Commit Graph

1206 Commits

Author SHA1 Message Date
John Ericson
4ccb74011f Merge commit '18aa59b0f26fc707e7313f8467e67159e61600c2' from master into staging
There was one conflict in the NixOS manual; I checked that it still
built after resolving it.
2019-04-01 00:40:03 -04:00
worldofpeace
099cc0482b nixos/pantheon: enable lightdm gtk greeter
Pantheon's greeter has numerous issues that cannot be
fixed in a timely manner, and users are better off if they just
didn't use it by default.
2019-03-29 21:29:59 -04:00
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO it's up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Florian Klink
8817bbefdb nixos/ldap: set proper User= and Group= for nslcd service
eb90d97009 broke nslcd, as /run/nslcd was
created/chowned as root user, while nslcd wants to do parts as nslcd
user.

This commit changes the nslcd to run with the proper uid/gid from the
start (through User= and Group=), so the RuntimeDirectory has proper
permissions, too.

In some cases, secrets are baked into nslcd's config file during startup
(so we don't want to provide it from the store).

This config file is normally hard-wired to /etc/nslcd.conf, but we don't
want to use PermissionsStartOnly anymore (#56265), and activation
scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf,
which now gets provisioned inside ExecStartPre=.

This change requires the files referenced in
users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be
readable by the nslcd user (in the non-nslcd case, this was already the
case for users.ldap.bind.passwordFile)

fixes #57783
2019-03-28 13:08:47 +01:00
aszlig
ada3239253
nixos/release-notes: Add entry about confinement
First of all, the reason I added this to the "highlights" section is
that we want users to be aware of these options, because in the end we
really want to decrease the attack surface of NixOS services and this is
a step towards improving that situation.

The reason why I'm adding this to the changelog of the NixOS 19.03
release instead of 19.09 is that it makes backporting services that use
these options easier. Doing the backport of the confinement module after
the official release would mean that it's not part of the release
announcement and potentially could fall under the radar of most users.

These options and the whole module also do not change anything in
existing services or affect other modules, so they're purely optional.

Adding this "last minute" to the 19.03 release doesn't hurt and is
probably a good preparation for the next months where we hopefully
confine as many services as we can :-)

I also have asked @samueldr and @lheckemann, whether they're okay with
the inclusion in 19.03. While so far only @samueldr has accepted the
change, we can still move the changelog entry to the NixOS 19.09 release
notes in case @lheckemann rejects it.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 21:07:07 +01:00
Matthew Bauer
38c6c7c8a3
Merge pull request #57617 from aaronjanse/patch-20190313a
nixos/manual: clarify declarative packages section
2019-03-25 22:16:47 -04:00
Danylo Hlynskyi
40cc269561
Merge branch 'master' into postgresql-socket-in-run 2019-03-25 01:06:59 +02:00
Dmitry Kalinkin
6f95ac3588
Merge pull request #57988 from lopsided98/buildbot-update
buildbot: 1.8.1 -> 2.1.0
2019-03-23 20:38:20 -04:00
Frederik Rietdijk
23e431387b Merge staging-next into staging 2019-03-23 09:20:09 +01:00
Ben Wolsieffer
b2e11e0cdf buildbot: 1.8.1 -> 2.1.0 2019-03-22 18:43:15 -04:00
Florian Klink
9aa57902cc
Merge pull request #57938 from flokli/network-manager-rename-changelog
network-manager: move para about service rename to 19.09 changelog
2019-03-22 19:18:47 +01:00
Vladimír Čunát
1ad3f34a99
nixos manual Makefile: improve purity
And be quiet when building/downloading the required tools.
2019-03-22 14:48:08 +01:00
Vladimír Čunát
4c3ec0e325
nixos docs: run the formatting tool (no content change)
As documented in the docs themselves :-)
2019-03-22 14:44:11 +01:00
Vladimír Čunát
11d204a9c4
nixos docs: improve GPU driver documentation
I'm not 100% sure about the incompatibility lines,
but I believe it's better to discourage these anyway.
If you find better information, feel free to amend...

