Commit Graph

19607 Commits

Author SHA1 Message Date
Maximilian Bosch
752b6a95db
nixos/mautrix-telegram: update defaults
These three defaults must exist in the config now, otherwise
`mautrix-telegram` will refuse to start.
2020-11-29 21:28:07 +01:00
Gabriel Ebner
0155830275 nixos/pipewire: allow overriding the pipewire derivation 2020-11-29 17:43:07 +01:00
Gabriel Ebner
ce28fd3d22 nixos/pipewire: add media-session.d files 2020-11-29 17:43:07 +01:00
Gabriel Ebner
53029a15cc nixos/pipewire: enable sound on alsa support
Otherwise sound.extraConfig has no effect.
2020-11-29 15:08:38 +01:00
Luke Granger-Brown
d29428523e rl-21.03: add PulseAudio 13.0 -> 14.0 upgrade to release notes 2020-11-29 13:27:46 +00:00
Frederik Rietdijk
0d8491cb2b Merge master into staging-next 2020-11-29 13:51:10 +01:00
Sarah Brofeldt
a7a5f7904c
Merge pull request #99173 from johanot/fix-initrd-ssh-commands-test
nixos/initrd-ssh: set more defensive pemissions on sshd test key
2020-11-29 11:27:03 +01:00
StigP
e2968a0442
Merge pull request #102061 from braunse/gogs-0-12-3
gogs: 0.11.91 -> 0.12.3
2020-11-29 10:01:47 +01:00
Ryan Mulligan
cb42d08df2
Merge pull request #62104 from Vizaxo/master
nixos/exwm: allow custom Emacs load script
2020-11-28 18:47:21 -08:00
Martin Weinelt
62ef710b54
Merge pull request #104268 from mvnetbiz/ha-allowpaths
home-assistant: add allowlist_external_dirs to systemd unit ReadWritePaths
2020-11-29 00:25:35 +01:00
Sander van der Burg
336628268f nixos/disnix: reorder startup to take MongoDB and InfluxDB into account, add option to add Disnix profile to the system PATH 2020-11-28 20:15:21 +01:00
Sander van der Burg
5e392940cf nixos/dysnomia: add InfluxDB configuration options, add option to use legacy modules, eliminate import from derivation hack 2020-11-28 20:15:21 +01:00
Silvan Mosberger
cb59ff4aab
Merge pull request #86225 from sorki/proxychains
nixos/proxychains: init
2020-11-28 19:45:32 +01:00
Tim Steinbach
8529788e73
jq: Add test 2020-11-28 13:42:36 -05:00
Tim Steinbach
fe8fa45573
bat: Add test 2020-11-28 13:42:36 -05:00
Tim Steinbach
2d85247086
lsd: Add test 2020-11-28 13:42:36 -05:00
Tim Steinbach
13ebb30910
minecraft-server: Add test 2020-11-28 12:43:17 -05:00
Tim Steinbach
0dc74a15ad
minecraft: Add test 2020-11-28 12:43:17 -05:00
Frederik Rietdijk
9e062723b2 Merge master into staging-next 2020-11-28 08:53:47 +01:00
Sebastien Braun
5c87a6b8ea gogs: 0.11.91 -> 0.12.3 2020-11-28 06:50:52 +01:00
Sandro
a390213f85
Merge pull request #85133 from snicket2100/mosquitto-service-sandboxing
mosquitto: systemd service sandboxing
2020-11-27 18:53:36 +01:00
Frederik Rietdijk
b2a3891e12 Merge master into staging-next 2020-11-27 15:09:19 +01:00
Milan Pässler
81aff9f411 nixos/gitlab: use bindsTo instead of requires for gitaly 2020-11-26 14:12:14 +01:00
Jan Tojnar
e95cc8519b
Merge pull request #104553 from jansol/pipewire
pipewire: 0.3.15 -> 0.3.16
2020-11-26 10:59:17 +01:00
Sarah Brofeldt
2e4d714334 nixos/tests/networking: Alleviate race in scripted test 2020-11-25 20:08:03 +01:00
Tim Steinbach
4196aa9660
awscli: Add test 2020-11-25 13:00:41 -05:00
Luke Granger-Brown
ad62155cb6 nixos/zram: add zramSwap.memoryMax option
This allows capping the total amount of memory that will be used for
zram-swap, in addition to the percentage-based calculation, which is
useful when blanket-applying a configuration to many machines.

This is based off the strategy used by Fedora for their rollout of
zram-swap-by-default in Fedora 33
(https://fedoraproject.org/wiki/Changes/SwapOnZRAM), which caps the
maximum amount of memory used for zram at 4GiB.

In future it might be good to port this to the systemd zram-generator,
instead of using this separate infrastructure.
2020-11-25 13:43:38 +00:00
Frederik Rietdijk
5790bb073f nixos auto-upgrade: remove flag when flake
The `--no-build-output` flag that is added by default is only valid
for the old cli, which is not used when flakes are used.

Follow-up to c9daa81eff.
2020-11-25 08:34:04 +01:00
Florian Klink
5b3a952e04
Merge pull request #102938 from cruegge/dev-symlinks
nixos/stage-1: create /dev/std{in,out,err} symlinks
2020-11-25 01:57:21 +01:00
Stijn DW
3d3bcc5cc9 nixos/factorio: Don't open firewall ports by default 2020-11-24 23:14:57 +01:00
Stijn DW
d93434458b nixos/factorio: add openFirewall option 2020-11-24 23:14:57 +01:00
Graham Christensen
d9c3f13df3
Merge pull request #104776 from grahamc/utillinux
utillinux: rename to util-linux
2020-11-24 15:14:36 -05:00
Graham Christensen
bc49a0815a
utillinux: rename to util-linux 2020-11-24 12:42:06 -05:00
adisbladis
302df2a9a1
Merge pull request #81661 from adisbladis/ssh-pam-sudo-keys
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
2020-11-24 16:06:47 +01:00
Artturin
4db239272c mullvad-vpn: add iproute2 2020-11-24 06:12:32 -08:00
Ryan Mulligan
91f1d7e405
Merge pull request #104734 from ju1m/fix-udev
nixos/network-interfaces: fix typo in udev rule syntax
2020-11-24 05:44:52 -08:00
Peter Simons
58f29d3ca8
Merge pull request #104721 from vkleen/postfix-smtp-fix
nixos.postfix: make postfix.enableSmtp work again
2020-11-24 08:58:35 +01:00
Jan Tojnar
6d99109b12
Merge branch 'staging-next' into staging 2020-11-24 05:44:44 +01:00
Julien Moutinho
2263fa5698 nixos/network-interfaces: fix typo in udev rule syntax 2020-11-24 04:21:44 +01:00
adisbladis
ba1fa0c604
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
If a system administrator has explicitly configured key locations this
should be taken into account by `sudo`.
2020-11-24 02:47:07 +01:00
Viktor Kleen
6216c843ed
nixos/postfix: make postfix.enableSmtp work again
This fixes issue #104715.
2020-11-23 23:46:06 +00:00
rnhmjoj
8f177612b1
nixos/wireless: fix failure with no interfaces
This resolves issue #101963.

When the service is started and no interface is ready yet, wpa_supplicant
is being exec'd with no `-i` flags, thus failing. Once the interfaces
are ready, the udev rule would fire but wouldn't restart the unit because
it wasn't currently running (see systemctl(1) try-restart).

The solution is to exit (with a clear error message) but always restart
wpa_supplicant when the interfaces are modified.
2020-11-24 00:18:18 +01:00
Florian Klink
bbf3c9483b
Merge pull request #104520 from Izorkin/wsdd
wsdd: init at 0.6.2
2020-11-23 23:18:23 +01:00
Frederik Rietdijk
587538d087 Merge staging-next into staging 2020-11-23 18:10:33 +01:00
Izorkin
0aa34a03d0
nixos/tests/samba-wsdd: add check WSD Discovery 2020-11-23 17:13:22 +03:00
Izorkin
03760ab82e
nixos/samba-wsdd: init service samba-wsdd 2020-11-23 13:26:00 +03:00
Jan Solanti
aca97840da pipewire: 0.3.15 -> 0.3.16
This release replaces the libpulseaudio shim with a pipewire module that acts as a fake pulseaudio server along with a systemd service that loads that module on demand.
2020-11-23 10:40:35 +02:00
Scott Worley
e0d27cfb31 nixos/locate: Whitespace: One pruneFS default per line
This makes merging less painful.

This is nixfmt's preferred format.
2020-11-22 21:53:08 -08:00
zowoq
dbbd289982 nixos/*: fix indentation 2020-11-23 08:42:51 +10:00
zowoq
bbcbaeb54d nixos/tests/fctix: remove trailing whitespace 2020-11-23 08:42:51 +10:00
Florian Klink
c76891314d
Merge pull request #104094 from flokli/systemd-unified-cgroup-hierarchy
systemd: switch to unified cgroup hierarchy by default
2020-11-22 22:35:42 +01:00
Graham Christensen
1ee1134cb1
Merge pull request #104456 from endgame/refresh-instance-metadata-on-boot
Refresh instance metadata on boot
2020-11-22 08:23:14 -05:00
Tristan Helmich
3049064aa5 nixos/release-notes: Warn on wpa_supplicant changes 2020-11-22 11:43:43 +00:00
Florian Klink
904f124247
Merge pull request #99116 from jslight90/gitlab-13.4.0
GitLab 13.0.14 -> 13.6.0
2020-11-22 12:00:03 +01:00
Jack Kelly
6fd871dec4 rl-21.03: describe EC2 instance user/meta data reloading 2020-11-22 12:22:46 +10:00
Jack Kelly
43bfd7e5b1 {ec2,openstack}-metadata-fetcher: unconditionally fetch metadata
The metadata fetcher scripts run each time an instance starts, and it
is not safe to assume that responses from the instance metadata
service (IMDS) will be as they were on first boot.

