Commit graph

8234 commits

Author SHA1 Message Date
Pascal Bach
c68118ce65 glusterfs service: add support for TLS communication
TLS settings are implemented as submodule.
2017-09-17 18:53:14 +02:00
Antoine Eiche
ea6d37c2bb dockerTools.pullImage: release note regarding sha256 argument value 2017-09-17 08:26:02 +01:00
aszlig
3ba2095a42
nixos/dovecot: Fix createMailUser implementation
This option got introduced in 7904499542
and it didn't check whether mailUser and mailGroup are null, which they
are by default.

Now we're only creating the user if createMailUser is set in conjunction
with mailUser and the group if mailGroup is set as well.

I've added a NixOS VM test so that we can verify whether dovecot works
without any additional options set, so it serves as a regression test
for issue #29466 and other issues that might come up with future changes
to the Dovecot service.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #29466
Cc: @qknight, @abbradar, @ixmatus, @siddharthist
2017-09-17 04:57:20 +02:00
Joachim F
8ceb209830 Merge pull request #29462 from joachifm/trivial-misc-tests
nixos/tests: move kernel-params & sysctl test to misc
2017-09-16 19:51:58 +00:00
Jaka Hudoklin
1adaad1371 Merge pull request #28927 from xtruder/nixos/logkeys/init
logkeys module: init
2017-09-16 16:23:13 +02:00
Joachim F
c0616a3234 Merge pull request #28892 from ryantm/matterbridge2
matterbridge, modules/matterbridge: init at 1.1.0
2017-09-16 12:43:35 +00:00
Joachim Fasting
586d04c588
nixos/tests: expand hardened tests 2017-09-16 13:14:07 +02:00
Matt McHenry
cfbac1beb4 systemd: better document enabled, wantedBy, and requiredBy (#29453)
the systemd.unit(5) discussion of wantedBy and requiredBy is in the
[Install] section, and thus focused on stateful 'systemctl enable'.
so, clarify that in NixOS, wantedBy & requiredBy are still what most
users want, and not to be confused with enabled.
2017-09-16 12:48:16 +02:00
Joachim Fasting
e05459584e
nixos/release-combined: remove basic kernel tests
Arguably, breaking linux-latest should not block a release.  Also, booting
the kernel + basic sanity checking is implicitly exercised by every other
vm test.
2017-09-16 12:45:30 +02:00
Joachim Fasting
ffd56ba4f6
nixos/tests: move kernel-params test to misc 2017-09-16 12:45:28 +02:00
Joachim Fasting
c85cf60c83
nixos/tests: move sysctl test to misc 2017-09-16 12:45:23 +02:00
Silvan Mosberger
fea9e081a9
namecoin service: fix typo 2017-09-15 23:08:53 +02:00
Tuomas Tynkkynen
c8e7aab0c8 sd-image-aarch64: Increase CMA memory so RPi3 virtual console works again 2017-09-15 23:15:16 +03:00
Bjørn Forsman
6b7a9376f1 nixos/wpa_supplicant: use literalExample
For various reasons, big Nix attrsets look ugly in the generated manual
page[1]. Use literalExample to fix it.

[1] Quotes around attribute names are lost, newlines inside multi-line
strings are shown as '\n' and attrs written on multiple lines are joined
into one.
2017-09-15 20:27:48 +02:00
joachim schiele
7904499542 dovecot2: added quota, changed pop3 default 2017-09-15 18:01:29 +02:00
Jörg Thalheim
1ecf3e862f zfsUnstable: init at 2017-09-12 2017-09-15 17:59:37 +02:00
Jörg Thalheim
7d5633ea7a Merge pull request #27342 from lheckemann/installer-changes
Installer changes
2017-09-15 16:19:11 +01:00
Eelco Dolstra
6dad1f70ce
nix: 1.11.14 -> 1.11.15 2017-09-15 16:38:33 +02:00
Rob Vermaas
0783efb41c
google-instance-setup: add openssh to path 2017-09-15 10:43:09 +00:00
aszlig
b5fbb4f362
nixos/tests/acme: Use overridePythonAttrs
Quoting from @FRidh:

  Note overridePythonAttrs exists since 17.09. It overrides the call to
  buildPythonPackage.

