Aaron Andersen
ee030b121b
nixos/httpd: set modern default values for mpm and http2
2020-04-21 20:33:18 -04:00
Aaron Andersen
20f37a4430
nixos/httpd: run as non root user
2020-04-21 20:33:18 -04:00
worldofpeace
af2009a800
Merge pull request #85710 from worldofpeace/gnome-iso-wayland-default
...
installation-cd-graphical-gnome: don't run xorg default
2020-04-21 18:19:44 -04:00
davidak
6a7e0562de
Update link in /etc/os-release (#85723)
2020-04-22 00:16:22 +02:00
adisbladis
2d91da909e
Merge pull request #85604 from adisbladis/podman-module
...
nixos/virtualisation.podman: Init module
2020-04-21 23:48:48 +02:00
Florian Klink
c1a6e60335
Merge pull request #85598 from danderson/tailscale-fix-cachedir
...
nixos/tailscale: set a CacheDir in the systemd unit.
2020-04-21 22:38:32 +02:00
Florian Klink
6ba4ef6580
Merge pull request #85708 from Beskhue/fix-documentation
...
nixos/phpfpm: fix erroneous pools example
2020-04-21 22:16:15 +02:00
worldofpeace
1f12a07179
installation-cd-graphical-gnome: don't run xorg default
...
If for some reason the Wayland session fails to start
it will just start the Xorg session.
2020-04-21 15:26:25 -04:00
Florian Klink
91e3358f62
Merge pull request #85692 from nh2/systemd-update-default-rate-limit
...
journald service: Increase default rate limit 1000 -> 10000.
2020-04-21 21:06:48 +02:00
Thomas Churchman
8880957042
nixos/phpfpm: fix erroneous pools example
2020-04-21 20:59:52 +02:00
Frederik Rietdijk
23be4a8b4d
Merge master into staging-next
2020-04-21 19:59:56 +02:00
worldofpeace
9b20a24d4d
Merge pull request #85643 from petabyteboy/feature/generate-config
...
nixos/tools: adapt for renamed console options
2020-04-21 12:50:55 -04:00
Niklas Hambüchen
d16d34732c
journald service: Increase default rate limit 1000 -> 10000.
...
Follows the upstream change of this default:
https://github.com/systemd/systemd/pull/8660
2020-04-21 18:29:03 +02:00
adisbladis
43f383c464
nixos.virtualisation.containers: Init common /etc/containers configuration module
...
What's happening now is that both cri-o and podman are creating
/etc/containers/policy.json.
By splitting out the creation of configuration files we can make the
podman module leaner & compose better with other container software.
2020-04-21 10:38:39 +01:00
adisbladis
650df709fb
nixos.virtualisation: Move containers.nix to nixos-containers.nix
...
In anticipation of the new containers module.
2020-04-21 10:36:56 +01:00
adisbladis
f0a92ef1d9
nixos/podman: Add maintainer team & add myself to podman team
2020-04-21 10:03:22 +01:00
adisbladis
b512a788a4
nixos/virtualisation.podman: Init module
2020-04-21 10:03:18 +01:00
Dominik Xaver Hörl
0412bde942
treewide: add bool type to enable options, or make use of mkEnableOption
...
Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.
2020-04-21 08:55:36 +02:00
Frederik Rietdijk
803b3d296c
Merge staging-next into staging
2020-04-21 08:29:51 +02:00
Milan Pässler
d19089e1e7
nixos/tools: adapt for renamed console options
2020-04-21 02:07:53 +02:00
David Anderson
cee5ddbb28
nixos/tailscale: set a CacheDir in the systemd unit.
...
Fixes a bug where tailscaled drops some files into / when CacheDir
is unset.
Signed-off-by: David Anderson <dave@natulte.net>
2020-04-20 15:35:55 -07:00
Marek Mahut
60100a7c92
Merge pull request #83769 from dadada/nixos/dokuwiki-multi-server
...
nixos/dokuwiki: add support for multi-site, additional plugins and templates
2020-04-20 19:39:48 +02:00
Eelco Dolstra
f76d7b5e41
Merge pull request #85620 from matthewbauer/use-modulesPath-for-nixos-generate-config
...
nixos/nixos-generate-config.pl: use modulesPath instead of <nixpkgs>
2020-04-20 17:25:17 +02:00
Matthew Bauer
c45295d47e
nixos/nixos-generate-config.pl: use modulesPath instead of <nixpkgs>
...
