Commit Graph

13768 Commits

Author SHA1 Message Date
Aaron Andersen
ee030b121b nixos/httpd: set modern default values for mpm and http2 2020-04-21 20:33:18 -04:00
Aaron Andersen
20f37a4430 nixos/httpd: run as non root user 2020-04-21 20:33:18 -04:00
worldofpeace
af2009a800
Merge pull request #85710 from worldofpeace/gnome-iso-wayland-default
installation-cd-graphical-gnome: don't run xorg default
2020-04-21 18:19:44 -04:00
davidak
6a7e0562de
Update link in /etc/os-release (#85723) 2020-04-22 00:16:22 +02:00
adisbladis
2d91da909e
Merge pull request #85604 from adisbladis/podman-module
nixos/virtualisation.podman: Init module
2020-04-21 23:48:48 +02:00
Florian Klink
c1a6e60335
Merge pull request #85598 from danderson/tailscale-fix-cachedir
nixos/tailscale: set a CacheDir in the systemd unit.
2020-04-21 22:38:32 +02:00
Florian Klink
6ba4ef6580
Merge pull request #85708 from Beskhue/fix-documentation
nixos/phpfpm: fix erroneous pools example
2020-04-21 22:16:15 +02:00
worldofpeace
1f12a07179 installation-cd-graphical-gnome: don't run xorg default
If for some reason the Wayland session fails to start
it will just start the Xorg session.
2020-04-21 15:26:25 -04:00
Florian Klink
91e3358f62
Merge pull request #85692 from nh2/systemd-update-default-rate-limit
journald service: Increase default rate limit 1000 -> 10000.
2020-04-21 21:06:48 +02:00
Thomas Churchman
8880957042 nixos/phpfpm: fix erroneous pools example 2020-04-21 20:59:52 +02:00
Frederik Rietdijk
23be4a8b4d Merge master into staging-next 2020-04-21 19:59:56 +02:00
worldofpeace
9b20a24d4d
Merge pull request #85643 from petabyteboy/feature/generate-config
nixos/tools: adapt for renamed console options
2020-04-21 12:50:55 -04:00
Niklas Hambüchen
d16d34732c journald service: Increase default rate limit 1000 -> 10000.
Follows the upstream change of this default:

https://github.com/systemd/systemd/pull/8660
2020-04-21 18:29:03 +02:00
adisbladis
43f383c464
nixos.virtualisation.containers: Init common /etc/containers configuration module
What's happening now is that both cri-o and podman are creating
/etc/containers/policy.json.

By splitting out the creation of configuration files we can make the
podman module leaner & compose better with other container software.
2020-04-21 10:38:39 +01:00
adisbladis
650df709fb
nixos.virtualisation: Move containers.nix to nixos-containers.nix
In anticipation of the new containers module.
2020-04-21 10:36:56 +01:00
adisbladis
f0a92ef1d9
nixos/podman: Add maintainer team & add myself to podman team 2020-04-21 10:03:22 +01:00
adisbladis
b512a788a4
nixos/virtualisation.podman: Init module 2020-04-21 10:03:18 +01:00
Dominik Xaver Hörl
0412bde942 treewide: add bool type to enable options, or make use of mkEnableOption
Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.
2020-04-21 08:55:36 +02:00
Frederik Rietdijk
803b3d296c Merge staging-next into staging 2020-04-21 08:29:51 +02:00
Milan Pässler
d19089e1e7 nixos/tools: adapt for renamed console options 2020-04-21 02:07:53 +02:00
David Anderson
cee5ddbb28 nixos/tailscale: set a CacheDir in the systemd unit.
Fixes a bug where tailscaled drops some files into / when CacheDir
is unset.

