The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.
After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
Absolute path is required when one has such postfix configuration
where he/she needs to specify the actual (real) path to active dovecot
config.
Without this commit applied, the dovecot is running in such way:
/nix/store/hashAAA-dovecot-ver/sbin/dovecot -F -c /nix/store/hashBBB-dovecot2.conf
and postfix can't be aware of the value of "hashBBB" via services.postfix.extraConfig = '' ... '';
(it can only be aware of "hashAAA" with ${pkgs.dovecot} parameter)
Also enable Restart on-failure.
Edit: set RestartSec to 1s
Now that dbus reload has been moved before restarting units,
the reload may fail if dbus has been stopped before.
The reload-or-restart will reload dbus if it's active,
otherwise start it.
Generating the file was refactored to be completely in nix.
Functionally it should create the same content as before,
only adding the newlines.
CC recent updaters: @aszlig, @rickynils.
This reverts commit 766207ca1d.
We need to solve the problem with `environment.profileRelativeEnvVars`.
The best workaround is to make profileRelativeEnvVars prepend paths.
This patch fixes the AppArmor profile path clause and adds
(currently ignored) network rules.
The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy,
but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink
to bin), which permitted the service to run unconfined.
Adding the network rules has no effect other than improving correctness,
as the version of AppArmor in the NixOS kernel fails to enforce network
rules.
postfix 2.11 is much more humane with respect to disk writes since it uses
sockets (which do not change inodes on accesses) instead of fifos (which do).
Added configurations to `bumblebee` package to easy multiple monitors on Optimus
machines.
The behaviour of the default `bumblebee` package hasn't change, so this change
is backwards compatible. Users who want to connect a monitor to their discrete
card should use the package `bumblebee_display` instead.
Also added new configuration option to nixos bumblebee module:
```
hardware.bumblebee.connectDisplay = true
```
will enable the new configuration, but the default is still false.
During install, the bootloader script gets run inside a chroot after the
/etc/group bind-mount is unmounted. Since we're not doing any building,
this should be safe, but really nix should just not care if the group
does not exist when no build is needed.
Fixes#5494
Since the 4.2.8 upgrade, ntpd is broken on NixOS:
Dec 28 19:06:54 hagbard ntpd[27723]: giving up resolving host 1.nixos.pool.ntp.org: Servname not supported for ai_socktype (-8)
This appears to be because DNS resolution doesn't work in chroots
anymore (due to /etc being missing). So disable chroots for now. It's
probably better to use systemd's containment facilities anyway.
Tested on KDE4, fixed with xfce, and was used with GNOME before.
CC @lethalman.
I did not test e19, as it won't build, probably due to #5392 @shlevy.
CC maintainer @matejc.
Also removed a forgotten unused patch.
Commit 939edb1 reintroduced autoStart, but instead of creating a list of
units for the wantedBy list with optional it became a list of lists of
units.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Added attributes to nixos/tests/mesos.nix to verify that mesos-slave
attributes work. If the generated attributes are invalid, the daemon
should fail to start.
Change-Id: I5511245add30aba658b1af22cd7355b0bbf5d15c
This reverts commit 5d67b17901.
The issues have been resolved by ac603e208c.
Tested this with hostonlyifs and USB support with extension pack.
Conflicts:
nixos/modules/programs/virtualbox-host.nix
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Tested-by: Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>
IMHO, having a short timeout (1h) defeats the point of using
ssh-agent, which is not to have to retype passphrases all the time. Of
course, users who want timeouts can set programs.ssh.agentTimeout.
This restores the 14.04 behaviour.
Because we have to rely on setuid wrappers on NixOS, we can't easily
hardcode the executable paths and set it 4755. So for all calls, we need
to change the runtime path executable directory to /var/setuid-wrappers/
and for verification we need to retain the executable directory.
Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL
and VBoxVolInfo don't reside in directories that are commonly in PATH,
but in /usr/lib/virtualbox in most mainstream distros. But because the
names of these executables are distinctive enough to not cause
collisions with other setuid programs, I'll leave it like that and not
patch up setuid-wrappers.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
/run/opengl-drivers should contain only libGL-related libraries, not
stuff like udev. Injecting anything into LD_LIBRARY_PATH is dangerous
because it can break applications that expect a different version of
the library.
Caused by eef9a8ac2a. Fixes#5371.
- Move lgi to luaPackages
- Use luaPackages in awesome and passthru lua
- Allow to pass lua modules to the awesome WM so that those can be used in the configuration
The warning was displayed whenever services.virtualboxHost.enable was
true, but if people were to enable hardening, they'd still get that
annoying message.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Creates unnecessary cruft in the root users home directory, which we
really don't need. Except the log, but therefore we now cat the log to
stderr and the private temporary directory is cleaned up afterwards.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current options for the XServer produce a huge amount of log messages. The
server produces around 70-80 messages per minute. The most messages look like
this:
display-manager-start[1846]: GetModeLine - scrn: 0 clock: 75200
display-manager-start[1846]: GetModeLine - hdsp: 1366 hbeg: 1414 hend: 1478 httl: 1582
display-manager-start[1846]: vdsp: 768 vbeg: 772 vend: 779 vttl: 792 flags: 9
Since theses messages aren't very useful, I propose to remove the `-logverbose`
and `-verbose` options from the XServer arguments.
