Commit Graph

11803 Commits

Author SHA1 Message Date
Arian van Putten
99d3279952 nixos/nscd: Disable negative caching of hosts
Hopefully fixes #50290
2018-12-12 15:35:40 +01:00
Arian van Putten
e712417936 nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.

When a DynamicUser creation is performed, Systemd check beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.

However, by checking whether the user exists,  nscd will store
the fact that the user does not exist in it's negative cache.
When the service tries to lookup what user is associated to its
uid (By calling whoami, for example), it will try to consult
libnss_systemd.so However this will read from the cache and tell
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time.  If the service
doesn't immediately looks up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.

Preferably, we would not be using nscd at all. But we need to
use it because glibc reads  nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH.  Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config.
we can load nss modules in a pure fashion.

However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)

Because nscd caching is now also interferring with libnss_systemd.so
and probably also with other nsss modules, lets just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts ans services lookups.

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls  to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

Fixes #50273
2018-12-12 15:35:40 +01:00
Arian van Putten
eb88005130 nixos/systemd: Add a regression test for #50273 2018-12-12 15:35:39 +01:00
Vladimír Čunát
ad3e9191d1
nixos/nvidia: improve the assertion again
/cc ac19d5e34 #51836.
2018-12-12 00:26:09 +01:00
Benjamin Staffin
1181d6153e
logind: make killUserProcesses an option (#51426)
Right now it's not at all obvious that one can override this option
using `services.logind.extraConfig`; we might as well add an option
for `killUserProcesses` directly so it's clear and documented.
2018-12-11 16:51:16 -05:00
Vladimír Čunát
ac19d5e34f
Merge #51836: nixos/nvidia: fix inverted assertion 2018-12-11 21:41:20 +01:00
Jappie Klooster
e576c3b385 doc: Fix insecure nginx docs (#51840) 2018-12-11 11:02:56 +00:00
markuskowa
9fba490258
Merge pull request #50862 from markuskowa/fix-slurm-module
nixos/slurm: set slurmd KillMode and add extraConfigPaths
2018-12-11 00:45:47 +01:00
Samuel Dionne-Riel
abcb25bd8d aerospike: Disables build on aarch64
The issue with its inclusion in the manual has been side-stepped by
matching on the platforms in supports.
2018-12-10 14:55:19 -05:00
Andrew Childs
f2332809fd nixos/nvidia: fix inverted assertion 2018-12-11 02:04:10 +09:00
Tor Hedin Brønner
59d1fb6151
Merge pull request #44497 from hedning/gnome-upstream-wayland
Add gnome wayland support
2018-12-10 16:53:27 +01:00
Tim Steinbach
97ad321e42
zsh-autosuggestions: Fix module for 0.5.0
The update for zsh-autosuggestions in #51752 broke the module.
This fix reflects the required changes.
2018-12-10 10:11:33 -05:00
Vladimír Čunát
3946d83a3c
nixos tests: disable kafka for now
They consistently fail since openjdk bump with some out-of-space errors.
That's not a problem by itself, but each test instance ties a build slot
for many hours and consequently they also delay channels as those wait
for all builds to finish.

