Commit Graph

3862 Commits

Author SHA1 Message Date
Kirill
64a7be7f3c Merge branch 'master' into aria2.service 2017-04-27 17:50:13 +03:00
Kirill
31c4498a47 Fix indentation. Fix openPorts option default to false. 2017-04-27 17:13:27 +03:00
Orivej Desh
8f634a78b9 clickhouse: init at 1.1.54190 2017-04-27 13:25:58 +00:00
Graham Christensen
bdd89faebb
Revert "openvpn service: source up/down scripts"
This reverts commit 50ad243f78.
2017-04-26 12:32:59 -04:00
Tristan Helmich
50ad243f78
openvpn service: source up/down scripts
source the up/down scripts instead of executing them to avoid loosing
access to special variables like $1
2017-04-25 13:18:54 -04:00
Edward Tjörnhammar
45470c65f5
nixos: static ids for jackett, radarr, sonarr 2017-04-25 12:08:21 +02:00
Franz Pletz
e74ea4282a
avahi service: add reflector option 2017-04-24 21:06:42 +02:00
Edward Tjörnhammar
0277345265
nixos, i2pd: remove, no longer needed, extip hack 2017-04-24 20:49:13 +02:00
Kirill
7a6738fefc Implement aria2 service for controlling a daemon via rpc. 2017-04-24 18:50:40 +03:00
aszlig
79e712822f
nixos/xserver: Document xrandrHeads.apply
It was asked by @CMCDragonkai to elaborate on that, so let's just do
this by actually providing a code comment.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-04-24 12:02:10 +02:00
aszlig
8266c89b55
nixos/xserver: Fix up/refactor xrandrHeads option
Using invalid module options in the submodule isn't very nice, because
it doesn't give very useful errors in case of type mismatch, also we
don't get descriptions of these options as they're effecively
nonexistent to the module system. Another downside of this is that
merging of these options isn't done correctly as well (eg. for
types.lines).

So we now have proper submodules for each xrandrHead and we also use
corcedTo in the type of xrandrHeads so that we can populate the
submodule's "output" option in case a plain string is defined for a list
item.

Instead of silently skipping multiple primary heads, we now have an
assertion, which displays a message and aborts configuration evaluation
appropriately.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-04-24 11:22:55 +02:00
Tad Fisher
bf427b9bae ups: fix config generation 2017-04-23 21:35:48 -07:00
aszlig
83e1400e0c
nixos/slim: Implement logging to journal
The main change here is a patch of SLiM to tread a log file of
/dev/stderr specially in that it now uses std::cerr instead of a file
for logging.

This allows us to set the logfile to stderr in NixOS for the generated
SLiM configuration file and we now get logging to the systemd journal.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-04-23 19:25:23 +02:00
Rodney Lorrimar
ced172010a gogs service: add option for enabling "secure" cookies 2017-04-23 16:27:43 +01:00
William Casarin
35eeb08dc6 plex: fix startup issue
Fixes an issue with plex on startup

Fixes #24090
2017-04-23 08:26:18 -07:00
Rodney Lorrimar
0e90a05a52 gogs service: generate the secret key only once, then reuse 2017-04-23 15:05:44 +01:00
Jörg Thalheim
44c3726dca
fcron: install systab
fixes #25072
2017-04-23 11:44:04 +02:00
Michael Weiss
e1244f6e8a Revert "display-manager: fix argument handling of sddm"
This reverts commit 6b7c5ba535.

Unfortunately it seems like this broke slim, lightdm and gdm (see #25068
and #23264). This is already reverted in the 17.03 branch (99dfb6d).

TODO: We need tests for slim and lightdm and fix the test for gdm
(failing since 2016-10-26) to prevent such breakage in the future.
2017-04-23 03:19:07 +02:00
Rodney Lorrimar
cfa1faa37c gogs service: chmod 440 config file
Directory which contains the config file /var/lib/gogs already
has mode 700 but users are liable to change these things.
2017-04-22 17:51:04 +01:00
Rodney Lorrimar
79d52bc26c gogs service: don't copy database password to nix store
Relevant to #24288
2017-04-22 17:07:21 +01:00
Rodney Lorrimar
0c9512d263 gogs service: fix encoding of secret key
I was getting a secret key like this:

  [security]
  SECRET_KEY = 7X

Use coreutils base64 instead to get the full 256 bits of randomness.
2017-04-22 17:07:20 +01:00
Benno Fünfstück
855155083a Merge pull request #24755 from LumiGuide/bepasty-secretKeyFile
bepasty: add secretKeyFile option
2017-04-22 00:07:04 +02:00
Fernando J Pando
4ac06ea6a1 buildbot: 0.9.4 -> 0.9.5
- adds distro dependency
- buildbot nodaemon in service module
- fakerepo for module tests
- service module parameter fixup
- tested on nixos
- tested on darwin
2017-04-21 10:32:36 -04:00
Roger Qiu
bb6a5b079f nixos/xserver: Changed xrandrHeads to support corresponding monitor section configuration in Xorg 2017-04-21 22:01:29 +10:00
Philipp Hausmann
59ca1f6486 cloud-init: Disable broken hostname functionality by default 2017-04-20 19:12:27 +02:00
Marius Bergmann
6572f5e81b keepalived service: init (#22755) 2017-04-20 12:50:59 +01:00
Benno Fünfstück
149656581d Merge pull request #24601 from pbogdan/unclutter
unclutter: Fix default value of $DISPLAY
2017-04-19 18:40:43 +02:00
Jörg Thalheim
8174b447a2 znapsend: do not spawn a shell in the service 2017-04-19 13:56:51 +02:00
Robin Stumm
725b84be18 znapzend service: fix reload 2017-04-19 01:05:55 +02:00
Jörg Thalheim
6b7c5ba535
display-manager: fix argument handling of sddm
previously session type was not correctly set.

