Commit Graph

18593 Commits

Author SHA1 Message Date
Doron Behar
35521e4ea7
Merge pull request #95599 from doronbehar/module/mpd/passwordFile
nixos/mpd: Allow to configure a credentialsFile
2020-09-11 09:11:13 +03:00
Orivej Desh
21b2900bd4 nixos/plasma5: fix build with hardware.bluetooth.enable = true after #97456 2020-09-11 05:29:57 +00:00
Vladimír Čunát
538e558f48
Revert "Merge #96844: nixos/nfsd: run rpc-statd as a normal user"
This reverts commit 42eebd7ade, reversing
changes made to b169bfc9e2.

This breaks nfs3.simple test and even current PR #97656 wouldn't fix it.
Therefore let's revert for now to unblock the channels.
2020-09-10 21:31:35 +02:00
Florian Klink
ee55841b22
Merge pull request #97346 from NinjaTrappeur/nin-fix-vm-rm-state
test-driver.py: fix VM state directory deletion
2020-09-10 21:31:02 +02:00
Florian Klink
303078d9ca
Merge pull request #97303 from martinetd/systemd-confinement-list
systemd-confinement: handle ExecStarts etc being lists
2020-09-10 21:17:17 +02:00
Tethys Svensson
b32701bc54 nixos/systemd-boot: Temporarily ignore errors
This is a temporary fix for #97433. A more proper fix has been
implemented upstream in systemd/systemd#17001, however until it gets
backported, we are stuck with ignoring the error.

After the backport lands, this commit should be reverted.
2020-09-10 20:56:04 +02:00
Florian Klink
484632983f
Merge pull request #97631 from Izorkin/nginx-sandboxing
nixos/nginx: remove option enableSandbox
2020-09-10 20:33:25 +02:00
Vladimír Čunát
ec49caa0b0
nixos release notes: fixup build after #96991 2020-09-10 19:57:21 +02:00
Doron Behar
b4756fe0c4 nixos/mpd: Mention in /etc/mpd.conf it was autogenerated 2020-09-10 18:00:29 +03:00
Kevin Cox
91032af924
Merge pull request #97592 from NixOS/kevincox-chrony-state
chrony: Create state directory with correct owner.
2020-09-10 09:49:55 -04:00
Sascha Grunert
35f7a3347c
kubernetes: fix certificate generation
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-09-10 13:07:32 +02:00
Félix Baylac-Jacqué
a4a1c016a3
Merge pull request #97526 from immae/fix_ejabberd
nixos/ejabberd: Fix tests
2020-09-10 10:21:11 +02:00
Gabriel Ebner
0256763808
Merge pull request #97596 from gebner/fix-qt5ct
nixos/qt5ct: do not require qtstyleplugins
2020-09-10 08:51:21 +02:00
Izorkin
535896671b
nixos/nginx: remove option enableSandbox 2020-09-10 08:19:20 +03:00
Ryan Mulligan
531c08a1d9 nixos/jitsi-meet: add docs 2020-09-09 22:18:20 -07:00
Jörg Thalheim
940195c0e7
Merge pull request #96991 from Mic92/sshd 2020-09-10 06:13:07 +02:00
WORLDofPEACE
f7a6a1a183
Merge pull request #96092 from nbraud/security/rngd
nixos/modules/security/rngd: Disable by default
2020-09-09 21:53:41 -04:00
worldofpeace
ca674c1769 rl-2009: document rngd 2020-09-09 21:52:48 -04:00
nicoo
e64d3f60fb nixos/modules/security/rngd: Disable by default
`rngd` seems to be the root cause for slow boot issues, and its functionality is
redundant since kernel v3.17 (2014), which introduced a `krngd` task (in kernel
space) that takes care of pulling in data from hardware RNGs:

> commit be4000bc4644d027c519b6361f5ae3bbfc52c347
> Author: Torsten Duwe <duwe@lst.de>
> Date:   Sat Jun 14 23:46:03 2014 -0400
>
>     hwrng: create filler thread
>
>     This can be viewed as the in-kernel equivalent of hwrngd;
>     like FUSE it is a good thing to have a mechanism in user land,
>     but for some reasons (simplicity, secrecy, integrity, speed)
>     it may be better to have it in kernel space.
>
>     This patch creates a thread once a hwrng registers, and uses
>     the previously established add_hwgenerator_randomness() to feed
>     its data to the input pool as long as needed. A derating factor
>     is used to bias the entropy estimation and to disable this
>     mechanism entirely when set to zero.

