Commit Graph

25330 Commits

Author SHA1 Message Date
Naïm Favier
e869dc0ce0
Revert "nixosTests.gnome: add autologin delay to catch GDM failures" 2022-01-20 13:04:47 +01:00
Lassulus
634bcb85e2
Merge pull request #155478 from ivanbrennan/xmonad-enable-configured-recompile
XMonad: enable configured recompile
2022-01-20 11:27:13 +01:00
ivanbrennan
44af29e6f5 nixosTests.xmonad: test configured recompilation
Add test coverage for the enableConfiguredRecompile option, checking
that we can compile and exec a new xmonad from a user's local config, as
well as restart the originally configured xmonad.

As I needed a reliable way to wait for recompilation to finish before
proceeding with subsequent test steps, I adjusted the startup behavior
to write a file ("oldXMonad" or "newXMonad") to /etc upon startup, and
replaced some "sleep" calls with "wait_for_file".
2022-01-20 01:48:05 -05:00
Sandro
67f0e333d6
Merge pull request #142706 from euank/k3s-tests-update 2022-01-20 03:22:26 +01:00
Sandro
ecebce4031
Merge pull request #153075 from mattchrist/bind-forward-only 2022-01-20 03:04:47 +01:00
ivanbrennan
6c72deb51b nixos/xmonad: update example config
Update the example config to show a working example for xmonad 0.17.0, which
added an argument to the `launch` function and adjusted the location of the
recompiled binary.
2022-01-19 20:31:05 -05:00
ajs124
0efda5e2d0 nixos/dovecot: make use of mkEnableOption 2022-01-20 00:37:02 +01:00
Michele Guerini Rocco
2da332aa2d
Merge pull request #155535 from risicle/ris-libreswan-4.6
libreswan: 4.5 -> 4.6
2022-01-19 22:42:49 +01:00
ajs124
c6683b4f27 nixos/dovecot: make ssl_dh optional
hasn't been needed since 2.3.3, in fact it is encouraged not to use such cipher suites anymore
2022-01-19 22:39:57 +01:00
Pascal Bach
e34a112c18
Merge pull request #155510 from yayayayaka/fix-nextcloud-test
nixos/nextcloud: Fix nixos test on master
2022-01-19 21:48:43 +01:00
pennae
989fd06cb8 nixos/ssh: add release notes for extraHostNames option 2022-01-19 17:21:11 +01:00
datafoo
1d3f0903a8 nixos/mosquitto: add package option 2022-01-19 15:59:53 +01:00
Taeer Bar-Yam
552b80dc51
add defaultText
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
2022-01-19 09:39:50 -05:00
Taeer Bar-Yam
aa99bd69f0
fix punctuation
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
2022-01-19 09:38:13 -05:00
Maciej Krüger
8f086db04f
nixos/cinnamon: fix gnome alias deperaction 2022-01-19 15:33:57 +01:00
Taeer Bar-Yam
8fa2e787f1 modules/programs/ssh: knownHosts -> extraKnownHosts 2022-01-19 08:48:41 -05:00
Robert Hensing
f22ffbc14e
Merge pull request #155598 from hercules-ci/cleanup-nixos-test-lorri
nixos/tests/lorri: Remove redundant stdout redirect
2022-01-19 13:25:28 +01:00
Sandro
42cbcca501
Merge pull request #125474 from jojosch/dnsdist-1.6.0 2022-01-19 11:55:12 +01:00
rnhmjoj
741a585052
nixos/tests/libreswan: fixup 739c51ae4e 2022-01-19 11:43:01 +01:00
Robert Hensing
54a62ae266 nixos/tests/lorri: Remove redundant stdout redirect
Introduced accidentally in https://github.com/NixOS/nixpkgs/pull/144679
2022-01-19 11:22:23 +01:00
Johannes Schleifenbaum
612ad7776a
nixos/dnsdist: add test 2022-01-19 08:24:02 +01:00
Jörg Thalheim
966ea2c020
Merge pull request #150360 from Enzime/fix-netboot-cmdline
netboot: Support cmdline variable from netboot.xyz
2022-01-19 06:53:04 +00:00
sternenseemann
48965506a1 lib/asserts: use throw to display message for assertMsg
`assert` has the annoying property that it dumps a lot of code at the
user without the built in capability to display a nicer message. We have
worked around this using `assertMsg` which would *additionally* display
a nice message. We can do even better: By using `throw` we can make
evaluation fail before assert draws its conclusions and prevent it from
displaying the code making up the assert condition, so we get the nicer
message of `throw` and the syntactical convenience of `assert`.