The 32-bit thing is completely GPU-agnostic, so I can't see why we had
it separately for proprietary drivers and missing for the rest.
2019-03-22 14:31:17 +01:00
Wael M. Nasreddine
5af0780492
Merge remote-tracking branch 'origin/master' into staging
* origin/master: (693 commits)
  buildGoModule: use go_1_12 instead of go_1_11 (#58103)
  gitAndTools.lab: 0.15.2 -> 0.15.3 (#58091)
  signal-desktop: 1.22.0 -> 1.23.0
  added missing semicolon to documentation
  terminus_font_ttf: 4.46.0 -> 4.47.0
  buildGoModule: remove SSL env vars in favor of cacert in buildInputs (#58071)
  dav1d: init at 0.2.1
  dropbox-cli: 2018.11.28 -> 2019.02.14
  atlassian-confluence: 6.14.1 -> 6.14.2
  maintainers: update email for dywedir
  python.pkgs.hglib: use patch to specify hg path (#57926)
  chkrootkit: 0.52 -> 0.53
  radare2-cutter: 1.7.2 -> 1.8.0
  autorandr: 1.7 -> 1.8
  pythonPackages.pyhepmc: fix build
  llvm-polly/clang-polly: use latest llvm
  apulse: 0.1.11.1 -> 0.1.12, cleanup
  factorio: experimental 0.17.14 → 0.17.16 (#58000)
  sequeler: 0.6.7 -> 0.6.8
  nasc: 0.5.1 -> 0.5.2
  ...
2019-03-21 21:01:25 -07:00
Dmitry Moskowski
7e4ca152a4 added missing semicolon to documentation 2019-03-21 22:22:13 +00:00
Florian Klink
a54e41a673 network-manager: move para about service rename to 19.09 changelog 2019-03-20 03:09:59 +01:00
Jörg Thalheim
b488c60cdb network-manager: rename systemd service back to match upstream
Compatibility with other distributions/software and expectation
of users coming from other systems should have higher priority over consistency.
In particular this fixes #51375, where the NetworkManager-wait-online.service
broke as a result of this.
2019-03-19 23:48:08 +01:00
Léo Gaspard
59c5630f60
Merge branch 'pr-57699'
* pr-57699:
  nixos/matrix: add manual section about self-hosting a matrix client and server
2019-03-16 14:48:39 +01:00
Florian Jacob
ef52869ef1 nixos/matrix: add manual section
about self-hosting a matrix client and server
2019-03-16 14:26:07 +01:00
aszlig
116bdc9f55
nixos/manual: Document PostgreSQL socket change
This is a backwards-incompatible change and while it won't probably
affect a whole lot of users, it makes sense to give them a heads-up
anyway.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-16 03:03:21 +01:00
Aaron Janse
0258cff887
nixos/manual: reword note in declarative packages section 2019-03-14 21:11:27 -07:00
Aaron Janse
bd9b82dece
nixos/manual: fix typo 2019-03-14 02:17:31 +00:00
Aaron Janse
f67eb111ac
nixos/manual: clarify declarative packages section 2019-03-13 18:40:00 -07:00
Aaron Janse
56dcc319cf
nixos/manual: document auto-login
fix #29526
2019-03-12 22:23:05 -07:00
Andreas Rammhold
c55427ca43
nixos/doc: add types prefix to addCheck example
The function `addCheck` resides within the attrset `types`. We should be
explicit about this since otherwise people might be confused where it
does come from / why it doesn't work for them.
2019-03-11 22:56:56 +01:00
Graham Christensen
777e94d903
Merge pull request #55436 from layus/warn-manual-ids
Nixos manual: error out on missing IDs
2019-03-09 08:21:07 -05:00
Danylo Hlynskyi
60e8fcf0e5
module system: revert "remove types.optionSet", just deprecate (#56857)
The explicit remove helped to uncover some hidden uses of `optionSet`
in NixOps. However it makes life harder for end-users of NixOps - it will
be impossible to deploy 19.03 systems with old NixOps, but there is no
new release of NixOps with `optionSet` fixes.

Also, the "deprecation" process isn't well defined. Even though `optionSet` was
declared "deprecated" for many years, it was never announced. Hence, I
leave the "deprecation" announcement. Then, 3 releases after the announcement,
we can announce removal of this feature.

This type has to be removed, not `throw`-ed in runtime, because it makes
some perfectly fine code fail. For example:
```
$ nix-instantiate --eval -E '(import <nixpkgs/lib>).types' --strict
trace: `types.list` is deprecated; use `types.listOf` instead
error: types.optionSet is deprecated; use types.submodule instead
(use '--show-trace' to show detailed location information)
```
2019-03-07 21:28:09 +02:00
Michael Raskin
500d61560f Release notes: switch to modesetting: mention backlight problem 2019-03-07 13:38:19 +01:00
Danylo Hlynskyi
ef1911d045 zram: revert "change default algorithm to zstd" (#56856)
19.03 default kernel is still 4.14, which doesn't support zstd. So,
zramSwap in current fashion fails on default kernel.
2019-03-07 02:11:20 +02:00
Jan Malakhovski
ca496b194f nixos: doc: increase maxdepth for xsltproc
See https://github.com/NixOS/nixpkgs/issues/37903#issuecomment-376618117
for details. With the previous patch and some custom modules included in
`configuration.nix` the above bug is very easy to trigger.

This is the simplest workaround I have. A proper solution would look like
https://github.com/NixOS/nixpkgs/issues/37903#issuecomment-376980838.
2019-03-05 09:41:40 +00:00
Arian van Putten
2e75a7b516 nixos: doc: optionally include all modules in manual generation
Before this change `man 5 configuration.nix` would only show options of modules in
the `baseModules` set, which consists only of the list of modules in
`nixos/modules/module-list.nix`

With this change applied and `documentation.nixos.includeAllModules` option enabled
all modules included in `configuration.nix` file will be used instead.

This makes configurations with custom modules self-documenting. It also means
that importing non-`baseModules` modules like `gce.nix` or `azure.nix`
will make their documentation available in `man 5 configuration.nix`.

`documentation.nixos.includeAllModules` is currently set to `false` by
default as enabling it usually uncovers bugs and prevents evaluation.
It should be set to `true` in a release or two.

