Commit Graph

7077 Commits

Author SHA1 Message Date
obadz
4b6f021251 Revert "lightdm: obbey services.xserver.{window/desktop}Manager.default"
This reverts commit 29caa185a7.

Not clear what the proper thing to do is. cf94cdb59b renders this
question mostly moot. Reverting before 17.03 branch to avoid a repeat
of #19054.
2017-02-26 16:22:21 +00:00
Jörg Thalheim
6c36d9fa20
nftables: make default configuration null
reason:
 - We currently have an open discussion regarding a more modular
   firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
   leaving null makes future extension easier.
 - the current default might not cover all use cases (different ssh port)
   and might break setups, if applied blindly
2017-02-26 16:24:20 +01:00
Frederik Rietdijk
f69292ddc0 Python: explain deterministic builds in release notes 2017-02-26 14:51:26 +01:00
Jookia
e2c95b46e5
nftables module: Add new module for nftables firewall settings
fixes #18842
2017-02-26 13:41:14 +01:00
Tomasz Czyż
0b27c74eb2 pgjwt: init at 0.0.1 (#22644) 2017-02-26 11:14:32 +01:00
Daniel Peebles
2f36be3816 Merge pull request #23190 from primeos/os-release
[RFC] version: Extend /etc/os-release
2017-02-26 00:03:33 -05:00
Dan Peebles
e798f573f0 make-disk-image.nix: set last fsck time on ext4 images to enable resize-on-startup 2017-02-26 02:02:22 +00:00
Michael Weiss
7e97cbe5a4 version: Extend /etc/os-release
- Provide additional link for support and bug reporting.
- Use HTTPS links (related: "The IAB encourages all web servers to
employ TLS to protect their content, and use OCSP stapling to improve
the efficiency and privacy of revocation checking." [0].
- Add VERSION_CODENAME

[0]: https://www.iab.org/documents/correspondence-reports-documents/2017-2/iab-statement-on-ocsp-stapling/
2017-02-25 22:24:34 +01:00
Franz Pletz
26a2822cf0
nginx service: restart instead of stop to reduce downtime
cc #23127
2017-02-25 20:12:37 +01:00
Thomas Tuegel
a1431f35db Merge pull request #23169 from Kendos-Kenlen/kde-hack
kde5: Install default monospace font, Hack
2017-02-25 11:59:33 -06:00
Franz Pletz
3a4dd97c55
nginx module: fix acme if vhost name != serverName
cc #21931 @bobvanderlinden
2017-02-25 08:04:38 +01:00
Gauthier POGAM--LE MONTAGNER
b65cc5c59e kde5: add hack font dependency (fix #22975) 2017-02-25 00:35:59 +01:00
Antoine Eiche
386c19a224 nova-image: support partition resizing 2017-02-24 22:19:53 +01:00
Antoine Eiche
dec7ecbbbc nova-image: refactoring
The nova image configuration is separated from the image build.
2017-02-24 22:17:52 +01:00
Benjamin Staffin
1c555e772e Merge pull request #23155 from doshitan/fix-prometheus-basic-auth
prometheus service: fix basic auth option
2017-02-24 15:08:35 -05:00
Tanner Doshier
b846ce5243 prometheus service: fix basic auth option
If some configuration is provided, we need to filter out the `_module` key or
else it breaks prometheus.
2017-02-24 13:32:01 -06:00
Ryan Mulligan
41b56b4b8a f2fs module: add crc32 dependency to initrd kernel modules, closes #23093
f2fs.fsck depends on crc32 module being present in the initrd system,
otherwise, if f2fs is used as the root disk, the system is unbootable.
2017-02-24 18:32:50 +01:00
Robin Gloster
8f60b43d9c Merge pull request #23130 from grahamc/insecure-packages-with-docs
nixpkgs: allow packages to be marked insecure (this time with docs)
2017-02-24 13:44:28 +01:00
Graham Christensen
a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
Eelco Dolstra
8e1fa01f3a
nix: 1.11.6 -> 1.11.7 2017-02-24 12:53:53 +01:00
Franz Pletz
4730993ca6 Merge pull request #23109 from dtzWill/update/neo4j
neo4j: update and fix JVM parameters in NixOS module
2017-02-23 19:02:32 +01:00
Franz Pletz
d508ef88f7 Merge pull request #23082 from mayflower/graylog_update
graylog: update + module plugin support
2017-02-23 17:42:57 +01:00
Robin Gloster
940492cef5 Merge pull request #22634 from Ekleog/dhparams
dhparams module: initialize
2017-02-23 17:16:04 +01:00
Franz Pletz
4905c1c54f
prosody service: needs working network connectivity 2017-02-23 16:07:41 +01:00
Franz Pletz
66f553974b
dhcpcd service: fix network-online.target integration
When dhcpcd instead of networkd is used, the network-online.target behaved
the same as network.target, resulting in broken services that need a working
network connectivity when being started.