Closes: #96067
2020-09-09 21:51:25 -04:00
Ismaël Bouya
cdaec7e9ed
ejabberd: fix failing tests
This commit fixes the ejabberd tests for hydra:

mod_http_upload and mod_disco need to be explicitly enabled, and a
handler needs to be setup to make it work. Also, the client needs to be
able to contact the server.

The commit also fixes the situation where http upload failed: in that
case the client would wait forever because nothing catched the error.

Finally, there remains a non-reproducible error where ejabberd server
fails to start with an error like:
format: "Failed to create cookie file '/var/lib/ejabberd/.erlang.cookie': eacces"
(happens ~15%) I tried to check existence of /var/lib/ejabberd/ in
pre-start script and saw nothing that would explain this error, so I
gave up about this error in particular.
2020-09-10 01:08:22 +02:00
ajs124
c97fcc3fe0
Merge pull request #97438 from pbogdan/openvpn-path
nixos/openvpn: path now requires conversion to a string
2020-09-09 23:59:01 +02:00
Gabriel Ebner
4bf695e988 nixos/qt5ct: do not require qtstyleplugins
These do not build with qt 5.15.
2020-09-09 22:30:32 +02:00
Kevin Cox
57b9d5c144
chrony: Create state directory with correct owner.
Fixes https://github.com/NixOS/nixpkgs/issues/97546
2020-09-09 15:48:48 -04:00
Patryk Wychowaniec
183d9abdaf
lxd: s/sha256/hash 2020-09-09 20:07:17 +02:00
Patryk Wychowaniec
93b8435915
lxd: add wait_for_file() to ensure LXD is actually running 2020-09-09 19:46:21 +02:00
Patryk Wychowaniec
04111cb356
lxd: use stable URL for Alpine's image 2020-09-09 19:30:02 +02:00
WORLDofPEACE
f0f88be1ea
Merge pull request #79370 from sorki/dtoverlays
Improve device-tree overlay support
2020-09-09 11:01:48 -04:00
Richard Marko
6c9df40a4b nixos/device-tree: improve overlays support
Now allows applying external overlays either in form of
.dts file, literal dts context added to store or precompiled .dtbo.

If overlays are defined, kernel device-trees are compiled with '-@'
so the .dtb files contain symbols which we can reference in our
overlays.

Since `fdtoverlay` doesn't respect `/ compatible` by itself
we query compatible strings of both `dtb` and `dtbo(verlay)`
and apply only if latter is substring of the former.

Also adds support for filtering .dtb files (as there are now nearly 1k
dtbs).

Co-authored-by: georgewhewell <georgerw@gmail.com>
Co-authored-by: Kai Wohlfahrt <kai.wohlfahrt@gmail.com>
2020-09-09 16:34:58 +02:00
WORLDofPEACE
f03c63e3f8
Merge pull request #95987 from minijackson/jellyfin-stateVersion-20.09-releaseNotes
nixos/jellyfin: document stateVersion 20.09 in release notes
2020-09-09 10:09:27 -04:00
Thomas Tuegel
959c0bf468
Merge pull request #97456 from ttuegel/master--plasma5-no-qt-5.15
Remove Qt 5.15 from the Plasma 5 closure
2020-09-09 05:14:21 -05:00
Axel Forsman
b6139e58e3 nixos/picom: add experimentalBackends option
This option is only available as a command-line flag and not from the
config file, that is `services.picom.settings`. Therefore it is more
important that it gets its own option.

One reason one might need this set is that blur methods other than
kernel do not work with the old backends, see yshui/picom#464.