Feel free to re-enable when fixed, of course.
2018-12-10 13:19:00 +01:00
Tor Hedin Brønner
75e223bf7a nixos/tests/gnome3-gdm: port to wayland
The test now runs wayland, which means we can no longer use X11 style testing.
Instead we get gnome shell to execute javascript through its dbus interface.
2018-12-10 10:36:25 +01:00
Tor Hedin Brønner
116c16d9e2 nixos/tests/gnome3: select X11 gnome shell explicitely
This isn't strictly necessary yet as LightDM doesn't read the wayland sessions,
but there's no harm in being explicit.
2018-12-10 10:36:25 +01:00
Tor Hedin Brønner
3c0e70402f nixos/displayManager: Note that sessionCommands aren't run on Wayland 2018-12-10 10:36:25 +01:00
Tor Hedin Brønner
cdd266c73b nixos/gnome3: Implement sessionPath through environment.extraInit
This will simply make the `sessionPath` more likely to work.
2018-12-10 10:36:25 +01:00
Tor Hedin Brønner
48a9a24910 nixos/sddm: Enable wayland-sessions
LightDM is unable to separate between `wayland-sessions/gnome.desktop` and
`xsessions/gnome.desktop` so I ommitted adding this to LightDM.
2018-12-10 10:36:24 +01:00
markuskowa
c362f98ba0
Merge pull request #51791 from dotlambda/borgbackup-1.1.8
borgbackup: 1.1.7 -> 1.1.8
2018-12-09 22:34:02 +01:00
Tor Hedin Brønner
80fdafb373 nixos/tests/gnome3: fix terminal title
The tests passes, but that's just because a race condition where the window is
titled `Terminal` long enough.
2018-12-09 19:27:06 +01:00
Tor Hedin Brønner
373be8207a nixos/tests/i3wm: fix terminal title
Probably due to #51678 which makes bash set the terminal title.
2018-12-09 18:29:51 +01:00
Robert Schütz
3cbf18f32b nixos/tests/borgbackup: test borg mount 2018-12-09 18:17:27 +01:00
Markus Kowalewski
8eee1ec2a9
tests/slurm: wait for open DBD port
This makes tests more reliable. It seems
that waitForUnit(slurmdbd.service) is not sufficient
on some systems.
2018-12-09 13:36:53 +01:00
Tor Hedin Brønner
9895ce24b4 nixos/displayManager: Install wayland sessions from extraSessionFilePackages 2018-12-09 11:04:42 +01:00
Yegor Timoshenko
5c685feca1
Merge pull request #51678 from NixOS/yegortimoshenko-patch-1
nixos/bash: set title in PS1
2018-12-08 21:35:05 +03:00
markuskowa
9a7ce7d69a
Merge pull request #51728 from ck3d/fix-lirc-runtime-owner-ship
nixos lirc: fix owner-ship of runtime directory
2018-12-08 18:08:14 +01:00
Jörg Thalheim
91a7848fe2
nixos/release-notes: mention removal of quassel-webserver 2018-12-08 16:31:28 +00:00
Jörg Thalheim
da4e257fce
Merge pull request #51670 from Mic92/quassel-webserver
quassel-webserver: remove
2018-12-08 16:26:45 +00:00
Frederik Rietdijk
3e950d584c Merge staging-next into master 2018-12-08 16:29:21 +01:00
markuskowa
86d80a7b78
Merge pull request #51583 from WilliButz/grafana-update
grafana: 5.3.4 -> 5.4.0
2018-12-08 15:42:15 +01:00
Renaud
53218d4a39
nixos/systemd-nspawn: accept all Exec and Files options
See: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html
Closes #49712
2018-12-08 14:41:37 +01:00
Christian Kögler
4bb55815be nixos lirc: fix owner-ship of runtime directory 2018-12-08 14:37:02 +01:00
Frederik Rietdijk
e0950ae9ad Merge master into staging-next 2018-12-08 12:40:13 +01:00
Graham Christensen
ca3f089a83
Merge pull request #51314 from Izorkin/mariadb-my.cnf
mariadb: change location configuration file to /etc/my.cnf
2018-12-07 15:37:53 -05:00
Yegor Timoshenko
d53077b20c
nixos/bash: set title in PS1 2018-12-07 22:42:55 +03:00
Jörg Thalheim
40c8969b4c
quassel-webserver: remove
Package is broken and the original maintainer does not respond.
Unless someone wants to pick it up, I propose the removal.

fixes #51614
2018-12-07 16:46:36 +00:00
Frederik Rietdijk
5f554279ec Merge master into staging-next 2018-12-07 15:22:35 +01:00
Renaud
0eb2f4b5f5
Merge pull request #50809 from sorki/wireguard_containers_wont_modprobe
wireguard: don't modprobe if boot.isContainer is set
2018-12-07 11:06:28 +01:00
lewo
f7e67be1dc
Merge pull request #51528 from grahamc/buildImage-on-layered-image
dockertools buildImage: support new-style image specs
2018-12-07 09:44:58 +01:00
aszlig
776f084cf1
nixos/tests: Fix wrong arch in runInMachine test
Since 83b27f60ce, the tests were moved
into all-tests.nix and some of the tooling has changed so that
subattributes of test expressions are now recursively evaluated until a
derivation with a .test attribute has been found.

Unfortunately this isn't the case for all of the tests and the
runInMachine doesn't use the makeTest function other tests are using but
instead uses runInMachine, which doesn't generate a .test attribute.

Whener a .test attribute wasn't found by the new handleTest function, it
recurses down again until there is no value left that is an attribute
set and subsequently returns its unchanged value. This however has the
drawback that instead of getting different attributes for each
architecture we only get the last architecture in the supportedSystems
list.

In the case of the release.nix, the last architecture in
supportedSystems is "aarch64-linux", so the runInMachine test is always
built on that architecture.

In order to work around this, I changed runInMachine to emit a .test
attribute so that it looks to handleTest like it was a test created via
makeTest.

