Commit Graph

3711 Commits

Author SHA1 Message Date
Joachim Fasting
540740598e
nixos/dnscrypt-proxy: add example of how to use the cache plugin 2017-03-15 01:12:39 +01:00
Joachim Fasting
719813caf6
nixos/dnscrypt-proxy: replace unimportant options with extraArgs
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability.  Until
17.09 we'll automatically translate these options into extraArgs
for convenience.

Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
2017-03-15 01:12:37 +01:00
Joachim Fasting
9325c3a616
nixos/dnscrypt-proxy: simplify module logic related to apparmor 2017-03-15 01:12:35 +01:00
Joachim Fasting
83052ef9db
nixos/dnscrypt-proxy: support reload 2017-03-15 01:12:29 +01:00
Bas van Dijk
308c09d41f wordpress: security upgrade: 4.7.2 -> 4.7.3 & other improvements (#23837)
* Moved the wordpress sources derivation to the attribute pkgs.wordpress. This
  makes it easier to override.

* Also introduce the `package` option for the wordpress virtual host config which
  defaults to pkgs.wordpress.

* Also fixed the test in nixos/tests/wordpress.nix.
2017-03-14 16:11:51 +01:00
Benjamin Staffin
638e1b8243 nixos: Add a menu launcher for the NixOS manual 2017-03-14 06:04:43 -04:00
Tuomas Tynkkynen
aba0b45b86 Merge remote-tracking branch 'upstream/master' into staging
Conflicts:
      pkgs/development/libraries/qt-5/5.7/qtbase/default.nix
2017-03-14 00:49:22 +02:00
Renaud
72619a86c9 JBoss AS: list known vulnerability
CVE-2015-7501

Warning in JBoss module
2017-03-13 18:45:19 +01:00
Thomas Tuegel
65592837b6
freetype: 2.6.5 -> 2.7.1
The Infinality bytecode interpreter is removed in favor of the new v40 TrueType
interpreter. In the past, the Infinality interpreter provided support for
ClearType-style hinting instructions while the default interpreter (then v35)
provided support only for original TrueType-style instructions. The v40
interpreter corrects this deficiency, so the Infinality interpreter is no longer
necessary.

To understand why the Infinality interpreter is no longer necessary, we should
understand how ClearType differs from TrueType and how the v40 interpreter
works. The following is a summary of information available on the FreeType
website [1] mixed with my own editorializing.

TrueType instructions use horizontal and vertical hints to improve glyph
rendering. Before TrueType, fonts were only vertically hinted; horizontal hints
improved rendering by snapping stems to pixel boundaries. Horizontal hinting is
a risk because it can significantly distort glyph shapes and kerning. Extensive
testing at different resolutions is needed to perfect the TrueType
hints. Microsoft invested significant effort to do this with its "Core fonts for
the Web" project, but few other typefaces have seen this level of attention.

With the advent of subpixel rendering, the effective horizontal resolution of
most displays increased significantly. ClearType eschews horizontal hinting in
favor of horizontal supersampling. Most fonts are designed for the Microsoft
bytecode interpreter, which implements a compatibility mode with
TrueType-style (horizontal and vertical) instructions. However, applying the
full horizontal hints to subpixel-rendered fonts leads to color fringes and
inconsistent stem widths. The Infinality interpreter implements several
techniques to mitigate these problems, going so far as to embed font- and
glyph-specific hacks in the interpreter. On the other hand, the v40 interpreter
ignores the horizontal hinting instructions so that glyphs render as they are
intended to on the Microsoft interpreter. Without the horizontal hints, the
problems of glyph and kerning distortion, color fringes, and inconsistent stem
widths--the problems the Infinality interpreter was created to solve--simply
don't occur in the first place.

There are also security concerns which motivate removing the Infinality patches.
Although there is an updated version of the Infinality interpreter for FreeType
2.7, the lack of a consistent upstream maintainer is a security concern. The
interpreter is a Turing-complete virtual machine which has had security
vulnerabilities in the past. While the default interpreter is used in billions
of devices and is maintained by an active developer, the Infinality interpreter
is neither scrutinized nor maintained. We will probably never know if there are
defects in the Infinality interpreter, and if they were discovered they would
likely never be fixed. I do not think that is an acceptable situtation for a
core library like FreeType.

Dropping the Infinality patches means that font rendering will be less
customizable. I think this is an acceptable trade-off. The Infinality
interpreter made many compromises to mitigate the problems with horizontal
hinting; the main purpose of customization is to tailor these compromises to the
user's preferences. The new interpreter does not have to make these compromises
because it renders fonts as their designers intended, so this level of
customization is not necessary.

The Infinality-associated patches are also removed from cairo. These patches
only set the default rendering options in case they aren't set though
Fontconfig. On NixOS, the rendering options are always set in Fontconfig, so
these patches never actually did anything for us!

The Fontconfig test suite is patched to account for a quirk in the way PCF fonts
are named.

The fontconfig option `hintstyle` is no longer configurable in NixOS. This
option selects the TrueType interpreter; the v40 interpreter is `hintslight` and
the older v35 interpreter is `hintmedium` or `hintfull` (which have actually
always been the same thing). The setting may still be changed through the
`localConf` option or by creating a user Fontconfig file.

Users with HiDPI displays should probably disable hinting and antialiasing: at
best they have no visible effect.