For reference, the home-manager picom module exposes this option too.
2020-09-09 11:30:48 +02:00
Minijackson
ad48050cad
nixos/jellyfin: document stateVersion 20.09 in release notes 2020-09-09 09:47:38 +02:00
Ryan Mulligan
a38ffcc20e
Merge pull request #95752 from misuzu/3proxy-test-fix
nixosTests.3proxy: fix flakiness
2020-09-08 20:33:20 -07:00
WORLDofPEACE
e044909aba
Merge pull request #93764 from evenbrenden/xdg-session-id-user-units
nixos/displayManager: add XDG_SESSION_ID to systemd user environment
2020-09-08 21:29:24 -04:00
Peter Hoeg
42eebd7ade
Merge pull request #96844 from peterhoeg/m/nfs
nixos/nfsd: run rpc-statd as a normal user
2020-09-09 09:10:46 +08:00
Matthew Bauer
58823ac103
Merge pull request #97462 from kampka/raspberrypi-builder
Revert "nixos/raspberrypi-builder: fix cross using buildPackages"
2020-09-08 19:25:23 -05:00
WORLDofPEACE
2ab42dcc9e
Merge pull request #97171 from davidak/defaultPackages
nixos/config: add defaultPackages option
2020-09-08 19:40:45 -04:00
WORLDofPEACE
0e7f6a884b
Update nixos/doc/manual/installation/installing.xml
Co-authored-by: Jon <jonringer@users.noreply.github.com>
2020-09-08 19:24:51 -04:00
Lassulus
dd966067ae
Merge pull request #97381 from xaverdh/xmonad-configurable
nixos/xmonad: give users some build and runtime control
2020-09-08 20:57:17 +02:00
Maximilian Bosch
40f7a4ecec
Merge pull request #97371 from WilliButz/bitwarden_rs/environment-file
nixos/bitwarden_rs: add environmentFile option
2020-09-08 20:25:28 +02:00
Christian Kampka
2c6753f9d0
Revert "nixos/raspberrypi-builder: fix cross using buildPackages"
The commit enforces buildPackages in the builder but neglects
the fact that the builder is intended to run on the target system.
Because of that, the builder will fail when remotely building a
configuration eg. with nixops or nix-copy-closure.

This reverts commit a6ac6d00f9.
2020-09-08 20:14:13 +02:00
Maciej Krüger
8c4dd13e3f
nixos/cinnamon: add warpinator & blueberry pkgs 2020-09-08 17:09:12 +02:00
Peter Hoeg
5882e3072a
Merge pull request #97325 from peterhoeg/m/mailhog
nixos/mailhog: run with DynamicUser
2020-09-08 22:55:47 +08:00
Thomas Tuegel
053b05d14d
Remove Qt 5.15 from Plasma closure 2020-09-08 08:47:34 -05:00
Piotr Bogdan
cb141359bf nixos/openvpn: path now requires conversion to a string
Following changes in https://github.com/NixOS/nixpkgs/pull/91092 the `path` attribute is now a list
instead of being a string. This resulted resulted in the following evaluation error:

"cannot coerce a list to a string, at [...]/nixos/modules/services/networking/openvpn.nix:16:18"

so we now need to convert it to the right type ourselves.

Closes https://github.com/NixOS/nixpkgs/issues/97360.
2020-09-08 11:09:04 +01:00
Oleksii Filonenko
45d7f59da8
Merge pull request #97217 from sephii/nixos-caddy-v2-migration 2020-09-08 11:17:55 +03:00
Linus Heckemann
ef4e81d756
Merge pull request #96830 from mayflower/unifi-poller
unifi-poller: add service and prometheus-exporter
2020-09-08 09:53:07 +02:00
Sylvain Fankhauser
b8bfe941fa
caddy: address remaining MR comments for v2 2020-09-08 09:29:04 +02:00
Thomas Tuegel
0b3cc29f09
Merge pull request #97242 from ttuegel/qt-5.15
Qt 5.15.0
2020-09-07 20:18:57 -05:00
Maciej Krüger
04ea3a0ff6
nixos/cinnamon: init
Co-Authored-By: WORLDofPEACE <worldofpeace@protonmail.ch>
2020-09-08 01:44:09 +02:00
Jonathan Ringer
1f3587cdd5 21.03 is Okapi
* Okapi is an artiodactyl mammal native to Central Africa
* https://en.wikipedia.org/wiki/Okapi
2020-09-07 14:20:35 -07:00
Robert Scott
61525137fd
Merge pull request #96958 from servalcatty/v2ray
v2ray: 4.26.0 -> 4.27.5 and add tests
2020-09-07 21:29:51 +01:00
Dominik Xaver Hörl
10ecd1f45b nixos/xmonad: allow passing compile time options to ghc invocation 2020-09-07 20:16:25 +02:00
Dominik Xaver Hörl
15d87cb81c nixos/xmonad: allow passing command line arguments 2020-09-07 19:25:45 +02:00
WilliButz
76362dd7eb
nixos/bitwarden_rs: add environmentFile option
Add the option `environmentFile` to allow passing secrets to the service
without adding them to the Nix store, while keeping the current
configuration via the existing environment file intact.
2020-09-07 17:39:53 +02:00
Evan Stoll
a31736120c nixos/lorri: add package option 2020-09-07 15:46:15 +02:00
Vladimír Čunát
85afe9cbe9
nixos/tests/installer: increase RAM in the VM
1G apparently isn't sufficient anymore, at least in swraid case:
https://hydra.nixos.org/build/126561574
2020-09-07 15:43:37 +02:00
Vladimír Čunát
c1c85b9bad
Merge #97146: 'staging-next' branch
This is the last planned iteration before forking 20.09.
2020-09-07 15:43:36 +02:00
Thomas Tuegel
20bfb27eaf nixos/plasma5: Use Qt 5.14 2020-09-07 08:06:33 -05:00
Félix Baylac-Jacqué
ecb73fd555
test-driver.py: fix VM state directory deletion
The previous version of the code would only kick in if the state
directory path pointed at a *file*, which never occurs. Making that
codepath actually work reveals an ordering bug, which this patch fixes
as well.

