Renaud
fa0a63ec13
fail2ban service : improve ssh jail (#21131)
...
Improvement to the ssh-iptables to block the port(s) actually defined
for sshd in config.services.openssh.ports
2016-12-14 14:58:02 +01:00
Nikolay Amiantov
17d0a570ab
Merge pull request #21137 from jerith666/cupsd-path
...
use symlink to ensure cupsd.conf PATH always points to a valid store path
2016-12-14 14:42:27 +03:00
Matt McHenry
05fb82732c
use symlink to ensure cupsd.conf PATH always points to a valid store path
...
even if cups rewrites its config file due to config changes made through
its web-based management UI, we need to keep the PATH pointing to
currently-live nix store directories. fixes #20806.
2016-12-13 21:35:56 -05:00
Joachim Fasting
d893c86b34
terraria service: fixup worldPath option type
...
Otherwise, using the defaults results in a type error.
2016-12-13 15:12:33 +01:00
Joachim Fasting
33088accc8
terraria service: fix tmux output
...
tmux.bin was removed in 5535d94394
Use `lib.getBin` to be more robust to future changes.
2016-12-13 15:12:31 +01:00
Joachim Fasting
64a64c6b14
grsecurity test: refactoring
2016-12-13 15:12:11 +01:00
Fernando J Pando
50466c2d4f
buildbot: 0.9.0rc4 -> 0.9.0.post1
...
- updates buildbot to version 9 release
- adds nixos configuration module
- fixes buildbot-www package deps
- re-hardcode path to tail
- buildbot configuration via module vars
fixes #19759
2016-12-13 10:52:56 +01:00
montag451
aa1364affd
containers: add tests for hosts and macvlans
2016-12-12 14:25:28 +01:00
montag451
ea5551b551
containers: fix broken /etc/hosts entries when localAddress contains a netmask
2016-12-12 09:20:28 +01:00
montag451
4889c271ca
Add macvlan support for declarative containers
2016-12-12 07:34:28 +01:00
Gregor Kleen
d5ec2a2c9d
postsrsd: additional configuration
...
fixes #19933
2016-12-11 21:43:45 +01:00
Domen Kožar
073cb330ca
doc: remove last mention of <nixos>
2016-12-11 19:51:35 +01:00
Joachim F
9af356258b
Merge pull request #20971 from kierdavis/boinc
...
boinc service: add to module list
2016-12-11 13:06:09 +01:00
Joachim Fasting
230994a30a
psd service: assert that at least one user must be configured
...
Using the default config, a user will experience a run-time failure.
This is poor UX, assert the requirement up-front.
2016-12-10 20:35:44 +01:00
Joachim Fasting
4697f83984
openfire service: more informative assertion failure message
...
Explain why the assertion fails; the user already knows that it *has*
failed.
2016-12-10 20:35:43 +01:00
Joachim Fasting
2a4902dd80
dante service: fix config option type
...
The type was simply str but the default is null, thus resulting in a
conversion error if the user fails to declare a value.
2016-12-10 20:35:41 +01:00
Joachim Fasting
fafb6657c1
syslogd service: assert conflict with rsyslogd
...
Enabling both these at the same time fails because they implement the
same interface.
2016-12-10 20:35:39 +01:00
Joachim Fasting
19b96176b4
couchdb service: fix test in preStart
...
Otherwise you'd get errors like "-f no such command".
2016-12-10 20:35:20 +01:00
Nikolay Amiantov
9cca8e3f87
uwsgi service: fix for new pythonPackages
2016-12-08 21:03:41 +03:00
Kier Davis
2606994cc6
boinc service: use <link> instead of <ulink>
2016-12-08 15:50:52 +00:00
Kier Davis
2994123161
boinc service: add to module list
...
The module itself was added in 811c39c6a4,
but it looks like I forgot to reference it to module-list.nix.
2016-12-08 15:46:51 +00:00
Joachim Fasting
f39d13cd3e
grsecurity doc: describe work-around for gitlab
...
Fixes https://github.com/NixOS/nixpkgs/issues/20959
2016-12-08 11:59:57 +01:00
Domen Kožar
b6363c7bc8
make-disk-image: make store validity fix optional
...
This is useful for EC2 AMI generation to speed up the process.
In my case it removes 13min out of 45min when generating an image
on EC2.
2016-12-07 13:30:20 +01:00
Domen Kožar
e5cca82d79
make-disk-image: run tune2fs after umount to skip fsck
...
tune2fs marks the filesystem as clean to prevent resize2fs from
complaining.
But we were invoking it before we mounted the filesystem, so the
counters would increase to 1 and it broke the functionality.