Signed-off-by: aszlig <aszlig@nix.build>
2018-12-07 05:56:53 +01:00
Peter Hoeg
728aaf4af6
Merge pull request #51622 from dotlambda/home-assistant-0.83
home-assistant: 0.82.1 -> 0.83.3
2018-12-07 09:24:16 +08:00
Samuel Dionne-Riel
70488665fa
Merge pull request #51207 from samueldr/fix/sd-image-slimming
sd-image: Slims the ext4 filesystem even more.
2018-12-06 23:35:09 +00:00
Robert Schütz
b63bb15612 home-assistant: 0.82.1 -> 0.83.3 2018-12-06 14:59:27 +01:00
WilliButz
60eff0eecb
nixos/grafana: use new default for connMaxLifetime 2018-12-05 20:49:45 +01:00
Graham Christensen
c88337c9ac
dockerTools.buildImage: support using a layered image in fromImage
Docker images used to be, essentially, a linked list of layers. Each
layer would have a tarball and a json document pointing to its parent,
and the image pointed to the top layer:

    imageA  ----> layerA
                    |
                    v
                  layerB
                    |
                    v
                  layerC

The current image spec changed this format to where the Image defined
the order and set of layers:

    imageA  ---> layerA
            |--> layerB
            `--> layerC

For backwards compatibility, docker produces images which follow both
specs: layers point to parents, and images also point to the entire
list:

    imageA  ---> layerA
            |      |
            |      v
            |--> layerB
            |      |
            |      v
            `--> layerC

This is nice for tooling which supported the older version and never
updated to support the newer format.

Our `buildImage` code only supported the old version, so in order for
`buildImage` to properly generate an image based on another image
with `fromImage`, the parent image's layers must fully support the old
mechanism.

This is not a problem in general, but is a problem with
`buildLayeredImage`.

`buildLayeredImage` creates images with newer image spec, because
individual store paths don't have a guaranteed parent layer. Including
a specific parent ID in the layer's json makes the output less likely
to cache hit when published or pulled.

This means until now, `buildLayeredImage` could not be the input to
`buildImage`.

The changes in this PR change `buildImage` to only use the layer's
manifest when locating parent IDs. This does break buildImage on
extremely old Docker images, though I do wonder how many of these
exist.

This work has been sponsored by Target.
2018-12-05 14:25:54 -05:00
Pierre Bourdon
3873f43fc3 prometheus/exporters: fix regression in DynamicUser behavior
Instead of setting User/Group only when DynamicUser is disabled, the
previous version of the code set it only when it was enabled. This
caused services with DynamicUser enabled to actually run as nobody, and
services without DynamicUser enabled to run as root.

Regression from fbb7e0c82f.
2018-12-05 11:26:38 +01:00
Pierre Bourdon
199b4c4743 prometheus/exporters/tor: make CPython happy by defining $HOME 2018-12-05 11:26:38 +01:00
Florian Klink
5c82aa8854 pkgsi686Linux.nixosTests.gitlab: fix 32 bit tests
GitLab 11.5.1 dropped the dependency to posix_spawn, which is broken on
32bit. (See https://gitlab.com/gitlab-org/gitlab-ce/issues/53525)

The only part missing is decreasing virtualisation.memorySize to
something that a 32 bit qemu still executes.

The maximum seems to be 2047, and tests passed with that value for me.
2018-12-05 10:47:18 +01:00
Austin Seipp
2a22554092 nixos/cockroachdb: simplify dataDir management, tweaks
This cleans up the CockroachDB expression, with a few suggestions from
@aszlig.

However, it brought up the note of using systemd's StateDirectory=
directive, which is a nice feature for managing long-term data files,
especially for UID/GID assigned services. However, it can only manage
directories under /var/lib (for global services), so it has to introduce
a special path to make use of it at all in the case someone wants a path
at a different root.

While the dataDir directive at the NixOS level is _occasionally_ useful,
I've gone ahead and removed it for now, as this expression is so new,
and it makes the expression cleaner, while other kinks can be worked out
and people can test drive it.

CockroachDB's dataDir directive, instead, has been replaced with
systemd's StateDirectory management to place the data under
/var/lib/cockroachdb for all uses.

There's an included RequiresMountsFor= clause like usual though, so if
people want dependencies for any kind of mounted device at boot
time/before database startup, it's easy to specify using their own
mount/filesystems clause.

