OVMF{,CODE,VARS}.fd are now available in a dedicated fd output, greatly
reducing the closure in the common case where only those files are used (a
few MBs versus several hundred MBs for the full OVMF).
Note: it's unclear why `dontPatchELF` is now necessary for the build to
pass (on my end, at any rate) but it doesn't make much sense to run this
fixup anyway,
Note: my reading of xen's INSTALL suggests that --with-system-ovmf should
point directly to the OVMF binary. As such, the previous invocation was
incorrect (it pointed to the root of the OVMF tree). In any case, I have
only built xen with `--with-system-ovmf`, I have not tested it.
Fixes https://github.com/NixOS/nixpkgs/issues/25854
Closes https://github.com/NixOS/nixpkgs/pull/25855
Without this change there will be silent errors when enabling screen
sharing. The GUI thinks it enables the service when it in fact does not
(errors are seen in the system journal).
vino is already in the closure of gnome-control-center, so this is
basically free.
Configuration of screen sharing is done in GNOME control center.
error now adds the zone file in the output which makes 'reasonable' debugging possible!
[root@nixdoc:~/nixpkgs_nsd]# nixos-rebuild -I nixpkgs=. switch
building Nix...
building the system configuration...
these derivations will be built:
/nix/store/318a7mhwlz1x0cy4hl1259n8x9z0jacy-nsd-env.drv
/nix/store/fnbhk8grwk7vfdk3gby49bv6kml8hjcc-unit-script.drv
/nix/store/xf80mq1f1c3pm37fci0vi5ixy4gb1rcp-unit-nsd.service.drv
/nix/store/bfmkkykqksmvkhvh3ppl36k86lbw9v4i-system-units.drv
/nix/store/ja97mwl2r0wdrxccl82dx8jln7jlmnyb-etc.drv
/nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv
building path(s) ‘/nix/store/sg7w3k6qg2yr02a0sbrgbv5yiqn9pzcq-nsd-env’
created 2 symlinks in user environment
checking zone files
|- checking zone '/nix/store/sg7w3k6qg2yr02a0sbrgbv5yiqn9pzcq-nsd-env/zones/lastlog.de.'
[2017-05-16 10:30:34.628] nsd-checkzone[27696]: error: lastlog.de.:17: syntax error
[2017-05-16 10:30:34.628] nsd-checkzone[27696]: error: lastlog.de.:17: unrecognized RR type 'lastlog'
zone lastlog.de. file lastlog.de. has 2 errors
builder for ‘/nix/store/318a7mhwlz1x0cy4hl1259n8x9z0jacy-nsd-env.drv’ failed with exit code 1
cannot build derivation ‘/nix/store/xf80mq1f1c3pm37fci0vi5ixy4gb1rcp-unit-nsd.service.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/bfmkkykqksmvkhvh3ppl36k86lbw9v4i-system-units.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/ja97mwl2r0wdrxccl82dx8jln7jlmnyb-etc.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv’: 1 dependencies couldn't be built
error: build of ‘/nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv’ failed
SSH expects a new line at the end of known_hosts file.
Without a new line the next entry goes on the same line
as the last entry in known_hosts causing errors.
printer driver and wrapper are often not written with security in mind.
While reviewing https://github.com/NixOS/nixpkgs/pull/25654 I found
a symlink-race vulnerability within the wrapper code, when writing
unique files in /tmp.
I expect this script to be reused in other models as well
as similar vulnerabilities in the code of other vendors. Therefore
I propose to make /tmp of cups.service private so that only processes
with the same privileges are able to access these files.
Since fat32 provides little recovery facilities after a crash,
it can leave the system in an unbootable state, when a crash/outage
happens shortly after an update. To decrease the likelihood of this
event sync the efi filesystem after each update.
Due the recent inclusion of broadcom-bt-firmware in enableAllFirmware,
it was required to set `nixpkgs.config.allowUnfree` to obtain the full
list. To make this dependency more explicit an assertion is added and an
alternative option `enableRedistributalFirmware` is provided to only
obtain firmware with an license allowing redistribution.
IPFS uses the environment variable IPFS_PATH to determine where to look for it's data, which wasn't set previously therefore ignoring the dataDir attribute
to /etc/dd-agent/conf.d by default, and make sure
/etc/dd-agent/conf.d is used.
