Commit Graph

21382 Commits

Author SHA1 Message Date
Domen Kožar
8ecb0344a0
Merge pull request #121720 from samueldr/feature/arm-stage-1-modules
installer images: Add available modules to stage-1 on ARM platforms
2021-05-07 22:01:09 +02:00
Evils
5ae90276c3 nixos/fancontrol: clean up module
set a group and user for the service
remove default null config
  it's required, now it throws an error pointing to the option

set myself (module author) as maintainer
2021-05-07 11:46:40 -07:00
Evils
3d043c6939 nixosTests.fancontrol: fix test
and set myself (module author) as maintainer
2021-05-07 11:46:40 -07:00
Robin Gloster
29e92116d1
Merge pull request #118037 from mayflower/privacy-extensions-configurable
nixos/network: allow configuring tempaddr for undeclared interfaces
2021-05-07 13:01:29 -05:00
ajs124
cd609e7a1c
Merge pull request #117094 from helsinki-systems/drop/spidermonkey_1_8_5
spidermonkey_1_8_5: drop
2021-05-07 18:55:49 +02:00
Robert Hensing
316b82563a
Merge pull request #121702 from hercules-ci/nixos-hercules-ci-agent-update
nixos/hercules-ci-agent: updates
2021-05-07 15:48:33 +02:00
Linus Heckemann
47828e7dc0 nixos/manual: document IPv6 Privacy Extensions options 2021-05-07 13:55:11 +02:00
Jan Tojnar
9468b07326
Merge branch 'gnome-40' 2021-05-07 12:12:40 +02:00
Robert Hensing
0633b6aa74
Merge pull request #121870 from Pacman99/pass-specialargs
lib/modules: pass specialArgs to modules
2021-05-07 01:54:48 +02:00
Pacman99
87c659ab94 nixos/top-level: specialArgs to specialisations 2021-05-06 16:04:08 -07:00
Sander van der Burg
77295e7e6b nixos/disnix: configure the remote client by default, if multi-user mode has been enabled 2021-05-06 19:33:02 +02:00
Martin Weinelt
6a09bc4405
Merge pull request #121865 from mweinelt/home-assistant 2021-05-06 18:05:00 +02:00
Martin Weinelt
24adc01e2e
nixos/home-assistant: allow netlink sockets and /proc/net inspection
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.

It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.

This leaves us with these options unsecured:

✗ PrivateNetwork=                                             Service has access to the host's network                                                                 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                    0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                                       0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                         0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                                       0.2
✗ PrivateUsers=                                               Service has access to other users                                                                        0.2
✗ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed)      0.2
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                                     0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                            0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                                                   0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                       0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                       0.1

→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
2021-05-06 16:55:53 +02:00
Jörg Thalheim
4e783a4cb7
Merge pull request #121724 from Izorkin/update-netdata
netdata: 1.29.3 -> 1.30.1
2021-05-06 14:58:33 +01:00
Maximilian Bosch
a50b9e6c23
Merge pull request #113716 from Ma27/wpa_multiple
wpa_supplicant: allow both imperative and declarative networks
2021-05-06 11:01:35 +02:00
Simon Thoby
1bdda029cd nixos/services/torrent/transmission.nix: add a missing apparmor rule
libbrotli wasn't listed as a dependency for the AppArmor profile of the transmission-daemon binary.
As a result, transmission wouldn't run and would fail, logging this audit message to dmesg:
audit[11595]: AVC apparmor=DENIED operation=open profile=/nix/store/08i1rmakmnpwyxpvp0sfc5hcm106am7w-transmission-3.00/bin/transmission-daemon name=/proc/11595/environ pid=11595 comm=transmission-da requested_mask=r denied_mask=r fsuid=70 ouid=70
2021-05-05 22:47:52 +02:00
Jan Tojnar
878abc6488
nixos/gnome3: Install GNOME Tour
It will be run after startup.
2021-05-05 22:43:02 +02:00
Jan Tojnar
316928e8c1
nixos/gnome3: Enable power-profiles-daemon
GNOME 40 added support for it in Control Center.
2021-05-05 22:43:01 +02:00
Jan Tojnar
49ae2e4c26
gnome3.gnome-getting-started-docs: drop
It has been retired