The fontconfig-ultimate settings are still available in NixOS, but they are no
longer the default. They still work, but their main purpose is to set rendering
quirks which are no longer necessary and may actually be
detrimental (e.g. setting `hintfull` for some fonts). Also, the vast array of
font substitutions provided is not an appropriate default; the default setting
should be to give the user the font they asked for.

[1]. https://www.freetype.org/freetype2/docs/subpixel-hinting.html
2017-03-12 17:31:33 -05:00
Vladimír Čunát
50fadc8b18
cups: split the $lib output
This saves > 10 MB from most closures.
Printing test succeeds on x86_64-linux.
2017-03-12 18:36:30 +01:00
Rodney Lorrimar
f488b1811b
pumpio service: don't keep secrets in nix store
Added extra config options to allow reading passwords from file rather
than the world-readable nix store.

The full config.json file is created at service startup.

Relevant to #18881
2017-03-12 16:01:02 +01:00
Rodney Lorrimar
f1a1490135
pumpio service: adjust upload directory config for 3.0.0
These changes are backwards compatible.
2017-03-12 16:00:57 +01:00
Franz Pletz
323d0fdd5a
phpfpm module: set correct nixos sendmail path 2017-03-11 09:39:12 +01:00
Joachim Fasting
bb6361b81a
nixos/dnscrypt-proxy: grant daemon access to load plugins 2017-03-10 18:54:54 +01:00
Joachim Fasting
5279ec111f
nixos/dnscrypt-proxy docs: reword section on forwarding
Newer versions of DNSCrypt proxy *can* cache lookups (via
plugin); make the wording more neutral wrt. why one might want
to run the proxy in a forwarding setup.
2017-03-10 18:54:52 +01:00
Joachim Fasting
c0a8a9205b
nixos/dnscrypt-proxy: inline option renamings
In an effort to make the module more self-contained.
2017-03-10 18:54:51 +01:00
Joachim Fasting
563c8e1496
nixos/dnscrypt-proxy: inline top-level binding (cleanup) 2017-03-10 18:54:50 +01:00
Joachim Fasting
c6da2c7c2b
nixos/dnscrypt-proxy: use example.com in example values
It is the canonical example domain after all.
2017-03-10 18:54:44 +01:00
Thomas Tuegel
64b88c3017 Merge branch 'master' into phonon-gstreamer 2017-03-10 07:30:14 -06:00
Thomas Tuegel
edd43351cf
nixos/plasma5: no need to set gstreamer plugin path 2017-03-10 07:26:40 -06:00
Dan Peebles
c390cec122 buildbot NixOS modules: switch to not daemonize
1) The forking behavior of `buildbot start` is temporarily broken for
   mysterious reasons that I'm still looking into
2) Let systemd do the forking: no point in using two different process
   startup wait loops
2017-03-10 00:11:57 -05:00
Thomas Tuegel
e3cb24d1e0 Merge pull request #23503 from ttuegel/fontconfig
Generalize Fontconfig options
2017-03-09 19:29:28 -06:00
Evan Danaher
a09246948c nginx: disallow alias directive on server level; it doesn't work. 2017-03-09 16:54:44 -05:00
Evan Danaher
e7358b192a nginx: Assert that either root or alias is null.
If both are set, nginx won't start.  More error checking is certainly in
order, but this seems like a reasonable start.
2017-03-09 13:02:49 -05:00
Evan Danaher
ff2e2e82cc nginx: Add alias configuration option for hosts and locations.
It's like root, but doesn't keep the prefix.
2017-03-09 13:02:29 -05:00
Dan Peebles
c3939cbcf5 buildbot modules: don't put BB users in nixbld group
The nixbld group belongs to nix-daemon and you really don't want to be
in it. If you are in it, nix-daemon will kill your processes when you
least expect it :)
2017-03-09 11:46:26 -05:00
Gregor Kleen
899fd868ea das_watchdog: fix service type 2017-03-09 16:14:17 +01:00
Joachim Fasting
06520c7fb7
nixos/dnscrypt-proxy: indicate update status
Make it easier for the user to tell when the list is updated
and, at their option, see what changed.
2017-03-08 19:07:53 +01:00
Joachim Fasting
5f27abec23
nixos/dnscrypt-proxy: more fs isolation for the updater
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available.  We
filter mount syscalls to prevent the process from undoing the fs
isolation.
2017-03-08 19:07:51 +01:00
Joachim Fasting
e72aaa73ea
nixos/dnscrypt-proxy: support updating before nss is up
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.

We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
2017-03-08 19:07:50 +01:00
Joachim Fasting
adf044e1fb
nixos/dnscrypt-proxy: refactoring
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...).  Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
2017-03-08 19:07:44 +01:00
Daniel Ehlers
0bd211d84f
ddclient: Make verbose logging deactivatable. 2017-03-07 22:03:22 +01:00
Franz Pletz
d7674dabba
phpfpm service: fix phpOptions
Broken due to #23216.
2017-03-07 15:08:55 +01:00
Joachim Fasting
15da23d5c1
nixos/modules: use defaultText/literalExample where applicable
Primarily to fix rendering of default values/examples but also
to avoid unnecessary work.
2017-03-07 14:06:08 +01:00
Joachim Fasting
540163e4a4
search module: add missing types 2017-03-07 14:06:02 +01:00
Tom
9a7bad2c17 networkmanager service: support changing the mac-address (#23464)
Set `networking.networkmanager.wifi.macAddress` or `networking.networkmanager.ethernet.macAddress`
to one of these values to change your macAddress.