This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
2017-02-23 16:07:40 +01:00
Will Dietz
bc15b4222b nixos/neo4j: Update to default JVM options from current release.
The options previously listed here were the defaults back in 2.1.x.
2017-02-23 08:41:29 -06:00
Robin Gloster
274994785d
networking module: remove reference to removed ip-up.target 2017-02-23 15:25:19 +01:00
Tristan Helmich
7420922806 graylog module: add plugin support 2017-02-23 15:21:29 +01:00
Dan Peebles
15c05ad213 google-compute-image.nix: fix evaluation failure 2017-02-22 23:51:57 +00:00
Dan Peebles
49641e0de0 make-disk-image.nix: support additional filesystem contents
This makes make-disk-image.nix slightly more consistent with other image
builders we have. Unfortunately I duplicated some code in doing so, but
this is temporary duplication on the path to consolidating everything.
See https://github.com/NixOS/nixpkgs/issues/23052 for more details on that.

I'm also exposing the option in the amazon-image.nix maintainer module.
2017-02-22 23:49:49 +00:00
Vladimír Čunát
4509487e82
nixos polkit: fixup setuid wrapper of pkexec
Broken in 628e6a8.  Fixes #23083.
2017-02-22 23:04:21 +01:00
Franz Pletz
9b81dcfda2
nixos/release-notes: fix typos 2017-02-22 08:45:30 +01:00
Jörg Thalheim
27d4f8c717 Merge pull request #23046 from Zimmi48/patch-2
nixos/manual/networkmanager: add info on nm-applet
2017-02-22 01:40:50 +01:00
Jörg Thalheim
6a044f1841 Merge pull request #23045 from Zimmi48/patch-1
nixos/manual/xserver: propose more alternatives
2017-02-22 01:38:25 +01:00
Jörg Thalheim
5b14e91717 Merge pull request #22822 from Mic92/iputils
iputils: 20151218 -> 20161105
2017-02-22 00:37:13 +01:00
Jörg Thalheim
45719174c3
nixos/release-notes: mention iputils changes 2017-02-22 00:32:52 +01:00
Tristan Helmich
1d64f5f41b
libvirt: expose libvirt qemu configuration file
fixes #22823
2017-02-21 19:20:22 +01:00
Robin Gloster
f1e6dc8750
networking.defaultGateway{,6}: fix example 2017-02-21 15:46:00 +01:00
Théo Zimmermann
0994d6af9d nixos/manual/networkmanager: add info on nm-applet 2017-02-21 15:20:10 +01:00
Théo Zimmermann
361d730f35 nixos/manual/xserver: propose more alternatives 2017-02-21 14:56:26 +01:00
Jörg Thalheim
0338817f62 vnstat: provide full path of "kill" in ExecReload 2017-02-21 09:26:25 +00:00
Nikolay Amiantov
2cc4703a2d wrappers service: make /run/wrappers a mountpoint
Also remove some compatibility code because the directory in question would be
shadowed by a mountpoint anyway.
2017-02-21 12:13:35 +03:00
Peter Hoeg
8e5b630b49 Merge pull request #22264 from peterhoeg/m/modeswitch
usb-modeswitch: 2.2.1 -> 2.5.0 and nixos module
2017-02-21 16:49:04 +08:00
Peter Hoeg
0789a2a4d6 usb-wwan: nixos module 2017-02-21 16:35:27 +08:00
Franz Pletz
05c2c13182 Merge pull request #22715 from phi-gamma/fix-22709-xen-domU
xen: update domU config for pvgrub2
2017-02-21 06:14:12 +01:00
Anders Papitto
3d963c3e8f herbstluftwm module: add configFile option
based on the equivalent for i3
2017-02-21 05:46:13 +01:00
Kevin Cox
da33c8a19d
systemd: Properly escape environment options.
Using toJSON on a string value works because the allowed JSON escape
sequences is almost a subset of the systemd allowed escape sequences.
The only exception is `\/` which JSON allows but systemd doesn't.
Luckily this sequence isn't required and toJSON don't produce it making
the result valid for systemd consumption.