For imports, it is better to use ‘modulesPath’ than rely on <nixpkgs>
being correctly set. Some users may not have <nixpkgs> set correctly.
In addition, when ‘pure-eval=true’, <nixpkgs> is unset.
2020-04-20 09:57:17 -05:00
Léo Gaspard
203955fa0c
Merge pull request #82714 from delroth/s3tc
...
libtxc_dxtn{,_s2tc}: remove from nixpkgs + hardware.opengl options
2020-04-20 13:41:47 +02:00
Jörg Thalheim
2f0ee4bd0b
Merge pull request #85371 from Mic92/tmpfiles
2020-04-20 10:32:58 +01:00
Nikola Knezevic
3c551848be
oauth2_proxy: Update NixOS module
...
Update to match the current flags and apply fixes to all breaking changes.
2020-04-20 10:11:46 +02:00
adisbladis
ab37d7e7ea
nixos-containers: Add support for custom nixpkgs argument
2020-04-20 07:33:46 +01:00
Pierre Bourdon
1b89bffcf4
libtxc_dxtn{,_s2tc}: remove from nixpkgs + hardware.opengl options
...
Context: discussion in https://github.com/NixOS/nixpkgs/pull/82630
Mesa has been supporting S3TC natively without requiring these libraries
since the S3TC patent expired in December 2017.
2020-04-20 03:19:41 +02:00
Emily
ef7e6eeaf4
nixos/acme: set maintainers to acme team
2020-04-20 01:39:31 +01:00
Florian Klink
a88d17bc69
Merge pull request #83301 from evils/tuptime
...
Tuptime: Init Package, Module and Test
2020-04-19 23:38:53 +02:00
worldofpeace
f882896cc8
Merge pull request #73934 from flokli/nixos-test-port-cockroachdb
...
nixosTests.cockroachdb: port to python
2020-04-19 16:30:45 -04:00
Yegor Timoshenko
6f1165a0cb
Merge pull request #84522 from emilazy/add-linux-hardened-patches
...
linux_*_hardened: use linux-hardened patch set
2020-04-19 20:01:35 +03:00
Michael Weiss
0e4417f118
Revert "nixos: Introduce nix.buildLocation option"
...
This reverts commit 5291925fd2.
Reason: This started to cause severe regressions, see:
- https://github.com/NixOS/nixpkgs/issues/85552
- https://github.com/NixOS/nixpkgs/pull/83166#pullrequestreview-395960588
Fixes #85552.
2020-04-19 15:16:08 +02:00
dadada
2d86cca35e
nixos/dokuwiki: change default of aclFile and usersFile
...
`aclFile` and `usersFile` will be set to a default value if `aclUse` is
specified and aclFile is not overridden by `acl`.
2020-04-18 23:37:19 +02:00
dadada
9460fb5788
nixos/dokuwiki: modify usersFile and aclFile
...
Use types.str instead of types.path to exclude private information from
the derivation.
Add a warning about the contents of acl being included in the nix
store.
2020-04-18 23:37:19 +02:00
dadada
2b67a89f29
nixos/dokuwiki: dokuwiki user
2020-04-18 23:37:19 +02:00
dadada
2e699f1db1
nixos/dokuwiki: add option disableActions
2020-04-18 23:37:18 +02:00
dadada
a58dc30d34
nixos/dokuwiki: set default value for usersFile
...
If usersFile is not set, a file is created along the stateDir that can
hold the users and supports dynamically adding users using the web GUI.
2020-04-18 23:37:18 +02:00
dadada
0228046eec
nixos/dokuwiki: add assertion for usersFile
2020-04-18 23:37:18 +02:00
dadada
af6a7a0486
nixos/dokuwiki: add plugins and templates options
...
Adds support for additional plugins and templates similarly to how
wordpress.nix does it.
Plugins and templates need to be packaged as in the example.
2020-04-18 23:37:18 +02:00
dadada
71baf4801c
nixos/dokuwiki: refactor
2020-04-18 23:37:18 +02:00
dadada
dc7ed06615
nixos/dokuwiki: add <name?> option
...
