* Fix the FW names
FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw.
* Update the comment (documentation) at the top
Order the chains of the main table alphabetically (like in the rest of
the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop
(used while reloading the firewall).
* Refactor the module (mainly comments)
- Move some attributes to the top for better visibility (that should
hopefully make it easier to read and understand this module without
jumping around too much).
- Add some missing examples and improve some descriptions.
- Reorder the mkOption attributes for consistency.
- Wrap lines at 72 characters.
- Use two spaces between sentences.
This adds pulseaudio.daemon.config, which is a set of keys to values
which are directly translated to keys and values of pulseaudio's
daemon.conf, e. g.
hardware.pulseaudio.daemon.config = { flat-volumes = "no"; }
becomes
flat-volumes=no
in pulse/daemon.conf.
The reason being less mental overhead when reading upstream
documentation. Examples can be pasted right into the configuration
instead of translating to Nix attrset first.
Make sure that the output of the sieve compiler produces files that
have a newer time stamp than the source sieve script. Otherwise you
get errors in the logs about Dovecot not being able to compile do to a
permission issue.
ckb is a driver for Corsair keyboards/mice. It also contains a graphical tool for configuring their LED backlight settings.
The driver is implemented as a userland daemon. A NixOS module is included that runs this as a systemd service.
The content of programs.zsh.interactiveShellInit was
inserted too soon in the generated zshrc
This caused some settings related to autocompletion to be ignored
This reverts commit 712e62c260.
This commit broke NixOS containers. Systemd wouldn't detect if a container
started successfully and would kill it again after a grace period.
Additionally this prints mount errors due to already mounted filesystems
at boot.
I have left in 2 NixOS custom config directives, so the configuration
should be the same with the only change in behaviour being that the
service is not eagerly loaded but in fact only socket activated, which
it should be.
Using outputsToInstall the intended behaviour of including host and dnsutils
when bind is installed can be implemented instead of using symlinks to fix
installing all outputs individually with nix-env.
Fixes#19761.
It hides bugs and do you ever actually want to serve up an empty directory?
It was pretty confusing to me when it tried to write into a read-only store
path because I accidentally pointed it to the wrong store path.
Until now nixos only delivered the latest zfs release. This release is often not
compatible with the latest mainline kernel. Therefor an unstable variant is
added, which might be based on testing releases or git revisions.
fixes#21359
perlPackages.TextWrapI18N: init at 0.06
perlPackages.Po4a: init at 0.47
jade: init at 1.2.1
ding-libs: init at 0.6.0
Switch nscd to no-caching mode if SSSD is enabled.
abbradar: disable jade parallel building.
Closes#21150
This code in amazon-image.nix:
if mountFS "$device" "$mp" "" auto; then
if [ -z "$diskForUnionfs" ]; then diskForUnionfs="$mp"; fi
fi
relies on mountFS to return a zero exit status if mounting
succeeds. But the lustrateRoot check in mountFS was causing a non-zero
exit status. As a result /disk0 would be mounted, but not used for
/tmp.
(cherry picked from commit d082ed8c35dec48aee2afd1303b3c8b2a1b242b0)
/etc/hostname is the file used by hostnamectl(1) and the
org.freedesktop.hostname1 dbus service (both provided by systemd) to get
the "static hostname". Better provide it so that users of those
tools/services get a proper hostname.
An example of an issue created by the lack of /etc/hostname is that the
bluetooth stack on NixOS identifies itself to peers as "BlueZ $VERSION"
instead of the hostname.
References:
https://www.freedesktop.org/software/systemd/man/hostname.html
Changes v1 -> v2:
* ensure /etc/hostname ends with a newline
* cpu-freq: Try powersave if ondemand is not available
* Revert "cpu-freq: Try powersave if ondemand is not available"
This reverts commit 4dc56db37e32dcfecd667ebbf88263e47b296097.
Consult available scaling governors; for freshly generated configs, this provides a better experience than relying on a default that might not work everywhere.
* fix/asterisk-module: use unix-group for asterisk-files
* fix/asterisk-module: add configOption to use some default config-files
* fix/asterisk-module: correction of skel copy
* fix/asterisk-module: use /etc/asterisk as configDir
* fix/asterisk-module: add reload; do not restart unit
* asterisk: 13.6.0 -> 14.1.2
* fix/asterisk: compile with lua, pjsip, format_mp3
* fix/asterisk: fix indentation
* fix/asterisk: remove broken flag
The profile minimal has several drawbacks: no man pages, unusual 'dbus'
lib that makes many X11 pieces to rebuild, etc.
With xz compression in the squashfs, despite these additions, the iso is
smaller than what it was in 16.09.
It seems that it is a GPL violation to distribute zfs in the
installation ISOs.
https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/
If anyone knows the issue better and has a reason to reenable it
legally, feel free to reenable it. I don't know much about it.
The current default value of listenAddress = null blows up:
$ nixos-rebuild build
error: cannot coerce null to a string, at
.../nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix:97:16
With listenAddress = "" we use the same default as upstream and there is
no blow up :-)
...by providing a default value of "no labels" (an empty attrset).