This was originally implemented in #47177, edited for more configurability,
documented and rebased onto master by @oxij.
2019-03-05 09:41:40 +00:00
matix2267
6ab2aea003 nixos/doc: Small updates about wireless configuration. (#55918)
* Reference networking section from installation
* Add info about pskRaw option in networking.wireless.networks
2019-03-05 04:27:15 +02:00
Andreas Rammhold
768336a74b
Merge pull request #56233 from jtojnar/nginx-tlsv13
nixos/nginx: Enable TLS 1.3 support
2019-03-03 14:19:38 +01:00
Tristan Helmich (omniIT)
9efddfa2c1 graylog: 2.5.1 -> 3.0.0 2019-03-02 17:03:40 +00:00
Piotr Bogdan
b01302b85e nixos/manual: fix build 2019-03-02 10:32:24 +00:00
Sarah Brofeldt
ecd5ec3521
Merge pull request #56377 from LnL7/nixos-rebuild-edit
nixos-rebuild: add changelog/docs for edit subcommand
2019-03-02 10:12:07 +01:00
Frederik Rietdijk
2fcb11a244 Merge staging-next into master 2019-03-01 09:06:20 +01:00
Danylo Hlynskyi
79cc48cdbb
Revert "Merge pull request #54980 from danbst/etc-relative" (#56507)
This reverts commit 0b91fa43e4, reversing
changes made to 183919a0c0.
2019-02-28 07:48:40 +02:00
Domen Kožar
0fd85a1f99
nixos release: there's a wildcard protection now for release-* on github 2019-02-26 14:12:46 +07:00
Linus Heckemann
bd018946eb 19.09 is Loris.
https://en.wikipedia.org/wiki/Loris
2019-02-25 23:21:14 +01:00
Daiderd Jordan
ad0b82d067
nixos-rebuild: add changelog/docs for edit subcommand 2019-02-25 19:36:23 +01:00
Jan Tojnar
f93ff28c62 nixos/nginx: Enable TLS 1.3 support 2019-02-25 16:47:19 +01:00
Silvan Mosberger
02db11d369
Merge pull request #55792 from sdier/fix/pam-update
Allow duosec to be used in nixos as a pam module.
2019-02-25 01:38:51 +01:00
Scott Dier
a11ad16bd7 nixos/security: Add release note for duosec pam support for 19.03. 2019-02-24 22:49:01 +00:00
Frederik Rietdijk
c2eac6741b Merge master into staging-next 2019-02-24 09:19:12 +01:00
Frederik Rietdijk
1fccd25595 buildPythonPackage: always export LANG=C.UTF-8 2019-02-23 20:08:26 +01:00
Austin Seipp
c193b9c158
nixos/manual: fix missed <listitem> in highlights section
Otherwise, the "Kubernetes" note shows up inside the "Pantheon Desktop
Environment" highlight section.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2019-02-23 09:59:43 -06:00
Austin Seipp
136c3823ce
nixos/manual: add 19.03 release note for cockroachdb module
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2019-02-23 09:55:00 -06:00
Michael Raskin
1de2255d82 Release notes: remark about output names with intel -> modesetting 2019-02-23 17:00:45 +01:00
Vladimír Čunát
71f4ba29a3
Merge branch 'master' into staging-next
Hydra nixpkgs: ?compare=1506218
2019-02-22 17:51:01 +01:00
aanderse
e5405f9ae8 nixos/beanstalkd: new service for existing package (#55953) 2019-02-22 14:10:02 +01:00
Markus Kowalewski
c26a79a556
release-notes: add note about openmpi-4.0.0 upgrade.
Add link to openmpi upgrade guide, regarding deprecated MPI-1 symbols.
2019-02-21 15:08:32 +01:00
Michael Raskin
0b91fa43e4
Merge pull request #54980 from danbst/etc-relative
nixos: make symlinks in `/etc` relative (except `/etc/static`)
2019-02-21 09:45:42 +00:00
Michael Raskin
95039d0668
nixos/xserver: drop intel from videoDrivers (#55583)
* nixos/xserver: drop intel from videoDrivers

* Some more notes about possible regressions
2019-02-21 09:42:11 +00:00
Frederik Rietdijk
5871da418f Merge staging into python-unstable 2019-02-21 08:02:10 +01:00
Johan Thomsen
8d62d7972f
nixos/kubernetes: adding manual section for kubernetes and writing release note for NixOS 19.03 2019-02-20 21:08:51 +01:00
Frederik Rietdijk
b4acd97729 buildPython*: enable strictDeps 2019-02-17 14:40:48 +01:00
Frederik Rietdijk
6fe10d2779 Merge master into staging-next 2019-02-16 09:29:54 +01:00
Silvan Mosberger
c84488329b
Merge pull request #47747 from florianjacob/matomo-archive-processing-service
Matomo archive processing service
2019-02-14 21:05:16 +01:00
Robert Helgesson
488a3f09cd
nixos/wpa_supplicant: use <citerefentry>
Fixes #55505
2019-02-10 13:23:28 +01:00
Matthew Bauer
5c09d977c7 Merge remote-tracking branch 'origin/master' into staging 2019-02-09 12:14:06 -05:00
Guillaume Maudoux
a65974c604 nixos/manual: error out on missing IDs 2019-02-08 10:59:46 +01:00
Guillaume Maudoux
473a3ef606 nixos/manual: add dummy ids to silence warnings 2019-02-08 10:23:57 +01:00
Graham Christensen
d7bb260850
Merge pull request #55396 from layus/warn-manual-ids
nixos/manual: warn on missing xml:id
2019-02-07 16:07:52 -05:00
Léo Gaspard
a6abec9c66
mailutils: use system-sendmail instead of sendmailPath
system-sendmail allows all sendmail's to be auto-detected, including on
non-NixOS systems. This is, to me, a better UX than having to manually
override the sendmailPath argument.