Enables multi-site configurations.
This breaks compatibility with prior configurations that expect options
for a single dokuwiki instance in `services.dokuwiki`.
2020-04-18 23:37:18 +02:00
John Ericson
1ea80c2cc3
Merge remote-tracking branch 'upstream/master' into staging
2020-04-18 15:40:49 -04:00
Jörg Thalheim
35eb7793a3
Merge pull request #83166 from avnik/nix-build-location
2020-04-18 18:37:15 +01:00
Alexander V. Nikolaev
5291925fd2
nixos: Introduce nix.buildLocation option
...
Allow specifying where package builds will happen.
It helps big packages (like browsers) not to overflow tmpfs.
2020-04-18 20:31:04 +03:00
worldofpeace
996ae856b6
Merge pull request #85365 from immae/fix_acme_postrun
...
nixos/acme: Fix postRun in acme certificate being ran at every run
2020-04-18 13:16:16 -04:00
Alyssa Ross
1b0d8015fe
nixos/rss2email: globally install rss2email
...
For man pages.
2020-04-18 14:16:00 +00:00
Pavol Rusnak
fadcfc3ea4
treewide: per RFC45, remove more unquoted URLs
2020-04-18 14:04:37 +02:00
John Ericson
e3d50e5cb0
Merge branch 'master' of github.com:NixOS/nixpkgs into staging
2020-04-18 00:10:08 -04:00
Milan Pässler
16a4332d60
nixos/deluge: support 2.x
2020-04-18 02:00:04 +02:00
John Ericson
33c2a76c5e
Merge remote-tracking branch 'upstream/master' into staging
2020-04-17 18:40:51 -04:00
Ismaël Bouya
8e88b8dce2
nixos/acme: Fix postRun in acme certificate being ran at every run
2020-04-17 22:16:50 +02:00
Emily
b0d5032ee4
nixos/hardened: add emily to maintainers
2020-04-17 16:13:39 +01:00
Emily
ad9bfe2254
nixos/hardened: enable user namespaces for root
...
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.
This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have led to privilege
escalation vulnerabilities in the past.
We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.
Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:
boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
Emily
84f258bf09
nixos/hardened: don't set vm.unprivileged_userfaultfd
...
Upstreamed in anthraxx/linux-hardened@a712392b88.
2020-04-17 16:13:39 +01:00
Emily
cc28d51237
nixos/hardened: don't set vm.mmap_min_addr
...
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily
46d12cca56
nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits
...
Upstreamed in anthraxx/linux-hardened@ae6d85f437.
2020-04-17 16:13:39 +01:00
Emily
af4f57b2c4
nixos/hardened: don't set net.core.bpf_jit_harden
...
Upstreamed in anthraxx/linux-hardened@82e384401d.
2020-04-17 16:13:39 +01:00
Emily
71bbd876b7
nixos/hardened: don't set kernel.unprivileged_bpf_disabled
...
Upstreamed in anthraxx/linux-hardened@1a3e0c2830.
2020-04-17 16:13:39 +01:00
Emily
9da578a78f
nixos/hardened: don't set kernel.dmesg_restrict
...
Upstreamed in anthraxx/linux-hardened@e3d3f13ffb.
2020-04-17 16:13:39 +01:00
Emily
cf1bce6a7a
nixos/hardened: don't set vsyscall=none
...
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily
3b32cd2a5b
nixos/hardened: don't set slab_nomerge
...
Upstreamed in anthraxx/linux-hardened@df29f9248c.
2020-04-17 16:13:39 +01:00
Euan Kemp
bc138f407f
nixos/k3s: add initial k3s service
...
* nixos/k3s: simplify config expression
* nixos/k3s: add config assertions and trim unneeded bits
* nixos/k3s: add a test that k3s works; minor module improvements
This is a single-node test. Eventually we should also have a multi-node
test to verify the agent bit works, but that one's more involved.
* nixos/k3s: add option description
* nixos/k3s: add defaults for token/serveraddr
Now that the assertion enforces their presence, we don't need to use the typesystem for it.
* nixos/k3s: remove unneeded sudo in test
* nixos/k3s: add to test list
2020-04-17 16:39:54 +02:00
Jan Tojnar
4816b426a0
nixos/httpd: remove unnecessary override
...
