Commit graph

81359 commits

Author SHA1 Message Date
aszlig
ce0954020c
nixos/taskserver: Set allowedTCPPorts accordingly
As suggested by @matthiasbeyer:

"We might add a short note that this port has to be opened in the
firewall, or is this done by the service automatically?"

This commit now adds the listenPort to
networking.firewall.allowedTCPPorts as soon as the listenHost is not
"localhost".

In addition to that, this is now also documented in the listenHost
option declaration and I have removed disabling of the firewall from the
VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:16:15 +02:00
aszlig
5be76d0b55
nixos/taskserver: Reorder into one mkMerge
No changes in functionality but rather just restructuring the module
definitions to be one mkMerge, which now uses mkIf from the top-level
scope of the CA initialization service so we can better abstract
additional options we might need there.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:07:52 +02:00
aszlig
5062bf1b84
nixos/taskserver/helper: Assert CA existence
We want to make sure that the helper tool won't work if the automatic CA
wasn't properly set up. This not only avoids race conditions if the tool
is started before the actual service is running but it also fails if
something during CA setup has failed so the user can investigate what
went wrong.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:57:03 +02:00
aszlig
2ced6fcc75
nixos/taskserver: Setup CA before main service
We need to explicitly make sure the CA is created before we actually
launch the main Taskserver service in order to avoid race conditions
where the preStart phase of the main service could possibly corrupt
certificates if it would be started in parallel.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:53:53 +02:00
Franz Pletz
ef37c57e4e dfu-util: 0.8 -> 0.9 2016-04-12 04:28:50 +02:00
Franz Pletz
23ae6a10a9 wv: 1.2.4 -> 1.2.9 2016-04-12 04:28:50 +02:00
Franz Pletz
310f05ed9d libgsf: 1.14.34 -> 1.14.36 2016-04-12 04:28:50 +02:00
Franz Pletz
e32ed2f78e tmux: 2.1 -> 2.2 2016-04-12 04:26:24 +02:00
Franz Pletz
ecb94c61d4 charybdis: 3.5.0-rc1 -> 3.5.1 2016-04-12 04:26:13 +02:00
Franz Pletz
2a70630c8c libressl: 2.3 is the current stable branch
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.3-relnotes.txt
2016-04-12 04:25:53 +02:00
aszlig
9279ec732b
nixos/taskserver: Introduce an extraConfig option
This is simply to add configuration lines to the generated configuration
file. The reason why I didn't go for an attribute set is that the
taskdrc file format doesn't map very well on Nix attributes, for example
the following can be set in taskdrc:

server = somestring
server.key = anotherstring

In order to use a Nix attribute set for that, it would be way too
complicated, for example if we want to represent the mentioned example
we'd have to do something like this:

{ server._top = somestring;
  server.key = anotherstring;
}

Of course, this would work as well but nothing is more simple than just
appending raw strings.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:21:55 +02:00
aszlig
9f1e536948
nixos/taskserver: Allow to specify expiration/bits
At least this should allow for some customisation of how the
certificates and keys are created. We now have two sub-namespaces within
PKI so it should be more clear which options you have to set if you want
to either manage your own CA or let the module create it automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:14:33 +02:00
aszlig
a41b109bc1
nixos/taskserver: Don't change imperative users
Whenever the nixos-taskserver tool was invoked manually for creating an
organisation/group/user we now add an empty file called .imperative to
the data directory.

During the preStart of the Taskserver service, we use process-json which
in turn now checks whether those .imperative files exist and if so, it
doesn't do anything with it.

This should now ensure that whenever there is a manually created user,
it doesn't get killed off by the declarative configuration in case it
shouldn't exist within that configuration.

