Commit Graph

7240 Commits

Author SHA1 Message Date
Jörg Thalheim
71710fd099
Revert "EC2: Disable PV support"
This reverts commit fbe6d23624.

this breaks every non-ec2 (non-hvm) system

cc @edolstra
2017-04-04 12:05:21 +02:00
Carles Pagès
d5a623cb39 Update 17.03 release notes 2017-04-03 22:54:34 +02:00
Eelco Dolstra
8cc3db6b67
Add 17.03 AMIs 2017-04-03 17:46:34 +02:00
Eelco Dolstra
fbe6d23624
EC2: Disable PV support
Unfortunately, somewhere between 16.09 and 17.03, paravirtualized
instances stopped working. They hang at the pv-grub prompt
("grubdom>"). I tried reverting to a 4.4 kernel, reverting kernel
compression from xz to bzip2 (even though pv-grub is supposed to
support xz), and reverting the only change to initrd generation
(5a8147479e). Nothing worked so I'm
giving up.
2017-04-03 17:46:34 +02:00
Eelco Dolstra
e6faf2a4e6
create-amis.sh: Use pv-grub-hd0_1.05 2017-04-03 17:46:34 +02:00
Thomas Tuegel
bd0163fc34
Merge branch 'fontconfig-penultimate' 2017-04-03 09:31:20 -05:00
Thomas Tuegel
89bfa112cf
fontconfig-penultimate: 0.2.1 -> 0.3.2 2017-04-03 09:26:19 -05:00
Eelco Dolstra
b0d07aa894 Merge pull request #24533 from Zimmi48/patch-1
[doc] improve "getting the sources" chapter
2017-04-03 15:33:32 +02:00
Thomas Tuegel
03942659ca
nixos/fontconfig: remove renderMonoTTFAsBitmap 2017-04-03 08:24:32 -05:00
Thomas Tuegel
21c9190a5f
nixos/fontconfig: remove forceAutohint option 2017-04-03 08:23:32 -05:00
Thomas Tuegel
7a78892c47
nixos/fontconfig: disable autohint by default 2017-04-03 08:22:03 -05:00
Graham Christensen
c7453084ef
docker: test for socket permissions 2017-04-03 09:05:41 -04:00
Alexey Shmalko
fa4fe71105
docker: fix socket permissions
Docker socket is world writable. This means any user on the system is
able to invoke docker command. (Which is equal to having a root access
to the machine.)

This commit makes socket group-writable and owned by docker group.

Inspired by
https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket
2017-04-03 09:05:37 -04:00
Shea Levy
3a26d09e15 initrd-ssh: Use initrd secrets for host keys 2017-04-02 16:33:37 -04:00
Shea Levy
b09490a322 systemd-boot: Support initrd secrets 2017-04-02 16:33:37 -04:00
Shea Levy
59c0977300 Add facility to append secrets to the initrd 2017-04-02 16:33:37 -04:00
Tuomas Tynkkynen
affce1e246 nixos hibernate test: Use waitForOpenPort
There was one confusing recent failure of this:

http://cache.nixos.org/log/myla8bc17j8spmifdxmrz9jswxwsf5w6-vm-test-run-hibernate.drv

I don't have any real ideas on what could cause the problem but there is
at least one theoretical one: the system starts hibernating before the
listener process manages to open the TCP port for listening, and it can't
open it after resuming because not enough pages from the netcat binary
have been paged in (and as the 9p filesystem holding it is now toast,
they can't be loaded anymore).
2017-04-02 02:33:21 +03:00
Théo Zimmermann
72070e6dfc doc: improve "getting the sources" chapter 2017-04-01 17:56:29 +02:00
Niklas Hambüchen
ee0f3e7ad9 acme: Use chown -R for challenges directory. Fixes #24529.
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went it.
2017-04-01 15:22:01 +02:00
Eelco Dolstra
80b40fdf03
sshd.nix: Alternative fix for #19589
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
2017-03-31 16:18:58 +02:00
Eelco Dolstra
4e79b0b075
Revert "sshd: separate key generation into another service"
This reverts commit 1a74eedd07. It
breaks NixOps, which expects that

  rm -f /etc/ssh/ssh_host_ed25519_key*
  systemctl restart sshd
  cat /etc/ssh/ssh_host_ed25519_key.pub

works.
2017-03-31 16:18:58 +02:00
Robin Gloster
cbd6fb1b3a
Release Notes: tracking UIDs/GIDs is in 17.09 2017-03-31 15:51:37 +02:00
Eelco Dolstra
e241fb87a1
Update 17.03 release notes 2017-03-31 15:00:30 +02:00
Robin Gloster
163668f6c4
Release Notes 17.03: update on master 2017-03-30 22:52:08 +02:00
sternenseemann
fd3a99633b 2bwm: init at 0.2 2017-03-30 19:21:27 +02:00
Robin Gloster
8a18e1f7f1
quagga service: disable 2017-03-30 16:23:33 +02:00
Robin Gloster
ce953d0bc9
panomatic: remove 2017-03-30 16:23:33 +02:00
Joachim Fasting
c504e14c87
rl-notes 17.03: add notes about changes to the dnscrypt-proxy interface
(cherry picked from commit 961367717662ca84daf01a1f9ee3f9404ae659d0)
2017-03-30 13:36:08 +02:00
Joachim Fasting
543f5263d2
nixos/dnscrypt-proxy test: exercise plugin loading 2017-03-30 13:36:06 +02:00
Robin Gloster
a79891f6b2
sitecopy: remove 2017-03-30 12:06:09 +02:00
Eelco Dolstra
a57bcd38b4
update-users-groups.pl: Keep track of deallocated UIDs/GIDs
When a user or group is revived, this allows it to be allocated the
UID/GID it had before.

