Commit graph

13014 commits

Author SHA1 Message Date
Silvan Mosberger
508fd8f133
Merge pull request #55413 from msteen/bitwarden_rs
bitwarden_rs: init at 1.8.0
2019-04-24 00:25:08 +02:00
Matthijs Steen
ef1a43030b nixos/bitwarden_rs: init 2019-04-23 23:46:57 +02:00
Silvan Mosberger
ca37c23f91
Merge pull request #58096 from pacien/tedicross-init
tedicross: init at 0.8.7
2019-04-23 23:14:22 +02:00
pacien
d3423dd5c2 nixos/tedicross: add module 2019-04-23 22:52:23 +02:00
Jörg Thalheim
d43dc68db3
nixos/openldap: make rootpw option optional
This allows to store passwords in external files outside of the world-readable
nix store.
2019-04-23 16:35:33 +01:00
Janne Heß
5fbf306760 nixos/icingaweb2: Fix environment.etc assignment 2019-04-23 14:04:40 +02:00
ajs124
3e32e150cb nixos/ejabberd: migrate to tmpfiles, drop runit 2019-04-23 14:00:49 +02:00
Dan Elkouby
83c9b6ee39 nginx: use fullchain.pem for ssl_trusted_certificate
Some ACME clients do not generate full.pem, which is the same as
fullchain.pem + the certificate key (key.pem), which is not necessary
for verifying OCSP staples.
2019-04-23 12:33:19 +03:00
markuskowa
d0e70ac2d3
Merge pull request #60010 from JohnAZoidberg/https-urls
HTTPS urls
2019-04-22 23:37:07 +02:00
Daniel Schaefer
92cccb6f83 treewide: Use HTTPS for readthedocs URLs 2019-04-22 20:46:18 +02:00
Samuel Dionne-Riel
8a74ebeb01
nixos/virtualbox: Fixes configuration to evaluate
Fixes issue introduced by #57557
2019-04-22 11:22:00 -04:00
Aaron Andersen
c3f69d1373
Merge pull request #59381 from aanderse/automysqlbackup
automysqlinit: init at 3.0_rc6
2019-04-22 08:30:23 -04:00
Joachim Fasting
b33da46a8e
nixos/hardened: split description of allowUserNamespaces into paras 2019-04-21 13:11:25 +02:00
mlvzk
113bb0a7e9 nixos/display-managers/startx: fix typos for startx option description
`~/.xinintrc` => `~/.xinitrc`
`autmatically` => `automatically`
2019-04-21 07:46:37 +00:00
Samuel Dionne-Riel
429e554714 nixos/virtualbox: Fixes configuration to evaluate
Fixes issue introduced by #57557
2019-04-20 23:04:13 -04:00
Matthew Bauer
2a8ca24215
Merge pull request #59435 from furrycatherder/fix-tarball
nixos: fix system-tarball
2019-04-20 20:58:42 -04:00
Léo Gaspard
451961ead2
Merge pull request #59880 from florianjacob/matrix-synapse-identity-servers
nixos/matrix-synapse: correct trusted_third_party_id_servers default
2019-04-21 02:41:21 +02:00
Matthew Bauer
799fa4d404 Merge remote-tracking branch 'origin/master' into staging 2019-04-20 19:31:35 -04:00
Aaron Andersen
4a11ce7f26
cleanup redundant text in modules utilizing mkEnableOption
Closes #59911
2019-04-20 14:44:02 +02:00
Reno Reckling
abf60791e2 nixos/modules/networking/wg-quick Add wg-quick options support
This is an implementation of wireguard support using wg-quick config
generation.

This seems preferrable to the existing wireguard support because
it handles many more routing and resolvconf edge cases than the
current wireguard support.

It also includes work-arounds to make key files work.

This has one quirk:
We need to set reverse path checking in the firewall to false because
it interferes with the way wg-quick sets up its routing.
2019-04-20 14:02:54 +02:00
Jan Tojnar
d3259ed673
Merge branch 'master' into staging 2019-04-20 12:49:01 +02:00
Matthew Bauer
c1fd154fb6
Merge pull request #57557 from matthewbauer/ova-swap
nixos/virtualbox: add swap file
2019-04-19 10:17:36 -04:00
Matthew Bauer
dbc4543812 nixos/virtualbox: add swap file
Puts 2G swap in /var/swap of OVA. This serves as backup when you hit
the memory cap for the image.

