Commit Graph

10598 Commits

Author SHA1 Message Date
Matthew Bauer
d468f4b27e
Merge pull request #57139 from delroth/firewall-dedup
nixos/firewall: canonicalize ports lists
2019-03-25 22:15:17 -04:00
Ben Gamari
f2bdc91b35 nixos/gitlab: Allow configuration of extra initializers
This adds a configuration option allowing the addition of additional
initializers in config/extra-gitlab.rb.
2019-03-25 15:18:35 -04:00
Samuel Dionne-Riel
60847311e6 nixos/virtualbox-image: set the root fsType to reenable root FS resizing
This otherwise does not eval `:tested` any more, which means no nixos
channel updates.

Regression comes from 0eb6d0735f (#57751)
which added an assertion stopping the use of `autoResize` when the
filesystem cannot be resized automatically.
2019-03-24 22:41:26 -04:00
Danylo Hlynskyi
40cc269561
Merge branch 'master' into postgresql-socket-in-run 2019-03-25 01:06:59 +02:00
Benjamin Staffin
c94005358c NixOS: Run Docker containers as declarative systemd services (#55179)
* WIP: Run Docker containers as declarative systemd services

* PR feedback round 1

* docker-containers: add environment, ports, user, workdir options

* docker-containers: log-driver, string->str, line wrapping

* ExecStart instead of script wrapper, %n for container name

* PR feedback: better description and example formatting

* Fix docbook formatting (oops)

* Use a list of strings for ports, expand documentation

* docker-continers: add a simple nixos test

* waitUntilSucceeds to avoid potential weird async issues

* Don't enable docker daemon unless we actually need it

* PR feedback: leave ExecReload undefined
2019-03-25 00:59:09 +02:00
Bob van der Linden
d8dc1226f4
nixos/openvswitch: /var/run -> /run 2019-03-24 21:15:34 +01:00
Bob van der Linden
8c1e00095a
nixos/docker: /var/run -> /run 2019-03-24 21:15:34 +01:00
Bob van der Linden
1eefda5595
nixos/xpra: /var/run -> /run 2019-03-24 21:15:33 +01:00
Bob van der Linden
889bb1e91e
nixos/kodi: /var/run -> /run 2019-03-24 21:15:33 +01:00
Bob van der Linden
65710d1df5
nixos/mighttpd2: /var/run -> /run 2019-03-24 21:15:33 +01:00
Bob van der Linden
f09fb4d4dd
nixos/tt-rss: /var/run -> /run 2019-03-24 21:15:32 +01:00
Bob van der Linden
9b100c4e6f
nixos/selfoss: /var/run -> /run 2019-03-24 21:15:32 +01:00
Bob van der Linden
cdc6f2e484
nixos/restya-board: /var/run -> /run 2019-03-24 21:15:31 +01:00
Bob van der Linden
bde23ec9a3
nixos/codimd: /var/run -> /run 2019-03-24 21:15:31 +01:00
Bob van der Linden
60481ba3fd
nixos/hologram-agent: /var/run -> /run 2019-03-24 21:15:30 +01:00
Bob van der Linden
798931135e
nixos/fcron: /var/run -> /run 2019-03-24 21:15:30 +01:00
Bob van der Linden
0cf1944c36
nixos/cups: /var/run -> /run 2019-03-24 21:15:30 +01:00
Bob van der Linden
323e8ef375
nixos/xrdp: /var/run -> /run 2019-03-24 21:15:29 +01:00
Bob van der Linden
210b7134d3
nixos/wpa_supplicant: /var/run -> /run 2019-03-24 21:15:29 +01:00
Bob van der Linden
b9e27ec43e
nixos/supplicant: /var/run -> /run 2019-03-24 21:15:29 +01:00
Bob van der Linden
8062476f73
nixos/raccoon: /var/run -> /run 2019-03-24 21:15:28 +01:00
Bob van der Linden
34738dea2a
nixos/ocserv: /var/run -> /run 2019-03-24 21:15:28 +01:00
Bob van der Linden
cc5f08fed8
nixos/miniupnpd: /var/run -> /run 2019-03-24 21:15:28 +01:00
Bob van der Linden
321bc431cc
nixos/lldpd: /var/run -> /run 2019-03-24 21:15:27 +01:00
Bob van der Linden
1e48222cbe
nixos/ircd-hybrid: /var/run -> /run 2019-03-24 21:15:27 +01:00
Bob van der Linden
937e733c04
nixos/htpdate: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
1a567685b2
nixos/hostapd: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
82dee48ef2
nixos/bind: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
9afbe4c2bd
nixos/avahi-daemon: /var/run -> /run 2019-03-24 21:15:25 +01:00
Bob van der Linden
08558245a4
nixos/asterisk: /var/run -> /run 2019-03-24 21:13:19 +01:00
Dmitry Kalinkin
cf7f234ff5
Merge pull request #57527 from Chiiruno/dev/meguca
Init: statik, Update: easyjson, quicktemplate, meguca, hydron
2019-03-24 15:26:37 -04:00
Andreas Rammhold
af27dbf1d1
Merge pull request #57897 from rnhmjoj/fix-ipv6
nixos/containers: create veths if only IPv6 is configured
2019-03-24 18:17:06 +01:00
worldofpeace
ffe35f3f76 nixos/pantheon: add meta.maintainers 2019-03-24 07:04:28 -04:00
worldofpeace
f812cba2cf nixos/pantheon/files: add meta.maintainers 2019-03-24 07:04:28 -04:00
worldofpeace
415bceed8e nixos/pantheon/contractor: add meta.maintainers 2019-03-24 07:04:28 -04:00
worldofpeace
3565b1775a nixos/gsignond: add meta.maintainers 2019-03-24 07:04:28 -04:00
Tom Fitzhenry
0d67c6a52b syslinux: change serial bit rate to 115200
Prior to this commit an installation over serial via syslinux would
involve:
1. setting bitrate to BIOS's bitrate (typically 115200)
2. setting bitrate to syslinux's bitrate (38400)
3. setting bitrate to stty's bitrate (115200)