This was introduced in c801cd1a04 but it no longer seems necessary.
2020-04-17 14:41:21 +02:00
Jan Tojnar
c214e63f2e
nixos/httpd: Use extensions from php package
...
After the recent rewrite, enabled extensions are passed to php programs
through an extra ini file by a wrapper. Since httpd uses shared module
instead of program, the wrapper did not affect it and no extensions
other than built-ins were loaded.
To fix this, we are passing the extension config another way – by adding it
to the service's generated config.
For now we are hardcoding the path to the ini file. It would be nice to add
the path to the passthru and use that once the PHP expression settles down.
2020-04-17 14:38:29 +02:00
adisbladis
5340ebe085
mopidy: Create a mopidyPackages set
...
This is to avoid mixing python versions in the same plugin closure.
2020-04-17 12:39:03 +01:00
Yegor Timoshenko
8262ecd369
Merge pull request #85004 from emilazy/add-initrd-secrets-path-assertion
...
nixos/stage-1: check secret paths before copying
2020-04-16 17:42:40 +03:00
worldofpeace
b61999e4ad
Merge pull request #85332 from arianvp/revert-acme
...
Revert "nixos/acme: Fix allowKeysForGroup not applying immediately"
2020-04-16 08:43:36 -04:00
Jörg Thalheim
4cc7c2e55a
tmpfiles: load user-defined entries first
...
systemd-tmpfiles will load all files in lexicographic order and ignores rules
for the same path in later files with a warning. Since we apply the default rules
provided by systemd, we should load user-defined rules first so users have a
chance to override defaults.
2020-04-16 13:02:24 +01:00
Maximilian Bosch
74d6e86ec2
nixos/doc: fix database-setup example for matrix-synapse
...
Closes #85327
2020-04-16 11:38:15 +02:00
Arian van Putten
5c1c642939
Revert "nixos/acme: Fix allowKeysForGroup not applying immediately"
...
This reverts commit 5532065d06.
As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!
the systemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!
The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in https://github.com/NixOS/nixpkgs/pull/76052
I wrongly assumed that PR fixed renewal too, which it didn't!
testing renewals is hard, as we need to sleep in tests.
2020-04-16 10:37:04 +02:00
Jan Tojnar
4b706490da
Merge branch 'staging-next' into staging
2020-04-16 10:10:38 +02:00
Maximilian Bosch
2d55f9c01a
Merge pull request #84266 from Ma27/nspawn-overrides
...
nixos/systemd-nspawn: disallow multiple packages with `.nspawn`-units
2020-04-16 00:24:33 +02:00
Maximilian Bosch
70ecf83c33
Merge pull request #82339 from Ma27/captive-browser-xdg
...
nixos/captive-browser: set chromium's data-dir to a XDG-compliant location
2020-04-16 00:06:12 +02:00
Maximilian Bosch
dca0b71876
Merge pull request #85162 from Ma27/build-vms-file-loc
...
nixos/build-vms: propagate file location
2020-04-15 17:42:12 +02:00
Michele Guerini Rocco
da232ea497
Merge pull request #78129 from flyfloh/airsonic-vhost
...
airsonic: fix virtualHost option
2020-04-15 09:18:28 +02:00
Matthew Bauer
57e20c5d87
Merge pull request #83362 from bachp/boinc
...
nixos/boinc: simplify setup of boinc service
2020-04-14 15:55:54 -04:00
Maximilian Bosch
57087ea280
Merge pull request #85165 from mayflower/alertmanager-clustering
...
prometheus/alertmanager: implement HA clustering support
2020-04-14 16:13:34 +02:00
worldofpeace
6304c9af48
Merge pull request #85222 from mayflower/libinput-manual-ref
...
nixos/libinput: refer to libinput manual
2020-04-14 09:42:55 -04:00
worldofpeace
e4c5e68fca
Merge pull request #84255 from prikhi/lightdm-mini-greeter-040
...