Example: an EC2 instance can have its user data changed while
the instance is stopped. When the instance is restarted, we want to
see the new user data applied.
2020-11-22 11:04:46 +10:00
Jack Kelly
8c39655de3 {ec2,openstack}-metadata-fetcher: introduce wget_imds function 2020-11-22 11:04:46 +10:00
Jack Kelly
f8c3027812 openstack-metadata-fetcher: stop lying in log message 2020-11-22 11:04:46 +10:00
Jörg Thalheim
258903e725
Merge pull request #94610 from kwohlfahrt/openldap 2020-11-21 23:09:40 +01:00
Aaron Andersen
30c2069a9c
Merge pull request #78168 from active-group/subversion-apache-config-docs
nixos/doc: Rudimentary documentation for Subversion-inside-Apache HTTP.
2020-11-21 15:17:45 -05:00
Kai Wohlfahrt
c96f18feee nixos/openldap: migrate sssd-ldap to new settings 2020-11-21 16:13:03 +00:00
Kai Wohlfahrt
db5bb4e26b nixos/openldap: Fix sssd-ldap test
Use this as a test of the migration warnings/functionality.
2020-11-21 16:13:03 +00:00
Kai Wohlfahrt
fefc26f844 nixos/openldap: use mkRenamedOptionModule
This offers less helpful warnings, but makes the implementation
considerably more straightforward.
2020-11-21 16:13:03 +00:00
Kai Wohlfahrt
ce1acd97a7 nixos/openldap: fix path + base64 value types 2020-11-21 16:13:03 +00:00
Kai Wohlfahrt
b2ebffe186 nixos/openldap: Fix indentation 2020-11-21 16:13:03 +00:00
Kai Wohlfahrt
3f892c2174 nixos/openldap: Remove extraConfig options
Instead of deprecating, as per PR feedback
2020-11-21 16:13:03 +00:00
Kai Wohlfahrt
2050376cae nixos/openldap: Mention schemas in migration hint 2020-11-21 15:45:16 +00:00
Kai Wohlfahrt
5fafbee87a nixos/openldap: Add release-notes for OLC config 2020-11-21 15:45:15 +00:00
Kai Wohlfahrt
adda7e62d0 nixos/openldap: Add support for base64 values 2020-11-21 15:39:20 +00:00
Kai Wohlfahrt
d05061c5cd nixos/openldap: Pick some PR nits 2020-11-21 15:39:20 +00:00
Kai Wohlfahrt
9528faf182 nixos/openldap: Allow declarativeContents for multiple databases 2020-11-21 15:39:19 +00:00
Kai Wohlfahrt
057cb570be nixos/openldap: Add delcarativeConfig by suffix
Adding by index could be an issue if the user wanted the data to be
added to a DB other than the first.
2020-11-21 15:39:19 +00:00
Kai Wohlfahrt
1fde3c3561 nixos/openldap: switch to slapd.d configuration
The old slapd.conf is deprecated. Replace with slapd.d, and use this
opportunity to write some structured settings.

Incidentally, this fixes the fact that openldap is reported up before
any checks have completed, by using forking mode.
2020-11-21 15:39:19 +00:00
Joachim F
547d660f64
Merge pull request #104052 from TredwellGit/nixos/malloc
nixos/malloc: fix Scudo
2020-11-21 14:31:58 +00:00
Frederik Rietdijk
f36b838e2a nixos test-driver: fix single line docstrings, fixes #104467
Single line docstrings should have the """ on a single line according to PEP 8.
It seems support for this landed in the latest version of Black.
2020-11-21 09:51:31 +01:00
Frederik Rietdijk
1ffd7cf0d6 Merge master into staging-next 2020-11-21 08:43:10 +01:00
Milan Pässler
d6e0d38b84 nixos/tests/gitlab: add 32 byte secrets 2020-11-21 01:39:08 +01:00
Milan Pässler
0f82bd767b nixos/gitlab: start gitaly after gitlab 2020-11-21 01:38:11 +01:00
Guillaume Girol
01083f116d
Merge pull request #102235 from symphorien/paperwork2
Paperwork 2.0
2020-11-20 21:30:08 +00:00
Jeff Slight
f98a6322e6 nixos/gitlab: add changes for gitlab 13.4.x 2020-11-20 19:26:30 +01:00
Graham Christensen
75d7828724
Merge pull request #98544 from Mic92/unfuck-update-user-group
nixos/update-user-groups: Fix encoding issues + atomic writes
2020-11-20 10:28:52 -05:00
Florian Klink
90d5bdb12f nixosTests.podman: run default backends, don't run runc rootless
The runc backend doesn't work with unified cgroup hierarchy, and it
failing is a known issue.

However, the default backends should work in both rootless and as-root
scenarios, so make sure we test these.
2020-11-20 16:23:35 +01:00
adisbladis
da3516f694
Merge pull request #104374 from adisbladis/dockertools-cross-aarch64
dockerTools: Always cross compile for another arch in the cross example
2020-11-20 14:57:26 +01:00
Eelco Dolstra
80097e57c9
nix: 2.3.8 -> 2.3.9 2020-11-20 13:03:04 +01:00
adisbladis
b7b22c5814
dockerTools: Always cross compile for another arch in the cross example
The example fails to build on aarch64, so lets cross build for gnu64.
2020-11-20 12:57:58 +01:00
Frederik Rietdijk
553b7a8bf0 Merge master into staging-next 2020-11-20 08:12:06 +01:00
Jan Tojnar
f6105d21e3
Merge branch 'master' into staging-next 2020-11-20 01:38:32 +01:00
Graham Christensen
b339462460
nixos: release-combined: only build the amazon image for x86_64,aarch64-linux -- exclude i686 2020-11-19 19:34:23 -05:00
Graham Christensen
1115df837e
Merge pull request #104322 from grahamc/amazon-image
nixos/release-small: add amazonImage
2020-11-19 18:45:07 -05:00
Graham Christensen
1ef139f3b0
nixos/release-small: add amazonImage
fixup breakage from #104193
2020-11-19 17:45:40 -05:00
Graham Christensen
7fa7bf2fda
Merge pull request #104193 from grahamc/ec2-metadata-imdsv2
NixOS EC2 AMI: Support IMDSv2
2020-11-19 16:11:32 -05:00
Robert Hensing
c68e739300
Merge pull request #104271 from adisbladis/dockertools-cross
dockerTools.buildLayeredImage: Fix cross compilation
2020-11-19 20:41:53 +01:00
Frederik Rietdijk
ea7b8978ef Merge master into staging-next 2020-11-19 20:08:15 +01:00
Graham Christensen
0d87ce610e
nixos: release: add amazonImage as a channel blocker 2020-11-19 13:56:55 -05:00
Graham Christensen
f2cfecdec3
nixos ami: preflight the imds token
According to Freenode's ##AWS, the metadata server can sometimes
take a few moments to get its shoes on, and the very first boot
of a machine can see failed requests for a few moments.
2020-11-19 13:56:44 -05:00
Graham Christensen
83ea88e03f
nixos: ec2 ami: support IMDSv2
AWS's metadata service has two versions. Version 1 allowed plain HTTP
requests to get metadata. However, this was frequently abused when a
user could trick an AWS-hosted server in to proxying requests to the
metadata service. Since the metadata service is frequently used to
generate AWS access keys, this is pretty gnarly. Version two is
identical except it requires the caller to request a token and provide
it on each request.

Today, starting a NixOS AMI in EC2 where the metadata service is
configured to only allow v2 requests fails: the user's SSH key is not
placed, and configuration provided by the user-data is not applied.
The server is useless. This patch addresses that.

Note the dependency on curl is not a joyful one, and it expand the
initrd by 30M. However, see the added comment for more information
about why this is needed. Note the idea of using `echo` and `nc` are
laughable. Don't do that.
2020-11-19 13:00:56 -05:00
adisbladis
11367b2db1
dockerTools: Add cross compilation test 2020-11-19 18:13:22 +01:00
Florian Klink
f6832971f5 nixosTests.systemd: increase accounting coverage
For now, testing IO Accounting is skipped, as it seems to be either
broken, or hard to reproduce in a VM.
2020-11-19 16:56:46 +01:00
Florian Klink
5d45f269aa nixos/k3s: disable unifiedCgroupHierarchy
This gets automatically disabled by docker if the docker backend is
used, but the bundled containerd also doesn't seem to support cgroupsv2,
so disable it explicitly here, too.
2020-11-19 16:56:46 +01:00
Florian Klink
d22b3ed4bc systemd: switch to unified cgroup hierarchy by default
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.

Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.

Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.

Fixes #73800
2020-11-19 16:56:46 +01:00
Jörg Thalheim
2bf5899d6a
Merge pull request #104105 from spacefrogg/openafs-1.9 2020-11-19 14:42:17 +01:00
Matt Votava
746efadcce home-assistant: add allowlist_external_dirs to systemd unit ReadWritePaths 2020-11-19 04:29:03 -08:00
Robert Hensing
c790ed8c4e
Merge pull request #96371 from asdf8dfafjk/fcitx_commit
fcitx: Add test (Unicode input, table input, m17n)
2020-11-19 11:05:36 +01:00
Silvan Mosberger
3307adf755
Merge pull request #98980 from JustinLovinger/idmapd
nixos/nfs: add idmapd.settings option
2020-11-18 22:46:48 +01:00
Jörg Thalheim
58bf9ed18b
nixos/telegraf: fix test 2020-11-18 21:42:01 +01:00
Jörg Thalheim
0f84e08fcd
nixos/telegraf: make example a bit more compact 2020-11-18 21:41:58 +01:00
Jörg Thalheim
69caedcc42
nixos/telegraf: null value for environmentFiles is invalid
it's also not needed given that empty list covers all use cases.
2020-11-18 21:41:55 +01:00
Andreas Rammhold
6f7d8e5528
nixos/sane: bump the MaxConnections to a reasonable amount
Whenever I try to scan from another computer it has to establish >2
connections in order to succeed. With the connections being limited to 1
I can not scan any document.

This is also what other distributions ([Debian], [ArchLinux], …) have
done in one way or another.

[Debian]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850649#5
[ArchLinux]: no limit: 99cba454bb/trunk/saned.socket (L4)
2020-11-18 20:25:44 +01:00
Graham Christensen
21339b41bf
nixos: openstack: have its own metadata fetcher expression
These two APIs have diverged over time and are no longer compatible.
2020-11-18 11:42:32 -05:00
Frederik Rietdijk
da12fc6838 Merge staging-next into staging 2020-11-18 15:36:56 +01:00
Emery Hemingway
7e25b71132 nixos: use nativeBuildInputs in make- iso9660-image and system-tarball
The tools used to create iso9660 images and tarballs are independent of
the platform of the closure contained within.
2020-11-18 14:05:30 +01:00
Janne Heß
e5e9887e38
nixos/dbus: Add AppArmor support 2020-11-18 10:10:36 +01:00
Michael Raitza
1f323ec2b4 openafs: remove 1.6; point to openafs_1_8 2020-11-17 21:31:59 +01:00
Vladimír Čunát
bdcd2d82ee
Merge #103633: kresd service: switch .listenDoH
... to new implementation - and a couple other improvements.
2020-11-17 20:06:55 +01:00
Vladimír Čunát
e61ef63e4e
kresd service: switch .listenDoH to new implementation
Beware: extraFeatures are not needed *for this* anymore,
but their removal may still cause a regression in some configs
(example: prefill module).
2020-11-17 20:04:56 +01:00
Tim Steinbach
08e6c4d001
Merge pull request #104018 from NeQuissimus/xterm_update
xterm: 353 -> 362, add test, add update script
2020-11-17 12:15:19 -05:00
Tim Steinbach
0984125676
Merge pull request #103988 from NeQuissimus/nano_update
nano: Update script, test
2020-11-17 12:14:51 -05:00
TredwellGit
fc6948cd47 nixos/malloc: fix Scudo
Fixes segmentation faults.
https://github.com/NixOS/nixpkgs/issues/100799
2020-11-17 09:11:31 -05:00
Oleksii Filonenko
512c3c0a05 maintainers: rename filalex77 -> Br1ght0ne 2020-11-17 13:09:31 +02:00
Tim Steinbach
61e56265c2
xterm: Add test 2020-11-16 22:13:13 -05:00
Tim Steinbach
0338f728c0
nano: Add test 2020-11-16 14:00:34 -05:00
Jörg Thalheim
e54cd0ef25
Merge pull request #103876 from Mic92/lvm-generator-fix
nixos/lvm2-activation-generator: fix warnings on activation
2020-11-16 18:37:36 +01:00
Florian Klink
462c5b26c5
Merge pull request #103966 from flokli/kernel-enable-ipv6
kernel config: explicitly enable CONFIG_IPV6
2020-11-16 16:32:50 +01:00
Frederik Rietdijk
36b27ccf77
Merge pull request #103462 from NixOS/staging-next
Staging next
2020-11-16 15:23:47 +01:00
Maximilian Bosch
9fc484c373
Merge pull request #103717 from WilliButz/codimd/add-package-option
nixos/codimd: add package option, refactor prettyJSON
2020-11-16 13:46:17 +01:00
Florian Klink
13be37662d kernel config: explicitly enable CONFIG_IPV6
We currently build CONFIG_IPV6=m.