This can also be reverted if necessary, but, we can see if anyone ever
actually wants that later on before doing it -- it's a backwards
compatible change, anyway.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-04 19:44:16 -06:00
Florian Klink
0834e98ece
Merge pull request #51393 from arianvp/container-names
nixos/containers: Add assertion for container name length
2018-12-05 01:25:16 +01:00
Tim Steinbach
16f42b3694 kafka: Add 2.1 2018-12-05 00:06:07 +00:00
Tim Steinbach
7c5d43f4f5 kafka: Add test for 2.0 2018-12-05 00:06:07 +00:00
Michael Peyton Jones
656b74f021
nixos: add AppStream module 2018-12-04 20:26:25 +00:00
Jörg Thalheim
7dbb64aca4
Merge pull request #51493 from marsam/feature/docs-remove-nix-repl-references
docs: Remove nix-repl references
2018-12-04 10:53:09 +00:00
Renaud
68b17ada12
Merge pull request #51475 from redvers/update/mediawiki
mediawiki: 1.29.1 -> 1.31.1
2018-12-04 08:06:57 +01:00
Mario Rodas
f1dd6faaaa
docs: Remove nix-repl references
nix-repl has been deprecated
2018-12-03 21:37:54 -05:00
Jörg Thalheim
958d8e625e
Merge pull request #49392 from uvNikita/nixos/containers/veths
nixos/containers: don't create veths if not configured
2018-12-03 23:44:50 +00:00
Red Davies
4173b845ca mediawiki: 1.29.1 -> 1.31.1
1.29.1 is out of support and has security vulnerabilities. 1.31.1 is current LTS.
2018-12-03 21:04:08 +00:00
Bjørn Forsman
bb94d419fb nixos/jenkins-job-builder: add accessTokenFile option
The new option allows storing the secret access token outside the world
readable Nix store.
2018-12-03 17:07:29 +01:00
Bjørn Forsman
8ebfd5c45c nixos/jenkins-job-builder: stop reloadScript on error
Currently there are two calls to curl in the reloadScript, neither which
check for errors. If something is misconfigured (like wrong authToken),
the only trace that something wrong happened is this log message:

  Asking Jenkins to reload config
  <h1>Bad Message 400</h1><pre>reason: Illegal character VCHAR='<'</pre>

The service isn't marked as failed, so it's easy to miss.

Fix it by passing --fail to curl.

While at it:
* Add $curl_opts and $jenkins_url variables to keep the curl command
  lines DRY.
* Add --show-error to curl to show short error message explanation when
  things go wrong (like HTTP 401 error).
* Lower-case the $CRUMB variable as upper case is for exported environment
  variables.

The new behaviour, when having wrong accessToken:

  Asking Jenkins to reload config
  curl: (22) The requested URL returned error: 401

And the service is clearly marked as failed in `systemctl --failed`.
2018-12-03 17:07:29 +01:00
Frederik Rietdijk
a510aa2672 Merge master into staging-next 2018-12-03 12:18:43 +01:00
Piotr Bogdan
9ca3414e05 nixos/cockroachdb: supply defaultText for the package option 2018-12-02 20:50:57 -06:00
Austin Seipp
4594b18070 nixos/chrony: fix misplaced ConditionCapability= directive
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-02 20:32:47 -06:00
Michael Weiss
fa5b8f82c5
Merge pull request #51316 from primeos/sway
nixos/sway-beta: Improve the wrapper
2018-12-02 22:03:31 +01:00
Izorkin
953be3e283 mariadb: change location configuration file to /etc/my.cnf 2018-12-02 22:15:02 +03:00
Silvan Mosberger
4afae70e2b
Merge pull request #48423 from charles-dyfis-net/bees
bees: init at 0.6.1; nixos/modules: services.bees init
2018-12-02 18:38:47 +01:00
Jörg Thalheim
50071c4475
Revert "nixos/luksroot: Check whether the device already exists"
This reverts commit 9cd4ce98bf.

This might be broken for some people: https://github.com/NixOS/nixpkgs/pull/50281#issuecomment-443516289
2018-12-02 17:27:35 +00:00
markuskowa
506d4c7e44
Merge pull request #51329 from c0bw3b/cleanup/gnu-https
Favor HTTPS URLs - the GNU edition
2018-12-02 16:52:33 +01:00
c0bw3b
0498ccd076 Treewide: use HTTPS on GNU domains
HTTP -> HTTPS for :
- http://gnu.org/
- http://www.gnu.org/
- http://elpa.gnu.org/
- http://lists.gnu.org/
- http://gcc.gnu.org/
- http://ftp.gnu.org/ (except in fetchurl mirrors)
- http://bugs.gnu.org/
2018-12-02 15:51:59 +01:00
Arian van Putten
bf102825ef nixos/containers: Add assertion for container name length
When privateNetwork is enabled, currently the container's interface name
is derived from the container name. However, there's a hard limit
on the size of interface names. To avoid conflicts and other issues,
we set a limit on the container name when privateNetwork is enabled.

