Commit Graph

7410 Commits

Author SHA1 Message Date
Eelco Dolstra
01dbf03628
network-link-*.service: Set stopIfChanged = false
This reduces the time window during which IP addresses are gone during
switch-to-configuration. A complication is that with stopIfChanged =
true, preStop would try to delete the *new* IP addresses rather than
the old one (since the preStop script now runs after the switch to the
new configuration). So we now record the actually configured addresses
in /run/nixos/network/addresses/<interface>. This is more robust in
any case.

Issue https://github.com/NixOS/nixops/issues/640.
2017-04-04 15:13:49 +02:00
Eelco Dolstra
35dbcbb296
Fix eval error due to config.ec2.hvm 2017-04-04 13:49:13 +02:00
Eelco Dolstra
279565c3d6
Revert "Revert "EC2: Disable PV support""
This reverts commit 71710fd099.
2017-04-04 13:03:05 +02:00
Jörg Thalheim
847fdaaddc Merge pull request #24502 from Mic92/rtl8192su-firmware
rtl8192su-firmware: init at unstable-2016-10-05
2017-04-04 12:09:13 +02:00
Jörg Thalheim
71710fd099
Revert "EC2: Disable PV support"
This reverts commit fbe6d23624.

this breaks every non-ec2 (non-hvm) system

cc @edolstra
2017-04-04 12:05:21 +02:00
Carles Pagès
d5a623cb39 Update 17.03 release notes 2017-04-03 22:54:34 +02:00
Piotr Bogdan
c91c3209f3 unclutter: Fix default value of $DISPLAY 2017-04-03 18:41:11 +01:00
Eelco Dolstra
8cc3db6b67
Add 17.03 AMIs 2017-04-03 17:46:34 +02:00
Eelco Dolstra
fbe6d23624
EC2: Disable PV support
Unfortunately, somewhere between 16.09 and 17.03, paravirtualized
instances stopped working. They hang at the pv-grub prompt
("grubdom>"). I tried reverting to a 4.4 kernel, reverting kernel
compression from xz to bzip2 (even though pv-grub is supposed to
support xz), and reverting the only change to initrd generation
(5a8147479e). Nothing worked so I'm
giving up.
2017-04-03 17:46:34 +02:00
Eelco Dolstra
e6faf2a4e6
create-amis.sh: Use pv-grub-hd0_1.05 2017-04-03 17:46:34 +02:00
Thomas Tuegel
bd0163fc34
Merge branch 'fontconfig-penultimate' 2017-04-03 09:31:20 -05:00
Thomas Tuegel
89bfa112cf
fontconfig-penultimate: 0.2.1 -> 0.3.2 2017-04-03 09:26:19 -05:00
Eelco Dolstra
b0d07aa894 Merge pull request #24533 from Zimmi48/patch-1
[doc] improve "getting the sources" chapter
2017-04-03 15:33:32 +02:00
Thomas Tuegel
03942659ca
nixos/fontconfig: remove renderMonoTTFAsBitmap 2017-04-03 08:24:32 -05:00
Thomas Tuegel
21c9190a5f
nixos/fontconfig: remove forceAutohint option 2017-04-03 08:23:32 -05:00
Thomas Tuegel
7a78892c47
nixos/fontconfig: disable autohint by default 2017-04-03 08:22:03 -05:00
Graham Christensen
c7453084ef
docker: test for socket permissions 2017-04-03 09:05:41 -04:00
Alexey Shmalko
fa4fe71105
docker: fix socket permissions
Docker socket is world writable. This means any user on the system is
able to invoke docker command. (Which is equal to having a root access
to the machine.)

This commit makes socket group-writable and owned by docker group.

Inspired by
https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket
2017-04-03 09:05:37 -04:00
Shea Levy
3a26d09e15 initrd-ssh: Use initrd secrets for host keys 2017-04-02 16:33:37 -04:00
Shea Levy
b09490a322 systemd-boot: Support initrd secrets 2017-04-02 16:33:37 -04:00
Shea Levy
59c0977300 Add facility to append secrets to the initrd 2017-04-02 16:33:37 -04:00
Tuomas Tynkkynen
affce1e246 nixos hibernate test: Use waitForOpenPort
There was one confusing recent failure of this:

http://cache.nixos.org/log/myla8bc17j8spmifdxmrz9jswxwsf5w6-vm-test-run-hibernate.drv

I don't have any real ideas on what could cause the problem but there is
at least one theoretical one: the system starts hibernating before the
listener process manages to open the TCP port for listening, and it can't
open it after resuming because not enough pages from the netcat binary
have been paged in (and as the 9p filesystem holding it is now toast,
they can't be loaded anymore).
2017-04-02 02:33:21 +03:00
Théo Zimmermann
72070e6dfc doc: improve "getting the sources" chapter 2017-04-01 17:56:29 +02:00
Niklas Hambüchen
ee0f3e7ad9 acme: Use chown -R for challenges directory. Fixes #24529.
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went it.
2017-04-01 15:22:01 +02:00
Vasiliy Solovey
4fc2a86795 rl-notes 17.09: add note about idea -> jetbrains renaming 2017-04-01 12:46:27 +03:00
Eelco Dolstra
80b40fdf03
sshd.nix: Alternative fix for #19589
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
2017-03-31 16:18:58 +02:00
Eelco Dolstra
4e79b0b075
Revert "sshd: separate key generation into another service"
This reverts commit 1a74eedd07. It
breaks NixOps, which expects that