fixes #23264
2017-04-18 01:41:17 +02:00
John Ericson
37e5e71fdf Merge pull request #24974 from Ericson2314/mapNullable
Introduce `mapNullable` into lib and use it in a few places
2017-04-17 17:12:14 -04:00
John Ericson
85aa5005af Introduce mapNullable into lib and use it in a few places
Also simply some configure flag logic my grep also alerted me too.
2017-04-17 17:04:04 -04:00
Christian Kögler
d2e46b9f70 dhcpcd service: clear exit code of exitHook (#24909)
* dhcpcd: clear exit code of exitHook

* dhcpcd: restart ntp server in oneshot in exit-hook
2017-04-16 20:10:44 +02:00
Jörg Thalheim
16f5bc07f8 Merge pull request #24948 from peterhoeg/m/bluetooth
bluetooth: use upstream's recommendation for enabling interfaces
2017-04-16 18:09:51 +02:00
Joachim F
2db0cf0897 Merge pull request #24900 from pjones/pjones/plex-service
plex: Don't overwrite primary database on restart
2017-04-16 13:09:26 +01:00
Peter Hoeg
99d4ed5861 bluetooth: use upstream's recommendation for enabling interfaces
bluez no longer recommends spawning "hciconfig <device> up" from a udev rule as
the main bluez daemon now supports automatically enabling power for all devices.

Reference: http://www.bluez.org/release-of-bluez-5-35/
2017-04-16 16:57:11 +08:00
edef
27e750e29b etcd module: fix extraConf manual link 2017-04-16 00:26:23 +02:00
Jaka Hudoklin
a98c26cdc4 Merge pull request #24921 from peterhoeg/f/k8s
kubernetes: fix interpolation error and move services to own target
2017-04-15 10:43:25 +02:00
Peter Jones
5a50b26662
plex: Don't overwrite primary database on restart
This change fixes two major issues:

  1. If you don't use SIGQUIT to stop Plex it will corrupt its own
     database :(

  2. Newer versions of Plex keep metadata in the
     `com.plexapp.plugins.library.db` database.  This is the file that
     we copy into `/var/lib/plex/.skeleton`.  If we copy the empty
     database on top of this one the user will lose their entire
     library metadata.  This change skips the copy if the file
     already exists.
2017-04-14 11:19:29 -07:00
Vladimír Čunát
2090aa4f65
Merge: fixup a bad merge
For details see:
https://github.com/NixOS/nixpkgs/commit/24444513fb5#commitcomment-21767916
2017-04-14 19:11:17 +02:00
Thomas Tuegel
48b5b77bb7 Merge pull request #24813 from benley/nm-openvpn
nixos: Add nm-openvpn to the networkmanager group
2017-04-14 05:44:01 -05:00
Vladimír Čunát
5b3f807597
Merge #24179: openssh: 7.4p1 -> 7.5p1 2017-04-14 12:16:26 +02:00
Vladimír Čunát
da20d0e488
murmur service: fix typos from #24830 2017-04-14 11:05:42 +02:00
Vladimír Čunát
24444513fb
Merge branch 'staging' 2017-04-14 10:32:13 +02:00
Daniel Peebles
09a9a472ee Merge pull request #24830 from mayflower/refactor/boolToString
treewide: use boolToString function
2017-04-13 09:45:31 -04:00
Peter Hoeg
a3ee3b51d7 k8s: use slice and target for kubernetes 2017-04-13 19:32:10 +08:00
Peter Hoeg
bf4be8f1dd k8s: convert int to string to avoid interpolation error 2017-04-13 19:31:43 +08:00
Jörg Thalheim
5ca7e8a69a
fcron: do not chmod at all
fcron does handle permissions on its own correctly
2017-04-13 12:28:19 +02:00
Tristan Helmich
13e9cc15f1 smokeping service: restart on-failure 2017-04-12 15:23:19 +02:00
Bjørn Forsman
d916ce2ef4 nixos/lighttpd: set $HOME for gitweb sub-service
This allows gitweb to expand '~' in /etc/gitconfig. Without a $HOME
variable, it fails to list any projects and instead show the text
"No such projects found" in the UI.

Setting $HOME to the gitweb project root seems like a sensible value.
2017-04-11 22:54:31 +02:00
Franz Pletz
3ab45f4b36
treewide: use boolToString function 2017-04-11 18:18:53 +02:00
Benjamin Staffin
47a5f9acee
nixos: Add nm-openvpn to the networkmanager group
This is to satisfy the polkit restriction limiting
org.freedesktop.NetworkManager.* dbus messages to members of that
group.