Before NixOS 17.03, we were using dd-agent 5.5.X which
used configuration from /etc/dd-agent/conf.d
In NixOS 17.03 the default conf.d location is first used relative,
meaning that $out/agent/conf.d was used without NixOS overrides.
This change implements similar functionality as PR #25288, without
breaking backwards compatibility.
(cherry picked from commit 77c85b0ecb)
Provide the option forwardDns in virtualisation.xen.bridge, which
enables forwarding of DNS queries to the default resolver, allowing
outside internet access for the xen guests.
When you have a setup consisting of multiple monitors, the default is
that the first monitor detected by xrandr is set to the primary monitor.
However this may not be the monitor you need to be set as primary. In
fact this monitor set to primary may in fact be disconnected.
This has happened for the original submitter of the pull request and it
affected these programs:
* XMonad: Gets confused with Super + {w,e,r}
* SDDM: Puts the login screen on the wrong monitor, and does not
currently duplicate the login screen on all monitors
* XMobar: Puts the XMobar on the wrong monitor, as it only puts the
taskbar on the primary monitor
These changes should fix that not only by setting a primary monitor in
xrandrHeads but also make it possible to make a different monitor the
primary one.
The changes are also backwards-compatible.
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.
The rationale for this over simply setting the sysctl knob is to allow
some legitmate kernel module loading to occur; the naive solution breaks
too much to be useful.
The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session. This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).
From an aestethic point of view, enabling this option helps make the
configuration more "declarative".
Closes https://github.com/NixOS/nixpkgs/pull/24681
Use a solid black background when no background image (via
~/.background-image) is provided. In my case this fixes the really
strange behaviour when i3 without a desktop manager starts with the SDDM
login screen as background image.
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration. Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.
For background on virtual syscalls see https://lwn.net/Articles/446528/
Closes https://github.com/NixOS/nixpkgs/pull/25289
The xsession script was called with inconsistent (depending on the
display managers) and wrong parameters. The main reason for this where
the spaces the parameter syntax. In order to fix this the old syntax:
$1 = '<desktop-manager> + <window-manager>'
Will be replaced with a new syntax:
$1 = "<desktop-manager>+<window-manager>"
This assumes that neither "<desktop-manager>" nor "<window-manager>"
contain the "+" character but this shouldn't be a problem.
This patch also fixes the quoting by using double quotes (") instead of
single quotes (') [0].
Last but not least this'll add some comments for the better
understanding of the script.
[0]: https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1]. Consequently, we can no longer
responsibly support grsecurity on NixOS.
This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother. For 17.09 all of it should
probably be pruned.
[1]: https://grsecurity.net/passing_the_baton.php
The xen-bridge service accepts the option prefixLength, but does not
use it to set the actual netmask on the bridge. This commit makes
it set the correct netmask.
Right now the `programs.zsh.syntax-highlighting.highlighters` option
lacks appropriate validation which can cause confusing things when
mistyping a higlighter for zsh-syntax-highlighting.
Someone on IRC wanted to boot Fedora from another disk. While I'm not
too familiar with UEFI booting in conjunction with GRUB2 it took some
time to get it to work.
So in order to safe others from frustration I'm adding this as another
example to the extraEntries option.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
QEMU can allow guests to access more than one host core at a time.
Previously, this had to be done via ad-hoc arguments:
virtualisation.qemu.options = ["-smp 12"];
Now you can simply specify:
virtualisation.cores = 12;
It was asked by @CMCDragonkai to elaborate on that, so let's just do
this by actually providing a code comment.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Using invalid module options in the submodule isn't very nice, because
it doesn't give very useful errors in case of type mismatch, also we
don't get descriptions of these options as they're effecively
nonexistent to the module system. Another downside of this is that
merging of these options isn't done correctly as well (eg. for
types.lines).
So we now have proper submodules for each xrandrHead and we also use
corcedTo in the type of xrandrHeads so that we can populate the
submodule's "output" option in case a plain string is defined for a list
item.
Instead of silently skipping multiple primary heads, we now have an
assertion, which displays a message and aborts configuration evaluation
appropriately.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This changes much of the make-disk-image.nix logic (and thus most NixOS
image building) to use LKL to set up the target directory structure rather
than a Linux VM. The only work we still do in a VM is less IO-heavy stuff
that while still time-consuming, is less of the overall load. The goal is
to kill more of that stuff, but that will require deeper changes to NixOS
activation scripts and switch-to-configuration.pl, and I don't want to
bite off too much at once.
