Commit Graph

12039 Commits

Author SHA1 Message Date
worldofpeace
9d6fc7ad04 nixos/file-roller: init 2019-01-18 15:04:36 -05:00
Matthew Bauer
1ff9a93e1c nixos/doc: bs=1000000 for dd args (#54280)
Not all dd implementations take ‘bs=1m’. Better to just list it out
fully to reduce potential for problems.

Fixes #54181.
2019-01-18 19:19:00 +02:00
buffet
5c06a4a30c Updated default DM 2019-01-18 18:11:00 +01:00
Florian Klink
4f11c06fac programs.ssh.knownHosts: update example to be an attrset
We shouldn't encourage using a list here, but prefer the attrset.
Using a list here causes very unintuitive effects during merging.
2019-01-18 15:33:07 +01:00
step21
586bbd20e8 nixos/nixpkgs: virtualbox docs update (#54247) 2019-01-18 09:22:15 +00:00
Peter Hoeg
9f5b5fee9c
Merge pull request #48101 from peterhoeg/f/pykms_master
nixos pykms: run via DynamicUser
2019-01-18 15:52:12 +08:00
Peter Hoeg
eaa665e243
Merge pull request #53495 from peterhoeg/p/zm
zoneminder: init at 1.32.3 and add NixOS module
2019-01-18 15:49:28 +08:00
Julien Moutinho
65cfba23af nixos/tests: test LDAP password changing through nslcd
NOTE: slapd.conf is deprecated, hence use cn=config.
2019-01-18 05:13:42 +01:00
danbst
34a764ce87 zramSwap: remove basic.target for zram devices
This creates a dependency cycle when used with boot.tmpOnTmpfs:
basic.target <- tmp.mount <- swap.target <- zram-init-dev0 <- basic.target

This same fix is done already for tmp.mount

Fixes https://github.com/NixOS/nixpkgs/issues/47474
2019-01-17 21:18:45 +02:00
Robin Stumm
429c0bf60c nixos/mysql: fix option ensureDatabases
The database name needs to be quoted
in case it contains special characters
so the MySQL service does not fail to start.
2019-01-17 19:08:50 +01:00
Jan Tojnar
23c1a234dc
Merge pull request #54124 from jtojnar/remove-packages-by-name
nixos/desktops: deduplicate removePackagesByName
2019-01-17 16:05:14 +01:00
danbst
8d8a7210e4 zramSwap: allow configure compression algorithm + cleanups
- add `zramSwap.algorithm` option, which allows to change compressor
declaratively. zstd as default
- add `zramSwap.swapDevices` option, which allows to define how many zram
devices will be used as swap. Rest devices can be managed freely
- simpler floating calculations
- fix udev race condition
- some documentation changes
- replaced `/sys/block/zram*` handling with `zramctl`, because I had occasional
"Device is busy" error (looks like zram has to be configured in predefined order)
- added `memoryPercent` and `algorithm` as restart triggers. I think, it was
a bug that changing `memoryPercent` in configuration wasn't applied immediately.
- removed a bind to .swap device. While it looks natural (when swap device goes
off, so should zram device), it wasn't implemented properly. This caused problems
with swapon/swapoff:
```
$ cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/zram0                              partition       8166024 0       -2
/var/swapfile                           file            5119996 5120    1

$ sudo swapoff -a

$ sudo swapon -a
swapon: /dev/zram0: read swap header failed

$ cat /proc/swaps
Filename                                Type            Size    Used    Priority
/var/swapfile                           file            5119996 0       1
```
2019-01-17 15:58:53 +02:00
Danylo Hlynskyi
23a13b562c
kernel config: add support for CONFIG_SQUASHFS_ZSTD (#52967)
Also, allow override `make-squashfs.nix` compression parameters.
2019-01-17 15:24:44 +02:00
Jörg Thalheim
a6b97bd1bb
Merge pull request #42183 from kisik21/master
nixos/stage-1, nixos/f2fs: added F2FS resizing
2019-01-17 07:42:32 +00:00
Jan Tojnar
bedc81fcb6
nixos/desktops: deduplicate removePackagesByName
GNOME, MATE and LxQt all use removePackagesByName. Let’s move it to a single
place, rename the attributes to meaningful name and add docs.
2019-01-17 07:13:25 +01:00
Maximilian Bosch
003132c2dd
nixos/prometheus: make source_labels optional
It's possible to skip `source_labels` entirely, an example for this is
the blackbox exporter configuration:

