Commit Graph

6338 Commits

Author SHA1 Message Date
Joachim F
e436874ef0 Merge pull request #20919 from joachifm/privoxy-service-improvements
Privoxy service improvements
2016-12-06 14:16:28 +01:00
Joachim Fasting
0e765c72e5
grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting
31d79afbe5
grsecurity docs: note that pax_sanitize_slab defaults to fast 2016-12-06 01:23:51 +01:00
Joachim Fasting
071fbcda24
grsecurity: enable optional sysfs restrictions
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Joachim Fasting
3dcdc2d2b0
privoxy service: remove static uid
The service owns no data, having a static uid serves no purpose.

This frees up uid/gid 32
2016-12-05 13:37:08 +01:00
Joachim Fasting
ad88f1040e
privoxy service: additional isolation 2016-12-05 13:21:31 +01:00
Vladimír Čunát
a1ae627362
nixos GDM: fix #19896
- As noted on github, GDM needs different parameters for X.
- Making xserverArgs a true list instead of concat-string helps to
  filter it and it feels more correct anyway.
- Tested: gdm+gnome, lightdm+gnome.  There seems to be no logout option
  in gnome, and gdm doesn't offer other sessions, but maybe these are normal.
2016-12-04 14:54:31 +01:00
Jörg Thalheim
e00632e200 Merge pull request #20858 from Mic92/lxcfs
lxcfs: init at 2.0.4
2016-12-04 11:33:07 +01:00
Jörg Thalheim
7c7dc15cbf
lxcfs: add module 2016-12-04 11:26:17 +01:00
Franz Pletz
69bee1b361 Merge pull request #20770 from mguentner/more_ipfs
services: IPFS: add test and more config parameters
2016-12-04 01:46:09 +01:00
Franz Pletz
2401f06801
containers: disable dhcpcd on veth bridge interfaces 2016-12-04 01:41:10 +01:00
Graham Christensen
d5cb4d8734
ecryptfs test: use TTY output to stabilize test 2016-12-02 19:36:27 -05:00
Jörg Thalheim
aa854f192e
cgmanager: add module 2016-12-02 13:52:04 +01:00
lbonn
288e75c5f9 wireguard: remove dependency on ip-up.target
It was deprecated and removed from all modules in the tree by #18319.

The wireguard module PR (#17933) was still in the review at the time and
the deprecated usage managed to slip inside.
2016-12-01 00:11:16 +01:00
Graham Christensen
b28d21fd50 Merge pull request #20808 from grahamc/fancy-test-tty
login test: Create and use direct reads of the TTY contents.
2016-11-30 11:27:49 -05:00
Graham Christensen
cb74fd75d7
login test: Create and use direct reads of the TTY contents. 2016-11-30 00:17:18 -05:00
Tuomas Tynkkynen
8a4d6516ee Merge remote-tracking branch 'upstream/staging' into master 2016-11-30 00:34:23 +02:00
Franz Pletz
3000ae8602
gitlab service: fix sidekiq queue config 2016-11-29 17:42:46 +01:00
Domen Kožar
75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Domen Kožar
69e0740baa Merge pull request #20795 from cleverca22/netboot
make the /nix/store writable under netboot images
2016-11-29 15:47:39 +01:00
michael bishop
e710edeecf
make the /nix/store writable under netboot images 2016-11-29 10:31:07 -04:00
Erik Rybakken
2f0cc0d3f0 unclutter-xfixes service: init
Closes #18398
2016-11-29 14:25:32 +01:00
Joachim F
8eefcb5c09 Merge pull request #19900 from michalpalka/xen-fix-xen-bridge2
xen service: fix wrong netmask handed out by xen-bridge.service
2016-11-28 16:31:05 +01:00
Joachim F
944868dd9b Merge pull request #19851 from michalpalka/xen-fix-xen-bridge
xen service: fix iptables race condition in xen-bridge.service
2016-11-28 16:30:16 +01:00
Maximilian Güntner
f7c099bd8c
tests: added basic ipfs test
$getter can be used once ipfs supports private/local networks
and or internet gets routed to the VMs

Signed-off-by: Maximilian Güntner <code@klandest.in>
2016-11-28 15:33:58 +01:00
Maximilian Güntner
0526a5c90a
services: add gatewayAddress and apiAddress to ipfs
Signed-off-by: Maximilian Güntner <code@klandest.in>
2016-11-28 15:33:51 +01:00
Aycan iRiCAN
37715d1f46 hydra-module: add cfg.package to hydra-evaluator path 2016-11-28 15:53:44 +02:00
Joachim Fasting
e99228db30
grsecurity module: force a known good kernel package set
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel.  Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).

