Commit Graph

2380 Commits

Author SHA1 Message Date
aszlig
ce0954020c
nixos/taskserver: Set allowedTCPPorts accordingly
As suggested by @matthiasbeyer:

"We might add a short note that this port has to be opened in the
firewall, or is this done by the service automatically?"

This commit now adds the listenPort to
networking.firewall.allowedTCPPorts as soon as the listenHost is not
"localhost".

In addition to that, this is now also documented in the listenHost
option declaration and I have removed disabling of the firewall from the
VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:16:15 +02:00
aszlig
5be76d0b55
nixos/taskserver: Reorder into one mkMerge
No changes in functionality but rather just restructuring the module
definitions to be one mkMerge, which now uses mkIf from the top-level
scope of the CA initialization service so we can better abstract
additional options we might need there.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:07:52 +02:00
aszlig
5062bf1b84
nixos/taskserver/helper: Assert CA existence
We want to make sure that the helper tool won't work if the automatic CA
wasn't properly set up. This not only avoids race conditions if the tool
is started before the actual service is running but it also fails if
something during CA setup has failed so the user can investigate what
went wrong.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:57:03 +02:00
aszlig
2ced6fcc75
nixos/taskserver: Setup CA before main service
We need to explicitly make sure the CA is created before we actually
launch the main Taskserver service in order to avoid race conditions
where the preStart phase of the main service could possibly corrupt
certificates if it would be started in parallel.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:53:53 +02:00
aszlig
9279ec732b
nixos/taskserver: Introduce an extraConfig option
This is simply to add configuration lines to the generated configuration
file. The reason why I didn't went for an attribute set is that the
taskdrc file format doesn't map very well on Nix attributes, for example
the following can be set in taskdrc:

server = somestring
server.key = anotherstring

In order to use a Nix attribute set for that, it would be way too
complicated, for example if we want to represent the mentioned example
we'd have to do something like this:

{ server._top = somestring;
  server.key = anotherstring;
}

Of course, this would work as well but nothing is more simple than just
appending raw strings.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:21:55 +02:00
aszlig
9f1e536948
nixos/taskserver: Allow to specify expiration/bits
At least this should allow for some customisation of how the
certificates and keys are created. We now have two sub-namespaces within
PKI so it should be more clear which options you have to set if you want
to either manage your own CA or let the module create it automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:14:33 +02:00
aszlig
a41b109bc1
nixos/taskserver: Don't change imperative users
Whenever the nixos-taskserver tool was invoked manually for creating an
organisation/group/user we now add an empty file called .imperative to
the data directory.

During the preStart of the Taskserver service, we use process-json which
in turn now checks whether those .imperative files exist and if so, it
doesn't do anything with it.

This should now ensure that whenever there is a manually created user,
it doesn't get killed off by the declarative configuration in case it
shouldn't exist within that configuration.

In addition, we also add a small subtest to check whether this is
happening or not and fail if the imperatively created user got deleted
by process-json.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 03:42:13 +02:00
aszlig
9586795ef2
nixos/taskserver: Silence certtool everywhere
We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 02:16:35 +02:00
aszlig
7889fcfa41
nixos/taskserver/helper: Implement deletion
Now we finally can delete organisations, groups and users along with
certificate revocation. The new subtests now make sure that the client
certificate is also revoked (both when removing the whole organisation
and just a single user).

If we use the imperative way to add and delete users, we have to restart
the Taskserver in order for the CRL to be effective.

However, by using the declarative configuration we now get this for
free, because removing a user will also restart the service and thus its
client certificate will end up in the CRL.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:41:41 +02:00
aszlig
3008836fee
nixos/taskserver: Add a command to reload service
Unfortunately we don't have a better way to check whether the reload has
been done successfully, but at least we now *can* reload it without
figuring out the exact signal to send to the process.

Note that on reload, Taskserver will not reload the CRL file. For that
to work, a full restart needs to be done.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:04:34 +02:00
aszlig
b6643102d6
nixos/taskserver: Generate a cert revocation list
If we want to revoke client certificates and want the server to actually
notice the revocation, we need to have a valid certificate revocation
list.