This should display a big fat warning that people can hardly miss until
we have fixed the issues with the host-only-interfaces that persist when
hardining is enabled.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Hardening mode in VirtualBox is quite restrictive and on some systems it
could make sense to disable hardening mode, especially while we still
have issues with hostonly networking and other issues[TM] we don't know
or haven't tested yet.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It turns out that installing therubytracer, with dependency on old v8, even
when using source libv8 version is problematic.
(see
http://stackoverflow.com/questions/21666379/problems-installing-gitlab-on-odroid-v8-lib-not-available).
But wait, rails does not even need therubytracer, just any kind of javascript
server side execution framework like nodejs. Well just use that, as also
suggested from different internet sources (look link above), it works just
fine.
We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!
Fixes#5283.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I had to make several adjustments to make it work with nixos:
* Replace relative config file lookups with ENV variable.
* Modify gitlab-shell to not clear then environment when running
pre-receive.
* Modify gitlab-shell to write some environment variables into
the .authorized_keys file to make sure gitlab-shell reads the
correct config file.
* Log unicorn output to syslog.
I tried various ways of adding a syslog package but the bundler would
not pick them up. Please fix in a better way if possible.
* Gitlab-runner program wrapper.
This is useful to run e.g. backups etc. with the correct
environment set up.
Since we're using HTTPS for the binary cache (introduced in faf0797) by
default, the binary cache should also be available during installation.
The file that is defined in SSL_CERT_FILE outside of the chroot is
copied over to /tmp/ca-cert.crt inside the chroot, so we have an
absolute path we can reference during nixos-install. However, this might
end up with the file not being cleaned up properly from outside of the
store, but neither would be /tmp/root so the cleanup issue needs to be
solved in another place (or commit to be more exact).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current nixos module for VirtualBox unconditionally configures a vboxnet0
network interface at boot. This may be undesired, especially when the user wants
to manage network interfaces in a centralized manner.
- Create container nixos profile
- Create lxc-container nixos config using container nixos profile
- Docker nixos image, use nixos profile for its base config
The default configuration installed the Bitstream Vera fonts, but DejaVu
is a superior replacement, and the default Fontconfig settings need it
now for the generic faces monospace, sans-serif, and serif.
Details:
* The option `fonts.fontconfig.ultimate.enable` can be used to disable
the fontconfig-ultimate configuration.
* The user-configurable options provided by fontconfig-ultimate are
exposed in the NixOS module: `allowBitmaps` (default: true),
`allowType1` (default: false), `useEmbeddedBitmaps` (default: false),
`forceAutohint` (default: false), `renderMonoTTFAsBitmap` (default:
false).
* Upstream provides three substitution modes for substituting TrueType
fonts for Type 1 fonts (which do not render well). The default,
"free", substitutes free fonts for Type 1 fonts. The option "ms"
substitutions Microsoft fonts for Type 1 fonts. The option "combi"
uses a combination of Microsoft and free fonts. Substitutions can also
be disabled.
* All 21 of the Infinality rendering modes supported by fontconfig-ultimate
or by the original Infinality distribution can be selected through
`fonts.fontconfig.ultimate.rendering`. The default is the medium style
provided by fontconfig-ultimate. Any of the modes may be customized,
or Infinality rendering can be disabled entirely.
Details:
* The option `fonts.enableFontConfig` has (finally) been renamed
`fonts.fontconfig.enable`.
* Configurations are loaded in this order: first the Fontconfig-upstream
configuration is loaded, then the NixOS-specific font directories are
set, the system-wide default configuration is loaded, and finally the
user configuration is loaded (if enabled).
* The NixOS options `fonts.fontconfig.defaultFonts.monospace`,
`fonts.fontconfig.defaultFonts.sansSerif` and
`fonts.fontconfig.defaultFonts.serif` are added to allow setting the
default system-wide font used for these generic faces. The defaults
are the appropriate faces from the DejaVu collection because of their
comprehensive Unicode coverage, clean rendering, and excellent
legibility.
* The NixOS option `fonts.fontconfig.antialias` can be used to disable
antialiasing (it is enabled by default).
* The options `fonts.fontconfig.subpixel.rgba` and
`fonts.fontconfig.subpixel.lcdfilter` control the system-wide default
settings for subpixel order and LCD filtering algorithm,
respectively.
* `fonts.fontconfig.hinting.enable` can be used to disable TrueType font
hinting (it is enabled by default).
`fonts.fontconfig.hinting.autohint` controls the FreeType autohinter.
`fonts.fontconfig.hinting.style` controls the hint style; it is "full"
by default.
* User configurations can be disabled system-wide by setting
`fonts.fontconfig.includeUserConf = false`. They are enabled by
default so users can set Fontconfig options in the desktop environment
of their choice.