Commit Graph

9880 Commits

Author SHA1 Message Date
Arian van Putten
1d5f4cbb78 nixos/nscd: Add a descriptive comment to the nscd configuration 2018-12-12 15:35:46 +01:00
Arian van Putten
a74619c1ae nixos/nscd: also add netgroup to the config
It was the last database that wasn't listed.
2018-12-12 15:35:40 +01:00
Arian van Putten
de76c16f9c nixos/nscd: Merge nscd and sssd-nscd config 2018-12-12 15:35:40 +01:00
Arian van Putten
99d3279952 nixos/nscd: Disable negative caching of hosts
Hopefully fixes #50290
2018-12-12 15:35:40 +01:00
Arian van Putten
e712417936 nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.

When a DynamicUser creation is performed, Systemd check beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.

However, by checking whether the user exists,  nscd will store
the fact that the user does not exist in it's negative cache.
When the service tries to lookup what user is associated to its
uid (By calling whoami, for example), it will try to consult
libnss_systemd.so However this will read from the cache and tell
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time.  If the service
doesn't immediately looks up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.

Preferably, we would not be using nscd at all. But we need to
use it because glibc reads  nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH.  Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config.
we can load nss modules in a pure fashion.

However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)

Because nscd caching is now also interferring with libnss_systemd.so
and probably also with other nsss modules, lets just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts ans services lookups.

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls  to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

Fixes #50273
2018-12-12 15:35:40 +01:00
Vladimír Čunát
ad3e9191d1
nixos/nvidia: improve the assertion again
/cc ac19d5e34 #51836.
2018-12-12 00:26:09 +01:00
Benjamin Staffin
1181d6153e
logind: make killUserProcesses an option (#51426)
Right now it's not at all obvious that one can override this option
using `services.logind.extraConfig`; we might as well add an option
for `killUserProcesses` directly so it's clear and documented.
2018-12-11 16:51:16 -05:00
Vladimír Čunát
ac19d5e34f
Merge #51836: nixos/nvidia: fix inverted assertion 2018-12-11 21:41:20 +01:00
Jappie Klooster
e576c3b385 doc: Fix insecure nginx docs (#51840) 2018-12-11 11:02:56 +00:00
markuskowa
9fba490258
Merge pull request #50862 from markuskowa/fix-slurm-module
nixos/slurm: set slurmd KillMode and add extraConfigPaths
2018-12-11 00:45:47 +01:00
Andrew Childs
f2332809fd nixos/nvidia: fix inverted assertion 2018-12-11 02:04:10 +09:00
Tor Hedin Brønner
59d1fb6151
Merge pull request #44497 from hedning/gnome-upstream-wayland
Add gnome wayland support
2018-12-10 16:53:27 +01:00
Tim Steinbach
97ad321e42
zsh-autosuggestions: Fix module for 0.5.0
The update for zsh-autosuggestions in #51752 broke the module.
This fix reflects the required changes.
2018-12-10 10:11:33 -05:00
Tor Hedin Brønner
3c0e70402f nixos/displayManager: Note that sessionCommands aren't run on Wayland 2018-12-10 10:36:25 +01:00
Tor Hedin Brønner
cdd266c73b nixos/gnome3: Implement sessionPath through environment.extraInit
This will simply make the `sessionPath` more likely to work.
2018-12-10 10:36:25 +01:00
Tor Hedin Brønner
48a9a24910 nixos/sddm: Enable wayland-sessions
LightDM is unable to separate between `wayland-sessions/gnome.desktop` and
`xsessions/gnome.desktop` so I ommitted adding this to LightDM.
2018-12-10 10:36:24 +01:00
Tor Hedin Brønner
9895ce24b4 nixos/displayManager: Install wayland sessions from extraSessionFilePackages 2018-12-09 11:04:42 +01:00
Yegor Timoshenko
5c685feca1
Merge pull request #51678 from NixOS/yegortimoshenko-patch-1
nixos/bash: set title in PS1
2018-12-08 21:35:05 +03:00
markuskowa
9a7ce7d69a
Merge pull request #51728 from ck3d/fix-lirc-runtime-owner-ship
nixos lirc: fix owner-ship of runtime directory
2018-12-08 18:08:14 +01:00
Jörg Thalheim
da4e257fce
Merge pull request #51670 from Mic92/quassel-webserver
quassel-webserver: remove
2018-12-08 16:26:45 +00:00
Frederik Rietdijk
3e950d584c Merge staging-next into master 2018-12-08 16:29:21 +01:00
markuskowa
86d80a7b78
Merge pull request #51583 from WilliButz/grafana-update
grafana: 5.3.4 -> 5.4.0
2018-12-08 15:42:15 +01:00
Renaud
53218d4a39
nixos/systemd-nspawn: accept all Exec and Files options
See: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html
Closes #49712
2018-12-08 14:41:37 +01:00
Christian Kögler
4bb55815be nixos lirc: fix owner-ship of runtime directory 2018-12-08 14:37:02 +01:00
Frederik Rietdijk
e0950ae9ad Merge master into staging-next 2018-12-08 12:40:13 +01:00
Graham Christensen
ca3f089a83
Merge pull request #51314 from Izorkin/mariadb-my.cnf
mariadb: change location configuration file to /etc/my.cnf
2018-12-07 15:37:53 -05:00
Yegor Timoshenko
d53077b20c
nixos/bash: set title in PS1 2018-12-07 22:42:55 +03:00
Jörg Thalheim
40c8969b4c
quassel-webserver: remove
Package is broken and the original maintainer does not respond.
Unless someone wants to pick it up, I propose the removal.

