Commit Graph

12546 Commits

Author SHA1 Message Date
Léo Gaspard
07fdcb348f
Merge pull request #59056 from aanderse/mod_php-sendmail
nixos/httpd: replace ssmtp with system-sendmail
2019-04-06 20:57:58 +02:00
aszlig
6fe989eaed
nixos/tests/acme: Use exact match in TOS location
Since the switch to check the nginx config with gixy in
59fac1a6d7, the ACME test doesn't build
anymore, because gixy reports the following false-positive (reindented):

  >> Problem: [alias_traversal] Path traversal via misconfigured alias.
  Severity: MEDIUM
  Description: Using alias in a prefixed location that doesn't ends with
               directory separator could lead to path traversal
               vulnerability.
  Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
  Pseudo config:

  server {
    server_name letsencrypt.org;

    location /documents/2017.11.15-LE-SA-v1.2.pdf {
      alias /nix/store/y4h5ryvnvxkajkmqxyxsk7qpv7bl3vq7-2017.11.15-LE-SA-v1.2.pdf;
    }
  }

The reason this is a false-positive is because the destination is not a
directory, so something like "/foo.pdf../other.txt" won't work here,
because the resulting path would be ".../destfile.pdf../other.txt".

Nevertheless it's a good idea to use the exact match operator (=), to
not only shut up gixy but also gain a bit of performance in lookup (not
that it would matter in our test).

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-06 12:51:56 +02:00
Aaron Andersen
9c9a6f380e nixos/httpd: replace ssmtp with system-sendmail 2019-04-06 06:34:46 -04:00
Pierre Bourdon
f8eec8dc34 environment.noXlibs: disable gnome3 support for pinentry (#59051) 2019-04-06 10:06:55 +00:00
Silvan Mosberger
82b8ff405b
Merge pull request #58778 from aanderse/davmail
nixos/davmail: set logging default to warn, instead of debug
2019-04-06 06:23:48 +02:00
Silvan Mosberger
cddafbcc60
Merge pull request #57782 from bkchr/gnupg_program
programs.gnupg: Support setting the gnupg program
2019-04-05 15:43:18 +02:00
Bastian Köcher
c0deb007fc programs.gnupg: Support setting the gnupg package 2019-04-05 08:49:53 +02:00
Jörg Thalheim
4aeafc6b63
tests/pdns-recursor: use waitForOpenPort as port check
This should be safer w.r.t. race conditions.
2019-04-05 02:30:28 +01:00
Jörg Thalheim
e49a143ac7
Merge pull request #58982 from Mic92/pdns
pdns-recursor: 4.1.11 -> 4.1.12
2019-04-05 02:23:48 +01:00
Jörg Thalheim
6dd7483ce1
Merge pull request #57979 from 4z3/writeNginxConfig
nixos/nginx: use nginxfmt and gixy
2019-04-04 20:23:58 +01:00
Silvan Mosberger
fab50f0e91
Merge pull request #57716 from dasJ/redo-icingaweb2
nixos/icingaweb2: Replace most options with toINI
2019-04-04 21:20:01 +02:00
Jörg Thalheim
d8445c9925
tests/pdns-recursor: add 2019-04-04 19:42:49 +01:00
Peter Hoeg
61613a2512
Merge pull request #57337 from peterhoeg/m/logitech
nixos: better support for logitech devices and update relevant packages
2019-04-03 21:19:56 +08:00
Silvan Mosberger
c978593908
Merge pull request #58509 from symphorien/all-fw
nixos: make hardware.enableAllFirmware enable *all* firmware
2019-04-03 06:32:16 +02:00
Aaron Andersen
01cec5155f nixos/davmail: set logging default to warn, instead of debug 2019-04-02 09:52:32 -04:00
Franz Pletz
ff36d95878
nixos/quicktun: init 2019-04-02 12:16:48 +02:00
Franz Pletz
ab574424a0
Merge pull request #57789 from Ma27/wireguard-test
nixos/wireguard: add test
2019-04-02 08:11:52 +00:00
Léo Gaspard
e3b87b04b7 Revert "Merge pull request #57559 from Ekleog/iso-image-reproducibilization"
This reverts commit bb32e322a5, reversing
changes made to e0b4356c0d.
2019-04-01 18:17:42 +02:00
Silvan Mosberger
86956b98e6
Merge pull request #58639 from Infinisil/update/browserpass
browserpass: 2.0.22 -> 3.0.1
2019-04-01 17:31:41 +02:00
Simon Lackerbauer
88c31ae57c
nixos/openldap: add new options 2019-04-01 17:24:33 +02:00
Florian Klink
8313a5dcd3
Merge pull request #58588 from shazow/fix/vlc
vlc: Add chromecast support; libmicrodns: Init at 0.0.10
2019-04-01 17:16:42 +02:00
Tim Steinbach
03389563a2
linux: Fix kernel-testing test 2019-04-01 10:04:54 -04:00
Andrey Petrov
c37aa79639 vlc: add chromecastSupport option
Enables Chromecast support by default in VLC.