In addition, we also add a small subtest to check whether this is
happening or not and fail if the imperatively created user got deleted
by process-json.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 03:42:13 +02:00
Nikolay Amiantov
59bed14119 imgurbash2: init at 1.0; also drop imgurbash 2016-04-12 04:07:36 +03:00
Nikolay Amiantov
d2dba02a87 openmw: add meta.platforms 2016-04-12 03:57:42 +03:00
Ricardo Ardissone
c6cb8ebe01 openmw: 0.36.1 -> 0.38.0 2016-04-11 21:47:57 -03:00
aszlig
9586795ef2
nixos/taskserver: Silence certtool everywhere
We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 02:16:35 +02:00
Nikolay Amiantov
36a8c35461 ogrepaged: mark as broken 2016-04-12 03:12:49 +03:00
Nikolay Amiantov
1365492424 stuntrally: 2.5 -> 2.6, mark as broken 2016-04-12 03:09:44 +03:00
Nikolay Amiantov
6a5387e68c mygui: disable ogre by default 2016-04-12 03:09:11 +03:00
Nikolay Amiantov
c74e2b51e8 mygui: disable some components, support OpenGL renderer 2016-04-12 03:08:16 +03:00
Nikolay Amiantov
c322c042cf Merge commit 'refs/pull/14593/head' of git://github.com/NixOS/nixpkgs 2016-04-12 03:07:40 +03:00
aszlig
cfb6ce2abe
nixos/tests/taskserver: Make tests less noisy
We were putting the whole output of "nixos-taskserver export-user" from
the server to the respective client and on every such operation the
whole output was shown again in the test log.

Now we're *only* showing these details whenever a user import fails on
the client.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:49:47 +02:00
aszlig
7889fcfa41
nixos/taskserver/helper: Implement deletion
Now we finally can delete organisations, groups and users along with
certificate revocation. The new subtests now make sure that the client
certificate is also revoked (both when removing the whole organisation
and just a single user).

If we use the imperative way to add and delete users, we have to restart
the Taskserver in order for the CRL to be effective.

However, by using the declarative configuration we now get this for
free, because removing a user will also restart the service and thus its
client certificate will end up in the CRL.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:41:41 +02:00
Tobias Geerinckx-Rice
f019db633f
borgbackup: 1.0.0 -> 1.0.1
Changes: https://github.com/borgbackup/borg/blob/1.0.1/docs/changes.rst
2016-04-12 01:35:24 +02:00
Joachim Fasting
27035365ec build-support/grsecurity: simplify the grsecurityOverrider
Adding inputs required by gcc plugins to the ambient environment is sufficient.
2016-04-12 01:23:32 +02:00
Joachim Fasting
cee752b8e2 torbrowser: remove unnecessary stdenv override
Now that gcc = gcc5
2016-04-12 01:23:23 +02:00
joachifm
892dbdbabb Merge pull request #14608 from markus1189/sysdig
sysdig: 0.8.0 -> 0.9.0
2016-04-12 01:14:49 +02:00
aszlig
3008836fee
nixos/taskserver: Add a command to reload service
Unfortunately we don't have a better way to check whether the reload has
been done successfully, but at least we now *can* reload it without
figuring out the exact signal to send to the process.

Note that on reload, Taskserver will not reload the CRL file. For that
to work, a full restart needs to be done.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:04:34 +02:00
Tobias Geerinckx-Rice
ad794fed9c
{lib,pcman}fm: 1.2.3 -> 1.2.4 2016-04-11 23:39:47 +02:00
Tobias Geerinckx-Rice
06dceaa5b2
geoclue2: 2.4.2 -> 2.4.3 2016-04-11 23:39:47 +02:00
Tobias Geerinckx-Rice
d6c50706be
zpaq: 709 -> 710
Adds multi-part archives, -index. Some UI changes.
2016-04-11 23:39:47 +02:00
joachifm
2e2a87e57a Merge pull request #14376 from acowley/qhull
qhull: darwin compatibility
2016-04-11 23:17:20 +02:00
joachifm
b70f9dc172 Merge pull request #14353 from acowley/tbb
tbb: darwin compatibility
2016-04-11 23:15:31 +02:00
aszlig
b6643102d6
nixos/taskserver: Generate a cert revocation list
If we want to revoke client certificates and want the server to actually
notice the revocation, we need to have a valid certificate revocation
list.

Right now the expiration_days is set to 10 years, but that's merely to
actually get certtool to actually generate the CRL without trying to
prompt for user input.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 23:07:58 +02:00
aszlig
d0ab617974
nixos/taskserver: Constrain server cert perms
It doesn't do much harm to make the server certificate world readable,
because even though it's not accessible anymore via the file system,
someone can still get it by simply doing a TLS handshake with the
server.