This seems to be not really well-supported in mainline kernels - see
https://lore.kernel.org/netdev/20201115224509.2020651-1-flokli@flokli.de/T/#u

Compiling it as a module doesn't give too much benefit - even for people
who did explicitly set `enableIPv6` to false, the `ipv6` module was
still loaded, as soon as another module was loaded that requires it
(bridge,br_netfilter,wireguard,ip6table_mangle,sctp,…).

By compiling it in, we only loose the possibility to not add it to
`boot.kernelModules` anymore (as it's part of the kernel directly). The
space savings are negligible.

People wanting to disable IPv6 still get the appropriate sysctls and
options set (while having the kernel code loaded), nothing is really
changing here.
2020-11-16 13:07:49 +01:00
Andreas Rammhold
ad37c2c445
Merge pull request #102916 from andir/nixos-help
nixos-help: fixup .desktop file & smaller refactoring
2020-11-16 12:17:28 +01:00
Frederik Rietdijk
986c2d36da Merge master into staging-next 2020-11-16 09:01:53 +01:00
Symphorien Gibol
3c9707d4a3 nixos: add release notes for the paperwork update. 2020-11-15 15:46:53 +01:00
Jörg Thalheim
8ac3a1503a
nixos/lvm2-activation-generator: fix warnings on activation 2020-11-15 08:06:05 +01:00
Cole Helbling
19c0927d30
nixos/doas: add noLog option 2020-11-14 19:16:56 -08:00
Jörg Thalheim
e2289a5f18
Merge pull request #98025 from Mic92/telegraf 2020-11-14 17:02:53 +01:00
Jörg Thalheim
7534d92648
nixos/telegraf: allow multiple env files 2020-11-14 16:33:50 +01:00
Jörg Thalheim
8edc4619ab
nixos/telegraf: switch to setting types
This allows to split up configuration into multiple modules
2020-11-14 16:33:46 +01:00
Jörg Thalheim
157d7354d6
nixos/telegraf: add environmentFile option 2020-11-14 16:33:42 +01:00
Jörg Thalheim
9750813b89
nixos/telegraf: add support for native ping 2020-11-14 16:33:39 +01:00
Mike Sperber
aaad9fd0da nixos/doc: Rudimentary documentation for Subversion-inside-Apache HTTP.
Content thanks to: Aaron Andersen
2020-11-14 15:05:46 +01:00
Symphorien Gibol
6fa1646268 nixos/firejail: allow to pass options to firejail 2020-11-14 12:00:00 +00:00
Frederik Rietdijk
463f738cc6 Merge master into staging-next 2020-11-13 20:58:35 +01:00
WilliButz
74d354a397
nixos/codimd: add package option, refactor prettyJSON
This adds a `package` option to allow for easier overriding of the used
CodiMD version and `runCommandLocal` with `nativeBuildInputs` is now
used to pretty print the configuration.
2020-11-13 16:14:41 +01:00
Doron Behar
8769c817f4
Merge pull request #75615 from FSMaxB/patch-1
Add note about installing NixOS from distributions with /usr/sbin and…
2020-11-13 10:50:32 +02:00
Max Bruckner
be0555b8a8 nixos/doc: Add note about /usr/sbin and /sbin
An installation from Debian buster may fail without adding /usr/sbin to
$PATH because chroot is not in the PATH of a non-root user.
2020-11-13 10:30:20 +02:00
Maximilian Bosch
fca0aad258
Merge pull request #103500 from chkno/nixos-YY.MM-not-in-nixpkgs-channels
doc: 20.09 release notes: nixos-YY.MM branches no longer in nixos-channels repo
2020-11-12 23:27:27 +01:00
Martin Weinelt
9309563332
postfix: add passthru tests 2020-11-12 20:00:50 +01:00
Martin Weinelt
1b5a1c697d nixos/tests/postfix: migrate test to use tlsTrustedAuthorities
Fixes: 632104e ("postfix: deprecated `sslCACert` in favour of
`tlsTrustedAuthorities`")
2020-11-12 19:38:27 +01:00
Elis Hirwing
2789f47b97
Merge pull request #103531 from gnidorah/acpilight
nixos/acpilight: add to packages
2020-11-12 07:02:39 +01:00
zowoq
31051812bc nixos/doc/*: fix indentation 2020-11-12 14:24:00 +10:00
gnidorah
ec26da1fc6 nixos/acpilight: add to packages 2020-11-12 05:22:18 +03:00
Kevin Cox
66c98ec550
Merge pull request #95751 from srhb/forceImportAll
nixos/zfs: Fix boot.zfs.forceImportAll
2020-11-11 20:32:42 -05:00
Maximilian Bosch
c9e96d90de
Merge pull request #103499 from chkno/fix-doc-build
doc: Fix doc-building instructions
2020-11-11 23:42:35 +01:00
Scott Worley
f72a3142f0 doc: 20.09 release notes: nixos-YY.MM branches no longer in nixos-channels repo
Since 7c442a2f67
for https://github.com/NixOS/nixpkgs/issues/99257
2020-11-11 11:29:39 -08:00
Scott Worley
88b7340a79 doc: Fix doc-building instructions 2020-11-11 11:22:29 -08:00
Gabriel Ebner
753656bbbc
Merge pull request #103225 from gebner/hsphfpd
pulseaudio: add hsphfpd support
2020-11-11 19:56:35 +01:00
Sarah Brofeldt
e0d51db401 nixos: boot.zfsImportAll = false; by default
Also add 21.03 release note
2020-11-11 18:46:05 +01:00
Sarah Brofeldt
a4010e0580 nixos/zfs: Respect forceImportAll in import service 2020-11-11 18:45:14 +01:00
Sarah Brofeldt
ffe4dbf32f nixos/tests/zfs: Test boot.zfs.forceImportAll 2020-11-11 18:45:14 +01:00
Frederik Rietdijk
4076ffe580 Merge staging-next into staging 2020-11-11 16:00:34 +01:00
Tim Steinbach
b9c505b7bf
sbt-extras: Add test 2020-11-11 09:32:06 -05:00
Kevin Cox
dce7cc111a
Merge pull request #96912 from atlaua/aranea/qemu-vm-kernel-config
nixos/qemu-vm: Fix and update system.requiredKernelConfig entries
2020-11-11 07:29:14 -05:00
Kevin Cox
5dee9b5699
Merge pull request #96679 from midchildan/add-mackerel
mackerel-agent: init at 0.69.3
2020-11-11 06:59:22 -05:00
Daniël de Kok
3497b757d3
Merge pull request #102472 from helsinki-systems/feat/vim-python3
vim: Get rid of Python 2 dependency
2020-11-11 11:52:02 +01:00
Maximilian Bosch
a805b2ea32
Merge pull request #103182 from pacien/ssmtp-assert-usestarttls-usetls
nixos/ssmtp: add assertion for useSTARTTLS dependency on useTLS
2020-11-11 10:51:00 +01:00
Aaron Andersen
e419de361d
Merge pull request #102376 from felschr/feat/cfdyndns-password-file
nixos/cfdyndns: add apikeyFile option
2020-11-10 18:08:25 -05:00
Edmund Wu
4d0ad2783d nixos/*: hsphfpd support 2020-11-10 20:53:13 +01:00
ajs124
fd950b9fc7
Merge pull request #103196 from helsinki-systems/fix/plasma5-noaliases
nixos/plasma5: Fix when running without aliases
2020-11-10 16:59:34 +01:00
Felix Tenley
a33290b1a8
nixos/cfdyndns: add apikeyFile option
nixos/cfdyndns: remove apikey option
2020-11-10 14:00:16 +01:00
Jörg Thalheim
31a0b5dff6
nixos/promtail: fix access to journal 2020-11-10 10:49:27 +01:00
Jörg Thalheim
4c64fa224e
nixos/loki: mergeable configuration
type.attrs is not mergable
2020-11-10 10:49:25 +01:00
Jörg Thalheim
88d1da8e5d
nixos/promtail: use json type for configuration 2020-11-10 10:49:23 +01:00
Jörg Thalheim
689eb49d42
nixos/loki: add logcli to system path
Admins quite likely want to query loki for debugging purpose.
2020-11-10 10:49:21 +01:00
Frederik Rietdijk
0b2ca377b1 Merge staging-next into staging 2020-11-10 10:13:13 +01:00
Frederik Rietdijk
379aaa1e0c Merge master into staging-next 2020-11-10 10:11:08 +01:00
WORLDofPEACE
fcef646736
Merge pull request #93431 from sorki/audio/pulseJack
nixos/jack,pulseaudio: fix pulse connection to jackd service
2020-11-09 19:40:12 -05:00
Michele Guerini Rocco
e6b8587b25
Merge pull request #101755 from rnhmjoj/activation-type
nixos/activation-script: make scripts well-typed
2020-11-10 00:04:47 +01:00
Jan Tojnar
3a5ba30c13 fwupd: 1.4.6 → 1.5.1
* https://github.com/fwupd/fwupd/releases/tag/1.5.0
* https://github.com/fwupd/fwupd/releases/tag/1.5.1