While it's not strictly necessary to do this, because postPatch ends up
in drvAttrs anyway, it's probably better to use overridePythonAttrs so
we don't run into problems when the underlying implementation of
buildPythonPackage changes.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-14 23:18:52 +02:00
Peter Hoeg
4b78d44ab6 mtr nixos module: wrap the proper binary 2017-09-14 19:09:54 +08:00
Jörg Thalheim
bb5b084986 tor: skip ControlPort in torrc, if not set. 2017-09-13 23:33:46 +01:00
Tuomas Tynkkynen
0c368ef02f treewide: Escape backslash in strings properly
"\." is apparently the same as "." wheras the correct one is "\\."
2017-09-14 01:03:39 +03:00
aszlig
01fffd94e5
nixos/tests/acme: Patch certifi with cacert
Since 67651d80bc the requests package now
depends on certifi, which in turn provides the CA root certificates that
we need to replace.

It might also be a good idea to actually patch certifi with our version
of cacert by default so that if we want to override and/or add something
we only need to do it once.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @fpletz, @k0ral, @FRidh
2017-09-13 23:16:43 +02:00
aszlig
bda38317eb
nixos/tests/letsencrypt: Fix nginx options
The enableSSL option has been deprecated in
a912a6a291, so we switch to using onlySSL.

I've also explicitly disabled enableACME, because this is the default
and we don't actually want to have ACME enabled for a host which runs an
actual ACME server.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:40 +02:00
aszlig
11b3ae74e1
nixos/tests: Add a basic test for ACME
The test here is pretty basic and only tests nginx, but it should get us
started to write tests for different webservers and different ACME
implementations.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:37 +02:00
aszlig
b3162a1074
nixos/tests: Add common modules for letsencrypt
These modules implement a way to test ACME based on a test instance of
Letsencrypt's Boulder service. The service implementation is in
letsencrypt.nix and the second module (resolver.nix) is a support-module
for the former, but can also be used for tests not involving ACME.

The second module provides a DNS server which hosts a root zone
containing all the zones and /etc/hosts entries (except loopback) in the
entire test network, so this can be very useful for other modules that
need DNS resolution.

Originally, I wrote these modules for the Headcounter deployment, but
I've refactored them a bit to be generally useful to NixOS users. The
original implementation can be found here:

https://github.com/headcounter/deployment/tree/89e7feafb/modules/testing

Quoting parts from the commit message of the initial implementation of
the Letsencrypt module in headcounter/deployment@95dfb31110:

    This module is going to be used for tests where we need to
    impersonate an ACME service such as the one from Letsencrypt within
    VM tests, which is the reason why this module is a bit ugly (I only
    care if it's working not if it's beautiful).

    While the module isn't used anywhere, it will serve as a pluggable
    module for testing whether ACME works properly to fetch certificates
    and also as a replacement for our snakeoil certificate generator.

Also quoting parts of the commit where I have refactored the same module
in headcounter/deployment@85fa481b34:

    Now we have a fully pluggable module which automatically discovers
    in which network it's used via the nodes attribute.

    The test environment of Boulder used "dns-test-srv", which is a fake
    DNS server that's resolving almost everything to 127.0.0.1. On our
    setup this is not useful, so instead we're now running a local BIND
    name server which has a fake root zone and uses the mentioned node
    attribute to automatically discover other zones in the network of
    machines and generate delegations from the root zone to the
    respective zones with the primaryIPAddress of the node.

    ...

    We want to use real letsencrypt.org FQDNs here, so we can't get away
    with the snakeoil test certificates from the upstream project but
    now roll our own.

    This not only has the benefit that we can easily pass the snakeoil
    certificate to other nodes, but we can (and do) also use it for an
    nginx proxy that's now serving HTTPS for the Boulder web front end.

The Headcounter deployment tests are simulating a production scenario
with real IPs and nameservers so it won't need to rely on
networking.extraHost. However in this implementation we don't
necessarily want to do that, so I've added auto-discovery of
networking.extraHosts in the resolver module.

Another change here is that the letsencrypt module now falls back to
using a local resolver, the Headcounter implementation on the other hand
always required to add an extra test node which serves as a resolver.