Right now the expiration_days is set to 10 years, but that's merely to
actually get certtool to actually generate the CRL without trying to
prompt for user input.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 23:07:58 +02:00
aszlig
d0ab617974
nixos/taskserver: Constrain server cert perms
It doesn't do much harm to make the server certificate world readable,
because even though it's not accessible anymore via the file system,
someone can still get it by simply doing a TLS handshake with the
server.

So this is solely for consistency.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:59:30 +02:00
aszlig
6e10705754
nixos/taskserver: Handle declarative conf via JSON
We now no longer have the stupid --service-helper option, which silences
messages about already existing organisations, users or groups.

Instead of that option, we now have a new subcommand called
"process-json", which accepts a JSON file directly from the specified
NixOS module options and creates/deletes the users accordingly.

Note that this still has a two issues left to solve in this area:

 * Deletion is not supported yet.
 * If a user is created imperatively, the next run of process-json will
   delete it once deletion is supported.

So we need to implement deletion and a way to mark organisations, users
and groups as "imperatively managed".

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:24:58 +02:00
aszlig
cf0501600a
nixos/taskserver/helper: Factor out program logic
The Click functions really are for the command line and should be solely
used for that.

What I have in mind is that instead of that crappy --service-helper
argument, we should really have a new subcommand that is expecting JSON
which is directly coming from the services.taskserver.organisations
module option.

That way we can decrease even more boilerplate and we can also ensure
that organisations, users and groups get properly deleted if they're
removed from the NixOS configuration.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:19:50 +02:00
aszlig
7875885fb2
nixos/taskserver: Link to manual within .enable
With <olink/> support in place, we can now reference the Taskserver
section within the NixOS manual, so that users reading the manpage of
configuration.nix(5) won't miss this information.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 18:45:09 +02:00
Valérian Galliat
26dc7e503d Shout: fix infinite loop in service configuration
Fixes #14594.
2016-04-11 09:58:52 -04:00
aszlig
b19fdc9ec9
nixos/taskserver: Set server.crl for automatic CA
Currently, we don't handle this yet, but let's set it so that we cover
all the options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 13:38:33 +02:00
aszlig
05a7cd17fc
nixos/taskserver: Rename .pki options
We're now using .pki.server.* and .pki.ca.* so that it's entirely clear
what these keys/certificates are for. For example we had just .pki.key
before, which doesn't really tell very much about what it's for except
if you look at the option description.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 13:33:48 +02:00
aszlig
6395c87d07
nixos/taskserver: Improve doc for PKI options
The improvement here is just that we're adding a big <note/> here so
that users of these options are aware that whenever they're setting one
of these the certificates and keys are _not_ created automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:58:29 +02:00
aszlig
6df374910f
nixos/taskserver: Move .trust out of .pki
This is clearly a server configuration option and has nothing to do with
certificate creation and signing, so let's move it away from the .pki
namespace.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:47:39 +02:00
aszlig
3affead91b
nixos/taskserver: Move .pki.fqdn to .fqdn
It's not necessarily related to the PKI options, because this is also
used for setting the server address on the Taskwarrior client.

So if someone doesn't have his/her own certificates from another CA, all
options that need to be adjusted are in .pki. And if someone doesn't
want to bother with getting certificates from another CA, (s)he just
doesn't set anything in .pki.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:42:20 +02:00
aszlig
6de94e7d24
nixos/taskserver: Rename .server options to .pki
After moving out the PKI-unrelated options, let's name this a bit more
appropriate, so we can finally get rid of the taskserver.server thing.

This also moves taskserver.caCert to taskserver.pki.caCert, because that
clearly belongs to the PKI options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:38:16 +02:00
aszlig
d6bd457d1f
nixos/taskserver: Rename server.{host,port}
Having an option called services.taskserver.server.host is quite
confusing because we already have "server" in the service name, so let's
first get rid of the listening options before we rename the rest of the
options in that .server attribute.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:26:34 +02:00
aszlig
2acf8677fa
nixos/taskserver: Rewrite helper-tool in Python
In the comments of the pull request @nbp wrote:

"Why is it implemented in 3 different languages: Nix, Bash and C?"