Signed-off-by: David Anderson <dave@natulte.net>
2020-04-20 15:35:55 -07:00
Marek Mahut
60100a7c92
Merge pull request #83769 from dadada/nixos/dokuwiki-multi-server
nixos/dokuwiki: add support for multi-site, additional plugins and templates
2020-04-20 19:39:48 +02:00
Eelco Dolstra
f76d7b5e41
Merge pull request #85620 from matthewbauer/use-modulesPath-for-nixos-generate-config
nixos/nixos-generate-config.pl: use modulesPath instead of <nixpkgs>
2020-04-20 17:25:17 +02:00
Matthew Bauer
c45295d47e nixos/nixos-generate-config.pl: use modulesPath instead of <nixpkgs>
For imports, it is better to use ‘modulesPath’ than rely on <nixpkgs>
being correctly set. Some users may not have <nixpkgs> set correctly.
In addition, when ‘pure-eval=true’, <nixpkgs> is unset.
2020-04-20 09:57:17 -05:00
Léo Gaspard
203955fa0c
Merge pull request #82714 from delroth/s3tc
libtxc_dxtn{,_s2tc}: remove from nixpkgs + hardware.opengl options
2020-04-20 13:41:47 +02:00
Jörg Thalheim
2f0ee4bd0b
Merge pull request #85371 from Mic92/tmpfiles 2020-04-20 10:32:58 +01:00
Nikola Knezevic
3c551848be oauth2_proxy: Update NixOS module
Update to match the current flags and apply fixes to all breaking changes.
2020-04-20 10:11:46 +02:00
adisbladis
ab37d7e7ea
nixos-containers: Add support for custom nixpkgs argument 2020-04-20 07:33:46 +01:00
Pierre Bourdon
1b89bffcf4
libtxc_dxtn{,_s2tc}: remove from nixpkgs + hardware.opengl options
Context: discussion in https://github.com/NixOS/nixpkgs/pull/82630

Mesa has been supporting S3TC natively without requiring these libraries
since the S3TC patent expired in December 2017.
2020-04-20 03:19:41 +02:00
Emily
ef7e6eeaf4 nixos/acme: set maintainers to acme team 2020-04-20 01:39:31 +01:00
Florian Klink
a88d17bc69
Merge pull request #83301 from evils/tuptime
Tuptime: Init Package, Module and Test
2020-04-19 23:38:53 +02:00
worldofpeace
f882896cc8
Merge pull request #73934 from flokli/nixos-test-port-cockroachdb
nixosTests.cockroachdb: port to python
2020-04-19 16:30:45 -04:00
Yegor Timoshenko
6f1165a0cb
Merge pull request #84522 from emilazy/add-linux-hardened-patches
linux_*_hardened: use linux-hardened patch set
2020-04-19 20:01:35 +03:00
Michael Weiss
0e4417f118
Revert "nixos: Introduce nix.buildLocation option"
This reverts commit 5291925fd2.
Reason: This started to cause severe regressions, see:
- https://github.com/NixOS/nixpkgs/issues/85552
- https://github.com/NixOS/nixpkgs/pull/83166#pullrequestreview-395960588
Fixes #85552.
2020-04-19 15:16:08 +02:00
dadada
2d86cca35e
nixos/dokuwiki: change default of aclFile and usersFile
`aclFile` and `usersFile` will be set to a default value if `aclUse` is
specified and aclFile is not overriden by `acl`.
2020-04-18 23:37:19 +02:00
dadada
9460fb5788
nixos/dokuwiki: modify usersFile and aclFile
Use types.str instead of types.path to exclude private information from
the derivation.
Add a warinig about the contents of acl beeing included in the nix
store.
2020-04-18 23:37:19 +02:00
dadada
2b67a89f29
nixos/dokuwiki: dokuwiki user 2020-04-18 23:37:19 +02:00
dadada
2e699f1db1
nixos/dokuwiki: add option disableActions 2020-04-18 23:37:18 +02:00
dadada
a58dc30d34
nixos/dokuwiki: set default value for usersFile
If usersFile is not set, a file is created along the stateDir that can
hold the users and supports dynamically adding users using the web GUI.
2020-04-18 23:37:18 +02:00
dadada
0228046eec
nixos/dokuwiki: add assertion for usersFile 2020-04-18 23:37:18 +02:00
dadada
af6a7a0486
nixos/dokuwiki: add plugins and templates options
Adds support for additional plugins and templates similarly to how
wordpress.nix does it.