Fixes #38509
2018-12-02 15:26:39 +01:00
Bas van Dijk
7035598251
Merge pull request #51225 from LumiGuide/elk-6.5.1
elk: 6.3.2 -> 6.5.1
2018-12-02 14:44:47 +01:00
Jörg Thalheim
31f67bed5b
Merge pull request #51379 from Gerschtli/add/programs-nm-applet
nixos/nm-applet: add nm-applet program
2018-12-02 11:49:45 +00:00
Jan Tojnar
a51a99c690
gobject-introspection: rename package
camelCase package name was a huge inconsistency in GNOME package set.
2018-12-02 12:42:29 +01:00
Jörg Thalheim
b3662053b3
nixos/nm-applet: make the module smaller
more readable imho
2018-12-02 11:38:47 +00:00
Tobias Happ
95cbb71abe nixos/nm-applet: add nm-applet program 2018-12-02 12:18:47 +01:00
John Boehr
4226ddc034 nixos/cockroachdb: create new service
This also includes a full end-to-end CockroachDB clustering test to
ensure everything basically works. However, this test is not currently
enabled by default, though it can be run manually. See the included
comments in the test for more information.

Closes #51306. Closes #38665.

Co-authored-by: Austin Seipp <aseipp@pobox.com>
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-01 19:07:49 -06:00
Janne Heß
9cd4ce98bf nixos/luksroot: Check whether the device already exists
The new reuse behaviour is cool and really useful but it breaks one of
my use cases. When using kexec, I have a script which will unlock the
disks in my initrd. However, do_open_passphrase will fail if the disk is
already unlocked.
2018-12-01 23:42:51 +01:00
Renaud
947be9e992
Merge pull request #51199 from samueldr/fix/iso-image-fat32
iso-image: Verifies the FAT partition at build.
2018-12-01 16:14:55 +01:00
Michael Weiss
062602d81e nixos/sway-beta: Improve the wrapper
According to the dbus-launch documentation [0] "--exit-with-session"
shouldn't be used: "This option is not recommended, since it will
consume input from the terminal where it was started; it is mainly
provided for backwards compatibility." And it also states: "To start a
D-Bus session within a text-mode session, do not use dbus-launch.
Instead, see dbus-run-session(1)."

The new wrapper also avoids starting an additional D-Bus session if
DBUS_SESSION_BUS_ADDRESS is already set.

Fix #51303.

[0]: https://dbus.freedesktop.org/doc/dbus-launch.1.html
[1]: https://dbus.freedesktop.org/doc/dbus-run-session.1.html
2018-12-01 15:15:27 +01:00
Bas van Dijk
fbf0efc6a7 elk: 6.3.2 -> 6.5.1 2018-12-01 12:47:12 +01:00
Austin Seipp
ee14496ae2 nixos/dhcpcd: (try to) restart chrony in the exitHook
As the comment notes, restarts/exits of dhcpcd generally require
restarting the NTP service since, if name resolution fails for a pool of
servers, the service might break itself. To be on the safe side, try
restarting Chrony in these instances, too.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-30 18:50:33 -06:00
Austin Seipp
7b8d9700e1 nixos/chrony: don't emit initstepslew when servers is empty
Setting the server list to be empty is useful e.g. for hardware-only
or virtualized reference clocks that are passed through to the system
directly. In this case, initstepslew has no effect, so don't emit it.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-30 18:50:32 -06:00
Samuel Dionne-Riel
61bdaad9a9 sd-image: Slims the ext4 filesystem even more.
This is to try and squeeze more lost space from the image, so that hydra
starts building it again.

The fsck previous to the resize2fs is required so resize2fs works.

The one afterwards is a sanity check.