It also replaces the confusing, imperative case log message "delete VM
state directory" with "deleting VM state directory".

Finally, we hint the user about how to prevent this deletion. IE. by
passing the --keep-vm-state flag.

Bug report:
https://github.com/NixOS/nixpkgs/pull/91046#issuecomment-685568750

Credit goes to Edef for the rebase on top of a recent nixpkgs commit
and for writing most of this commit message.

Co-authored-by: edef <edef@edef.eu>
2020-09-07 12:26:40 +02:00
Peter Hoeg
d6264419f5 nixos/nfsd: run rpc-statd as a normal user 2020-09-07 18:04:03 +08:00
Peter Hoeg
9123308be5 nixos/mailhog: run with DynamicUser 2020-09-07 17:56:53 +08:00
WilliButz
5d51096839
nixos/prometheus-exporters: fix default firewall filter
Instead of always using the default port of one exporter for its default
firewall filter, the port from the current service configuration is used.
2020-09-07 10:28:36 +02:00
Oleksii Filonenko
c3a7c89a20
release-notes/rl-2009: add item about Caddy v2 2020-09-07 09:39:23 +02:00
Oleksii Filonenko
6322325a53
caddy: 1.0.5 -> 2.0.0
Rename legacy v1 to `caddy1`
2020-09-07 09:39:16 +02:00
worldofpeace
dd2727773a Revert "nixos/qemu-vm: support nix run"
This reverts commit 02590c9620.

02590c9620 (commitcomment-42078853)
2020-09-06 19:45:10 -04:00
Maximilian Bosch
cac5339531
nixos/doc/borgbackup: correct install instructions for vorta
No need to fiddle around with `flatpack` to get `vorta`, a graphical
desktop-client for `borgbackup` running as it's available in `nixpkgs`.
2020-09-06 22:44:37 +02:00
Silvan Mosberger
f822080b05
Merge pull request #68887 from teto/ssh_banner
services.openssh: add banner item
2020-09-06 22:15:25 +02:00
Matthieu Coudron
1835fc455b services.openssh: add banner
Add the possibility to setup a banner.

Co-authored-by: Silvan Mosberger <github@infinisil.com>
2020-09-06 21:32:20 +02:00
Jörg Thalheim
d9ccdd860c
Merge pull request #96885 from bbigras/sssd-ldap
nixos/tests/sssd-ldap: init
2020-09-06 20:29:36 +01:00
worldofpeace
02590c9620 nixos/qemu-vm: support nix run 2020-09-06 14:57:51 -04:00
Jörg Thalheim
60d30e13f7
Update nixos/doc/manual/installation/installing.xml
Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
2020-09-06 19:44:30 +01:00
Jörg Thalheim
a5872edf2f
nixos/installer: enable sshd by default
Right now the UX for installing NixOS on a headless system is very bad.
To enable sshd without physical steps users have to have either physical
access or need to be very knowledge-able to figure out how to modify the
installation image by hand to put an `sshd.service` symlink in the
right directory in /nix/store. This is in particular a problem on ARM
SBCs (single board computer) but also other hardware where network is
the only meaningful way to access the hardware.