Examples of things that this fixes are environment variables with double
quotes or newlines.
2017-02-20 22:20:13 -05:00
Robin Gloster
2f8aaf0c0a Merge pull request #22941 from mayflower/systemd-tmpfiles
systemd: setup tmpfiles on switching configuration
2017-02-20 23:14:31 +01:00
Ricardo M. Correia
d9ae886946 nixos.openntpd: don't spam systemd journal
Starting `ntpd` with the `-d` option spams the systemd journal.
Instead, let the server fork.
2017-02-20 22:35:51 +01:00
aszlig
dc31a1ea29
systemd-boot: Unlink loader.conf if it exists
Since systemd version 232 the install subcommand of bootctl opens the
loader.conf with fopen() modes "wxe", where the "e" stands for
exclusive, so the call will fail if the file exists.

For installing the boot loader just once this is fine, but if we're
using NIXOS_INSTALL_BOOTLOADER on a systemd where the bootloader is
already present this will fail.

Exactly this is done within the simpleUefiGummiboot installer test,
where nixos-install is called twice and thus the bootloader is also
installed twice, resulting in an error during the fopen call:

Failed to open loader.conf for writing: File exists

Removing the file prior to calling bootctl should fix this.

I've tested this using the installer.simpleUefiGummiboot test and it now
succeeds.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22925
2017-02-20 14:54:48 +01:00
aszlig
4daccf208f
systemd-boot: Make sure /etc/machine-id exists
This leads to the following error when trying to install a new machine
where the machine ID wasn't yet initialized during boot:

Failed to get machine did: No such file or directory

In addition this was also detected by the simpleUefiGummiboot installer
test.

So let's generate a fallback machine ID by using
systemd-machine-id-setup before actually running bootctl.

Tested this by running the installer.simpleUefiGummiboot test, it still
fails but not because of the machine ID.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22561
2017-02-20 14:54:44 +01:00
Lorenzo Manacorda
2c4d9c9228
manual: Add link to config section (#22994)
Add link to "Configuration" chapter from "Changing the Configuration" section.