https://github.com/prometheus/blackbox_exporter#prometheus-configuration
2019-01-16 14:01:43 +01:00
Vladyslav M
95a0e24381
Merge pull request #53952 from Ma27/improve-gitea-module
nixos/gitea: minor fixes
2019-01-15 23:55:16 +02:00
gnidorah
30ff54c348 way-cooler: 0.8.0 -> 0.8.1 (#53220) 2019-01-15 23:05:17 +02:00
Peter Hoeg
982354284d zoneminder (nixos): add basic module 2019-01-15 21:27:45 +08:00
Peter Hoeg
9260623a18 zoneminder: add user for NixOS 2019-01-15 21:27:45 +08:00
Robert Hensing
db70173627 Revert "nixos/modules/misc/nixpkgs.nix: Use pure Nixpkgs function"
As a workaround for #51025 and
https://github.com/NixOS/nix/issues/1232

This reverts commit 5f894a67f5.
2019-01-15 13:11:09 +01:00
Claudio Bley
4dbf45bc5e programs/nano: Generate nanorc if syntaxHighlight enabled
* prepend a newline to the `include` directive
* generate the nanorc by default, since `cfg.syntaxHighlight` is `true`
2019-01-14 23:27:04 +01:00
Linus Heckemann
783f2c84e8 nixos/zfs: autoscrub only after boot is complete
Fixes #53583
2019-01-14 21:00:20 +01:00
Franz Pletz
d947944d70
Merge pull request #53962 from elseym/sonarr
sonarr service: add more options to module
2019-01-14 19:33:58 +00:00
elseym
44e1aabd02
nzbget service: fix preStart script and add more options to module 2019-01-14 20:30:44 +01:00
elseym
31ad79f432
sonarr service: add more options to module 2019-01-14 20:30:10 +01:00
Maximilian Bosch
f90bd42c89
nixos/gitea: add git to the service path
Otherwise commands like `git push` will fail if the machine doesn't have
git installed.
2019-01-14 16:04:02 +01:00
Maximilian Bosch
ad3a50e25b
nixos/gitea: add option to disable registration
Although this can be added to `extraOptions` I figured that it makes
sense to add an option to explicitly promote this feature in our
documentation since most of the self-hosted gitea instances won't be
intended for common use I guess.