In exchange, it is a breach of retro-compatibility. Given right now I
can't see any uses for sendmailPath other than what is supported by
system-sendmail, I didn't keep it, but it'd be possible to allow
sendmailPath to override the choice of sendmail from system-sendmail.
2019-02-07 17:36:51 +01:00
Léo Gaspard
a59a9a7e60
Merge branch 'pr-55320'
* pr-55320:
  nixos/release-notes: mention breaking changes with matrix-synapse update
  nixos/matrix-synapse: reload service with SIGHUP
  nixos/tests/matrix-synapse: generate ca and certificates
  nixos/matrix-synapse: use python to launch synapse
  pythonPackages.pymacaroons-pynacl: remove unmaintained fork
  matrix-synapse: 0.34.1.1 -> 0.99.0
  pythonPackages.pymacaroons: init at 0.13.0
2019-02-07 17:12:04 +01:00
nyanloutre
e088eb34d9 nixos/release-notes: mention breaking changes with matrix-synapse update 2019-02-07 16:53:30 +01:00
Guillaume Maudoux
4c0230eb56 nixos/manual: warn on missing xml:id 2019-02-07 16:35:24 +01:00
Maximilian Bosch
d9e455a026
nixos/grafana: add changelog entry for dashboard and datasource provisioning 2019-02-06 12:55:01 +01:00
aanderse
b8a9c3fbfd redmine: 3.4.8 -> 4.0.1 (#55234)
* redmine: 3.4.8 -> 4.0.1

* nixos/redmine: update nixos test to run against both redmine 3.x and 4.x series

* nixos/redmine: default new installs from 19.03 onward to redmine 4.x series, while keeping existing installs on redmine 3.x series

* nixos/redmine: add comment about default redmine package to 19.03 release notes

* redmine: add aandersea as a maintainer
2019-02-05 11:51:33 +00:00
Maximilian Bosch
722af384ea
nixos/ndppd: add short changelog entry 2019-02-04 21:47:13 +01:00
Maximilian Bosch
e998f5140f
nixos-build-vms: pass --option to nix-build
Also simplified the argument parsing to write all currently supported
CLI options into a bash array and pass this to `nix-build`.

Also documented `--option` usage in the corresponding manpage.
2019-02-04 10:46:12 +01:00
CrazedProgrammer
6e77cef7b0 nixos/release-notes: mention removal of astah-community 2019-02-02 12:25:12 +01:00
Vladimír Čunát
8ba516664b
Merge branch 'staging-next' into staging 2019-02-01 09:42:53 +01:00
danbst
f47bfce584 make back /etc/static absolute symlink 2019-01-31 09:29:44 +02:00
Florian Jacob
fc8e1745c0 nixos/etc: Make symlinks relative instead of absolute
so that the links can be followed if the NixOS installation is not mounted as filesystem root.
In particular, this makes /etc/os-release adhere to the standard:
https://www.freedesktop.org/software/systemd/man/os-release.html
Fixes #28833.
2019-01-31 09:17:35 +02:00
aanderse
c6cd07707b nixos/httpd: rename apache log files to have a .log file extension (#54529)
nixos/httpd: rename apache log files to have a .log file extension
2019-01-31 04:04:58 +02:00
Danylo Hlynskyi
30c312341f
Merge pull request #54637 from danbst/small-eval-optimization
module system: small eval optimization
2019-01-31 00:42:24 +02:00
danbst
27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
Florian Klink
d3c2ed21d0
Merge pull request #53762 from ju1m/nslcd
Improving integration of `nslcd`, PAM and `openldap`.
2019-01-30 19:34:40 +01:00
laMudri
75f58dcc11 release notes: mention ibus-table config change 2019-01-29 22:55:59 +00:00
worldofpeace
dc923b6ad1 nixos/pulseaudio: disable flat-volumes by default
The motivation for this is that some applications are unaware
of this feature and can set their volume to 100% on startup
harming people's ears and possibly blowing someone's audio
setup.

I noticed this in #54594 and by extension epiphany[0].

Please also note that many other distros have this default for
the reason outlined above.

Closes #5632 #54594

[0]: https://bugzilla.gnome.org/show_bug.cgi?id=675217
2019-01-27 19:51:26 +00:00
Matthew Bauer
92f0f8dd68 Merge remote-tracking branch 'NixOS/master' into staging 2019-01-27 00:01:13 -05:00
Matthew Bauer
6604240a4b nixos/manual: use default bs value
Apparently this is a little slower but much safer & not prone to
potential argument errors.
2019-01-26 22:48:32 -05:00
worldofpeace
2912e6c840 release-notes/rl-1903: add pantheon 2019-01-24 20:54:14 +00:00
Danylo Hlynskyi
ab31b13401
Merge pull request #52991 from danbst/zram-zstd
zramSwap: allow configure compression algorithm + cleanups
2019-01-23 09:30:55 +02:00
Samuel Dionne-Riel
50555a6d35
Merge pull request #54330 from samueldr/fix/disable-tests-shell-access
Revert "Add ssh backdoor to VM tests infrastructure."
2019-01-19 14:20:15 -05:00
Samuel Dionne-Riel
3aab228d09 Revert "Add ssh backdoor to VM tests infrastructure."
This reverts commit d6e3db44cf.

See #53935 for explanations. In short, it may be causing issues with
tests on the build infrastructure.
2019-01-19 13:24:39 -05:00
Matthew Bauer
1ff9a93e1c nixos/doc: bs=1000000 for dd args (#54280)
Not all dd implementations take ‘bs=1m’. Better to just list it out
fully to reduce potential for problems.

