Commit Graph

21236 Commits

Author SHA1 Message Date
Luke Granger-Brown
be598f3980
Merge pull request #120541 from pennae/fail2ban
nixos/fail2ban: add maxretry/extraPackages options
2021-05-01 15:09:24 +01:00
Sandro
ac72d9acfe
Merge pull request #91955 from c00w/expand
sd-image: Add option to control sd image expansion on boot.
2021-05-01 14:52:07 +02:00
Luke Granger-Brown
d76b075e3c
Merge pull request #121246 from thblt/master
nixos/pcscd: ensure polkit rules are loaded (fix #121121)
2021-05-01 13:30:45 +01:00
lewo
85aef7706e
Merge pull request #120620 from mweinelt/empty-capability-bounding-sets
nixos/{opendkim,rspamd}: Fix CapabilityBoundingSet option
2021-05-01 08:17:19 +02:00
Luke Granger-Brown
c58f60b41b
Merge pull request #121352 from lukegb/debug-hydra
amazonImage: make statically sized again
2021-05-01 04:06:34 +01:00
Luke Granger-Brown
733d682cc3 nixos/release: add amazonImageAutomaticSize
This allows us to continue to have the automatically sized image attempt
to build on Hydra, which should give us a good indication of when we've
got this fixed.
2021-05-01 02:43:45 +00:00
Luke Granger-Brown
87c3b7e767 amazonImage: make statically sized again
For reasons we haven't been able to work out, the aarch64 EC2 image now
regularly exceeds the output image size on hydra.nixos.org. As a
workaround, set this back to being statically sized again.

The other images do seem to build - it's just a case of the EC2 image
now being too large (occasionally non-determinstically).
2021-05-01 02:19:42 +00:00
Colin L Rice
bef4bda8dd sd-image: Add option to control sd image expansion on boot.
This is supeer useful to allow the normal sd-image code to be used by
someone who wants to setup multiple partitions with a sd-image.

Currently I'm manually copying the sd-image file and modifying it
instead.
2021-04-30 22:12:07 -04:00
Martin Weinelt
326f86d8cd
Merge pull request #121222 from mweinelt/nginx
nixos/nginx: update hardening settings
2021-05-01 00:36:16 +02:00
Martin Weinelt
efb30a191e
Merge pull request #120529 from mweinelt/zigbee2mqtt 2021-04-30 21:59:22 +02:00
Florian Klink
44a0debca7
Merge pull request #121021 from pennae/container-sigterm
nixos/nix-containers: use SIGTERM to stop containers
2021-04-30 21:35:16 +02:00
lunik1
248a57d61a
nixos/adguardhome: init (#120568) 2021-04-30 20:55:31 +02:00
Martin Weinelt
62de527dc3
nixos/zigbee2mqtt: start maintaing the module 2021-04-30 20:40:04 +02:00
Martin Weinelt
2b61d9ea01
nixos/zigbee2mqtt: create migration path from config to settings 2021-04-30 20:39:21 +02:00
Martin Weinelt
f1e7183f69
nixos/tests/zigbee2mqtt: relax DevicePolicy and log systemd-analye security 2021-04-30 19:42:26 +02:00
Martin Weinelt
a691549f7e
nixos/zigbee2mqtt: harden systemd unit
This is what is still exposed, and it allows me to control my lamps from
within home-assistant.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                  0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                              0.1
✗ MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                              0.1

→ Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
2021-04-30 19:42:26 +02:00
Martin Weinelt
e0f1e1f7bf
nixos/zigbee2mqtt: convert to rfc42 style settings 2021-04-30 19:42:26 +02:00
Martin Weinelt
506bc7ba02
nixos/nginx: update hardening settings
- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
  no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
  filesystem and `ProcSubSet` hides all files/directories unrelated to
  the process management of the units process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
  know of.
- Restricts the creation of arbitrary namespaces
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
  @obsolete and others.

And finally applies some sorting based on the order these options appear
in systemd.exec(5).
2021-04-30 18:49:43 +02:00
Kim Lindberger
fdd6ca8fce
Merge pull request #118898 from talyz/gitlab-memory-bloat
nixos/gitlab: Add options to tame GitLab's memory usage somewhat
2021-04-30 16:58:30 +02:00
Michael Weiss
28b8cff301
nixos/tests/cage: Fix the test with wlroots 0.13
See #119615 for more details. The aarch64-linux test failed with
"qemu-system-aarch64: Virtio VGA not available" so I've restricted the
test to x86_64-linux (the virtio paravirtualized 3D graphics driver is
likely only available on very few platforms).
2021-04-30 15:57:04 +02:00
pennae
317a2c9f26 nixos/nix-containers: add tests for early/no-machined container stop 2021-04-30 15:43:27 +02:00
Sandro
a73342b7ce
Merge pull request #120637 from andreisergiu98/ombi-update 2021-04-30 12:57:15 +02:00
Thibault Polge
71d9291742
nixos/pcscd: Correctly install pcsclite (fix #121121)
This makes sure that the polkit policies for pcsclite are correcly loaded.
2021-04-30 10:33:03 +02:00
Peter Hoeg
82c31a83b8 nixos/module: example referenced old ffmpeg 2021-04-30 09:43:18 +08:00
Michael Weiss
af99194379
nixos/tests/cage: Increase the xterm font size to fix the test
The result still looks far from ideal but at least it gets recognized
now. "-fa Monospace" is required to switch to a font from the FreeType
library so that "-fs 24" works.