Before:

    nix-repl> python.override { reproducibleBuild = true; stripBytecode = false; }
    trace: Deterministic builds require stripping bytecode.
    error: assertion (((lib).assertMsg  (reproducibleBuild -> stripBytecode))  "Deterministic builds require stripping bytecode.") failed at /home/lukas/src/nix/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/default.nix:45:1

After:

    nix-repl> python.override { reproducibleBuild = true; stripBytecode = false; }
    error: Deterministic builds require stripping bytecode.
2022-01-19 00:50:06 +01:00
Robert Hensing
ef6f8783ea nixos/doc/rl-2205.section.md: Hint to avoid merge conflicts 2022-01-18 23:40:28 +01:00
Nikolay Amiantov
e5e160e08e
Merge pull request #155367 from talyz/keycloak-loadcredential
nixos/keycloak: Use LoadCredential to load secrets + module formatting
2022-01-19 00:47:58 +03:00
Jules Aguillon
df590070b0 types.singleLineStr: strings that don't contain '\n'
Add a new type, inheriting 'types.str' but checking whether the value
doesn't contain any newline characters.

The motivation comes from a problem with the
'users.users.${u}.openssh.authorizedKeys' option.
It is easy to unintentionally insert a newline character at the end of a
string, or even in the middle, for example:

    restricted_ssh_keys = command: keys:
      let
        prefix = ''
          command="${command}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding
        '';
      in map (key: "${prefix} ${key}") keys;

The 'prefix' string ends with a newline, which ends up in the middle of
a key entry after a few manipulations.

This is problematic because the key file is built by concatenating all
the keys with 'concatStringsSep "\n"', with result in two entries for
the faulty key:

    ''
      command="...",options...
      MY_KEY
    ''

This is hard to debug and might be dangerous. This is now caught at
build time.
2022-01-18 22:06:34 +01:00
Sandro
5c4fa6964f
Merge pull request #138386 from Yarny0/tsm-client 2022-01-18 20:50:28 +01:00
Lara
909536115d nixos/nextcloud: Fix nixos test on master
Resolves #155509
2022-01-18 19:09:22 +00:00
Lara
7109660b9a nixos/nextcloud: Optionally disable setting HTTP response headers
This commit introduces a new option
`services.nextcloud.nginx.recommendedHttpHeaders` that can be used to
optionally disable serving recommended HTTP Response Headers in nginx.
This is especially useful if some headers are already configured
elsewhere to be served in nginx and thus result in duplicate headers.

Resolves #120223
2022-01-18 18:33:11 +00:00
bb2020
272fc86d2c nixos/mbpfan: convert to structural settings 2022-01-18 21:31:33 +03:00
bb2020
6f7bf7bc46 nixos/mbpfan: set aggressive default values 2022-01-18 21:26:52 +03:00
pennae
54fcd869d8
Merge pull request #155009 from domenkozar/cachix-agent
nixos: add cachix-agent service
2022-01-18 17:06:39 +00:00
Pascal Bach
fa233bca31 nixos/gitea: allow specifying dump format and name 2022-01-18 18:05:33 +01:00
Vladimír Čunát
24bb158cf0
Merge #143715: nixos/malloc: fix scudo on aarch64-linux 2022-01-18 17:39:33 +01:00
pennae
21115ea8f9
Merge pull request #155041 from tokudan/ssh-rename-optionCRA
openssh: Rename option, old option is deprecated upstream
2022-01-18 16:07:20 +00:00
Domen Kožar
91cc0cf63b
Update nixos/modules/services/system/cachix-agent/default.nix
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
2022-01-18 16:49:18 +01:00
talyz
07b64a2ad7
nixos/bookstack: Add option config to replace extraConfig
The `extraConfig` parameter only handles text - it doesn't support
arbitrary secrets and, with the way it's processed in the setup
script, it's very easy to accidentally unescape the echoed string and
run shell commands / feed garbage to bash.

