2014-04-09 00:36:52 +02:00
Luca Bruno
2bc0f7b701 evolution-data-server: fix gsettings schemas and add dbus service 2014-04-09 00:36:51 +02:00
Shea Levy
452a1f9318 Revert "Turn on user-controlled wpa-cli on the livecd"
user-controlled wpa-cli requires explicit interface setting for some
reason

This reverts commit c6797b373f.
2014-04-08 18:26:52 -04:00
Eelco Dolstra
2bb8d963b1 Die tabs die 2014-04-09 00:17:16 +02:00
Eelco Dolstra
e09250d41c Disable allowUnfree by default
Fixes #2134.
2014-04-09 00:09:31 +02:00
Eelco Dolstra
caf98828bb nixos-generate-config: Fix PCI/USB checks
As reported by Kirill Elagin, read_file doesn't chomp its output. So
the equality tests on PCI/USB vendor and device IDs were failing.
2014-04-08 15:13:27 +02:00
Luca Bruno
ea3644cb09 sushi: new package
A quick previewer for Nautilus

http://en.wikipedia.org/wiki/Sushi_(software)
2014-04-08 13:41:29 +02:00
Luca Bruno
06614031d6 accountservice: add dbus and systemd services
Enable by default with gnome3.
2014-04-08 13:39:48 +02:00
Eelco Dolstra
2ba552fb2e Revert "Fix services.udisks.enable."
This reverts commit 02a30bea44,
necessary after reverting to udisks 1.0.4.

http://hydra.nixos.org/build/10194840
2014-04-08 13:28:24 +02:00
Rickard Nilsson
604306c34a Don't add users if createUser is false 2014-04-08 12:36:03 +02:00
Eelco Dolstra
694cc6172a Enable the firewall by default
Fixes #2135.
2014-04-08 09:44:01 +02:00
Shea Levy
efdb8a10ed Merge branch 'postgresql-user-fix' of git://github.com/ocharles/nixpkgs into fix-new-conduit
Create 'postgres' user and use pg_isready
2014-04-07 16:37:43 -04:00
Bjørn Forsman
8cd95471d7 nixos: add type definitions to virtualisation.libvirtd.* options 2014-04-07 21:31:29 +02:00
Eelco Dolstra
eb22e5f026 Remove ignored argument to sync 2014-04-07 13:22:12 +02:00
Eelco Dolstra
2f51ca9609 Add a regression test for udisks 2014-04-07 13:22:12 +02:00
Eelco Dolstra
1f6bfa19ad Gnome 3 should not be a release blocker 2014-04-07 12:24:17 +02:00
Luca Bruno
5174e6db80 gnome-backgrounds: new package 2014-04-06 15:23:11 +02:00
Oliver Charles
e206684110 Use PostgreSQL 9.3's pg_isready to wait for connectivity
The postgresql module has a postStart section that waits for a database
to accept connections before continuing. However, this assumes various
properties about the database - specifically the database user
and (implicitly) the database name. This means that for old
installations, this command fails because there is no 'postgres' user,
and the service never starts.

While 7deff39 does create the 'postgres' user, a better solution is to
use `pg_isready`, who's sole purpose is to check if the database is
accepting connections. This has no dependency on users, so should be
more robust.
2014-04-06 12:38:02 +01:00
Oliver Charles
7de29bd26f Create the 'postgres' superuser
Old PostgreSQL installations were created using the 'root' database
user. In this case, we need to create a new 'postgres' account, as we
now assume that this is the superuser account.

Unfortunately, these machines will be left with a 'root' user as
well (which will have ownership of some databases). While PostgreSQL
does let you rename superuser accounts, you can only do that when you
are connected as a *different* database user. Thus we'd have to create a
special superuser account to do the renaming. As we default to using
ident authentication, we would have to create a system level user to do
this. This all feels rather complex, so I'm currently opting to keep the
'root' user on these old machines.
2014-04-06 12:38:01 +01:00
Rickard Nilsson
bf129a2c23 Allow undefined uids and gids when mutableUsers = true
Groups and users without gid/uid are created with
useradd/groupadd after the passwd/group merge phase
if mutableUsers = true.