Using `-M` from resize2fs will not give much saved space due to a known
(in the manual) issue.

```
[samueldr@aarch64:~/nixpkgs]$ ls -lh result-*/*/*.img
-r--r--r-- 1 root root 2.2G Jan  1  1970 result-original/sd-image/nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img
-r--r--r-- 1 root root 2.1G Jan  1  1970 result-M/sd-image/nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img
-r--r--r-- 1 root root 1.9G Jan  1  1970 result-slimmed/sd-image/nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img
```

```
[samueldr@aarch64:~/nixpkgs]$ nix path-info -S ./result-original
/nix/store/c8k9n78gylx293rjh762fr05a069kxp2-nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img   3844125000

[samueldr@aarch64:~/nixpkgs]$ nix path-info -S ./result-slimmed
/nix/store/962238skj5mnzhrsmjy23dyzmxk77sp4-nixos-sd-image-18.09.git.a7fd431-aarch64-linux.img   3447473208
```
2018-11-30 19:11:49 -05:00
Jan Tojnar
e02516db75
nixos/gnome3: enable remote desktop on wayland 2018-11-30 21:35:21 +01:00
Jan Tojnar
d359635ab4
gnome3.gnome-remote-desktop: init at 0.1.6 2018-11-30 21:35:21 +01:00
Tor Hedin Brønner
2c8565a3ce
nixos/gdm: use XDG_DATA_DIRS to find sessions
Gdm now searches for session files in XDG_DATA_DIRS so we no longer need the
sessions_dir.patch.
2018-11-30 21:34:47 +01:00
Edmund Wu
ea1be31262
nvidia: expose nvidia_x11_legacy390 2018-11-30 13:58:22 -05:00
Robert Schütz
74e283403c
nixos/borgbackup: allow paths to be empty or relative (#51275)
This former necessary in order to exclusively use `--pattern` or `--patterns-from`.
Fixes #51267.
2018-11-30 17:37:50 +01:00
Florian Klink
aa490a543e
Merge pull request #48049 from Vskilet/roundcube-module
nixos/roundcube: add roundcube module
2018-11-30 13:29:00 +01:00
Charles Duffy
f50bfe267a
nixos.tests.bees: init 2018-11-29 20:27:47 -06:00
Charles Duffy
86db2f394c
nixos/modules: services.bees init 2018-11-29 20:27:45 -06:00
Florian Klink
43762227f8
Merge pull request #49385 from krav/gitlab-shell-authorized-keys
gitlab-shell: 8.3.3->8.4.1, fix hardcoded paths
2018-11-29 21:18:08 +01:00
Maximilian Bosch
45c6794573
Merge pull request #36424 from jfrankenau/i18n-extra-locale
nixos/i18n: add option for extra locale settings
2018-11-29 16:22:34 +01:00
Graham Christensen
e488f62df7
Merge pull request #51090 from grahamc/revert-disable-zfs
Revert "zfs cannot be distributed. Disabling it in the isos."
2018-11-29 08:37:31 -05:00
Maximilian Bosch
216a954540
nixos/nextcloud: add basic module documentation and warn about current upgrading issues
Part of #49783. NextCloud tracks in its `config.php` the application's
state which makes it hard for the module to modify configurations during
upgrades.

It will take time until the issue is properly fixed, therefore we
decided to warn about this in the manual.

This PR addresses two things:

* Adding a basic example for nextcloud. I figured it to be helpful to
  add some basic usage instructions when adding a new manual entry.
  Advanced documentation may follow later.

  For now this document actively links to the service options, so users
  are guided to the remaining options that can be helpful in certain
  cases.

* Add a warning about upgrades and manual changes in
  `/var/lib/nextcloud`. This will be fixed in the future, but it's
  definetely helpful to document the current issues in the manual (as
  proposed in https://github.com/NixOS/nixpkgs/issues/49783#issuecomment-439691127).
2018-11-29 11:59:54 +01:00
Samuel Dionne-Riel
3864438049 iso-image: Do not use batch operations for mcopy.
```
       b      Batch mode. Optimized for huge recursive copies, but less secure if a crash happens during the copy.
```

It seems the "less secure if a crash happens" does not need a crash to
happen.

With batch mode:

```
/[...]/.
  Start (0) does not point to parent (___)
```

For pretty much everything copied in.

Without batch mode, everything passes `fsck`.

See #51150
2018-11-28 19:14:54 -05:00
Samuel Dionne-Riel
0a367c41ea iso-image: Verifies the FAT partition at build.
This is done to ensure `mtools`-based operations leave a clean FS.
2018-11-28 19:14:18 -05:00
Samuel Dionne-Riel
1b6a4d3979 sd-image: Do not use batch operation for mcopy.
```
       b      Batch mode. Optimized for huge recursive copies, but less secure if a crash happens during the copy.
```

It seems the "less secure if a crash happens" does not need a crash to
happen.

With batch mode:

```
/[...]/.
  Start (0) does not point to parent (___)
```

For pretty much everything copied in.

Without batch mode, everything passes `fsck`.

See #51150
2018-11-29 01:50:30 +02:00
Samuel Dionne-Riel
2e5eb135aa sd-image: Verifies the FAT partition before copying it.
This is to ensure `mtools`-based operations don't wreck the FS.
2018-11-29 01:50:30 +02:00
Florian Klink
3caeeabb14 gitlab: stop regenerating the authorized_keys file 2018-11-28 23:09:23 +01:00
Renaud
36994f8620
Merge pull request #51073 from erikarvstedt/docs
Minor doc fixes
2018-11-28 20:34:53 +01:00
Robin Gloster
1262a5ca97
roundcube: apply code review suggestions 2018-11-28 18:53:37 +01:00
Robin Gloster
9ace7f6409
roundcube: clean-up and add test 2018-11-28 18:52:10 +01:00
Victor SENE
2f8073bd92
roundcube: IPv6 by default 2018-11-28 18:52:10 +01:00
Victor SENE
195fa0dafc
nixos/roundcube: add to module-list 2018-11-28 18:52:09 +01:00
Victor SENE
b5120953c6
nixos/roundcube: add roundcube module and default configuration 2018-11-28 18:52:08 +01:00
Léo Gaspard
f161f02552
Merge branch 'pr-51043'
* pr-51043:
  nixos/urxvtd: remove socket activation
2018-11-29 00:50:01 +09:00
Svein Ove Aas
24865963f0 modularity: Document the ability to use non-files in imports (#50503)
* modularity: Document the ability to use non-files in imports
* Update nixos/doc/manual/configuration/modularity.xml