Also added a notice that this should be added after the initial deploy
as you have to register yourself using that feature unless the install
wizard is used.
2019-01-14 16:04:02 +01:00
Franz Pletz
ca0639837c
Merge pull request #53871 from elseym/fix-container-extraveths
nixos/containers: explicitly set link up on host for extraVeths
2019-01-14 03:59:19 +00:00
Vladimír Čunát
9d16949d42
nixos manual: fix a typo that made it invalid XML
The problem was merge to master in the bfbadab4 commit.
2019-01-13 23:23:32 +01:00
Jörg Thalheim
bfbadab4a4
Merge pull request #53801 from Mic92/nixos-builders
nixos-rebuild: allow to override builders
2019-01-13 21:59:43 +00:00
Jan Tojnar
e35acd7f1c gnome3: link nautilus-python paths to environment 2019-01-13 17:43:33 +01:00
Profpatsch
c8c53fcb11 modules/profiles/minimal: sound is disabled by default
The option is `false` by default since
e349ccc77f, so we don’t need to mention
it explicitly in these minimal configs.
2019-01-13 13:47:36 +01:00
elseym
8a8bf886b5
nixos/containers: explicitly set link up on host for extraVeths 2019-01-13 11:27:39 +01:00
Vladimír Čunát
570d84a01e
Merge branch 'staging-next' 2019-01-13 00:39:38 +01:00
Silvan Mosberger
497e6f1705
Merge pull request #51661 from eonpatapon/testing-hosts
test: set machines fqdn in /etc/hosts
2019-01-12 20:41:13 +01:00
Frederik Rietdijk
9f827d66f5
Update nixos/doc/manual/man-nixos-rebuild.xml
Co-Authored-By: Mic92 <Mic92@users.noreply.github.com>
2019-01-12 18:26:00 +00:00
Frederik Rietdijk
f45195fb44
Update nixos/doc/manual/man-nixos-rebuild.xml
Co-Authored-By: Mic92 <Mic92@users.noreply.github.com>
2019-01-12 18:25:52 +00:00
Samuel Dionne-Riel
2646a64fbc
Merge pull request #53827 from samueldr/feature/data-in-logs
tests: Logs timing in tests
2019-01-12 12:54:56 -05:00
Samuel Dionne-Riel
3b68ddb6fe
Merge pull request #53828 from samueldr/feature/double-alarm-time
tests: Wait for shell for twice as long (10m)
2019-01-12 12:08:14 -05:00
Vladimír Čunát
bde8efe792
Merge branch 'master' into staging-next
A couple thousand rebuilds have accumulated on master.
2019-01-12 12:19:34 +01:00
Samuel Dionne-Riel
b28b37eb00 tests: Wait for shell for twice as long (10m)
See #49441 for an earlier attempt, which was subsequently reverted. I am
assuming that doubling the time will be sufficient if the machine is
overloaded since so many of the tests already pass at 5 minutes, while
still not holding back failures for needlessly long.
2019-01-11 22:40:19 -05:00
Samuel Dionne-Riel
5d93e2c01c test-driver: Logs time taken for nests 2019-01-11 22:36:31 -05:00
Samuel Dionne-Riel
1fe0018df8 test-driver: Adds time it took to connect to guest in logs
This will make it possible to track whether the time is generous or not
when ran on hydra.
2019-01-11 22:36:31 -05:00
Joachim F
8ffae68b22
Merge pull request #53806 from pbogdan/krb-test-eval
nixos/tests/kerberos: fix evaluation
2019-01-11 17:09:38 +00:00
Eelco Dolstra
94ea1c2d83
nix: 2.1.3 -> 2.2 2019-01-11 12:47:06 +01:00
Jörg Thalheim
e40bfa4d85
nixos-rebuild: allow to override builders
Since nix 2.0 the no-build-hook option was replaced by the builders options
that allows to override remote builders ad-hoc.
Since it is useful to disable remote builders updating nixos without network,
this commit reintroduces the option.
2019-01-11 11:40:25 +00:00
Piotr Bogdan
cfc281f571 nixos/tests/kerberos: fix evaluation 2019-01-11 04:36:51 +00:00
Maximilian Bosch
44a80294f7
Merge pull request #53746 from zaninime/patch-1
nexus: 3.12.1 -> 3.14.0-04
2019-01-10 23:01:26 +01:00
Maximilian Bosch
edcd1494f7
nixos/nexus: increase disk size of VM test to 8GB
Nexus increased their default minimum disk space requirement to 4GB:

```
com.orientechnologies.orient.core.exception.OLowDiskSpaceException: Error occurred while executing a
write operation to database 'OSystem' due to limited free space on the disk (1823 MB). The database
is now working in read-only mode. Please close the database (or stop OrientDB), make room on your hard
drive and then reopen the database. The minimal required space is 4096 MB. Required space is now
set to 4096MB (you can change it by setting parameter storage.diskCache.diskFreeSpaceLimit) .
server# [   72.560866] zqnav3mg7m6ixvdcacgj7p5ibijpibx5-unit-script-nexus-start[627]:   DB name="OSystem"
```