https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/353
2021-05-05 22:43:01 +02:00
Jan Tojnar
913123f3b1
rl-2105: Mention GNOME 40 2021-05-05 22:42:58 +02:00
Jan Tojnar
d2e141e412
gnome3.gdm: 3.38.2.1 → 40.0 2021-05-05 22:42:32 +02:00
Jan Tojnar
941b15b003
librsvg: register installed tests 2021-05-05 22:20:22 +02:00
Izorkin
53651179b9
nixos/netdata: update capabilities 2021-05-05 20:46:07 +03:00
Michael Weiss
ff5fdec093
Merge pull request #121437 from primeos/nixos-tests-sway
nixos/tests/sway: init
2021-05-05 13:52:51 +02:00
Robert Hensing
ce93c98ce2
Merge pull request #99132 from Infinisil/recursive-type-deprecation
Recursive type deprecation
2021-05-05 11:13:37 +02:00
Ben Siraphob
a913f3ff49 nixos/tests/wmderland: remove stdenv.lib 2021-05-05 01:43:05 -04:00
Silvan Mosberger
0a377f11a5 nixos/treewide: Remove usages of deprecated types.string 2021-05-05 03:31:41 +02:00
Samuel Dionne-Riel
1cb977c858 sd-image: Rely on profiles/all-hardware.nix
This ensures that SD images and UEFI installers don't drift in
compatibility with regards to early initrd.
2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
cb9b46a3cd profiles/all-hardware.nix: Add vc4 for broadcom hardware
Namely, early KMS on raspberry pi
2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
f5b7687d26 profiles/all-hardware.nix: Share some config for all ARM 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
14ac6de024 profiles/all-hardware.nix: Fix for arvmv7l-linux 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
82625705c6 profiles/all-hardware.nix: Add analogix-dp
While it's being brought in implicitly by the other analogix driver,
let's be explicit, in case things change.
2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
9fa3e2c2a3 profiles/all-hardware.nix: Add regulator needed for rockchip
But not exclusive to rockchip
2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
535d463cf9 profiles/all-hardware.nix: Add rockchip modules 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
70205bd13c profiles/all-hardware.nix: Add support for Raspberry Pi 4 USB 2021-05-04 19:42:13 -04:00
Samuel Dionne-Riel
a846d19831 profiles/all-hardware.nix: Add power regulator modules
This is used on some allwinner platforms, and is a weak dependency for
USB to work.
2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel
a8af02fe6d profiles/all-hardware.nix: Add modules for integrated displays
Namely, this is used by the pinebook's display
2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel
5bc36c1b30 profiles/all-hardware.nix: Add support for Allwinner hardware 2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel
c60de92917 profiles/all-hardware.nix: Add simplefb for AArch64 2021-05-04 19:42:12 -04:00
Samuel Dionne-Riel
385dc32fa8
Merge pull request #119974 from samueldr/feature/grub-gfx-aarch64
iso-image: Fix GRUB graphical menu on AArch64
2021-05-04 19:36:40 -04:00
Izorkin
9aad915539
nixos/netadata: add required packages 2021-05-04 21:02:23 +03:00
talyz
8f83860a0a keycloak.tests: Make sure databaseUsername is either ignored...
...or used correctly.
2021-05-04 19:27:08 +02:00
talyz
deb58f6486 nixos/keycloak: Document how to use a custom local database 2021-05-04 19:27:08 +02:00
talyz
fdf6bb5b95 Revert "nixos/keycloak: use db username in db init scripts"
This reverts commit d9e18f4e7f.

This change is broken, since it doesn't configure the proper database
username in keycloak when provisioning a local database with a custom
username. Its intended behavior is also potentially confusing and
dangerous, so rather than fixing it, let's revert to the old one.
2021-05-04 19:27:08 +02:00
Michael Weiss
957b7a476e
nixos/tests/sway: init
This adds a basic test for Sway. Because Sway is an important part of
the Wayland ecosystem, is stable, and has few dependencies this test
should also be suitable for testing core packages it depends on (e.g.
wayland, wayland-protocols, wlroots, xwayland, mesa, libglvnd, libdrm,
and soon libseat).

The test is modeled after the suggested way of using Sway, i.e. logging
in via a virtual console (tty1) and copying the configuration from
/etc/sway/config (we replace Mod4 (the GNU/Tux key - you've replaced
that evil logo, right? :D) with Mod1 (Alt key) because QEMU monitor's
sendkey command doesn't support the former).

The shell aliases are used to make the sendkey log output shorter.

Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
2021-05-04 16:52:36 +02:00
Robert Hensing
519a435b08 nixos/hercules-ci-agent: Set default labels 2021-05-04 16:29:05 +02:00
Robert Hensing
4abd56732e nixos/hercules-ci-agent: Set default concurrency to auto 2021-05-04 16:28:31 +02:00
Michael Weiss
3c1a76611e
nixos/test-driver: Allow interactive testing on Wayland-only setups
On my system I have XWayland disabled and therefore only WAYLAND_DISPLAY
is set. This ensures that the graphical output will still be enabled on
such setups (both Wayland and X11 are supported by the viewer).
2021-05-04 16:23:02 +02:00
Michele Guerini Rocco
93c5837be5
Merge pull request #121512 from rnhmjoj/searx
searx: set settings.yml permissions using umask
2021-05-04 11:43:12 +02:00
markuskowa
741ed21bea
Merge pull request #121336 from markuskowa/upd-slurm
nixos/slurm: 20.11.5.1 -> 20.11.6.1, improve security
2021-05-04 11:00:35 +02:00