Co-Authored-By: Baughn <svein@google.com>
2018-11-28 12:39:51 +01:00
Brandon Black
dacbd5a61a nixos/ntp: use upstream default restrictions to avoid DDoS (#50762)
Fixes #50732
2018-11-28 10:15:25 +00:00
Silvan Mosberger
5b56b28a5a
Merge pull request #51065 from bbigras/sway
nixos/sway-beta: pass arguments from wrapper to sway
2018-11-27 23:57:10 +01:00
Silvan Mosberger
331755f959
Merge pull request #51085 from erikarvstedt/container-config
containers: simplify env var definition
2018-11-27 23:45:02 +01:00
Domen Kožar
d04fedd715
postgresql: Enable systemd integration for 9.6+
This allows, finally, proper detection when postgresql is ready to
accept connections. Until now, it was possible that services depending
on postgresql would fail in a race condition trying to connect
to postgresql.
2018-11-27 19:16:21 +00:00
Domen Kožar
56e12aae54
Fix nixops evaluation
See https://discourse.nixos.org/t/nixops-stopped-working/1527
2018-11-26 23:12:31 +00:00
Graham Christensen
6db866cbd2
Revert "zfs cannot be distributed. Disabling it in the isos."
ZFS's popularity is growing, and not including it by default is a
bit frustrating. On top of that, the base iso includes ZFS
_anyway_ due to other packages depending upon it.

I think we're in the clear to do this on the basis that Oracle
probably doesn't care, it is probably fine (the SFLC agrees) and
we're a small fish. If a copyright holder asks us to, we can
definitely revert it again.

This reverts commit 33d07c7ea9.
2018-11-26 17:51:18 -05:00
Erik Arvstedt
c64a9718ce nixos/containers: simplify env var definition
Also clear up the misleading comment: This env var isn't
root-specific, it's needed for all users.
2018-11-26 23:06:56 +01:00
Arian van Putten
7ce4cd4470 nixos/nspawn: Fix small typo (#51077)
This has slipped through review in my previous PR it seems
2018-11-26 22:05:13 +01:00
Erik Arvstedt
931b7b47a2 nixos tests doc: minor fixes
This fixes some quirks I introduced in previous commits.