This commit enables sshd by default. This does not give anyone access to
the NixOS installer since by default. There is no user with a non-empty
password or key. It makes it easy however to add ssh keys to the
installation image (usb stick, sd-card on arm boards) by simply mounting
it and adding a keys to `/root/.ssh/authorized_keys`.
Importantly this should not require nix/nixos on the machine that
prepare the installation device and even feasiable on non-linux systems
by using ext4 third party drivers.

Potential new threats: Since this enables sshd by default a
potential bug in openssh could lead to remote code execution. Openssh
has a very good track-record over the last 20 years, which makes it
far more likely that Linux itself would have a remote code execution
vulnerability. It is trusted by millions of servers on many operating
systems to be exposed to the internet by default.

Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
2020-09-06 20:26:08 +02:00
davidak
74b3d66baf nixos/config: add defaultPackages option
readd perl (used in shell scripts), rsync (needed for NixOps) and strace (common debugging tool)

they where previously removed in https://github.com/NixOS/nixpkgs/pull/91213

Co-authored-by: Timo Kaufmann <timokau@zoho.com>
Co-authored-by: 8573 <8573@users.noreply.github.com>
2020-09-06 18:58:20 +02:00
Dominique Martinet
fd196452f0 systemd-confinement: handle ExecStarts etc being lists
systemd-confinement's automatic package extraction does not work correctly
if ExecStarts ExecReload etc are lists.

Add an extra flatten to make things smooth.

Fixes #96840.
2020-09-06 18:55:10 +02:00
Florian Klink
d7046947e5
Merge pull request #91121 from m1cr0man/master
Restructure acme module
2020-09-06 18:26:22 +02:00
Frederik Rietdijk
d362c0e54e Merge master into staging-next 2020-09-06 18:14:23 +02:00
elseym
aaf0002f68
prometheus-unifi-poller-exporter: init module 2020-09-06 17:48:19 +02:00
elseym
8c49e5a78c
tests/prometheus-exporters: allow overriding test-node-name
allows the prometheus-exporters test abstraction to work with e.g. hyphenated exporter-names
2020-09-06 17:48:00 +02:00
elseym
b381aacbba
nixos/unifi-poller: init unifi-poller service 2020-09-06 17:47:52 +02:00
Peter Hoeg
6e22c6ea6a
Merge pull request #96769 from peterhoeg/m/phpfpm
nixos/phpfpm: always restart service on failure
2020-09-06 21:41:38 +08:00
Florian Klink
569fdb2c35
Merge pull request #93424 from helsinki-systems/feat/gitlab-mailroom
nixos/gitlab: Support incoming mail
2020-09-06 15:34:02 +02:00
Julien Moutinho
fb6d63f3fd apparmor: fix and improve the service 2020-09-06 07:43:03 +02:00
Peter Hoeg
5483b1e216
Merge pull request #97123 from peterhoeg/m/fscache
nixos/cachefilesd: don't set up manually
2020-09-06 10:23:32 +08:00
Jan Tojnar
f0cb5c6a15
Revert "nixos/fontconfig: fix 50-user.conf handling"
This reverts commit 8425726f86.

This should have been reverted in https://github.com/NixOS/nixpkgs/pull/95358
but I forgot about it.
2020-09-06 02:56:31 +02:00
Lucas Savva
34b5c5c1a4
nixos/acme: More features and fixes
- Allow for key reuse when domains are the only thing that
  were changed.
- Fixed systemd service failure when preliminarySelfsigned
  was set to false
2020-09-06 01:28:19 +01:00
Evan Stoll
854a229ae5
nixos/terraria: allow dataDir to be configured (#89033)
* nixos/terraria: allow dataDir to be configured

add dataDir option to terraria module

* Update nixos/modules/services/games/terraria.nix

Co-authored-by: WORLDofPEACE <worldofpeace@protonmail.ch>

Co-authored-by: WORLDofPEACE <worldofpeace@protonmail.ch>
2020-09-05 16:37:52 -04:00
Lassulus
964606d40f
Merge pull request #96659 from doronbehar/module/syncthing
nixos/syncthing: add ignoreDelete folder option
2020-09-05 22:05:04 +02:00
WORLDofPEACE
d0972c9637
Merge pull request #95194 from ju1m/nixos-install
nixos-install: add support for flakes
2020-09-05 15:31:14 -04:00
Even Brenden
660882d883 nixos/displayManager: add XDG_SESSION_ID to systemd user environment
xss-lock needs XDG_SESSION_ID to respond to loginctl lock-session(s)
(and possibly other session operations such as idle hint management).
This change adds XDG_SESSION_ID to the list of imported environment
variables when starting systemctl.