To fix this, implement a new option, `config`, which instead takes a
typed attribute set, generates the `.env` file in nix and does
arbitrary secret replacement. This option is then used to provide the
configuration for all other options which change the `.env` file.
2022-01-18 15:16:23 +01:00
talyz
a0b54a0626
nixos/bookstack: Simplify the nginx setup
Use the recommended defaults and remove unnecessary configuration.
2022-01-18 15:16:17 +01:00
talyz
df607c1d1f
nixos/bookstack: Make the hostname configurable...
...and set a reasonable default `appURL` based on it.

This is pretty much required when configuring ACME, and useful in
general.
2022-01-18 15:16:11 +01:00
talyz
e7fa7fdffc
nixos/bookstack: Clear the cache more reliably
When upgrading bookstack, if something in the cache conflicts with the
new installation, the artisan commands might fail. To solve this, make
the cache lifetime bound to the setup service. This also removes the
`cacheDir` option, since the path is now handled automatically by
systemd.
2022-01-18 15:16:04 +01:00
Franz Pletz
70630b4a19
Merge pull request #155299 from numinit/mattermost-6.3 2022-01-18 14:27:54 +01:00
Daniel Frank
d851c11a9f
openssh: add release-notes entry for services.openssh.{challengeResponseAuthentication -> kbdInteractiveAuthentication} 2022-01-18 14:01:20 +01:00
Daniel Frank
11b2191b74
openssh: Update tests to use new option name 2022-01-18 13:58:33 +01:00
Daniel Frank
6d985ef174
openssh: Rename option, old option is deprecated upstream 2022-01-18 13:58:29 +01:00
pennae
363577461d
Merge pull request #153346 from Stunkymonkey/borg-persistent
nixos/borgbackup: Add a persistentTimer option.
2022-01-18 12:29:17 +00:00
Janne Heß
44cb0a4c67
Merge pull request #155443 from vs49688/sy
nixos/modules/syncthing: add 22000/udp to firewall
2022-01-18 13:27:06 +01:00
Franz Pletz
76aa0af628
Merge branch 'master' into mattermost-6.3 2022-01-18 13:23:38 +01:00
Felix Buehler
7caa6f4de4 nixos/borgbackup: move systemd.timers logic into single block 2022-01-18 12:53:36 +01:00
pennae
42d6774dc7
Merge pull request #155295 from InternetUnexplorer/nix-serve-open-firewall
nixos/nix-serve: add openFirewall option
2022-01-18 09:36:12 +00:00
Domen Kožar
42994be64b nixos: add cachix-agent service 2022-01-18 10:26:47 +01:00
Artturi
78ff70f529
Merge pull request #153762 from Artturin/ananicymod1 2022-01-18 10:49:13 +02:00
ivanbrennan
a3ea1bc599 nixos/xmonad: enableConfiguredRecompile
Commit 9a5b5d9fe8 added Haskell
dependencies (GHC and packages) to the xmonad binary's environment even
if xmonad had been preconfigured (via the "config" option). The intent
was to enable one-off recompiling using a local config file (e.g.
~/.config/xmonad/xmonad.hs), so the user can get quick feedback while
developing their config.

While this works, it may not be a common use-case, and it requires some
careful crafting in xmonad.hs itself. On top of that, it significantly
increases the size of the closure.

Given all that, commit b69d9d3c23 removed
GHC and packages from the binary's environment.

