* The module uses `stringSplit` but it should be `splitString`
* `rmilter` doesn't actually support binding to multiple sockets.
Therefore, bind to the last one specified if `socketActivation` is
`false`.
I also believe there is a bug in this module related to systemd
`ListenStream`. If `socketActivation` is true, Postfix gets
connection timeouts trying to connect to one of the `ListenStream`
inet addresses. I don't know enough about `ListenStream` passing
connections on to `fd:3` to understand what's going on.
These changes are in production (with `socketActivation = false`) via NixOps.
This `tsocks` wrapper leaks DNS requests to clearnet, meanwhile Tor comes with
`torsocks` which doesn't.
Previous commits to this file state that all of this still useful somehow.
Assuming that it's true, at least let's not confuse users with two different tools
and don't clash with the `tsocks` binary from nixpkgs by disabling this by default.
Run Firefox inside an XTerm, it doesn't crash mysteriously this way.
Also try opening developer tools and checking that Firefox doesn't
crash in the process.
This option was initially added to make it easier to use an
up-to-date list, but now that we always use an up-to-date list
from upstream, there's no point to the option.
From now on, you can either use a resolver listed by dnscrypt
upstream or a custom resolver.
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability. Until
17.09 we'll automatically translate these options into extraArgs
for convenience.
Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
* Moved the wordpress sources derivation to the attribute pkgs.wordpress. This
makes it easier to override.
* Also introduce the `package` option for the wordpress virtual host config which
defaults to pkgs.wordpress.
* Also fixed the test in nixos/tests/wordpress.nix.
The Infinality bytecode interpreter is removed in favor of the new v40 TrueType
interpreter. In the past, the Infinality interpreter provided support for
ClearType-style hinting instructions while the default interpreter (then v35)
provided support only for original TrueType-style instructions. The v40
interpreter corrects this deficiency, so the Infinality interpreter is no longer
necessary.
To understand why the Infinality interpreter is no longer necessary, we should
understand how ClearType differs from TrueType and how the v40 interpreter
works. The following is a summary of information available on the FreeType
website [1] mixed with my own editorializing.
TrueType instructions use horizontal and vertical hints to improve glyph
rendering. Before TrueType, fonts were only vertically hinted; horizontal hints
improved rendering by snapping stems to pixel boundaries. Horizontal hinting is
a risk because it can significantly distort glyph shapes and kerning. Extensive
testing at different resolutions is needed to perfect the TrueType
hints. Microsoft invested significant effort to do this with its "Core fonts for
the Web" project, but few other typefaces have seen this level of attention.
With the advent of subpixel rendering, the effective horizontal resolution of
most displays increased significantly. ClearType eschews horizontal hinting in
favor of horizontal supersampling. Most fonts are designed for the Microsoft
bytecode interpreter, which implements a compatibility mode with
TrueType-style (horizontal and vertical) instructions. However, applying the
full horizontal hints to subpixel-rendered fonts leads to color fringes and
inconsistent stem widths. The Infinality interpreter implements several
techniques to mitigate these problems, going so far as to embed font- and
glyph-specific hacks in the interpreter. On the other hand, the v40 interpreter
ignores the horizontal hinting instructions so that glyphs render as they are
intended to on the Microsoft interpreter. Without the horizontal hints, the
problems of glyph and kerning distortion, color fringes, and inconsistent stem
widths--the problems the Infinality interpreter was created to solve--simply
don't occur in the first place.
There are also security concerns which motivate removing the Infinality patches.
Although there is an updated version of the Infinality interpreter for FreeType
2.7, the lack of a consistent upstream maintainer is a security concern. The
interpreter is a Turing-complete virtual machine which has had security
vulnerabilities in the past. While the default interpreter is used in billions
of devices and is maintained by an active developer, the Infinality interpreter
is neither scrutinized nor maintained. We will probably never know if there are
defects in the Infinality interpreter, and if they were discovered they would
likely never be fixed. I do not think that is an acceptable situtation for a
core library like FreeType.
Dropping the Infinality patches means that font rendering will be less
customizable. I think this is an acceptable trade-off. The Infinality
interpreter made many compromises to mitigate the problems with horizontal
hinting; the main purpose of customization is to tailor these compromises to the
user's preferences. The new interpreter does not have to make these compromises
because it renders fonts as their designers intended, so this level of
customization is not necessary.