fixes #51614
2018-12-07 16:46:36 +00:00
Frederik Rietdijk
5f554279ec Merge master into staging-next 2018-12-07 15:22:35 +01:00
Renaud
0eb2f4b5f5
Merge pull request #50809 from sorki/wireguard_containers_wont_modprobe
wireguard: don't modprobe if boot.isContainer is set
2018-12-07 11:06:28 +01:00
WilliButz
60eff0eecb
nixos/grafana: use new default for connMaxLifetime 2018-12-05 20:49:45 +01:00
Pierre Bourdon
3873f43fc3 prometheus/exporters: fix regression in DynamicUser behavior
Instead of setting User/Group only when DynamicUser is disabled, the
previous version of the code set it only when it was enabled. This
caused services with DynamicUser enabled to actually run as nobody, and
services without DynamicUser enabled to run as root.

Regression from fbb7e0c82f.
2018-12-05 11:26:38 +01:00
Pierre Bourdon
199b4c4743 prometheus/exporters/tor: make CPython happy by defining $HOME 2018-12-05 11:26:38 +01:00
Austin Seipp
2a22554092 nixos/cockroachdb: simplify dataDir management, tweaks
This cleans up the CockroachDB expression, with a few suggestions from
@aszlig.

However, it brought up the note of using systemd's StateDirectory=
directive, which is a nice feature for managing long-term data files,
especially for UID/GID assigned services. However, it can only manage
directories under /var/lib (for global services), so it has to introduce
a special path to make use of it at all in the case someone wants a path
at a different root.

While the dataDir directive at the NixOS level is _occasionally_ useful,
I've gone ahead and removed it for now, as this expression is so new,
and it makes the expression cleaner, while other kinks can be worked out
and people can test drive it.

CockroachDB's dataDir directive, instead, has been replaced with
systemd's StateDirectory management to place the data under
/var/lib/cockroachdb for all uses.

There's an included RequiresMountsFor= clause like usual though, so if
people want dependencies for any kind of mounted device at boot
time/before database startup, it's easy to specify using their own
mount/filesystems clause.