Should help with #24806
2017-04-10 22:41:55 -04:00
Aneesh Agrawal
8f4d778509 radicale: Add aneeshusa as maintainer 2017-04-10 20:04:17 -04:00
Aneesh Agrawal
769b991be6 openssh: 7.4p1 -> 7.5p1
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.

Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
2017-04-10 19:39:22 -04:00
Nikolay Amiantov
c8c340b05a tlp service: mask systemd-rfkill
Fixes #24737.
2017-04-11 02:09:29 +03:00
Franz Pletz
f1f9020224
crowd service: fix secure sso cookies
Crowd didn't detect a secure connection before.
2017-04-10 15:39:37 +02:00
Franz Pletz
4f0dd2f746
prometheus service: add scrapeConfigs.params option 2017-04-10 14:31:27 +02:00
pngwjpgh
773c456ef4 networkmanager: fix dispatcher scripts (#24507)
networkmanager used `source` to mean `text` and wrote dispatcher scripts with the default mode (0666), which means networkmanager wouldn't call them.
2017-04-09 13:14:04 +01:00
Bas van Dijk
01a8de97eb avahi-daemon: refactored using some abstraction 2017-04-09 11:18:53 +02:00
Bas van Dijk
ecf03368f8 bepasty: add secretKeyFile option
This gives users the option to store secrets outside the
world-readable Nix store.
2017-04-08 19:32:19 +02:00
Michael Raskin
861726579b Merge pull request #24008 from phile314/slimserver
slimserver: Init at 7.9.0 (pkg + module)
2017-04-08 17:43:41 +02:00
Bas van Dijk
2030a91f58 cadviser: add storageDriverPasswordFile option
This gives users the option of storing the storageDriverPassword outside the
world-readable Nix store.
2017-04-08 14:15:18 +02:00
Aristid Breitkreuz
4ca22140d9 Merge pull request #24669 from gnidorah/master2
autorandr: 53d29f9 -> 855c18b and module
2017-04-08 12:17:57 +02:00
Sorin Iclanzan
b41dd2fae0 nixos/compton: fixup option descriptions (#24724)
* Fix `fadeExclude` description.
* Fix typo in `shadowExclude`.
2017-04-08 05:04:55 +01:00
Peter Simons
67d735e8df Merge pull request #23409 from florianjacob/avahi-point-to-point-interfaces
avahi-daemon service: Add option to enable point-to-point interfaces.
2017-04-07 12:35:05 +02:00
Jaka Hudoklin
43880af56f Merge pull request #23135 from ljli/earlyoom-service-init
earlyoom service: init
2017-04-06 23:31:28 +02:00
Alexey Shmalko
b8e71f2969 Merge pull request #24651 from edanaher/add-fvwm-window-manager
fvwm module: init; now fvwm can be used as an xserver.windowManager
2017-04-06 16:29:28 +03:00
gnidorah
ca733de964 autorandr: 53d29f9 -> 855c18b and module 2017-04-06 13:28:40 +03:00
Evan Danaher
7a38b0858f fvwm module: init; now fvwm can be used as an xserver.windowManager 2017-04-05 11:12:46 -04:00
Profpatsch
a1e6176cbf modules/searx: fix configFile type 2017-04-04 20:40:31 +02:00
Piotr Bogdan
c91c3209f3 unclutter: Fix default value of $DISPLAY 2017-04-03 18:41:11 +01:00
Eelco Dolstra
80b40fdf03
sshd.nix: Alternative fix for #19589
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
2017-03-31 16:18:58 +02:00
Eelco Dolstra
4e79b0b075
Revert "sshd: separate key generation into another service"
This reverts commit 1a74eedd07. It
breaks NixOps, which expects that

  rm -f /etc/ssh/ssh_host_ed25519_key*
  systemctl restart sshd
  cat /etc/ssh/ssh_host_ed25519_key.pub

works.
2017-03-31 16:18:58 +02:00
sternenseemann
fd3a99633b 2bwm: init at 0.2 2017-03-30 19:21:27 +02:00
Robin Gloster
a79891f6b2
sitecopy: remove 2017-03-30 12:06:09 +02:00
Tim Steinbach
eb70ae34b1 Merge pull request #24254 from bachp/gitlab-runner-9
Upgrade Gitlab Runner
2017-03-28 18:21:35 -04:00
Pascal Bach
8373124202 gitlab-runner: make v1 runner available
gitlab-runner 9.0.0 is only compatible with gitlab >= 9.0
gitlab-runner1 1.11.1 is only compatible with gitlab < 9.4
2017-03-28 21:02:43 +02:00
Bas van Dijk
6f2eca1744 wordpress: replace the dbPassword option with dbPasswordFile (#24146)
We shouldn't force users to store passwords in the world-readable Nix store.
2017-03-28 17:38:16 +02:00
Robin Gloster
d1228f95e9
Revert "Revert "gdm module: only make xserver args overrideable""
This reverts commit 4e57e7f7c6.

This actually broke gnome3 and didn't fix anything, I failed bisecting.
2017-03-27 17:20:56 +02:00
Rodney Lorrimar
db14ea3926 longview service: don't write passwords to nix store
Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as
alternatives to apiKey and mysqlPassword, which still work, but are
deprecated with a warning message.