Inspired by home-manager, add importVariables configuration.

Set session to XDG_SESSION_ID when running xss-lock as a service.

Co-authored-by: misuzu <bakalolka@gmail.com>
2020-09-05 20:36:18 +02:00
Vladimír Čunát
6eea644749
nixos/tests/installer swraid: increase partition size
We apparently didn't fit anymore.  I don't think this test is meant
to (also) check closure size.

Note: as of this commit, the test is blocked by a fontconfig problem,
so I tested with that merge temporarily reverted.
2020-09-05 19:29:38 +02:00
Florian Klink
98d6b55fdc nixos/testing: remove remaining coverage-data logic
This isn't used anymore as per
https://github.com/NixOS/nixpkgs/pull/72354#discussion_r451031449.
2020-09-05 16:07:59 +02:00
Oleksii Filonenko
06d2d84519
nixosTests.caddy: update to v2
- Update configuration syntax
- Add filalex77 as a maintainer
2020-09-05 14:09:17 +02:00
Oleksii Filonenko
d71cadacd9
nixos/caddy: use v2 by default 2020-09-05 14:09:17 +02:00
Oleksii Filonenko
8cc592abfa
nixos/caddy: add support for v2 2020-09-05 14:09:16 +02:00
lewo
d65002aff5
Merge pull request #93314 from tnias/nixos_opendkim_20200717
nixos/opendkim: systemd sandbox
2020-09-05 08:46:19 +02:00
Lucas Savva
f57824c915
nixos/acme: Update docs, use assert more effectively 2020-09-05 01:06:29 +01:00
Julien Moutinho
539ae5c932 Revert "apparmor: add apparmor_parser config file"
This reverts commit 2259fbdf4b.
2020-09-05 01:46:12 +02:00
Jan Tojnar
4f0f26771e
Merge pull request #95358 from jtojnar/global-fontconfig 2020-09-05 00:19:38 +02:00
Lucas Savva
67a5d660cb
nixos/acme: Run postRun script as root 2020-09-04 19:34:10 +01:00
Frederik Rietdijk
af81d39b87 Merge staging-next into staging 2020-09-04 20:03:30 +02:00
Jan Tojnar
951efe41e1 fixup! nixos/doc/releases: update the docs as promised 2020-09-04 10:59:06 -07:00
worldofpeace
f2e98e8b36 fixup! nixos/doc/releases: update the docs as promised 2020-09-04 10:59:06 -07:00
worldofpeace
d9c33b2ea4 nixos/doc/releases: update the docs as promised
This goes through a recent example of 19.09 (because the workflow
should be everchanging, so our example needs to be recent).
Lots of changes, just read idk.
2020-09-04 10:59:06 -07:00
Florian Klink
176d5e090a
Merge pull request #97008 from andersk/cryptception-1
cryptsetup, lvm2, systemd: Break cyclic dependency at a different point
2020-09-04 19:12:53 +02:00
Jan Tojnar
7ecabdc22b
Merge pull request #96992 from jtojnar/fc-dtd-urn
treewide: use URN for fontconfig DTD
2020-09-04 17:12:29 +02:00
Peter Hoeg
6ef2152b5d nixos/cachefilesd: don't set up manually
Use our available infrastructure instead of manually handling setup.
2020-09-04 16:11:55 +08:00
Bruno Bigras
64ce52713c nixos/tests/sssd-ldap: init 2020-09-04 01:51:42 -04:00
Julien Moutinho
b03c506178 nixos-install: add support for flakes 2020-09-04 06:56:09 +02:00
Julien Moutinho
c6a3a0f4f5 nixos-rebuild: do not depend on nix.conf to activate flakes 2020-09-04 06:56:09 +02:00
Utku Demir
ae82f81bfa
dockerTools.streamLayeredImage: Store the customisation layer as a tarball
This fixes as issue described here[1], where permissions set by 'extraCommands'
were ignored by Nix.