This should fix #2114.
2014-04-06 12:42:55 +02:00
Austin Seipp
8d0259caf4 nixos: reserve some uids/gids
I have some NixOS modules that I keep out of tree, and having UIDs/GIDs
reserved is quite helpful.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 01:05:56 -05:00
Shea Levy
d35619429a Merge branch 'cache.su' of git://github.com/wkennington/nixpkgs
su: Make the su package a provider of only the su binary

Fixes #1877
2014-04-05 18:49:30 -04:00
William A. Kennington III
28ab3acb58 su: Make the su package a provider of only the su binary
Additionally, provide su with the base system and remove su from the
util-linux package as it is now provided by shadow.
2014-04-05 16:01:52 -05:00
Shea Levy
ad4965f54c Merge branch 'master.xauth' of git://github.com/wkennington/nixpkgs
ssh: Don't set xuth if not running xserver
2014-04-05 15:32:31 -04:00
Shea Levy
a46d2e3150 Merge branch 'murmur' of git://github.com/thoughtpolice/nixpkgs
nixos: add Murmur module (Mumble chat)

Conflicts:
	nixos/modules/misc/ids.nix
2014-04-05 15:18:14 -04:00
Shea Levy
ea9c8d6a13 Merge branch 'rippled' of git://github.com/ehmry/nixpkgs
rippled: initial pkg and module expressions

Had to change the rippled uid.

Conflicts:
	nixos/modules/misc/ids.nix
2014-04-05 14:23:29 -04:00
Domen Kožar
13bef7f403 Merge pull request #2127 from lethalman/gnome3
Gnome3 session changes, gnome-control-center icons
2014-04-05 00:35:06 +02:00
Luca Bruno
671e346eb2 gnome3: add glib-networking gio modules
With glib-networking, epiphany and other gnome apps
can access https and other networking protocols.
2014-04-04 23:45:06 +02:00
Shea Levy
c6797b373f Turn on user-controlled wpa-cli on the livecd
Fixes #1204
2014-04-04 17:05:57 -04:00
Eelco Dolstra
6905aa1cf4 Merge pull request #2095 from geo-kollias/master
Added MonetDB NixOS module.
2014-04-04 13:55:24 +02:00
Domen Kožar
f530ead0ba syncthing: add preStart script to create dataDir 2014-04-04 10:46:30 +02:00
Matej Cotman
7df1ce5088 syncthing: new package and nixos module 2014-04-04 10:46:29 +02:00
Shea Levy
8b5c617237 Add fuse to env by default
Fixes #458
2014-04-03 21:36:13 -04:00
Domen Kožar
52fbaee8d7 solr: add extraJars option 2014-04-03 22:46:45 +02:00
William A. Kennington III
6c6d7dc11d ssh: Don't set xauth if not running xserver 2014-04-03 14:28:45 -05:00
Eelco Dolstra
6e086caa8a xterm: Don't enable unless X11 is enabled 2014-04-03 20:44:57 +02:00
Eelco Dolstra
819e7c9fbd Add a test for NixOS containers 2014-04-03 16:36:24 +02:00
Eelco Dolstra
1e4fa227fe nixos-container: Don't destroy declarative containers 2014-04-03 16:36:24 +02:00
Eelco Dolstra
b0b3fa928a Disable container support in containers
Systemd-nspawn doesn't support nesting, so providing nixos-container
inside a container doesn't make sense.
2014-04-03 16:36:23 +02:00
Eelco Dolstra
1ad9a654be Make starting a container synchronous
So now "systemctl start container@foo" will only return after the
container has reached multi-user.target.
2014-04-03 16:36:23 +02:00
Eelco Dolstra
269926df0d container-login.nix -> container-config.nix 2014-04-03 16:36:16 +02:00
Eelco Dolstra
fee81c3739 Always enable container logins 2014-04-03 16:35:36 +02:00
Austin Seipp
788354cc34 nixos: add mumble test
This tests that both the client and server work. With screenshots!

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-02 03:55:37 -05:00