Without this change we get
$ nixos-rebuild test -I nixpkgs=.
building Nix...
building the system configuration...
error: The option `services.prometheus.scrapeConfigs.[definition 1-entry 1].static_configs.[definition 1-entry 1].labels' is used but not defined.
which is unneeded, because labels _are_ optional.
All the new options in detail:
Enable docker in multi-user.target make container created with restart=always
to start. We still want socket activation as it decouples dependencies between
the existing of /var/run/docker.sock and the docker daemon. This means that
services can rely on the availability of this socket. Fixes#11478#21303
wantedBy = ["multi-user.target"];
This allows us to remove the postStart hack, as docker reports on its own when
it is ready.
Type=notify
The following will set unset some limits because overhead in kernel's ressource
accounting was observed. Note that these limit only apply to containerd.
Containers will have their own limit set.
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Upgrades may require schema migrations. This can delay the startup of dockerd.
TimeoutStartSec=0
Allows docker to create its own cgroup subhierarchy to apply ressource limits on
containers.
Delegate=true
When dockerd is killed, container should be not affected to allow
`live restore` to work.
KillMode=process
currently services.nginx does not start up if `networking.enableIPv6 = false`
the commit changes the nginx behavior to handle this case accordingly.
The commit resolves#21308
Overlayfs is quite a bit faster, e.g. with it the KDE 5 test takes ~7m
instead of ~30m on my laptop (which is still not great, since plain
9pfs is ~4m30s).
The structured options are incomplete compared to upstream and I think
it will be a maintenance burden to try to keep up. Instead, provide an
option for the raw config file contents (prometheus.yml).
This works around:
machine: must succeed: nix-store -qR /run/current-system | grep nixos-
machine# error: changing ownership of path ‘/nix/store’: Invalid argument
Probably Nix shouldn't be anal about the ownership of the store unless
it's trying to build/write to the store.
http://hydra.nixos.org/build/45093872/nixlog/17/raw
(cherry picked from commit 57a0f140643cde409022e297ed05e05f8d34d778)
Previously we were using two or three (qemu_kvm, qemu_test, and
qemu_test with a different dbus when minimal.nix is included).
(cherry picked from commit 8bfa4ce82ea7d23a1d4c6073bcc044e6bf9c4dbe)
This option is defined in qemu-vm.nix, but that module is not always
imported.
http://hydra.nixos.org/build/44817443
(cherry picked from commit 03c55005dfd6fbcd5cf8e00128a3bb6336b3bc0f)
Otherwise it starts way too early, only to fail and having to restart
until devices are available. It is less wasteful to simply wait until
there's a reasonable chance of success. This is consistent with
upstream.
networkd options are always correct or up to date. This option allows to by
pass type checking. It is also easier to write because examples can be just copy
and paste from manpages.
Networkd units can contain secrets. In future also wireguard vpn will be supported by
networkd. To avoid leakage of private keys, those could be then also put outside
of the /nix/store
Having a writeable /etc/systemd/network also allows to quick fix network issues,
when upgrading `nixos-rebuild switch` would require network on its own (due
updates).
This reverts commit 656cc3acaf because it
causes building the manual to fail:
$ nixos-rebuild build
...
building path(s) ‘/nix/store/s9y5z78z5pssvmixcmv9ix13gs8xj87f-manual-olinkdb’
Writing /nix/store/s9y5z78z5pssvmixcmv9ix13gs8xj87f-manual-olinkdb/manual.db for book(book-nixos-manual)
./man-pages.xml:625: element para: Relax-NG validity error : Did not expect element para there
./man-pages.xml:3: element variablelist: Relax-NG validity error : Element refsection has extra content: variablelist
./man-pages.xml:29: element refsection: Relax-NG validity error : Element refentry has extra content: refsection
./man-pages.xml:3: element reference: Relax-NG validity error : Element reference failed to validate content
./man-pages.xml fails to validate
CC @cleverca22, @Mic92
- most nixos user only require time synchronisation,
while ntpd implements a battery-included ntp server (1,215 LOCs of C-Code vs 64,302)
- timesyncd support ntp server per interface (if configured through dhcp for instance)
- timesyncd is already included in the systemd package, switching to it would
save a little disk space (1,5M)
The collectd service runs as an unprivileged user by default, so it does
not leak more information to its data directory than any user can obtain
elsewhere by other means.
If people are running it as root and are worried about information leak,
we can add collectd group and set perms to 750.
CC @offlinehacker.
Fixes#21198.
A secret can be stored in a file. It is written at runtime in the
configuration file.
Note it is also possible to write them in the nix store for dev
purposes.
This commit introduces a nixos module for the Openstack Keystone
service. It also provides a optional bootstrap step that creates some
basic initial resources (tenants, endpoints,...).
The provided test starts Keystone by enabling bootstrapping and checks
if user creation works well.
This commit is based on initial works made by domenkozar.
Split packages in three categories, all of them going into the system
package list:
- pre-requisite packages
- core packages
- optional packages
Add a new configuration option 'environment.lxqt.excludePackages' to
specify optional LXQt packages that should be excluded from system
packages.