* "XX:XX:XX:XX:XX:XX": set the MAC address of the interface.
* "permanent": use the permanent MAC address of the device.
* "preserve": don’t change the MAC address of the device upon activation.
* "random": generate a randomized value upon each connect.
* "stable": generate a stable, hashed MAC address.

See https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/ for more information
2017-03-07 03:50:37 +01:00
Graham Christensen
710973e354 Merge pull request #23492 from zarelit/xfce_lockscreen
xfce: add screenLock option
2017-03-06 19:42:47 -05:00
Fernando J Pando
9f062c2c0b buildbot: 0.9.3 -> 0.9.4
- adds jwt
- adds module tests
- master.cfg as path in module
- fix systemd worker config
- builds on darwin
- tested on nixos
2017-03-07 00:45:37 +01:00
Joachim Fasting
f278793fdb
btsync module: remove redundant example
The default value already gives a good example of what values to
put here.
2017-03-06 15:59:23 +01:00
Wei Tang
99013f853a
jenkins-job-builder: allow setting access tokens for reloading 2017-03-06 07:57:01 -05:00
timor
f40b961378 couchdb: add support for version 2.0.0
Version 2.0.0 is installed as a separate package called "couchdb2".
When setting the config option "package" attribute to pkgs.couchdb2, a
corresponding service configuration will be generated.  If a previous
1.6 installation exists, the databases can still be found on the local
port (default: 5986) and can be replicated from there.

Note that single-node or cluster setup still needs to be configured
manually, as described in
http://docs.couchdb.org/en/2.0.0/install/index.html.
2017-03-06 11:42:02 +01:00
Jörg Thalheim
947815f59f
fcron: 3.1.2 -> 3.2.1
fixes #23320 #23413
2017-03-05 22:41:11 +01:00
Bjørn Forsman
316e7d6764 nixos/nix-daemon: doc: use literalExample
Makes the example more readable by not squashed everything onto one
single line.
2017-03-05 14:07:23 +01:00
Jaka Hudoklin
f5d81ed79b Merge pull request #20904 from offlinehacker/nixos/xserver/xpra
Add xpra display-manager
2017-03-05 01:32:23 +01:00
Thomas Tuegel
cc7c3c6bb8
nixos/plasma5: set GST_PLUGIN_SYSTEM_PATH_1_0 to list of paths 2017-03-04 16:31:22 -06:00
Thomas Tuegel
42cf524f2d
nixos/plasma5: set default fonts for Plasma desktop 2017-03-04 14:59:11 -06:00
David Costa
fc6c50f1b5 xfce: add screenLock option
screenLock option is needed to provide at least one application for
xflock4 to lock the screen
2017-03-04 18:01:02 +01:00
Léo Gaspard
0e2bd7e248 openldap module: fix paths for example includes 2017-03-04 13:30:29 +01:00
Eelco Dolstra
3971876585
nix-daemon: Remove a bunch of unnecessary environment variables 2017-03-03 16:50:37 +01:00
Eelco Dolstra
3070c88798
Fix incorrect $NIX_BUILD_HOOK on Nix 1.12 2017-03-03 16:50:26 +01:00
Dan Peebles
3f116702cc buildbot-master module: fix overly restrictive option type for masterCfg 2017-03-03 01:33:18 +00:00
Florian Jacob
518e5c09a8 avahi-daemon service: Add option to enable point-to-point interfaces. 2017-03-02 23:52:08 +01:00
Nikolay Amiantov
516a7fc7bd kmscon service: disable systemd-vconsole-setup
cc #22470.
2017-03-01 13:47:34 +03:00
Nikolay Amiantov
2e80b50a7e cura, curaengine: 14.04 -> 2.4.0
Move old Cura to {cura,curaengine}_stable
2017-03-01 02:23:18 +03:00
Susan Potter
251b9ca0e7
nginx service: add commonHttpConfig option 2017-02-28 09:36:56 -06:00
Franz Pletz
ec4ead0bfe
phpfpm service: add target and slice 2017-02-28 00:00:57 +01:00
Franz Pletz
e3d58dae7f
phpfpm service: one service per pool for isolation 2017-02-27 23:38:53 +01:00
Dan Peebles
8def08a56c apache-kafka.service: pass in log4j config more explicitly
The implicit behavior of pulling it out of the classpath seemed not
to work properly and could be thrown off by other things on the
classpath also providing the properties file. This guarantees that
our settings stick.
2017-02-27 18:32:12 +00:00
Thomas Tuegel
127bf18a35
extra-cmake-modules: Lift Qt dependency 2017-02-27 11:49:46 -06:00
Thomas Tuegel
f21d4d0015
nixos/plasma5: Rename Plasma 5 desktop
- There is no such thing as KDE 5
2017-02-27 11:49:31 -06:00
Thomas Tuegel
8eb4d2afbc
Remove top-level kde5 attribute
- There is no such thing as KDE 5
2017-02-27 11:49:10 -06:00
Edward Tjörnhammar
fa367c2d02
nixos, dhcpd: make machines assignable 2017-02-27 10:52:21 +01:00
Fabian Schmitthenner
ae67f060f2 phpfpm: eliminate build at evaluation time
phpfpm currently uses `readFile` to read the php.ini file from the
phpPackage. This causes php to be build at evaluation time.

This eliminates the use of readFile and builds the php.ini at build
time.
2017-02-26 23:35:12 +01:00
obadz
4b6f021251 Revert "lightdm: obbey services.xserver.{window/desktop}Manager.default"
This reverts commit 29caa185a7.