lightdm-mini-greeter: 0.3.4 -> 0.4.0
2020-04-14 08:38:23 -04:00
Linus Heckemann
9953a26be1
nixos/libinput: refer to libinput manual
2020-04-14 14:31:49 +02:00
Sander van der Burg
0ffb720e8c
nixos/dysnomia: fix documentRoot property
2020-04-14 14:31:13 +02:00
Michele Guerini Rocco
86d71ddbed
Merge pull request #85170 from flokli/networking-virtual
...
nixos/networking: fix setting MAC Address and MTU in networkd, fix tests
2020-04-14 14:20:49 +02:00
Jörg Thalheim
fd438d5f09
Merge pull request #85185 from m1cr0man/legoaccounts
...
acme: share accounts between certificates
2020-04-14 13:12:57 +01:00
Jaka Hudoklin
de6891ffd0
Merge pull request #83930 from xtruder/nixos/virtualisation/hyperv-image
...
modules/virtualisation: add hyperv-image
2020-04-14 03:27:22 +00:00
John Ericson
c8a6ea5161
Merge remote-tracking branch 'upstream/master' into staging
2020-04-13 22:17:15 -04:00
Lucas Savva
827d5e6b44
acme: share accounts between certificates
...
There are strict rate limits on account creation for Let's Encrypt
certificates. It is important to reuse credentials when possible.
2020-04-14 00:15:16 +01:00
Matthew Bauer
e520d6af29
Merge pull request #84415 from matthewbauer/mb-cross-fixes-april2020
...
Cross compilation fixes [april 2020]
2020-04-13 16:48:38 -04:00
Florian Klink
532528190b
nixos/networking: move network-link-${i.name} to scripted networking
...
The unit sets MTU and MAC Address even with networkd enabled, which
isn't necessary anymore, as networkd handles this by itself.
2020-04-13 22:03:35 +02:00
Florian Klink
ca391c8a4f
nixos/networking: add assertion catching setting mac addresses on tun devices
...
Setting a MAC Address on a tun interface isn't supported, and invoking
the corresponding command fails.
2020-04-13 22:03:35 +02:00
Florian Klink
cddc7a28b8
nixos/networking: fix setting .macAddress and .mtu with networkd
...
This needs to be set in the .linkConfig of a .network
2020-04-13 22:03:35 +02:00
Robin Gloster
e484ca3d9b
alertmanager: implement HA clustering support
2020-04-13 18:39:51 +02:00
Jörg Thalheim
4c3f1d321a
Merge pull request #76723 from jokogr/u/traefik-2.1.1
...
Traefik: 1.7.14 -> 2.2.0
2020-04-13 17:16:54 +01:00
Maximilian Bosch
ec6bac99cc
nixos/build-vms: propagate file location
...
When trying to build a VM using `nixos-build-vms` with a configuration
that doesn't evaluate, an error "at `<unknown-file>`" is usually shown.
This happens since the `build-vms.nix` creates a VM-network of
NixOS-configurations that are attr-sets or functions and don't contain
any file information. This patch manually adds the `_file`-attribute to
tell the module-system which file contained broken configuration:
```
$ cat vm.nix
{ vm.invalid-option = 1; }
$ nixos-build-vms vm.nix
error: The option `invalid-option' defined in `/home/ma27/Projects/nixpkgs/vm.nix@node-vm' does not exist.
(use '--show-trace' to show detailed location information)
```
2020-04-13 17:50:13 +02:00
Mario Rodas
66e43c6588
Merge pull request #84599 from doronbehar/nodejs-python3
...
nodejs: use python3 if possible
2020-04-13 07:44:05 -05:00
Maximilian Bosch
1bf1ae3966
Merge pull request #85092 from mayflower/prometheus-local-config-gen
...
prometheus: use runCommandNoCCLocal for config gen
2020-04-13 11:03:16 +02:00
Ioannis Koutras
1f61fbf326
nixos/traefik: make config deep mergeable
2020-04-12 22:50:36 +02:00
Ioannis Koutras
bc766b003a
nixos/traefik: Adapt to traefik v2
...
This commit:
1. Updates the path of the traefik package, so that the out output is
used.
2. Adapts the configuration settings and options to Traefik v2.
3. Formats the NixOS traefik service using nixfmt.
2020-04-12 22:50:36 +02:00
Robin Gloster
0e040d16e8
prometheus: use runCommandNoCCLocal for config gen
2020-04-12 20:13:23 +02:00