  rm -f /etc/ssh/ssh_host_ed25519_key*
  systemctl restart sshd
  cat /etc/ssh/ssh_host_ed25519_key.pub

works.
2017-03-31 16:18:58 +02:00
Robin Gloster
cbd6fb1b3a
Release Notes: tracking UIDs/GIDs is in 17.09 2017-03-31 15:51:37 +02:00
Eelco Dolstra
e241fb87a1
Update 17.03 release notes 2017-03-31 15:00:30 +02:00
Jörg Thalheim
50f7a7ca2e
rtl8192su-firmware: init at unstable-2016-10-05 2017-03-31 10:49:38 +02:00
Scott R. Parish
7138b55918
slock: needs the ability to be install with suid privileges 2017-03-30 14:36:53 -07:00
Robin Gloster
163668f6c4
Release Notes 17.03: update on master 2017-03-30 22:52:08 +02:00
sternenseemann
fd3a99633b 2bwm: init at 0.2 2017-03-30 19:21:27 +02:00
Robin Gloster
8a18e1f7f1
quagga service: disable 2017-03-30 16:23:33 +02:00
Robin Gloster
ce953d0bc9
panomatic: remove 2017-03-30 16:23:33 +02:00
Joachim Fasting
c504e14c87
rl-notes 17.03: add notes about changes to the dnscrypt-proxy interface
(cherry picked from commit 9613677176)
2017-03-30 13:36:08 +02:00
Joachim Fasting
543f5263d2
nixos/dnscrypt-proxy test: exercise plugin loading 2017-03-30 13:36:06 +02:00
Robin Gloster
a79891f6b2
sitecopy: remove 2017-03-30 12:06:09 +02:00
Eelco Dolstra
a57bcd38b4
update-users-groups.pl: Keep track of deallocated UIDs/GIDs
When a user or group is revived, this allows it to be allocated the
UID/GID it had before.

A consequence is that UIDs and GIDs are no longer reused.

Fixes #24010.
2017-03-29 18:13:18 +02:00
romildo
2630e7384f qt5ct: add a nixos module to enable qt5ct
In order to use qt5ct (Qt5 Configuration Tool) to configure Qt5
settings (theme, font, icons, etc.) under DE/WM without Qt
integration, the environment variable QT_QPA_PLATFORMTHEME should be
set to "qt5ct".

It can be done automatically by this module, or by setting the
variable explicitly in the user or in the system configuration.
2017-03-29 06:17:23 -03:00
Bas van Dijk
1d52c677be ssmtp: use the authPassFile option instead of authPass
This gives users the option of storing the authPass outside the
world-readable Nix store.
2017-03-29 00:34:23 +02:00
Tim Steinbach
eb70ae34b1 Merge pull request #24254 from bachp/gitlab-runner-9
Upgrade Gitlab Runner
2017-03-28 18:21:35 -04:00
Joachim Fasting
8427222eca
rl-notes 17.03: add note about pre-NSS dnscrypt-proxy
(cherry picked from commit de5d4dc147)
2017-03-29 00:05:48 +02:00
Jörg Thalheim
36fca93290
rename iana_etc to iana-etc
fixes #23621
2017-03-28 22:35:15 +02:00
Pascal Bach
8373124202 gitlab-runner: make v1 runner available
gitlab-runner 9.0.0 is only compatible with gitlab >= 9.0
gitlab-runner1 1.11.1 is only compatible with gitlab < 9.4
2017-03-28 21:02:43 +02:00
Bas van Dijk
6f2eca1744 wordpress: replace the dbPassword option with dbPasswordFile (#24146)
We shouldn't force users to store passwords in the world-readable Nix store.
2017-03-28 17:38:16 +02:00
Clemens Fruhwirth
72ec884cc6 Make GCE image as small as possible and incorporate partition growing
when users of nixops specified a larger root disk via
deployment.gce.rootDiskSize

1GB is the smallest possible size as GCP doesn't support
fractions of GB for RAW images, see
https://cloud.google.com/compute/docs/images/import-existing-image#requirements
2017-03-27 17:41:42 +02:00
Robin Gloster
d1228f95e9
Revert "Revert "gdm module: only make xserver args overrideable""
This reverts commit 4e57e7f7c6.

This actually broke gnome3 and didn't fix anything, I failed bisecting.
2017-03-27 17:20:56 +02:00
Franz Pletz
1b95985b71 Merge pull request #24148 from volth/libvirt-3.1.0
libvirt: 3.0.0 -> 3.1.0
2017-03-27 10:02:06 +02:00
aszlig
ee39d4b98a
nixos/tests/virtualbox: Fix @shell@ expansion
This has surfaced since f803270b7e.

The commit bumped bash to version 4.4, which caused to change the order
of --subst-var flags in substituteAll, which this test was relying on,
because it added a @shell@ to boot.initrd.postMountCommands.

Our substituter is currently working a bit like this:

original.replace('@var1@', 'val1').replace('@var2@', 'val2')...

Unfortunately, this means that if @var2@ occurs within @var1@ it is
replaced by the new value, so the order of the substvars actually
matter. I highly doubt that we want a behaviour like this and I'm
wondering why it didn't occur to me as a problem while writing the
initial implementation of the VirtualBox tests.

Whether to get rid of this and disallowing substitution of substvars
within substvars is another topic which I think needs discussion in a
different place.

As for now, I'm using stdenv.shell, because the closure size of this
should fit within the initrd, so it's fine especially because it's just
a test.

