Updates gitlab to the current stable version and fixes a lot of features that
were broken, at least with the current version and our configuration.
Quite a lot of sweat and tears has gone into testing nearly all features and
reading/patching the Gitlab source as we're about to deploy gitlab for our
whole company.
Things to note:
* The gitlab config is now written as a nix attribute set and will be
converted to JSON. Gitlab uses YAML but JSON is a subset of YAML.
The `extraConfig` opition is also an attribute set that will be merged
with the default config. This way *all* Gitlab options are supported.
* Some paths like uploads and configs are hardcoded in rails (at least
after my study of the Gitlab source). This is why they are linked from
the Gitlab root to /run/gitlab and then linked to the configurable
`statePath`.
* Backup & restore should work out of the box from another Gitlab instance.
* gitlab-git-http-server has been replaced by gitlab-workhorse upstream.
Push & pull over HTTPS works perfectly. Communication to gitlab is done
over unix sockets. An HTTP server is required to proxy requests to
gitlab-workhorse over another unix socket at
`/run/gitlab/gitlab-workhorse.socket`.
* The user & group running gitlab are now configurable. These can even be
changed for live instances.
* The initial email address & password of the root user can be configured.
Fixes#8598.
NetworkManager needs an additional avahi-user to use link-local
IPv4 (and probably IPv6) addresses. avahi-autoipd also needs to be
patched to the right path.
Add a module to make options to pam_oath module configurable.
These are:
- enable - enable the OATH pam module
- window - number of OTPs to check
- digits - length of the OTP (adds support for two-factor auth)
- usersFile - filename to store OATH credentials in
We don't want to build all those things along with the manual, so that's
what the defaultText attribute is for.
Unfortunately a few of them were missing, so let's add them.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit adds the firmware for the Intel 2200BG wireless cards for
the ipw2200 kernel module. Also it changes the
networking.enableIntel2200BGFirmware option to set it as
hardware.firmware since firmware-linux-nonfree does not contain the
appropiate firmware anymore. Also hardware.enableAllFirmware does enable
the intel2200BGFirmware now.
This reverts commit b861bf8ddf, because according to @mdorman [1] this
change rendered his NixOS systems unbootable, and we probably don't want that.
[1] b861bf8ddf (commitcomment-16058598)
Allow usage of list of strings instead of a comma-separated string
for filesystem options. Deprecate the comma-separated string style
with a warning message; convert this to a hard error after 16.09.
15.09 was just released, so this provides a deprecation period during
the 16.03 release.
closes#10518
Signed-off-by: Robin Gloster <mail@glob.in>
The test only checked for existence of the rule file in the output path
of the rulefile generator.
However, we also need to check whether the basename of the file is also
the one we're currently searching for.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Partially reverts the following commits:
9f2a61c59c9c13fe6604
As @edolstra pointed out, it would make more sense to do this by default
instead of having that allowImpurePaths option. This of course might
break systems which add extra packages to udev, but on the upside it's
hard to miss one of these paths now because it won't get buried in the
ocean of build output lines.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So far we were merely printing a warning if there are still references
to (/usr)/s?bin, but we actually want to make sure that we fix those
paths, especially on updates of packages that come with udev rules.
This adds a new option allowImpurePaths, which when set to false will
cause the "udev-rules" derivation to fail.
I've set this to true by default, to not break existing systems too much
and the intention is to set it to false for a few NixOS VM tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We were trying to find FHS references in all of the rules found in
services.udev.packages. Unfortunately we're still fixing up paths in the
same derivation where we are checking those references, so for example
references to /sbin/modprobe were still printed to be needed to fixup
even though they were already fixed at the time.
So now we're printing a more helpful warning message which is also
conditional (before the warning message was printed regardless of
whether there are any rules that need fixup) and is based off the rules
that were already fixed up.
The new warning message not only contains the build-local rule files but
also the original files from other store paths and the FHS path
references that were still found.