* The changelog mentions removed dependency on efivar but we still need the package because it also contains efiboot required dependency. https://github.com/fwupd/fwupd/pull/2485
* Blacklist options were renamed.
* Test firmware was moved to a separate repo. We need to install it or some tests will be skipped. https://github.com/fwupd/fwupd/pull/2330
* Initially, there was an option to configure dbx but in the end, it was removed in favour of bespoke dbxtool. https://github.com/fwupd/fwupd/pull/2061, https://github.com/fwupd/fwupd/pull/2318, https://github.com/fwupd/fwupd/pull/2329
* Fwupd now checks hashes of plug-ins and will complain loudly that it is tainted when “invalid” plug-in is loaded (during testing).
* Installed tests complain about not being able to access cdn, even though we are not setting CI_NETWORK env var. We need a patch to fix that.
2020-11-09 22:50:17 +01:00
Edmund Wu
0e4d0d95d0 treewide: generate pulseaudio pulseDir 2020-11-09 19:24:42 +01:00
Timo Kaufmann
b839d4a855
Merge pull request #98938 from raboof/nixos-manual-wayland
nixos.manual: introduce Wayland section
2020-11-09 16:59:12 +01:00
Doron Behar
9db44f61a7 rubyMinimal: remove
Due to being unused, and seemingly unusable, added appropriate release
notes.
2020-11-09 16:17:41 +02:00
Frederik Rietdijk
20f001c01e Merge master into staging-next 2020-11-09 14:33:52 +01:00
Jan Tojnar
8e7fca3a5c
nixos/plymouth: fix eval with aliases disabled
Fallout from https://github.com/NixOS/nixpkgs/pull/101369
2020-11-09 14:00:18 +01:00
Janne Heß
576a928794
vim: Get rid of Python 2 dependency 2020-11-09 13:02:04 +01:00
Maximilian Bosch
e74d6735f0
Merge pull request #103170 from nh2/roundcube-restart-on-config-changes
roundcube service: Restart on config changes
2020-11-09 12:47:22 +01:00
Samuel Gräfenstein
88bf1b3e92 nixos/boot: add final newline to pbkdf2-sha512.c 2020-11-09 11:39:28 +00:00
Janne Heß
59239feacb
nixos/plasma5: Fix when running without aliases 2020-11-09 11:09:06 +01:00
pacien
f7c50a8aa0 nixos/ssmtp: add assertion for useSTARTTLS dependency on useTLS
services.ssmtp.useSTARTTLS has no effect when services.ssmtp.useTLS is disabled.
2020-11-09 04:35:12 +01:00
Marek Mahut
e02f6bfa26
Merge pull request #100418 from pltanton/master
fido2luks: 0.2.3 -> 0.2.15
2020-11-09 00:22:09 +01:00
Niklas Hambüchen
91b20fb1aa roundcube service: Restart on config changes.
Until now, e.g. `extraConfig` changes did not reflect in
the system on `nixos-rebuild switch`.
2020-11-08 22:20:18 +01:00
Daniël de Kok
d43f378b4a
Merge pull request #103101 from matthiasbeyer/update-mutt
mutt: 1.14.7 -> 2.0.0
2020-11-08 18:26:51 +01:00
Niklas Hambüchen
1c460c0a5c
Merge pull request #103147 from nh2/nginx-sandbox-protecthome-release-notes
manual: nginx: Mention ProtectHome in release notes. See #85567
2020-11-08 18:01:03 +01:00
Niklas Hambüchen
2e7b320931 manual: nginx: Remove reference to stateDir from release notes. Fixes #102211.
Fixed wording taken from:
https://github.com/NixOS/nixpkgs/issues/102211#issuecomment-719976230
2020-11-08 17:55:11 +01:00
Daniël de Kok
c65164ec75 nixos/release-notes: Mutt 2.x has some backward incompatible changes 2020-11-08 17:26:54 +01:00
Niklas Hambüchen
2f845dccbf manual: nginx: Mention ProtectHome in release notes. See #85567.
See https://github.com/NixOS/nixpkgs/pull/85567#pullrequestreview-525820684
2020-11-08 17:03:07 +01:00
Ninjatrappeur
5f5d38e88f
Merge pull request #101218 from andir/unbound-systemd 2020-11-08 16:55:29 +01:00
Gabriel Ebner
df88279649
Merge pull request #103004 from lovesegfault/octoprint-marlingcodedocumentation
octoprint: add marlingcodedocumentation
2020-11-08 11:42:08 +01:00
Niklas Hambüchen
169ab0b89f redis service: Listen on localhost by default. Fixes #100192.
All other database servers in NixOS also use this safe-by-default setting.
2020-11-08 01:15:33 +01:00
Julien Moutinho
c48faf07f4 transmission: fix #98904 2020-11-07 16:27:24 +01:00
midchildan
921a66edc4
nixos/mackerel-agent: init 2020-11-07 13:37:33 +09:00
Andika Demas Riyandi
038497d3b3
nar-serve: init at 0.3.0 (#95420)
* nar-serve: init at 0.3.0

* nixos/nar-serve: add new module

Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2020-11-06 18:59:51 +01:00
Jonathan Ringer
0a6a075813
Merge pull request #102979 from AmineChikhaoui/ec2-amis-gpt
ec2-amis: update AMIs to use gpt partition table
2020-11-06 09:14:48 -08:00
Maximilian Bosch
68726901e1
Merge pull request #94673 from justinas/prom-sql-exporter
prometheus-sql-exporter: init at 0.3.0
2020-11-06 17:00:47 +01:00
Maximilian Bosch
428fc4e297
nixos/prometheus-exporters: fix sql test 2020-11-06 16:43:07 +01:00
Justinas Stankevicius
d447c2413c
nixos/prometheus-sql-exporter: new module 2020-11-06 16:35:38 +01:00
Tim Steinbach
caf8d001a9
Merge pull request #102977 from NeQuissimus/hardened_test
linux-hardened: Do not block channel
2020-11-06 08:50:18 -05:00
Frederik Rietdijk
99fb79ae84 Merge master into staging-next 2020-11-06 12:51:56 +01:00
Michele Guerini Rocco
25d15ebffb
Merge pull request #98661 from doronbehar/doc/nixos/systemd-nixos-specific
doc/nixos: Explain better NixOS specific Systemd stuff
2020-11-06 11:52:58 +01:00
Doron Behar
8716b71ea6 doc/nixos: Explain better NixOS specific Systemd stuff
Divide the "Service Management" chapter into two sections. The 1st (the
original) explaining General, not NixOS specific ways to interact with
Systemd. The 2nd section, explaining NixOS specific things worth
knowing.

Explain in the 2nd section a bit NixOS modules and services of Nixpkgs,
and mention `systemd.user.services` option. Give an example
demonstrating how to enable imperatively an upstream provided unit file
for a user. Explain why `systemctl --user enable` doesn't work for the
long term on NixOS.
2020-11-06 11:35:59 +02:00
Bernardo Meurer
7fede29d83
nixos/octoprint: remove references to deprecated/removed m33-fio plugin 2020-11-06 00:39:50 -08:00
Tim Steinbach
0f0af1dbd4
linux-hardened: Do not block channel 2020-11-05 22:11:17 -05:00
AmineChikhaoui
43907de6a7
ec2-amis: update AMIs to use gpt partition table
Use changes made as part of #102182.
2020-11-05 20:58:08 -05:00
Aaron Andersen
33d8766feb
Merge pull request #102202 from danderson/danderson/post-stop
nixos/tailscale: use upstream systemd service config.
2020-11-05 20:22:53 -05:00
Timo Kaufmann
1fd1c2ad88
Merge pull request #96639 from xfix/support-microsoft-usb-keyboards
nixos/availableKernelModules: add microsoft hid
2020-11-05 20:33:49 +01:00
Tim Steinbach
55dbb2f30c
Merge pull request #102928 from NeQuissimus/scala_test
scala: Add tests, update script
2020-11-05 10:26:08 -05:00
Peter Hoeg
13ed0cce2f nixos/systemd-resolved: fix incorrect user 2020-11-05 22:41:39 +08:00
Christoph Ruegge
bcc808c68f Create /dev/std{in,out,err} symlinks in stage-1
This used to be done by udev, but that was removed in
systemd/systemd@6b2229c. The links are created by systemd at the end of
stage-2, but activation scripts might need them earlier.
2020-11-05 15:32:19 +01:00
Tim Steinbach
6834d33b00
scala: Refactor, add tests
Abstract over Scala derivation, add tests for individual versions
2020-11-05 08:32:28 -05:00
Wout Mertens
91d70c1edb
Merge pull request #102273 from rnhmjoj/bluetooth
nixos/bluetooth: disable restart on unit changes
2020-11-05 14:21:13 +01:00
Tim Steinbach
3a6feb7ec7
Merge pull request #102850 from NeQuissimus/oh-my-zsh_update
oh-my-zsh: Update script, test
2020-11-05 07:28:24 -05:00
Andreas Rammhold
9a01e97824
nixos-help: bundle the desktop item with the script
This is to ensure that whenever we install the desktop item we also have
the script installed. Prior to b02719a we always had the reference to
the script in the desktop item. Since desktop items are being copied to
home directories and thus "bit rod" over time that absolute path was
removed.
2020-11-05 11:56:31 +01:00
Andreas Rammhold
3560f0d913
nixos-help: use writeShellScriptBin and drop custom shebang line 2020-11-05 11:47:14 +01:00
Klemens Nanni
b02719a29c nixos-help: Do $PATH lookup in nixos-manual.desktop instead of hardcoding derivation
See db236e588d "steam: Do $PATH lookup in steam.desktop [...]".
tl;dr: Otherwise widget/panel/desktop icons in DEs like KDE break.
2020-11-05 11:45:56 +01:00
Jan Tojnar
a821be7531
Merge branch 'master' into staging-next 2020-11-05 09:42:47 +01:00
Tim Steinbach
9813539969
oh-my-zsh: Add test 2020-11-04 20:37:50 -05:00
Tim Steinbach
18d375cae7
Merge pull request #102817 from NeQuissimus/ammonite_update
ammonite: Add test reference, update script
2020-11-04 18:10:07 -05:00
Tim Steinbach
7e062659e9
ammonite: Add test reference, update script 2020-11-04 12:57:58 -05:00
Tim Steinbach
ac9ba67ec5
Merge pull request #102642 from NeQuissimus/sbt_1_4_2
SBT: Add test, update script, 1.4.0 -> 1.4.2
2020-11-04 12:49:34 -05:00
Tim Steinbach
23be792bad
sbt: Add test 2020-11-04 11:30:36 -05:00
Marek Mahut
6336ac33c9
Merge pull request #102652 from freezeboy/remove-btc1
btc1: remove
2020-11-04 16:11:50 +01:00
freezeboy
dc0f5ed6d2 btc1: remove 2020-11-04 12:26:42 +01:00
Daniel Schaefer
d4905b1370
Merge pull request #99003 from martinetd/stunnel-doc 2020-11-04 17:40:48 +08:00
Victor Nawothnig
27e9328895 Support virtio_scsi devices on nixos-generate-config 2020-11-04 10:00:28 +01:00
Frederik Rietdijk
10c57af49c Merge staging-next into staging 2020-11-04 09:28:07 +01:00
Jörg Thalheim
f2ec450424
Merge pull request #101249 from Izorkin/dhcpd-ipv6
nixos/dhcpcd: if disabled IPv6 don't solicit or accept IPv6
2020-11-04 08:09:08 +01:00
David Anderson
503caab776 nixos/tailscale: use upstream systemd service config.
Signed-off-by: David Anderson <dave@natulte.net>
2020-11-03 19:37:48 -08:00
Fabián Heredia Montiel
acd3d3dd20 nixos/modules/services/network-filesystems/ipfs: refactor
Add `package` option to change the package used for the service.
2020-11-03 17:35:06 -06:00
Maximilian Bosch
d6b804db2f
Merge pull request #102530 from Ma27/fix-initrd-network-ssh-test
nixos/initrd-network-ssh: fix test
2020-11-04 00:01:10 +01:00
Andreas Rammhold
5903ea5395
nixos/unbond: unbound should be required for nss-lookup.target
Other units depend on nss-lookup.target and expect the DNS resolution to
work once that target is reached. The previous version
`wants=nss-lookup.target` made this unit require the nss-lookup.target
to be reached before this was started.