And he's right, it doesn't make sense, because we were using C as a
runuser replacement and used Nix to generate the shellscript
boilerplates.

Writing this in Python gets rid of all of this and we also don't need
the boilerplate as well, because we're using Click to handle all the
command line stuff.

Note that this currently is a 1:1 implementation of what we had before.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:02:52 +02:00
joachifm
9c484f29ce Merge pull request #14564 from valeriangalliat/shout/config
Shout: configure with attrs
2016-04-11 09:56:10 +02:00
joachifm
245f200dd8 Merge pull request #11987 from angus-g/caddy
Add Caddy and its NixOS module
2016-04-11 09:20:21 +02:00
aszlig
85832de2e8
nixos/taskserver: Remove client.cert option
The option is solely for debugging purposes (particularly the unit tests
of the project itself) and doesn't make sense to include it in the NixOS
module options.

If people want to use this, we might want to introduce another option so
that we can insert arbitrary configuration lines.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-10 21:37:12 +02:00
aszlig
c1178f171c
nixos/xserver: Use null as default for dpi option
Commit 98d9bba introduced this option as a nullOr type and it actually
checks whether null has been set and only appends -dpi if that's the
case. So let's actually set the default to null instead of 0.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-10 17:46:17 +02:00
Valérian Galliat
b0d1eb4579 Shout: configure with attrs 2016-04-10 10:49:32 -04:00
Vladimír Čunát
30f14243c3 Merge branch 'master' into closure-size
Comparison to master evaluations on Hydra:
  - 1255515 for nixos
  - 1255502 for nixpkgs
2016-04-10 11:17:52 +02:00
Franz Pletz
b667040c7c Merge pull request #14543 from groxxda/fix/minidlna
minidlna: logging via journalctl, use systemd runtimedirectory, install manpages
2016-04-10 01:14:48 +02:00
joachifm
079c03a2c9 Merge pull request #14539 from colemickens/update-plex
Plex: update plex, plexpass; fix plex module to restart
2016-04-09 18:01:58 +02:00
Brandon Edens
98d9bbaec2 Add DPI option to xserver invocation. 2016-04-08 18:53:42 -07:00
Alexander Ried
72cd570421 minidlna: use journalctl for logging, systemd for runtimedir 2016-04-08 23:04:12 +02:00
Alexander Ried
4d87926795 minidlna: use hostname in DLNA friendly name 2016-04-08 23:04:12 +02:00
Cole Mickens
db9640b032 plex module: restart on failure 2016-04-08 10:55:59 -07:00
Emery Hemingway
c7379b30dc u9fs service: switch user with systemd
Drop the broken fsRoot option.
2016-04-08 16:32:30 +02:00
joachifm
6d2df6d578 Merge pull request #14222 from Pleune/fix/iodined-client-mode
iodine service: add client mode implimentation
2016-04-08 02:19:32 +02:00
Eelco Dolstra
133e6e1ea6 httpd.service: Support reload
This is useful when ACME has generated a new TLS certificate.
2016-04-07 17:53:46 +02:00
Thomas Tuegel
4ac323d924 kde5: enable libmtp udev rules 2016-04-07 07:44:26 -05:00
aszlig
64e566a49c
nixos/taskserver: Add module documentation
It's not by any means exhaustive, but we're still going to change the
implementation, so let's just use this as a starting point.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:26:12 +02:00
aszlig
8b793d1916
nixos/taskserver: Rename client.{allow,deny}
These values match against the client IDs only, so let's rename it to
something that actually reflects that. Having client.cert in the same
namespace also could lead to confusion, because the client.cert setting
is for the *debugging* client only.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:26:11 +02:00
aszlig
04fa5dcdb8
nixos/taskserver: Fix type/description for ciphers
Referring to the GnuTLS documentation isn't very nice if the user has to
use a search engine to find that documentation. So let's directly link
to it.

The type was "str" before, but it's actually a colon-separated string,
so if we set options in multiple modules, the result is one concatenated
string.