Plugins and templates need to be packaged as in the example.
2020-04-18 23:37:18 +02:00
dadada
71baf4801c
nixos/dokuwiki: refactor 2020-04-18 23:37:18 +02:00
dadada
dc7ed06615
nixos/dokuwiki: add <name?> option
Enables multi-site configurations.

This break compatibility with prior configurations that expect options
for a single dokuwiki instance in `services.dokuwiki`.
2020-04-18 23:37:18 +02:00
John Ericson
1ea80c2cc3 Merge remote-tracking branch 'upstream/master' into staging 2020-04-18 15:40:49 -04:00
Jörg Thalheim
35eb7793a3
Merge pull request #83166 from avnik/nix-build-location 2020-04-18 18:37:15 +01:00
Alexander V. Nikolaev
5291925fd2 nixos: Introduce nix.buildLocation option
Allow to specify where package build will happens.
It helps big packages (like browsers) not to overflow tmpfs.
2020-04-18 20:31:04 +03:00
worldofpeace
996ae856b6
Merge pull request #85365 from immae/fix_acme_postrun
nixos/acme: Fix postRun in acme certificate being ran at every run
2020-04-18 13:16:16 -04:00
Alyssa Ross
1b0d8015fe nixos/rss2email: globally install rss2email
For man pages.
2020-04-18 14:16:00 +00:00
Pavol Rusnak
fadcfc3ea4
treewide: per RFC45, remove more unquoted URLs 2020-04-18 14:04:37 +02:00
John Ericson
e3d50e5cb0 Merge branch 'master' of github.com:NixOS/nixpkgs into staging 2020-04-18 00:10:08 -04:00
Milan Pässler
16a4332d60 nixos/deluge: support 2.x 2020-04-18 02:00:04 +02:00
John Ericson
33c2a76c5e Merge remote-tracking branch 'upstream/master' into staging 2020-04-17 18:40:51 -04:00
Ismaël Bouya
8e88b8dce2
nixos/acme: Fix postRun in acme certificate being ran at every run 2020-04-17 22:16:50 +02:00
Emily
b0d5032ee4 nixos/hardened: add emily to maintainers 2020-04-17 16:13:39 +01:00
Emily
ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have lead to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
Emily
84f258bf09 nixos/hardened: don't set vm.unprivileged_userfaultfd
Upstreamed in anthraxx/linux-hardened@a712392b88.
2020-04-17 16:13:39 +01:00
Emily
cc28d51237 nixos/hardened: don't set vm.mmap_min_addr
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily
46d12cca56 nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits
Upstreamed in anthraxx/linux-hardened@ae6d85f437.
2020-04-17 16:13:39 +01:00
Emily
af4f57b2c4 nixos/hardened: don't set net.core.bpf_jit_harden
Upstreamed in anthraxx/linux-hardened@82e384401d.
2020-04-17 16:13:39 +01:00
Emily
71bbd876b7 nixos/hardened: don't set kernel.unprivileged_bpf_disabled
Upstreamed in anthraxx/linux-hardened@1a3e0c2830.
2020-04-17 16:13:39 +01:00
Emily
9da578a78f nixos/hardened: don't set kernel.dmesg_restrict
Upstreamed in anthraxx/linux-hardened@e3d3f13ffb.
2020-04-17 16:13:39 +01:00
Emily
cf1bce6a7a nixos/hardened: don't set vsyscall=none
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily
3b32cd2a5b nixos/hardened: don't set slab_nomerge
Upstreamed in anthraxx/linux-hardened@df29f9248c.
2020-04-17 16:13:39 +01:00
Euan Kemp
bc138f407f
nixos/k3s: add initial k3s service
* nixos/k3s: simplify config expression

* nixos/k3s: add config assertions and trim unneeded bits

* nixos/k3s: add a test that k3s works; minor module improvements

This is a single-node test. Eventually we should also have a multi-node
test to verify the agent bit works, but that one's more involved.

* nixos/k3s: add option description

* nixos/k3s: add defaults for token/serveraddr

Now that the assertion enforces their presence, we dont' need to use the typesystem for it.