Another change that we can probalby do is drop the before relationship
with the nss-lookup.target. That might just be implied with the current
version.
2020-11-03 19:21:39 +01:00
Andreas Rammhold
5c16c31e06
nixos/unbound: add release notes for the changes that were introduced
As part of this patch series a few changes have been made to the unbound
serivce the deserve proper documentation.
2020-11-03 19:21:25 +01:00
Andreas Rammhold
2aa64e5df5
nixos/unbound: add option to configure the local control socket path
This option allows users to specify a local UNIX control socket to
"remote control" the daemon. System users, that should be permitted to
access the daemon, must be in the `unbound` group in order to access the
socket. When a socket path is configured we are also creating the
required group.

Currently this only supports the UNIX socket mode while unbound actually
supports more advanced types. Users are still able to configure more
complex scenarios via the `extraConfig` attribute.

When this option is set to `null` (the default) it doesn't affect the
system configuration at all. The unbound defaults for control sockets
apply and no additional groups are created.
2020-11-03 19:21:25 +01:00
Andreas Rammhold
b67cc6298e
nixos/tests/unbound: add test to verify control sockets work 2020-11-03 19:21:24 +01:00
Andreas Rammhold
a040a8a2e3
nixos/tests/unbound: init 2020-11-03 19:21:24 +01:00
Andreas Rammhold
aadc07618a
nixos/unbound: drop ReadWritePaths from systemd unit configuration
Both of the configured paths should be implicit due to RuntimeDirectory
& StateDirectory.
2020-11-03 19:21:24 +01:00
Andreas Rammhold
72fbf05c17
nixos/unbound: note about the AmbientCapabilities 2020-11-03 19:21:24 +01:00
Andreas Rammhold
5e602f88d1
nixos/modules/services/networking/unbound: update systemd unit
Previously we just applied a very minimal set of restrictions and
trusted unbound to properly drop root privs and capabilities.

With this change I am (for the most part) just using the upstream
example unit file for unbound. The main difference is that we start
unbound was `unbound` user with the required capabilities instead of
letting unbound do the chroot & uid/gid changes.

The upstream unit configuration this is based on is a lot stricter with
all kinds of permissions then our previous variant. It also came with
the default of having the `Type` set to `notify`, therefore we are also
using the `unbound-with-systemd` package here. Unbound will start up,
read the configuration files and start listening on the configured ports
before systemd will declare the unit "running". This will likely help
with startup order and the occasional race condition during system
activation where the DNS service is started but not yet ready to answer
queries.

Aditionally to the much stricter runtime environmet I removed the
`/dev/urandom` mount lines we previously had in the code (that would
randomly fail during `stop`-phase).

The `preStart` script is now only required if we enabled the trust
anchor updates (which are still enabled by default).

Another beneefit of the refactoring is that we can now issue reloads via
either `pkill -HUP unbound` or `systemctl reload unbound` to reload the
running configuration without taking the daemon offline. A prerequisite
of this was that unbound configuration is available on a well known path
on the file system. I went for /etc/unbound/unbound.conf as that is the
default in the CLI tooling which in turn enables us to use
`unbound-control` without passing a custom configuration location.
2020-11-03 19:21:24 +01:00
Kevin Cox
f1153d8a0a
Merge pull request #102528 from wizeman/u/fix-chrony-perm2
nixos/chrony: fix owner of chrony drift file
2020-11-03 12:44:13 -05:00
Kim Lindberger
cf2d180a12
Merge pull request #99906 from talyz/keycloak
nixos/keycloak: Init
2020-11-03 18:31:19 +01:00
ajs124
2b03d12ace
Merge pull request #102551 from freezeboy/remove-freepops
freepops: remove
2020-11-03 17:51:51 +01:00
WilliButz
0916fea195
Merge pull request #102541 from helsinki-systems/init/promtail
nixos/promtail: Add a promtail module
2020-11-03 17:34:01 +01:00
Kevin Cox
8230e62f57
Merge pull request #100495 from DianaOlympos/riak-cs-delete
riak-cs: delete
2020-11-03 11:17:42 -05:00
Janne Heß
54217cac69
nixos/promtail: Add a promtail module 2020-11-03 14:36:56 +01:00
Timo Kaufmann
6c13df3fc0
Merge pull request #99632 from midchildan/update/epgstation
epgstation: 1.7.4 -> 1.7.5
2020-11-03 14:03:31 +01:00
Frederik Rietdijk
470f05cb5d Merge staging-next into staging 2020-11-03 12:06:41 +01:00
freezeboy
ee0e1e0bcb nixos(freepops): remove module 2020-11-03 10:45:29 +01:00
Silvan Mosberger
8a7ea52173
Merge pull request #99019 from sumnerevans/master
Add ability to configure executable for redshift service
2020-11-03 01:00:40 +01:00
Silvan Mosberger
aeaf78adb8
Merge pull request #102204 from danderson/danderson/transmission-dir
nixos/transmission: point at the settings dir in cfg.home.
2020-11-03 00:45:04 +01:00
Ricardo M. Correia
48f8b85e1c nixos/chrony: fix owner of chrony drift file
It had become owned by root due to #97546.
2020-11-02 21:41:49 +01:00
Maximilian Bosch
819b0f4bb8
nixos/initrd-network-ssh: fix test
The test relied on moving `initrd` secrets from the store into the
`initrd` which was fine here as it's only an integration test and not a
production environment.

However, this broke in 20.09 when support for this was dropped[1]. To make
sure that the snakeoil key used as hostkey for `sshd` here actually gets
copied into the VM, I added a small script for this that takes care of
this process while building the initial ramdisk.

[1] d930466b77
2020-11-02 21:18:57 +01:00
Graham Christensen
75a2bc94fa
Merge pull request #101192 from grahamc/nixpkgs-location-basic-auth
nginx: support basic auth in location blocks
2020-11-02 09:44:54 -05:00
Graham Christensen
3361a037b9
nginx: add a warning that nginx's basic auth isn't very good. 2020-11-02 08:16:01 -05:00
Graham Christensen
a4b86b2bf5
nginx: test basic auth 2020-11-02 08:16:01 -05:00
Graham Christensen
c7bf3828f0
nginx: add basic auth support for locations 2020-11-02 08:16:00 -05:00
Graham Christensen
33cf4f0e8e
nginx: factor out the generation of basic auth generation 2020-11-02 08:16:00 -05:00
Dominique Martinet
1fb299064b stunnel: make servers accept more lenient
stunnel config's accept syntax is [host:]port -- this is required to e.g. listen on ipv6
where one would set :::port
2020-11-02 10:51:00 +01:00
Antoine Eiche
81063ee414 nixos.tests.systemd-journal: add basic systemd-journal-gatewayd test
This test allows to ensure the systemd-journal-gatewayd service is
responding correcly when the NixOS option `enableHttpGateway` is set.

The test has not been added into the main systemd test because a
graphical stack is not required (and rebuilding the graphical stack on
systemd change is huge).
2020-11-02 09:07:52 +01:00
Andreas Rammhold
2ba1c007f6
Merge pull request #102350 from andir/nixos-test-prometheus
nixos/tests/prometheus: remove invalid thanos config flag
2020-11-01 19:45:00 +01:00
Dominique Martinet
05eef8051b stunnel service: fix servers example
examples incorrectly had 'enable' set, the option is not defined
and reproducing would error out
2020-11-01 18:17:57 +01:00
Maximilian Bosch
4f3f06d070
Merge pull request #101553 from Mic92/nextcloud
Nextcloud: fix ldap integration
2020-11-01 16:10:18 +01:00
Arnout Engelen
c9b669a283
nixos.manual: introduce Wayland section
Co-Authored-By: Nicolas Berbiche <nicolas@normie.dev>
2020-11-01 15:47:10 +01:00
Andreas Rammhold
e4865130cf
nixos/tests/prometheus: remove invalid thanos config flag
Upstream has apparently changed the configuration format and is now
throwing an error when the `encrypt_sse` option is set. According to the
current version of the documentation encryption moved to the
`sse_config` option that (is optional and) offers all the features we do
not use or care about for this test.
2020-11-01 14:33:11 +01:00
Jörg Thalheim
7b5cebfa71
Merge pull request #102237 from oxzi/tlp-deprecation-note
nixos/tlp: Fix deprecation hint
2020-11-01 11:46:11 +01:00
Frederik Rietdijk
409ca6f1f9 Merge staging-next into staging 2020-11-01 11:06:35 +01:00
Frederik Rietdijk
54f7498601
Merge pull request #101369 from doronbehar/pkg/kdeApplications/qt515
kdeApplications: Use latest qt515 by default
2020-11-01 11:05:05 +01:00
Frederik Rietdijk
83dde6c52c Merge staging-next into staging 2020-11-01 10:11:12 +01:00
Rouven Czerwinski
733181d766 nixos/icecream: add modules
This adds modules for the icecream scheduler and daemon.
Icecream can be used for distributed compilation, especially in
environments with diverse toolchains, since it sends the complete build
environment to the daemon.
Unfortunatley the daemon can't be run with DynamicUser = true, since the
daemon requires to be started as root in order to accept other build
environments, see [1].

