Commit Graph

6052 Commits

Author SHA1 Message Date
Franz Pletz
c4c23f36ca Merge pull request #22727 from mayflower/fix/netdev-master-bindsto
network-interfaces service: fix bindsTo deps for masters
2017-02-18 13:37:50 +01:00
Franz Pletz
741770c99a
network-interface service: tuntap ifs have netdev services 2017-02-18 13:36:37 +01:00
Brice Waegeneire
47c214cc2a fix comments about nixos-hardware-scan
It has been renamed to nixos-generate-config in 3ed4173
2017-02-18 13:29:47 +01:00
Vladimír Čunát
432dba859e
Merge branch 'staging'
A security update of libxml2 is within.
2017-02-18 08:59:29 +01:00
Léo Gaspard
e2c78910d1
dhparams module: initialize 2017-02-18 00:07:03 +01:00
Robin Gloster
bd0d8ed807
programs.mtr: init setcap-wrapper 2017-02-17 20:18:19 +01:00
Nikolay Amiantov
213356c927 activation-script service: add utillinux to path 2017-02-17 21:54:58 +03:00
aszlig
08881b8cbe
taskserver: Remove taskserver from systemPackages
This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.

The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.

If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:46:05 +01:00
aszlig
c7bbb93878
taskserver: Pass configuration via command line
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disadvantage that
once we change the real configuration file the store path is also a
different one.

So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.

Another problem is that we only added the include directive on the first
initialization, so whenever there is *any* configuration change, it won't
affect anything.

We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.

This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.

Instead we now have an attribute set that is mapped down to
configuration options.

Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.

So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
2017-02-17 19:45:58 +01:00
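The mapping the commit above describes (a nested attribute set flattened into `--<name>=<value>` directives, with the single `server.listen` to `server` exception) is easy to get wrong at the boundary between "server" the directive and "server." the prefix. The following is an added illustration in Python, not the NixOS taskserver module's own Nix code; the rendering of booleans as `true`/`false` and the rejection of dotted keys (so that `{"server.cert": …}` and `{"server": {"cert": …}}` cannot both produce the same directive) are design choices of this example, not something the commit specifies.

```python
from typing import Any, Dict, List

# Constructed example, not the nixos taskserver module's own code.
# taskd treats every "--<name>=<value>" argument as a configuration
# directive, so a nested attribute set can be flattened into flags.
# The one exception described in the commit: the option "server.listen"
# maps to taskd's plain "server" directive, because "server" is both a
# directive and the prefix of "server.cert", "server.key", and so on.
EXCEPTIONS = {"server.listen": "server"}


def _render(value: Any) -> str:
    # Assumed rendering of non-string values; taskd itself only ever
    # sees the resulting strings.
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def flatten(config: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Flatten nested dicts into dotted names.

    {"server": {"cert": "/p"}} -> {"server.cert": "/p"}
    Dotted keys are rejected so the mapping stays unambiguous.
    """
    out: Dict[str, str] = {}
    for key, value in config.items():
        if "." in key:
            raise ValueError(f"dots are not allowed in option names: {key!r}")
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = _render(value)
    return out


def taskd_args(config: Dict[str, Any]) -> List[str]:
    """Turn a nested config into a deterministic list of taskd flags."""
    flat = flatten(config)
    # Apply the exception, then sort by the final directive name so the
    # generated ExecStart line is stable across rebuilds.
    directives = {EXCEPTIONS.get(name, name): value for name, value in flat.items()}
    return [f"--{name}={directives[name]}" for name in sorted(directives)]


if __name__ == "__main__":
    # Constructed sample configuration.
    sample = {
        "server": {
            "listen": "localhost:53589",
            "cert": "/var/lib/taskserver/keys/server.cert",
        },
        "debug": {"tls": 2},
        "confirmation": True,
    }
    print(" ".join(taskd_args(sample)))
```

Because every option now travels on the command line, any change to the attribute set changes the unit file and therefore restarts the service on `nixos-rebuild switch`, which is exactly the property the include-directive approach lacked.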
aszlig
78fe00da7c
taskserver: Allow helper tool in manual config
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.

One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.

Another advantage is that we now have a uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:55 +01:00
aszlig
32c2e8f4ae
taskserver/helpertool: Fix error message on export
The error message displays that a specific user doesn't exist in an
organisation, but uses the User object's name attribute to show which
user it was.

This is basically a very stupid chicken and egg problem and easily fixed
by using the user name provided on the command line.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:52 +01:00
Michele Guerini Rocco
5231d0ac29 bluetooth module: add option to power up bluetooth controller (#22685) 2017-02-17 19:44:04 +01:00
Jörg Thalheim
fd78ff23f7
replace ping6 with ping
reason: after the upgrade of iputils from 20151218 to 20161105
functionality of ping6 and tracepath6 was merged into ping and tracepath.

Ping is now mostly a drop-in replacement for ping6, except that selecting a
specific interface is done by encoding it into the address (ex.: fe80::1%eth0)
rather than specifying it with the `-I` flag.
2017-02-17 16:04:49 +01:00
Robin Gloster
7ec5faa8a4
programs.wireshark: use setcap wrapper 2017-02-17 15:42:55 +01:00
Bjørn Forsman
8f3e6fdd8c
nixos: add programs.wireshark option
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module simplifies such a
configuration to simply:

  programs.wireshark.enable = true;

The setuid wrapper is available for users in the 'wireshark' group.

Changes v1 -> v2:
  - add "defaultText" to the programs.wireshark.package option (AFAIK,
    that prevents the manual from being needlessly rebuilt when the
    package changes)
2017-02-17 15:42:54 +01:00
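The two commits above move dumpcap from a setuid-root wrapper to a setcap wrapper restricted to one group. The following is an added example of what that difference looks like in a NixOS configuration; it is not the programs.wireshark module's own code. The page only names the `source` and `program` attributes of `security.wrappers` and the fact that permissions support was added, so the attribute names `setuid`, `capabilities`, `owner`, `group` and `permissions`, and the user `alice`, are assumptions of this example.

```nix
{ pkgs, ... }:
{
  # Assumed attribute names: setuid, capabilities, owner, group,
  # permissions (the page names only `source` and `program`).

  # Weak form: a setuid-root dumpcap runs as full root, so any bug in the
  # capture path is a local root escalation, and every local user can run it.
  #
  # security.wrappers.dumpcap = {
  #   source = "${pkgs.wireshark}/bin/dumpcap";
  #   setuid = true;
  # };

  # Least-privilege form: grant only the two capabilities packet capture
  # needs (raw sockets, interface configuration) and restrict execution to
  # the 'wireshark' group. "u+rx,g+x" with owner root and group wireshark
  # leaves no access for other users.
  security.wrappers.dumpcap = {
    source = "${pkgs.wireshark}/bin/dumpcap";
    capabilities = "cap_net_raw,cap_net_admin=eip";
    owner = "root";
    group = "wireshark";
    permissions = "u+rx,g+x";
  };

  users.groups.wireshark = { };
  users.users.alice.extraGroups = [ "wireshark" ];
}
```

After `nixos-rebuild switch`, `getcap` on the generated wrapper should list exactly `cap_net_admin,cap_net_raw=eip` and `ls -l` should show it owned by root:wireshark without world execute; a wrapper that still shows the setuid bit means the capability branch was not taken.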
Robin Gloster
070825d443
setcapWrapper: add support for setting permissions 2017-02-17 15:42:54 +01:00
Matthew Daiter
336d6cc513 stanchion: remove ssl option 2017-02-17 13:24:51 +01:00
Nikolay Amiantov
8ecd5c4019 Merge pull request #22864 from abbradar/dbus-etc
Redo DBus configuration
2017-02-17 11:47:51 +03:00
Robin Gloster
6e12406e30
Revert "nginx: Format the config file"
This reverts commit e362a3d5c9.

See #22883
2017-02-16 22:45:00 +01:00
Profpatsch
bb797c1390 networking.networkd: adjust automatic mapping of bonds
Since the bonds interface changed to a lot more possible values we create a
mapping of kernel bond attribute names and values to networkd attributes.
Those match for the most part, but have to be transformed slightly.

There is also an assert that unknown options won’t slip through silently.
2017-02-16 21:24:40 +01:00
Profpatsch
9debdaf512 networking.bonds: add support for arbitrary driverOptions
Until now the four attributes available very selectively provided a small
subset, while copying upstream documentation.

We make driver options an arbitrary key-value set and point to kernel
documentation, which is always up-to-date. This way every option can be set.
The four already existing options are deprecated with a warning.
2017-02-16 21:24:40 +01:00
Daniel Peebles
19a9099eb2 Merge pull request #22869 from copumpkin/amazon-init-fix
amazon-init NixOS module: fix (I think) race condition with network
2017-02-16 12:44:49 -05:00
Thomas Tuegel
7c260ad2cc Merge pull request #22813 from benley/pam-kwallet
nixos: add optional pam_kwallet5 integration
2017-02-16 10:20:47 -06:00
Dan Peebles
b172684c17 amazon-init NixOS module: fix (I think) race condition with network
The initialization code is now a systemd service that explicitly
waits for network-online, so the occasional failure I was seeing
because the `nixos-rebuild` couldn't get anything from the binary
cache should stop. I hope!
2017-02-16 16:03:58 +00:00
Nikolay Amiantov
0c81594a29 kbd service: use /dev/tty1 for systemd-vconsole-setup
Fixes #22470
2017-02-16 17:08:14 +03:00
Nikolay Amiantov
109ee2a338 kbd service: use systemd-vconsole-setup even with early setup
This way we have fonts reloaded on switches.
2017-02-16 17:08:13 +03:00
Nikolay Amiantov
ac0cdc1952 dbus service: use makeDBusConf 2017-02-16 15:41:23 +03:00
Benjamin Staffin
463e90273f pam: add optional pam_kwallet5 integration 2017-02-16 02:26:42 -05:00
Kier Davis
5e3a26e07b
Fix typo introduced by #22677 2017-02-15 23:44:11 +00:00
Bjørn Forsman
d4e5bb34b7 nixos/geoip-updater: run as user 'geoip' instead of 'nobody'
That way 'nobody' is prevented from messing with the databases.
2017-02-15 23:25:27 +01:00
Bjørn Forsman
ce0a52f9bf nixos/security.wrappers: improve documentation
* The source attribute is mandatory, not optional
* The program attribute is optional
* Move the info about the mandatory attribute first (most important,
  IMHO)
2017-02-15 20:05:27 +01:00
Profpatsch
91d0260feb modules/filesystems: disallow non-empty fstab fields (#22803)
It was possible to pass empty strings / strings with only separator characters;
this led to broken fstab formatting.
2017-02-15 13:22:48 +01:00
Franz Pletz
188526da3d
prometheus.blackboxExporter service: add CAP_NET_RAW
The blackbox-exporter for prometheus needs CAP_NET_RAW for sending icmp
probes.
2017-02-15 09:35:27 +01:00
Bjørn Forsman
f9cb2b5640 nixos/security.wrappers: use literalExample in documentation
It's much more readable when the example attrset is pretty printed
instead of written as one line.
2017-02-15 09:08:41 +01:00
Bjørn Forsman
a45821e7a8 nixos/cron: unbreak since new security.wrapper 2017-02-15 08:30:58 +01:00
Bjørn Forsman
aaac02f6c4 nixos/atd: unbreak after new security.wrappers
* convert list -> attrset
* 'atd' doesn't exist, 'at' does
2017-02-15 08:25:59 +01:00
Bjørn Forsman
b1bfe9d3db nixos: hint about security.setuidOwners/Programs -> security.wrappers
Let users know about the option rename / change during nixos-rebuild
with a useful message instead of an error (with no way forward).
2017-02-15 07:25:33 +01:00
Bjørn Forsman
34c1b74421 nixos/virtualbox: unbreak wrt. new security.wrappers
The new option takes an attrset, not a list.
2017-02-15 07:25:33 +01:00
Bjørn Forsman
448acd8e5e nixos: remove remaining reference to setuidPrograms
The option doesn't exist anymore.
2017-02-15 07:25:33 +01:00
Ian-Woo Kim
5ca0f72472 nixos-container: break lines in description of forwardPorts. 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
4f0b663c2e nixos-container: hostPort -> forwardPort and forwardPort is now a list of (protocol,hostPort,containerPort). 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
0bfc631de2 nixos-container: support multiple port forwarding. change type of hostPort from 'string' to 'listOf str' 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
8684285251 nixos-container: introduce hostPort in declarative container options. 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
a238c8a575 nixos-container: add --port option for nixos-container (forward network ports to systemd-nspawn container) 2017-02-15 05:12:46 +01:00
Parnell Springmeyer
1f83f1c878
security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00
Graham Christensen
7483ba0932
Revert "nix-daemon: default useSandbox to true"
This reverts commit d0a086770a.
2017-02-14 14:13:39 -05:00
Graham Christensen
3be1388963 Merge pull request #22767 from grahamc/sandbox-by-default
nix-daemon: default useSandbox to true
2017-02-14 13:57:44 -05:00
Eelco Dolstra
14c47bd546 Merge pull request #22758 from dezgeg/pr-nixos-rebuild
nixos-rebuild: Don't rebuild nixos-rebuild when --fast is used
2017-02-14 16:35:43 +01:00
Parnell Springmeyer
69794e333a
Using para tags for manual formatting 2017-02-14 08:53:30 -06:00
Parnell Springmeyer
794b3721bc
Syntax wibble 2017-02-14 08:42:08 -06:00
Parnell Springmeyer
e856d6efe8
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00
Parnell Springmeyer
c01689f8da
Fixing ref to old-wrappersDir 2017-02-14 08:33:07 -06:00
Parnell Springmeyer
f8b8c353ff
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00
Parnell Springmeyer
fb6d13c01a
Addressing feedback and fixing a bug 2017-02-14 07:38:45 -06:00
Parnell Springmeyer
467bb3f674
/run/wrapper is not a filesystem, no need to skip it 2017-02-14 07:32:24 -06:00
Parnell Springmeyer
ba499e3aa0
Removing unused module option old-wrapperDir 2017-02-14 07:30:21 -06:00
Parnell Springmeyer
a27f35993d
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00
Parnell Springmeyer
cca2e11556
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00
Parnell Springmeyer
9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen
d0a086770a
nix-daemon: default useSandbox to true 2017-02-13 18:06:01 -05:00
Rickard Nilsson
cda4a4dcfc nixos/grafana: Don't print password warning if no password has been set 2017-02-13 23:11:40 +01:00
Tuomas Tynkkynen
2000f0941e nixos-rebuild: Don't build nixos-rebuild with --fast 2017-02-13 21:52:32 +02:00
Tuomas Tynkkynen
23fee8bfbd nixos-rebuild: Support passing e.g. '-j8'
Where there is no space between '-j' and the number.
2017-02-13 21:52:30 +02:00
Graham Christensen
1d2548772e Merge pull request #22724 from grahamc/pam-oath-fixup
pam_oath: require OATH and pam_unix credentials to be valid
2017-02-13 09:36:35 -05:00
Robin Gloster
af9f44dd57
grub: fix capitalisation
Missed this occurrence while renaming the option
2017-02-13 14:55:36 +01:00
symphorien
0b87efacb1 grub: add grub.useOSProber option (#22558) 2017-02-13 14:53:15 +01:00
Eelco Dolstra
a4ec1841da
VM tests: veryloose -> cache=loose 2017-02-13 12:18:10 +01:00
Rob Vermaas
af3732b6c6
Azure: switch back to qemu 2.2.0 for generating image. Seems to work best.
(cherry picked from commit 2da8a5dac8)
2017-02-13 09:55:03 +00:00
Rob Vermaas
eff0752dbc
Use default qemu for azure image generation, and use option to enforce sizing of image to be compliant with Azure/HyperV.
(cherry picked from commit e16db5666a)
2017-02-13 08:54:41 +00:00
Dan Peebles
e63d15f173 ecs-agent NixOS module: enable docker 2017-02-13 04:06:31 +00:00
Dan Peebles
e928cb1c63 ssm-agent NixOS module: init 2017-02-13 04:01:38 +00:00
Franz Pletz
76a3c30471
network-interfaces service: fix bindsTo deps for masters
Previously, netdev units for network interfaces defined in the nixos
configurations would bindTo the systemd device unit of the interface if
not in a container.

In situations where you switch to a new nixos configration with changes
to network-setup.service (like nameservers) and have stacked interfaces
like vlans on a bond, it would fail to propagate restarts to the netdevs
correctly resulting with broken networking. The bond would be present
but no vlan interfaces rendering the machine unreachable.

My fear is that the udev events fail to propagate correctly while a systemd
transaction that is also restarting the triggered netdev service is running.
This commit changes this behaviour so netdev services bindTo other netdev
services if present and otherwise fall back to the previous behaviour.

We also noticed that stacked interfaces would sometimes seemingly be stopped
in the wrong order. For instance in the above example, the bond interface
would be deleted before the vlan interfaces resulting in the vlan interfaces
not being present when their service is being stopped. This would cause the
systemd transaction to fail and thus break networking. Their postStop hooks
are now allowed to fail as we have reached the desired state.
2017-02-13 01:57:25 +01:00
Graham Christensen
84d4e4277c Merge pull request #22723 from benley/fix-sessions-with-sddm
Fix sessions with sddm.
2017-02-12 19:01:15 -05:00
Franz Pletz
f5a82e4714
gitlab service: fix database creation
Providing a custom username and database name was broken. They were
hardcoded to "gitlab".
2017-02-13 00:57:22 +01:00
Graham Christensen
96d767de62
pam_oath: require OATH and pam_unix credentials to be valid 2017-02-12 18:27:11 -05:00
Karn Kallio
8a1fcaf5bd Fix sessions with sddm. 2017-02-12 18:19:20 -05:00
Vladimír Čunát
31eba21d1d
virtualbox: force xorg-server-1.18 for now
This is getting a little hacky, but hopefully it won't break anything.
2017-02-12 21:07:49 +01:00
Philipp Gesang
3dad33227f
xen: update domU config for pvgrub2
fix #22709

Recent pvgrub (from Grub built with “--with-platform=xen”) understands
the Grub2 configuration format. Grub legacy configuration (menu.lst) is
ignored.
2017-02-12 20:53:54 +01:00
georgewhewell
94b28a8072 fix systemd.services.kube-proxy to use correct extraOpts 2017-02-12 15:06:59 +00:00
Bjørn Forsman
824d82fa0f nixos/geoip-updater: new service
The GeoIP databases from MaxMind have no stable URLs and change every
month (or so). Our current method of packaging these database in Nix and
playing catch-up with ever-changing file hashes is a bad idea. For
instance, it makes it impossible to realize old NixOS configurations.

This patch adds a NixOS service that periodically updates the GeoIP
databases in /var/lib/geoip-databases. Moving NixOS modules over can be
done in later patches.

I tried adding MD5 check, but not all databases have them, so I skipped
it. We are downloading over HTTPS though, it should be good. I also
tried adding zip support, but the first zip file I extracted had a
different filename inside than the archive name, which breaks an
assumption in this service, so I skipped that too.

Changes v9 -> v10:
  - Pass "--max-time" to curl to set upper bound on downloads (ensures
    no indefinite hanging if there's problem with networking).
    Timeout for network connectivity check: 60s.
    Timeout for geoip database (each): 15m.

Changes v8 -> v9:
  - Mention the random timer delay in the documentation for the
    'interval' option.

Changes v7 -> v8:
  - Add "RemainAfterExit=true" for the setup service, so it won't be
    restarted needlessly. (Thanks @danbst!)

Changes v6 -> v7:
  - Add --skip-existing flag to geoip-updater, which skips updating
    existing database files. Pass that flag when we run the service on
    boot (and on any NixOS configuration change).
    (IMHO, this is somewhat a workaround for systemd persistent timers
    not being triggered immediately when a timer has never expired
    before. But it does have the nice side effect of ensuring that the
    installed databases always correspond to the configured ones, since
    the service is now always run after configuration changes.)

Changes v5 -> v6:
  - Update database files atomically (per DB)
  - If a database is removed from the configuration, it'll be removed
    from /var/lib/geoip-databases too (on next run).
  - Add NixOS module assertion so that if user inputs non- .gz or .xz
    file there will be a build time error instead of runtime.
  - Run updater as user "nobody" instead of "root".
  - Rename NixOS service from "geoip-databases" to "geoip-updater".
  - Drop RemainAfterExit, or else the timer won't trigger the unit.
  - Bring back "curl --fail", or else we won't catch and log curl
    failures.

Changes v4 -> v5:
  - Add "GeoLite2-City.mmdb.gz" to default database list.

Changes v3 -> v4:
  - Remove unneeded geoip-updater-setup.service after adding
    'wantedBy = [ "multi-user.target" ]' directly to
    geoip-updater.service
  - Drop unneeded "Service" name from service descriptions.

Changes v2 -> v3:
  - Network may be down when starting from a cold boot, so try a few
    times. Possibly, if using systemd-networkd, it'll pass on the first
    try. But with default DHCP on NixOS, the service is started before
    hostnames can be resolved and thus we need a few extra seconds.
  - Add error handling and mark service as failed if fatal error.
  - Add proper syslog log levels.
  - Add RandomizedDelaySec=3600 to the timer to not put high load on the
    MaxMind servers. Suggested by @Mic92.
  - Set RemainAfterExit on geoip-updater.service instead of
    geoip-updater-setup.service. (The latter is only a proxy that pulls
    in the former service).

Changes v1 -> v2:
From Данило Глинський (Danylo Hlynskyi) <abcz2.uprola@gmail.com>:
  nixos/geoip-databases: add `databases` option and fix initial setup

  There were two great issues when using this service:
  - When you just enable service, databases aren't downloaded, they are
    downloaded when timer triggers. Fixed this with automatic download on
    first system activation.
  - When there is no internet, updater outputs nothing to logs, which is
    IMO misbehavior. Fixed this with removing `--fail` option, better be
    explicit here.
2017-02-12 15:07:34 +01:00
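The changelog above settles on a few concrete rules for the updater: only `.gz` and `.xz` archives are accepted, each database is replaced atomically, `--skip-existing` leaves already-installed files alone, and databases dropped from the configuration are removed on the next run. The shell functions below are an added illustration of those rules, not the geoip-updater script itself. The network step is deliberately left out (the real service fetches with `curl --fail --max-time …`); the caller hands in an already-downloaded archive, and the sample archives in the usage section are constructed locally.

```sh
#!/bin/sh
# Added illustration of the update policy described in the commit
# message; not the geoip-updater module's own script. The download step
# is assumed to have happened already (curl --fail --max-time ...).

# install_db ARCHIVE DESTDIR [SKIP_EXISTING]
#   Decompress ARCHIVE (.gz or .xz only, mirroring the module assertion)
#   into DESTDIR atomically: write to a temp file next to the target and
#   rename over it, so readers never observe a half-written database and
#   a failed decompression leaves the previous file untouched.
#   Returns 0 on success or skip, 1 on decompression failure, 2 on an
#   unsupported archive type.
install_db() {
    archive=$1 destdir=$2 skip=${3:-0}
    name=$(basename "$archive")
    case $name in
        *.gz) out=${name%.gz} decomp="gzip -dc" ;;
        *.xz) out=${name%.xz} decomp="xz -dc" ;;
        *)
            echo "install_db: $name is neither .gz nor .xz" >&2
            return 2
            ;;
    esac
    dest=$destdir/$out
    if [ "$skip" = 1 ] && [ -f "$dest" ]; then
        return 0            # --skip-existing: keep what is installed
    fi
    tmp=$dest.tmp.$$
    if $decomp <"$archive" >"$tmp"; then
        mv -f "$tmp" "$dest"   # rename is atomic on the same filesystem
    else
        rm -f "$tmp"
        return 1
    fi
}

# prune_dbs DESTDIR NAME...
#   Remove files in DESTDIR that are not among the configured
#   (decompressed) database names, so dropping a database from the
#   configuration also removes it from disk on the next run.
prune_dbs() {
    destdir=$1
    shift
    for f in "$destdir"/*; do
        [ -f "$f" ] || continue
        keep=0
        for want in "$@"; do
            [ "$(basename "$f")" = "$want" ] && keep=1
        done
        [ "$keep" = 1 ] || rm -f "$f"
    done
}
```

Usage, with constructed archives: `printf 'city-v1\n' > GeoLite2-City.mmdb && gzip GeoLite2-City.mmdb`, then `install_db ./GeoLite2-City.mmdb.gz /var/lib/geoip-databases` installs it and `install_db … 1` on a later run leaves it alone; `prune_dbs /var/lib/geoip-databases GeoLite2-City.mmdb` removes anything else in the directory. Feeding a truncated or corrupt `.gz` leaves the existing database in place and returns 1, which is the case the atomic rename is there for.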
Tuomas Tynkkynen
9e04b57dde nixos top-level: Add 'dtbs' symlink when kernel uses device trees
Currently e.g. extlinux-conf-builder.sh uses
`readlink -m "$toplevel/kernel/../dtbs"` to figure out the directory.
That is obscenely ugly.
2017-02-12 15:47:49 +02:00
Graham Christensen
4f34e030a5 Merge pull request #22677 from grahamc/drop-kdm-kde4-modules
Drop kdm and kde4 modules
2017-02-12 08:36:33 -05:00
Ricardo M. Correia
123cbd40c2 raspberryPi boot loader: don't remove xx-initrd files
The Raspberry Pi boot loader was deleting all xx-initrd text files
(which simply contain the path to the actual initrd files) just after
having created them. The code was actually trying to delete real,
obsolete initrd files, which are named <hash>-initrd-initrd (after path
cleaning), but the glob was catching the other files as well.
2017-02-12 02:48:57 +02:00
Ricardo M. Correia
c19b17d14f raspberryPi boot loader: fix booting Raspberry Pi 3
The Raspberry Pi 3 seems to need the .DTB file when booting the kernel,
so we must copy it to /boot when installing a new kernel.
2017-02-12 02:48:57 +02:00
Graham Christensen
b1a05a0865
nixos: drop references to kde4
Excluding modules/programs/environment.nix for PATH and QT_PLUGIN_PATH to allow the programs to continue running.
2017-02-11 14:01:13 -05:00
Graham Christensen
3cec7d10df
kdm: drop service 2017-02-11 13:55:09 -05:00
Graham Christensen
c09004fba0 Merge pull request #22642 from grahamc/kde4-deprecate
kde4, kdm: mark services as deprecated
2017-02-11 10:17:15 -05:00
Tuomas Tynkkynen
607be4d88e sd-image-*: Copy all RPi firmware files
Turns out all variants of start.elf and fixup.dat are needed (depending
on what's in config.txt). I was under the mistaken impression that you
were supposed to rename one of the variants to switch using them, but
nope.
2017-02-11 12:23:16 +02:00
Franz Pletz
3fd44e2912
network-interfaces service: add metric option for defaultGateways 2017-02-11 04:53:56 +01:00
davidak
d4766e789b caddy: set file descriptor limit to 8192, fixes #22454
the value is recommended for production use
a warning is produced when not set
2017-02-11 01:44:29 +01:00
Graham Christensen
564e0c120b
kde4, kdm: mark services as deprecated 2017-02-10 17:35:52 -05:00
Profpatsch
ed8a0d8e5e modules/searx: add package option (#22636)
The user should be able to specify a patched version of searx.
2017-02-10 22:44:10 +01:00
Eelco Dolstra
1b1138d3e7 Merge pull request #22610 from grahamc/switch-to-kde5-by-default
nixos: update default cases from KDM/KDE4 to SDDM/KDE5
2017-02-10 22:06:21 +01:00
Nikolay Amiantov
442b4d65c3 Merge pull request #22304 from abbradar/nvidia
Refactor NVidia drivers
2017-02-10 23:53:34 +03:00
Dan Peebles
3809938208 ecs-agent module: remove debug print
Whoops :)
2017-02-10 15:16:17 -05:00
Tuomas Tynkkynen
a14ef4ad52 open-vm-tools: 10.0.7 -> 10.1.0
Also add an option to disable all the X11 stuff.
2017-02-10 20:12:00 +02:00
Dan Peebles
a0ebb1497f ecs-agent NixOS module: init
A very simple skeleton for now that doesn't attempt to model any of
the agent configuration, but we can grow it later. Tested and works
on an EC2 instance with ECS.
2017-02-10 05:37:38 +00:00
Graham Christensen
b12564cc1b
nixos: update default cases from KDM/KDE4 to SDDM/KDE5 2017-02-09 21:52:00 -05:00
afranchuk
a5e041ac08 libreswan service: make EnvironmentFile optional (#22591)
Recent versions of libreswan seem to omit this file, but it may be added/changed in the future. It is silly to have the service fail because a file is missing that only enriches the environment.
2017-02-10 00:53:44 +01:00
Joachim F
ca8fb930b1 Merge pull request #22356 from Ekleog/redsocks
Redsocks
2017-02-09 22:39:43 +01:00