Tested with the net-hostonlyif and systemd-detect-virt tests and they
both succeed with this change.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: @globin on IRC
2017-03-27 04:53:17 +02:00
c74d
a4ac5506f5 google-compute-image: fix Yama LSM option conflict
Having fixed the Google Compute Engine image build process's copying
of store paths in PR #24264, I ran `nixos-rebuild --upgrade switch`...
and the GCE image broke again, because it sets the NixOS configuration
option for the sysctl variable `kernel.yama.ptrace_scope` to
`mkDefault "1"`, i.e., with override priority 1000, and now the
`sysctl` module sets the same option to `mkDefault "0"` (this was
changed in commit 86721a5f78).

This patch raises the override priority of the Google Compute Engine
image configuration's definition of the Yama sysctl option to 500
(still lower than the priority of an unmodified option definition).

I have tested that this patch allows the Google Compute Engine image
to again build successfully for me.
2017-03-26 21:09:58 +02:00
Arnold Krille
68729958e8
network-interfaces: reload bridges on conf changes
And adopt the tests to add an interface and remove it again.

It should work when deactivating rstp, it will not work when activating
rstp for the first bridge as then the userspace daemon is not yet
available. But once one bridge is active with stp, it should work with
the reload for any further bridge.

Fixes #21745. Also see #22547.
2017-03-26 18:47:43 +02:00
Jörg Thalheim
e0fd894d88 Merge pull request #24334 from cko/update_docu
NixOS Manual: Update version numbers
2017-03-26 11:23:32 +02:00
Edward Tjörnhammar
b35d22b30c
radarr: init at 0.2.0.553 + nixos module 2017-03-25 21:19:55 +01:00
Edward Tjörnhammar
2db5c5cfe2
jackett: init at 0.7.1197 + nixos module 2017-03-25 21:19:44 +01:00
Edward Tjörnhammar
958668ab80
nixos, openafs-client: correct serviceConfig 2017-03-25 21:19:34 +01:00
Christine Koppelt
e5c927cb8d NixOS Manual: Update version numbers 2017-03-25 20:14:04 +01:00
Richard Zetterberg
dc10688edb nftables: adds information regarding nftables and Docker (#24326) 2017-03-25 16:34:02 +01:00
Franz Pletz
d545772640
libvirt: make guest suspend work, use upstream units 2017-03-25 14:59:01 +01:00
Nikolay Amiantov
417844b596 phpfpm service: don't use private /tmp
This breaks local PostgreSQL connections.
2017-03-25 14:52:44 +01:00
Robin Gloster
6b8ad8b581
networkd: fix setting both defaultGateway{,6} 2017-03-25 14:30:05 +01:00
goibhniu
170b8da281 Merge pull request #24304 from matklad/uefi-install-docs
docs: clarify UEFI bootloader setup
2017-03-25 13:08:06 +01:00
Tuomas Tynkkynen
60788745c9 channel.nix: Use filterSource to exclude unnecessary files from nixpkgs
Currently, if you try to build a NixOS config including channel.nix, e.g.:

nix-build -I nixpkgs=. -I nixos-config=nixos/modules/installer/cd-dvd/installation-cd-minimal.nix nixos -A config.system.build.isoImage

twice in a row, you end up with two different build results. This is
caused by the 'result' symlink of the first build affecting the channel
contents of the second build.

If we use filterSource with a predicate that ignores the 'result'
symlinks, the problem is gone. Do the same thing for VIM/Emacs
swap/backup files to avoid even more 'spurious' rebuilds.

Additionally, filter out the '.git' directory at the same time, as we
'rm -rf' it from the result anyway. This avoids a considerable amount of
unnecessary file I/O copying and deleting the .git directory.
2017-03-25 01:42:28 +02:00
Leon Isenberg
db30cff500 earlyoom service: init 2017-03-24 23:16:16 +01:00
Aleksey Kladov
edac1d3e7a docs: clarify UEFI bootloader setup 2017-03-25 00:48:27 +03:00
Vladimír Čunát
455ce3528c
Merge branch 'staging' 2017-03-24 21:07:55 +01:00
Thomas Tuegel
352e335f3d
nixos/sddm: test automatic and manual login 2017-03-24 10:39:13 -05:00
Thomas Tuegel
5dbbb60d4f
nixos/plasma5: re-enable test
Fixes #24240.

I do not know the cause of the test failures, but the tests pass now.
2017-03-24 10:38:59 -05:00
Thomas Tuegel
27ba56f1e0
nixos/plasma5: also test SDDM theme 2017-03-24 09:45:57 -05:00
Joachim Fasting
f815a7697e
dnscrypt-proxy service: systemd notification under apparmor 2017-03-24 14:37:44 +01:00
Robin Gloster
4e57e7f7c6
Revert "gdm module: only make xserver args overrideable"
This reverts commit a5aa926902.

This allows gdm to run again, the test is still failing.
2017-03-24 10:35:20 +01:00
c74d
e0e520a519 google-compute-image: copy store paths with rsync
In `nixos/modules/virtualisation/google-compute-image.nix`, copy store
paths with `rsync -a` rather than `cp -prd`, because `rsync` seems
better able to handle the hard-links that may be present in the store,
whereas `cp` may fail to copy them.

I have tested that the Google Compute Engine image builds successfully
for me with this patch, whereas it did not without this patch.

This is the same fix applied for Azure images in commit
097ef6e435.