[1]: https://github.com/icecc/icecream#using-icecream-in-heterogeneous-environments
2020-11-01 08:13:08 +01:00
rnhmjoj
497b7018e4
nixos/bluetooth: disable restart on unit changes 2020-10-31 21:46:42 +01:00
Andreas Rammhold
fd0b3839b2
Merge pull request #102249 from rnhmjoj/firefox-audio
nixos/tests/firefox: add audio subtest
2020-10-31 21:23:10 +01:00
zimbatm
7d834eff6c
nixos/manual: make reproducible (#102234) 2020-10-31 21:18:16 +01:00
rnhmjoj
f7904ca45b
nixos/tests/firefox: add audio subtest 2020-10-31 20:53:15 +01:00
Philipp Kern
ec6b0950ef
nixos/prometheus: Support environmentFile (#97933)
For the same reason Alertmanager supports environmentFile to pass
secrets along, it is useful to support the same for Prometheus'
configuration to store bearer tokens outside the Nix store.
2020-10-31 20:52:13 +01:00
WORLDofPEACE
eaaf9254aa
Merge pull request #100520 from hyperfekt/patch-3
nixos-install: add passthrough --keep-going flag
2020-10-31 15:19:51 -04:00
Niklas Hambüchen
441abe9949 release notes: Document deprecation warning for StartLimitInterval in [Service] 2020-10-31 18:11:03 +01:00
hyperfekt
1338647a8c nixos-install: pass through keep-going flag 2020-10-31 17:13:45 +01:00
lf-
644079e707 nixos/modules: deprecation warning for StartLimitInterval in [Service]
This implements
https://github.com/NixOS/nixpkgs/issues/45786#issuecomment-440091879
2020-10-31 16:50:35 +01:00
Niklas Hambüchen
c178fe4bbb nixos/modules: Reformat warnings section 2020-10-31 16:50:25 +01:00
Alvar Penning
0ad1519ad9 nixos/tlp: Fix deprecation hint
The deprecated extraConfig option refers to the config option, which
does not exists. The settings option should be used.
2020-10-31 16:33:45 +01:00
lf-
b37bbca521 nixos/modules: fix systemd start rate-limits
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.

NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.

I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
2020-10-31 01:35:56 -07:00
Jade
2df221ec8a
nixos/postgresql: fix inaccurate docs for authentication (#97622)
* nixos/postgresql: fix inaccurate docs for authentication

We actually use peer authentication, then md5 based authentication.
trust is not used.

* Use a link for mkForce docs

Co-authored-by: aszlig <aszlig@redmoonstudios.org>

Co-authored-by: lf- <lf-@users.noreply.github.com>
Co-authored-by: aszlig <aszlig@redmoonstudios.org>
2020-10-31 03:35:19 -04:00
WORLDofPEACE
7b3b82f7af
Merge pull request #100136 from xaverdh/nixos-install-support-impure
nixos-install: pass through impure flag
2020-10-31 01:17:07 -04:00
David Anderson
43effbbc59 nixos/transmission: point at the settings dir in cfg.home.
Without this, transmission starts with an empty config when using
a custom home location.

Signed-off-by: David Anderson <dave@natulte.net>
2020-10-30 19:03:42 -07:00
David Anderson
9a8d6011aa nixos/tailscale: add tailscale to environment.systemPackages.
Use of Tailscale requires using the `tailscale` CLI to talk to the
daemon. If the CLI isn't in systemPackages, the resulting user experience
is confusing as the Tailscale daemon does nothing.

Signed-off-by: David Anderson <dave@natulte.net>
2020-10-30 17:58:14 -07:00
Mira Ressel
a7de454a76 nixos/qemu-vm: Update system.requiredKernelConfig
Verify that all kernel modules which are required for mounting
/nix/store in the VM are present.
2020-10-30 22:22:58 +01:00
Mira Ressel
8ee970442b nixos/qemu-vm: Don't require CONFIG_EXPERIMENTAL
The kernel stopped using this config option with version 3.9 (back in
2013!).
2020-10-30 22:22:57 +01:00
Mira Ressel
ef5268bcab nixos/qemu-vm: Fix condition in requiredKernelConfig
'optional' just takes a single item rather than a list
2020-10-30 22:22:13 +01:00
Graham Christensen
38a394bdee
Merge pull request #102174 from grahamc/ami-root-use-gpt
AMI root partition table: use GPT to support >2T partitions
2020-10-30 16:14:37 -04:00
Graham Christensen
860a3a23c6
Merge pull request #102175 from grahamc/ami-random
amazon-image: random.trust_cpu=on to cut 10s from boot
2020-10-30 16:13:41 -04:00
Graham Christensen
c06b97175b
Merge pull request #102173 from grahamc/create-amis
create-amis.sh: fixup shellcheck issues, improve error logging, and add configurable service names
2020-10-30 16:13:18 -04:00
Graham Christensen
82578fc725
Merge pull request #102172 from grahamc/stage-1-datestamps
stage-1: add datestamps to logs
2020-10-30 16:13:02 -04:00
Graham Christensen
b34cf366aa
Merge pull request #102171 from grahamc/faster-ext-resize
stage-1: modprobe ext{2,3,4} before resizing (so resizing takes less than 45 minutes)
2020-10-30 16:12:50 -04:00
WORLDofPEACE
214af51225
Merge pull request #101067 from deviant/remove-caddy-agree
nixos/caddy: remove services.caddy.agree
2020-10-30 16:02:44 -04:00
Graham Christensen
d77ddf2a40
nixos.amazonAmi: use legacy+gpt disk images to support partitions >2T 2020-10-30 15:50:25 -04:00
Graham Christensen
d78aa080f5
make-disk-image: support legacy+gpt 2020-10-30 15:50:24 -04:00
Doron Behar
77e081bb2b nixos/sddm: Use libsForQt514.sddm if needed (for lxqt)
Currently lxqt is a desktop environment that's compiled against qt514.
To avoid possible issues (#101369), we (hopefully) use the same qt
version as the desktop environment at hand. LXQT should move to qt515,
and for the long term the correct qt version should be inherited by the
sddm module.
2020-10-30 20:37:59 +02:00
Doron Behar
e681f442c9 nixos/plasma: Fix attribute path to kinit 2020-10-30 20:37:58 +02:00
Graham Christensen
c851030763
amazon-image: random.trust_cpu=on to cut 10s from boot
Ubuntu and other distros already have this set via kernel config.
2020-10-30 13:45:19 -04:00
Graham Christensen
74a577b293
create-amis: improve wording around the service name's IAM role
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2020-10-30 12:40:17 -04:00
Graham Christensen
ece5c0f304
stage-1: modprobe ext{2,3,4} before resizing
I noticed booting a system with an ext4 root which expanded to 5T took
quite a long time (12 minutes in some cases, 43(!) in others.)

I changed stage-1 to run `resize2fs -d 62` for extra debug output and
timing information. It revealed the adjust_superblock step taking
almost all of the time:

    [Fri Oct 30 11:10:15 UTC 2020] zero_high_bits_in_metadata: Memory used: 132k/0k (63k/70k), time:  0.00/ 0.00/ 0.00
    [Fri Oct 30 11:21:09 UTC 2020] adjust_superblock: Memory used: 396k/4556k (295k/102k), time: 654.21/ 0.59/ 5.13

but when I ran resize2fs on a disk with the identical content growing
to the identical target size, it would only take about 30 seconds. I
looked at what happened between those two steps in the fast case with
strace and found:

```
   235	getrusage(RUSAGE_SELF, {ru_utime={tv_sec=0, tv_usec=1795}, ru_stime={tv_sec=0, tv_usec=3590}, ...}) = 0
   236	write(1, "zero_high_bits_in_metadata: Memo"..., 84zero_high_bits_in_metadata: Memory used: 132k/0k (72k/61k), time:  0.00/ 0.00/ 0.00
   237	) = 84
   238	gettimeofday({tv_sec=1604061278, tv_usec=480147}, NULL) = 0
   239	getrusage(RUSAGE_SELF, {ru_utime={tv_sec=0, tv_usec=1802}, ru_stime={tv_sec=0, tv_usec=3603}, ...}) = 0
   240	gettimeofday({tv_sec=1604061278, tv_usec=480192}, NULL) = 0
   241	mmap(NULL, 2564096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa3c7355000
   242	access("/sys/fs/ext4/features/lazy_itable_init", F_OK) = 0
   243	brk(0xf85000)                           = 0xf85000
   244	brk(0xfa6000)                           = 0xfa6000
   245	gettimeofday({tv_sec=1604061278, tv_usec=538828}, NULL) = 0
   246	getrusage(RUSAGE_SELF, {ru_utime={tv_sec=0, tv_usec=58720}, ru_stime={tv_sec=0, tv_usec=3603}, ...}) = 0
   247	write(1, "adjust_superblock: Memory used: "..., 79adjust_superblock: Memory used: 396k/2504k (305k/92k), time:  0.06/ 0.06/ 0.00
   248	) = 79
   249	gettimeofday({tv_sec=1604061278, tv_usec=539119}, NULL) = 0
   250	getrusage(RUSAGE_SELF, {ru_utime={tv_sec=0, tv_usec=58812}, ru_stime={tv_sec=0, tv_usec=3603}, ...}) = 0
   251	gettimeofday({tv_sec=1604061279, tv_usec=939}, NULL) = 0
   252	getrusage(RUSAGE_SELF, {ru_utime={tv_sec=0, tv_usec=520411}, ru_stime={tv_sec=0, tv_usec=3603}, ...}) = 0
   253	write(1, "fix_uninit_block_bitmaps 2: Memo"..., 88fix_uninit_block_bitmaps 2: Memory used: 396k/2504k (305k/92k), time:  0.46/ 0.46/ 0.00
   254	) = 88
```

In particular the access to /sys/fs seemed interesting. Looking
at the source of resize2fs:

```
[root@ip-172-31-22-182:~/e2fsprogs-1.45.5]# rg -B2 -A1 /sys/fs/ext4/features/lazy_itable_init .
./resize/resize2fs.c
923-	if (getenv("RESIZE2FS_FORCE_LAZY_ITABLE_INIT") ||
924-	    (!getenv("RESIZE2FS_FORCE_ITABLE_INIT") &&
925:	     access("/sys/fs/ext4/features/lazy_itable_init", F_OK) == 0))
926-		lazy_itable_init = 1;
```

I confirmed /sys is mounted, and then found a bug suggesting the
ext4 module is maybe not loaded:
https://bugzilla.redhat.com/show_bug.cgi?id=1071909