Fixes #58365.

Includes release note.
2019-04-01 09:44:56 -04:00
Tim Steinbach
5aef5c5931
kafka: Add test for 2.2
Also add back tests, don't seem broken anymore.

This is just fine:
nix-build ./nixos/release.nix -A tests.kafka.kafka_2_1.x86_64-linux -A tests.kafka.kafka_2_2.x86_64-linux
2019-04-01 08:39:25 -04:00
Tim Steinbach
3db50cc82f
linux: Add testing test 2019-04-01 08:31:36 -04:00
Silvan Mosberger
e98ee8d70c
nixos/browserpass: update for v3
See https://github.com/browserpass/browserpass-native/issues/31

Additionally browserpass was removed from systemPackages, because it
doesn't need to be installed, browsers will get the path to the binary
from the native messaging host JSON.
2019-04-01 01:24:54 +02:00
Will Dietz
c8a9c1c2b8 yubico-pam: add nixos integration 2019-03-31 12:04:35 -05:00
worldofpeace
ffd2e9b572 nixos/rename: drop system.nixos.{stateVersion, defaultChannel}
Comment said to remove these before 18.09 was released :(
2019-03-30 18:18:39 -04:00
Silvan Mosberger
81e2fb5303
Merge pull request #58458 from worldofpeace/colord/no-root
nixos/colord: don't run as root
2019-03-30 04:06:55 +01:00
worldofpeace
f22fbe1175 nixos/colord: don't run as root
Using systemd.packages because there's
a system colord service and colord-session user service
included.
2019-03-29 20:56:06 -04:00
Florian Klink
a6abf97e05
Merge pull request #58420 from Infinisil/remove-renames
Remove a bunch of old option renames
2019-03-30 00:48:25 +01:00
Peter Romfeld
364cbd088e minio: init at 4.0.13 2019-03-29 15:50:36 +01:00
Graham Christensen
bb32e322a5
Merge pull request #57559 from Ekleog/iso-image-reproducibilization
iso-image: make reproducible by not relying on mcopy's readdir
2019-03-29 08:02:56 -04:00
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Maximilian Bosch
673c8193cd
Merge pull request #58489 from aanderse/mailcatcher
nixos/mailcatcher: fix test to be compatible with mailcatcher 7.x series
2019-03-29 04:01:02 +01:00
Symphorien Gibol
15229e1a62 nixos: make hardware.enableAllFirmware enable *all* firmware 2019-03-28 23:59:57 +01:00
Silvan Mosberger
1660845954
Merge pull request #58196 from tomfitzhenry/iso-syslinux-serial-consistent
syslinux: change serial bit rate to 115200
2019-03-28 22:51:48 +01:00
Florian Klink
aa2878cfcf
Merge pull request #58284 from bgamari/gitlab-rails
nixos/gitlab: Package gitlab-rails
2019-03-28 21:12:15 +01:00
Silvan Mosberger
9d4a6cceb7
Merge pull request #57550 from florianjacob/typed-mysql-options
nixos/mysql: specify option types, add tests
2019-03-28 18:55:53 +01:00
Silvan Mosberger
be2f711342
Merge pull request #58487 from bgamari/gitlab-gitaly-procpc
gitaly: Run gitaly with procps in scope
2019-03-28 18:22:27 +01:00
Ben Gamari
af909b3238 nixos/gitlab: Package gitlab-rails
This utility (particularly `gitlab-rails console`) is packaged by GitLab
Omnibus and is used for diagnostics and maintenance operations.
2019-03-28 11:45:31 -04:00
lewo
dc3ed336df
Merge pull request #58345 from xtruder/pkgs/dockerTools/pullImage/finalImageName
dockerTools: add finalImageName parameter for pullImage
2019-03-28 16:25:01 +01:00
Aaron Andersen
417da42c02 nixos/mailcatcher: fix test to be compatible with mailcatcher 7.x series 2019-03-28 11:15:20 -04:00
Ben Gamari
b90f5f03c2 nixos/gitaly: Run gitaly with procps in scope
Gitaly uses `ps` to track the RSS of `gitlab-ruby` and kills it when it
detects excessive memory leakage. See
https://gitlab.com/gitlab-org/gitaly/issues/1562.
2019-03-28 10:48:51 -04:00
Florian Klink
6670b4c37d
Merge pull request #58419 from flokli/ldap-nslcd-startup
nixos/ldap: set proper User= and Group= for nslcd service
2019-03-28 14:30:14 +01:00
Florian Klink
8817bbefdb nixos/ldap: set proper User= and Group= for nslcd service
eb90d97009 broke nslcd, as /run/nslcd was
created/chowned as root user, while nslcd wants to do parts as nslcd
user.