Also, fix grammar error.
(cherry picked from commit a585f987fa32f2e81b3f273291971151c25f98b7)
2017-02-20 14:32:49 +01:00
Nikolay Amiantov
d8fb60d1d4 Merge pull request #23014 from zraexy/zraexy-bumblebee-pmmethod
bumblebee service: Fix pmMethod bbswitch check
2017-02-20 16:18:45 +03:00
Robin Gloster
12b4556642 Merge pull request #22882 from bjornfor/wireshark
nixos: add programs.wireshark option
2017-02-20 14:03:30 +01:00
zraexy
5abca15f21 bumblebee service: Fix pmMethod bbswitch check
Made useBbswitch work when pmMethod is "auto" and removed invalid pmMethod option "nouveau".
2017-02-19 22:46:47 -09:00
florianjacob
c23c2c50de munin service: listen on IPv6 loopback as well (#23012)
munin service: listen on IPv6 loopback as well
2017-02-20 06:13:48 +01:00
Arian van Putten
252fbbf2d2 mattermost sevice: JoinsNamespaceOf for local pgsql (#22899) 2017-02-20 04:43:04 +01:00
Franz Pletz
60555c7c0a Merge pull request #22969 from symphorien/extrainitrd
grub module: add extraInitrd option
2017-02-20 04:32:48 +01:00
Eelco Dolstra
4b833facf1 Add ca-central-1 AMIs 2017-02-19 23:46:08 +01:00
Eelco Dolstra
a2b8ceb83a Create AMIs for ca-central-1 (Canada) 2017-02-19 23:19:07 +01:00
Nikolay Amiantov
22750b36fd nvidia: support application profiles
Closes #22666.
2017-02-19 19:46:01 +03:00
Joachim F
6dbe55ca68 Merge pull request #20456 from ericsagnes/feat/loaf-dep-1
Use attrsOf in place of loaOf when relevant
2017-02-19 15:49:25 +01:00
Joachim F
ecdfffd9fc Merge pull request #22433 from laMudri/xfwm-option
xfce: make xfwm optional
2017-02-19 15:26:07 +01:00
Symphorien Gibol
9ed2846e04 grub module: add extraInitrd option 2017-02-19 10:50:22 +01:00
Ricardo M. Correia
f78f207f17 nixos.samba: add enableNmbd and enableWinbindd options
This allows for disabling these services, in case they are not needed.
2017-02-18 19:29:06 +03:00
Profpatsch
2b0469c48f modules/mpd: factor out name & mention man 5 mpd.conf 2017-02-18 16:03:16 +01:00
Franz Pletz
313ccd5be3
network-interfaces service: fix typo in bonding options 2017-02-18 15:51:52 +01:00
Cray Elliott
5e0b978eff mwprocapture: init at 1.2.3269 (#22160) 2017-02-18 15:44:31 +01:00
Robin Gloster
4e4161c212
systemd: setup tmpfiles on switching configuration
This fixes systemd.tmpfiles.rules on switching configuration so that
does not only get applied on a fresh boot. This e.g. fixes kubernetes.
2017-02-18 15:04:52 +01:00
Franz Pletz
c4c23f36ca Merge pull request #22727 from mayflower/fix/netdev-master-bindsto
network-interfaces service: fix bindsTo deps for masters
2017-02-18 13:37:50 +01:00
Franz Pletz
741770c99a
network-interface service: tuntap ifs have netdev services 2017-02-18 13:36:37 +01:00
Brice Waegeneire
47c214cc2a fix comments about nixos-hardware-scan
It has been renamed to nixos-generate-config in 3ed4173
2017-02-18 13:29:47 +01:00
Vladimír Čunát
432dba859e
Merge branch 'staging'
A security update of libxml2 is within.
2017-02-18 08:59:29 +01:00
Léo Gaspard
e2c78910d1
dhparams module: initialize 2017-02-18 00:07:03 +01:00
Robin Gloster
bd0d8ed807
programs.mtr: init setcap-wrapper 2017-02-17 20:18:19 +01:00
Nikolay Amiantov
213356c927 activation-script service: add utillinux to path 2017-02-17 21:54:58 +03:00
aszlig
08881b8cbe
taskserver: Remove taskserver from systemPackages
This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.

The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.

If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:46:05 +01:00
aszlig
5af8b120a6
nixos/tests/taskserver: Add test for manual config
This subtest actually serves two purposes:

  1. Test manual PKI configuration
  2. Test changing of configuration files

In order to only test manual PKI configuration it would have been enough
to just add another server with a manual config.

But as the switch from automatic PKI config to manual config is probably
one of the most fundamental changes in configuration, so it serves
*very* well to also check whether changes in the NixOS configuration
actually have an impact in the real system.

So instead of adding another server, we now create a dummy "newServer"
machine, which is the new configuration for "server" and use
switch-to-configuration to switch "server" to the config of "newServer".

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:46:01 +01:00
aszlig
c7bbb93878
taskserver: Pass configuration via command line
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disavantage that
once we change the real configuration file the store path is also a
different one.

So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.

Another problem is that we only added the include directive on the first
initalization, so whenever there is *any* configuration change, it won't
affect anything.

We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.

This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.

Instead we now have an attribute set that is mapped down to
configuration options.

Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.

So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
2017-02-17 19:45:58 +01:00
aszlig
78fe00da7c
taskserver: Allow helper tool in manual config
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.

One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.

Another advantage is that we now have an uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:55 +01:00
aszlig
32c2e8f4ae
taskserver/helpertool: Fix error message on export
The error message displays that a specific user doesn't exist in an
organisation, but uses the User object's name attribute to show which
user it was.