By moving the call after the mount, I have confirmed it works by:
$ nix-build nixos/tests/ec2.nix
cc @rbvermaa @edolstra
2016-12-07 13:30:20 +01:00
David Terry
f067bca841
nixos: docs: note that channels are per user
2016-12-07 09:06:25 +01:00
Joachim Fasting
984d9ebb56
hidepid: polkit and systemd-logind compatibility
...
`systemd.hideProcessInformation = true` would break interactions
requiring polkit arbitration such as initiating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.
systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.
Fixes https://github.com/NixOS/nixpkgs/issues/20948
2016-12-07 01:12:05 +01:00
Joachim F
e436874ef0
Merge pull request #20919 from joachifm/privoxy-service-improvements
...
Privoxy service improvements
2016-12-06 14:16:28 +01:00
Joachim Fasting
0e765c72e5
grsecurity: enable module hardening
2016-12-06 01:23:58 +01:00
Joachim Fasting
31d79afbe5
grsecurity docs: note that pax_sanitize_slab defaults to fast
2016-12-06 01:23:51 +01:00
Joachim Fasting
071fbcda24
grsecurity: enable optional sysfs restrictions
...
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
...
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Joachim Fasting
3dcdc2d2b0
privoxy service: remove static uid
...
The service owns no data, having a static uid serves no purpose.
This frees up uid/gid 32
2016-12-05 13:37:08 +01:00
Joachim Fasting
ad88f1040e
privoxy service: additional isolation
2016-12-05 13:21:31 +01:00
Vladimír Čunát
a1ae627362
nixos GDM: fix #19896
...
- As noted on github, GDM needs different parameters for X.
- Making xserverArgs a true list instead of concat-string helps to
filter it and it feels more correct anyway.
- Tested: gdm+gnome, lightdm+gnome. There seems to be no logout option
in gnome, and gdm doesn't offer other sessions, but maybe these are normal.
2016-12-04 14:54:31 +01:00
Jörg Thalheim
e00632e200
Merge pull request #20858 from Mic92/lxcfs
...
lxcfs: init at 2.0.4
2016-12-04 11:33:07 +01:00
Jörg Thalheim
7c7dc15cbf
lxcfs: add module
2016-12-04 11:26:17 +01:00
Franz Pletz
69bee1b361
Merge pull request #20770 from mguentner/more_ipfs
...
services: IPFS: add test and more config parameters
2016-12-04 01:46:09 +01:00
Franz Pletz
2401f06801
containers: disable dhcpcd on veth bridge interfaces
2016-12-04 01:41:10 +01:00
Graham Christensen
d5cb4d8734
ecryptfs test: use TTY output to stabilize test
2016-12-02 19:36:27 -05:00
Jörg Thalheim
aa854f192e
cgmanager: add module
2016-12-02 13:52:04 +01:00
lbonn
288e75c5f9
wireguard: remove dependency on ip-up.target
...
It was deprecated and removed from all modules in the tree by #18319.
The wireguard module PR (#17933) was still in the review at the time and
the deprecated usage managed to slip inside.
2016-12-01 00:11:16 +01:00
Graham Christensen
b28d21fd50
Merge pull request #20808 from grahamc/fancy-test-tty
...
login test: Create and use direct reads of the TTY contents.
2016-11-30 11:27:49 -05:00
Graham Christensen
cb74fd75d7
login test: Create and use direct reads of the TTY contents.
2016-11-30 00:17:18 -05:00
Tuomas Tynkkynen
8a4d6516ee
Merge remote-tracking branch 'upstream/staging' into master
2016-11-30 00:34:23 +02:00
Franz Pletz
3000ae8602
gitlab service: fix sidekiq queue config
2016-11-29 17:42:46 +01:00
Domen Kožar
75f131da02
acme: ensure nginx challenges directory is writeable
2016-11-29 15:56:01 +01:00
Domen Kožar
69e0740baa
Merge pull request #20795 from cleverca22/netboot
...
make the /nix/store writable under netboot images
2016-11-29 15:47:39 +01:00
michael bishop
e710edeecf
make the /nix/store writable under netboot images
2016-11-29 10:31:07 -04:00
Erik Rybakken
2f0cc0d3f0
unclutter-xfixes service: init
...
Closes #18398
2016-11-29 14:25:32 +01:00
Joachim F
8eefcb5c09
Merge pull request #19900 from michalpalka/xen-fix-xen-bridge2
...
xen service: fix wrong netmask handed out by xen-bridge.service
2016-11-28 16:31:05 +01:00