[1] https://github.com/NixOS/nixpkgs/pull/91084#issuecomment-669834938
2020-09-04 16:53:23 +12:00
Lucas Savva
1b6cfd9796
nixos/acme: Fix race condition, dont be smart with keys
Attempting to reuse keys on a basis different to the cert (AKA,
storing the key in a directory with a hashed name different to
the cert it is associated with) was ineffective since when
"lego run" is used it will ALWAYS generate a new key. This causes
issues when you revert changes since your "reused" key will not
be the one associated with the old cert. As such, I tore out the
whole keyDir implementation.

As for the race condition, checking the mtime of the cert file
was not sufficient to detect changes. In testing, selfsigned
and full certs could be generated/installed within 1 second of
each other. cmp is now used instead.

Also, I removed the nginx/httpd reload waiters in favour of
simple retry logic for the curl-based tests
2020-09-04 01:09:43 +01:00
Anders Kaseorg
f4b2c9dfe7 cryptsetup, lvm2, systemd: Break cyclic dependency at a different point
The cyclic dependency of systemd → cryptsetup → lvm2 → udev=systemd
needs to be broken somewhere.  The previous strategy of building
cryptsetup with an lvm2 built without udev (#66856) caused the
installer.luksroot test to fail.  Instead, build lvm2 with a udev built
without cryptsetup.

Fixes #96479.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2020-09-03 12:35:56 -07:00
Janne Heß
8cf4ec8b97
nixos/systemd: Don't use apply for $PATH
When not using apply, other modules can use $PATH as a list instead of
getting a colon-separated list to each /bin directory.
2020-09-03 20:27:55 +02:00
Philipp Bartsch
c46dd4e221 nixos/doc: add opendkim changes to release notes 2020-09-03 18:03:28 +02:00
Philipp Bartsch
47928442a8 nixos/opendkim: add keyPath to ReadWritePaths 2020-09-03 17:54:16 +02:00
Philipp Bartsch
118f341723 nixos/opendkim: add systemd service sandbox 2020-09-03 17:54:15 +02:00
Daniël de Kok
7b73713a98 programs.zsh: remove unnecessary with 2020-09-03 08:42:24 +02:00
Jörg Thalheim
02a2649220
Merge pull request #89748 from heinic/krb5-lists 2020-09-03 07:31:22 +01:00
Jan Tojnar
6dd3b54ccc
treewide: use URN for fontconfig DTD
To match upstream change:

9c46ef4aac
2020-09-03 06:39:00 +02:00
WORLDofPEACE
8739e4235e
Merge pull request #96925 from jtojnar/gpaste-session-path
nixos/gpaste: return sessionPath
2020-09-02 15:43:53 -04:00
Lucas Savva
61dbf4bf89
nixos/acme: Add proper nginx/httpd config reload checks
Testing of certs failed randomly when the web server was still
returning old certs even after the reload was "complete". This was
because the reload commands send process signals and do not wait
for the worker processes to restart. This commit adds log watchers
which wait for the worker processes to be restarted.
2020-09-02 19:25:30 +01:00
Lucas Savva
982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00
Félix Baylac-Jacqué
09c383c17a
Merge pull request #94917 from ju1m/biboumi
nixos/biboumi: init
2020-09-02 17:43:27 +02:00
Serval
4ac99e76bc
nixos/tests/v2ray: init 2020-09-02 22:18:52 +08:00
WORLDofPEACE
31008a8f15
Merge pull request #96937 from jtojnar/drop-strigi
strigi: drop
2020-09-02 08:53:24 -04:00
WORLDofPEACE
18348c7829
Merge pull request #96042 from rnhmjoj/loaOf
treewide: completely remove types.loaOf
2020-09-02 08:45:37 -04:00
Sascha Grunert
27b0c4b151 nixos/containers: add oci-seccomp-bpf-hook
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-09-02 21:53:37 +10:00
Julien Moutinho
f333296776 nixos/biboumi: init 2020-09-02 08:31:53 +02:00
WORLDofPEACE
765d0371a8
Merge pull request #96879 from romildo/rm.deepin.doc
deepin: register removal in release notes, aliases and module list
2020-09-02 02:25:43 -04:00
Orivej Desh
1a68e21d47
nixos/systemd: support adding and overriding tmpfiles.d via environment.etc (#96766)
This allows the user to configure systemd tmpfiles.d via
`environment.etc."tmpfiles.d/X.conf".text = "..."`, which after #93073
causes permission denied (with new X.conf):

```
ln: failed to create symbolic link '/nix/store/...-etc/etc/tmpfiles.d/X.conf': Permission denied
builder for '/nix/store/...-etc.drv' failed with exit code 1
```