* nixos/k3s: remove unneeded sudo in test

* nixos/k3s: add to test list
2020-04-17 16:39:54 +02:00
Jan Tojnar
4816b426a0
nixos/httpd: remove unnecessary override
This was introduced in c801cd1a04
but it no longer seems necessary.
2020-04-17 14:41:21 +02:00
Jan Tojnar
c214e63f2e
nixos/httpd: Use extensions from php package
After the recent rewrite, enabled extensions are passed to php programs
through an extra ini file by a wrapper. Since httpd uses shared module
instead of program, the wrapper did not affect it and no extensions
other than built-ins were loaded.

To fix this, we are passing the extension config another way – by adding it
to the service's generated config.

For now we are hardcoding the path to the ini file. It would be nice to add
the path to the passthru and use that once the PHP expression settles down.
2020-04-17 14:38:29 +02:00
adisbladis
5340ebe085
mopidy: Create a mopidyPackages set
This is to avoid mixing python versions in the same plugin closure.
2020-04-17 12:39:03 +01:00
Yegor Timoshenko
8262ecd369
Merge pull request #85004 from emilazy/add-initrd-secrets-path-assertion
nixos/stage-1: check secret paths before copying
2020-04-16 17:42:40 +03:00
worldofpeace
b61999e4ad
Merge pull request #85332 from arianvp/revert-acme
Revert "nixos/acme: Fix allowKeysForGroup not applying immediately"
2020-04-16 08:43:36 -04:00
Jörg Thalheim
4cc7c2e55a
tmpfiles: load user-defined entries first
systemd-tmpfiles will load all files in lexicographic order and ignores rules
for the same path in later files with a warning Since we apply the default rules
provided by systemd, we should load user-defines rules first so users have a
chance to override defaults.
2020-04-16 13:02:24 +01:00
Maximilian Bosch
74d6e86ec2
nixos/doc: fix database-setup example for matrix-synapse
Closes #85327
2020-04-16 11:38:15 +02:00
Arian van Putten
5c1c642939 Revert "nixos/acme: Fix allowKeysForGroup not applying immediately"
This reverts commit 5532065d06.

As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!

the sytemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!

The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in https://github.com/NixOS/nixpkgs/pull/76052
I wrongly assumed that PR fixed renewal too, which it didn't!