Related to #24288.
2017-03-26 23:06:42 +01:00
Daniel Ehlers
20a5b5bead sshguard: new package 2017-03-26 14:46:22 +02:00
Edward Tjörnhammar
b35d22b30c
radarr: init at 0.2.0.553 + nixos module 2017-03-25 21:19:55 +01:00
Edward Tjörnhammar
2db5c5cfe2
jackett: init at 0.7.1197 + nixos module 2017-03-25 21:19:44 +01:00
Edward Tjörnhammar
958668ab80
nixos, openafs-client: correct serviceConfig 2017-03-25 21:19:34 +01:00
Richard Zetterberg
dc10688edb nftables: adds information regarding nftables and Docker (#24326) 2017-03-25 16:34:02 +01:00
Nikolay Amiantov
417844b596 phpfpm service: don't use private /tmp
This breaks local PostgreSQL connections.
2017-03-25 14:52:44 +01:00
Leon Isenberg
db30cff500 earlyoom service: init 2017-03-24 23:16:16 +01:00
Vladimír Čunát
455ce3528c
Merge branch 'staging' 2017-03-24 21:07:55 +01:00
Joachim Fasting
f815a7697e
dnscrypt-proxy service: systemd notification under apparmor 2017-03-24 14:37:44 +01:00
Robin Gloster
4e57e7f7c6
Revert "gdm module: only make xserver args overrideable"
This reverts commit a5aa926902.

This allows gdm to run again, the test is still failing.
2017-03-24 10:35:20 +01:00
Linus Heckemann
79872b9e39 Document possibility of multiple keyboard layouts
In services.xserver.layout
2017-03-23 21:15:14 +00:00
Linus Heckemann
c5c0459a60 xserver: check that selected layout exists
Fixes #5638
2017-03-23 21:02:38 +00:00
Robin Gloster
c2b9b8031f Merge pull request #24026 from benley/use-xkbDir
nixos: Use xkbDir consistently so it has an effect
2017-03-23 18:02:26 +01:00
Vladimír Čunát
c1a9dc3d37
Merge branch 'master' into staging 2017-03-23 13:31:28 +01:00
Jörg Thalheim
b2ba188656 Merge pull request #24182 from ndowens/munin
munin: 2.0.30 -> 2.0.33; for CVE-2017-6188
2017-03-22 19:21:02 +01:00
Piotr Bogdan
a4b4cd0710 lightdm-greeters service: add extraConfig option (#24135) 2017-03-22 15:33:22 +01:00
Thomas Tuegel
a96e047b31
nixos/sddm: replace themes option with package option 2017-03-22 07:44:55 -05:00
Thomas Tuegel
7ca62935bb
nixos/plasma5: do not include extra-cmake-modules in sddm
Fixes #24126.
2017-03-22 07:44:55 -05:00
Joachim Fasting
95eaa3aec3
nixos/tor: add missing option type 2017-03-22 02:27:23 +01:00
Jörg Thalheim
b4169bb8dd
munin: fix tests by replacing cron with systemd timer 2017-03-22 00:16:36 +01:00
Eelco Dolstra
78bb734452
nix-daemon.nix: Make the 1.12 check less strict 2017-03-21 18:48:35 +01:00
Nikolay Amiantov
6555ec03c3 udev module: filter duplicate udev paths
Fixes #24174
2017-03-21 20:22:27 +03:00
Nikolay Amiantov
d3e2957c90 octoprint: 1.3.1 -> 1.3.2
Fix startup wizard and cleanup dependencies.
2017-03-21 20:22:27 +03:00
Domen Kožar
02129a8788 Merge pull request #23672 from edanaher/nginx-alias
Nginx alias directive
2017-03-21 15:04:02 +01:00
Franz Pletz
4bd12fa7b2
gitlab module: explicitely create pages shared path
Fixes creation of backups.
2017-03-21 13:16:51 +01:00
Frederik Rietdijk
94eb74eaad Merge remote-tracking branch 'upstream/master' into HEAD 2017-03-21 13:04:37 +01:00
Franz Pletz
fb50cde71e
nixos/treewide: systemd.time is in manvolume 7
cc #23396
2017-03-21 08:28:53 +01:00
Robin Gloster
c808801937
nix-daemon: fix autoOptimiseStore option 2017-03-21 02:17:09 +01:00
Franz Pletz
295a824abc Merge pull request #21866 from pjones/pjones/rmilter
rmilter: Fix a couple of bugs
2017-03-20 20:50:56 +01:00
Franz Pletz
c13922f012
nginx: explicitly use stable version
Also updates the documention of the NixOS option `services.nginx.package`
that upstream recommends using the mainline version instead.