Not clear what the proper thing to do is. cf94cdb59b renders this
question mostly moot. Reverting before 17.03 branch to avoid a repeat
of #19054.
2017-02-26 16:22:21 +00:00
Jörg Thalheim
6c36d9fa20
nftables: make default configuration null
reason:
 - We currently have an open discussion regarding a more modular
   firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
   leaving null makes future extension easier.
 - the current default might not cover all use cases (different ssh port)
   and might break setups, if applied blindly
2017-02-26 16:24:20 +01:00
Jookia
e2c95b46e5
nftables module: Add new module for nftables firewall settings
fixes #18842
2017-02-26 13:41:14 +01:00
Franz Pletz
26a2822cf0
nginx service: restart instead of stop to reduce downtime
cc #23127
2017-02-25 20:12:37 +01:00
Thomas Tuegel
a1431f35db Merge pull request #23169 from Kendos-Kenlen/kde-hack
kde5: Install default monospace font, Hack
2017-02-25 11:59:33 -06:00
Franz Pletz
3a4dd97c55
nginx module: fix acme if vhost name != serverName
cc #21931 @bobvanderlinden
2017-02-25 08:04:38 +01:00
Gauthier POGAM--LE MONTAGNER
b65cc5c59e kde5: add hack font dependency (fix #22975) 2017-02-25 00:35:59 +01:00
Benjamin Staffin
1c555e772e Merge pull request #23155 from doshitan/fix-prometheus-basic-auth
prometheus service: fix basic auth option
2017-02-24 15:08:35 -05:00
Tanner Doshier
b846ce5243 prometheus service: fix basic auth option
If some configuration is provided, we need to filter out the `_module` key or
else it breaks prometheus.
2017-02-24 13:32:01 -06:00
Franz Pletz
4730993ca6 Merge pull request #23109 from dtzWill/update/neo4j
neo4j: update and fix JVM parameters in NixOS module
2017-02-23 19:02:32 +01:00
Franz Pletz
d508ef88f7 Merge pull request #23082 from mayflower/graylog_update
graylog: update + module plugin support
2017-02-23 17:42:57 +01:00
Franz Pletz
4905c1c54f
prosody service: needs working network connectivity 2017-02-23 16:07:41 +01:00
Franz Pletz
66f553974b
dhcpcd service: fix network-online.target integration
When dhcpcd instead of networkd is used, the network-online.target behaved
the same as network.target, resulting in broken services that need a working
network connectivity when being started.

This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
2017-02-23 16:07:40 +01:00
Will Dietz
bc15b4222b nixos/neo4j: Update to default JVM options from current release.
The options previously listed here were the defaults back in 2.1.x.
2017-02-23 08:41:29 -06:00
Tristan Helmich
7420922806 graylog module: add plugin support 2017-02-23 15:21:29 +01:00
Jörg Thalheim
0338817f62 vnstat: provide full path of "kill" in ExecReload 2017-02-21 09:26:25 +00:00
Anders Papitto
3d963c3e8f herbstluftwm module: add configFile option
based on the equivalent for i3
2017-02-21 05:46:13 +01:00
Ricardo M. Correia
d9ae886946 nixos.openntpd: don't spam systemd journal
Starting `ntpd` with the `-d` option spams the systemd journal.
Instead, let the server fork.
2017-02-20 22:35:51 +01:00
florianjacob
c23c2c50de munin service: listen on IPv6 loopback as well (#23012)
munin service: listen on IPv6 loopback as well
2017-02-20 06:13:48 +01:00
Arian van Putten
252fbbf2d2 mattermost sevice: JoinsNamespaceOf for local pgsql (#22899) 2017-02-20 04:43:04 +01:00
Joachim F
6dbe55ca68 Merge pull request #20456 from ericsagnes/feat/loaf-dep-1
Use attrsOf in place of loaOf when relevant
2017-02-19 15:49:25 +01:00
Joachim F
ecdfffd9fc Merge pull request #22433 from laMudri/xfwm-option
xfce: make xfwm optional
2017-02-19 15:26:07 +01:00
Ricardo M. Correia
f78f207f17 nixos.samba: add enableNmbd and enableWinbindd options
This allows for disabling these services, in case they are not needed.
2017-02-18 19:29:06 +03:00
Profpatsch
2b0469c48f modules/mpd: factor out name & mention man 5 mpd.conf 2017-02-18 16:03:16 +01:00
Vladimír Čunát
432dba859e
Merge branch 'staging'
A security update of libxml2 is within.
2017-02-18 08:59:29 +01:00
aszlig
08881b8cbe
taskserver: Remove taskserver from systemPackages
This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.

The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.

If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:46:05 +01:00
aszlig
c7bbb93878
taskserver: Pass configuration via command line
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disavantage that
once we change the real configuration file the store path is also a
different one.

So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.

Another problem is that we only added the include directive on the first
initalization, so whenever there is *any* configuration change, it won't
affect anything.

We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.

This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.

Instead we now have an attribute set that is mapped down to
configuration options.

Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.

So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
2017-02-17 19:45:58 +01:00
aszlig
78fe00da7c
taskserver: Allow helper tool in manual config
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.

One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.

Another advantage is that we now have an uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:55 +01:00
aszlig
32c2e8f4ae
taskserver/helpertool: Fix error message on export
The error message displays that a specific user doesn't exist in an
organisation, but uses the User object's name attribute to show which
user it was.