So this is solely for consistency.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:59:30 +02:00
aszlig
6e10705754
nixos/taskserver: Handle declarative conf via JSON
We now no longer have the stupid --service-helper option, which silences
messages about already existing organisations, users or groups.

Instead of that option, we now have a new subcommand called
"process-json", which accepts a JSON file directly from the specified
NixOS module options and creates/deletes the users accordingly.

Note that this still has two issues left to solve in this area:

 * Deletion is not supported yet.
 * If a user is created imperatively, the next run of process-json will
   delete it once deletion is supported.

So we need to implement deletion and a way to mark organisations, users
and groups as "imperatively managed".

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:24:58 +02:00
aszlig
cf0501600a
nixos/taskserver/helper: Factor out program logic
The Click functions really are for the command line and should be solely
used for that.

What I have in mind is that instead of that crappy --service-helper
argument, we should really have a new subcommand that is expecting JSON
which is directly coming from the services.taskserver.organisations
module option.

That way we can decrease even more boilerplate and we can also ensure
that organisations, users and groups get properly deleted if they're
removed from the NixOS configuration.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:19:50 +02:00
Markus Hauck
f51f993be2 sysdig: 0.8.0 -> 0.9.0 2016-04-11 21:51:09 +02:00
Graham Christensen
43bf20def9 imagemagick: 8.9.2-0 -> 8.9.3-8 2016-04-11 14:47:16 -05:00
aszlig
7875885fb2
nixos/taskserver: Link to manual within .enable
With <olink/> support in place, we can now reference the Taskserver
section within the NixOS manual, so that users reading the manpage of
configuration.nix(5) won't miss this information.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 18:45:09 +02:00
aszlig
1d77dcaed3
nixos/doc: Allow refs from options to the manual
My first attempt to do this was to just use a conditional <refsection/>
in order to not create exact references in the manpage but create the
reference in the HTML manual, as suggested by @edolstra on IRC.

Later I went on to use <olink/> to reference sections of the manual, but
in order to do that, we need to overhaul how we generate the manual and
manpages.

So, that's where we are now:

There is a new derivation called "manual-olinkdb", which is the olinkdb
for the HTML manual, which in turn creates the olinkdb.xml file and the
manual.db. The former contains the targetdoc references and the latter
the specific targetptr elements.

The reason why I included the olinkdb.xml verbatim is that first of all
the DTD is dependent on the Docbook XSL sources and the references
within the olinkdb.xml entities are relative to the current directory.

So using a store path for that would end up searching for the manual.db
directly in /nix/store/manual.db.

Unfortunately, the <olinks/> that end up in the output file are
relative, so for example if you're clicking on one of these within the
PDF, the URL is searched in the current directory.

However, the sections from the olink's text are still valid, so we could
use an alternative URL for that in the future.

The manual doesn't contain any links, so even referencing the relative
URL shouldn't do any harm.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
2016-04-11 18:38:04 +02:00
Pascal Wittmann
a2aec04abc Merge pull request #14601 from NeQuissimus/slack203
slack: 2.0.1 -> 2.0.3
2016-04-11 18:25:29 +02:00
obadz
c3860bf008 haskellPackages.haste-compiler: fix build issue in #14581 2016-04-11 17:21:18 +01:00
Nikolay Amiantov
b3d3a1c7ea openscenegraph: enable parallel building 2016-04-11 18:34:15 +03:00
Tim Steinbach
0dfcc687be slack: 2.0.1 -> 2.0.3 2016-04-11 11:12:50 -04:00
Peter Simons
62baa5df29 Merge pull request #14581 from obadz/haste-compiler
haskellPackages.haste-compiler: fix so that it now builds and runs
2016-04-11 16:43:16 +02:00
Tobias Geerinckx-Rice
57ef1712e3
Substitute new GitHub username ‘timbertson’ for ‘gfxmonk’ 2016-04-11 16:35:18 +02:00
obadz
7f2163fc97 haskellPackages.haste-compiler: fix so that it now builds and runs
Required adding:
haskellPackages.haste-Cabal, and
haskellPackages.haste-cabal-install
2016-04-11 15:24:56 +01:00
Tobias Geerinckx-Rice
613cef6240
gup: 0.5.4 -> 0.5.5; use fetchFromGitHub 2016-04-11 16:21:12 +02:00