We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!
Fixes#5283.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I had to make several adjustments to make it work with nixos:
* Replace relative config file lookups with ENV variable.
* Modify gitlab-shell to not clear then environment when running
pre-receive.
* Modify gitlab-shell to write some environment variables into
the .authorized_keys file to make sure gitlab-shell reads the
correct config file.
* Log unicorn output to syslog.
I tried various ways of adding a syslog package but the bundler would
not pick them up. Please fix in a better way if possible.
* Gitlab-runner program wrapper.
This is useful to run e.g. backups etc. with the correct
environment set up.
This commit includes a patch to telepathy's derivation, written by
Lethalman. This patch makes public the Telepathy's dependency to
dbus_glib. This patch will become problematic with the next pkgconfig
upgrade but this upgrade should make the patch irrelevant. See these 2
links for more information:
- https://bugs.freedesktop.org/show_bug.cgi?id=15199
- https://bugzilla.redhat.com/show_bug.cgi?id=436773
Modified by Luca Bruno:
- Moved telepathy_idle to propagatedUserEnvPkgs
- Added myself to maintainers
- Enable parallel building
Now that https://github.com/OpenTSDB/opentsdb/issues/420 is resolved
we can use the official release tarball. This includes all third
party JARs, which vastly simplifies the build expression.
Since we're using HTTPS for the binary cache (introduced in faf0797) by
default, the binary cache should also be available during installation.
The file that is defined in SSL_CERT_FILE outside of the chroot is
copied over to /tmp/ca-cert.crt inside the chroot, so we have an
absolute path we can reference during nixos-install. However, this might
end up with the file not being cleaned up properly from outside of the
store, but neither would be /tmp/root so the cleanup issue needs to be
solved in another place (or commit to be more exact).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This small patch makes it possible to control java's truststore path through
the environment. This lets you add (system- or session-wide) CAs that should
be allowed by Java. Java users can still use -Djavax.net.ssl.truststore to
override the truststore set by JAVAX_NET_SSL_TRUSTSTORE.
Something like this can be used to build the truststore (in this example just
using the standard pkgs.cacert CA-bundle):
{
environment.variables.JAVAX_NET_SSL_TRUSTSTORE = "${
pkgs.runCommand "cacerts" {} ''
${pkgs.perl}/bin/perl \
${pkgs.path}/pkgs/development/compilers/openjdk/generate-cacerts.pl \
${pkgs.jre}/bin/keytool \
${pkgs.cacert}/etc/ca-bundle.crt
mv cacerts $out
''
}";
}
Ideally, the dependency on pkgs.cacert should also be removed from pkgs.openjdk
to avoid rebuilding java each time the standard CA-bundle changes. Something
along the example above must then be added to NixOS (however, it would be
nice to not depend on ${pkgs.jre}/bin/keytool to generate that environment
variable).
The current nixos module for VirtualBox unconditionally configures a vboxnet0
network interface at boot. This may be undesired, especially when the user wants
to manage network interfaces in a centralized manner.
- Create container nixos profile
- Create lxc-container nixos config using container nixos profile
- Docker nixos image, use nixos profile for its base config