But there are still those among us who want to be able to recompile from
a preconfigured xmonad, so let's provide a way to opt-into configured
recompilation.
2022-01-18 00:04:15 -05:00
Zane van Iperen
f533a6d2bd
nixos/modules/syncthing: add 22000/udp to firewall 2022-01-18 11:40:06 +10:00
piegames
71358dd070
Merge pull request #154659: nixos/heisenbridge: Improve hardening 2022-01-18 01:30:12 +01:00
InternetUnexplorer
ecda6429f2 nixos/nix-serve: add openFirewall option 2022-01-17 15:14:02 -08:00
Bernardo Meurer
eaf7be02b9
Merge pull request #150859 from helsinki-systems/feat/redo-restart-by-activation-script 2022-01-17 21:11:09 +00:00
Martin Weinelt
e5b47c5c21
Merge pull request #155407 from pennae/mosquitto-startup 2022-01-17 21:29:37 +01:00
pennae
dc101d9fef nixos/mosquitto: wait for network-online.target, not network.target
network.target is reached earlier, but with much fewer services
available. DNS is likely to be not functional before
network-online.target, so waiting for that seems better for that reason
alone. the existing backends for network-online.target all seem to do
reasonable things (wait until all links are in *some* stable state), so
we shouldn't lose anything from waiting.
2022-01-17 20:58:50 +01:00
legendofmiracles
59a07c683a
Merge pull request #154791 from CRTified/fix-154775-adguardhome-settings 2022-01-17 12:45:24 -06:00
Janne Heß
2cf157c781
nixos/switch-to-configuration: Rework activation script restarts
This removes `/run/nixos/activation-reload-list` (which we will need in
the future when reworking the reload logic) and makes
`/run/nixos/activation-restart-list` honor `restartIfChanged` and
`reloadIfChanged`. This way activation scripts don't have to bother with
choosing between reloading and restarting.
2022-01-17 17:57:23 +01:00
Felix Buehler
91dfaa5453 nixos/borgbackup: start remote backup only if network is available 2022-01-17 15:42:39 +01:00
blargg
697198834c nixos/borgbackup: Add a persistentTimer option.
Persistent starts the backup service on power on if it was missed while
the system was powered down, for example.
2022-01-17 15:42:37 +01:00
Spencer Janssen
ed5883c1b6 zrepl: 0.4.0 -> 0.5.0 2022-01-17 15:35:45 +01:00
talyz
95430e31f5
nixos/keycloak: Reformat the code with nixpkgs-fmt 2022-01-17 12:47:53 +01:00
talyz
21b1de2bcd
nixos/keycloak: Inherit library functions and builtins
Instead of referencing all library functions through `lib.` and
builtins through `builtins.` at every invocation, inherit them into
the appropriate scope.
2022-01-17 12:42:30 +01:00
Yarny0
f6dca95c5d tsm-client: add test derivation and a module test
The tsm-client needs a tsm-server to do anything useful.
Without a server, automated tests can just
check diagnostic outputs for plausibility.

The commit at hand adds two tests:

1.
The command line interface `dsmc` is called,
then it is verified that the program does

* report the correct client version,
* find its configuration file,
* report a connection error.

2.
To check the GUI (and the tsm-client nixos module), we add a
vm test which uses the module to install `tsm-client-withGui`.
To verify that the GUI's basic functionality is present,
we skip over all connection failure related error
messages and open the "Connection Information"
dialog from the main application window.
This dialog presents the node name and the client version;
both are verified by the test.

Note: Our `tsm-client` build recipe consists of two packages:
The "unwrapped" package and the final package.
This commit puts the unwrapped one into the final
package's `passthru` so that tests can access
the original version string that is needed to check
the client version reported by the application.
2022-01-17 12:09:27 +01:00
Yarny0
c2192ed77a nixos/tsm-{client,backup}: use new type nonEmptyStr
The module option type `nonEmptyStr` was introduced in commit

a3c5f0cba8

The tsm modules previously simply used
`strMatching ".+"` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
2022-01-17 12:09:27 +01:00
Yarny0
c5effcaaea nixos/tsm-backup: enable most systemd sandboxing options
This enables some systemd sandboxing
options for the `tsm-backup.service`.
Those settings have been determined by expermentation.
This commit tries hard to protect the filesystem from
write access, but not to hide anything from read access,
so users can backup all files they choose to backup.
An exception are API filesystems (`/dev`, `/proc`, `/sys`):
As their "files" are not stored on persistent storage,
they are sandboxed away as much as possible.