This is basically a very stupid chicken and egg problem and easily fixed
by using the user name provided on the command line.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:52 +01:00
Michele Guerini Rocco
5231d0ac29 bluetooth module: add option to power up bluetooth controller (#22685) 2017-02-17 19:44:04 +01:00
Matthew Daiter
336d6cc513 stanchion: remove ssl option 2017-02-17 13:24:51 +01:00
Nikolay Amiantov
8ecd5c4019 Merge pull request #22864 from abbradar/dbus-etc
Redo DBus configuration
2017-02-17 11:47:51 +03:00
Robin Gloster
6e12406e30
Revert "nginx: Format the config file"
This reverts commit e362a3d5c9.

See #22883
2017-02-16 22:45:00 +01:00
Thomas Tuegel
7c260ad2cc Merge pull request #22813 from benley/pam-kwallet
nixos: add optional pam_kwallet5 integration
2017-02-16 10:20:47 -06:00
Nikolay Amiantov
ac0cdc1952 dbus service: use makeDBusConf 2017-02-16 15:41:23 +03:00
Benjamin Staffin
463e90273f pam: add optional pam_kwallet5 integration 2017-02-16 02:26:42 -05:00
Kier Davis
5e3a26e07b
Fix typo introduced by #22677 2017-02-15 23:44:11 +00:00
Bjørn Forsman
d4e5bb34b7 nixos/geoip-updater: run as user 'geoip' instead of 'nobody'
That way 'nobody' is prevented from messing with the databases.
2017-02-15 23:25:27 +01:00
Franz Pletz
188526da3d
prometheus.blackboxExporter service: add CAP_NET_RAW
The blackbox-exporter for prometheus needs CAP_NET_RAW for sending icmp
probes.
2017-02-15 09:35:27 +01:00
Bjørn Forsman
a45821e7a8 nixos/cron: unbreak since new security.wrapper 2017-02-15 08:30:58 +01:00
Bjørn Forsman
aaac02f6c4 nixos/atd: unbreak after new security.wrappers
* convert list -> attrset
* 'atd' doesn't exist, 'at' does
2017-02-15 08:25:59 +01:00
Graham Christensen
7483ba0932
Revert "nix-daemon: default useSandbox to true"
This reverts commit d0a086770a.
2017-02-14 14:13:39 -05:00
Graham Christensen
3be1388963 Merge pull request #22767 from grahamc/sandbox-by-default
nix-daemon: default useSandbox to true
2017-02-14 13:57:44 -05:00
Parnell Springmeyer
9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen
d0a086770a
nix-daemon: default useSandbox to true 2017-02-13 18:06:01 -05:00
Rickard Nilsson
cda4a4dcfc nixos/grafana: Don't print password warning if no password has been set 2017-02-13 23:11:40 +01:00
Dan Peebles
e928cb1c63 ssm-agent NixOS module: init 2017-02-13 04:01:38 +00:00
Graham Christensen
84d4e4277c Merge pull request #22723 from benley/fix-sessions-with-sddm
Fix sessions with sddm.
2017-02-12 19:01:15 -05:00
Franz Pletz
f5a82e4714
gitlab service: fix database creation
Providing custom a username and database name was broken. They were
hardcoded to "gitlab".
2017-02-13 00:57:22 +01:00
Karn Kallio
8a1fcaf5bd Fix sessions with sddm. 2017-02-12 18:19:20 -05:00
Vladimír Čunát
31eba21d1d
virtualbox: force xorg-server-1.18 for now
This is getting a little hacky, but hopefully it won't break anything.
2017-02-12 21:07:49 +01:00
georgewhewell
94b28a8072 fix systemd.services.kube-proxy to use correct extraOpts 2017-02-12 15:06:59 +00:00
Bjørn Forsman
824d82fa0f nixos/geoip-updater: new service
The GeoIP databases from MaxMind have no stable URLs and change every
month (or so). Our current method of packaging these database in Nix and
playing catch-up with ever-changing file hashes is a bad idea. For
instance, it makes it impossible to realize old NixOS configurations.

This patch adds a NixOS service that periodically updates the GeoIP
databases in /var/lib/geoip-databases. Moving NixOS modules over can be
done in later patches.

I tried adding MD5 check, but not all databases have them, so i skipped
it. We are downloading over HTTPS though, it should be good. I also
tried adding zip support, but the first zip file I extracted had a
different filename inside than the archive name, which breaks an
assumption in this service, so I skipped that too.

Changes v9 -> v10:
  - Pass "--max-time" to curl to set upper bound on downloads (ensures
    no indefinite hanging if there's problem with networking).
    Timeout for network connectivity check: 60s.
    Timeout for geoip database (each): 15m.

Changes v8 -> v9:
  - Mention the random timer delay in the documentation for the
    'interval' option.

Changes v7 -> v8:
  - Add "RemainAfterExit=true" for the setup service, so it won't be
    restarted needlessly. (Thanks @danbst!)

Changes v6 -> v7:
  - Add --skip-existing flag to geoip-updater, which skips updating
    existing database files. Pass that flag when we run the service on
    boot (and on any NixOS configuration change).
    (IMHO, this is somewhat a workaround for systemd persistent timers
    not being triggered immediately when a timer has never expired
    before. But it does have the nice side effect of ensuring that the
    installed databases always correspond to the configured ones, since
    the service is now always run after configuration changes.)

