The nixbld group doesn't need read permission, it only needs write and
execute permission.
(cherry picked from commit 066758758e7c0768ff8da51d208cdae0f33b368c)
Rather than using openssl to hash the password at build time, and hence
leaving the plaintext password world-readable in the nix store, we can
instead hash the password in the nix expression itself using
builtins.hashString.
This patch resolves all uid/gid conflicts except for nobody/nogroup (seems
to make sense that these are the same).
All conflicts where determined mechanically, but resolutions were manual.
This patch also marks uids/gids with no corresponding group/user as "unused"
(aka. reserved).
Briefly,
- tss group conflicts with dhcpcd
The tss group id conflicts with dhcpcd: assign
a new number and add a corresponding tss user.
- elasticsearch uid conflicts with haproxy gid
- resolve firebird/munin conflict
- fix fourstorehttp{,d} typo
- fix ghostOne typo: the service module refers to gids.ghostone, so use that
in ids
- memcached uid conflicts with users gid
- nagios uid conflicts with disks gid
- nscd uid conflicts with wheel gid
- ntp uid conflicts with tty gid
- resolve postfix/postdrop id uid
- redis uid conflicts with keys gid
- sshd uid conflicts with kmem gid
- tcryptd uid conflicts with openldap gid
- unifi uid conflicts with docker gid
- uptimed uid conflicts with utmp gid
- zope2 uid conflicts with connman gid
- tomcat uid/gid mismatch
With the new evaluation of arguments, pkgs is now defined by the
configuration, which implies that option declaration with pkgs.lib
will cause an infinite loop.
Ideally the module system could be configured pretty much completely by
the contents of the modules themselves, so add comments about avoiding
complicating it further and possibly removing now-redundant
configurability from the existing interface.
This allows for module arguments to be handled modularly, in particular
allowing the nixpkgs module to handle the nixpkgs import internally.
This creates the __internal option namespace, which should only be added
to by the module system itself.
- forgotten mousepad update, including some wrapping magic
- dealing with panel plugins (either fix or mark as broken)
CC maintainer @AndersonTorres.
- remove some libxfcegui4 occurrences, as it's being phased out
- minor stuff
By making askPassword an option, desktop environment modules can
override the default x11_ssh_askpassword with their own equivalent for
better integration. For example, KDE 5 uses plasma5.ksshaskpass instead.
Major changes
- Port to systemd timers: for each archive configuration is created a
tarsnap@archive-name.timer which triggers the instanced service unit
- Rename the `config` option to `archives`
Minor/superficial improvements
- Restrict tarsnap service capabilities
- Use dirOf builtin
- Set executable bit for owner of tarsnap cache directory
- Set IOSchedulingClass to idle
- Humanize numbers when printing stats
- Rewrite most option descriptions
- Simplify assertion
Since we restart all active target units (of which there are many),
it's hard to see the units that actually matter. So don't print that
we're starting target units that are already active.
‘nixos-rebuild dry-activate’ builds the new configuration and then
prints what systemd services would be stopped, restarted etc. if the
configuration were actually activated. This could be extended later to
show other activation actions (like uids being deleted).
To prevent confusion, ‘nixos-rebuild dry-run’ has been renamed to
‘nixos-rebuild dry-build’.
Currently just makes sure that by default it's possible to open a
terminal.
And exactly this should be the main point that might confuse users of i3
in NixOS, because i3 doesn't print a warning/error if it is unable to
start the terminal emulator.
Thanks to @waaaaargh for reporting this issue.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.
If the host is shutting down, machinectl may fail because it's
bus-activated and D-Bus will be shutting down. So just send a signal
to the leader process directly.
Fixes#6212.
This was lost back in
ffedee6ed5. Getting this to work is
slightly tricky because ssh-agent runs as a user unit, and so doesn't
know the user's $DISPLAY.
* rewrite to systemd.services
* disable forking to give systemd better control
* verifiably run as ddclient user
* expose ssl option
* unset default value for dyndns server
* rename option "web" to "use" to be consistent with ddclient docs
* add descriptions
* add types to options
* clean up formatting
HAProxy fails to start with the default 'config'. Better disable it and
assert that the user provides a suitable 'config'. (AFAICS, there cannot
really be a default config file for HAProxy.)
The networkd implementation sets systemd.services.dhcpcd.enable to
false in nixos/modules/tasks/network-interfaces-systemd.nix. So we need
to respect that in the dhcpcd module.
If we don't, the resumeCommand is set nevertheless, which causes the
post-resume.service to fail after resuming:
Failed to reload dhcpcd.service: Unit dhcpcd.service is masked.
post-resume.service: main process exited, code=exited, status=1/FAILURE
Failed to start Post-Resume Actions.
Dependency failed for Post-Resume Actions.
Unit post-resume.service entered failed state.
post-resume.service failed.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Since Chromium version 42, we have a new user namespaces sandbox in the
upstream project. It's more integrated so the chrome://sandbox page
reports it as "Namespace Sandbox" instead of SUID sandbox, which we were
re-using (or abusing?) in our patch.
So if either "SUID Sandbox" or "Namespace Sandbox" reports with "Yes",
it's fine on our side.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Typical use:
nix.requireSignedBinaryCaches = true;
nix.binaryCachePublicKeys = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
(The public key of cache.nixos.org is included by default.)
Note that this requires Nix 1.9 and that most of cache.nixos.org
hasn't been signed yet.
Update chronos default port to match the one documented on
their website (http://airbnb.github.io/chronos). The one in
their repo (the current one) clashes with the marathon documented
one.
The Nixos Qemu VM that are used for VM tests can now start without
boot menu even when using a bootloader.
The Nixos Qemu VM with bootloader can emulate a EFI boot now.
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
Sawfish is a versatile, Lisp-based window manager
In that commit I include all Sawfish stack:
- librep, a lisp system;
- rep-gtk, bindings for gtk
- sawfish, the window manager
The PID 1 shell is executed as the last command in a sh invocation. Some
shells implicitly use exec for that, but the current busybox ash does not,
so the shell gets a wrong PID. Spell out the exec.
This test sometimes fails with
Kernel panic - not syncing: assertion "i && sym_get_cam_status(cp->cmd) == DID_SOFT_ERROR" failed: file "/tmp/nix-build-linux-3.14.32.drv-0/linux-3.14.32/drivers/scsi/sym53c8xx_2/sym_hipd.c", line 3399
after "sd 2:0:0:0: ABORT operation timed-out."
Since we don't care all that much about GRUB 1 anymore, don't make the
release depend on it.
http://hydra.nixos.org/build/19563197
When starting from a clean slate, the couchdb service fails.
First, the pre-start script fails because it tries to chown the uriFile,
which doesn't exist. It also doesn't ensure that the directory in which
the uriFIle is placed is writeable by couchdb, which could also cause
failure (though I didn't observe this).
Additionally, the log file's default location isn't a directory owned by
couchdb, nor is the file guaranteed to exist, nor is it guaranteed to be
chowned to the appropriate user. All of which can cause unexpected
failure.
As a bonus I made a small change in the description of the configFile
attribute, in the hopes of making it a little more obvious why it
existed.