With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
2016-11-28 12:11:04 +01:00
Sophie Taylor
016fa06c71
cjdns: Improving systemd unit description 2016-11-27 22:07:51 -05:00
Ruben Maher
9c9a21d525 matrix-synapse service: Make url_preview_enabled optional (#20609) 2016-11-28 03:33:48 +01:00
Franz Pletz
e394c305a8 Merge pull request #20620 from rnhmjoj/fakeroute
fakeroute: init at 0.3
2016-11-28 03:01:15 +01:00
pngwjpgh
bcc9a6ac75 infinoted service: init
Service module for the dedicated gobby server included in libinfinity
2016-11-27 17:23:21 +01:00
Michael Raskin
36010e7046 Merge pull request #20366 from MarcWeber/submit/apache-port-to-listen
apache-httpd
2016-11-26 13:37:02 +00:00
Vladimír Čunát
925b335607
Merge branch 'master' into staging 2016-11-26 11:27:09 +01:00
Vladimír Čunát
8ebfce0eda
display-managers module: improve variable quoting
Fixes #20713, though I'm certain nixpkgs contains loads of places
without proper quoting, as (ba)sh unfortunately encourages that.

The only plus side is that most of such problems in nixpkgs aren't
actually security problems but mere annoyance to those who are foolish
enough to use "weird" characters in critical names.
2016-11-26 11:23:31 +01:00
Robert Helgesson
8a424e3fbd
tahoe service: use ExecStart instead of script
Since only a single command is necessary to start Tahoe it is sufficient
to use ExecStart and thereby skip starting up Bash (and leaving it
running).
2016-11-25 21:49:34 +01:00
Jaka Hudoklin
3b500d37f5 Merge pull request #19023 from offlinehacker/kube-update
WIP: kubernetes update package and module
2016-11-24 23:10:01 +01:00
Frederik Rietdijk
25a9889f0e blivet test: use python2 2016-11-24 22:28:03 +01:00
Corbin Simpson
27f1def068 nixos/collectd: Fix syntax error on some hostnames. (#20694)
Without this, hostnames that e.g. end in digits will cause syntax errors for
collectd.
2016-11-24 21:47:17 +01:00
rnhmjoj
7eb9a03221
fakeroute: add service 2016-11-23 15:23:10 +01:00
Eelco Dolstra
d97a379510 Merge pull request #20641 from mayflower/fix/installer-closure-size
Reduce closure size of installer images
2016-11-23 12:49:46 +01:00
Joachim F
a6f392abd6 Merge pull request #20385 from ericsagnes/feat/i3-refactor
i3 module: refactor
2016-11-23 05:11:14 +01:00
Franz Pletz
6de991bd95
nixos: compress squashfs with xz 2016-11-23 02:24:13 +01:00
Franz Pletz
da600849e3
nixos: disable sound for minimal ISO
Saves a few megabytes of ALSA stuff.
2016-11-23 02:24:13 +01:00
Franz Pletz
f983743d75
w3m-nox: use imlib2 without X11 support
Also, the minimal live CD previously installed both the X11 and
non-X11 versions (through services.nixosManual) of w3m.
2016-11-23 02:24:12 +01:00
Franz Pletz
ffac67fcf3
nixos/base: don't include dar & cabextract in ISO
Should free up lots of space due to dependency on gnupg, which dpeends on
openldap which pull in gcc.
2016-11-23 02:24:11 +01:00
Eric Sagnes
2b1d67a275 manual: reviewing contributions nixos -> nixpkgs (#20626) 2016-11-22 15:15:02 +01:00
Franz Pletz
d94e93ccdf Merge pull request #19588 from Shados/add-dante
Add dante package & accompanying service module
2016-11-22 15:10:46 +01:00
Franz Pletz
2f1be760da
nixos/release: add containers-tmpfs test
cc #20557
2016-11-22 15:05:45 +01:00