My home server doesn't have ext4 loaded and had 3T to play with, so
I tried (and succeeded with) replicating the issue locally:

```
[root@kif:/scratch]# lsmod | grep -i ext

[root@kif:/scratch]# zfs create -V 3G rpool/scratch/ext4

[root@kif:/scratch]# time mkfs.ext4 /dev/zvol/rpool/scratch/ext4
mke2fs 1.45.5 (07-Jan-2020)
Discarding device blocks: done
Creating filesystem with 786432 4k blocks and 196608 inodes
Filesystem UUID: 560a4a8f-93dc-40cc-97a5-f10049bf801f
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

real	0m2.261s
user	0m0.000s
sys	0m0.025s

[root@kif:/scratch]# zfs set volsize=3T rpool/scratch/ext4

[root@kif:/scratch]# time resize2fs -d 62 /dev/zvol/rpool/scratch/ext4
resize2fs 1.45.5 (07-Jan-2020)
fs has 11 inodes, 1 groups required.
fs requires 16390 data blocks.
With 1 group(s), we have 22234 blocks available.
Last group's overhead is 10534
Need 16390 data blocks in last group
Final size of last group is 26924
Estimated blocks needed: 26924
Extents safety margin: 49
Resizing the filesystem on /dev/zvol/rpool/scratch/ext4 to 805306368 (4k) blocks.
read_bitmaps: Memory used: 132k/0k (63k/70k), time:  0.00/ 0.00/ 0.00
read_bitmaps: I/O read: 1MB, write: 0MB, rate: 3802.28MB/s
fix_uninit_block_bitmaps 1: Memory used: 132k/0k (63k/70k), time:  0.00/ 0.00/ 0.00
resize_group_descriptors: Memory used: 132k/0k (68k/65k), time:  0.00/ 0.00/ 0.00
move_bg_metadata: Memory used: 132k/0k (68k/65k), time:  0.00/ 0.00/ 0.00
zero_high_bits_in_metadata: Memory used: 132k/0k (68k/65k), time:  0.00/ 0.00/ 0.00
```

here it got stuck for quite some time ... straceing this 20 minutes in revealed this in a tight loop:

```
getuid()                                = 0
geteuid()                               = 0
getgid()                                = 0
getegid()                               = 0
prctl(PR_GET_DUMPABLE)                  = 1 (SUID_DUMP_USER)
fallocate(3, FALLOC_FL_ZERO_RANGE, 2222649901056, 2097152) = 0
fsync(3)                                = 0
```

it finally ended 43(!) minutes later:

```
adjust_superblock: Memory used: 264k/3592k (210k/55k), time: 2554.03/ 0.16/15.07
fix_uninit_block_bitmaps 2: Memory used: 264k/3592k (210k/55k), time:  0.16/ 0.16/ 0.00
blocks_to_move: Memory used: 264k/3592k (211k/54k), time:  0.00/ 0.00/ 0.00
Number of free blocks: 755396/780023556, Needed: 0
block_mover: Memory used: 264k/3592k (216k/49k), time:  0.05/ 0.01/ 0.00
block_mover: I/O read: 1MB, write: 0MB, rate: 18.68MB/s
inode_scan_and_fix: Memory used: 264k/3592k (216k/49k), time:  0.00/ 0.00/ 0.00
inode_ref_fix: Memory used: 264k/3592k (216k/49k), time:  0.00/ 0.00/ 0.00
move_itables: Memory used: 264k/3592k (216k/49k), time:  0.00/ 0.00/ 0.00
calculate_summary_stats: Memory used: 264k/3592k (216k/49k), time: 16.35/16.35/ 0.00
fix_resize_inode: Memory used: 264k/3592k (222k/43k), time:  0.04/ 0.00/ 0.00
fix_resize_inode: I/O read: 1MB, write: 0MB, rate: 22.80MB/s
fix_sb_journal_backup: Memory used: 264k/3592k (222k/43k), time:  0.00/ 0.00/ 0.00
overall resize2fs: Memory used: 264k/3592k (222k/43k), time: 2570.90/16.68/15.07
overall resize2fs: I/O read: 1MB, write: 1MB, rate: 0.00MB/s
The filesystem on /dev/zvol/rpool/scratch/ext4 is now 805306368 (4k) blocks long.

real	43m1.943s
user	0m16.761s
sys	0m15.069s
```

I then cleaned up and recreated the zvol, loaded the ext4 module, created the ext4 fs,
resized the volume, and resize2fs'd and it went quite quickly:

```
[root@kif:/scratch]# zfs destroy rpool/scratch/ext4

[root@kif:/scratch]# zfs create -V 3G rpool/scratch/ext4

[root@kif:/scratch]# modprobe ext4

[root@kif:/scratch]# time resize2fs -d 62 /dev/zvol/rpool/scratch/ext4

[root@kif:/scratch]# time mkfs.ext4 /dev/zvol/rpool/scratch/ext4
mke2fs 1.45.5 (07-Jan-2020)
Discarding device blocks: done
Creating filesystem with 786432 4k blocks and 196608 inodes
Filesystem UUID: 5b415f2f-a8c4-4ba0-ac1d-78860de77610
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

real	0m1.013s
user	0m0.001s
sys	0m0.023s

[root@kif:/scratch]# zfs set volsize=3T rpool/scratch/ext4

[root@kif:/scratch]# time resize2fs -d 62 /dev/zvol/rpool/scratch/ext4
resize2fs 1.45.5 (07-Jan-2020)
fs has 11 inodes, 1 groups required.
fs requires 16390 data blocks.
With 1 group(s), we have 22234 blocks available.
Last group's overhead is 10534
Need 16390 data blocks in last group
Final size of last group is 26924
Estimated blocks needed: 26924
Extents safety margin: 49
Resizing the filesystem on /dev/zvol/rpool/scratch/ext4 to 805306368 (4k) blocks.
read_bitmaps: Memory used: 132k/0k (63k/70k), time:  0.00/ 0.00/ 0.00
read_bitmaps: I/O read: 1MB, write: 0MB, rate: 3389.83MB/s
fix_uninit_block_bitmaps 1: Memory used: 132k/0k (63k/70k), time:  0.00/ 0.00/ 0.00
resize_group_descriptors: Memory used: 132k/0k (68k/65k), time:  0.00/ 0.00/ 0.00
move_bg_metadata: Memory used: 132k/0k (68k/65k), time:  0.00/ 0.00/ 0.00
zero_high_bits_in_metadata: Memory used: 132k/0k (68k/65k), time:  0.00/ 0.00/ 0.00
adjust_superblock: Memory used: 264k/1540k (210k/55k), time:  0.02/ 0.02/ 0.00
fix_uninit_block_bitmaps 2: Memory used: 264k/1540k (210k/55k), time:  0.15/ 0.15/ 0.00
blocks_to_move: Memory used: 264k/1540k (211k/54k), time:  0.00/ 0.00/ 0.00
Number of free blocks: 755396/780023556, Needed: 0
block_mover: Memory used: 264k/3592k (216k/49k), time:  0.01/ 0.01/ 0.00
block_mover: I/O read: 1MB, write: 0MB, rate: 157.11MB/s
inode_scan_and_fix: Memory used: 264k/3592k (216k/49k), time:  0.00/ 0.00/ 0.00
inode_ref_fix: Memory used: 264k/3592k (216k/49k), time:  0.00/ 0.00/ 0.00
move_itables: Memory used: 264k/3592k (216k/49k), time:  0.00/ 0.00/ 0.00

calculate_summary_stats: Memory used: 264k/3592k (216k/49k), time: 16.20/16.20/ 0.00
fix_resize_inode: Memory used: 264k/3592k (222k/43k), time:  0.00/ 0.00/ 0.00
fix_resize_inode: I/O read: 1MB, write: 0MB, rate: 5319.15MB/s
fix_sb_journal_backup: Memory used: 264k/3592k (222k/43k), time:  0.00/ 0.00/ 0.00
overall resize2fs: Memory used: 264k/3592k (222k/43k), time: 16.45/16.38/ 0.00
overall resize2fs: I/O read: 1MB, write: 1MB, rate: 0.06MB/s
The filesystem on /dev/zvol/rpool/scratch/ext4 is now 805306368 (4k) blocks long.

real	0m17.908s
user	0m16.386s
sys	0m0.079s
```

Success!
2020-10-30 12:18:23 -04:00
Graham Christensen
a179781696
stage-1: add datestamps to logs
When the stage-1 logs get imported in to the journal, they all get
loaded with the same timestamp. This makes it difficult to identify
what might be taking a long time in early boot.
2020-10-30 12:16:35 -04:00
Graham Christensen
2bf1fc0345
create-amis: allow customizing the service role name
The complete setup on the AWS end can be configured
with the following Terraform configuration. It generates
a ./credentials.sh which I just copy/pasted in to the
create-amis.sh script near the top. Note: the entire stack
of users and bucket can be destroyed at the end of the
import.

    variable "region" {
      type = string
    }
    variable "availability_zone" {
      type = string
    }

    provider "aws" {
      region = var.region
    }

    resource "aws_s3_bucket" "nixos-amis" {
      bucket_prefix = "nixos-amis-"
      lifecycle_rule {
        enabled = true
        abort_incomplete_multipart_upload_days = 1
        expiration {
          days = 7
        }
      }
    }

    resource "local_file" "credential-file" {
      file_permission = "0700"
      filename = "${path.module}/credentials.sh"
      sensitive_content = <<SCRIPT
    export service_role_name="${aws_iam_role.vmimport.name}"
    export bucket="${aws_s3_bucket.nixos-amis.bucket}"
    export AWS_ACCESS_KEY_ID="${aws_iam_access_key.uploader.id}"
    export AWS_SECRET_ACCESS_KEY="${aws_iam_access_key.uploader.secret}"
    SCRIPT
    }

    # The following resources are for the *uploader*
    resource "aws_iam_user" "uploader" {
      name = "nixos-amis-uploader"
    }

    resource "aws_iam_access_key" "uploader" {
      user = aws_iam_user.uploader.name
    }

    resource "aws_iam_user_policy" "upload-to-nixos-amis" {
      user = aws_iam_user.uploader.name

      policy = data.aws_iam_policy_document.upload-policy-document.json
    }

    data "aws_iam_policy_document" "upload-policy-document" {
      statement {
        effect = "Allow"

        actions = [
          "s3:ListBucket",
          "s3:GetBucketLocation",
        ]

        resources = [
          aws_s3_bucket.nixos-amis.arn
        ]
      }

      statement {
        effect = "Allow"

        actions = [
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject",
        ]

        resources = [
          "${aws_s3_bucket.nixos-amis.arn}/*"
        ]
      }

      statement {
        effect = "Allow"
        actions = [
          "ec2:ImportSnapshot",
          "ec2:DescribeImportSnapshotTasks",
          "ec2:DescribeImportSnapshotTasks",
          "ec2:RegisterImage",
          "ec2:DescribeImages"
        ]
        resources = [
          "*"
        ]
      }
    }

