Commit Graph

9845 Commits

Author SHA1 Message Date
Renaud
53218d4a39
nixos/systemd-nspawn: accept all Exec and Files options
See: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html
Closes #49712
2018-12-08 14:41:37 +01:00
Graham Christensen
ca3f089a83
Merge pull request #51314 from Izorkin/mariadb-my.cnf
mariadb: change location configuration file to /etc/my.cnf
2018-12-07 15:37:53 -05:00
Renaud
0eb2f4b5f5
Merge pull request #50809 from sorki/wireguard_containers_wont_modprobe
wireguard: don't modprobe if boot.isContainer is set
2018-12-07 11:06:28 +01:00
Pierre Bourdon
3873f43fc3 prometheus/exporters: fix regression in DynamicUser behavior
Instead of setting User/Group only when DynamicUser is disabled, the
previous version of the code set it only when it was enabled. This
caused services with DynamicUser enabled to actually run as nobody, and
services without DynamicUser enabled to run as root.

Regression from fbb7e0c82f.
2018-12-05 11:26:38 +01:00
Pierre Bourdon
199b4c4743 prometheus/exporters/tor: make CPython happy by defining $HOME 2018-12-05 11:26:38 +01:00
Austin Seipp
2a22554092 nixos/cockroachdb: simplify dataDir management, tweaks
This cleans up the CockroachDB expression, with a few suggestions from
@aszlig.

However, it brought up the note of using systemd's StateDirectory=
directive, which is a nice feature for managing long-term data files,
especially for UID/GID assigned services. However, it can only manage
directories under /var/lib (for global services), so it has to introduce
a special path to make use of it at all in the case someone wants a path
at a different root.

While the dataDir directive at the NixOS level is _occasionally_ useful,
I've gone ahead and removed it for now, as this expression is so new,
and it makes the expression cleaner, while other kinks can be worked out
and people can test drive it.

CockroachDB's dataDir directive, instead, has been replaced with
systemd's StateDirectory management to place the data under
/var/lib/cockroachdb for all uses.

There's an included RequiresMountsFor= clause like usual though, so if
people want dependencies for any kind of mounted device at boot
time/before database startup, it's easy to specify using their own
mount/filesystems clause.

This can also be reverted if necessary, but, we can see if anyone ever
actually wants that later on before doing it -- it's a backwards
compatible change, anyway.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-04 19:44:16 -06:00
Florian Klink
0834e98ece
Merge pull request #51393 from arianvp/container-names
nixos/containers: Add assertion for container name length
2018-12-05 01:25:16 +01:00
Renaud
68b17ada12
Merge pull request #51475 from redvers/update/mediawiki
mediawiki: 1.29.1 -> 1.31.1
2018-12-04 08:06:57 +01:00
Jörg Thalheim
958d8e625e
Merge pull request #49392 from uvNikita/nixos/containers/veths
nixos/containers: don't create veths if not configured
2018-12-03 23:44:50 +00:00
Red Davies
4173b845ca mediawiki: 1.29.1 -> 1.31.1
1.29.1 is out of support and has security vulnerabilities. 1.31.1 is current LTS.
2018-12-03 21:04:08 +00:00
Bjørn Forsman
bb94d419fb nixos/jenkins-job-builder: add accessTokenFile option
The new option allows storing the secret access token outside the world
readable Nix store.
2018-12-03 17:07:29 +01:00
Bjørn Forsman
8ebfd5c45c nixos/jenkins-job-builder: stop reloadScript on error
Currently there are two calls to curl in the reloadScript, neither which
check for errors. If something is misconfigured (like wrong authToken),
the only trace that something wrong happened is this log message:

  Asking Jenkins to reload config
  <h1>Bad Message 400</h1><pre>reason: Illegal character VCHAR='<'</pre>

The service isn't marked as failed, so it's easy to miss.

Fix it by passing --fail to curl.

While at it:
* Add $curl_opts and $jenkins_url variables to keep the curl command
  lines DRY.
* Add --show-error to curl to show short error message explanation when
  things go wrong (like HTTP 401 error).
* Lower-case the $CRUMB variable as upper case is for exported environment
  variables.