Changes v5 -> v6:
  - Update database files atomically (per DB)
  - If a database is removed from the configuration, it'll be removed
    from /var/lib/geoip-databases too (on next run).
  - Add NixOS module assertion so that if user inputs non- .gz or .xz
    file there will be a build time error instead of runtime.
  - Run updater as user "nobody" instead of "root".
  - Rename NixOS service from "geoip-databases" to "geoip-updater".
  - Drop RemainAfterExit, or else the timer won't trigger the unit.
  - Bring back "curl --fail", or else we won't catch and log curl
    failures.

Changes v4 -> v5:
  - Add "GeoLite2-City.mmdb.gz" to default database list.

Changes v3 -> v4:
  - Remove unneeded geoip-updater-setup.service after adding
    'wantedBy = [ "multi-user.target" ]' directly to
    geoip-updater.service
  - Drop unneeded "Service" name from service descriptions.

Changes v2 -> v3:
  - Network may be down when starting from a cold boot, so try a few
    times. Possibly, if using systemd-networkd, it'll pass on the first
    try. But with default DHCP on NixOS, the service is started before
    hostnames can be resolved and thus we need a few extra seconds.
  - Add error handling and mark service as failed if fatal error.
  - Add proper syslog log levels.
  - Add RandomizedDelaySec=3600 to the timer to not put high load on the
    MaxMind servers. Suggested by @Mic92.
  - Set RemainAfterExit on geoip-updater.service instead of
    geoip-updater-setup.service. (The latter is only a proxy that pulls
    in the former service).

Changes v1 -> v2:
From Данило Глинський (Danylo Hlynskyi) <abcz2.uprola@gmail.com>:
  nixos/geoip-databases: add `databases` option and fix initial setup

  There were two great issues when using this service:
  - When you just enable service, databases aren't downloaded, they are
    downloaded when timer triggers. Fixed this with automatic download on
    first system activation.
  - When there is no internet, updater outputs nothing to logs, which is
    IMO misbehavior. Fixed this with removing `--fail` option, better be
    explicit here.
2017-02-12 15:07:34 +01:00
Graham Christensen
b1a05a0865
nixos: drop references to kde4
Excluding modules/programs/environment.nix for PATHand QT_PLUGIN_PATH to allow the programs to continue running.
2017-02-11 14:01:13 -05:00
Graham Christensen
3cec7d10df
kdm: drop service 2017-02-11 13:55:09 -05:00
Graham Christensen
c09004fba0 Merge pull request #22642 from grahamc/kde4-deprecate
kde4, kdm: mark services as deprecated
2017-02-11 10:17:15 -05:00
davidak
d4766e789b caddy: set file descriptor limit to 8192, fixes #22454
the value is recommended for production use
a warning is produced when not set
2017-02-11 01:44:29 +01:00
Graham Christensen
564e0c120b
kde4, kdm: mark services as deprecated 2017-02-10 17:35:52 -05:00
Profpatsch
ed8a0d8e5e modules/searx: add package option (#22636)
The user should be able to specify a patched version of searx.
2017-02-10 22:44:10 +01:00
Graham Christensen
b12564cc1b
nixos: update default cases from KDM/KDE4 to SDDM/KDE5 2017-02-09 21:52:00 -05:00
afranchuk
a5e041ac08 libreswan service: make EnvironmentFile optional (#22591)
Recent versions of libreswan seem to omit this file, but it may be added/changed in the future. It is silly to have the service fail because a file is missing that only enriches the environment.
2017-02-10 00:53:44 +01:00
Joachim F
ca8fb930b1 Merge pull request #22356 from Ekleog/redsocks
Redsocks
2017-02-09 22:39:43 +01:00
Léo Gaspard
7a32b96697 redsocks module: initialize
redsocks module: use separate user for redsocks daemon
2017-02-09 18:01:14 +01:00
Daniel Peebles
7439fe083f Merge pull request #22297 from nand0p/buildbot-0.9.3
buildbot: 0.9.0.post1 -> 0.9.3
2017-02-09 11:15:03 -05:00
Franz Pletz
65a1762a9b
nginx module: make acme group overrideable easily 2017-02-08 23:50:59 +01:00
Andrew Cann
3082647e74 trezord: init at 1.2.0 (#22054) 2017-02-08 17:18:22 +01:00
Graham Christensen
7db1f727f3
moodle: Remove due to continued security issues. 2017-02-08 09:10:45 -05:00
Franz Pletz
626540e32e Merge pull request #22524 from wizeman/u/chrony-impr
nixos.chrony: add extraFlags config option
2017-02-07 21:50:58 +01:00
Peter Simons
bfd7fe8ba5 nixos: fix taskserver module to evaluate properly when keys are managed manually 2017-02-07 18:35:41 +01:00
Ricardo M. Correia
9293f86bf2 nixos.chrony: remove generatecommandkey option
It's deprecated and no longer used.
2017-02-07 18:01:58 +01:00
Ricardo M. Correia
e3fce56047 nixos.chrony: add extraFlags config option 2017-02-07 18:01:57 +01:00
Jörg Thalheim
3aff6c07ab Merge pull request #22518 from wizeman/u/fix-chrony-conf
nixos.chrony: pass config file directly to daemon
2017-02-07 17:17:17 +01:00
Fernando J Pando
34b5c9a4de buildbot: 0.9.0.post1 -> 0.9.3
- Fixes unneeded patching
- Adds worker to build inputs now needed for tests
- Replaces enableworker option with worker configuration module
- Openssh required for tests
- Fixes worker hardcoded paths
- Tested on Nixos Unstable
2017-02-07 11:14:42 -05:00
Svein Ove Aas
e362a3d5c9 nginx: Format the config file 2017-02-07 16:19:11 +01:00
Ricardo M. Correia
af4e6f155e nixos.chrony: pass config file directly to daemon
This fixes an issue where `nixops deploy` wouldn't restart the chrony
service when the chrony configuration changed, because it wouldn't
detect that `/etc/chrony.conf` was a dependency of the chrony service.
2017-02-07 13:48:58 +01:00
Matthew Bauer
3a9a707fd4
emacs24macport: remove 2017-02-06 16:46:05 -06:00
Shea Levy
714fdb425a firewall: Fix check for rpfilter on manual-config kernels 2017-02-06 16:43:23 -05:00
Nikolay Amiantov
9beeee2717 Merge pull request #22431 from abbradar/postfix-local
postfix service: don't empty local_recipient_maps
2017-02-06 03:50:05 +03:00
Joachim Schiele
d491728653 httpd: added serviceExpression which extends the serviceType concept -> allows that httpd services can live outside of nixpkgs (#22269) 2017-02-06 01:08:58 +01:00
Nikolay Amiantov
52c7e647ab postfix service: don't empty local_recipient_maps
From Postfix documentation:

With this setting, the Postfix SMTP server will not reject mail with "User
unknown in local recipient table". Don't do this on systems that receive mail
directly from the Internet. With today's worms and viruses, Postfix will become
a backscatter source: it accepts mail for non-existent recipients and then
tries to return that mail as "undeliverable" to the often forged sender
address.
2017-02-06 01:41:27 +03:00
Joachim F
4459f26ad8 Merge pull request #22175 from dancek/illum
illum: init at 0.4
2017-02-05 16:41:30 +01:00
Shea Levy
67ef18d01a supplicant nixos module: Allow not specifying the configFile path 2017-02-05 06:50:20 -05:00
Nikolay Amiantov
90bc1a8595 Merge pull request #22353 from abbradar/bluetooth
Bluetooth improvements
2017-02-05 13:18:48 +03:00
Joachim Fasting
2628597e76
cjdns service: allow daemon to drop privileges
The service can run certain components with reduced privileges, but for
that it needs the setuid capability.
2017-02-05 04:54:26 +01:00
Joachim Fasting
a0338afe5f
cjdns service: allow writing keys to /etc
20e81f7c0d prevented key generation in
`preStart`, leaving the service broken for the case where the user has
no pre-existing key.

Eventually, we ought to store the state elsewhere so that `/etc` can be
read-only but for now we fix this the easy way.
2017-02-05 04:54:18 +01:00
Nikolay Amiantov
9a11dda5fd nfsd service: don't run exportfs
It's run by service already.
2017-02-05 03:17:38 +03:00
Nikolay Amiantov
5b043ea361 nfs service: create state directories 2017-02-05 03:17:38 +03:00
Hannu Hartikainen
d91b39b3f9 illum: init at 0.4 2017-02-04 20:22:51 +02:00
Joachim F
17cc22a619 Merge pull request #22225 from bachp/glusterfs-service
glusterfs: add service
2017-02-04 15:15:39 +01:00
laMudri
7c27554033 xfce: make xfwm optional 2017-02-04 11:55:01 +00:00
Tim Jaeger
83241c091d
gogs: fix error on push
Pushing to gogs only works if the `gogs` user's shell is `bash`. For error and
solution, refer to [this SO thread](http://stackoverflow.com/a/22315659)
2017-02-04 12:16:37 +01:00
rnhmjoj
a3ff62d48c namecoind: refactor nixos module 2017-02-03 20:06:45 +01:00
rnhmjoj
f7d49037a4
dnschain service: overhaul option interface & implementation
Closes https://github.com/NixOS/nixpkgs/pull/22041
2017-02-03 19:49:16 +01:00
Ricardo Ardissone
0bae18fb55 sane service: mention the lp group for printer+scanners 2017-02-03 20:54:04 +03:00
Nikolay Amiantov
230c97c944 Merge pull request #22303 from abbradar/nfs4
NFS improvements
2017-02-03 20:04:25 +03:00
Benjamin Staffin
53e6431d61 Merge pull request #22358 from yorickvP/asteriskupd
asterisk: add lts version
2017-02-03 02:30:34 -05:00
Pascal Bach
19759cfeab services: add GlusterFS service
This service is only limited in configuration options.
But it is sufficient to run glusterd and configure it using the gluster command
2017-02-02 23:16:52 +01:00
Daiderd Jordan
f87fb85259 Merge pull request #22376 from LumiGuide/wordpress-4.7.2
wordpress: 4.7.1 -> 4.7.2 (Security fix)
2017-02-02 19:30:36 +01:00
Daniel Peebles
ff8a21e03c Merge pull request #22348 from nand0p/hologram-module
hologram: 8d86e3f -> d20d1c3
2017-02-02 17:42:07 +01:00
Fernando J Pando
1d85e0bbab hologram: 8d86e3f -> d20d1c3
- Updates dependencies
- Adds configuration module
- Tested on Nixos Unstable
2017-02-02 11:31:42 -05:00
Bas van Dijk
5cc75352f8 wordpress: 4.7.1 -> 4.7.2
See: https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/
2017-02-02 16:41:32 +01:00
Yorick van Pelt
1b47bc9477 service.asterisk: add package option 2017-02-02 15:16:00 +01:00
Nikolay Amiantov
4abcef2ba1 bluez service: use upstream units 2017-02-02 00:52:54 +03:00
Tristan Helmich
24f3abdafb
Revert "Make services.xserver.xkbDir conflict free when overriden."
This reverts commit 82bcfef109.

cc @nbp

Fixes #22290, #22352.