Fixes #21665.
2017-03-20 20:04:09 +01:00
Eelco Dolstra
337f731c2b Merge pull request #24134 from pstn/nix-auto-optimise
Added option and description for nix store auto-optimisation.
2017-03-20 20:01:48 +01:00
Philipp Steinpass
68c6d90417 Added option and description for nix store auto-optimisation. 2017-03-20 19:09:19 +01:00
Franz Pletz
fff8cc79df Merge pull request #23279 from mbbx6spp/make-nginx-module-less-gross
nginx service: add commonHttpConfig option
2017-03-20 19:03:20 +01:00
Thomas Tuegel
1b0d9e9ae6 Merge pull request #23819 from ttuegel/freetype
FreeType 2.7.1 and Fontconfig defaults
2017-03-20 11:43:50 -05:00
Thomas Tuegel
d709cdd829
nixos/plasma5: do not set kimpanel as default IBus panel
kimpanel does not show installed IBus engines or allow switching input
methods. kimpanel does show configured keyboard layouts through kxkb, so I
believe there is some problem communicating with IBus. No error messages are
produced in the log and I have been unable to discover the cause. I have no
intention of continuing to work on kimpanel at this time, so it should be
disabled. The GTK+ 3-based panel provided by IBus is perfectly serviceable in
the interim.
2017-03-20 09:31:05 -05:00
Thomas Tuegel
4837aba1ee Merge pull request #24101 from romildo/fix.lumina
lumina: fix kwindowsystem and oxygen-icons5 attributes
2017-03-20 09:00:25 -05:00
Kristoffer Søholm
f9e8ef7e6d nixos/bluetooth: add extraConfig option (#23427) 2017-03-20 14:28:02 +01:00
romildo
501d9c7186 lumina: fix kwindowsystem and oxygen-icons5 attributes 2017-03-19 21:46:35 -03:00
Will Dietz
cb73cb9e62 neo4j service: neo4j-wrapper is deprecated, merge into neo4j.conf 2017-03-19 16:56:53 -05:00
Will Dietz
515fc22263 neo4j service: fix package installed into env to match running service 2017-03-19 16:56:52 -05:00
Michael Walker
b29bc8d41c vsftpd: Expose the no_anon_password flag. 2017-03-19 01:53:29 +00:00
Benjamin Staffin
b79c284952
nixos: Use xkbDir consistently so it has an effect 2017-03-18 17:56:38 -04:00
Daiderd Jordan
a48df6fba6 Merge pull request #22508 from matthewbauer/remove-emacs24macport
emacs24macport: remove
2017-03-18 22:19:20 +01:00
Philipp Hausmann
c904e68e53 Remove static uid/gid 2017-03-18 13:54:39 +01:00
Vladimír Čunát
742b120ddc
Merge branch 'master' into staging
Nontrivial rebuilds from master, again :-/
2017-03-18 11:00:31 +01:00
Will Dietz
63f1a14ae5 neo4j service: increase file limit, per warning emitted at startup (#23961) 2017-03-18 01:03:09 +01:00
Joachim F
9a976c09ba Merge pull request #23963 from dtzWill/feature/irkerd
irker: init at 2017-02-12
2017-03-18 00:35:32 +01:00
Franz Pletz
9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
Franz Pletz
00239ce8e9
rmilter/rspamd service: tighten unix socket permissions 2017-03-17 23:01:24 +01:00
Franz Pletz
8ab2d2ee27
rmilter service: support only one socket 2017-03-17 23:00:34 +01:00
Peter Jones
4defb788eb
rmilter service: Fix a couple of bugs
* The module uses `stringSplit` but it should be `splitString`

  * `rmilter` doesn't actually support binding to multiple sockets.
    Therefore, bind to the last one specified if `socketActivation` is
    `false`.

I also believe there is a bug in this module related to systemd
`ListenStream`.  If `socketActivation` is true, Postfix gets
connection timeouts trying to connect to one of the `ListenStream`
inet addresses.  I don't know enough about `ListenStream` passing
connections on to `fd:3` to understand what's going on.

These changes are in production (with `socketActivation = false`) via NixOps.
2017-03-17 20:15:48 +01:00
Joachim F
01f8e2161c Merge pull request #23962 from oxij/nixos/tor-sec
nixos: tor: usability and security fixes
2017-03-17 16:14:41 +01:00
Pascal Bach
3728143cbc prometheus-unifi-exporter: init at 0.4.0 2017-03-17 15:41:22 +01:00
Will Dietz
2807d75dca irkerd service: init 2017-03-17 09:16:32 -05:00
Jan Malakhovski
a04782581a nixos: torify: disable by default, add some documentation as of why
This `tsocks` wrapper leaks DNS requests to clearnet, meanwhile Tor comes with
`torsocks` which doesn't.