Fixes #54181.
2019-01-18 19:19:00 +02:00
buffet
5c06a4a30c Updated default DM 2019-01-18 18:11:00 +01:00
step21
586bbd20e8 nixos/nixpkgs: virtualbox docs update (#54247) 2019-01-18 09:22:15 +00:00
Julien Moutinho
65cfba23af nixos/tests: test LDAP password changing through nslcd
NOTE: slapd.conf is deprecated, hence use cn=config.
2019-01-18 05:13:42 +01:00
danbst
8d8a7210e4 zramSwap: allow configure compression algorithm + cleanups
- add `zramSwap.algorithm` option, which allows to change compressor
declaratively. zstd as default
- add `zramSwap.swapDevices` option, which allows to define how many zram
devices will be used as swap. Rest devices can be managed freely
- simpler floating calculations
- fix udev race condition
- some documentation changes
- replaced `/sys/block/zram*` handling with `zramctl`, because I had occasional
"Device is busy" error (looks like zram has to be configured in predefined order)
- added `memoryPercent` and `algorithm` as restart triggers. I think, it was
a bug that changing `memoryPercent` in configuration wasn't applied immediately.
- removed a bind to .swap device. While it looks natural (when swap device goes
off, so should zram device), it wasn't implemented properly. This caused problems
with swapon/swapoff:
```
$ cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/zram0                              partition       8166024 0       -2
/var/swapfile                           file            5119996 5120    1

$ sudo swapoff -a

$ sudo swapon -a
swapon: /dev/zram0: read swap header failed

$ cat /proc/swaps
Filename                                Type            Size    Used    Priority
/var/swapfile                           file            5119996 0       1
```
2019-01-17 15:58:53 +02:00
Vladimír Čunát
9d16949d42
nixos manual: fix a typo that made it invalid XML
The problem was merge to master in the bfbadab4 commit.
2019-01-13 23:23:32 +01:00
Frederik Rietdijk
9f827d66f5
Update nixos/doc/manual/man-nixos-rebuild.xml
Co-Authored-By: Mic92 <Mic92@users.noreply.github.com>
2019-01-12 18:26:00 +00:00
Frederik Rietdijk
f45195fb44
Update nixos/doc/manual/man-nixos-rebuild.xml
Co-Authored-By: Mic92 <Mic92@users.noreply.github.com>
2019-01-12 18:25:52 +00:00
Jörg Thalheim
e40bfa4d85
nixos-rebuild: allow to override builders
Since nix 2.0 the no-build-hook option was replaced by the builders options
that allows to override remote builders ad-hoc.
Since it is useful to disable remote builders updating nixos without network,
this commit reintroduces the option.
2019-01-11 11:40:25 +00:00
(cdep)illabout
46ecec8239
nixos/cpufreq: Remove the alias to set the cpu frequency governor
This PR temporarily fixes the issue with PR 53041 as explained
here:

https://github.com/NixOS/nixpkgs/pull/53041#commitcomment-31825338

The alias `powerManagement.cpufreq.governor` to
`powerManagement.cpuFreqGovernor` has been removed.
2019-01-03 20:57:49 +09:00
(cdep)illabout
b0f10d2d53
cpufreq: add option for setting the cpu max and min frequencies
This adds a NixOS option for setting the CPU max and min frequencies
with `cpufreq`.  The two options that have been added are:

- `powerManagement.cpufreq.max`
- `powerManagement.cpufreq.min`

It also adds an alias to the `powerManagement.cpuFreqGovernor` option as
`powerManagement.cpufreq.governor`.  This updates the installer to use
the new option name.  It also updates the manual with a note about
the new name.
2019-01-01 19:18:12 +09:00
Frederik Rietdijk
c6e043d57c Remove composableDerivation, closes #18763 2018-12-30 12:33:45 +00:00
adisbladis
0ff4d0a516
fish: 2.7.1 -> 3.0.0 2018-12-28 21:23:24 +00:00
Craig Younkins
8b12b17df3
treewide: Fix broken Gmane URLs 2018-12-25 22:34:55 -05:00
Florian Klink
3539f3875a release-notes/rl-1903: add security.googleOsLogin 2018-12-21 18:01:36 +01:00
Florian Klink
d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing its 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Florian Klink
91c65721f7 owncloud: remove server
pkgs.owncloud still pointed to owncloud 7.0.15 (from May 13 2016)

Last owncloud server update in nixpkgs was in Jun 2016.
At the same time Nextcloud forked away from it, indicating users
switched over to that.