Including the rest on the VM 8GB should be the most suitable solution.
As the installer test also takes 8GB of disk size this should still be
in an acceptable range.
2019-01-10 22:44:26 +01:00
lewo
7612a6add4
Merge pull request #52870 from xtruder/pkgs/dockerTools/buildLayeredImage/extraCommands
dockerTools: allow to pass extraCommands, uid and gid to buildLayered image
2019-01-10 19:00:19 +01:00
Yorick
4d68e82dbc nixos/borgbackup: use coercedTo instead of apply on paths (#53756)
so multiple declarations merge properly
2019-01-10 16:34:02 +01:00
Jaka Hudoklin
954cda5c9d
dockerTools: allow to pass extraCommands, uid and gid to buildLayeredImage 2019-01-10 16:02:23 +01:00
Vladimír Čunát
287144e342
Merge branch 'master' into staging-next 2019-01-10 13:07:21 +01:00
Vladimír Čunát
829ada37bf
Merge #53365: nixos/nsd: Don't override bind via nixpkgs.config 2019-01-10 11:00:40 +01:00
Julien Moutinho
eb90d97009 nixos/nslcd: use systemd's RuntimeDirectory 2019-01-09 17:45:19 +01:00
Julien Moutinho
4af7db9c73 nixos/nslcd: restart when nslcd.conf changes 2019-01-09 17:45:15 +01:00
Aaron Andersen
fd5a88687c nixos/httpd: add options sslCiphers & sslProtocols 2019-01-09 11:30:19 -05:00
Claudio Bley
cb0b629894 nixos/luksroot: Fix typo Verifiying -> Verifying 2019-01-08 15:45:02 -05:00
Robin Gloster
c75571d66c
Merge pull request #53598 from mayflower/atlassian-updates
atlassian updates
2019-01-08 17:56:13 +00:00
Silvan Mosberger
6a942aec5b
Merge pull request #52765 from Izorkin/datadog-agent
datadog-agent: 6.4.2 -> 6.8.3
2019-01-08 16:01:26 +01:00
Jörg Thalheim
ba9f589180
Merge pull request #53446 from Mic92/systemd-udev-settle
nixos/systemd-udev-settle: don't restart on upgrades
2019-01-08 13:05:25 +01:00
Izorkin
47a8b13efa datadog-agent: 6.4.2 -> 6.8.3 2019-01-08 11:16:44 +03:00
Matthew Bauer
04373fd3cc
Merge pull request #52594 from matthewbauer/fix-51025
make-disk-image: use filterSource instead of cleanSource
2019-01-07 16:29:58 -06:00
Matthew Bauer
f05d8f31ec make-disk-image: use filterSource instead of cleanSource
cleanSource does not appear to work correctly in this case. The path
does not get coerced to a string, resulting in a dangling symlink
produced in channel.nix.  Not sure why, but this
seems to fix it.

Fixes #51025.