Fixes #23973.
2017-03-24 02:14:10 +01:00
Jan Malakhovski
2822bacd60
nixos: xen: condition default packages on enable
Closes #23690.
2017-03-24 01:54:04 +01:00
Thomas Tuegel
ae1034ea96
nixos/sddm: improve test
Disable SDDM auto-login to improve testing for SDDM themes. See #24246.
2017-03-23 19:20:27 -05:00
Robin Gloster
c2b9b8031f Merge pull request #24026 from benley/use-xkbDir
nixos: Use xkbDir consistently so it has an effect
2017-03-23 18:02:26 +01:00
Vladimír Čunát
c71f8f6ead
release-combined: disable plasma tests temporarily
... to get a channel bump after a long time; see #24240.
2017-03-23 16:10:04 +01:00
Robin Gloster
e82baf043e
security-wrapper: link old wrapper dir to new one
This makes setuid wrappers not fail after upgrading.

references #23641, #22914, #19862, #16654
2017-03-23 15:57:30 +01:00
Robin Gloster
45f486f096
Revert "security-wrapper: Don't remove the old paths yet as that can create migration pain"
This reverts commit 4c751ced37.

This does not fix the issue as /run is now mounted with nosuid.
2017-03-23 15:57:23 +01:00
Vladimír Čunát
c1a9dc3d37
Merge branch 'master' into staging 2017-03-23 13:31:28 +01:00
Symphorien Gibol
a6665adde8 grub module: fix useOSProber when installing grub as EFI 2017-03-23 12:53:44 +01:00
Jörg Thalheim
b2ba188656 Merge pull request #24182 from ndowens/munin
munin: 2.0.30 -> 2.0.33; for CVE-2017-6188
2017-03-22 19:21:02 +01:00
Piotr Bogdan
a4b4cd0710 lightdm-greeters service: add extraConfig option (#24135) 2017-03-22 15:33:22 +01:00
Thomas Tuegel
a96e047b31
nixos/sddm: replace themes option with package option 2017-03-22 07:44:55 -05:00
Thomas Tuegel
7ca62935bb
nixos/plasma5: do not include extra-cmake-modules in sddm
Fixes #24126.
2017-03-22 07:44:55 -05:00
Joachim Fasting
95eaa3aec3
nixos/tor: add missing option type 2017-03-22 02:27:23 +01:00
Jörg Thalheim
b4169bb8dd
munin: fix tests by replacing cron with systemd timer 2017-03-22 00:16:36 +01:00
Eelco Dolstra
86721a5f78
Allow attaching to non-child processes by default
The inability to run strace or gdb is the kind of
developer-unfriendliness that we're used to from OS X, let's not do it
on NixOS.

This restriction can be re-enabled by setting

  boot.kernel.sysctl."kernel.yama.ptrace_scope" = 1;

It might be nice to have a NixOS module for enabling hardened defaults.

Xref #14392.

Thanks @abbradar.
2017-03-21 18:48:35 +01:00
Eelco Dolstra
78bb734452
nix-daemon.nix: Make the 1.12 check less strict 2017-03-21 18:48:35 +01:00
Nikolay Amiantov
6555ec03c3 udev module: filter duplicate udev paths
Fixes #24174
2017-03-21 20:22:27 +03:00
Nikolay Amiantov
d3e2957c90 octoprint: 1.3.1 -> 1.3.2
Fix startup wizard and cleanup dependencies.
2017-03-21 20:22:27 +03:00
Carlos D
e6a02918ce Expand on creating USB bootable for OS X 2017-03-21 17:31:10 +01:00
Domen Kožar
02129a8788 Merge pull request #23672 from edanaher/nginx-alias
Nginx alias directive
2017-03-21 15:04:02 +01:00
Eelco Dolstra
2cb25f8b59
nix: 1.11.7 -> 1.11.8 2017-03-21 14:49:23 +01:00
Robin Gloster
f2ff646e59 Merge pull request #23641 from awakenetworks/parnell/fix-wrapper-migration
security-wrapper: Don't remove the old paths yet as that can create migration pain
2017-03-21 13:40:15 +01:00
Robin Gloster
c93eb74e6a Merge pull request #23838 from mayflower/remove-md5
fetch-*: remove md5 support
2017-03-21 13:27:51 +01:00
Franz Pletz
4bd12fa7b2
gitlab module: explicitely create pages shared path
Fixes creation of backups.
2017-03-21 13:16:51 +01:00
Frederik Rietdijk
94eb74eaad Merge remote-tracking branch 'upstream/master' into HEAD 2017-03-21 13:04:37 +01:00
Frederik Rietdijk
4263c53f66 Python changelog 2017-03-21 11:05:03 +01:00
Franz Pletz
fb50cde71e
nixos/treewide: systemd.time is in manvolume 7
cc #23396
2017-03-21 08:28:53 +01:00
Robin Gloster
c808801937
nix-daemon: fix autoOptimiseStore option 2017-03-21 02:17:09 +01:00
Robin Gloster
5e0f932de0
rl-notes 17.03: info on python module location
closes #11567
2017-03-20 23:28:51 +01:00
Robin Gloster
c066dc8416
fetch-*: add md5 support removal to rl-notes 2017-03-20 22:26:02 +01:00
Franz Pletz
295a824abc Merge pull request #21866 from pjones/pjones/rmilter
rmilter: Fix a couple of bugs
2017-03-20 20:50:56 +01:00
Franz Pletz
c13922f012
nginx: explicitly use stable version
Also updates the documention of the NixOS option `services.nginx.package`
that upstream recommends using the mainline version instead.