By changing syslinux's bitrate to 115200, an installation over serial
is a smoother experience, and consistent with the GRUB2 installation
which is also 115200 bps.

    [root@nixos:~]# stty
    speed 115200 baud; line = 0;
    -brkint ixoff iutf8
    -iexten

In a future commit I will add default serial terminals to the syslinux
kernel lines.
2019-03-24 19:36:30 +11:00
Dmitry Kalinkin
6f95ac3588
Merge pull request #57988 from lopsided98/buildbot-update
buildbot: 1.8.1 -> 2.1.0
2019-03-23 20:38:20 -04:00
markuskowa
d71472beaf
Merge pull request #57434 from ck3d/user-dwm
nixos dwm: start user installed dwm if available
2019-03-23 23:49:34 +01:00
Ben Gamari
2036550a46 nixos/docker-registry: Allow use of non-filesystem storage
Previously this module precluded use of storage backends other than
`filesystem`. It is now possible to configure another storage backend
manually by setting `services.dockerRegistry.storagePath` to `null` and
configuring the other backend via `extraConfig`.
2019-03-23 10:32:56 +00:00
tv
59fac1a6d7 nixos/nginx: use writeNginxConfig 2019-03-23 11:16:14 +01:00
Okina Matara
40d7079f79
nixos/meguca: Add videoPaths, set postgresql version to 11 2019-03-23 01:19:29 -05:00
Ben Wolsieffer
b2e11e0cdf buildbot: 1.8.1 -> 2.1.0 2019-03-22 18:43:15 -04:00
Averell Dalton
028a4b6a53 plex: 1.14.1.5488 -> 1.15.2.793 2019-03-22 20:33:22 +01:00
Sarah Brofeldt
78c95f561f
Merge pull request #58031 from dotlambda/elasticsearch-curator-application
elasticsearch-curator: add top-level package using older click
2019-03-22 20:11:54 +01:00
Gabriel Ebner
03f7c82e62
Merge pull request #57826 from gebner/anbox
anbox: init at 2019-03-07
2019-03-22 19:19:47 +01:00
Dmitry Kalinkin
0e57b98b2c
Merge pull request #57596 from artemist/nginx-return
nixos/nginx: add return option to location
2019-03-22 14:08:33 -04:00
Vladimír Čunát
4c3ec0e325
nixos docs: run the formatting tool (no content change)
As documented in the docs themselves :-)
2019-03-22 14:44:11 +01:00
lewo
715365ee02
Merge pull request #58024 from nlewo/openstack-fstype
openstackImage: set the / fsType to reenable root FS resizing
2019-03-22 14:40:27 +01:00
lewo
c8a65c2d71
Merge pull request #57751 from talyz/master
filesystems: Add autoResize assertion
2019-03-22 14:35:57 +01:00
Vladimír Čunát
11d204a9c4
nixos docs: improve GPU driver documentation
I'm not 100% sure about the incompatibility lines,
but I believe it's better to discourage these anyway.
If you find better information, feel free to amend...