/cc @elvishjericco
2019-01-07 16:28:50 -06:00
Robin Gloster
89d24aca93
atlassian-crowd: 3.2.5 -> 3.3.3 2019-01-07 21:54:23 +01:00
Franz Pletz
b60f8fc6e2
atlassian modules: don't chown home recursively
This can take a long time and should not be necessary anyway.
2019-01-07 21:54:20 +01:00
Matthew Bauer
de30f4e61d
Merge pull request #51570 from eonpatapon/cassandra-logging
cassandra: add option to configure logging
2019-01-07 12:41:07 -06:00
Nikita Uvarov
53013ead39
nixos/containers: add bridge without address specified
According to systemd-nspawn(1), --network-bridge implies --network-veth,
and --port option is supported only when private networking is enabled.
Fixes #52417.
2019-01-07 14:21:17 +01:00
Bas van Dijk
6ac10cd764
Merge pull request #53399 from LumiGuide/feat-wordpress-copy-plugins
apache-httpd/wordpress: copy plugins and themes instead of symlinking
2019-01-07 13:41:29 +01:00
Tim Steinbach
289fe57eea
urxvt: Allow switching out package 2019-01-07 07:35:20 -05:00
Matthew Bauer
751c03e8fd
Merge pull request #47665 from erikarvstedt/initrd-improvements
Minor initrd improvements
2019-01-06 21:48:26 -06:00
Joachim Fasting
ab070d1b0b
nixos/opengl: assert 32bit emu support if 32bit support is enabled
See https://github.com/NixOS/nixpkgs/issues/51097
2019-01-06 19:52:08 +01:00
Falco Peijnenburg
9d2c9157d7 nixos/apache-httpd/wordpress: copy plugins and themes instead of symlinking
Symlinking works for most plugins and themes, but Avada, for instance, fails to
understand the symlink, causing its file path stripping to fail. This results in
requests that look like:

https://example.com/wp-content//nix/store/...plugin/path/some-file.js

Since hard linking directories is not allowed, copying is the next best thing.
2019-01-06 17:51:31 +01:00
Joachim Fasting
e6538caa48
nixos/tests: re-enable hardened test
Has been okay since 62623b60d5
2019-01-06 14:08:20 +01:00
Joachim Fasting
39c30a33c1
nixos/tests/hardened: test loading out-of-tree-modules 2019-01-06 13:19:28 +01:00
Frederik Rietdijk
a4250d1478 Merge staging-next into staging 2019-01-06 09:48:31 +01:00
Frederik Rietdijk
e5381cdece Merge master into staging-next 2019-01-06 09:36:23 +01:00
Jörg Thalheim
09fb07e4af
Merge pull request #52943 from ck3d/vdr-enableLirc
nixos vdr: introduce option enableLirc
2019-01-05 17:51:41 +01:00
Jörg Thalheim
8a2389e4a1
Merge pull request #53404 from Mic92/xsslock
nixos/xss-lock: specify a default locker
2019-01-05 16:44:29 +01:00
Jörg Thalheim
2614c8a6c5
nixos/xss-lock: specify a default locker
Having a default locker is less error-prone and more convenient.
Incorrect values might leave the machine vulnerable since there is no
fallback.
2019-01-05 16:42:30 +01:00
Vladimír Čunát
d84a33d85b
Merge branch 'master' into staging-next
A few more rebuilds (~1k on x86_64-linux).
2019-01-05 15:02:04 +01:00
Joachim Fasting
167578163a
nixos/hardened profile: always enable pti 2019-01-05 14:07:39 +01:00
Joachim Fasting
3f1f443125
nixos/hardened profile: slab/slub hardening
slab_nomerge may reduce surface somewhat

slub_debug is used to enable additional sanity checks and "red zones" around
allocations to detect read/writes beyond the allocated area, as well as
poisoning to overwrite free'd data.

The cost is yet more memory fragmentation ...
2019-01-05 14:07:37 +01:00
Jörg Thalheim
0a2c8cc1db
nixos/systemd-udev-settle: don't restart on upgrades
The idea is that we only need this target during boot,
however there is no point in restarting it on every upgrade.

This hopefully fixes #21954
2019-01-05 13:57:29 +01:00
Jörg Thalheim
9b2f0fbcdd
nixos/lirc: expose socket path via passthru 2019-01-05 13:22:39 +01:00
Frederik Rietdijk
60a3973a55 Merge staging-next into staging 2019-01-05 10:15:00 +01:00
worldofpeace
21327795ce nixos/version: add LOGO to /etc/os-release 2019-01-05 00:03:39 -05:00
Frederik Rietdijk
9618abe87c Merge master into staging-next 2019-01-04 21:13:19 +01:00
Michael Weiss
65c953976c
Merge pull request #53138 from gnidorah/sway
nixos/sway: Improve the wrapper
2019-01-04 11:49:07 +01:00
aszlig
6446d9eee8
nixos/nsd: Improve checking for empty dnssec zones
While at it (see previous commit), using attrNames in combination with
length is a bit verbose for checking whether the filtered attribute set
is empty, so let's just compare it against an empty attribute set.