Fixes #21665.
2017-03-20 20:04:09 +01:00
Eelco Dolstra
337f731c2b Merge pull request #24134 from pstn/nix-auto-optimise
Added option and description for nix store auto-optimisation.
2017-03-20 20:01:48 +01:00
Philipp Steinpass
68c6d90417 Added option and description for nix store auto-optimisation. 2017-03-20 19:09:19 +01:00
Franz Pletz
7151e74883
nixos: enable nginx test
cc #23279
2017-03-20 19:05:59 +01:00
Franz Pletz
fff8cc79df Merge pull request #23279 from mbbx6spp/make-nginx-module-less-gross
nginx service: add commonHttpConfig option
2017-03-20 19:03:20 +01:00
Thomas Tuegel
1b0d9e9ae6 Merge pull request #23819 from ttuegel/freetype
FreeType 2.7.1 and Fontconfig defaults
2017-03-20 11:43:50 -05:00
Thomas Tuegel
d458b5401a
nixos/fontconfig: add Changelog message about FreeType update 2017-03-20 10:39:48 -05:00
Thomas Tuegel
020791f7e1 Merge pull request #24125 from ttuegel/disable-kimpanel
nixos/plasma5: do not set kimpanel as default IBus panel
2017-03-20 10:23:09 -05:00
Nikolay Amiantov
179fe96a03 Merge pull request #24112 from abbradar/odroid
Add ODROID-XU{3,4} support
2017-03-20 17:44:09 +03:00
Thomas Tuegel
d709cdd829
nixos/plasma5: do not set kimpanel as default IBus panel
kimpanel does not show installed IBus engines or allow switching input
methods. kimpanel does show configured keyboard layouts through kxkb, so I
believe there is some problem communicating with IBus. No error messages are
produced in the log and I have been unable to discover the cause. I have no
intention of continuing to work on kimpanel at this time, so it should be
disabled. The GTK+ 3-based panel provided by IBus is perfectly serviceable in
the interim.
2017-03-20 09:31:05 -05:00
Thomas Tuegel
4837aba1ee Merge pull request #24101 from romildo/fix.lumina
lumina: fix kwindowsystem and oxygen-icons5 attributes
2017-03-20 09:00:25 -05:00
Kristoffer Søholm
f9e8ef7e6d nixos/bluetooth: add extraConfig option (#23427) 2017-03-20 14:28:02 +01:00
Nikolay Amiantov
1f0ce0eaf8 makeTest: don't rely on makeWrapper not quoting newlines 2017-03-20 16:15:38 +03:00
Tuomas Tynkkynen
74c4e30842 Revert "nixos: build for aarch64-linux"
This reverts commit b806e25d65.

This seems to push Hydra's memory usage out of the roof fail nixos
evaluating with:

Too many heap sections: Increase MAXHINCR or MAX_HEAP_SECTS

Let's revert this for now. It's not a big deal at all since the
nixpkgs-unstable jobset is still building the packages.
2017-03-20 10:30:51 +02:00
Nikolay Amiantov
15d3f8e783 sd-image-armv7l-multiplatform module: enable ODROID-XU3 console 2017-03-20 11:07:04 +03:00
romildo
501d9c7186 lumina: fix kwindowsystem and oxygen-icons5 attributes 2017-03-19 21:46:35 -03:00
Will Dietz
cb73cb9e62 neo4j service: neo4j-wrapper is deprecated, merge into neo4j.conf 2017-03-19 16:56:53 -05:00
Will Dietz
515fc22263 neo4j service: fix package installed into env to match running service 2017-03-19 16:56:52 -05:00
Michael Walker
b29bc8d41c vsftpd: Expose the no_anon_password flag. 2017-03-19 01:53:29 +00:00
Benjamin Staffin
b79c284952
nixos: Use xkbDir consistently so it has an effect 2017-03-18 17:56:38 -04:00
Daiderd Jordan
a48df6fba6 Merge pull request #22508 from matthewbauer/remove-emacs24macport
emacs24macport: remove
2017-03-18 22:19:20 +01:00
Frederik Rietdijk
e67b979ab5 Merge remote-tracking branch 'upstream/master' into HEAD 2017-03-18 15:32:43 +01:00
Philipp Hausmann
c904e68e53 Remove static uid/gid 2017-03-18 13:54:39 +01:00
Joachim Schiele
6022a79cbc nixos/release.nix: added tests.wordpress 2017-03-18 11:10:49 +01:00
Vladimír Čunát
742b120ddc
Merge branch 'master' into staging
Nontrivial rebuilds from master, again :-/
2017-03-18 11:00:31 +01:00
Will Dietz
63f1a14ae5 neo4j service: increase file limit, per warning emitted at startup (#23961) 2017-03-18 01:03:09 +01:00
Joachim F
9a976c09ba Merge pull request #23963 from dtzWill/feature/irkerd
irker: init at 2017-02-12
2017-03-18 00:35:32 +01:00
Franz Pletz
9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
Franz Pletz
00239ce8e9
rmilter/rspamd service: tighten unix socket permissions 2017-03-17 23:01:24 +01:00
Franz Pletz
8ab2d2ee27
rmilter service: support only one socket 2017-03-17 23:00:34 +01:00
Peter Jones
4defb788eb
rmilter service: Fix a couple of bugs
* The module uses `stringSplit` but it should be `splitString`

  * `rmilter` doesn't actually support binding to multiple sockets.
    Therefore, bind to the last one specified if `socketActivation` is
    `false`.