Previous commits to this file state that all of this still useful somehow.
Assuming that it's true, at least let's not confuse users with two different tools
and don't clash with the `tsocks` binary from nixpkgs by disabling this by default.
2017-03-16 21:06:12 +00:00
Jan Malakhovski
6d25f77a64 nixos: tor: add enableGeoIP 2017-03-16 21:06:12 +00:00
Daiderd Jordan
00ed0f792e Merge pull request #22897 from timor/couchdb-2.0.0
couchdb: add support for version 2.0.0
2017-03-16 22:03:32 +01:00
Philipp Hausmann
ffa0a87774 Remove unused options 2017-03-16 20:51:06 +01:00
Philipp Hausmann
0bd6fdcfc4 Cosmetics 2017-03-16 20:50:10 +01:00
Philipp Hausmann
45d8d6ebeb Add slimserver nixos module 2017-03-16 20:43:09 +01:00
Profpatsch
6da60bb101 modules/mlmmj: fix a typo in listaddress folder 2017-03-16 18:47:11 +01:00
Graham Christensen
e4c0613470 Merge pull request #23674 from c0bw3b/sec/jboss7
JBoss AS: list known vulnerability
2017-03-15 17:33:27 -04:00
Vladimír Čunát
e99bc64552
Merge branch 'master' into staging
More larger rebuilds from master, unfortunately.
2017-03-15 19:09:56 +01:00
Pascal Bach
a8cca7037e prometheus-fritzbox-exporter: init at 1.0 2017-03-15 17:22:36 +01:00
Bart Brouns
bb3ef8a95c physlock: fix issue 21935 2017-03-15 11:47:02 +01:00
Benjamin Staffin
98e4c5dd45 Merge pull request #23861 from benley/nixos-manual-launcher
nixos: Add a menu launcher for the NixOS manual
2017-03-15 04:37:16 -04:00
Joachim Fasting
f122f0147b
nixos/dnscrypt-proxy: log resolver list verification failure
Otherwise, the service unit just fails for no discernable
reason.  Verifcation failure is bad so it ought to be easily
discoverable.
2017-03-15 01:13:08 +01:00
Joachim Fasting
de15e7894b
nixos/dnscrypt-proxy: get resolver list from github
The list has disappeared from its ordinary location at
download.dnscrypt.org.
2017-03-15 01:12:46 +01:00
Joachim Fasting
472002f216
nixos/dnscrypt-proxy: remove the resolverList option
This option was initially added to make it easier to use an
up-to-date list, but now that we always use an up-to-date list
from upstream, there's no point to the option.

From now on, you can either use a resolver listed by dnscrypt
upstream or a custom resolver.
2017-03-15 01:12:43 +01:00
Joachim Fasting
540740598e
nixos/dnscrypt-proxy: add example of how to use the cache plugin 2017-03-15 01:12:39 +01:00
Joachim Fasting
719813caf6
nixos/dnscrypt-proxy: replace unimportant options with extraArgs
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability.  Until
17.09 we'll automatically translate these options into extraArgs
for convenience.

Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
2017-03-15 01:12:37 +01:00
Joachim Fasting
9325c3a616
nixos/dnscrypt-proxy: simplify module logic related to apparmor 2017-03-15 01:12:35 +01:00
Joachim Fasting
83052ef9db
nixos/dnscrypt-proxy: support reload 2017-03-15 01:12:29 +01:00
Bas van Dijk
308c09d41f wordpress: security upgrade: 4.7.2 -> 4.7.3 & other improvements (#23837)
* Moved the wordpress sources derivation to the attribute pkgs.wordpress. This
  makes it easier to override.

* Also introduce the `package` option for the wordpress virtual host config which
  defaults to pkgs.wordpress.

* Also fixed the test in nixos/tests/wordpress.nix.
2017-03-14 16:11:51 +01:00
Benjamin Staffin
638e1b8243 nixos: Add a menu launcher for the NixOS manual 2017-03-14 06:04:43 -04:00
Tuomas Tynkkynen
aba0b45b86 Merge remote-tracking branch 'upstream/master' into staging
Conflicts:
      pkgs/development/libraries/qt-5/5.7/qtbase/default.nix
2017-03-14 00:49:22 +02:00
Renaud
72619a86c9 JBoss AS: list known vulnerability
CVE-2015-7501

Warning in JBoss module
2017-03-13 18:45:19 +01:00
Thomas Tuegel
65592837b6
freetype: 2.6.5 -> 2.7.1
The Infinality bytecode interpreter is removed in favor of the new v40 TrueType
interpreter. In the past, the Infinality interpreter provided support for
ClearType-style hinting instructions while the default interpreter (then v35)
provided support only for original TrueType-style instructions. The v40
interpreter corrects this deficiency, so the Infinality interpreter is no longer
necessary.

To understand why the Infinality interpreter is no longer necessary, we should
understand how ClearType differs from TrueType and how the v40 interpreter
works. The following is a summary of information available on the FreeType
website [1] mixed with my own editorializing.

TrueType instructions use horizontal and vertical hints to improve glyph
rendering. Before TrueType, fonts were only vertically hinted; horizontal hints
improved rendering by snapping stems to pixel boundaries. Horizontal hinting is
a risk because it can significantly distort glyph shapes and kerning. Extensive
testing at different resolutions is needed to perfect the TrueType
hints. Microsoft invested significant effort to do this with its "Core fonts for
the Web" project, but few other typefaces have seen this level of attention.

With the advent of subpixel rendering, the effective horizontal resolution of
most displays increased significantly. ClearType eschews horizontal hinting in
favor of horizontal supersampling. Most fonts are designed for the Microsoft
bytecode interpreter, which implements a compatibility mode with
TrueType-style (horizontal and vertical) instructions. However, applying the
full horizontal hints to subpixel-rendered fonts leads to color fringes and
inconsistent stem widths. The Infinality interpreter implements several
techniques to mitigate these problems, going so far as to embed font- and
glyph-specific hacks in the interpreter. On the other hand, the v40 interpreter
ignores the horizontal hinting instructions so that glyphs render as they are
intended to on the Microsoft interpreter. Without the horizontal hints, the
problems of glyph and kerning distortion, color fringes, and inconsistent stem
widths--the problems the Infinality interpreter was created to solve--simply
don't occur in the first place.