Signed-off-by: Franz Pletz <fpletz@fnordicwalking.de>
2017-02-01 22:37:04 +01:00
Nikolay Amiantov
c34cfa21d4 Merge pull request #22343 from abbradar/dbus-etc
dbus service: use /etc/dbus-1 for configuration
2017-02-01 23:00:07 +03:00
Nikolay Amiantov
e0e9fddf56 nfsd service: use upstream systemd units
* Use /etc/nfs.conf as the recommended upstream way to configure services.
* Move server options to nfsd module.
2017-02-01 19:47:33 +03:00
Eelco Dolstra
9d6a55aefd
~/.nixpkgs -> ~/.config/nixpkgs
The former is still respected as a fallback for config.nix for
backwards compatibility (but not for overlays because they're a new
feature).
2017-02-01 16:07:55 +01:00
Nikolay Amiantov
72b3746266 dbus service: remove {system,session}.conf from config dir
They are already included by dbus from /run/current-system/sw/share/dbus-1.
2017-02-01 15:37:24 +03:00
Nikolay Amiantov
39344a36d3 dbus service: use /etc/dbus-1 for configuration
Also use upstream systemd units.
2017-02-01 15:03:22 +03:00
Franz Pletz
f96c3f1844 Merge pull request #22180 from mguentner/offline_ipfs
services: ipfs: separate system units, add offline mode
2017-02-01 03:41:31 +01:00
Nikolay Amiantov
876a6d7f03 rpcbind service: use upstream systemd unit 2017-02-01 02:45:19 +03:00
Peter Simons
10349e72b9 nixos: drop unused 'haskellPackages' option from ihaskell service
Closes https://github.com/NixOS/nixpkgs/issues/19039.
2017-01-31 22:38:01 +01:00
Benjamin Staffin
e01c15d433 nixos: if gnome3 is installed, build gvim for gtk3 too 2017-01-31 02:36:35 -05:00
Edward Tjörnhammar
b08524bf01
nixos: nylon, use named instances 2017-01-30 20:32:06 +01:00
Edward Tjörnhammar
e324c02aa5
nixos: i2pd, follow redirect 2017-01-29 18:00:58 +01:00
Parnell Springmeyer
6777e6f812
Merging with upstream 2017-01-29 05:54:01 -06:00
Parnell Springmeyer
628e6a83d0
More derp 2017-01-29 05:33:56 -06:00
Nicolas B. Pierron
82bcfef109 Make services.xserver.xkbDir conflict free when overriden. 2017-01-29 12:24:31 +01:00
Parnell Springmeyer
4aa0923009
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer
a8cb2afa98
Fixing a bunch of issues 2017-01-29 01:58:12 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Joachim F
ac1e65c302 Merge pull request #22230 from michaelpj/services/arbtt-fix-wanted-by
arbtt: multi-user.target does not exist in user systemd
2017-01-29 00:37:17 +01:00
Michael Peyton Jones
46c0da1818 arbtt: multi-user.target does not exist in user systemd 2017-01-28 14:29:19 +00:00
Franz Pletz
ae3fc70ede Merge pull request #22124 from mayflower/feature/frab
frab: init at 2016-12-28 & module
2017-01-27 17:15:05 +01:00
Dan Peebles
ced27b2966 fluentd module: add configurable package option 2017-01-27 15:08:23 +00:00
Guillaume Maudoux
29667f639c dbus: catch new services without reboot (#20871)
DBus daemon now loads its config from /run/current-system/dbus.
Reloading the daemon makes it re-read that file and catch the updates
after a system upgrade.
2017-01-27 14:46:13 +01:00
Maximilian Güntner
123dd9f4e7
services: ipfs: separate system units, add offline mode
Offline mode: When adding a lot of data, start this service.
It will will not flood the DHT since it only exposes the API.
When you are done simply reverse the process.
2017-01-27 00:27:50 +01:00
Parnell Springmeyer
a26a796d5c
Merging against master - updating smokingpig, rebase was going to be messy 2017-01-26 02:00:04 -08:00
Parnell Springmeyer
025555d7f1
More fixes and improvements 2017-01-26 00:05:40 -08:00
Franz Pletz
fbf762e0b7
frab module: init 2017-01-25 23:58:21 +01:00
Robin Gloster
117e5547d1 Merge pull request #21311 from makefu/services/logstash
services.logstash: default options, examples and address update
2017-01-25 22:11:40 +01:00
Shaun Sharples
462ef74442 factorio: remove autosave-interval from command-line options 2017-01-25 21:39:37 +01:00
Shaun Sharples
7f358917ee factorio: settings moved from command-line options to server-settings.json 2017-01-25 21:39:37 +01:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Vladimír Čunát
278bbe3b33
add kresd service with basic options
Still celebrating today's 1.2.0 release!
2017-01-25 18:46:28 +01:00
Bob van der Linden
d9987f360a nginx: added serverName option for virtualHosts
This allows overriding the `server_name` attribute of virtual
hosts. By doing so it is possible to have multiple virtualHost
definitions that share the same `server_name`. This is useful in
particular when you need a HTTP as well as a HTTPS virtualhost: same
server_name, different port.
2017-01-25 14:55:55 +01:00
Franz Pletz
b9b95aa4d4 Merge pull request #22034 from mayflower/conntrack-helpers
Disable conntrack helper autoloading by default
2017-01-25 14:18:41 +01:00