I also believe there is a bug in this module related to systemd
`ListenStream`.  If `socketActivation` is true, Postfix gets
connection timeouts trying to connect to one of the `ListenStream`
inet addresses.  I don't know enough about `ListenStream` passing
connections on to `fd:3` to understand what's going on.

These changes are in production (with `socketActivation = false`) via NixOps.
2017-03-17 20:15:48 +01:00
Thomas Tuegel
a6fce585e4
nixos/fontconfig: set rendering defaults, not overrides 2017-03-17 13:50:10 -05:00
Thomas Tuegel
354ea69ae4
fontconfig-penultimate: init at 0.2
Also provides a NixOS module.
2017-03-17 13:50:05 -05:00
Joachim F
01f8e2161c Merge pull request #23962 from oxij/nixos/tor-sec
nixos: tor: usability and security fixes
2017-03-17 16:14:41 +01:00
Pascal Bach
3728143cbc prometheus-unifi-exporter: init at 0.4.0 2017-03-17 15:41:22 +01:00
Will Dietz
2807d75dca irkerd service: init 2017-03-17 09:16:32 -05:00
Michael Raskin
f9fb38fcae Merge pull request #23924 from 7c6f434c/improve-firefox-test
nixos: tests: firefox: make more comprehensive
2017-03-17 13:00:18 +01:00
Léo Gaspard
66e54f25a1 dhparams module: condition on enable option (#23661)
Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
Jan Malakhovski
a04782581a nixos: torify: disable by default, add some documentation as of why
This `tsocks` wrapper leaks DNS requests to clearnet, meanwhile Tor comes with
`torsocks` which doesn't.

Previous commits to this file state that all of this still useful somehow.
Assuming that it's true, at least let's not confuse users with two different tools
and don't clash with the `tsocks` binary from nixpkgs by disabling this by default.
2017-03-16 21:06:12 +00:00
Jan Malakhovski
6d25f77a64 nixos: tor: add enableGeoIP 2017-03-16 21:06:12 +00:00
Daiderd Jordan
00ed0f792e Merge pull request #22897 from timor/couchdb-2.0.0
couchdb: add support for version 2.0.0
2017-03-16 22:03:32 +01:00
Philipp Hausmann
ffa0a87774 Remove unused options 2017-03-16 20:51:06 +01:00
Philipp Hausmann
0bd6fdcfc4 Cosmetics 2017-03-16 20:50:10 +01:00
Philipp Hausmann
45d8d6ebeb Add slimserver nixos module 2017-03-16 20:43:09 +01:00
Profpatsch
6da60bb101 modules/mlmmj: fix a typo in listaddress folder 2017-03-16 18:47:11 +01:00
Graham Christensen
e4c0613470 Merge pull request #23674 from c0bw3b/sec/jboss7
JBoss AS: list known vulnerability
2017-03-15 17:33:27 -04:00
Vladimír Čunát
e99bc64552
Merge branch 'master' into staging
More larger rebuilds from master, unfortunately.
2017-03-15 19:09:56 +01:00
Michael Raskin
14a3412048 nixos: tests: firefox: make more comprehensive
Run Firefox inside an XTerm, it doesn't crash mysteriously this way.
Also try opening developer tools and checking that Firefox doesn't
crash in the process.
2017-03-15 17:25:57 +01:00
Pascal Bach
a8cca7037e prometheus-fritzbox-exporter: init at 1.0 2017-03-15 17:22:36 +01:00
Volth
bcc4c261be lxc: ensure directory /var/lib/lxc/rootfs 2017-03-15 12:42:27 +01:00
Bart Brouns
bb3ef8a95c physlock: fix issue 21935 2017-03-15 11:47:02 +01:00
Benjamin Staffin
98e4c5dd45 Merge pull request #23861 from benley/nixos-manual-launcher
nixos: Add a menu launcher for the NixOS manual
2017-03-15 04:37:16 -04:00
Joachim Fasting
f122f0147b
nixos/dnscrypt-proxy: log resolver list verification failure
Otherwise, the service unit just fails for no discernable
reason.  Verifcation failure is bad so it ought to be easily
discoverable.
2017-03-15 01:13:08 +01:00
Joachim Fasting
de15e7894b
nixos/dnscrypt-proxy: get resolver list from github
The list has disappeared from its ordinary location at
download.dnscrypt.org.
2017-03-15 01:12:46 +01:00
Joachim Fasting
472002f216
nixos/dnscrypt-proxy: remove the resolverList option
This option was initially added to make it easier to use an
up-to-date list, but now that we always use an up-to-date list
from upstream, there's no point to the option.

From now on, you can either use a resolver listed by dnscrypt
upstream or a custom resolver.
2017-03-15 01:12:43 +01:00
Joachim Fasting
540740598e
nixos/dnscrypt-proxy: add example of how to use the cache plugin 2017-03-15 01:12:39 +01:00
Joachim Fasting
719813caf6
nixos/dnscrypt-proxy: replace unimportant options with extraArgs
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability.  Until
17.09 we'll automatically translate these options into extraArgs
for convenience.

Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
2017-03-15 01:12:37 +01:00
Joachim Fasting
9325c3a616
nixos/dnscrypt-proxy: simplify module logic related to apparmor 2017-03-15 01:12:35 +01:00
Joachim Fasting
83052ef9db
nixos/dnscrypt-proxy: support reload 2017-03-15 01:12:29 +01:00
Franz Pletz
91744f31b0 Merge pull request #23623 from mayflower/fix/users-create-home
nixos/users-groups: chown home on createHome
2017-03-14 23:07:57 +01:00
Bas van Dijk
308c09d41f wordpress: security upgrade: 4.7.2 -> 4.7.3 & other improvements (#23837)
* Moved the wordpress sources derivation to the attribute pkgs.wordpress. This
  makes it easier to override.