This is basically a very stupid chicken and egg problem and easily fixed
by using the user name provided on the command line.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:52 +01:00
aszlig
a5e9668c5c
nixos/test: Fix escaping for copyFileFromHost
A long-time issue and one of the reasons I've never used that function
before. So let's remove that todo-comment and escape the contents
properly.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
2017-02-17 19:45:49 +01:00
Michele Guerini Rocco
5231d0ac29 bluetooth module: add option to power up bluetooth controller (#22685) 2017-02-17 19:44:04 +01:00
Jörg Thalheim
fd78ff23f7
replace ping6 with ping
reason: after the upgrade of iputils from 20151218 to 20161105
functionality of ping6 and tracepath6 was merged into ping and tracepath.

Ping is now mostly a drop-in replacment for ping6, except that selecting a
specific interface is done by encoding it into the address (ex.: fe80::1%eth0)
rather then specifing it with the `-I` flag.
2017-02-17 16:04:49 +01:00
Robin Gloster
7ec5faa8a4
programs.wireshark: use setcap wrapper 2017-02-17 15:42:55 +01:00
Bjørn Forsman
8f3e6fdd8c
nixos: add programs.wireshark option
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module module simplifies such a
configuration to simply:

  programs.wireshark.enable = true;

The setuid wrapper is available for users in the 'wireshark' group.

Changes v1 -> v2:
  - add "defaultText" to the programs.wireshark.package option (AFAIK,
    that prevents the manual from being needlessly rebuilt when the
    package changes)
2017-02-17 15:42:54 +01:00
Robin Gloster
070825d443
setcapWrapper: add support for setting permissions 2017-02-17 15:42:54 +01:00
Matthew Daiter
336d6cc513 stanchion: remove ssl option 2017-02-17 13:24:51 +01:00
Nikolay Amiantov
8ecd5c4019 Merge pull request #22864 from abbradar/dbus-etc
Redo DBus configuration
2017-02-17 11:47:51 +03:00
Robin Gloster
6e12406e30
Revert "nginx: Format the config file"
This reverts commit e362a3d5c9.

See #22883
2017-02-16 22:45:00 +01:00
Profpatsch
bb797c1390 networking.networkd: adjust autmatic mapping of bonds
Since the bonds interface changed to a lot more possible values we create a
mapping of kernel bond attribute names and values to networkd attributes.
Those match for the most part, but have to transformed slightly.

There is also an assert that unknown options won’t slip through silently.
2017-02-16 21:24:40 +01:00
Profpatsch
9debdaf512 networking.bonds: add support for arbitrary driverOptions
Until now the four attributes available very selectively provided a small
subset, while copying upstream documentation.