There are also security concerns which motivate removing the Infinality patches.
Although there is an updated version of the Infinality interpreter for FreeType
2.7, the lack of a consistent upstream maintainer is a security concern. The
interpreter is a Turing-complete virtual machine which has had security
vulnerabilities in the past. While the default interpreter is used in billions
of devices and is maintained by an active developer, the Infinality interpreter
is neither scrutinized nor maintained. We will probably never know if there are
defects in the Infinality interpreter, and if they were discovered they would
likely never be fixed. I do not think that is an acceptable situtation for a
core library like FreeType.

Dropping the Infinality patches means that font rendering will be less
customizable. I think this is an acceptable trade-off. The Infinality
interpreter made many compromises to mitigate the problems with horizontal
hinting; the main purpose of customization is to tailor these compromises to the
user's preferences. The new interpreter does not have to make these compromises
because it renders fonts as their designers intended, so this level of
customization is not necessary.

The Infinality-associated patches are also removed from cairo. These patches
only set the default rendering options in case they aren't set though
Fontconfig. On NixOS, the rendering options are always set in Fontconfig, so
these patches never actually did anything for us!

The Fontconfig test suite is patched to account for a quirk in the way PCF fonts
are named.

The fontconfig option `hintstyle` is no longer configurable in NixOS. This
option selects the TrueType interpreter; the v40 interpreter is `hintslight` and
the older v35 interpreter is `hintmedium` or `hintfull` (which have actually
always been the same thing). The setting may still be changed through the
`localConf` option or by creating a user Fontconfig file.

Users with HiDPI displays should probably disable hinting and antialiasing: at
best they have no visible effect.

The fontconfig-ultimate settings are still available in NixOS, but they are no
longer the default. They still work, but their main purpose is to set rendering
quirks which are no longer necessary and may actually be
detrimental (e.g. setting `hintfull` for some fonts). Also, the vast array of
font substitutions provided is not an appropriate default; the default setting
should be to give the user the font they asked for.

[1]. https://www.freetype.org/freetype2/docs/subpixel-hinting.html
2017-03-12 17:31:33 -05:00
Vladimír Čunát
50fadc8b18
cups: split the $lib output
This saves > 10 MB from most closures.
Printing test succeeds on x86_64-linux.
2017-03-12 18:36:30 +01:00
Rodney Lorrimar
f488b1811b
pumpio service: don't keep secrets in nix store
Added extra config options to allow reading passwords from file rather
than the world-readable nix store.

The full config.json file is created at service startup.

Relevant to #18881
2017-03-12 16:01:02 +01:00
Rodney Lorrimar
f1a1490135
pumpio service: adjust upload directory config for 3.0.0
These changes are backwards compatible.
2017-03-12 16:00:57 +01:00
Franz Pletz
323d0fdd5a
phpfpm module: set correct nixos sendmail path 2017-03-11 09:39:12 +01:00
Joachim Fasting
bb6361b81a
nixos/dnscrypt-proxy: grant daemon access to load plugins 2017-03-10 18:54:54 +01:00
Joachim Fasting
5279ec111f
nixos/dnscrypt-proxy docs: reword section on forwarding
Newer versions of DNSCrypt proxy *can* cache lookups (via
plugin); make the wording more neutral wrt. why one might want
to run the proxy in a forwarding setup.
2017-03-10 18:54:52 +01:00
Joachim Fasting
c0a8a9205b
nixos/dnscrypt-proxy: inline option renamings
In an effort to make the module more self-contained.
2017-03-10 18:54:51 +01:00
Joachim Fasting
563c8e1496
nixos/dnscrypt-proxy: inline top-level binding (cleanup) 2017-03-10 18:54:50 +01:00
Joachim Fasting
c6da2c7c2b
nixos/dnscrypt-proxy: use example.com in example values
It is the canonical example domain after all.
2017-03-10 18:54:44 +01:00
Thomas Tuegel
64b88c3017 Merge branch 'master' into phonon-gstreamer 2017-03-10 07:30:14 -06:00
Thomas Tuegel
edd43351cf
nixos/plasma5: no need to set gstreamer plugin path 2017-03-10 07:26:40 -06:00
Dan Peebles
c390cec122 buildbot NixOS modules: switch to not daemonize
1) The forking behavior of `buildbot start` is temporarily broken for
   mysterious reasons that I'm still looking into
2) Let systemd do the forking: no point in using two different process
   startup wait loops
2017-03-10 00:11:57 -05:00
Thomas Tuegel
e3cb24d1e0 Merge pull request #23503 from ttuegel/fontconfig
Generalize Fontconfig options
2017-03-09 19:29:28 -06:00
Evan Danaher
a09246948c nginx: disallow alias directive on server level; it doesn't work. 2017-03-09 16:54:44 -05:00
Evan Danaher
e7358b192a nginx: Assert that either root or alias is null.
If both are set, nginx won't start.  More error checking is certainly in
order, but this seems like a reasonable start.
2017-03-09 13:02:49 -05:00
Evan Danaher
ff2e2e82cc nginx: Add alias configuration option for hosts and locations.
It's like root, but doesn't keep the prefix.
2017-03-09 13:02:29 -05:00
Dan Peebles
c3939cbcf5 buildbot modules: don't put BB users in nixbld group
The nixbld group belongs to nix-daemon and you really don't want to be
in it. If you are in it, nix-daemon will kill your processes when you
least expect it :)
2017-03-09 11:46:26 -05:00
Gregor Kleen
899fd868ea das_watchdog: fix service type 2017-03-09 16:14:17 +01:00
Joachim Fasting
06520c7fb7
nixos/dnscrypt-proxy: indicate update status
Make it easier for the user to tell when the list is updated
and, at their option, see what changed.
2017-03-08 19:07:53 +01:00
Joachim Fasting
5f27abec23
nixos/dnscrypt-proxy: more fs isolation for the updater
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available.  We
filter mount syscalls to prevent the process from undoing the fs
isolation.
2017-03-08 19:07:51 +01:00
Joachim Fasting
e72aaa73ea
nixos/dnscrypt-proxy: support updating before nss is up
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.

