Commit Graph

21214 Commits

Author SHA1 Message Date
Martin Weinelt
f1e7183f69
nixos/tests/zigbee2mqtt: relax DevicePolicy and log systemd-analye security 2021-04-30 19:42:26 +02:00
Martin Weinelt
a691549f7e
nixos/zigbee2mqtt: harden systemd unit
This is what is still exposed, and it allows me to control my lamps from
within home-assistant.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                  0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                              0.1
✗ MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                              0.1

→ Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
2021-04-30 19:42:26 +02:00
Martin Weinelt
e0f1e1f7bf
nixos/zigbee2mqtt: convert to rfc42 style settings 2021-04-30 19:42:26 +02:00
Kim Lindberger
fdd6ca8fce
Merge pull request #118898 from talyz/gitlab-memory-bloat
nixos/gitlab: Add options to tame GitLab's memory usage somewhat
2021-04-30 16:58:30 +02:00
Michael Weiss
28b8cff301
nixos/tests/cage: Fix the test with wlroots 0.13
See #119615 for more details. The aarch64-linux test failed with
"qemu-system-aarch64: Virtio VGA not available" so I've restricted the
test to x86_64-linux (the virtio paravirtualized 3D graphics driver is
likely only available on very few platforms).
2021-04-30 15:57:04 +02:00
Sandro
a73342b7ce
Merge pull request #120637 from andreisergiu98/ombi-update 2021-04-30 12:57:15 +02:00
Peter Hoeg
82c31a83b8 nixos/module: example referenced old ffmpeg 2021-04-30 09:43:18 +08:00
Michael Weiss
af99194379
nixos/tests/cage: Increase the xterm font size to fix the test
The result still looks far from ideal but at least it gets recognized
now. "-fa Monospace" is required to switch to a font from the FreeType
library so that "-fs 24" works.

Note: Using linuxPackages_latest is not required anymore.
2021-04-29 21:08:10 +02:00
Lassulus
addfd88117
Merge pull request #117072 from em0lar/keycloak-module-dbuser
nixos/keycloak: use db username in db init scripts
2021-04-29 20:15:19 +02:00
Leo Maroni
d9e18f4e7f
nixos/keycloak: use db username in db init scripts 2021-04-29 19:36:29 +02:00
Kim Lindberger
abecdfea73
Merge pull request #120833 from talyz/pipewire-0.3.26
pipewire: 0.3.25 -> 0.3.26
2021-04-29 18:46:35 +02:00
Florian Klink
7f9a5ad257
cage: drop maintainership (#121174)
I cannot currently maintain this, as I don't have access to the hardware
running it anymore.
2021-04-29 18:07:13 +02:00
WilliButz
674cea17a7
Merge pull request #120492 from SuperSandro2000/prometheus-unbound-exporter
Prometheus unbound exporter
2021-04-29 10:54:22 +02:00
Vladimír Čunát
5b0871bd97
Merge #120493: nixos/kresd: allow package to be configured 2021-04-29 10:41:12 +02:00
Andrei Pampu
e88bf5f13b
nixos/ombi: set ombi as system user 2021-04-29 10:52:02 +03:00
Sandro Jäckel
d3fe53a8a6
nixos/tests/prometheus-exporters: nixpkgs-fmt 2021-04-29 06:19:31 +02:00
Sandro Jäckel
da858b16b8
nixos/tests/prometheus-exporters: add unbound test
Author: WilliButz <willibutz@posteo.de>
2021-04-29 06:19:30 +02:00
Sandro Jäckel
ba13dc0652
nixos/prometheus: add unbound exporter 2021-04-29 06:19:29 +02:00
Peter Hoeg
6d23cfd56b nixos/pcscd: fix #121088 2021-04-29 10:10:18 +08:00
Peter Hoeg
ce93de4f62 nixos/hyperv: bail gracefully if device is missing 2021-04-29 09:37:17 +08:00
Luke Granger-Brown
f64e68e09b
Merge pull request #120071 from johanot/ceph-16
ceph: 15.2.10 -> 16.2.1
2021-04-29 00:03:45 +01:00
Alyssa Ross
a8afbb45c1 treewide: use lib.warnIf where appropriate 2021-04-28 21:44:21 +00:00
Martin Weinelt
de5a69c918
nixos/promtail: Set TimeoutStopSec=10
On reboots and shutdowns promtail blocks for at least 90 seconds,
because it would still try to deliver log messages for loki, which isn't
possible when the network has already gone down.