* Also introduce the `package` option for the wordpress virtual host config which
  defaults to pkgs.wordpress.

* Also fixed the test in nixos/tests/wordpress.nix.
2017-03-14 16:11:51 +01:00
Benjamin Staffin
638e1b8243 nixos: Add a menu launcher for the NixOS manual 2017-03-14 06:04:43 -04:00
Peter Hoeg
80750f459c Merge pull request #17303 from peterhoeg/iio
iio-sensor-proxy: init at 2.2 and nixos module
2017-03-14 11:16:09 +08:00
Tuomas Tynkkynen
aba0b45b86 Merge remote-tracking branch 'upstream/master' into staging
Conflicts:
      pkgs/development/libraries/qt-5/5.7/qtbase/default.nix
2017-03-14 00:49:22 +02:00
Graham Christensen
b806e25d65
nixos: build for aarch64-linux 2017-03-13 17:34:33 -04:00
Renaud
72619a86c9 JBoss AS: list known vulnerability
CVE-2015-7501

Warning in JBoss module
2017-03-13 18:45:19 +01:00
Thomas Tuegel
65592837b6
freetype: 2.6.5 -> 2.7.1
The Infinality bytecode interpreter is removed in favor of the new v40 TrueType
interpreter. In the past, the Infinality interpreter provided support for
ClearType-style hinting instructions while the default interpreter (then v35)
provided support only for original TrueType-style instructions. The v40
interpreter corrects this deficiency, so the Infinality interpreter is no longer
necessary.

To understand why the Infinality interpreter is no longer necessary, we should
understand how ClearType differs from TrueType and how the v40 interpreter
works. The following is a summary of information available on the FreeType
website [1] mixed with my own editorializing.

TrueType instructions use horizontal and vertical hints to improve glyph
rendering. Before TrueType, fonts were only vertically hinted; horizontal hints
improved rendering by snapping stems to pixel boundaries. Horizontal hinting is
a risk because it can significantly distort glyph shapes and kerning. Extensive
testing at different resolutions is needed to perfect the TrueType
hints. Microsoft invested significant effort to do this with its "Core fonts for
the Web" project, but few other typefaces have seen this level of attention.

With the advent of subpixel rendering, the effective horizontal resolution of
most displays increased significantly. ClearType eschews horizontal hinting in
favor of horizontal supersampling. Most fonts are designed for the Microsoft
bytecode interpreter, which implements a compatibility mode with
TrueType-style (horizontal and vertical) instructions. However, applying the
full horizontal hints to subpixel-rendered fonts leads to color fringes and
inconsistent stem widths. The Infinality interpreter implements several
techniques to mitigate these problems, going so far as to embed font- and
glyph-specific hacks in the interpreter. On the other hand, the v40 interpreter
ignores the horizontal hinting instructions so that glyphs render as they are
intended to on the Microsoft interpreter. Without the horizontal hints, the
problems of glyph and kerning distortion, color fringes, and inconsistent stem
widths--the problems the Infinality interpreter was created to solve--simply
don't occur in the first place.

There are also security concerns which motivate removing the Infinality patches.
Although there is an updated version of the Infinality interpreter for FreeType
2.7, the lack of a consistent upstream maintainer is a security concern. The
interpreter is a Turing-complete virtual machine which has had security
vulnerabilities in the past. While the default interpreter is used in billions
of devices and is maintained by an active developer, the Infinality interpreter
is neither scrutinized nor maintained. We will probably never know if there are
defects in the Infinality interpreter, and if they were discovered they would
likely never be fixed. I do not think that is an acceptable situtation for a
core library like FreeType.

Dropping the Infinality patches means that font rendering will be less
customizable. I think this is an acceptable trade-off. The Infinality
interpreter made many compromises to mitigate the problems with horizontal
hinting; the main purpose of customization is to tailor these compromises to the
user's preferences. The new interpreter does not have to make these compromises
because it renders fonts as their designers intended, so this level of
customization is not necessary.

The Infinality-associated patches are also removed from cairo. These patches
only set the default rendering options in case they aren't set though
Fontconfig. On NixOS, the rendering options are always set in Fontconfig, so
these patches never actually did anything for us!

The Fontconfig test suite is patched to account for a quirk in the way PCF fonts
are named.

The fontconfig option `hintstyle` is no longer configurable in NixOS. This
option selects the TrueType interpreter; the v40 interpreter is `hintslight` and
the older v35 interpreter is `hintmedium` or `hintfull` (which have actually
always been the same thing). The setting may still be changed through the
`localConf` option or by creating a user Fontconfig file.

Users with HiDPI displays should probably disable hinting and antialiasing: at
best they have no visible effect.

The fontconfig-ultimate settings are still available in NixOS, but they are no
longer the default. They still work, but their main purpose is to set rendering
quirks which are no longer necessary and may actually be
detrimental (e.g. setting `hintfull` for some fonts). Also, the vast array of
font substitutions provided is not an appropriate default; the default setting
should be to give the user the font they asked for.