    # The following resources are for the *vmimport service user*
    # See: https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#vmimport-role
    resource "aws_iam_role" "vmimport" {
      assume_role_policy = data.aws_iam_policy_document.vmimport-trust.json
    }

    resource "aws_iam_role_policy" "vmimport-access" {
      role = aws_iam_role.vmimport.id
      policy = data.aws_iam_policy_document.vmimport-access.json
    }

    data "aws_iam_policy_document" "vmimport-access" {
      statement {
        effect = "Allow"
        actions = [
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
        ]
        resources = [
          aws_s3_bucket.nixos-amis.arn,
          "${aws_s3_bucket.nixos-amis.arn}/*"
        ]
      }
      statement {
        effect = "Allow"
        actions = [
          "ec2:ModifySnapshotAttribute",
          "ec2:CopySnapshot",
          "ec2:RegisterImage",
          "ec2:Describe*"
        ]
        resources = [
          "*"
        ]
      }
    }

    data "aws_iam_policy_document" "vmimport-trust" {
      statement {
        effect = "Allow"
        principals {
          type = "Service"
          identifiers = [ "vmie.amazonaws.com" ]
        }

        actions = [
          "sts:AssumeRole"
        ]

        condition {
          test = "StringEquals"
          variable = "sts:ExternalId"
          values = [ "vmimport" ]
        }
      }
    }
2020-10-30 12:12:08 -04:00
Graham Christensen
e253de8a77
create-amis.sh: log the full response if describing the import snapshot tasks fails 2020-10-30 12:08:01 -04:00
Graham Christensen
f92a883ddb
nixos ec2/create-amis.sh: shellcheck: $ is not needed in arithmetic 2020-10-30 12:08:01 -04:00
Graham Christensen
7dac8470cf
nixos ec2/create-amis.sh: shellcheck: explicitly make the additions to block_device_mappings single strings 2020-10-30 12:08:00 -04:00
Graham Christensen
a66a22ca54
nixos ec2/create-amis.sh: shellcheck: read without -r mangles backslashes 2020-10-30 12:08:00 -04:00
Graham Christensen
baf7ed3f24
nixos ec2/create-amis.sh: shellcheck: SC2155: Declare and assign separately to avoid masking return values. 2020-10-30 12:07:59 -04:00
Graham Christensen
f5994c208d
nixos ec2/create-amis.sh: shellcheck: quote state_dir reference 2020-10-30 12:07:59 -04:00
Graham Christensen
c76692192a
nixos ec2/create-amis.sh: shellcheck: quote region references 2020-10-30 12:07:49 -04:00
Timo Kaufmann
83f48e8348
Merge pull request #95011 from Atemu/undervolt-pl
undervolt: expose power limits as Nixopts
2020-10-30 09:32:50 +01:00
Michele Guerini Rocco
1102a46ffe
Merge pull request #101724 from pickfire/patch-3
fontdir: add ttc to font regex
2020-10-30 08:41:34 +01:00
Benjamin Hipple
e00752079e
Merge pull request #102018 from 1000101/blockbook-frontend
blockbook-frontend: fix&update extraConfig example
2020-10-29 22:30:07 -04:00
Tad Fisher
e07f4d6795
nixos/throttled: disable kernel msr warning 2020-10-29 15:04:18 -07:00
Florian Klink
b8d59e93c8 nixos/networkd: allow RouteMetric= in [DHCPv6] section 2020-10-29 19:47:42 +01:00
talyz
89e83833af
nixos/keycloak: Add support for MySQL and external DBs with SSL
- Add support for using MySQL as an option to PostgreSQL.
- Enable connecting to external DBs with SSL
- Add a database port config option
2020-10-29 12:47:10 +01:00
talyz
d1d3c86c70
rl-2103: Note the addition of the Keycloak service 2020-10-29 12:08:06 +01:00
talyz
c6e4388449
nixos/keycloak: Add documentation 2020-10-29 12:08:01 +01:00
talyz
fe5a16aee6
nixos/keycloak: Document internal functions 2020-10-29 12:07:55 +01:00
talyz
31fe90d6ef
nixos/keycloak: Add test 2020-10-29 12:07:49 +01:00
1000101
4b8611c959 blockbook-frontend: fix&update extraConfig example 2020-10-29 11:41:41 +01:00
Philipp
fc856b89e5
nixos/murmur: add murmur group, don't run as nogroup
fixes #101980
2020-10-29 10:32:04 +01:00
Martin Weinelt
55746e0a4b
Merge pull request #98187 from mweinelt/nixos/babeld
nixos/babeld: lock down service
2020-10-29 01:24:11 +01:00
Minijackson
3fce272478 nixos/shiori: harden service with systemd 2020-10-28 20:46:30 +01:00
Maximilian Bosch
ca45bb574d
nixos/rl-2009: minor typo fix 2020-10-28 19:38:28 +01:00
Thomas Depierre
63caecee7d riak-cs: delete 2020-10-28 19:31:33 +01:00
Vladimír Čunát
0b32140b34
Merge branch 'staging-next' into staging 2020-10-28 18:48:56 +01:00
Linus Heckemann
2b06415ca1
Merge pull request #101370 from m1cr0man/ssl-test-certs
nixos/acme: Permissions and tests fixes
2020-10-28 17:21:57 +01:00
Andreas Rammhold
db0fe5c3eb
Merge branch master into staging to fix eval error
This fixes the eval error of the small (and "big"?) NixOS test set that
was fixed in 1088f05 & eba8f542.
2020-10-28 03:03:27 +01:00
Andreas Rammhold
c127653b72
Merge pull request #101887 from jonringer/minor-release-notes-adjustment
nixos/docs/rl-2009.xml: grafana: description, example agreement
2020-10-28 02:38:55 +01:00
Jonathan Ringer
3963954fc8
nixos/docs/rl-2009.xml: grafana: description, example agreement 2020-10-27 17:50:39 -07:00
Markus S. Wamser
a0cc1243cc doc: 20.09 release notes: remove duplicate service list entry
opt-services.foldingathome.enable was listed twice
2020-10-27 13:43:44 -07:00
davidak
4166a767de doc: improve 20.09 release notes 2020-10-27 21:11:22 +01:00
talyz
513599a6d7
nixos/keycloak: Init 2020-10-27 19:01:26 +01:00
AmineChikhaoui
8cae6703ef
ec2-amis: add stable NixOS 20.09 AMIs
Fixes #101694
2020-10-27 08:52:15 -04:00
WORLDofPEACE
5a08ab936b rl-2009: release on a Tuesday
Because hydra took it's good old time
2020-10-27 03:03:43 -04:00
Ryan Mulligan
178d373a8a
Merge pull request #83687 from primeos/wshowkeys
wshowkeys: init at 2020-03-29
2020-10-26 18:55:16 -07:00
WORLDofPEACE
d1b239703c
Merge pull request #101811 from jonringer/rl-2009-contributions
release-notes-2009: add contributions section
2020-10-26 21:49:20 -04:00
Jonathan Ringer
51ca426eb5
release-notes-2009: add contributions section 2020-10-26 18:36:12 -07:00
Andreas Rammhold
1dc37370c4
Merge pull request #101805 from andir/unbreak-tarball-job
nixos/tests: fix wrong inherit that passes on the nodes attrs
2020-10-27 01:29:36 +01:00
Jonathan Ringer
366bebd53a README.md: update stable release links 2020-10-26 20:10:29 -04:00
Andreas Rammhold
eba8f5425f
nixos/tests: fix wrong inherit that passes on the nodes attrs
The hydra tarball step would fail due to the nodes attribute not being
properly inherited. Since we can't execute all the tests and release
steps locally anymore (thanks to the JSONification and faster hydra
eval) these errors will probably keep in appearing.

This is hopefully the last of those introduced by me test runner
refactoring.

Error was seen on hydra (https://hydra.nixos.org/build/129282411):
> unpacking sources
> unpacking source archive /nix/store/bp95x52h6nv3j8apxrryyj2rviw682k1-source
> source root is source
> patching sources
> autoconfPhase
> No bootstrap, bootstrap.sh, configure.in or configure.ac. Assuming this is not an GNU Autotools package.
> configuring
> release name is nixpkgs-21.03pre249116.1088f059401
> git-revision is 1088f05940
> building
> no Makefile, doing nothing
> running tests
> warning: you did not specify '--add-root'; the result might be removed by the garbage collector
> warning: you did not specify '--add-root'; the result might be removed by the garbage collector
> checking Nixpkgs on i686-linux
> checking Nixpkgs on x86_64-linux
> checking Nixpkgs on x86_64-darwin
> checking eval-release.nix
> trace: `mkStrict' is obsolete; use `mkOverride 0' instead.
> trace: `lib.nixpkgsVersion` is deprecated, use `lib.version` instead!
> trace: warning: lib.readPathsFromFile is deprecated, use a list instead
> trace: Warning: `showVal` is deprecated and will be removed in the next release, please use `traceSeqN`
> trace: lib.zip is deprecated, use lib.zipAttrsWith instead
> checking find-tarballs.nix
> trace: `mkStrict' is obsolete; use `mkOverride 0' instead.
> trace: `lib.nixpkgsVersion` is deprecated, use `lib.version` instead!
> trace: warning: lib.readPathsFromFile is deprecated, use a list instead
> trace: Warning: `showVal` is deprecated and will be removed in the next release, please use `traceSeqN`
> trace: lib.zip is deprecated, use lib.zipAttrsWith instead
> error: while evaluating anonymous function at /build/source/maintainers/scripts/find-tarballs.nix:6:1, called from undefined position:
> while evaluating 'operator' at /build/source/maintainers/scripts/find-tarballs.nix:27:16, called from undefined position:
> while evaluating 'immediateDependenciesOf' at /build/source/maintainers/scripts/find-tarballs.nix:39:29, called from /build/source/maintainers/scripts/find-tarballs.nix:27:44:
> while evaluating anonymous function at /build/source/lib/attrsets.nix:234:10, called from undefined position:
> while evaluating anonymous function at /build/source/maintainers/scripts/find-tarballs.nix:40:37, called from /build/source/lib/attrsets.nix:234:16:
> while evaluating 'derivationsIn' at /build/source/maintainers/scripts/find-tarballs.nix:42:19, called from /build/source/maintainers/scripts/find-tarballs.nix:40:40:
> while evaluating 'canEval' at /build/source/maintainers/scripts/find-tarballs.nix:48:13, called from /build/source/maintainers/scripts/find-tarballs.nix:43:9:
> while evaluating the attribute 'nodes' at /build/source/nixos/lib/testing-python.nix:195:23:
> attribute 'nodes' missing, at /build/source/nixos/lib/testing-python.nix:193:16
> build time elapsed:  0m0.122s 0m0.043s 17m51.526s 0m56.668s
> builder for '/nix/store/96rk3c74vrk6m3snm7n6jhis3j640pn4-nixpkgs-tarball-21.03pre249116.1088f059401.drv' failed with exit code 1
2020-10-27 00:10:31 +01:00
Tim Steinbach
c851af868f
docker-edge: Fix test 2020-10-26 16:25:37 -04:00
WORLDofPEACE
ace69f768b Revert "nixos/pantheon: install nixos wallpaper"
This reverts commit 5100e4f250.

Fixes https://github.com/NixOS/nixpkgs/issues/100293
Though it's only a workaround for now.
See https://github.com/elementary/switchboard-plug-pantheon-shell/issues/246#issuecomment-716713218
We trigger the broken scenario where we have two subdirectories. Reverting
that commit undoes this.
2020-10-26 13:45:19 -04:00
Nick Hu
921287e7f0
Merge pull request #97726 from NickHu/pam_gnupg
pam: add support for pam_gnupg
2020-10-26 15:27:13 +00:00
Andreas Rammhold
1088f05940
Merge pull request #101598 from andir/nixos-build-vms-qemu
nixos/tests: follow-up to the closure reduction PR
2020-10-26 14:19:45 +01:00