Signed-off-by: aszlig <aszlig@nix.build>
2019-01-04 01:59:28 +01:00
aszlig
751bdacc9b
nixos/nsd: Don't override bind via nixpkgs.config
When generating values for the services.nsd.zones attribute using values
from pkgs, we'll run into an infinite recursion because the nsd module
has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will
still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed
for the dnssec-* tools, so instead of using nixpkgs.config, we now
directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the
following Nix expression from the nixpkgs source root will cause the
mentioned infinite recursion:

  (import ./nixos {
    configuration = { lib, pkgs, ... }: {
      services.nsd.enable = true;
      services.nsd.zones = import (pkgs.writeText "foo.nix" ''
        { "foo.".data = "xyz";
          "foo.".dnssec = true;
        }
      '');
    };
  }).vm

With this change, generating zones via import-from-derivation is now
possible again.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @pngwjpgh
2019-01-04 01:49:50 +01:00
Matthew Bauer
74312c7ef5
Merge pull request #52760 from akru/master
lib/make-ext4-fs: more efficient store maker
2019-01-03 15:07:27 -06:00
Matthew Bauer
9c5cde46a6 nixos/all-firmware: include raspberrypiWirelessFirmware when building 2019-01-03 15:05:38 -06:00
Jean-Philippe Braun
4f99f8d2cb nixos/prometheus-bind-exporter: add module 2019-01-03 21:14:21 +01:00
Frederik Rietdijk
2da31b80bb Merge master into staging-next 2019-01-03 20:07:35 +01:00
Silvan Mosberger
2b1c9fd8a7
Merge pull request #53301 from cdepillabout/remove-cpufreqgov-alias
nixos/cpufreq: Remove the alias to set the cpu frequency governor
2019-01-03 17:47:53 +01:00
(cdep)illabout
46ecec8239
nixos/cpufreq: Remove the alias to set the cpu frequency governor
This PR temporarily fixes the issue with PR 53041 as explained
here:

https://github.com/NixOS/nixpkgs/pull/53041#commitcomment-31825338

The alias `powerManagement.cpufreq.governor` to
`powerManagement.cpuFreqGovernor` has been removed.
2019-01-03 20:57:49 +09:00
Сухарик
a285cead44 nixos/display-managers: allow pure wayland sessions 2019-01-03 09:38:36 +03:00
Matthew Bauer
921a47bc92 treewide: remove cross assertions
sd-image-raspberrypi, sd-image-aarch64, and
sd-image-armv7l-multiplatform can all be cross compiled now.
2019-01-02 23:02:50 -06:00
Matthew Bauer
35af6e3605 treewide: use buildPackages for config builders 2019-01-02 23:02:50 -06:00
Izorkin
420b83b29b zsh.syntaxHighlighting: add option to customize styles 2019-01-03 01:05:45 +03:00
Frederik Rietdijk
092e3b50a8 Merge master into staging-next 2019-01-02 21:08:27 +01:00
ajs124
325e314aae
sshd: Add restartTrigger for sshd_config
Co-Authored-By: Franz Pletz <fpletz@fnordicwalking.de>
2019-01-02 20:11:01 +01:00
Franz Pletz
0ea65cd96c
shairport-sync service: fix default arguments 2019-01-02 19:17:22 +01:00
Vladimír Čunát
70bff06140
Merge branch 'master' into staging 2019-01-02 17:19:23 +01:00
(cdep)illabout
b0f10d2d53
cpufreq: add option for setting the cpu max and min frequencies
This adds a NixOS option for setting the CPU max and min frequencies
with `cpufreq`.  The two options that have been added are:

- `powerManagement.cpufreq.max`
- `powerManagement.cpufreq.min`

It also adds an alias to the `powerManagement.cpuFreqGovernor` option as
`powerManagement.cpufreq.governor`.  This updates the installer to use
the new option name.  It also updates the manual with a note about
the new name.
2019-01-01 19:18:12 +09:00
gnidorah
d15425f816 nixos/sway: Improve the wrapper
Port a change by @primeos from sway-beta module to sway module.

https://github.com/NixOS/nixpkgs/pull/51316
2019-01-01 11:21:15 +03:00
Frederik Rietdijk
070290bda7 Merge master into staging-next 2018-12-31 12:00:36 +01:00
Frederik Rietdijk
c6e043d57c Remove composableDerivation, closes #18763 2018-12-30 12:33:45 +00:00
Silvan Mosberger
45c073e4da
Merge pull request #52930 from Ekleog/low-prio-syspath
system-path: set implicitly installed packages to be low-priority
2018-12-30 00:29:59 +01:00
Silvan Mosberger
070254317e
Revert "nixos/ddclient: make RuntimeDirectory and configFile private" 2018-12-29 16:53:43 +01:00
adisbladis
0ff4d0a516
fish: 2.7.1 -> 3.0.0 2018-12-28 21:23:24 +00:00
Frederik Rietdijk
10afccf145 Merge staging-next into staging 2018-12-27 18:11:34 +01:00
Dmitry Kalinkin
3edd5cb227
Merge pull request #51294 from eadwu/nvidia_x11/legacy_390
nvidia: expose nvidia_x11_legacy390
2018-12-27 09:08:53 -05:00
Joachim Fasting
ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting
e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting
84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Joachim Fasting
9db84f6fcd
nixos/security/misc: use mkMerge for easier extension 2018-12-27 15:00:46 +01:00
Christian Kögler
987fdea1a8 nixos vdr: introduce option enableLirc
also introduce option socket for lirc, to have access to socket path
2018-12-26 22:59:06 +01:00
Léo Gaspard
fa98337a15
system-path: set implicitly installed packages to be low-priority
The aim is to minimize surprises: when the user explicitly installs a
package in their configuration, it should override any package
implicitly installed by NixOS.
2018-12-26 23:16:17 +09:00
Samuel Dionne-Riel
302d53df2b nixos/sd-image-aarch64-new-kernel: Added to release
This, paired with the previous commit, ensures the channel won't be held
back from a kernel upgrade and a non-building sd image, while still
having a new-kernel variant available.
2018-12-26 11:03:32 +00:00
Samuel Dionne-Riel
207210660f nixos/sd-image-aarch64: Configures it to use the default kernel 2018-12-26 11:03:32 +00:00
Frederik Rietdijk
e45ca47f14 Merge staging-next into staging 2018-12-26 09:30:32 +01:00
Dmitry Kalinkin
c7f26a34e8
Merge pull request #52896 from veprbl/pr/gmane_wo_net-snmp
treewide: Fix broken Gmane URLs
2018-12-25 22:55:03 -05:00
Craig Younkins
8b12b17df3
treewide: Fix broken Gmane URLs 2018-12-25 22:34:55 -05:00
worldofpeace
c1599d29d9 gcr: rename from gnome3.gcr 2018-12-25 20:14:28 -05:00
worldofpeace
3f6c81da4d
Merge pull request #52592 from worldofpeace/geoclue/correct-sysconf
geoclue2: correct sysconfdir
2018-12-25 19:03:22 -05:00
worldofpeace
c65edd687f geoclue2: correct sysconfdir 2018-12-25 18:38:19 -05:00
Jan Tojnar
c45e9d0fac
Merge branch 'master' into staging 2018-12-25 17:03:57 +01:00
Alexander Krupenkin
2f0c495c31
lib/make-ext4-fs: more efficient store maker 2018-12-24 23:21:15 +03:00
Sander van der Burg
a27aa247c0
Merge pull request #50596 from svanderburg/mobile-updates
Mobile updates
2018-12-24 15:52:33 +01:00
Jan Tojnar
ef935fa101
Merge branch 'master' into staging 2018-12-24 15:02:29 +01:00
zimbatm
d06f798ce7
Merge pull request #51566 from adisbladis/google-oslogin
GCE OSLogin module: init
2018-12-24 14:11:49 +01:00
msteen
8d217ede58 fix infinite recursion caused by the unnecessary inspection of options + fix is parent of mount point check (#51541) 2018-12-24 14:05:55 +01:00
Samuel Dionne-Riel
772759173d
Merge pull request #52721 from samueldr/aarch64/limited-support
Fixes eval issues in hydra by setting AArch64 as limited support
2018-12-23 13:28:22 -05:00
Jörg Thalheim
044ff3dc66
nixos/vdr: don't delete recordings 2018-12-23 18:54:39 +01:00
Jörg Thalheim
633bc1d09b
Merge pull request #52686 from Mic92/vdr
vdr: revisited version of https://github.com/NixOS/nixpkgs/pull/32050
2018-12-23 16:19:27 +01:00
Emery Hemingway
124d8ccc69
Add IPFS warning 2018-12-22 20:04:19 +01:00
Jörg Thalheim
45986ec587
nixos/vdr: create video directory automatically 2018-12-22 15:13:35 +01:00
Christian Kögler
dd3f755cf4
vdr: initial at 2.4.0 and nixos module
used same plugin mechanism as kodi does
2018-12-22 15:13:25 +01:00
worldofpeace
94af8ebde2 nixos/displayManager: only install wayland sessions if they exist in extraSessionFilePackages
Not everyone is using wayland just yet.
2018-12-22 01:15:09 -05:00
Samuel Dionne-Riel
1bfe8f189b nixos/release-combined.nix: makes aarch64-linux limited support
This is because it will not eval properly with `hydra-eval-jobs`.

```
$ ...hydra/result/bin/hydra-eval-jobs \
    --arg nixpkgs '{ outPath = ./.; revCount = 123; shortRev = "4567"; }' \
    -I "$PWD" \
    nixos/release-combined.nix
```