We make driver options an arbitrary key-value set and point to kernel
documentation, which is always up-to-date. This way every option can be set.
The four already existing options are deprecated with a warning.
2017-02-16 21:24:40 +01:00
Daniel Peebles
19a9099eb2 Merge pull request #22869 from copumpkin/amazon-init-fix
amazon-init NixOS module: fix (I think) race condition with network
2017-02-16 12:44:49 -05:00
Thomas Tuegel
7c260ad2cc Merge pull request #22813 from benley/pam-kwallet
nixos: add optional pam_kwallet5 integration
2017-02-16 10:20:47 -06:00
Dan Peebles
b172684c17 amazon-init NixOS module: fix (I think) race condition with network
The initialization code is now a systemd service that explicitly
waits for network-online, so the occasional failure I was seeing
because the `nixos-rebuild` couldn't get anything from the binary
cache should stop. I hope!
2017-02-16 16:03:58 +00:00
Nikolay Amiantov
0c81594a29 kbd service: use /dev/tty1 for systemd-vconsole-setup
Fixes #22470
2017-02-16 17:08:14 +03:00
Nikolay Amiantov
109ee2a338 kbd service: use systemd-vconsole-setup even with early setup
This way we have fonts reloaded on switches.
2017-02-16 17:08:13 +03:00
Nikolay Amiantov
ac0cdc1952 dbus service: use makeDBusConf 2017-02-16 15:41:23 +03:00
Benjamin Staffin
463e90273f pam: add optional pam_kwallet5 integration 2017-02-16 02:26:42 -05:00
Kier Davis
5e3a26e07b
Fix typo introduced by #22677 2017-02-15 23:44:11 +00:00
Bjørn Forsman
d4e5bb34b7 nixos/geoip-updater: run as user 'geoip' instead of 'nobody'
That way 'nobody' is prevented from messing with the databases.
2017-02-15 23:25:27 +01:00
Bjørn Forsman
ce0a52f9bf nixos/security.wrappers: improve documentation
* The source attribute is mandatory, not optional
* The program attribute is optional
* Move the info about the mandatory attribute first (most important,
  IMHO)
2017-02-15 20:05:27 +01:00
Profpatsch
91d0260feb modules/filesystems: disallow non-empty fstab fields (#22803)
It was possible to pass empty strings / strings with only separator characters;
this lead to broken fstab formatting.
2017-02-15 13:22:48 +01:00
Franz Pletz
188526da3d
prometheus.blackboxExporter service: add CAP_NET_RAW
The blackbox-exporter for prometheus needs CAP_NET_RAW for sending icmp
probes.
2017-02-15 09:35:27 +01:00
Bjørn Forsman
f9cb2b5640 nixos/security.wrappers: use literalExample in documentation
It's much more readable when the example attrset is pretty printed
instead of written as one line.
2017-02-15 09:08:41 +01:00
Bjørn Forsman
a45821e7a8 nixos/cron: unbreak since new security.wrapper 2017-02-15 08:30:58 +01:00
Bjørn Forsman
aaac02f6c4 nixos/atd: unbreak after new security.wrappers
* convert list -> attrset
* 'atd' doesn't exist, 'at' does
2017-02-15 08:25:59 +01:00
Bjørn Forsman
b1bfe9d3db nixos: hint about security.setuidOwners/Programs -> security.wrappers
Let users know about the option rename / change during nixos-rebuild
with a useful message instead of an error (with no way forward).
2017-02-15 07:25:33 +01:00
Bjørn Forsman
34c1b74421 nixos/virtualbox: unbreak wrt. new security.wrappers
The new option takes an attrset, not a list.
2017-02-15 07:25:33 +01:00
Bjørn Forsman
448acd8e5e nixos: remove remaining reference to setuidPrograms
The option doesn't exist anymore.
2017-02-15 07:25:33 +01:00
Ian-Woo Kim
b7a24e0a2b nixos-container: added test for port forwarding ( nixos/tests/containers-portforward.nix ) 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
5ca0f72472 nixos-container: break lines in description of forwardPorts. 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
4f0b663c2e nixos-container: hostPort -> forwardPort and forwardPort is now a list of (protocol,hostPort,containerPort). 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
0bfc631de2 nixos-container: support multiple port forwarding. change type of hostPort from 'string' to 'listOf str' 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
8684285251 nixos-container: introduce hostPort in declarative container options. 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
a238c8a575 nixos-container: add --port option for nixos-container (forward network ports to systemd-nspawn container) 2017-02-15 05:12:46 +01:00
Parnell Springmeyer
1f83f1c878
security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00
Graham Christensen
7483ba0932
Revert "nix-daemon: default useSandbox to true"
This reverts commit d0a086770a.
2017-02-14 14:13:39 -05:00
Graham Christensen
3be1388963 Merge pull request #22767 from grahamc/sandbox-by-default
nix-daemon: default useSandbox to true
2017-02-14 13:57:44 -05:00
Eelco Dolstra
14c47bd546 Merge pull request #22758 from dezgeg/pr-nixos-rebuild
nixos-rebuild: Don't rebuild nixos-rebuild when --fast is used
2017-02-14 16:35:43 +01:00
Parnell Springmeyer
69794e333a
Using para tags for manual formatting 2017-02-14 08:53:30 -06:00
Parnell Springmeyer
794b3721bc
Syntax wibble 2017-02-14 08:42:08 -06:00
Parnell Springmeyer
e856d6efe8
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00
Parnell Springmeyer
c01689f8da
Fixing ref to old-wrappersDir 2017-02-14 08:33:07 -06:00
Parnell Springmeyer
f8b8c353ff
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00
Parnell Springmeyer
fb6d13c01a
Addressing feedback and fixing a bug 2017-02-14 07:38:45 -06:00
Parnell Springmeyer
467bb3f674
/run/wrapper is not a filesystem, no need to skip it 2017-02-14 07:32:24 -06:00
Parnell Springmeyer
ba499e3aa0
Removing unused module option old-wrapperDir 2017-02-14 07:30:21 -06:00
Parnell Springmeyer
a27f35993d
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00
Parnell Springmeyer
cca2e11556
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00
Parnell Springmeyer
9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen
d0a086770a
nix-daemon: default useSandbox to true 2017-02-13 18:06:01 -05:00
Rickard Nilsson
cda4a4dcfc nixos/grafana: Don't print password warning if no password has been set 2017-02-13 23:11:40 +01:00
Robin Gloster
7e5424ac09
php: default to php71 2017-02-13 22:48:45 +01:00
Tuomas Tynkkynen
2000f0941e nixos-rebuild: Don't build nixos-rebuild with --fast 2017-02-13 21:52:32 +02:00
Tuomas Tynkkynen
23fee8bfbd nixos-rebuild: Support passing e.g. '-j8'
Where there is no space between '-j' and the number.
2017-02-13 21:52:30 +02:00
Graham Christensen
1d2548772e Merge pull request #22724 from grahamc/pam-oath-fixup
pam_oath: require OATH and pam_unix credentials to be valid
2017-02-13 09:36:35 -05:00
Robin Gloster
af9f44dd57
grub: fix capitalisation
Missed this occurence while renaming the option
2017-02-13 14:55:36 +01:00
symphorien
0b87efacb1 grub: add grub.useOSProber option (#22558) 2017-02-13 14:53:15 +01:00
Linus Heckemann
b4cd251c54 Manual: document users.users.<name>.hashedPassword 2017-02-13 13:54:40 +01:00
Eelco Dolstra
a4ec1841da
VM tests: veryloose -> cache=loose 2017-02-13 12:18:10 +01:00
Rob Vermaas
af3732b6c6
Azure: switch back to qemu 2.2.0 for generating image. Seems to work best.
(cherry picked from commit 2da8a5dac8674501ba9ed10e44650088b466688a)
2017-02-13 09:55:03 +00:00
Rob Vermaas
eff0752dbc
Use default qemu for azure image generation, and use option to enforce sizing of image to be compliant with Azure/HyperV.
(cherry picked from commit e16db5666af987f8a76be82ff219e138e92af442)
2017-02-13 08:54:41 +00:00
Dan Peebles
e63d15f173 ecs-agent NixOS module: enable docker 2017-02-13 04:06:31 +00:00
Dan Peebles
e928cb1c63 ssm-agent NixOS module: init 2017-02-13 04:01:38 +00:00
Franz Pletz
76a3c30471
network-interfaces service: fix bindsTo deps for masters
Previously, netdev units for network interfaces defined in the nixos
configurations would bindTo the systemd device unit of the interface if
not in a container.