[1]. https://www.freetype.org/freetype2/docs/subpixel-hinting.html
2017-03-12 17:31:33 -05:00
Jörg Thalheim
9e6fe2e4f2 Merge pull request #23765 from benley/ykpers-duplicate
ykpers: consolidate into yubikey-personalization
2017-03-12 22:26:32 +01:00
Vladimír Čunát
50fadc8b18
cups: split the $lib output
This saves > 10 MB from most closures.
Printing test succeeds on x86_64-linux.
2017-03-12 18:36:30 +01:00
Jörg Thalheim
41625dcab6
pump.io: fix tests
fixes #23568
2017-03-12 16:01:07 +01:00
Rodney Lorrimar
f488b1811b
pumpio service: don't keep secrets in nix store
Added extra config options to allow reading passwords from file rather
than the world-readable nix store.

The full config.json file is created at service startup.

Relevant to #18881
2017-03-12 16:01:02 +01:00
Rodney Lorrimar
f1a1490135
pumpio service: adjust upload directory config for 3.0.0
These changes are backwards compatible.
2017-03-12 16:00:57 +01:00
zetok
4ca17dd6c0 gresecurity docs: fix incorrect option (#23789) 2017-03-12 15:05:14 +01:00
Benjamin Staffin
f474f82860 ykpers: consolidate into yubikey-personalization
Looks like this accidentally got packaged twice.
2017-03-11 16:23:00 -05:00
Franz Pletz
323d0fdd5a
phpfpm module: set correct nixos sendmail path 2017-03-11 09:39:12 +01:00
Daiderd Jordan
b52af49d36
virtualisation-xen: fix defaultText interpolation 2017-03-11 00:09:22 +01:00
Joachim Fasting
bb6361b81a
nixos/dnscrypt-proxy: grant daemon access to load plugins 2017-03-10 18:54:54 +01:00
Joachim Fasting
5279ec111f
nixos/dnscrypt-proxy docs: reword section on forwarding
Newer versions of DNSCrypt proxy *can* cache lookups (via
plugin); make the wording more neutral wrt. why one might want
to run the proxy in a forwarding setup.
2017-03-10 18:54:52 +01:00
Joachim Fasting
c0a8a9205b
nixos/dnscrypt-proxy: inline option renamings
In an effort to make the module more self-contained.
2017-03-10 18:54:51 +01:00
Joachim Fasting
563c8e1496
nixos/dnscrypt-proxy: inline top-level binding (cleanup) 2017-03-10 18:54:50 +01:00
Joachim Fasting
c6da2c7c2b
nixos/dnscrypt-proxy: use example.com in example values
It is the canonical example domain after all.
2017-03-10 18:54:44 +01:00
Thomas Tuegel
64b88c3017 Merge branch 'master' into phonon-gstreamer 2017-03-10 07:30:14 -06:00
Thomas Tuegel
edd43351cf
nixos/plasma5: no need to set gstreamer plugin path 2017-03-10 07:26:40 -06:00
Dan Peebles
c390cec122 buildbot NixOS modules: switch to not daemonize
1) The forking behavior of `buildbot start` is temporarily broken for
   mysterious reasons that I'm still looking into
2) Let systemd do the forking: no point in using two different process
   startup wait loops
2017-03-10 00:11:57 -05:00
Thomas Tuegel
e3cb24d1e0 Merge pull request #23503 from ttuegel/fontconfig
Generalize Fontconfig options
2017-03-09 19:29:28 -06:00
Evan Danaher
a09246948c nginx: disallow alias directive on server level; it doesn't work. 2017-03-09 16:54:44 -05:00
Evan Danaher
e7358b192a nginx: Assert that either root or alias is null.
If both are set, nginx won't start.  More error checking is certainly in
order, but this seems like a reasonable start.
2017-03-09 13:02:49 -05:00
Evan Danaher
ff2e2e82cc nginx: Add alias configuration option for hosts and locations.
It's like root, but doesn't keep the prefix.
2017-03-09 13:02:29 -05:00
Dan Peebles
c3939cbcf5 buildbot modules: don't put BB users in nixbld group
The nixbld group belongs to nix-daemon and you really don't want to be
in it. If you are in it, nix-daemon will kill your processes when you
least expect it :)
2017-03-09 11:46:26 -05:00
Gregor Kleen
899fd868ea das_watchdog: fix service type 2017-03-09 16:14:17 +01:00
Orivej Desh
838051e9cd nixos/iso-image: support boot from USB disks 2017-03-09 15:35:30 +02:00
Joachim Fasting
06520c7fb7
nixos/dnscrypt-proxy: indicate update status
Make it easier for the user to tell when the list is updated
and, at their option, see what changed.
2017-03-08 19:07:53 +01:00
Joachim Fasting
5f27abec23
nixos/dnscrypt-proxy: more fs isolation for the updater
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available.  We
filter mount syscalls to prevent the process from undoing the fs
isolation.
2017-03-08 19:07:51 +01:00
Joachim Fasting
e72aaa73ea
nixos/dnscrypt-proxy: support updating before nss is up
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.

We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
2017-03-08 19:07:50 +01:00
Joachim Fasting
adf044e1fb
nixos/dnscrypt-proxy: refactoring
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...).  Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
2017-03-08 19:07:44 +01:00
Parnell Springmeyer
4c751ced37
security-wrapper: Don't remove the old paths yet as that can create migration pain 2017-03-08 08:57:52 -06:00
Profpatsch
22c265182f networking/bonds: fix examples
After the change of the bonding options, the examples were not quite correct.
The diff is over-the top because the new `let` needs everything indented.

Also add a small docstring to the `networkd` attr in the networking test.
2017-03-08 04:54:17 +01:00