I know there is types.envVar, which does the same as separatedString ":"
but I found that it could confuse the reader of the Taskserver module.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:22:25 +02:00
aszlig
33f948c88b
nixos/taskserver: Fix type for client.{allow,deny}
We already document that we allow special values such as "all" and
"none", but the type doesn't represent that. So let's use an enum in
conjuction with a loeOf type so that this becomes clear.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:21:42 +02:00
Lluís Batlle i Rossell
e1bcc27f1a Making trac/ldap handle httpd 2.4.
The option authzldapauthoritative had been removed in 2.4

I pushed this into 16.03 instead of master first. My fault.
(cherry picked from commit 516f47efefc44a5465266fe4d72f9136147d2caf)
2016-04-07 11:40:22 +02:00
Angus Gibson
bb6408ba16 caddy service: initial implementation 2016-04-05 23:45:54 +00:00
aszlig
2d89617052
nixos/taskserver: Rename nixos-taskdctl
Using nixos-taskserver is more verbose but less cryptic and I think it
fits the purpose better because it can't be confused to be a wrapper
around the taskdctl command from the upstream project as
nixos-taskserver shares no commonalities with it.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
78925e4a90
nixos/taskserver: Factor out nixos-taskdctl
With a cluttered up module source it's really a pain to navigate through
it, so it's a good idea to put it into another file.

No changes in functionality here, just splitting up the files and fixing
references.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
0141b4887d
nixos/taskserver: Use nixos-taskdctl in preStart
Finally, this is where we declaratively set up our organisations and
users/groups, which looks like this in the system configuration:

services.taskserver.organisations.NixOS.users = [ "alice" "bob" ];

This automatically sets up "alice" and "bob" for the "NixOS"
organisation, generates the required client keys and signs it via the
CA.

However, we still need to use nixos-taskdctl export-user in order to
import these certificates on the client.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
227229653a
nixos/taskserver: Add a nixos-taskdctl command
It's a helper for NixOS systems to make it easier to handle CA
certificate signing, similar to what taskd provides but comes preseeded
with the values from the system configuration.

The tool is very limited at the moment and only allows to *add*
organisations, users and groups. Deletion and suspension however is much
simpler to implement, because we don't need to handle certificate
signing.

Another limitation is that we don't take into account whether
certificates and keys are already set in the system configuration and if
they're set it will fail spectacularly.

For passing the commands to the taskd command, we're using a small C
program which does setuid() and setgid() to the Taskserver user and
group, because runuser(1) needs PAM (quite pointless if you're already
root) and su(1) doesn't allow for setting the group and setgid()s to the
default group of the user, so it even doesn't work in conjunction with
sg(1).

In summary, we now have a shiny nixos-taskdctl command, which lets us do
things like:

nixos-taskdctl add-org NixOS
nixos-taskdctl add-user NixOS alice
nixos-taskdctl export-user NixOS alice

The last command writes a series of shell commands to stdout, which then
can be imported on the client by piping it into a shell as well as doing
it for example via SSH:

ssh root@server nixos-taskdctl export-user NixOS alice | sh

Of course, in terms of security we need to improve this even further so
that we generate the private key on the client and just send a CSR to
the server so that we don't need to push any secrets over the wire.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
5146f76095
nixos/taskserver: Add an option for organisations
We want to declaratively specify users and organisations, so let's add
another module option "organisations", which allows us to specify users,
groups and of course organisations.

The implementation of this is not yet done and this is just to feed the
boilerplate.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
274fe2a23b
nixos/taskserver: Fix generating server cert
We were generating a self-signed certificate for the server so far,
which we obviously don't want.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
77d7545fac
nixos/taskserver: Introduce a new fqdn option
Using just the host for the common name *and* for listening on the port
is quite a bad idea if you want to listen on something like :: or an
internal IP address which is proxied/tunneled to the outside.

Hence this separates host and fqdn.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
d94ac7a454
nixos/taskserver: Use types.str instead of string
The "string" option type has been deprecated since a long time
(800f9c2), so let's not use it here.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
411c6f77a3
nixos/taskserver: Add trust option to config file
The server starts up without that option anyway, but it complains about
its value not being set. As we probably want to have access to that
configuration value anyway, let's expose this via the NixOS module as
well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
1f410934f2
nixos/taskserver: Properly indent CA config lines
No change in functionality, but it's easier to read when properly
indented.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
3d820d5ba1
nixos/taskserver: Refactor module for CA creation
Now the service starts up if only the services.taskserver.enable option
is set to true.