We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
2017-03-08 19:07:50 +01:00
Joachim Fasting
adf044e1fb
nixos/dnscrypt-proxy: refactoring
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...).  Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
2017-03-08 19:07:44 +01:00
Daniel Ehlers
0bd211d84f
ddclient: Make verbose logging deactivatable. 2017-03-07 22:03:22 +01:00
Franz Pletz
d7674dabba
phpfpm service: fix phpOptions
Broken due to #23216.
2017-03-07 15:08:55 +01:00
Joachim Fasting
15da23d5c1
nixos/modules: use defaultText/literalExample where applicable
Primarily to fix rendering of default values/examples but also
to avoid unnecessary work.
2017-03-07 14:06:08 +01:00
Joachim Fasting
540163e4a4
search module: add missing types 2017-03-07 14:06:02 +01:00
Tom
9a7bad2c17 networkmanager service: support changing the mac-address (#23464)
Set `networking.networkmanager.wifi.macAddress` or `networking.networkmanager.ethernet.macAddress`
to one of these values to change your macAddress.

* "XX:XX:XX:XX:XX:XX": set the MAC address of the interface.
* "permanent": use the permanent MAC address of the device.
* "preserve": don’t change the MAC address of the device upon activation.
* "random": generate a randomized value upon each connect.
* "stable": generate a stable, hashed MAC address.

See https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/ for more information
2017-03-07 03:50:37 +01:00
Graham Christensen
710973e354 Merge pull request #23492 from zarelit/xfce_lockscreen
xfce: add screenLock option
2017-03-06 19:42:47 -05:00
Fernando J Pando
9f062c2c0b buildbot: 0.9.3 -> 0.9.4
- adds jwt
- adds module tests
- master.cfg as path in module
- fix systemd worker config
- builds on darwin
- tested on nixos
2017-03-07 00:45:37 +01:00
Philipp Hausmann
a0f4a720c8 cloud-init module: Replace hard-coded config by option. 2017-03-06 17:36:24 +01:00
Joachim Fasting
f278793fdb
btsync module: remove redundant example
The default value already gives a good example of what values to
put here.
2017-03-06 15:59:23 +01:00
Wei Tang
99013f853a
jenkins-job-builder: allow setting access tokens for reloading 2017-03-06 07:57:01 -05:00
timor
f40b961378 couchdb: add support for version 2.0.0
Version 2.0.0 is installed as a separate package called "couchdb2".
When setting the config option "package" attribute to pkgs.couchdb2, a
corresponding service configuration will be generated.  If a previous
1.6 installation exists, the databases can still be found on the local
port (default: 5986) and can be replicated from there.

Note that single-node or cluster setup still needs to be configured
manually, as described in
http://docs.couchdb.org/en/2.0.0/install/index.html.
2017-03-06 11:42:02 +01:00
Jörg Thalheim
947815f59f
fcron: 3.1.2 -> 3.2.1
fixes #23320 #23413
2017-03-05 22:41:11 +01:00
Bjørn Forsman
316e7d6764 nixos/nix-daemon: doc: use literalExample
Makes the example more readable by not squashed everything onto one
single line.
2017-03-05 14:07:23 +01:00
Jaka Hudoklin
f5d81ed79b Merge pull request #20904 from offlinehacker/nixos/xserver/xpra
Add xpra display-manager
2017-03-05 01:32:23 +01:00
Thomas Tuegel
cc7c3c6bb8
nixos/plasma5: set GST_PLUGIN_SYSTEM_PATH_1_0 to list of paths 2017-03-04 16:31:22 -06:00
Thomas Tuegel
42cf524f2d
nixos/plasma5: set default fonts for Plasma desktop 2017-03-04 14:59:11 -06:00
David Costa
fc6c50f1b5 xfce: add screenLock option
screenLock option is needed to provide at least one application for
xflock4 to lock the screen
2017-03-04 18:01:02 +01:00
Léo Gaspard
0e2bd7e248 openldap module: fix paths for example includes 2017-03-04 13:30:29 +01:00
Eelco Dolstra
3971876585
nix-daemon: Remove a bunch of unnecessary environment variables 2017-03-03 16:50:37 +01:00
Eelco Dolstra
3070c88798
Fix incorrect $NIX_BUILD_HOOK on Nix 1.12 2017-03-03 16:50:26 +01:00