I could have squashed both modules into the final ACME test, but that
would make it not very reusable, so that's the main reason why I put
these modules in tests/common.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:33 +02:00
Robin Gloster
f5e0e94b2a
nixos/redmine: fix create role
postgresql create role no longer supports NOCREATEUSER option. See
https://www.postgresql.org/docs/9.6/static/release-9-6.html for
details.
2017-09-13 21:55:50 +02:00
Joachim F
c9200f8d9c Merge pull request #28874 from ryantm/mattermost
nixos/mattermost: fix create role
2017-09-13 19:41:25 +00:00
Jörg Thalheim
13edd9765a Merge pull request #29125 from geistesk/firehol-3.1.4
firehol: init at 3.1.4, iprange: init at 1.0.3
2017-09-13 18:10:22 +01:00
Vladimír Čunát
97ac29cafc
hpsa service: fallout from #28557 merge and revert 2017-09-13 07:55:48 +02:00
Vladimír Čunát
422adc3063
Merge branch 'staging'
10k staging builds are not yet finished on Hydra (mostly darwin),
but we now have a 20k jobs rebuilding directly on master, so we would
never get to merge this way...
2017-09-12 19:17:52 +02:00
Jörg Thalheim
39e327eeb5 nixos/openafs-client: update cellServDB 2009-06-29 -> 2017-03-14 2017-09-12 13:12:41 +01:00
Bjørn Forsman
6b9ee30672 nixos/gitolite: don't leak nix store hash into gitolite-admin username/key
It doesn't look good when the initial admin user is named
"<hash>-gitolite-admin" and the key stored as
"<hash>-gitolite-admin.pub". Instead, make it simply "gitolite-admin"
and "gitolite-admin.pub".
2017-09-12 10:56:11 +02:00
Edward Tjörnhammar
847ce53ab1
nixos, i2pd: nat option, default true 2017-09-12 10:13:29 +02:00
Jörg Thalheim
26619935d1 Merge pull request #29083 from timor/physlock-11-dev
physlock: 0.5 -> 11-dev
2017-09-12 08:56:52 +01:00
Jörg Thalheim
ebc1127cb9 Merge pull request #29247 from pvgoran/gitolite-RequiresMountsFor
nixos/gitolite: add RequiresMountsFor unit option
2017-09-12 08:02:51 +01:00
Bjørn Forsman
fc02a0265a nixos/samba: remove space in "[ global ]" heading
Use consistent no-space style. (All documentation I've seen use no
space, and the generated section headings from the NixOS module also use
no space.)
2017-09-12 08:03:14 +02:00
Frederik Rietdijk
628b6c0e9d Merge remote-tracking branch 'upstream/master' into HEAD 2017-09-11 22:52:53 +02:00
pvgoran
4c4f73c0eb services.gitolite: Add RequiresMountsFor unit option ...
... to ensure that the filesystem where `dataDir` resides is mounted when we do initialization or upgrade.
2017-09-12 02:03:51 +07:00
Pascal Bach
334e23d244 nixos/prometheus-collectd-exporter: init module (#29212)
* prometheus-collectd-exporter service: init module

Supports JSON and binary (optional) protocol
of collectd.

* nixos/prometheus-collectd-exporter: submodule is not needed for collectdBinary
2017-09-11 19:17:00 +01:00
lewo
3a377e26b2 nixos/nova-image: cleanup image builders (#29242)
There are currently two ways to build Openstack image. This just picks
best of both, to keep only one!

- Image is resizable
- Cloudinit is enable
- Password authentication is disable by default
- Use the same layer than other image builders (ec2, gce...)
2017-09-11 17:33:33 +01:00
Robert
1b1fc65505 NixOS Manual: document assertions and warnings (#29206)
* NixOS Manual: document assertions and warnings

* NixOS manual: re-wrap assertions text
2017-09-11 17:12:50 +01:00
Vladimír Čunát
d6f9c0b353
nixos tests: restrict sysctl and plasma5 to x86_64-linux
- sysctl is new and never succeeded on i686-linux
  > cannot stat /proc/sys/net/core/bpf_jit_enable: No such file or directory
- testing plasma5 on i686 would defeat part of the reason why we ended
  supporting i686 (lots of stuff built on Hydra)
2017-09-11 07:35:19 +02:00
timor
ae87a30a83 physlock: 0.5 -> 11-dev
Update physlock to a more current version which supports PAM and
systemd-logind.  Amongst others, this should work now with the slim
login manager without any additional configuration, because it does
not rely on the utmp mechanism anymore.
2017-09-10 22:43:05 +02:00
Thomas Bach
4d101993bf manual: reworked submodule section for better readability
The section was strange to read, as the initial example already used
`listOf' which is mentioned in the very first paragraph. Then you read
in a subsection about `listOf' and the exact same example is given
once again.
2017-09-10 20:51:50 +02:00
Thomas Bach
f37a1e155e manual: fixed remaining placeholder literal 2017-09-10 20:51:50 +02:00
Thomas Bach
572726a570 manual: name' is not an argument for mkOption' 2017-09-10 20:51:50 +02:00
Ryan Mulligan
9c786d82f2 matterbridge, modules/matterbridge: init at 1.1.0 2017-09-10 08:57:28 -07:00
Jörg Thalheim
7641d0e335 Merge pull request #29171 from vaibhavsagar/znc-open-firewall
znc: open firewall with configured port
2017-09-10 14:34:29 +01:00