The new behaviour, when having wrong accessToken:

  Asking Jenkins to reload config
  curl: (22) The requested URL returned error: 401

And the service is clearly marked as failed in `systemctl --failed`.
2018-12-03 17:07:29 +01:00
Piotr Bogdan
9ca3414e05 nixos/cockroachdb: supply defaultText for the package option 2018-12-02 20:50:57 -06:00
Austin Seipp
4594b18070 nixos/chrony: fix misplaced ConditionCapability= directive
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-02 20:32:47 -06:00
Michael Weiss
fa5b8f82c5
Merge pull request #51316 from primeos/sway
nixos/sway-beta: Improve the wrapper
2018-12-02 22:03:31 +01:00
Izorkin
953be3e283 mariadb: change location configuration file to /etc/my.cnf 2018-12-02 22:15:02 +03:00
Silvan Mosberger
4afae70e2b
Merge pull request #48423 from charles-dyfis-net/bees
bees: init at 0.6.1; nixos/modules: services.bees init
2018-12-02 18:38:47 +01:00
Jörg Thalheim
50071c4475
Revert "nixos/luksroot: Check whether the device already exists"
This reverts commit 9cd4ce98bf.

This might be broken for some people: https://github.com/NixOS/nixpkgs/pull/50281#issuecomment-443516289
2018-12-02 17:27:35 +00:00
markuskowa
506d4c7e44
Merge pull request #51329 from c0bw3b/cleanup/gnu-https
Favor HTTPS URLs - the GNU edition
2018-12-02 16:52:33 +01:00
c0bw3b
0498ccd076 Treewide: use HTTPS on GNU domains
HTTP -> HTTPS for :
- http://gnu.org/
- http://www.gnu.org/
- http://elpa.gnu.org/
- http://lists.gnu.org/
- http://gcc.gnu.org/
- http://ftp.gnu.org/ (except in fetchurl mirrors)
- http://bugs.gnu.org/
2018-12-02 15:51:59 +01:00
Arian van Putten
bf102825ef nixos/containers: Add assertion for container name length
When privateNetwork is enabled, currently the container's interface name
is derived from the container name. However, there's a hard limit
on the size of interface names. To avoid conflicts and other issues,
we set a limit on the container name when privateNetwork is enabled.

Fixes #38509
2018-12-02 15:26:39 +01:00
Bas van Dijk
7035598251
Merge pull request #51225 from LumiGuide/elk-6.5.1
elk: 6.3.2 -> 6.5.1
2018-12-02 14:44:47 +01:00
Jörg Thalheim
31f67bed5b
Merge pull request #51379 from Gerschtli/add/programs-nm-applet
nixos/nm-applet: add nm-applet program
2018-12-02 11:49:45 +00:00
Jörg Thalheim
b3662053b3
nixos/nm-applet: make the module smaller
more readable imho
2018-12-02 11:38:47 +00:00
Tobias Happ
95cbb71abe nixos/nm-applet: add nm-applet program 2018-12-02 12:18:47 +01:00
John Boehr
4226ddc034 nixos/cockroachdb: create new service
This also includes a full end-to-end CockroachDB clustering test to
ensure everything basically works. However, this test is not currently
enabled by default, though it can be run manually. See the included
comments in the test for more information.

Closes #51306. Closes #38665.

Co-authored-by: Austin Seipp <aseipp@pobox.com>
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-01 19:07:49 -06:00
Janne Heß
9cd4ce98bf nixos/luksroot: Check whether the device already exists
The new reuse behaviour is cool and really useful but it breaks one of
my use cases. When using kexec, I have a script which will unlock the
disks in my initrd. However, do_open_passphrase will fail if the disk is
already unlocked.
2018-12-01 23:42:51 +01:00
Renaud
947be9e992
Merge pull request #51199 from samueldr/fix/iso-image-fat32
iso-image: Verifies the FAT partition at build.
2018-12-01 16:14:55 +01:00
Michael Weiss
062602d81e nixos/sway-beta: Improve the wrapper
According to the dbus-launch documentation [0] "--exit-with-session"
shouldn't be used: "This option is not recommended, since it will
consume input from the terminal where it was started; it is mainly
provided for backwards compatibility." And it also states: "To start a
D-Bus session within a text-mode session, do not use dbus-launch.
Instead, see dbus-run-session(1)."

The new wrapper also avoids starting an additional D-Bus session if
DBUS_SESSION_BUS_ADDRESS is already set.

Fix #51303.