cc @matej (original maintainer)
2018-12-16 15:05:53 +01:00
Arian van Putten
ef6ed03e2f nixos/nscd: Address doc feedback 2018-12-12 15:35:40 +01:00
Arian van Putten
335b41b3fb nixos/nscd: Add release note entry about nscd changes 2018-12-12 15:35:40 +01:00
Florian Jacob
ed6a60de1e nixos/matomo: add automatic archive processing 2018-12-09 14:42:27 +01:00
Jörg Thalheim
91a7848fe2
nixos/release-notes: mention removal of quassel-webserver 2018-12-08 16:31:28 +00:00
Mario Rodas
f1dd6faaaa
docs: Remove nix-repl references
nix-repl has been deprecated
2018-12-03 21:37:54 -05:00
markuskowa
506d4c7e44
Merge pull request #51329 from c0bw3b/cleanup/gnu-https
Favor HTTPS URLs - the GNU edition
2018-12-02 16:52:33 +01:00
c0bw3b
0498ccd076 Treewide: use HTTPS on GNU domains
HTTP -> HTTPS for :
- http://gnu.org/
- http://www.gnu.org/
- http://elpa.gnu.org/
- http://lists.gnu.org/
- http://gcc.gnu.org/
- http://ftp.gnu.org/ (except in fetchurl mirrors)
- http://bugs.gnu.org/
2018-12-02 15:51:59 +01:00
Tobias Happ
95cbb71abe nixos/nm-applet: add nm-applet program 2018-12-02 12:18:47 +01:00
Florian Klink
43762227f8
Merge pull request #49385 from krav/gitlab-shell-authorized-keys
gitlab-shell: 8.3.3->8.4.1, fix hardcoded paths
2018-11-29 21:18:08 +01:00
Florian Klink
3caeeabb14 gitlab: stop regenerating the authorized_keys file 2018-11-28 23:09:23 +01:00
Renaud
36994f8620
Merge pull request #51073 from erikarvstedt/docs
Minor doc fixes
2018-11-28 20:34:53 +01:00
Svein Ove Aas
24865963f0 modularity: Document the ability to use non-files in imports (#50503)
* modularity: Document the ability to use non-files in imports
* Update nixos/doc/manual/configuration/modularity.xml

Co-Authored-By: Baughn <svein@google.com>
2018-11-28 12:39:51 +01:00
Brandon Black
dacbd5a61a nixos/ntp: use upstream default restrictions to avoid DDoS (#50762)
Fixes #50732
2018-11-28 10:15:25 +00:00
Erik Arvstedt
931b7b47a2 nixos tests doc: minor fixes
This fixes some quirks I introduced in previous commits.

1. No need for an extra newline when printing the output of shell commands.
2. 'or die' is what's already used in the NixOS test sources, while
   'die unless' has no occurrences.
2018-11-26 19:36:50 +01:00
Jörg Thalheim
d3aeed389c
Merge pull request #50641 from blaxill/firewallMerge
nixos/firewall: Always use global firewall.allowed rules
2018-11-23 11:42:16 +00:00
Ben Blaxill
308ab4ea25 Rename back to default and better release notes 2018-11-22 19:24:23 -05:00
Ben Blaxill
b48c6d051b Add release notes 2018-11-21 17:08:12 -05:00
Craig Younkins
a629f967f7 Fix release notes XML para closing tag 2018-11-20 18:46:52 +00:00
Frederik Rietdijk
63c6875f26 Merge master into staging-next 2018-11-18 10:32:12 +01:00
zimbatm
b56191746e
nixos: doc typo and ws 2018-11-16 22:44:55 +01:00
Jörg Thalheim
6f607b806d
Merge pull request #49821 from DIzFer/profiles-documentation
Docs: Add chapter on Profiles
2018-11-14 11:32:12 +00:00
Tobias Happ
4839403dd6 nixos/{lightdm,sddm,xpra}: remove enabling of logToFile 2018-11-13 21:52:37 +01:00
Robert Hensing
dd3aca2d0b
Merge pull request #49256 from roberth/nixos-nixpkgs-pkgs-use-overlays
NixOS: use overlays when nixpkgs.pkgs is set
2018-11-13 09:55:24 +01:00
Frederik Rietdijk
7863aae5b2 Merge master into staging-next 2018-11-11 08:59:44 +01:00
Silvan Mosberger
e468a1091b
Merge pull request #48687 from danielrutz/port-type
Add port type
2018-11-10 15:12:07 +01:00
Frederik Rietdijk
53d00c3351 Merge master into staging-next 2018-11-10 11:08:54 +01:00
Samuel Dionne-Riel
2f668e3248
Merge pull request #40043 from kierdavis/ckb-update-and-cleanup
ckb/ckb-next: 0.2.9 -> 0.3.2, and cleanup
2018-11-09 23:59:58 +00:00
rnhmjoj
21dfccd93d
nixos/manual: move syncthing notice in the right position 2018-11-07 08:32:03 +01:00
Jörg Thalheim
bac872592c
Typo in clone-config
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 23:08:26 +01:00
David Izquierdo
6abe1e5981 Even more typos in hardened 2018-11-06 22:54:43 +01:00
Jan Tojnar
6be1696c80
Update nixos/doc/manual/configuration/profiles/demo.xml
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 22:51:33 +01:00
Jan Tojnar
dbd1a5f216
Second typo in docker-container
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 22:50:25 +01:00
Jan Tojnar
c7e3f19fc2
Fixed typo in docker-container
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 22:49:44 +01:00
Jörg Thalheim
f488a072f9
Update nixos/doc/manual/configuration/profiles/clone-config.xml
Co-Authored-By: DIzFer <david@izquierdofernandez.com>
2018-11-06 22:48:05 +01:00
David Izquierdo
b303688f46 Docs: init section QEMU Guest in chapter Profiles 2018-11-06 12:58:41 +01:00
David Izquierdo
62e64978d2 Docs: init section Minimal in chapter Profiles 2018-11-06 12:58:30 +01:00
David Izquierdo
d2af8fb3d2 Docs: init section Installation Device in chapter Profiles 2018-11-06 12:58:14 +01:00
David Izquierdo
670ee54a28 Docs: init section Headless in chapter Profiles 2018-11-06 12:58:05 +01:00
David Izquierdo
614ea40443 Docs: init section Hardened in chapter Profiles 2018-11-06 12:57:50 +01:00
David Izquierdo
b10d669919 Docs: init section Graphical in chapter Profiles 2018-11-06 12:57:37 +01:00
David Izquierdo
207bbdcb91 Docs: init section Docker Container in chapter Profiles 2018-11-06 12:57:25 +01:00
David Izquierdo
40f2cdb302 Docs: init section Demo in chapter Profiles 2018-11-06 12:56:48 +01:00
David Izquierdo
e6445abe64 Docs: Stub for section Clone Config in chapter Profiles 2018-11-06 12:56:22 +01:00
David Izquierdo
4c02d4cb55 Docs: init section Base in chapter Profiles 2018-11-06 12:56:07 +01:00
David Izquierdo
57d9bc4ce2 Docs: init chapter Profiles with section All Hardware 2018-11-06 12:55:37 +01:00
Sarah Brofeldt
81de3e39b0
Merge pull request #49516 from johanot/kubedns-to-coredns
nixos/kubernetes: KubeDNS -> CoreDNS
2018-11-06 10:30:49 +01:00
Kier Davis
3b7984dd51
Merge branch 'master' into ckb-update-and-cleanup 2018-11-06 00:47:14 +00:00
Robert Hensing
03fc1167e8
Merge branch 'master' into nixos-nixpkgs-pkgs-use-overlays 2018-11-04 14:19:33 +01:00
Andreas Rammhold
c891dac82f
Merge pull request #49283 from aanderse/solr
solr: 4.10.3 -> 7.5.0, refactor service to reflect major changes in version bump
2018-11-04 13:24:15 +01:00
Frederik Rietdijk
cb4ff927a1 Merge master into staging-next 2018-11-04 08:49:24 +01:00
Robert Hensing
5341e145c3 release-notes/19.03: nixpkgs.pkgs and nixpkgs.overlays now combine 2018-11-03 19:48:42 +01:00
Niklas Hambüchen
32c2d48524 nixos manual: Add changelog for consul
Signed-off-by: Niklas Hambüchen <mail@nh2.me>
2018-11-03 18:44:48 +01:00
Aaron Andersen
1b725def23 solr: 4.10.3 -> 7.5.0, refactor service to reflect major changes in version bump, NixOS test included 2018-11-03 13:14:13 -04:00
Vladimír Čunát
a92a2c8e15
Merge branch 'master' into staging
Conflict: rename of pythondaemon -> python-daemon.
2018-11-02 14:40:14 +01:00
Joachim F
2dc0fc6516
Merge pull request #47526 from rnhmjoj/syncthing
nixos/syncthing: move configuration to configDir
2018-11-02 12:02:51 +00:00
Johan Thomsen
eea2db1240 nixos/kubernetes: Added rl-1903 entry documenting kubedns -> coredns 2018-10-31 13:41:04 +01:00
xeji
6efd811062
Merge pull request #49348 from markuskowa/mod-slurm-upgrade
nixos/slurm: add slurmdbd, run daemons as user
2018-10-31 00:16:11 +01:00
Robin Gloster
4c8a198f12 tests/docs: remove remnants of old allowPing default (#49198)
This has been defaulting to true since 16.03, we don't need this code
anymore, also the note in the documentation has been obsolete for quite
a while.
2018-10-30 22:26:43 +01:00
Frederik Rietdijk
1d196d99be Merge staging-next into staging 2018-10-30 20:35:15 +01:00
Markus Kowalewski
d2799d1835
nixos/slurm: node/partitionName option -> list
Make the node and partitionname options lists.
There can be more than one partition or set of nodes.