The Infinality-associated patches are also removed from cairo. These patches
only set the default rendering options in case they aren't set though
Fontconfig. On NixOS, the rendering options are always set in Fontconfig, so
these patches never actually did anything for us!
The Fontconfig test suite is patched to account for a quirk in the way PCF fonts
are named.
The fontconfig option `hintstyle` is no longer configurable in NixOS. This
option selects the TrueType interpreter; the v40 interpreter is `hintslight` and
the older v35 interpreter is `hintmedium` or `hintfull` (which have actually
always been the same thing). The setting may still be changed through the
`localConf` option or by creating a user Fontconfig file.
Users with HiDPI displays should probably disable hinting and antialiasing: at
best they have no visible effect.
The fontconfig-ultimate settings are still available in NixOS, but they are no
longer the default. They still work, but their main purpose is to set rendering
quirks which are no longer necessary and may actually be
detrimental (e.g. setting `hintfull` for some fonts). Also, the vast array of
font substitutions provided is not an appropriate default; the default setting
should be to give the user the font they asked for.
[1]. https://www.freetype.org/freetype2/docs/subpixel-hinting.html
Added extra config options to allow reading passwords from file rather
than the world-readable nix store.
The full config.json file is created at service startup.
Relevant to #18881
Newer versions of DNSCrypt proxy *can* cache lookups (via
plugin); make the wording more neutral wrt. why one might want
to run the proxy in a forwarding setup.
1) The forking behavior of `buildbot start` is temporarily broken for
mysterious reasons that I'm still looking into
2) Let systemd do the forking: no point in using two different process
startup wait loops
The nixbld group belongs to nix-daemon and you really don't want to be
in it. If you are in it, nix-daemon will kill your processes when you
least expect it :)
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available. We
filter mount syscalls to prevent the process from undoing the fs
isolation.
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.
We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...). Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
After the change of the bonding options, the examples were not quite correct.
The diff is over-the top because the new `let` needs everything indented.
Also add a small docstring to the `networkd` attr in the networking test.
Set `networking.networkmanager.wifi.macAddress` or `networking.networkmanager.ethernet.macAddress`
to one of these values to change your macAddress.
* "XX:XX:XX:XX:XX:XX": set the MAC address of the interface.
* "permanent": use the permanent MAC address of the device.
* "preserve": don’t change the MAC address of the device upon activation.
* "random": generate a randomized value upon each connect.
* "stable": generate a stable, hashed MAC address.
See https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/ for more information
Version 2.0.0 is installed as a separate package called "couchdb2".
When setting the config option "package" attribute to pkgs.couchdb2, a
corresponding service configuration will be generated. If a previous
1.6 installation exists, the databases can still be found on the local
port (default: 5986) and can be replicated from there.
Note that single-node or cluster setup still needs to be configured
manually, as described in
http://docs.couchdb.org/en/2.0.0/install/index.html.
We only care about /nix/store because its contents might be out of
sync with /nix/var/nix/db. Syncing other filesystems might cause
unnecessary delays or hangs (e.g. I encountered a case where an NFS
mount was taking a very long time to sync).
This is based on a prototype Nicolas B. Pierron worked on during a
discussion we had at FOSDEM.
A new version with a workaround for problems of the reverted original.
Discussion: https://github.com/NixOS/nixpkgs/commit/3f2566689
The implicit behavior of pulling it out of the classpath seemed not
to work properly and could be thrown off by other things on the
classpath also providing the properties file. This guarantees that
our settings stick.
We now make it happen later in the boot process so that multi-user
has already activated, so as to not run afoul of the logic in
switch-to-configuration.pl. It's not my favorite solution, but at
least it works. Also added a check to the VM test to catch the failure
so we don't break in future.
Fixes#23121
phpfpm currently uses `readFile` to read the php.ini file from the
phpPackage. This causes php to be build at evaluation time.
This eliminates the use of readFile and builds the php.ini at build
time.
This reverts commit 29caa185a7.
Not clear what the proper thing to do is. cf94cdb59b renders this
question mostly moot. Reverting before 17.03 branch to avoid a repeat
of #19054.
reason:
- We currently have an open discussion regarding a more modular
firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
leaving null makes future extension easier.
- the current default might not cover all use cases (different ssh port)
and might break setups, if applied blindly
This PR adds support for ```iio-sensor-proxy``` used by GNOME v3 and
others for reading data from the accelerometer, gps, compass and similar sensors
built into some relatively recent laptops.