This can also be reverted if necessary, but, we can see if anyone ever
actually wants that later on before doing it -- it's a backwards
compatible change, anyway.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-04 19:44:16 -06:00
Florian Klink
0834e98ece
Merge pull request #51393 from arianvp/container-names
nixos/containers: Add assertion for container name length
2018-12-05 01:25:16 +01:00
Renaud
68b17ada12
Merge pull request #51475 from redvers/update/mediawiki
mediawiki: 1.29.1 -> 1.31.1
2018-12-04 08:06:57 +01:00
Jörg Thalheim
958d8e625e
Merge pull request #49392 from uvNikita/nixos/containers/veths
nixos/containers: don't create veths if not configured
2018-12-03 23:44:50 +00:00
Red Davies
4173b845ca mediawiki: 1.29.1 -> 1.31.1
1.29.1 is out of support and has security vulnerabilities. 1.31.1 is current LTS.
2018-12-03 21:04:08 +00:00
Bjørn Forsman
bb94d419fb nixos/jenkins-job-builder: add accessTokenFile option
The new option allows storing the secret access token outside the world
readable Nix store.
2018-12-03 17:07:29 +01:00
Bjørn Forsman
8ebfd5c45c nixos/jenkins-job-builder: stop reloadScript on error
Currently there are two calls to curl in the reloadScript, neither which
check for errors. If something is misconfigured (like wrong authToken),
the only trace that something wrong happened is this log message:

  Asking Jenkins to reload config
  <h1>Bad Message 400</h1><pre>reason: Illegal character VCHAR='<'</pre>

The service isn't marked as failed, so it's easy to miss.

Fix it by passing --fail to curl.

While at it:
* Add $curl_opts and $jenkins_url variables to keep the curl command
  lines DRY.
* Add --show-error to curl to show short error message explanation when
  things go wrong (like HTTP 401 error).
* Lower-case the $CRUMB variable as upper case is for exported environment
  variables.

The new behaviour, when having wrong accessToken:

  Asking Jenkins to reload config
  curl: (22) The requested URL returned error: 401

And the service is clearly marked as failed in `systemctl --failed`.
2018-12-03 17:07:29 +01:00
Frederik Rietdijk
a510aa2672 Merge master into staging-next 2018-12-03 12:18:43 +01:00
Piotr Bogdan
9ca3414e05 nixos/cockroachdb: supply defaultText for the package option 2018-12-02 20:50:57 -06:00
Austin Seipp
4594b18070 nixos/chrony: fix misplaced ConditionCapability= directive
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-02 20:32:47 -06:00
Michael Weiss
fa5b8f82c5
Merge pull request #51316 from primeos/sway
nixos/sway-beta: Improve the wrapper
2018-12-02 22:03:31 +01:00
Izorkin
953be3e283 mariadb: change location configuration file to /etc/my.cnf 2018-12-02 22:15:02 +03:00
Silvan Mosberger
4afae70e2b
Merge pull request #48423 from charles-dyfis-net/bees
bees: init at 0.6.1; nixos/modules: services.bees init
2018-12-02 18:38:47 +01:00
Jörg Thalheim
50071c4475
Revert "nixos/luksroot: Check whether the device already exists"
This reverts commit 9cd4ce98bf.

This might be broken for some people: https://github.com/NixOS/nixpkgs/pull/50281#issuecomment-443516289
2018-12-02 17:27:35 +00:00
markuskowa
506d4c7e44
Merge pull request #51329 from c0bw3b/cleanup/gnu-https
Favor HTTPS URLs - the GNU edition
2018-12-02 16:52:33 +01:00
c0bw3b
0498ccd076 Treewide: use HTTPS on GNU domains
HTTP -> HTTPS for :
- http://gnu.org/
- http://www.gnu.org/
- http://elpa.gnu.org/
- http://lists.gnu.org/
- http://gcc.gnu.org/
- http://ftp.gnu.org/ (except in fetchurl mirrors)
- http://bugs.gnu.org/
2018-12-02 15:51:59 +01:00
Arian van Putten
bf102825ef nixos/containers: Add assertion for container name length
When privateNetwork is enabled, currently the container's interface name
is derived from the container name. However, there's a hard limit
on the size of interface names. To avoid conflicts and other issues,
we set a limit on the container name when privateNetwork is enabled.

Fixes #38509
2018-12-02 15:26:39 +01:00