or collision between environment.etc and systemd-default-tmpfiles
packages (with existing X.conf, such as tmp.conf):

```
duplicate entry tmpfiles.d/tmp.conf -> /nix/store/...-etc-tmp.conf
mismatched duplicate entry /nix/store/...-systemd-246/example/tmpfiles.d/tmp.conf <-> /nix/store/...-etc-tmp.conf
builder for '/nix/store/...-etc.drv' failed with exit code 1
```

Fixes #96755
2020-09-02 02:54:11 +00:00
John Ericson
1965a241fc
Merge pull request #61019 from volth/gcc.arch-amd
platform.gcc.arch: support for AMD CPUs
2020-09-01 22:31:16 -04:00
Jan Tojnar
77293baff0
strigi: drop
It has not been used by KDE for many years and depends on umaintained libraries we want to drop (Qt4 and Gamin).
2020-09-02 02:05:40 +02:00
José Romildo Malaquias
3b92996c0b nixos/doc: document removal of deepin in the release notes 2020-09-01 19:46:34 -03:00
rnhmjoj
3f8a3246f4
nixos/lib/make-options-doc: remove loaOf subs
Remove the substitution for the <name?> placeholder used by loaOf,
now that the type has been deprecated.
2020-09-02 00:42:51 +02:00
rnhmjoj
bc62423a87
nixos/doc: convert loaOf options refs to attrsOf 2020-09-02 00:42:51 +02:00
rnhmjoj
20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
José Romildo Malaquias
b5c9c03fac nixos/deepin: register as a removed module 2020-09-01 19:42:08 -03:00
Jan Tojnar
3b68a757ff
nixos/gpaste: return sessionPath
GPaste ships keybindings for gnome-control-center. Those depend on GSettings schemas
but there is currently no mechanism for loading schemas other than using global ones
from $XDG_DATA_DIRS. Eventually, I want to add such mechanism but until then,
let's return the impure sessionPath option that was removed in
f63d94eba3
2020-09-01 22:21:09 +02:00
Aaron Andersen
c51e7b7874 nixos/beanstalkd: add openFirewall option 2020-09-01 10:07:28 -04:00
misuzu
0c688868e7 nixosTests.3proxy: fix flakiness 2020-09-01 14:31:52 +03:00
Robert Hensing
c914fffeba
Merge pull request #95894 from alexarice/agda-release-notes
Agda: add release notes
2020-09-01 12:26:14 +02:00
Sascha Grunert
46a0aa4176 nixos/cri-o: unset hooks dir to avoid dir creation on startup
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-09-01 18:04:54 +10:00
Lassulus
a081e99e41
Merge pull request #83780 from hax404/robustirc-bridge
robustirc-bridge: init at 1.8
2020-08-31 18:14:45 +02:00
Frederik Rietdijk
303e0bca3b
Merge pull request #96610 from romildo/rm.deepin
deepin: remove from nixpkgs
2020-08-31 17:58:11 +02:00
Georg Haas
2bd6f0744f
nixos/tests/robustirc-bridge: init 2020-08-31 15:22:50 +02:00
Peter Hoeg
07408cac94 nixos/phpfpm: always restart service on failure 2020-08-31 21:19:54 +08:00
Arian van Putten
882ed6759a
Merge pull request #96149 from JJJollyjim/acme-test-go-15
nixos/acme: fix subjectAltName in test snakeoil certs
2020-08-31 13:54:19 +02:00
WORLDofPEACE
bd5a11f925
Merge pull request #96712 from andersk/disable-macvlan
nixosTests: Disable networking.networkd.macvlan
2020-08-30 21:49:19 -04:00
Anders Kaseorg
a05b9042b8 nixosTests: Disable networking.networkd.macvlan
This test is failing nondeterministically.  Fixes #96709.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2020-08-30 17:43:34 -07:00