The 32-bit thing is completely GPU-agnostic, so I can't see why we had
it separately for proprietary drivers and missing for the rest.
2019-03-22 14:31:17 +01:00
Jörg Thalheim
e6ad7eeecd
Merge pull request #58055 from dtzWill/fix/zsh-history-dont-export-vars
zsh: don't export HISTFILE and friends
2019-03-22 07:02:29 +00:00
Matthew Bauer
73be6fba8b
Merge pull request #54625 from FlorianFranzen/efi32
grub: Support 32bit EFI on 64bit platforms
2019-03-21 11:39:45 -04:00
Will Dietz
173f79f690 zsh: don't export HISTFILE and friends
Just set them normally.
Exporting them will propagate them to all executed programs
such as bash (as used by nix-shell or nix run),
and badness ensues when different formats are used.
2019-03-21 10:28:20 -05:00
Robert Schütz
c0409de98d elasticsearch-curator: add top-level package using older click
See https://github.com/NixOS/nixpkgs/pull/58023 for a discussion
of why this is necessary. The upstream issue can be found at
https://github.com/elastic/curator/pull/1280.
2019-03-21 11:53:32 +01:00
Antoine Eiche
f116d046f6 openstackImage: set the / fsType to reenable root FS resizing
Since 34234dcb51, the reisizefs tool is
embeded only if the `fsType` starts with `ext`. The default `fsType`
value is `auto`.
2019-03-21 10:04:07 +01:00
Alyssa Ross
0cd7f32a4c
Merge pull request #54627 from FlorianFranzen/waybar
waybar: init at 0.4.0
2019-03-20 23:38:04 +00:00
Samuel Leathers
439936101c
Merge pull request #57856 from Izorkin/zsh-options
nixos/zsh: enable configure history and custom options
2019-03-20 13:08:43 -04:00
Samuel Leathers
cafd07a54e
Merge pull request #56423 from Izorkin/nginx-unit
unit: add service unit and update package
2019-03-20 13:08:05 -04:00
rnhmjoj
552e583ef0
nixos/containers: create veths if only IPv6 is configured
This fixes the failing nixos.tests.containers-ipv6 test. Thanks to andir.
2019-03-20 04:38:10 +01:00
Bob van der Linden
40679eb3c8 nixos/zabbix: /var/run -> /run 2019-03-20 00:02:46 +01:00
Bob van der Linden
3068252913 nixos/nagios: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
78acc82432 nixos/svnserve: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
3f17dcbbfd nixos/spice-vdagentd: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
231d815721 nixos/mbpfan: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
e1376ddd3d nixos/matrix-synapse: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
c67f2f0815 nixos/spamassassin: /var/run -> /run 2019-03-20 00:02:44 +01:00
Bob van der Linden
edd5c88086 nixos/postgrey: /var/run -> /run 2019-03-20 00:02:44 +01:00
Bob van der Linden
0438ad4712 nixos/pfix-srsd: /var/run -> /run 2019-03-20 00:02:44 +01:00
Bob van der Linden
e8434784bd nixos/rethinkdb: /var/run -> /run 2019-03-20 00:02:43 +01:00
Bob van der Linden
af0380997f nixos/redis: /var/run -> /run 2019-03-20 00:02:43 +01:00
Bob van der Linden
09d3ea4f67 nixos/openldap: /var/run -> /run 2019-03-20 00:02:43 +01:00
Bob van der Linden
660ee99293 nixos/mongodb: /var/run -> /run 2019-03-20 00:02:43 +01:00
Bob van der Linden
651f05c47c nixos/couchdb: /var/run -> /run 2019-03-20 00:02:42 +01:00
Bob van der Linden
66fb3aa1be nixos/bacula: /var/run -> /run 2019-03-20 00:01:45 +01:00
Bob van der Linden
9d4bc79003 nixos/zsh: do not use /var/run 2019-03-20 00:01:45 +01:00
Bob van der Linden
8f6aaa8b78 nixos/xonsh: do not use /var/run 2019-03-20 00:01:45 +01:00
Bob van der Linden
45d43a6472 nixos/fish: do not use /var/run 2019-03-20 00:01:45 +01:00
Bob van der Linden
bad7d82487 nixos/bash: do not use /var/run 2019-03-20 00:01:45 +01:00
Alexey Shmalko
89845931e4
acpilight: add to module-list
acpilight package and module have been added to nixpkgs, but the
module hasn't been added to module-list.nix, so using it results in
the following error.

```
The option `hardware.acpilight' defined in `/etc/nixos/configuration.nix' does not exist.
```