Note that the service still has to run with root
privileges to reach files with limited access permissions.
The obvious alternative to use a dedicated user account and
the `CAP_DAC_READ_SEARCH` capability to permit system-wide
read access while blocking write access does not work.
Experiments have shown that `dsmc` verifies access permissions
for each file before attempting to open it for reading.
Hence `dsmc` refuses to copy files where the file permission
mode blocks read access -- even if process capabilities
would allow it to proceed irrespective of permissions.
2022-01-17 12:09:27 +01:00
Yarny0
3f6d1f5f60 nixos/tsm-{client,backup}: update links in module comments
IBM has changed the URL structures of their support web pages.
The commit at hand updates URLs in two comments
so they follow the new structure.
2022-01-17 12:09:27 +01:00
talyz
5010f4fff9
nixos/keycloak: Use LoadCredential to load secrets
Use systemd's LoadCredential mechanism to make the secret files
available to the service.

This gets rid of the privileged part of the ExecPreStart script which
only served to copy these files and assign the correct
permissions. There's been issues with this approach when used in
combination with DynamicUser, where sometimes the user isn't created
before the ExecPreStart script runs, causing the error

install: invalid user ‘keycloak’

This should fix that issue.

Unfortunately, all of the ExecPreStart script had to be moved to
ExecStart, since credentials aren't provided to ExecPreStart. See
https://github.com/systemd/systemd/issues/19604.
2022-01-17 11:46:51 +01:00
Timo Kaufmann
e3b041ac07
Merge pull request #145767 from midchildan/fix/noto-cjk
noto-fonts-cjk: add missing serif font
2022-01-17 11:23:40 +01:00
Ivan Kovnatsky
32c8a5de66
nixos/chromium: Add DefaultSearchProviderEnabled option
Without this option `DefaultSearchProviderSearchURL` and
`DefaultSearchProviderSuggestURL` are really wastefull as it does not
set search engine, at least for me.

Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2022-01-17 08:04:55 +02:00
Morgan Jones
9db1fb4772 nixos/mattermost: update release notes 2022-01-16 22:34:37 -07:00
CRTified
f9bc03e3c7 nixos/adguardhome: add test 2022-01-17 01:39:27 +01:00
Ben Darwin
43047ec128
nixos/rstudio-server: add to 22.05 release notes 2022-01-17 10:26:24 +11:00
Justin Bedo
0fe0153003
nixos/rstudio-server: init 2022-01-17 10:24:38 +11:00
pennae
d893b16bf9
Merge pull request #154388 from winterqt/thelounge-test
nixos/thelounge: add test
2022-01-16 21:49:35 +00:00
pennae
e65df99e39
Merge pull request #155260 from ncfavier/fix-prosody-filer
nixos/prosody-filer: remove usage of literalExample
2022-01-16 21:36:40 +00:00
Winter
cf12e0e7ed nixos/thelounge: add test 2022-01-16 16:25:45 -05:00
Naïm Favier
bbfca6b6b9
nixos/prosody-filer: remove usage of literalExample 2022-01-16 22:10:47 +01:00
pennae
4a44a5f126
Merge pull request #154061 from winterqt/borgbackup-empty-archive-base-name
nixos/borgbackup: allow empty archive base name
2022-01-16 18:11:37 +00:00
Sandro
55c5f68771
Merge pull request #152246 from pasqui23/beesd 2022-01-16 18:08:54 +01:00
midchildan
bd8132ac62
noto-fonts-cjk: add missing serif font
Fixes #99940
2022-01-17 02:04:02 +09:00
Winter
2104608642 nixos/borgbackup: allow empty archive base name 2022-01-16 10:41:04 -05:00
Kim Lindberger
cdd600c430
Merge pull request #154193 from abbradar/keycloak-changes
keycloak: 15.1.0 -> 16.1.0 + module improvements
2022-01-16 11:27:29 +01:00
Nikolay Amiantov
97a0cf62f0 keycloak service: allow to set empty frontend URL
This together with extraConfig:

{
  "subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true;
  "subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true;
}

Allows to run Keycloak behind a reverse proxy that provides
X-Forwarded-* headers.
2022-01-16 11:41:50 +03:00
Nikolay Amiantov
84f70eefd1 keycloak service: add themes support
Custom themes can be packaged and then added using `themes` config
attribute.
2022-01-16 11:41:50 +03:00
Nikolay Amiantov
a42abe27c0 keycloak service: use 'attrsOf anything' for extraConfig 2022-01-16 11:25:44 +03:00
Nikolay Amiantov
827267a27f keycloak service: update HTTPS configuration
Keycloak 16.1.0 uses different way to configure HTTPS.
This requires us to order commands correctly, otherwise linked
objects will fail.
2022-01-16 11:25:44 +03:00
Nikolay Amiantov
3c7e78cc6a keycloak service: ordering for CLI script
Allow update commands in the script to be ordered using `mkOrder`.
If we encounter ordered sub-objects we sort them by priority.

To implement this we now explicitly pass current node in `recurse`,
which also allows us to clean up edge case for top-level node.

Also refactor `recurse` to avoid passing result text argument; we
weren't tail recursive before anyway.
2022-01-16 11:25:44 +03:00
Jörg Thalheim
d4846c4526
Merge pull request #155075 from Mic92/ddclient
nixos/ddclient: don't chown secrets until dynamicuser issue is resolved
2022-01-16 06:23:28 +00:00
Martin Weinelt
369db3b2f3
mailpile, nixos/mailpile: drop
Still actively developed and yet stuck on python2. Also marked as
vulnerable and their issue tracker contains yet another security issue
reported in 2021/10 that the upstream hasn't acknowledged yet.

Mind blown.

Closes: #135543, #97274, #97275
2022-01-16 02:36:20 +01:00
Martin Weinelt
84926ba4c8
Merge pull request #155167 from piegamesde/rename-resort 2022-01-16 02:34:28 +01:00
Anderson Torres
ce6fd0d857
Merge pull request #154051 from starcraft66/polymc
polymc: init at 1.0.4

polymc substitutes multimc.
2022-01-15 22:18:26 -03:00
piegames
1f71224fe8 nixos/modules/rename: Sort alphabetically
This was a mess previously
2022-01-16 02:11:06 +01:00
Bernardo Meurer
4fa2647449
Merge pull request #154994 from mweinelt/kernel-disable-unpriv-ebpf
linux: enable BPF_UNPRIV_DEFAULT_OFF on 5.10 and later
2022-01-16 00:46:51 +00:00
Bernardo Meurer
7b0e7dcb39
Merge pull request #155142 from rapenne-s/thermald_no_net
thermald: disable network access
2022-01-16 00:36:11 +00:00
Jan Tojnar
5cd5fb71bc
Merge pull request #150980 from ncfavier/gdm-test
nixosTests.gnome: add autologin delay to catch GDM failures
2022-01-16 00:24:03 +01:00
Tristan Gosselin-Hane
155f315319 multimc: document replacement 2022-01-15 18:09:27 -05:00
Martin Weinelt
3ee206291a
linux: enable BPF_UNPRIV_DEFAULT_OFF between 5.10 and 5.15
Disable unprivileged access to BPF syscalls to prevent denial of service
and privilege escalation via

a) potential speculative execution side-channel-attacks on unmitigated
hardware[0]

or

b) unvalidated memory access in ringbuffer helper functions[1].

Fixes: CVE-2021-4204, CVE-2022-23222

[0] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
[1] https://www.openwall.com/lists/oss-security/2022/01/13/1
2022-01-15 23:44:19 +01:00