Commit graph

11792 commits

Author SHA1 Message Date
(cdep)illabout
b0f10d2d53
cpufreq: add option for setting the cpu max and min frequencies
This adds a NixOS option for setting the CPU max and min frequencies
with `cpufreq`.  The two options that have been added are:

- `powerManagement.cpufreq.max`
- `powerManagement.cpufreq.min`

It also adds an alias to the `powerManagement.cpuFreqGovernor` option as
`powerManagement.cpufreq.governor`.  This updates the installer to use
the new option name.  It also updates the manual with a note about
the new name.
2019-01-01 19:18:12 +09:00
Frederik Rietdijk
c6e043d57c Remove composableDerivation, closes #18763 2018-12-30 12:33:45 +00:00
Silvan Mosberger
45c073e4da
Merge pull request #52930 from Ekleog/low-prio-syspath
system-path: set implicitly installed packages to be low-priority
2018-12-30 00:29:59 +01:00
Silvan Mosberger
070254317e
Revert "nixos/ddclient: make RuntimeDirectory and configFile private" 2018-12-29 16:53:43 +01:00
adisbladis
0ff4d0a516
fish: 2.7.1 -> 3.0.0 2018-12-28 21:23:24 +00:00
Dmitry Kalinkin
3edd5cb227
Merge pull request #51294 from eadwu/nvidia_x11/legacy_390
nvidia: expose nvidia_x11_legacy390
2018-12-27 09:08:53 -05:00
Joachim Fasting
ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting
e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting
84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Joachim Fasting
9db84f6fcd
nixos/security/misc: use mkMerge for easier extension 2018-12-27 15:00:46 +01:00
Léo Gaspard
fa98337a15
system-path: set implicitly installed packages to be low-priority
The aim is to minimize surprises: when the user explicitly installs a
package in their configuration, it should override any package
implicitly installed by NixOS.
2018-12-26 23:16:17 +09:00
Samuel Dionne-Riel
302d53df2b nixos/sd-image-aarch64-new-kernel: Added to release
This, paired with the previous commit, ensures the channel won't be held
back from a kernel upgrade and a non-building sd image, while still
having a new-kernel variant available.
2018-12-26 11:03:32 +00:00
Samuel Dionne-Riel
207210660f nixos/sd-image-aarch64: Configures it to use the default kernel 2018-12-26 11:03:32 +00:00
Dmitry Kalinkin
c7f26a34e8
Merge pull request #52896 from veprbl/pr/gmane_wo_net-snmp
treewide: Fix broken Gmane URLs
2018-12-25 22:55:03 -05:00
Craig Younkins
8b12b17df3
treewide: Fix broken Gmane URLs 2018-12-25 22:34:55 -05:00
worldofpeace
3f6c81da4d
Merge pull request #52592 from worldofpeace/geoclue/correct-sysconf
geoclue2: correct sysconfdir
2018-12-25 19:03:22 -05:00
worldofpeace
c65edd687f geoclue2: correct sysconfdir 2018-12-25 18:38:19 -05:00
Sander van der Burg
a27aa247c0
Merge pull request #50596 from svanderburg/mobile-updates
Mobile updates
2018-12-24 15:52:33 +01:00
zimbatm
d06f798ce7
Merge pull request #51566 from adisbladis/google-oslogin
GCE OSLogin module: init
2018-12-24 14:11:49 +01:00
msteen
8d217ede58 fix infinite recursion caused by the unnecessary inspection of options + fix is parent of mount point check (#51541) 2018-12-24 14:05:55 +01:00
Samuel Dionne-Riel
772759173d
Merge pull request #52721 from samueldr/aarch64/limited-support
Fixes eval issues in hydra by setting AArch64 as limited support
2018-12-23 13:28:22 -05:00
Jörg Thalheim
044ff3dc66
nixos/vdr: don't delete recordings 2018-12-23 18:54:39 +01:00
Jörg Thalheim
633bc1d09b
Merge pull request #52686 from Mic92/vdr
vdr: revisited version of https://github.com/NixOS/nixpkgs/pull/32050
2018-12-23 16:19:27 +01:00
Emery Hemingway
124d8ccc69
Add IPFS warning 2018-12-22 20:04:19 +01:00
Jörg Thalheim
45986ec587
nixos/vdr: create video directory automatically 2018-12-22 15:13:35 +01:00
Christian Kögler
dd3f755cf4
vdr: initial at 2.4.0 and nixos module
used same plugin mechanism as kodi does
2018-12-22 15:13:25 +01:00
worldofpeace
94af8ebde2 nixos/displayManager: only install wayland sessions if they exist in extraSessionFilePackages
Not everyone is using wayland just yet.
2018-12-22 01:15:09 -05:00
Samuel Dionne-Riel
1bfe8f189b nixos/release-combined.nix: makes aarch64-linux limited support
This is because it will not eval properly with `hydra-eval-jobs`.

```
$ ...hydra/result/bin/hydra-eval-jobs \
    --arg nixpkgs '{ outPath = ./.; revCount = 123; shortRev = "4567"; }' \
    -I "$PWD" \
    nixos/release-combined.nix
```