Add the module to module-list.nix.
2019-03-19 23:21:36 +02:00
Peter Hoeg
fe97297bb1 logitech (nixos): support module for logitech input devices 2019-03-19 09:58:57 +08:00
Yurii Izorkin
f56d507e06 nixos/datadog-agent: change start command (#57871) 2019-03-18 13:31:04 -07:00
Izorkin
53d05fd0cc nixos/zsh: enable configure history and custom options 2019-03-18 19:57:54 +03:00
Florian Franzen
e51a840259 grub: Support 32bit EFI on 64bit x86 platforms 2019-03-18 10:38:07 +01:00
Florian Franzen
52d0db7e73 nixos/waybar: init module 2019-03-18 09:56:27 +01:00
Edward Tjörnhammar
0f03f28b75 nixos/anbox: init module
Co-authored-by: Luke Adams <luke.adams@belljar.io>
Co-authored-by: Volth <volth@webmaster.ms>
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
Co-authored-by: Edward Tjörnhammar <ed@cflags.cc>
Co-authored-by: Gabriel Ebner <gebner@gebner.org>
2019-03-18 09:28:02 +01:00
Alex Guzman
0c34b9fcf8
nixos/security: make duo support secure failure correctly
seems that this got broken when the config option was made to use enums. "secure" got replaced with "enum", which isn't a valid option for the failure mode.
2019-03-17 18:25:20 -07:00
Izorkin
42a99b1be2 nixos/unit: init service unit 2019-03-16 19:54:21 +03:00
talyz
0eb6d0735f filesystems: Add autoResize assertion
Assert that autoResize is only used when fsType is explicitly set to a
supported filesystem: if it's set to "auto", the default, the required
resizing tools won't be copied into the initrd even if the actual
filesystem is supported.
2019-03-16 13:01:35 +01:00
Vladimír Čunát
3aecf21239
Merge #56922: nixos/knot: init basic service + tests 2019-03-16 09:17:15 +01:00
Silvan Mosberger
056b9d0085
Merge pull request #57633 from talyz/master
amazon-image.nix: Resolve failure to include resize2fs
2019-03-16 05:12:05 +01:00
Janne Heß
b0daedd371 nixos/icingaweb2: Replace most options with toINI 2019-03-15 20:35:29 +01:00
talyz
261372b69c amazon-image.nix: Resolve failure to include resize2fs
Since 34234dcb51, for resize2fs to be automatically included in
initrd, a filesystem needed for boot must be explicitly defined as an
ext* type filesystem.
2019-03-15 17:33:45 +01:00
Florian Jacob
5bec5e8cb1 nixos/mysql: specify option types 2019-03-15 16:32:36 +01:00
Silvan Mosberger
f8de52a2fe
Revert "nixos/nginx: support h2c" 2019-03-15 14:31:11 +01:00
Ryan Mulligan
4b6a41a939
Merge pull request #57077 from callahad/brother-dsseries
dsseries: init at 1.0.5-1
2019-03-14 21:17:31 -07:00
aszlig
ef553788d0
postgresql: Move socket dir to /run/postgresql
The default, which is /tmp, has a few issues associated with it:

One being that it makes it easy for users on the system to spoof a
PostgreSQL server if it's not running, causing applications to connect
to their provided sockets instead of just failing to connect.

Another one is that it makes sandboxing of PostgreSQL and other services
unnecessarily difficult. This is already the case if only PrivateTmp is
used in a systemd service, so in order for such a service to be able to
connect to PostgreSQL, a bind mount needs to be done from /tmp to some
other path, so the service can access it. This pretty much defeats the
whole purpose of PrivateTmp.

We regularily run into issues with this in the past already (one example
would be https://github.com/NixOS/nixpkgs/pull/24317) and with the new
systemd-confinement mode upcoming in
https://github.com/NixOS/nixpkgs/pull/57519, it makes it even more
tedious to sandbox services.

I've tested this change against all the postgresql NixOS VM tests and
they still succeed and I also grepped through the source tree to replace
other occasions where we might have /tmp hardcoded. Luckily there were
very few occasions.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @ocharles, @thoughtpolice, @danbst
2019-03-15 04:52:35 +01:00
aszlig
d13ad389b4
nixos/confinement: Explicitly set serviceConfig
My implementation was relying on PrivateDevices, PrivateTmp,
PrivateUsers and others to be false by default if chroot-only mode is
used.

However there is an ongoing effort[1] to change these defaults, which
then will actually increase the attack surface in chroot-only mode,
because it is expected that there is no /dev, /sys or /proc.

If for example PrivateDevices is enabled by default, there suddenly will
be a mounted /dev in the chroot and we wouldn't detect it.

Fortunately, our tests cover that, but I'm preparing for this anyway so
that we have a smoother transition without the need to fix our
implementation again.

Thanks to @Infinisil for the heads-up.

[1]: https://github.com/NixOS/nixpkgs/issues/14645

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-15 04:13:01 +01:00
Silvan Mosberger
fb879ae920
Merge pull request #57174 from worldofpeace/pantheon/cleanup
nixos/pantheon cleanup
2019-03-15 01:26:49 +01:00
aszlig
9e9af4f9c0
nixos/confinement: Allow to include the full unit
From @edolstra at [1]:

  BTW we probably should take the closure of the whole unit rather than
  just the exec commands, to handle things like Environment variables.

With this commit, there is now a "fullUnit" option, which can be enabled
to include the full closure of the service unit into the chroot.

However, I did not enable this by default, because I do disagree here
and *especially* things like environment variables or environment files
shouldn't be in the closure of the chroot.

For example if you have something like:

  { pkgs, ... }:

  {
    systemd.services.foobar = {
      serviceConfig.EnvironmentFile = ${pkgs.writeText "secrets" ''
        user=admin
        password=abcdefg
      '';
    };
  }

We really do not want the *file* to end up in the chroot, but rather
just the environment variables to be exported.

Another thing is that this makes it less predictable what actually will
end up in the chroot, because we have a "globalEnvironment" option that
will get merged in as well, so users adding stuff to that option will
also make it available in confined units.

I also added a big fat warning about that in the description of the
fullUnit option.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 20:04:33 +01:00