With 8ecd3a5e1d reverted, we now get this:
/nix/store/...-udev-rules/63-md-raid-arrays.rules (originally from
/nix/store/...-mdadm-3.3.4/lib/udev/rules.d/63-md-raid-arrays.rules)
contains references to /usr/bin/readlink and /usr/bin/basename.
Which is now more accurate to what is not yet fixed and where it's
coming from.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
In 8ecd3a5, we fixed up the FHS paths for stage 1, but unfortunately we
have a similar udev rules generator twice one for the initrd and one
without. So we might need to refactor this in the future.
For now, let's just fix the references to readlink and basename in the
udev module as well until we have properly addressed this.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #12722
It's not entirely clear why this happens, but sometimes /proc/1/exe
returns a bogus value, like
/ar3a3j6b9livhy5fcfv69izslhgk4gcz-systemd-217/lib/systemd/systemd. In
any case, we can just conservatively assume that we need to restart
systemd when this happens.
Fixes#10261.
This reverts most of 89e983786a, as those references are sanitized now.
Fixes#10039, at least most of it.
The `sane` case wasn't fixed, as it calls a *function* in pkgs to get
the default value.
This is an improved version of original #12357.
For the purpose of generating docs, evaluate options with each derivation
in `pkgs` (recursively) replaced by a fake with path "\${pkgs.attribute.path}".
It isn't perfect, but it seems to cover a vast majority of use cases.
Caveat: even if the package is reached by a different means,
the path above will be shown and not e.g. `${config.services.foo.package}`.
As before, defaults created by `mkDefault` aren't displayed,
but documentation shouldn't (mostly) be a reason to use that anymore.
Note: t wouldn't be enough to just use `lib.mapAttrsRecursive`,
because derivations are also (special) attribute sets.
Fixes references coming from the mdadm udev rules.
This addresses #12722 (mdadm udev rules have references to /usr/bin) but
still won't fix the warning, though (if we want to fix the warnings, we
will have to patch the udev rules generater in services/hardware/udev).
For common mdraid functionality, this shouldn't fix anything, because
the wrong references seem to only apply to containers, see these
(wrapped) lines from ${mdadm}/lib/udev/rules.d/63-md-raid-arrays.rules:
# Tell systemd to run mdmon for our container, if we need it.
ENV{MD_LEVEL}=="raid[1-9]*",
ENV{MD_CONTAINER}=="?*",
PROGRAM="/usr/bin/readlink $env{MD_CONTAINER}",
ENV{MD_MON_THIS}="%c"
ENV{MD_MON_THIS}=="?*",
PROGRAM="/usr/bin/basename $env{MD_MON_THIS}",
ENV{SYSTEMD_WANTS}+="mdmon@%c.service"
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Partially reverts commit 901163c0c7.
This has broken remote SSH into initrd because ${cfg.shell} is not
expanded. Also, nsswitch is useless without libnss_files.so which
are installed by initrd-ssh.
This is a regression introduced by merging the EBS and S3 images. The
EBS images had a special marker /.ebs to prevent the initrd from using
ephemeral storage for the unionfs, but this marker was missing in the
consolidated image.
The fix is to check the file ami-manifest-path on the metadata server
to see if we're an S3-based instance. This does require networking in
the initrd.
Issue #12613.
The default behavior with an m3.medium instance is to relocate
/nix and /tmp to /disk0 because an assumption is made that any
ephemeral disk is larger than the root volume. Rather than make
that assumption, add a check to see if the disk is larger, and
only then relocate /nix and /tmp.
This addresses https://github.com/NixOS/nixpkgs/issues/12613
Regression introduced by 5184aaa1ea.
The fix was intended to remove the "x == true/false" assertions, but by
accident a "x == false" was made "x == true" instead of "(!x)".
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: devhell <"^"@regexmail.net>
Reportedly some ARM boards need some boot code at the start of a SD card
that could be larger than a megabyte. Change it to 8M, and while at it
reduce the /boot size such that the root partition should now start on a
128M boundary (the flash on SD cards really don't like non-aligned
writes these days).