We now also have three systemd services (started in this order):

 * taskserver-init: For creating the necessary data directory and also
                    includes a refecence to the configuration file in
                    the Nix store.
 * taskserver-ca:   Only enabled if none of the server.key, server.cert,
                    server.crl and caCert options are set, so we can
                    allow for certificates that are issued by another
                    CA.
                    This service creates a new CA key+certificate and a
                    server key+certificate and signs the latter using
                    the CA key.
                    The permissions of these keys/certs are set quite
                    strictly to allow only the root user to sign
                    certificates.
 * taskserver:      The main Taskserver service which just starts taskd.

We now also log to stdout and thus to the journal.

Of course, there are still a few problems left to solve, for instance:

 * The CA currently only signs the server certificates, so it's
   only usable for clients if the server doesn't validate client certs
   (which is kinda pointless).
 * Using "taskd <command>" is currently still a bit awkward to use, so
   we need to properly wrap it in environment.systemPackages to set the
   dataDir by default.
 * There are still a few configuration options left to include, for
   example the "trust" option.
 * We might want to introduce an extraConfig option.
 * It might be useful to allow for declarative configuration of
   organisations and users, especially when it comes to creating client
   certificates.
 * The right signal has to be sent for the taskserver service to reload
   properly.
 * Currently the CA and server certificates are created using
   server.host as the common name and doesn't set additional certificate
   information. This could be improved by adding options that explicitly
   set that information.

As for the config file, we might need to patch taskd to allow for
setting not only --data but also a --cfgfile, which then omits the
${dataDir}/config file. We can still use the "include" directive from
the file specified using --cfgfile in order to chainload
${dataDir}/config.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
6d38a59c2d
nixos/taskserver: Improve module options
The descriptions for the options previously seem to be from the
taskdrc(5) manual page. So in cases where they didn't make sense for us
I changed the wording a bit (for example for client.deny we don't have a
"comma-separated list".

Also, I've reordered things a bit for consistency (type, default,
example and then description) and add missing types, examples and
docbook tags.

Options that are not used by default now have a null value, so that we
can generate a configuration file out of all the options defined for the
module.

The dataDir default value is now /var/lib/taskserver, because it doesn't
make sense to put just yet another empty subdirectory in it and "data"
doesn't quite make sense anyway, because it also contains the
configuration file as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
8081c791e9
nixos/taskserver: Remove options for log/pidFile
We're aiming for a proper integration into systemd/journald, so we
really don't want zillions of separate log files flying around in our
system.

Same as with the pidFile. The latter is only needed for taskdctl, which
is a SysV-style initscript and all of its functionality plus a lot more
is handled by systemd already.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
aszlig
5060ee456c
nixos/taskserver: Unify taskd user and group
The service doesn't start with the "taskd" user being present, so we
really should add it. And while at it, it really makes sense to add a
default group as well.

I'm using a check for the user/group name as well, to allow the
taskserver to be run as an existing user.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00
Matthias Beyer
e6ace2a76a
taskd service: Add initialization script 2016-04-05 18:53:31 +02:00
Matthias Beyer
da53312f5c
Add services file for taskwarrior server service 2016-04-05 18:53:31 +02:00
joachifm
376b57fefe Merge pull request #14396 from peterhoeg/dbus
dbus nixos module: add units for systemd user session
2016-04-02 22:23:42 +00:00
joachifm
687d21e4fd Merge pull request #14405 from jerith666/crashplan-46-r2
Crashplan 46 r2
2016-04-02 22:06:40 +00:00
Matt McHenry
213a8a1e96 crashplan: fix vardir file existence check 2016-04-02 16:43:12 -04:00
Peter Hoeg
83cb6ec399 dbus nixos module: add units for systemd user session
This patch makes dbus launch with any user session instead of
leaving it up to the desktop environment launch script to run it.

It has been tested with KDE, which simply uses the running daemon
instead of launching its own.

