Commit Graph

6364 Commits

Author SHA1 Message Date
Renaud
fa0a63ec13 fail2ban service : improve ssh jail (#21131)
Improvement to the ssh-iptables to block the port(s) actually defined
for sshd in config.services.openssh.ports
2016-12-14 14:58:02 +01:00
Nikolay Amiantov
17d0a570ab Merge pull request #21137 from jerith666/cupsd-path
use symlink to ensure cupsd.conf PATH always points to a valid store path
2016-12-14 14:42:27 +03:00
Matt McHenry
05fb82732c use symlink to ensure cupsd.conf PATH always points to a valid store path
even if cups rewrites its config file due to config changes made through
its web-based management UI, we need to keep the PATH pointing to
currently-live nix store directories.  fixes #20806.
2016-12-13 21:35:56 -05:00
Joachim Fasting
d893c86b34
terraria service: fixup worldPath option type
Otherwise, using the defaults results in a type error.
2016-12-13 15:12:33 +01:00
Joachim Fasting
33088accc8
terraria service: fix tmux output
tmux.bin was removed in 5535d94394

Use `lib.getBin` to be more robust to future changes.
2016-12-13 15:12:31 +01:00
Joachim Fasting
64a64c6b14
grsecurity test: refactoring 2016-12-13 15:12:11 +01:00
Fernando J Pando
50466c2d4f
buildbot: 0.9.0rc4 -> 0.9.0.post1
- updates buildbot to version 9 release
- adds nixos configuration module
- fixes buildbot-www package deps
- re-hardcode path to tail
- builbot configuration via module vars

fixes #19759
2016-12-13 10:52:56 +01:00
montag451
aa1364affd containers: add tests for hosts and macvlans 2016-12-12 14:25:28 +01:00
montag451
ea5551b551 containers: fix broken /etc/hosts entries when localAddress contains a netmask 2016-12-12 09:20:28 +01:00
montag451
4889c271ca Add macvlan support for declarative containers 2016-12-12 07:34:28 +01:00
Gregor Kleen
d5ec2a2c9d
postsrsd: additional configuration
fixes #19933
2016-12-11 21:43:45 +01:00
Domen Kožar
073cb330ca doc: remove last mention of <nixos> 2016-12-11 19:51:35 +01:00
Joachim F
9af356258b Merge pull request #20971 from kierdavis/boinc
boinc service: add to module list
2016-12-11 13:06:09 +01:00
Joachim Fasting
230994a30a
psd service: assert that at least one user must be configured
Using the default config, a user will experience a run-time failure.
This is poor UX, assert the requirement up-front.
2016-12-10 20:35:44 +01:00
Joachim Fasting
4697f83984
openfire service: more informative assertion failure message
Explain why the assertion fails; the user already knows that it *has*
failed.
2016-12-10 20:35:43 +01:00
Joachim Fasting
2a4902dd80
dante service: fix config option type
The type was simply str but the default is null, thus resulting in a
conversion error if the user fails to declare a value.
2016-12-10 20:35:41 +01:00
Joachim Fasting
fafb6657c1
syslogd service: assert conflict with rsyslogd
Enabling both these at the same time fails because they implement the
same interface.
2016-12-10 20:35:39 +01:00
Joachim Fasting
19b96176b4
couchdb service: fix test in preStart
Otherwise you'd get errors like "-f no such command".
2016-12-10 20:35:20 +01:00
Nikolay Amiantov
9cca8e3f87 uwsgi service: fix for new pythonPackages 2016-12-08 21:03:41 +03:00
Kier Davis
2606994cc6
boinc service: use <link> instead of <ulink> 2016-12-08 15:50:52 +00:00
Kier Davis
2994123161
boinc service: add to module list
The module itself was added in 811c39c6a4,
but it looks like I forgot to reference it to module-list.nix.
2016-12-08 15:46:51 +00:00
Joachim Fasting
f39d13cd3e
grsecurity doc: describe work-around for gitlab
Fixes https://github.com/NixOS/nixpkgs/issues/20959
2016-12-08 11:59:57 +01:00
Domen Kožar
b6363c7bc8 make-disk-image: make store validity fix optional
This is useful for EC2 AMI generation to speedup the process.