A consequence is that UIDs and GIDs are no longer reused.

Fixes #24010.
2017-03-29 18:13:18 +02:00
Tim Steinbach
eb70ae34b1 Merge pull request #24254 from bachp/gitlab-runner-9
Upgrade Gitlab Runner
2017-03-28 18:21:35 -04:00
Joachim Fasting
8427222eca
rl-notes 17.03: add note about pre-NSS dnscrypt-proxy
(cherry picked from commit de5d4dc14788bcf0c8e6ef8dd5d8f3500a568422)
2017-03-29 00:05:48 +02:00
Jörg Thalheim
36fca93290
rename iana_etc to iana-etc
fixes #23621
2017-03-28 22:35:15 +02:00
Pascal Bach
8373124202 gitlab-runner: make v1 runner available
gitlab-runner 9.0.0 is only compatible with gitlab >= 9.0
gitlab-runner1 1.11.1 is only compatible with gitlab < 9.4
2017-03-28 21:02:43 +02:00
Bas van Dijk
6f2eca1744 wordpress: replace the dbPassword option with dbPasswordFile (#24146)
We shouldn't force users to store passwords in the world-readable Nix store.
2017-03-28 17:38:16 +02:00
Robin Gloster
d1228f95e9
Revert "Revert "gdm module: only make xserver args overrideable""
This reverts commit 4e57e7f7c6.

This actually broke gnome3 and didn't fix anything, I failed bisecting.
2017-03-27 17:20:56 +02:00
Franz Pletz
1b95985b71 Merge pull request #24148 from volth/libvirt-3.1.0
libvirt: 3.0.0 -> 3.1.0
2017-03-27 10:02:06 +02:00
aszlig
ee39d4b98a
nixos/tests/virtualbox: Fix @shell@ expansion
This has surfaced since f803270b7e.

The commit bumped bash to version 4.4, which caused to change the order
of --subst-var flags in substituteAll, which this test was relying on,
because it added a @shell@ to boot.initrd.postMountCommands.

Our substituter is currently working a bit like this:

original.replace('@var1@', 'val1').replace('@var2@', 'val2')...

Unfortunately, this means that if @var2@ occurs within @var1@ it is
replaced by the new value, so the order of the substvars actually
matter. I highly doubt that we want a behaviour like this and I'm
wondering why it didn't occur to me as a problem while writing the
initial implementation of the VirtualBox tests.

Whether to get rid of this and disallowing substitution of substvars
within substvars is another topic which I think needs discussion in a
different place.

As for now, I'm using stdenv.shell, because the closure size of this
should fit within the initrd, so it's fine especially because it's just
a test.

Tested with the net-hostonlyif and systemd-detect-virt tests and they
both succeed with this change.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: @globin on IRC
2017-03-27 04:53:17 +02:00
c74d
a4ac5506f5 google-compute-image: fix Yama LSM option conflict
Having fixed the Google Compute Engine image build process's copying
of store paths in PR #24264, I ran `nixos-rebuild --upgrade switch`...
and the GCE image broke again, because it sets the NixOS configuration
option for the sysctl variable `kernel.yama.ptrace_scope` to
`mkDefault "1"`, i.e., with override priority 1000, and now the
`sysctl` module sets the same option to `mkDefault "0"` (this was
changed in commit 86721a5f78).

This patch raises the override priority of the Google Compute Engine
image configuration's definition of the Yama sysctl option to 500
(still lower than the priority of an unmodified option definition).

I have tested that this patch allows the Google Compute Engine image
to again build successfully for me.
2017-03-26 21:09:58 +02:00
Arnold Krille
68729958e8
network-interfaces: reload bridges on conf changes
And adopt the tests to add an interface and remove it again.

It should work when deactivating rstp, it will not work when activating
rstp for the first bridge as then the userspace daemon is not yet
available. But once one bridge is active with stp, it should work with
the reload for any further bridge.

Fixes #21745. Also see #22547.
2017-03-26 18:47:43 +02:00
Jörg Thalheim
e0fd894d88 Merge pull request #24334 from cko/update_docu
NixOS Manual: Update version numbers
2017-03-26 11:23:32 +02:00
Edward Tjörnhammar
b35d22b30c
radarr: init at 0.2.0.553 + nixos module 2017-03-25 21:19:55 +01:00
Edward Tjörnhammar
2db5c5cfe2
jackett: init at 0.7.1197 + nixos module 2017-03-25 21:19:44 +01:00
Edward Tjörnhammar
958668ab80
nixos, openafs-client: correct serviceConfig 2017-03-25 21:19:34 +01:00
Christine Koppelt
e5c927cb8d NixOS Manual: Update version numbers 2017-03-25 20:14:04 +01:00
Richard Zetterberg
dc10688edb nftables: adds information regarding nftables and Docker (#24326) 2017-03-25 16:34:02 +01:00
Franz Pletz
d545772640
libvirt: make guest suspend work, use upstream units 2017-03-25 14:59:01 +01:00
Nikolay Amiantov
417844b596 phpfpm service: don't use private /tmp
This breaks local PostgreSQL connections.
2017-03-25 14:52:44 +01:00
Robin Gloster
6b8ad8b581
networkd: fix setting both defaultGateway{,6} 2017-03-25 14:30:05 +01:00