This commit changes the nslcd to run with the proper uid/gid from the
start (through User= and Group=), so the RuntimeDirectory has proper
permissions, too.

In some cases, secrets are baked into nslcd's config file during startup
(so we don't want to provide it from the store).

This config file is normally hard-wired to /etc/nslcd.conf, but we don't
want to use PermissionsStartOnly anymore (#56265), and activation
scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf,
which now gets provisioned inside ExecStartPre=.

This change requires the files referenced to in
users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be
readable by the nslcd user (in the non-nslcd case, this was already the
case for users.ldap.bind.passwordFile)

fixes #57783
2019-03-28 13:08:47 +01:00
aszlig
ada3239253
nixos/release-notes: Add entry about confinement
First of all, the reason I added this to the "highlights" section is
that we want users to be aware of these options, because in the end we
really want to decrease the attack surface of NixOS services and this is
a step towards improving that situation.

The reason why I'm adding this to the changelog of the NixOS 19.03
release instead of 19.09 is that it makes backporting services that use
these options easier. Doing the backport of the confinement module after
the official release would mean that it's not part of the release
announcement and potentially could fall under the radar of most users.

These options and the whole module also do not change anything in
existing services or affect other modules, so they're purely optional.

Adding this "last minute" to the 19.03 release doesn't hurt and is
probably a good preparation for the next months where we hopefully
confine as much services as we can :-)

I also have asked @samueldr and @lheckemann, whether they're okay with
the inclusion in 19.03. While so far only @samueldr has accepted the
change, we can still move the changelog entry to the NixOS 19.09 release
notes in case @lheckemann rejects it.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 21:07:07 +01:00
aszlig
52299bccf5
nixos/confinement: Use PrivateMounts option
So far we had MountFlags = "private", but as @Infinisil has correctly
noticed, there is a dedicated PrivateMounts option, which does exactly
that and is better integrated than providing raw mount flags.

When checking for the reason why I used MountFlags instead of
PrivateMounts, I found that at the time I wrote the initial version of
this module (Mar 12 06:15:58 2018 +0100) the PrivateMounts option didn't
exist yet and has been added to systemd in Jun 13 08:20:18 2018 +0200.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 20:34:32 +01:00
aszlig
861a1cec60
nixos/confinement: Remove handling for StartOnly
Noted by @Infinisil on IRC:

   infinisil: Question regarding the confinement PR
   infinisil: On line 136 you do different things depending on
              RootDirectoryStartOnly
   infinisil: But on line 157 you have an assertion that disallows that
              option being true
   infinisil: Is there a reason behind this or am I missing something

I originally left this in so that once systemd supports that, we can
just flip a switch and remove the assertion and thus support
RootDirectoryStartOnly for our confinement module.

However, this doesn't seem to be on the roadmap for systemd in the
foreseeable future, so I'll just remove this, especially because it's
very easy to add it again, once it is supported.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 20:22:37 +01:00
Maximilian Bosch
3fc3096da8
Merge pull request #58432 from aanderse/mailcatcher
nixos/mailcatcher: init module for existing package
2019-03-27 16:11:15 +01:00