In my case it removes 13min out of 45min when generating an image
on EC2.
2016-12-07 13:30:20 +01:00
Domen Kožar
e5cca82d79 make-disk-image: run tune2fs after umount to skip fsck
tune2fs marks the filesystem as clean to prevent resize2fs from
complaining.

But we were invoking it before we mounted the filesystem, so the
counters would increase to 1 and it broke the functionality.

By moving the call after the mount, I have confirmed it works by:

   $ nix-build nixos/tests/ec2.nix

cc @rbvermaa @edolstra
2016-12-07 13:30:20 +01:00
David Terry
f067bca841 nixos: docs: note that channels are per user 2016-12-07 09:06:25 +01:00
Joachim Fasting
984d9ebb56
hidepid: polkit and systemd-logind compatibility
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
2016-12-07 01:12:05 +01:00
Joachim F
e436874ef0 Merge pull request #20919 from joachifm/privoxy-service-improvements
Privoxy service improvements
2016-12-06 14:16:28 +01:00
Joachim Fasting
0e765c72e5
grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting
31d79afbe5
grsecurity docs: note that pax_sanitize_slab defaults to fast 2016-12-06 01:23:51 +01:00
Joachim Fasting
071fbcda24
grsecurity: enable optional sysfs restrictions
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Joachim Fasting
3dcdc2d2b0
privoxy service: remove static uid
The service owns no data, having a static uid serves no purpose.

This frees up uid/gid 32
2016-12-05 13:37:08 +01:00
Joachim Fasting
ad88f1040e
privoxy service: additional isolation 2016-12-05 13:21:31 +01:00
Vladimír Čunát
a1ae627362
nixos GDM: fix #19896
- As noted on github, GDM needs different parameters for X.
- Making xserverArgs a true list instead of concat-string helps to
  filter it and it feels more correct anyway.
- Tested: gdm+gnome, lightdm+gnome.  There seems to be no logout option
  in gnome, and gdm doesn't offer other sessions, but maybe these are normal.
2016-12-04 14:54:31 +01:00
Jörg Thalheim
e00632e200 Merge pull request #20858 from Mic92/lxcfs
lxcfs: init at 2.0.4
2016-12-04 11:33:07 +01:00
Jörg Thalheim
7c7dc15cbf
lxcfs: add module 2016-12-04 11:26:17 +01:00
Franz Pletz
69bee1b361 Merge pull request #20770 from mguentner/more_ipfs
services: IPFS: add test and more config parameters
2016-12-04 01:46:09 +01:00
Franz Pletz
2401f06801
containers: disable dhcpcd on veth bridge interfaces 2016-12-04 01:41:10 +01:00
Graham Christensen
d5cb4d8734
ecryptfs test: use TTY output to stabilize test 2016-12-02 19:36:27 -05:00
Jörg Thalheim
aa854f192e
cgmanager: add module 2016-12-02 13:52:04 +01:00
lbonn
288e75c5f9 wireguard: remove dependency on ip-up.target
It was deprecated and removed from all modules in the tree by #18319.

The wireguard module PR (#17933) was still in the review at the time and
the deprecated usage managed to slip inside.
2016-12-01 00:11:16 +01:00
Graham Christensen
b28d21fd50 Merge pull request #20808 from grahamc/fancy-test-tty
login test: Create and use direct reads of the TTY contents.
2016-11-30 11:27:49 -05:00
Graham Christensen
cb74fd75d7
login test: Create and use direct reads of the TTY contents. 2016-11-30 00:17:18 -05:00
Tuomas Tynkkynen
8a4d6516ee Merge remote-tracking branch 'upstream/staging' into master 2016-11-30 00:34:23 +02:00
Franz Pletz
3000ae8602
gitlab service: fix sidekiq queue config 2016-11-29 17:42:46 +01:00
Domen Kožar
75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Domen Kožar
69e0740baa Merge pull request #20795 from cleverca22/netboot
make the /nix/store writable under netboot images
2016-11-29 15:47:39 +01:00
michael bishop
e710edeecf
make the /nix/store writable under netboot images 2016-11-29 10:31:07 -04:00
Erik Rybakken
2f0cc0d3f0 unclutter-xfixes service: init
Closes #18398
2016-11-29 14:25:32 +01:00
Joachim F
8eefcb5c09 Merge pull request #19900 from michalpalka/xen-fix-xen-bridge2
xen service: fix wrong netmask handed out by xen-bridge.service
2016-11-28 16:31:05 +01:00