[0]: https://dbus.freedesktop.org/doc/dbus-launch.1.html
[1]: https://dbus.freedesktop.org/doc/dbus-run-session.1.html
2018-12-01 15:15:27 +01:00
Bas van Dijk
fbf0efc6a7 elk: 6.3.2 -> 6.5.1 2018-12-01 12:47:12 +01:00
Austin Seipp
ee14496ae2 nixos/dhcpcd: (try to) restart chrony in the exitHook
As the comment notes, restarts/exits of dhcpcd generally require
restarting the NTP service since, if name resolution fails for a pool of
servers, the service might break itself. To be on the safe side, try
restarting Chrony in these instances, too.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-30 18:50:33 -06:00
Austin Seipp
7b8d9700e1 nixos/chrony: don't emit initstepslew when servers is empty
Setting the server list to be empty is useful e.g. for hardware-only
or virtualized reference clocks that are passed through to the system
directly. In this case, initstepslew has no effect, so don't emit it.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-30 18:50:32 -06:00
Robert Schütz
74e283403c
nixos/borgbackup: allow paths to be empty or relative (#51275)
This former necessary in order to exclusively use `--pattern` or `--patterns-from`.
Fixes #51267.
2018-11-30 17:37:50 +01:00
Florian Klink
aa490a543e
Merge pull request #48049 from Vskilet/roundcube-module
nixos/roundcube: add roundcube module
2018-11-30 13:29:00 +01:00
Charles Duffy
86db2f394c
nixos/modules: services.bees init 2018-11-29 20:27:45 -06:00
Florian Klink
43762227f8
Merge pull request #49385 from krav/gitlab-shell-authorized-keys
gitlab-shell: 8.3.3->8.4.1, fix hardcoded paths
2018-11-29 21:18:08 +01:00
Maximilian Bosch
45c6794573
Merge pull request #36424 from jfrankenau/i18n-extra-locale
nixos/i18n: add option for extra locale settings
2018-11-29 16:22:34 +01:00
Graham Christensen
e488f62df7
Merge pull request #51090 from grahamc/revert-disable-zfs
Revert "zfs cannot be distributed. Disabling it in the isos."
2018-11-29 08:37:31 -05:00
Samuel Dionne-Riel
3864438049 iso-image: Do not use batch operations for mcopy.
```
       b      Batch mode. Optimized for huge recursive copies, but less secure if a crash happens during the copy.
```

It seems the "less secure if a crash happens" does not need a crash to
happen.

With batch mode:

```
/[...]/.
  Start (0) does not point to parent (___)
```

For pretty much everything copied in.

Without batch mode, everything passes `fsck`.

See #51150
2018-11-28 19:14:54 -05:00
Samuel Dionne-Riel
0a367c41ea iso-image: Verifies the FAT partition at build.
This is done to ensure `mtools`-based operations leave a clean FS.
2018-11-28 19:14:18 -05:00
Samuel Dionne-Riel
1b6a4d3979 sd-image: Do not use batch operation for mcopy.
```
       b      Batch mode. Optimized for huge recursive copies, but less secure if a crash happens during the copy.
```

It seems the "less secure if a crash happens" does not need a crash to
happen.

With batch mode:

```
/[...]/.
  Start (0) does not point to parent (___)
```

For pretty much everything copied in.

Without batch mode, everything passes `fsck`.

See #51150
2018-11-29 01:50:30 +02:00
Samuel Dionne-Riel
2e5eb135aa sd-image: Verifies the FAT partition before copying it.
This is to ensure `mtools`-based operations don't wreck the FS.
2018-11-29 01:50:30 +02:00
Florian Klink
3caeeabb14 gitlab: stop regenerating the authorized_keys file 2018-11-28 23:09:23 +01:00
Robin Gloster
1262a5ca97
roundcube: apply code review suggestions 2018-11-28 18:53:37 +01:00
Robin Gloster
9ace7f6409
roundcube: clean-up and add test 2018-11-28 18:52:10 +01:00
Victor SENE
2f8073bd92
roundcube: IPv6 by default 2018-11-28 18:52:10 +01:00
Victor SENE
195fa0dafc
nixos/roundcube: add to module-list 2018-11-28 18:52:09 +01:00
Victor SENE
b5120953c6
nixos/roundcube: add roundcube module and default configuration 2018-11-28 18:52:08 +01:00
Léo Gaspard
f161f02552
Merge branch 'pr-51043'
* pr-51043:
  nixos/urxvtd: remove socket activation
2018-11-29 00:50:01 +09:00
Brandon Black
dacbd5a61a nixos/ntp: use upstream default restrictions to avoid DDoS (#50762)
Fixes #50732
2018-11-28 10:15:25 +00:00