Upstreams example unit also uses a ten seconds timeout, something which
has worked pretty well for me as well.
2021-04-28 21:02:11 +02:00
John Ericson
74f3ae80dc
Merge pull request #120439 from wamserma/arg-usage-release-nix
nixos: use supportedSystems instead of hardcoded list for netboot
2021-04-28 00:11:22 -04:00
Aaron Andersen
45eb9c21ee
Merge pull request #119672 from chessai/init-duckling-service
init duckling service
2021-04-27 20:58:28 -04:00
Samuel Dionne-Riel
1f4dedfa64
Merge pull request #120667 from samueldr/fix/grub1-test
nixosTests.installer: Fix grub1 test being unreliable
2021-04-27 19:32:13 -04:00
Izorkin
8723d226b4 nixos/mastodon: update SystemCallFilters 2021-04-28 00:44:25 +02:00
Vladimír Čunát
a4749b11d4
nixos/kresd.package: improve the generated docs 2021-04-27 21:38:30 +02:00
chessai
e47e2a1b9f init duckling service 2021-04-27 10:41:07 -07:00
talyz
1215bd4ea9
Revert "nixos/tests/gitlab: add 32 byte secrets"
This reverts commit d6e0d38b84.

We need shorter secrets to continue working, since the earlier
recommendation was too short and there's no way to rotate the them.
2021-04-27 18:08:59 +02:00
talyz
7a67a2d1a8
gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-04-27 17:49:43 +02:00
talyz
fb86d324d1
pipewire: Add update script 2021-04-27 16:50:22 +02:00
ajs124
39a51c9923
Merge pull request #118338 from Izorkin/update-nginx-zlib-ng
nginx: update to 1.20.0, replace zlib to zlib-ng
2021-04-27 16:36:25 +02:00
talyz
6edd102013
pipewire: Fix tests 2021-04-27 12:41:35 +02:00
talyz
24320ba1dd
pipewire: 0.3.25 -> 0.3.26 2021-04-27 12:41:30 +02:00
Luke Granger-Brown
825a9ad1f9
Merge pull request #120286 from lukegb/hibernate-install
nixos/tests/hibernate: install a system instead
2021-04-26 18:00:41 +01:00
Robert Schütz
e22d76fe34
Merge pull request #120520 from minijackson/jellyfin-remove-10.5
jellyfin_10_5: remove unmaintained version
2021-04-26 17:16:43 +02:00
Minijackson
2ad8aa72ae
jellyfin_10_5: remove unmaintained version
This version contains a vulnerability[1], and isn't maintained. The
original reason to have two jellyfin versions was to allow end-users to
backup the database before the layout was upgraded, but these backups
should be done periodically.

[1]: <https://nvd.nist.gov/vuln/detail/CVE-2021-21402>
2021-04-26 14:11:29 +02:00
Lassulus
ee04d772e4
Merge pull request #120489 from samueldr/fix/make-disk-image-auto-size
Fix make disk image automatic size
2021-04-26 10:34:15 +02:00
Lassulus
cdddbf59ea
Merge pull request #120251 from mschwaig/fix-make-disk-image-for-efi-2
make-disk-image: fix broken EFI image builds
2021-04-26 10:04:00 +02:00
Samuel Dionne-Riel
7d112134de nixosTests.installer: Fix grub1 test being unreliable
The kernel sometimes assigns `/dev/sdb` to the 8GiB disk. This, in turn,
means the test will fail because we're targeting the wrong disk.

```
machine # [    0.000000] sd 2:0:0:0: [sda] 16777216 512-byte logical blocks: (8.59 GB/8.00 GiB)
machine # [    0.000000] sd 3:0:0:0: [sdb] 1048576 512-byte logical blocks: (537 MB/512 MiB)
```

```
machine # [    0.000000] sd 2:0:0:0: [sdb] 16777216 512-byte logical blocks: (8.59 GB/8.00 GiB)
machine # [    0.000000] sd 3:0:0:0: [sda] 1048576 512-byte logical blocks: (537 MB/512 MiB)
```

Note how the "sd x:0:0:0:` ID is stable. That is because QEMU **is**
told to give specific identifiers to the disks. So using the
dev/disk/by-id/ identifiers is stable.