Add changes to release notes
2018-10-30 19:50:52 +01:00
Markus Kowalewski
111d4eb090
nixos/slurm: run ctld as user and fix spool dir
* run as user 'slurm' per default instead of root
* add user/group slurm to ids.nix
* fix default location for the state dir of slurmctld:
  (/var/spool -> /var/spool/slurmctld)
* Update release notes with the above changes
2018-10-30 19:50:46 +01:00
Alyssa Ross
5bde0f6002
release notes: update for postgres rename 2018-10-30 14:33:36 +00:00
Alyssa Ross
c6c7d55790
postgresql*: use underscores in version numbers 2018-10-30 14:32:21 +00:00
Alyssa Ross
94360c11e9
docs: update sample postgresql package
postgresql90 no longer exists in nixpkgs.
2018-10-30 12:40:24 +00:00
Eric Wolf
30d2792091 nixos/release-notes for 18.09: fix missing entry
- the addition of the groups kvm and render breaks the configuration of
   users, which added them
2018-10-30 08:41:13 +01:00
xeji
21a7ca7c08
Merge pull request #49074 from c0bw3b/pkg/veracrypt
veracrypt: 1.22 -> 1.23 / truecrypt: remove and alias to veracrypt
2018-10-29 23:53:29 +01:00
Léo Gaspard
58f701ab74 opensmtpd: 6.0.3p1 -> 6.4.0p1 2018-10-27 12:15:09 +09:00
c0bw3b
b47fccff0a truecrypt: remove and alias to veracrypt
TrueCrypt has been retired for a while now and the source archive we
pointed to is gone. Moreover the VeraCrypt fork is available, maintained
and fixes issues previous audits found in TrueCrypt.
2018-10-24 20:34:17 +02:00
Frederik Rietdijk
0f38d9669f python3 is now python37 instead of python36
With Python 3.7 now at 3.7.1, and Python 3.6 at its final maintenance
mode release, it is time to move on to 3.7 as the default interpreter.
2018-10-24 20:05:44 +02:00
Kier Davis
81178785c9
ckb, ckb module: rename to ckb-next
The upstream package has officially changed its name to ckb-next.
2018-10-22 13:23:30 +01:00
Léo Gaspard
5cd6c65054 wasm: remove alias to unbreak the channel
Nixpkgs' channel currently can't move forward so long as there is a
trace in evaluating the top-level arguments. Which means that it isn't
possible to add a warning message to warn users of future package
removal.