* programs.zsh: factor zsh-syntax-highlighting out into its own module
* programs.zsh.syntax-highlighting: add `highlighters` option
* programs.zsh: document BC break introduced by moving zsh-syntax-completion into its own module
The main change here is a patch of SLiM to tread a log file of
/dev/stderr specially in that it now uses std::cerr instead of a file
for logging.
This allows us to set the logfile to stderr in NixOS for the generated
SLiM configuration file and we now get logging to the systemd journal.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* programs.zsh: add enableOhMyZsh option to automate setup of oh-my-zsh in global zshrc
* programs.zsh: make oh-my-zsh plugins configurable
* programs.zsh: add ohMyZshCustom option
* programs.zsh: add ohMyZshTheme option
* programs.zsh: applying minor fixes to evaluate expressions properly
* programs.zsh: fix ordering of oh-my-zsh config and execution
* programs.zsh: move all oh-my-zsh params into its own scope named programs.zsh.oh-my-zsh
The idea is to provide a convenient way to enable most vanilla hardening
features in one go. The hardened profile, then, will serve as a place for
features that enhance security but cannot be enabled for all deployments
because they interfere with legitimate use cases (e.g., using ptrace to
debug problems in an already running process).
Closes https://github.com/NixOS/nixpkgs/pull/24680
This reverts commit 6b7c5ba535.
Unfortunately it seems like this broke slim, lightdm and gdm (see #25068
and #23264). This is already reverted in the 17.03 branch (99dfb6d).
TODO: We need tests for slim and lightdm and fix the test for gdm
(failing since 2016-10-26) to prevent such breakage in the future.
- adds distro dependency
- buildbot nodaemon in service module
- fakerepo for module tests
- service module parameter fixup
- tested on nixos
- tested on darwin
This has surfaced since d990aa7163.
The "simpleUefiGummiboot" installer test fails since this commit,
because that commit introduced a small check to verify whether the store
was altered.
While installing NixOS for the first time, the store is usually in
/mnt/nix/store and without the read-only bind mount that's preventing
programs from altering the store.
So after nixos-install is done creating the system closure and setting
it as the active system profile, the bootloader is written from the
closure inside the chroot. The systemd-boot-builder is invoked during
this step, which adds .pyc files for various Python modules of the
Python 3 store path, which in turn invalidates the hash of the Python 3
store path itself.
At the time the system is booted up again, the nix-store is verified and
fails with something like this:
path /nix/store/zvm545rqc4d97caqq9h7344bnd06jhzb-python3-3.5.3 was
modified! expected hash
b2c975f4b8d197443fbb09690fb3f6545e165dd44c9309d7d6df2fce0579ebeb, got
bccca19f39c9d26d857ccf1fb72818b2b817967e6d497a25a1283e36ed0acf01
Running the interpreter with the -B argument prevents Python from
writing those byte code files:
https://docs.python.org/3/using/cmdline.html#cmdoption-B
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit c2b56626f1.
It broke creating the manual. I suspect the descriptions are
auto-wrapped by <para> and </para>.
We've been through this already in 3af715af90.
/cc #24978, @zraexy, @Mic92.
The key distinction I'm drawing is that there's a component that deals
with the store of the machine being built, and another component for
the store building it. The inner part of it assumes nothing from the
builder (doesn't need chroot or root powers) so it can run comfortably
inside a Nix build, as well as nixos-rebuild. I have some upcoming work
that will use that to significantly speed up and streamline image builds
for NixOS, especially on virtualized hosts like EC2, but it's also a
reasonable speedup on native hosts.
bluez no longer recommends spawning "hciconfig <device> up" from a udev rule as
the main bluez daemon now supports automatically enabling power for all devices.
Reference: http://www.bluez.org/release-of-bluez-5-35/
This change fixes two major issues:
1. If you don't use SIGQUIT to stop Plex it will corrupt its own
database :(
2. Newer versions of Plex keep metadata in the
`com.plexapp.plugins.library.db` database. This is the file that
we copy into `/var/lib/plex/.skeleton`. If we copy the empty
database on top of this one the user will lose their entire
library metadata. This change skips the copy if the file
already exists.
This allows gitweb to expand '~' in /etc/gitconfig. Without a $HOME
variable, it fails to list any projects and instead show the text
"No such projects found" in the UI.
Setting $HOME to the gitweb project root seems like a sensible value.