* * *

Tested by forcing the sda/sdb swap this way:

    diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
    index 24c55081f9a..2eee224351b 100644
    --- a/nixos/tests/installer.nix
    +++ b/nixos/tests/installer.nix
    @@ -702,12 +702,19 @@ in {
               + " mkpart primary linux-swap 1M 1024M"
               + " mkpart primary ext2 1024M -1s",
               "udevadm settle",
    +      )
    +      print(machine.succeed("find /dev/disk/ '!' -type d -printf '%p → %l\n' | sort"))
    +      machine.succeed(
               "mkswap ${grubDevice}-part1 -L swap",
               "swapon -L swap",
               "mkfs.ext3 -L nixos ${grubDevice}-part2",
               "mount LABEL=nixos /mnt",
               "mkdir -p /mnt/tmp",
           )
    +      machine.succeed("echo success")
    +      machine.succeed(
    +          'if [[ "$(find ${grubDevice} -printf \'%l\')" != "../../sdb" ]]; then exit 22; else true; fi'
    +      )
         '';
         grubVersion = 1;
         # /dev/sda is not stable, even when the SCSI disk number is.

And ran this way:

     $ until (clear; tmux clear ; time env -i nix-build nixos/release-combined.nix -A nixos.tests.installer.grub1.x86_64-linux); do echo derp; done
2021-04-25 19:59:29 -04:00
Martin Schwaighofer
f20ae954d5 make-disk-image: fix broken EFI image builds
Work around missing /dev files inside runInLinuxVM by creating a
symlink before calling nixos-enter.

This fixes https://github.com/NixOS/nixpkgs/issues/93381.
I ran into this issue when trying to create a VMware image that boots from EFI.

Thanks @colemickens for reporting this and @danielfullmer for fixing the same thing in in qemu-vm.nix (37676e77cb) and explaining what the issue was.
2021-04-26 01:12:10 +02:00
Samuel Dionne-Riel
7b8b3fab6d make-disk-image: Round image size to the next mebibyte
This ensures the following gptfdisk warning won't happen:

```
Warning: File size is not a multiple of 512 bytes! Misbehavior is likely!
```

Additionally, helps towards aligning the partition to be more optimal
for the underlying storage.

It is actually impossible to align for the actual underlying storage
optimally because we don't know what the block device will be!

But aligning on 1MiB should help.
2021-04-25 15:24:45 -04:00
Michele Guerini Rocco
e035c1b417
Merge pull request #119952 from attila-lendvai/extraLayouts
nixos/doc/manual: refine extraLayouts, add warnings an test commands
2021-04-25 21:06:49 +02:00
Luke Granger-Brown
ed83f6455c
Merge pull request #119443 from ambroisie/add-podgrab
Add podgrab package and module
2021-04-25 14:12:40 +01:00
Frederik Rietdijk
c648f7ee2a Merge master into staging-next 2021-04-25 13:54:29 +02:00
Luke Granger-Brown
0cc25061b0
Merge pull request #114240 from sorki/containers/nested
nixos/nixos-containers: default boot.enableContainers to true
2021-04-25 11:37:01 +01:00
Luke Granger-Brown
2136e90fa3
Merge pull request #114637 from KaiHa/pr/fix-systemd-boot-builder
systemd-boot-builder.py: ignore profile names with invalid chars
2021-04-25 11:35:00 +01:00
Luke Granger-Brown
30ab5fb006
Merge pull request #107604 from pkern/exim
nixos/exim: Make queue runner interval configurable and reduce it to 5m by default
2021-04-25 11:15:17 +01:00
Luke Granger-Brown
2fa2e63932
Merge pull request #103902 from pkern/spamassassin
nixos/spamassassin: Avoid network dependency on boot
2021-04-25 11:14:57 +01:00