This is upstream's recommended way to run dbus.
2016-04-02 23:11:57 +08:00
joachifm
b9ba6e2f6b Merge pull request #14297 from elitak/mfi
mfi: init at 2.1.11
2016-04-01 14:57:28 +00:00
Arseniy Seroka
882d0b35b8 Merge pull request #14145 from MostAwesomeDude/tahoe
services: Add Tahoe-LAFS service.
2016-04-01 15:23:37 +03:00
Eric Litak
0de2d2fbcd mfi: init at 2.1.11
This package has some outdated dependencies, so old versions of mongodb
and v8 had to be re-added as well.
2016-04-01 02:45:11 -07:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
rnhmjoj
a98a918b10 syncthing: run daemon with dedicated user as default 2016-04-01 01:26:52 +02:00
Corbin
e3e5633307 services: Add Tahoe-LAFS service.
Including systemd configuration and much of the standard storage node and
introducer configuration.
2016-03-31 14:01:09 -07:00
Nikolay Amiantov
63f1eb6b00 xserver service: add glamoregl for intel drivers
Closes #14286

Credits to vcunat for the initial patch.
2016-03-29 18:52:04 +03:00
Franz Pletz
dcae10ebda wpa_supplicant service: Depend on interfaces being present 2016-03-28 21:52:23 +00:00
Nikolay Amiantov
25754a5fc2 uwsgi service: use python.buildEnv, fix PATH 2016-03-27 19:23:01 +03:00
Nikolay Amiantov
ea5c7d553c dspam service: run after postgresql to prevent segfaults 2016-03-27 19:23:01 +03:00
Kevin Cox
26bd115c9c etcd: 2.1.2 -> 2.3.0 2016-03-26 22:47:15 -04:00
Mitchell Pleune
879778091a iodine service: add clients implimentation
- services.iodined moved to services.iodine
- configuration file backwards compatable
- old iodine server configuration moved to services.iodine.server
- attribute set services.iodine.clients added to specify any number
  of iodine clients
  - example:
    iodine.clients.home = { server = "iodinesubdomain.yourserver.com"; ... };
  - client services names iodine-name where name would be home
2016-03-26 21:16:29 -04:00
Eelco Dolstra
fca9b335ae Hide sendmailSetuidWrapper 2016-03-25 16:08:34 +01:00
Domen Kožar
7a89a85622 nix.useChroot: allow 'relaxed' as a value 2016-03-25 12:50:39 +00:00
Arseniy Seroka
2358582976 Merge pull request #14045 from otwieracz/master
znapzend: added
2016-03-24 23:10:40 +03:00
Slawomir Gonet
3ff417cbb7 znapzend service: init at 0.15.3 2016-03-24 20:57:33 +01:00
Joachim Fasting
1ca4610577 dnscrypt-proxy service: change default upstream resolver
Previously, the cisco resolver was used on the theory that it would
provide the best user experience regardless of location.  The downsides
of cisco are 1) logging; 2) missing supoprt for DNS security extensions.

The new upstream resolver is located in Holland, supports DNS security,
and *claims* to not log activity. For users outside of Europe, this will
mean reduced performance, but I believe it's a worthy tradeoff.
2016-03-24 17:14:22 +01:00
Joachim Fasting
9bf6e64860 dnscrypt-proxy service: use dynamic uid/gid
The daemon doesn't have any portable data, reserving a
UID/GID for it is redundant.

This frees up UID/GID 151.
2016-03-24 17:14:22 +01:00
Joachim Fasting
03bdf8f03c dnscrypt-proxy service: additional hardening
Run the daemon with private /home and /run/user to
prevent it from enumerating users on the system.
2016-03-24 17:14:22 +01:00
Joachim Fasting
4001917359 dnscrypt-proxy service: cosmetic enhancements 2016-03-24 17:14:22 +01:00
Mitchell Pleune
927aaecbcb iodined service: wantedBy ip-up.target
When iodined tries to start before any interface other than loopback has an ip, iodined fails.
Wait for ip-up.target

The above is because of the following:
in iodined's code: src/common.c line 157
	the flag AI_ADDRCONFIG is passed as a flag to getaddrinfo.
	Iodine uses the function

		get_addr(char *host,
			int port,
			int addr_family,
			int flags,
			struct sockaddr_storage *out);

	to get address information via getaddrinfo().