It fails with:

```
Too many heap sections: Increase MAXHINCR or MAX_HEAP_SECTS
```
2018-12-21 20:43:23 -05:00
Samuel Dionne-Riel
16316a1288 nixos/release-combined.nix: Adds missing aarch64 constituents
This will block channel advancing, even if it is limited support.
2018-12-21 20:28:04 -05:00
Florian Klink
3539f3875a release-notes/rl-1903: add security.googleOsLogin 2018-12-21 18:01:36 +01:00
Florian Klink
706efadcb6 nixos/modules/virtualisation/google-compute-config.nix: remove google-accounts-daemon
Use googleOsLogin for login instead.
This allows setting users.mutableUsers back to false, and to strip the
security.sudo.extraConfig.

security.sudo.enable is default anyhow, so we can remove that as well.
2018-12-21 17:52:37 +01:00
Florian Klink
0f46188ca1 nixos/tests: add google-oslogin test 2018-12-21 17:52:37 +01:00
Florian Klink
04f3562fc4 config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-21 17:52:37 +01:00
Florian Klink
c6de45c0d7 config.security.googleOsLogin: add module
The OS Login package enables the following components:
- AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
  profile during ssh authentication phase.
- NSS Module to provide user and group information
- PAM Module for the sshd service, providing authorization and
  authentication support, allowing the system to use data stored in
  Google Cloud IAM permissions to control both, the ability to log into
  an instance, and to perform operations as root (sudo).
2018-12-21 17:52:37 +01:00
Florian Klink
be5ad774bf security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication) 2018-12-21 17:52:37 +01:00