Additionally, there is a NixOS module exposed via hardware.sensor.iio
for enabling services, udev rules and dbus services.
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
When dhcpcd instead of networkd is used, the network-online.target behaved
the same as network.target, resulting in broken services that need a working
network connectivity when being started.
This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
This makes make-disk-image.nix slightly more consistent with other image
builders we have. Unfortunately I duplicated some code in doing so, but
this is temporary duplication on the path to consolidating everything.
See https://github.com/NixOS/nixpkgs/issues/23052 for more details on that.
I'm also exposing the option in the amazon-image.nix maintainer module.
Using toJSON on a string value works because the allowed JSON escape
sequences is almost a subset of the systemd allowed escape sequences.
The only exception is `\/` which JSON allows but systemd doesn't.
Luckily this sequence isn't required and toJSON don't produce it making
the result valid for systemd consumption.
Examples of things that this fixes are environment variables with double
quotes or newlines.
Since systemd version 232 the install subcommand of bootctl opens the
loader.conf with fopen() modes "wxe", where the "e" stands for
exclusive, so the call will fail if the file exists.
For installing the boot loader just once this is fine, but if we're
using NIXOS_INSTALL_BOOTLOADER on a systemd where the bootloader is
already present this will fail.
Exactly this is done within the simpleUefiGummiboot installer test,
where nixos-install is called twice and thus the bootloader is also
installed twice, resulting in an error during the fopen call:
Failed to open loader.conf for writing: File exists
Removing the file prior to calling bootctl should fix this.
I've tested this using the installer.simpleUefiGummiboot test and it now
succeeds.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22925
This leads to the following error when trying to install a new machine
where the machine ID wasn't yet initialized during boot:
Failed to get machine did: No such file or directory
In addition this was also detected by the simpleUefiGummiboot installer
test.
So let's generate a fallback machine ID by using
systemd-machine-id-setup before actually running bootctl.
Tested this by running the installer.simpleUefiGummiboot test, it still
fails but not because of the machine ID.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22561
Add link to "Configuration" chapter from "Changing the Configuration" section.
Also, fix grammar error.
(cherry picked from commit a585f987fa32f2e81b3f273291971151c25f98b7)
This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.
The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.
If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This subtest actually serves two purposes:
1. Test manual PKI configuration
2. Test changing of configuration files
In order to only test manual PKI configuration it would have been enough
to just add another server with a manual config.
But as the switch from automatic PKI config to manual config is probably
one of the most fundamental changes in configuration, so it serves
*very* well to also check whether changes in the NixOS configuration
actually have an impact in the real system.
So instead of adding another server, we now create a dummy "newServer"
machine, which is the new configuration for "server" and use
switch-to-configuration to switch "server" to the config of "newServer".
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disavantage that
once we change the real configuration file the store path is also a
different one.
So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.
Another problem is that we only added the include directive on the first
initalization, so whenever there is *any* configuration change, it won't
affect anything.
We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.
This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.
Instead we now have an attribute set that is mapped down to
configuration options.
Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.
So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.
One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.
Another advantage is that we now have an uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The error message displays that a specific user doesn't exist in an
organisation, but uses the User object's name attribute to show which
user it was.
This is basically a very stupid chicken and egg problem and easily fixed
by using the user name provided on the command line.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
A long-time issue and one of the reasons I've never used that function
before. So let's remove that todo-comment and escape the contents
properly.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
reason: after the upgrade of iputils from 20151218 to 20161105
functionality of ping6 and tracepath6 was merged into ping and tracepath.
Ping is now mostly a drop-in replacment for ping6, except that selecting a
specific interface is done by encoding it into the address (ex.: fe80::1%eth0)
rather then specifing it with the `-I` flag.
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module module simplifies such a
configuration to simply:
programs.wireshark.enable = true;
The setuid wrapper is available for users in the 'wireshark' group.
Changes v1 -> v2:
- add "defaultText" to the programs.wireshark.package option (AFAIK,
that prevents the manual from being needlessly rebuilt when the
package changes)
Since the bonds interface changed to a lot more possible values we create a
mapping of kernel bond attribute names and values to networkd attributes.
Those match for the most part, but have to transformed slightly.
There is also an assert that unknown options won’t slip through silently.
Until now the four attributes available very selectively provided a small
subset, while copying upstream documentation.
We make driver options an arbitrary key-value set and point to kernel
documentation, which is always up-to-date. This way every option can be set.
The four already existing options are deprecated with a warning.