It fails with:

```
Too many heap sections: Increase MAXHINCR or MAX_HEAP_SECTS
```
2018-12-21 20:43:23 -05:00
Samuel Dionne-Riel
16316a1288 nixos/release-combined.nix: Adds missing aarch64 constituents
This will block channel advancing, even if it is limited support.
2018-12-21 20:28:04 -05:00
Florian Klink
3539f3875a release-notes/rl-1903: add security.googleOsLogin 2018-12-21 18:01:36 +01:00
Florian Klink
706efadcb6 nixos/modules/virtualisation/google-compute-config.nix: remove google-accounts-daemon
Use googleOsLogin for login instead.
This allows setting users.mutableUsers back to false, and to strip the
security.sudo.extraConfig.

security.sudo.enable is default anyhow, so we can remove that as well.
2018-12-21 17:52:37 +01:00
Florian Klink
0f46188ca1 nixos/tests: add google-oslogin test 2018-12-21 17:52:37 +01:00
Florian Klink
04f3562fc4 config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-21 17:52:37 +01:00
Florian Klink
c6de45c0d7 config.security.googleOsLogin: add module
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
profile during ssh authentication phase.
NSS Module to provide user and group information
PAM Module for the sshd service, providing authorization and
authentication support, allowing the system to use data stored in
Google Cloud IAM permissions to control both, the ability to log into
an instance, and to perform operations as root (sudo).
2018-12-21 17:52:37 +01:00
Florian Klink
be5ad774bf security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication) 2018-12-21 17:52:37 +01:00
Florian Klink
d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing it's 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Samuel Dionne-Riel
3c38cc8058
Merge pull request #51813 from samueldr/aarch64/disable-non-arm-builds-part-1
aarch64: ZHF for aarch64 (1/??)
2018-12-20 21:06:52 -05:00
Samuel Dionne-Riel
7b2b5b3f47
Merge pull request #52534 from samueldr/aarch64/supported
nixos/release-combined: adds aarch64-linux as supported
2018-12-20 20:58:59 -05:00
Sander van der Burg
e37f0454ac Remove relatedPackages to fix ofborg evaluation 2018-12-20 19:29:00 +01:00
Maximilian Bosch
87ebc2ad0b
Merge pull request #52345 from r-ryantm/auto-update/clickhouse
clickhouse: 18.14.9 -> 18.14.18
2018-12-20 18:48:37 +01:00
Michael Raskin
ede54f9144
Merge pull request #52379 from erikarvstedt/tesseract
Major tesseract improvements
2018-12-20 14:41:48 +00:00
Maximilian Bosch
64d05bbdd2
clickhouse: fix module and package runtime
Although the package itself builds fine, the module fails because it
tries to log into a non-existant file in `/var/log` which breaks the
service. Patching to default config to log to stdout by default fixes
the issue. Additionally this is the better solution as NixOS heavily
relies on systemd (and thus journald) for logging.

Also, the runtime relies on `/etc/localtime` to start, as it's not
required by the module system we set UTC as sensitive default when using
the module.

To ensure that the service's basic functionality is available, a simple
NixOS test has been added.
2018-12-20 13:03:41 +01:00
Jeremy Apthorp
654c3124b2
shairport-sync: don't daemonize
This flag causes the shairport-sync server to attempt to daemonize, but it looks like systemd is already handling that. With the `-d` argument, shairport-sync immediately exits—it seems that something (systemd I'm guessing?) is sending it SIGINT or SIGTERM.

The [upstream systemd unit](https://github.com/mikebrady/shairport-sync/blob/master/scripts/shairport-sync.service.in#L10) doesn't pass `-d`.
2018-12-19 22:37:25 -08:00
Samuel Dionne-Riel
42e7e39cd3 nixos/release-combined.nix: Filters failing tests
And filters out JDK which can't be built on aarch64-linux.
2018-12-19 22:28:10 -05:00
Samuel Dionne-Riel
8ab5ef773b nixos/release: build iso_minimal_new_kernel for aarch64-linux too 2018-12-19 13:10:48 -05:00
Samuel Dionne-Riel
36a0c13cf3 nixos/release-combined: adds aarch64-linux as supported
This was previously removed in 74c4e30842.

This will allow hydra to build iso and sd images for aarch64-linux, and
share a common channel with the x86-based platforms.
2018-12-19 12:57:17 -05:00
Erik Arvstedt
8d1ba999cb
tesseract: rename to tesseract4, add alias
This is more consistent with the naming of the most popular versioned pkgs.
2018-12-19 18:09:56 +01:00
Robert Schütz
52b1973283 home-assistant-cli: init at 0.3.0 2018-12-19 15:54:28 +01:00
Frederik Rietdijk
a06b90a7dc lapp: change postgresql version, fixes metrics 2018-12-19 10:04:00 +01:00
Maximilian Bosch
6c6341335b
nixos/test-driver: fix wording in error message about invalid node names
Since 113a6b9325 the test driver
explicitly ensures if the node names won't break the resulting Perl
script at runtime. This slightly improves the correctness of the error
message.
2018-12-18 23:46:54 +01:00