Add 'gvfs' as a pre-requisite package, needed by 'pcmanfm-qt' to
handle virtual places, like "Computer" and "Network".
The boot tests import test-instrumentation.nix directly to create a VM
image that only contains things such as the backdoor and serial console
the same way as used by other NixOS VM tests.
With one difference though: It doesn't need nor want to have 9p
filesystems mounted, because we actually want to test an image rather
than re-using most stuff from the host's store.
Change tested against the boot.uefiUsb and ipv6 tests, just that it
becomes clear we don't break either the tests with 9p nor the boot
tests (which were already broken but now succeed).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
even if cups rewrites its config file due to config changes made through
its web-based management UI, we need to keep the PATH pointing to
currently-live nix store directories. fixes#20806.
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.
systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.
Fixes https://github.com/NixOS/nixpkgs/issues/20948
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
- As noted on github, GDM needs different parameters for X.
- Making xserverArgs a true list instead of concat-string helps to
filter it and it feels more correct anyway.
- Tested: gdm+gnome, lightdm+gnome. There seems to be no logout option
in gnome, and gdm doesn't offer other sessions, but maybe these are normal.
It was deprecated and removed from all modules in the tree by #18319.
The wireguard module PR (#17933) was still in the review at the time and
the deprecated usage managed to slip inside.
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel. Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).
With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
Fixes#20713, though I'm certain nixpkgs contains loads of places
without proper quoting, as (ba)sh unfortunately encourages that.
The only plus side is that most of such problems in nixpkgs aren't
actually security problems but mere annoyance to those who are foolish
enough to use "weird" characters in critical names.
Allows one or more directories to be mounted as a read-only file system.
This makes it convenient to run volatile containers that do not retain
application state.
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
riak-cs: added to all-packages
Added Riak CS nix file to pkgs
Added service file for Riak CS
Removed Erlang_basho specific bindings from the Riak CS repo
riak-cs: changed description
riak-cs: added license
riak-cs: added maintainer
riak_cs: chgned indentations
riak-cs: removed overly complex srcs mechanism
riak-cs: added systemd module
riak-cs: changed Erlang module to Basho-specific version
riak-cs: made modular form
riak-cs: Added a default package in service options
riak-cs: Fixed default package in service options
riak-cs: Patched Makefile
riak_cs: added to module-list
riak_cs: changed from string to actual package in modules
riak-cs: changed example
riak-cs: removed default
riak-cs: changed to defaultText
stanchion: changed default option to defaultText
riak-cs: added defaults; changed types to str
riak-cs: added to all-packages
Added Riak CS nix file to pkgs
Added service file for Riak CS
Removed Erlang_basho specific bindings from the Riak CS repo
riak-cs: changed description
riak-cs: added license
riak-cs: added maintainer
riak_cs: chgned indentations
riak-cs: removed overly complex srcs mechanism
riak-cs: added systemd module
riak-cs: changed Erlang module to Basho-specific version
riak-cs: made modular form
riak-cs: Added a default package in service options
riak-cs: Fixed default package in service options
riak-cs: Patched Makefile
riak_cs: added to module-list
riak_cs: changed from string to actual package in modules
Using a custom package set with the NixOS module is no longer
something I wish to support. It's still *possible* but not
advertised. Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
Fix automatic mouse grabbing/releasing when running as a vmware guest.
1. The xf86inputvmmouse is not loaded by default. Add it.
2. InptutDevice sections for which specify a driver are ignored if
AutoAddDevices is enabled (which it is by default). See [1]. Instead use
an InputClass to load the vmmouse driver.
[1] https://www.x.org/archive/X11R7.7/doc/man/man5/xorg.conf.5.xhtml#heading8
The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.
Starting with NixOS/nix@5e51ffb1c2, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.
This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.
So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.
In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).
Tested against the "misc" and "printing" tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It was lacking the dbus configuration to bind to
org.freedesktop.DisplayManager, and it was passing fixed TTY/display
numbers to the X server (see 9be012f0d4).
Using the example before this commit resulted in the following error:
```
error: value is a string while a list was expected, at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/services/misc/nix-daemon.nix:349:37
```
* Sync systemd units with upstream. Upstream uses SIGUSR2 instead of SIGHUP
to reload the clamd service.
* Convert freshclam service to a oneshot service activated by a systemd timer.
This way we can make clamd wait for freshclam to finish fetching the virus
database before failing to start if the database doesn't exist yet.
* Fixes console tools to work as expected as they require hardcoded config
file locations.
The old etcd port 4001 is no longer enabled by default in etcd 3.
The new port is 2379 and is officially assigned by IANA.
There were still some services left that expect etcd on port 4001 by default.
This changes the default to 2379 everywhere.
It should not cause problems for users as the etcd by nix does listen on the new port only by default anyway.
This needs to be included for VirtualBox to detect that it needs to start the video driver. "modesetting" is also set in virtualbox-image.nix but this line seems to take precedence over that one (even though the virtualbox-image.nix has a higher override?) This should fix the problems that I and a few others have been having with the .ova files built for nixos.org.
Fixes#20007.