So the only way forward appears to be just removing the alias
altogether.

(cherry picked from commit b4133ebc17)
2018-10-22 09:58:00 +02:00
Daniel Rutz
0885a65169 nixos/doc: Add documentation for types.port type 2018-10-19 12:33:24 +02:00
Silvan Mosberger
e443bbf6fd
Merge pull request #45470 from Infinisil/znc-config
nixos/znc: More flexible module, cleanups
2018-10-17 03:01:30 +02:00
rnhmjoj
16f67637ba
nixos/syncthing: move configuration to configDir
fixes #47513 following the upstream recommended settings:
https://github.com/syncthing/syncthing/issues/3434#issuecomment-235401876
2018-10-15 20:34:50 +02:00
Graham Christensen
94c6f1ba0e
Merge pull request #48463 from Ekleog/release-notes-license
release-notes/18-09: add licenses marked as unfree
2018-10-15 10:33:31 -04:00
Léo Gaspard
861b70f483
nixos manual: automatic reflow 2018-10-15 23:10:55 +09:00
Léo Gaspard
2a2c99673b
release-notes/18-09: add licenses marked as unfree 2018-10-15 23:10:54 +09:00
Silvan Mosberger
7e31678043
nixos/znc: Add release note entry for removed options 2018-10-14 20:39:50 +02:00
Yegor Timoshenko
6e4d0c4a8a
Merge pull request #47691 from florianjacob/matomo-choose-package
nixos/matomo: introduce services.matomo.package option
2018-10-13 15:27:00 +00:00
Florian Jacob
a1825aecfc
nixos/matomo: introduce services.matomo.package option 2018-10-13 15:25:12 +00:00
Ben Wolsieffer
73c523a605 buildbot: add Python 3 support 2018-10-11 21:39:11 -04:00
Samuel Dionne-Riel
c3c4a9249d
Merge pull request #48025 from samueldr/fix/actually-fix-partitioning-instructions
nixos/doc: Actually fix partitioning instructions.
2018-10-09 23:00:46 -04:00
Samuel Dionne-Riel
7fb45271b2
Merge pull request #47917 from arianvp/fix-imperative-containers
Fix imperative containers
2018-10-08 16:55:38 -04:00
Matthew Bauer
52ed0526fe
Merge pull request #45978 from fgaz/patch-1
nixos docs: system restart to apply containers nat
2018-10-08 13:48:14 -05:00
Samuel Dionne-Riel
467bec34bb nixos/doc: Actually fix partitioning instructions.
The previous tentative to the fix got the order mixed up a bit. This
new fix has been re-verified to get them in the good order as per the
instructions in the following chapters.
2018-10-08 12:35:04 -04:00
Will Dietz
003c20e02c
Merge pull request #47554 from dtzWill/update/light-1.2
light: 1.1.2 -> 1.2, use new udev support instead of setuid wrapper.
2018-10-05 23:15:44 -05:00
Samuel Dionne-Riel
82d1bf9691 nixos/doc: Updates release date for 18.09 2018-10-05 18:32:42 -04:00
Samuel Dionne-Riel
31b1553880
Merge pull request #47575 from samueldr/1809/release-notes
Updates 18.09 release notes for release.
2018-10-05 18:17:04 -04:00
Arian van Putten
bb31835b1d Revert "Revert "Revert "doc: Update section about imperative containers"""
nixos-container can now execute nix commands again inside the container

This reverts commit 9622cd3b38.
2018-10-05 18:36:56 +02:00
Samuel Dionne-Riel
6cfbf403ca doc: Reviews partitioning instructions to use parted.
The tests in <nixos/tests/installer.nix> are using `parted`, so they are
bound to be better tested than `fdisk`.

This is brought on by a couple issues, plus reports on IRC that the
`fdisk` instructions didn't work as expected.

 * #39354
 * #46309
 * #39942
 * #45478

Care was taken so that the other documented steps did not need changes.

In all this kerfuffle, a slight re-organization of the Chapter has been
made, allowing better deep linking.
2018-10-03 22:34:58 -04:00
Samuel Dionne-Riel
8467dc857b doc: installing-usb: removes notes about unetbootin.
They are known to cause more issues than solving issues; furthermore
using `dd` should work everywhere without fail.
2018-10-03 22:34:58 -04:00
Samuel Dionne-Riel
8192fcd0fd doc: installing-usb make macOS note a note.
While it seemingly brings more attention to the macOS notes with the
default docbook template, it better represents which parts of the
section are about macOS, and which parts are simply in the flow of the
text; otherwise the last paragraph may be lost into the details for
macOS.
2018-10-03 22:34:57 -04:00
Samuel Dionne-Riel
2c0d56f007 nixos/doc: Adds sub-folder to input files. 2018-10-03 22:34:57 -04:00
Samuel Dionne-Riel
6487a47996 Updates 18.09 release notes for release. 2018-10-02 23:47:37 -04:00