	Within get_addr, the flag AI_ADDRCONFIG is forced.

	What this flag does, is cause getaddrinfo to return
	"Name or service not known" as an error explicitly if no ip
	has been assigned to the computer.
	see getaddrinfo(3)

Wait for an ip before starting iodined.
2016-03-22 23:40:49 -04:00
Pascal Wittmann
4295ad5ee8 Merge pull request #14079 from NixOS/add-radicale-user
radicale service: run with dedicated user
2016-03-21 13:56:23 +01:00
Domen Kožar
1536834ee0 Merge pull request #14066 from jerith666/crashplan-46
crashplan: 3.6.4 -> 4.6.0
2016-03-20 20:10:28 +00:00
Matt McHenry
447c97f929 crashplan: 3.6.4 -> 4.6.0
* the major change is to set TARGETDIR=${vardir}, and symlink from
  ${vardir} back to ${out} instead of the other way around.  this
  gives CP more liberty to write to more directories -- in particular
  it seems to want to write some configuration files outside of conf?

* run.conf does not need 'export'

* minor tweaks to CrashPlanDesktop.patch
2016-03-20 13:56:54 -04:00
joachifm
3273605aef Merge pull request #14033 from joachifm/clfswm-broken
Mark clfswm as broken
2016-03-20 15:27:41 +00:00
Pascal Wittmann
a491b75523 radicale service: run with dedicated user
This is done in the context of #11908.
2016-03-20 15:50:14 +01:00
Joachim Fasting
e891e50946 nixos: disable the clfswm window manager module 2016-03-19 15:52:18 +01:00
Peter Simons
5391882ebd services.xserver.startGnuPGAgent: remove obsolete NixOS option
GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
longer requires (or even supports) the "start everything as a child of the
agent" scheme we've implemented in NixOS for older versions.

To configure the gpg-agent for your X session, add the following code to
~/.xsession or some other appropriate place that's sourced at start-up:

    gpg-connect-agent /bye
    GPG_TTY=$(tty)
    export GPG_TTY

If you want to use gpg-agent for SSH, too, also add the settings

    unset SSH_AGENT_PID
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"

and make sure that

    enable-ssh-support

is included in your ~/.gnupg/gpg-agent.conf.

The gpg-agent(1) man page has more details about this subject, i.e. in the
"EXAMPLES" section.
2016-03-18 11:06:31 +01:00
Peter Simons
de11380679 nixos/modules/services/x11/xserver.nix: fix minor typo 2016-03-18 11:02:01 +01:00
Peter Simons
a0ab4587b7 Set networking.firewall.allowPing = true by default.
This patch fixes https://github.com/NixOS/nixpkgs/issues/12927.

It would be great to configure good rate-limiting defaults for this via
/proc/sys/net/ipv4/icmp_ratelimit and /proc/sys/net/ipv6/icmp/ratelimit,
too, but I didn't since I don't know what a "good default" would be.
2016-03-17 19:40:13 +01:00
Joachim Fasting
12877098cb dnscrypt-proxy service: expose option to use ephemeral keys
Some users may wish to improve their privacy by using per-query
key pairs, which makes it more difficult for upstream resolvers to
track users across IP addresses.
2016-03-17 15:02:33 +01:00
Joachim Fasting
a0663e3709 dnscrypt-proxy service: documentation fixes
- fix `enable` option description
  using `mkEnableOption longDescription` is incorrect; override
  `description` instead
- additional details for proper usage of the service, including
  an example of the recommended configuration
- clarify `localAddress` option description
- clarify `localPort` option description
- clarify `customResolver` option description
2016-03-17 14:18:30 +01:00
Franz Pletz
38579a1cc9 gitlab service: Remove emailFrom option
Not being used anymore. Use `services.gitlab.extraConfig.gitlab.email_from`
instead.
2016-03-17 04:16:25 +01:00
Peter Simons
6c601ed1f0 Merge pull request #13838 from peti/drop-old-dovecot-versions
Drop support for dovecot 2.1.x from Nixpkgs and NixOS.
2016-03-16 14:36:52 +01:00