1. No need for an extra newline when printing the output of shell commands.
2. 'or die' is what's already used in the NixOS test sources, while
   'die unless' has no occurrences.
2018-11-26 19:36:50 +01:00
Florian Klink
2c2ab68672
Merge pull request #50962 from flokli/gitlab-updater
gitlab: 11.4.4 -> 11.5.0
2018-11-26 18:47:14 +01:00
Bruno Bigras
cc21100623 nixos/sway-beta: pass arguments from wrapper to sway 2018-11-26 11:55:05 -05:00
Jean-Philippe Braun
cdacdc0686 nixos/kubernetes: allow to disable clusterCidr
Fix option type and set --allocate-node-cidr to false if no clusterCidr
is defined.
2018-11-26 16:36:30 +01:00
Ding Xiang Fei
88570538b3 google-compute-image: make it a module and the size tuneable (#49854)
* move GCE system configuration to `google-compute-config.nix`
* remove `fetch-ssh-keys` service (disabled in comment)
2018-11-26 14:51:00 +00:00
Ding Xiang Fei
b011049cf6 Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo 2018-11-26 12:04:07 +08:00
fishyfriend
b34b39cab4 nixos/urxvtd: remove socket activation
This fixes #23193. urxvtd is not presently compatible with socket activation.
2018-11-25 15:25:19 -05:00
Silvan Mosberger
b5f4f228d6
Merge pull request #51012 from griff/rspamd-proxy-type
nixos/rspamd: Allow worker type to be proxy again
2018-11-25 21:07:42 +01:00
Renaud
6a5fff3741
Merge pull request #51001 from c0bw3b/cleanup/more-https
Treewide: use more HTTPS-enabled sources
2018-11-25 16:22:34 +01:00
Brian Olsen
0d753af661
nixos/rspamd: Allow worker type to be proxy again
When reworking the rspamd workers I disallowed `proxy` as a type and
instead used `rspamd_proxy` which is the correct name for that worker
type. That change breaks peoples existing config and so I have made this
commit which allows `proxy` as a worker type again but makes it behave
as `rspamd_proxy` and prints a warning if you use it.
2018-11-25 16:03:34 +01:00
Franz Pletz
c1d760f0bf
Merge pull request #50469 from mguentner/mxisd
mxisd: init at 1.2.0 plus service with test
2018-11-25 13:26:05 +00:00
Maximilian Güntner
efae5d43ef
modules: add mxisd with test 2018-11-25 14:24:10 +01:00
Craig Younkins
eff461c8ef treewide: systemd timeout arguments to use infinity instead of 0 (#50934)
Fixes https://github.com/NixOS/nixpkgs/issues/49700
2018-11-25 13:33:22 +01:00
c0bw3b
5e4ceba7bf nixos/mediawiki: fetch over https 2018-11-24 23:18:26 +01:00
c0bw3b
c615b0504b nixos/flashpolicyd: fix url and use https 2018-11-24 23:13:09 +01:00
c0bw3b
434eab9955 nixos/systemhealth: fix url and use https 2018-11-24 23:07:30 +01:00
c0bw3b
2ea29c63af nixos/hpsa: use https 2018-11-24 23:05:10 +01:00
Joachim Fasting
6a7f02d89d
nixos/hardened: restrict access to nix daemon 2018-11-24 16:06:21 +01:00
Joachim Fasting
62623b60d5
nixos/tests/hardened: fix build by disabling nix.useSandbox 2018-11-24 16:06:18 +01:00
Joachim F
e426613174
Merge pull request #50950 from jonasnick/nixos-tor-hiddenservice-version
nixos/tor: add HiddenServiceVersion option
2018-11-24 12:41:37 +00:00
Michael Raskin
5e159d463b
Merge pull request #49228 from Ekleog/rss2email-module
rss2email module: init
2018-11-23 22:30:29 +00:00
Jonas Nick
5640aa2814 nixos/tor: add HiddenServiceVersion option 2018-11-23 20:53:02 +00:00
Andreas Rammhold
51c3082119 nixos/prometheus: require one alertmanager configuration parameter
This commit adds an assertion that checks that either `configFile` or
`configuration` is configured for alertmanager. The alertmanager config
can not be an empty attributeset. The check executed with `amtool` fails
before the service even has the chance to start. We should probably not
allow a broken alertmanager configuration anyway.

This also introduces a test for alertmanager configuration that piggy
backs on the existing prometheus tests.
2018-11-23 19:45:17 +01:00
Andreas Rammhold
b1032db5a9 nixos/prometheus: check alertmanager configuration 2018-11-23 19:45:17 +01:00
Andreas Rammhold
d1ef00ebee nixos/prometheus: add package option to alertmanager 2018-11-23 19:45:17 +01:00
Florian Klink
6870eafe72 gitlab tests: enable recommendedProxySettings, test redirection works as it should
The nixos test is a bit misleading, as the given nginx configuration
would always cause gitlab to redirect to localhost, which is clearly not
what you want in a production setup.

Instead we now enable services.nginx.recommendedProxySettings,
curl against http://gitlab, and assure we get redirected to that same
hostname, too.
2018-11-23 19:44:45 +01:00
Jörg Thalheim
50daffc4b8
nixos/docker-image: add example usage 2018-11-23 15:40:10 +00:00
Franz Pletz
4470dd9902
Merge pull request #50948 from Ma27/fix-nixos-build-vms-eval
nixos-build-vms: fix eval
2018-11-23 14:10:30 +00:00
Maximilian Bosch
b36fa8ef91
nixos-build-vms: fix eval
Previously I got the following error message:

```
error: opening file '/home/ma27/Projects/nixpkgs/nixos/modules/installer/default.nix': No such file or directory
```

Probably related to 6c68fbd4e1.
2018-11-23 13:43:47 +01:00
Jörg Thalheim
d3aeed389c
Merge pull request #50641 from blaxill/firewallMerge
nixos/firewall: Always use global firewall.allowed rules
2018-11-23 11:42:16 +00:00
Ben Blaxill
308ab4ea25 Rename back to default and better release notes 2018-11-22 19:24:23 -05:00
Markus Kowalewski
0ed4fc606a
nixos/slurm: add recommended mysql settings 2018-11-22 13:21:37 +01:00
Markus Kowalewski
25af518845
nixos/slurm: add extraConfigPaths options 2018-11-22 11:43:05 +01:00
Matthieu Coudron
35f74c3608 mininet: init at 2.3.0d4 (#41261)
Mininet (https://github.com/mininet/mininet) is a popular network emulator that
glues several components such as network namespaces, traffic control
commands into a set of python bindings. It is then "easy" to describe a
topology and run experiments on it.
2018-11-21 23:33:10 +00:00