testing renewals is hard, as we need to sleep in tests.
2020-04-16 10:37:04 +02:00
Jan Tojnar
4b706490da
Merge branch 'staging-next' into staging 2020-04-16 10:10:38 +02:00
Maximilian Bosch
2d55f9c01a
Merge pull request #84266 from Ma27/nspawn-overrides
nixos/systemd-nspawn: disallow multiple packages with `.nspawn`-units
2020-04-16 00:24:33 +02:00
Maximilian Bosch
70ecf83c33
Merge pull request #82339 from Ma27/captive-browser-xdg
nixos/captive-browser: set chromium's data-dir to a XDG-compliant location
2020-04-16 00:06:12 +02:00
Maximilian Bosch
dca0b71876
Merge pull request #85162 from Ma27/build-vms-file-loc
nixos/build-vms: propagate file location
2020-04-15 17:42:12 +02:00
Michele Guerini Rocco
da232ea497
Merge pull request #78129 from flyfloh/airsonic-vhost
airsonic: fix virtualHost option
2020-04-15 09:18:28 +02:00
Matthew Bauer
57e20c5d87
Merge pull request #83362 from bachp/boinc
nixos/boinc: simplify setup of boinc service
2020-04-14 15:55:54 -04:00
Maximilian Bosch
57087ea280
Merge pull request #85165 from mayflower/alertmanager-clustering
prometheus/alertmanager: implement HA clustering support
2020-04-14 16:13:34 +02:00
worldofpeace
6304c9af48
Merge pull request #85222 from mayflower/libinput-manual-ref
nixos/libinput: refer to libinput manual
2020-04-14 09:42:55 -04:00
worldofpeace
e4c5e68fca
Merge pull request #84255 from prikhi/lightdm-mini-greeter-040
lightdm-mini-greeter: 0.3.4 -> 0.4.0
2020-04-14 08:38:23 -04:00
Linus Heckemann
9953a26be1 nixos/libinput: refer to libinput manual 2020-04-14 14:31:49 +02:00
Sander van der Burg
0ffb720e8c nixos/dysnomia: fix documentRoot property 2020-04-14 14:31:13 +02:00
Michele Guerini Rocco
86d71ddbed
Merge pull request #85170 from flokli/networking-virtual
nixos/networking: fix setting MAC Address and MTU in networkd, fix tests
2020-04-14 14:20:49 +02:00
Jörg Thalheim
fd438d5f09
Merge pull request #85185 from m1cr0man/legoaccounts
acme: share accounts between certificates
2020-04-14 13:12:57 +01:00
Jaka Hudoklin
de6891ffd0
Merge pull request #83930 from xtruder/nixos/virtualisation/hyperv-image
modules/virtualisation: add hyperv-image
2020-04-14 03:27:22 +00:00
John Ericson
c8a6ea5161 Merge remote-tracking branch 'upstream/master' into staging 2020-04-13 22:17:15 -04:00
Lucas Savva
827d5e6b44
acme: share accounts between certificates
There are strict rate limits on account creation for Let's Encrypt
certificates. It is important to reuse credentails when possible.
2020-04-14 00:15:16 +01:00
Matthew Bauer
e520d6af29
Merge pull request #84415 from matthewbauer/mb-cross-fixes-april2020
Cross compilation fixes [april 2020]
2020-04-13 16:48:38 -04:00
Florian Klink
532528190b nixos/networking: move network-link-${i.name} to scripted networking
The unit sets MTU and MAC Address even with networkd enabled, which
isn't necessary anymore, as networkd handles this by itself.
2020-04-13 22:03:35 +02:00
Florian Klink
ca391c8a4f nixos/networking: add assertion catching setting mac addresses on tun devices
Setting a MAC Address on a tun interface isn't supported, and invoking
the corresponding command fails.
2020-04-13 22:03:35 +02:00
Florian Klink
cddc7a28b8 nixos/networking: fix setting .macAddress and .mtu with networkd
This needs to be set in the .linkConfig of a .network
2020-04-13 22:03:35 +02:00
Robin Gloster
e484ca3d9b
alertmanager: implement HA clustering support 2020-04-13 18:39:51 +02:00
Jörg Thalheim
4c3f1d321a
Merge pull request #76723 from jokogr/u/traefik-2.1.1
Traefik: 1.7.14 -> 2.2.0
2020-04-13 17:16:54 +01:00
Maximilian Bosch
ec6bac99cc
nixos/build-vms: propagate file location
When trying to build a VM using `nixos-build-vms` with a configuration
that doesn't evaluate, an error "at `<unknown-file>`" is usually shown.

This happens since the `build-vms.nix` creates a VM-network of
NixOS-configurations that are attr-sets or functions and don't contain
any file information. This patch manually adds the `_file`-attribute to
tell the module-system which file contained broken configuration:

```
$ cat vm.nix
{ vm.invalid-option = 1; }

$ nixos-build-vms vm.nix
error: The option `invalid-option' defined in `/home/ma27/Projects/nixpkgs/vm.nix@node-vm' does not exist.
(use '--show-trace' to show detailed location information)
```
2020-04-13 17:50:13 +02:00
Mario Rodas
66e43c6588
Merge pull request #84599 from doronbehar/nodejs-python3
nodejs: use python3 if possible
2020-04-13 07:44:05 -05:00
Maximilian Bosch
1bf1ae3966
Merge pull request #85092 from mayflower/prometheus-local-config-gen
prometheus: use runCommandNoCCLocal for config gen
2020-04-13 11:03:16 +02:00
Ioannis Koutras
1f61fbf326 nixos/traefik: make config deep mergeable 2020-04-12 22:50:36 +02:00
Ioannis Koutras
bc766b003a nixos/traefik: Adapt to traefik v2
This commit:

1. Updates the path of the traefik package, so that the out output is
   used.
2. Adapts the configuration settings and options to Traefik v2.
3. Formats the NixOS traefik service using nixfmt.
2020-04-12 22:50:36 +02:00
Robin Gloster
0e040d16e8
prometheus: use runCommandNoCCLocal for config gen 2020-04-12 20:13:23 +02:00