Before the error if the wrong default desktop was chosen would be:
/nixpkgs-channels/lib/modules.nix:282:11:
Default desktop manager ($(defaultDM)) not found.
which has the string interpolation done incorreclty. Now that is fixed
and it is more user-friendly as:
/nixpkgs-channels/lib/modules.nix:282:11:
Default desktop manager (gnome) not found.
Probably you want to change
services.xserver.desktopManager.default = "gnome";
to one of
services.xserver.desktopManager.default = "gnome3";
services.xserver.desktopManager.default = "none";
- Fixed a bug in bluedevil (link to a .js file)
- Made bluez5 the default bluetooth service except for kde4
- created org.bluez.obex systemd dbus service
- Patched bluez5 using bluez-5.37-obexd_without_systemd-1.patch
in order to enable obex when using either the bluedevil plasmoid
or dolpin file manager within plasma workspaces 5.
The functionality was tested using a Sony Xperia Z, the machine
and the handset paired and two different files were sent in both
directions successfully.
- added numlock on boot switch
- simply add :
services.xserver.displayManager.sddm.autoNumlock = true;
to configuration.nix and sddm will start
with numlock enabled.
If we limit SSH_ASKPASS to interactive shells, users are unable to trigger
the ssh-passphrase dialog from their desktop environment autostart scripts.
Usecase: I call ssh-add during my desktop environment autostart and want to have
the passphrase dialog immediately after startup.
For this to work, SSH_ASKPASS needs to be propagated properly on
non-interactive shells.
See http://nixos.org/nixpkgs/manual/#sec-package-naming
I've added an alias for multipath_tools to make sure that we don't break
existing configurations referencing the old name.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Make top level /var/lib/postfix as root:root 0755
After generating custom configs in /var/lib/postfix/conf,
`postfix set-permissions` called, to perform all required tricks
related to queue handling (postfix use file mode bits to keep
some internal statuses, so `chmod -R` not recommended by authors,
see comments in $out/libexec/postfix/post-install for details)
Also post-install script was patched, to skip permission check/update
for files inside $out, as well as symlinks following to $NIX_STORE.
Config file `main.cf` extended with all default directory locations,
to prevent post-install script from guessing and overwrite them.
And finally all actions in activation script snippets performed
by postmap/postalias/postfix tools from current build, not random one
from paths.
When using `--ensure-unique-name`, don't needlessly append `"-0"` if the
container name is already unique.
This is especially helpful with NixOps since when it deploys to a
container it uses `--ensure-unique-name`. This means that the container
name will never match the deployment host due to the `"-0"`. Having the
container name and the host name match isn't exactly a requirement, but
it's nice to have and a small change.
Set this option to 'true' (default: 'false') to enable extension mechanisms for
DNS (EDNS) in your local glibc resolver. This is required for supporting
DNSSEC, for example.
Implementation detail: the patch changes assignments to "resolv_conf_options"
to use "+=" instead of "=" to ensure that multiple users of that variable don't
overwrite each other. The generated config file is a shell script, after all,
so this should work fine.
Closes https://github.com/NixOS/nixpkgs/issues/12470.
- add missing types in module definitions
- add missing 'defaultText' in module definitions
- wrap example with 'literalExample' where necessary in module definitions
Building config.system.build.isoImage would fail with the following
error using the channel:
ln: failed to create symbolic link
'/nix/store/zz0hzi5imrg4927v6f8mv281qs6v6pbq-nixos-16.03pre69762.e916273/nixos/nixpkgs/.': File exists
The fix skips symlink as it already exists if the channel
nixpkgs copy is used.
Fixes#10367
Regression introduced by 3891d3e654.
Merging multiple options with type "str" won't work and give an
evaluation error. For extra configuration lines in the Postfix config it
really should be "lines", especially because even the description
mentions "extra lines".
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Modifies libvirt package to search for configs in /var/lib and changes
libvirtd service to copy the default configs to the new location.
This enables the user to change e.g. the networking configuration with
virsh or virt-manager and keep those settings.