In situations where you switch to a new nixos configration with changes
to network-setup.service (like nameservers) and have stacked interfaces
like vlans on a bond, it would fail to propagate restarts to the netdevs
correctly resulting with broken networking. The bond would be present
but no vlan interfaces rendering the machine unreachable.

My fear is that the udev events fail to propagate correctly while a systemd
transaction that is also restarting the triggered netdev service is running.
This commit changes this behaviour so netdev services bindTo other netdev
services if present and otherwise fall back to the previous behaviour.

We also noticed that stacked interfaces would sometimes seemingly be stopped
in the wrong order. For instance in the above example, the bond interface
would be deleted before the vlan interfaces resulting in the vlan interfaces
not being present when their service is being stopped. This would cause the
systemd transaction to fail and thus break networking. Their postStop hooks
are now allowed to fail as we have reached the desired state.
2017-02-13 01:57:25 +01:00
Graham Christensen
84d4e4277c Merge pull request #22723 from benley/fix-sessions-with-sddm
Fix sessions with sddm.
2017-02-12 19:01:15 -05:00
Franz Pletz
f5a82e4714
gitlab service: fix database creation
Providing custom a username and database name was broken. They were
hardcoded to "gitlab".
2017-02-13 00:57:22 +01:00
Graham Christensen
96d767de62
pam_oath: require OATH and pam_unix credentials to be valid 2017-02-12 18:27:11 -05:00
Graham Christensen
59e77daf5b
nixos tests: make getTTYText smart about tty size 2017-02-12 18:27:06 -05:00