Note: Using linuxPackages_latest is not required anymore.
2021-04-29 21:08:10 +02:00
Lassulus
addfd88117
Merge pull request #117072 from em0lar/keycloak-module-dbuser
nixos/keycloak: use db username in db init scripts
2021-04-29 20:15:19 +02:00
Leo Maroni
d9e18f4e7f
nixos/keycloak: use db username in db init scripts 2021-04-29 19:36:29 +02:00
Kim Lindberger
abecdfea73
Merge pull request #120833 from talyz/pipewire-0.3.26
pipewire: 0.3.25 -> 0.3.26
2021-04-29 18:46:35 +02:00
Florian Klink
7f9a5ad257
cage: drop maintainership (#121174)
I cannot currently maintain this, as I don't have access to the hardware
running it anymore.
2021-04-29 18:07:13 +02:00
WilliButz
674cea17a7
Merge pull request #120492 from SuperSandro2000/prometheus-unbound-exporter
Prometheus unbound exporter
2021-04-29 10:54:22 +02:00
Vladimír Čunát
5b0871bd97
Merge #120493: nixos/kresd: allow package to be configured 2021-04-29 10:41:12 +02:00
Andrei Pampu
e88bf5f13b
nixos/ombi: set ombi as system user 2021-04-29 10:52:02 +03:00
Sandro Jäckel
d3fe53a8a6
nixos/tests/prometheus-exporters: nixpkgs-fmt 2021-04-29 06:19:31 +02:00
Sandro Jäckel
da858b16b8
nixos/tests/prometheus-exporters: add unbound test
Author: WilliButz <willibutz@posteo.de>
2021-04-29 06:19:30 +02:00
Sandro Jäckel
ba13dc0652
nixos/prometheus: add unbound exporter 2021-04-29 06:19:29 +02:00
Peter Hoeg
6d23cfd56b nixos/pcscd: fix #121088 2021-04-29 10:10:18 +08:00
Peter Hoeg
ce93de4f62 nixos/hyperv: bail gracefully if device is missing 2021-04-29 09:37:17 +08:00
Luke Granger-Brown
f64e68e09b
Merge pull request #120071 from johanot/ceph-16
ceph: 15.2.10 -> 16.2.1
2021-04-29 00:03:45 +01:00
Alyssa Ross
a8afbb45c1 treewide: use lib.warnIf where appropriate 2021-04-28 21:44:21 +00:00
Martin Weinelt
de5a69c918
nixos/promtail: Set TimeoutStopSec=10
On reboots and shutdowns promtail blocks for at least 90 seconds,
because it would still try to deliver log messages for loki, which isn't
possible when the network has already gone down.

Upstreams example unit also uses a ten seconds timeout, something which
has worked pretty well for me as well.
2021-04-28 21:02:11 +02:00
pennae
82931ea446 nixos/nix-containers: use SIGTERM to stop containers
systemd-nspawn can react to SIGTERM and send a shutdown signal to the container
init process. use that instead of going through dbus and machined to request
nspawn sending the signal, since during host shutdown machined or dbus may have
gone away by the point a container unit is stopped.

to solve the issue that a container that is still starting cannot be stopped
cleanly we must also handle this signal in containerInit/stage-2.
2021-04-28 14:07:35 +02:00
John Ericson
74f3ae80dc
Merge pull request #120439 from wamserma/arg-usage-release-nix
nixos: use supportedSystems instead of hardcoded list for netboot
2021-04-28 00:11:22 -04:00
Aaron Andersen
45eb9c21ee
Merge pull request #119672 from chessai/init-duckling-service
init duckling service
2021-04-27 20:58:28 -04:00
Samuel Dionne-Riel
1f4dedfa64
Merge pull request #120667 from samueldr/fix/grub1-test
nixosTests.installer: Fix grub1 test being unreliable
2021-04-27 19:32:13 -04:00
Izorkin
8723d226b4 nixos/mastodon: update SystemCallFilters 2021-04-28 00:44:25 +02:00
Vladimír Čunát
a4749b11d4
nixos/kresd.package: improve the generated docs 2021-04-27 21:38:30 +02:00
chessai
e47e2a1b9f init duckling service 2021-04-27 10:41:07 -07:00
talyz
1215bd4ea9
Revert "nixos/tests/gitlab: add 32 byte secrets"
This reverts commit d6e0d38b84.

We need shorter secrets to continue working, since the earlier
recommendation was too short and there's no way to rotate the them.
2021-04-27 18:08:59 +02:00
talyz
7a67a2d1a8
gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-04-27 17:49:43 +02:00
talyz
fb86d324d1
pipewire: Add update script 2021-04-27 16:50:22 +02:00