Fixes #57171 and fixes #22696
2019-04-19 10:15:48 -04:00
ajs124
2b84c8d560 nixos/ejabberd: add basic test 2019-04-19 12:44:43 +02:00
Florian Jacob
34aa25b8dc nixos/matrix-synapse: correct trusted_third_party_id_servers default
the servers are equivalent and synchronized, but Riot defaults to use vector.im
Source: https://github.com/matrix-org/synapse/blob/v0.99.3/docs/sample_config.yaml#L701
2019-04-19 11:54:06 +02:00
AmineChikhaoui
548932640b
ec2-amis.nix: add 19.03 amis 2019-04-18 23:07:14 -04:00
Aaron Andersen
3464b50c61
Merge pull request #59389 from aanderse/issue/53853-1
replace deprecated usage of PermissionsStartOnly (part 1)
2019-04-18 20:46:28 -04:00
markuskowa
dac0051e60
Merge pull request #59188 from gnidorah/maxx
maxx: 1.1.0 -> 2.0.1
2019-04-18 21:48:01 +02:00
Linus Heckemann
42c107c2aa
Merge pull request #49537 from mayflower/stage1-symlink-fix
nixos stage-1: fix init existence test
2019-04-18 17:59:08 +02:00
Pierre Bourdon
5d2bb3d715 nixos/stage-1: "find-libs" shell script is for the host 2019-04-18 15:02:51 +02:00
Bas van Dijk
cccc7a93d2
Merge pull request #59828 from basvandijk/prometheus-refactoring
nixos/prometheus: refactored & added more missing options
2019-04-18 13:43:53 +02:00
Bas van Dijk
cdd82681b3 nixos/prometheus: add more missing options 2019-04-18 12:53:13 +02:00
Bas van Dijk
285fd3c05a nixos/prometheus: abstract over optional option creation 2019-04-18 11:55:43 +02:00
Domen Kožar
9bc23f31d2
Merge pull request #48337 from transumption/201810/nginx-etag
nginx: if root is in Nix store, use path's hash as ETag
2019-04-18 16:41:49 +07:00
aszlig
d533285224
nixos/tests/nginx: Add subtest for Nix ETag patch
This is to make sure that we get different ETag values whenever we
switch to a different store path but with the same file contents.

I've checked this against the old behaviour without the patch and it
fails as expected.

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-18 09:41:13 +02:00
Frederik Rietdijk
2346182c2c Merge staging-next into staging 2019-04-18 08:26:30 +02:00
ajs124
e03932bbca xmpp-sendmessage: init script file, use in prosody test 2019-04-17 23:36:07 +02:00
worldofpeace
7abeda982a gnome3.gsettings-desktop-schemas -> gsettings-desktop-schemas
gnome3.pomodoro is left out because I don't want to create a conflict.
2019-04-17 13:39:23 -04:00
Robin Gloster
b278cd86e1
Merge branch 'master' into kube-apiserver-preferred-address-types 2019-04-17 16:40:06 +00:00
Robin Gloster
44afc81af1
Merge pull request #57693 from mayflower/kube-apiserver-proxy-client-certs
nixos/kubernetes: Add proxy client certs to apiserver
2019-04-17 16:38:51 +00:00
Robin Gloster
7dc6e77bc2
Merge pull request #56789 from mayflower/upstream-k8s-refactor
nixos/kubernetes: stabilize cluster deployment/startup across machines
2019-04-17 16:37:58 +00:00
Bas van Dijk
55ef5d4246 nixos/prometheus: set optional attributes to type types.nullOr
This makes sure that when a user hasn't set a Prometheus option it
won't show up in the prometheus.yml configuration file. This results
in smaller and easier to understand configuration files.
2019-04-17 14:49:09 +02:00
Bas van Dijk
57e5b75f9c nixos/prometheus: filter out the _module attr in a central place
We previously filtered out the `_module` attribute in a NixOS
configuration by filtering it using the option's `apply` function.

This meant that every option that had a submodule type needed to have
this apply function. Adding this function is easy to forget thus this
mechanism is error prone.

We now recursively filter out the `_module` attributes at the place we
construct the Prometheus configuration file. Since we now do the filtering
centrally we don't have to do it per option making it less prone to errors.
2019-04-17 14:08:16 +02:00
Joachim F
d7da5e2af2
Merge pull request #53826 from delroth/randstruct-custom-seed
nixos: allow customizing the kernel RANDSTRUCT seed
2019-04-16 17:49:19 +00:00
Bas van Dijk
a913d0891c nixos/prometheus: filter out empty srcape_configs attributes
This results in a smaller prometheus.yml config file.

It also allows us to use the same options for both prometheus-1 and
prometheus-2 since the new options for prometheus-2 default to null
and will be filtered out if they are not set.
2019-04-16 16:06:11 +02:00
Bas van Dijk
a23db5db08 nixos/prometheus: add new ec2_sd_config options for prometheus2 2019-04-16 16:04:33 +02:00
Andrew Childs
ad7e232f88 nixos/prometheus: add ec2_sd_configs section to scrape_configs 2019-04-16 13:43:52 +02:00
Bas van Dijk
e7fadde7a7 nixos/doc: remove prometheus2 notes from the 19.09 release notes
prometheus2 has been backported to 19.03 so it won't be new for 19.09.
2019-04-16 09:47:45 +02:00
Bas van Dijk
d1940beb3a nixos/prometheus/pushgateway: add module and test 2019-04-16 08:09:38 +02:00
Aaron Andersen
5f4df8e509 automysqlinit: init at 3.0_rc6 2019-04-15 21:51:55 -04:00
worldofpeace
2d6247a414 gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon
From gkd-capability.c:

This program needs the CAP_IPC_LOCK posix capability.
We want to allow either setuid root or file system based capabilies
to work. If file system based capabilities, this is a no-op unless
the root user is running the program. In that case we just drop
capabilities down to IPC_LOCK. If we are setuid root, then change to the
invoking user retaining just the IPC_LOCK capability. The application
is aborted if for any reason we are unable to drop privileges.
2019-04-15 14:59:56 -04:00
worldofpeace
27ac8cb2c4
Merge pull request #59185 from worldofpeace/glib-networking
nixos/glib-networking: init
2019-04-15 13:17:58 -04:00
worldofpeace
7802b18958 nixos/pantheon: use glib-networking module 2019-04-15 13:11:58 -04:00
Eelco Dolstra
5399f34ad9
nix: 2.2 -> 2.2.2 2019-04-15 19:06:57 +02:00
worldofpeace
b0e9f85f47 nixos/glib-networking: init
Note that we were previously didn't have glib-networking
in systemd.packages so the PacRunner was non-functional.
2019-04-15 13:04:06 -04:00
adisbladis
9a176d669a
nixos/tox-node: Add descriptions to module options.
Missing these broke the tarball build
https://hydra.nixos.org/build/92258938/nixlog/1
2019-04-15 17:11:10 +01:00
José Romildo Malaquias
c32b50a5f7
Merge pull request #59520 from romildo/upd.deepin.deepin-daemon
nixos/dde-daemon: init
2019-04-15 10:30:51 -03:00
adisbladis
4b4caa9413
Merge pull request #59368 from suhr/tox-node
nixos/tox-node: init
2019-04-15 12:28:27 +03:00
adisbladis
454aa43213
nixos/tox-node: Dont hardcode bootstrap nodes
Get these from upstream tox-node package instead.
This is likely to cause less maintenance overhead over time and
following upstream bootstrap node changes is automated.
2019-04-15 09:27:32 +01:00
Сухарик
6cb40f7b0b
nixos/tox-node: init 2019-04-15 09:27:27 +01:00
Bas van Dijk
e5724e8e66
Merge pull request #59514 from basvandijk/elk-7.0.0
elk7: init at 7.0.0
2019-04-15 07:05:13 +02:00
José Romildo Malaquias
46a4e92d92 nixos/deepin-daemon: init 2019-04-14 21:47:45 -03:00
Bas van Dijk
13352f28d2 elk7: init at 7.0.0
This adds the following new packages:

+ elasticsearch7
+ elasticsearch7-oss
+ logstash7
+ logstash7-oss
+ kibana7
+ kibana7-oss
+ filebeat7
+ heartbeat7
+ metricbeat7
+ packetbeat7
+ journalbeat7

The default major version of the ELK stack stays at 6. We should
probably set it to 7 in a next commit.
2019-04-14 21:39:46 +02:00
Silvan Mosberger
a63c182d53
Merge pull request #59315 from Infinisil/znc-docs-url
nixos/znc: Fix URL XML for config option
2019-04-14 17:33:49 +02:00
worldofpeace
6846d4ab85 nixos/fprintd: use systemd.packages
Upstream has a systemd service.
2019-04-14 10:19:57 -04:00
worldofpeace
4616b4ec85
Merge pull request #21860 from e-user/bugfix/upstream/gnome-pam
nixos/gdm: use provided PAM login configuration wherever possible
2019-04-14 09:52:17 -04:00
Alexander Kahl
56bd0110e7 nixos/pam: Add GNOME keyring use_authtok directive to password group 2019-04-14 09:50:22 -04:00
Alexander Kahl
5b9895b1a0 nixos/gdm: use provided PAM login configuration wherever possible
Fixes #21859
2019-04-14 09:49:01 -04:00
worldofpeace
c9a925d82b
Merge pull request #59433 from romildo/upd.deepin.deepin-menu
nixos/deepin-menu: init
2019-04-14 09:18:15 -04:00
José Romildo Malaquias
9e99eed443 nixos/deepin-menu: init 2019-04-14 10:00:44 -03:00
Linus Heckemann
0fc80a576a
Merge pull request #59423 from lheckemann/initramfs-improvements
Initramfs improvements
2019-04-14 12:10:26 +02:00
Sarah Brofeldt
f839011719
Merge pull request #58512 from aanderse/solr
solr: init at 8.0.0
2019-04-14 11:16:28 +02:00
gnidorah
1a4072e90f maxx: 1.1.0 -> 2.0.1 2019-04-14 09:51:29 +03:00
Sean Haugh
040d159eb4 nixos: fix system-tarball 2019-04-13 22:14:37 -05:00
Danylo Hlynskyi
eddb31be99
Merge pull request #55121 from Ma27/add-option-support-to-nixos-build-vms
nixos-build-vms: pass `--option` to `nix-build`
2019-04-14 02:57:57 +03:00
Linus Heckemann
b499c52de5 stage-1: provide meaningful names to initrd and module tree 2019-04-13 23:22:56 +02:00
Aaron Andersen
55ddb04a8a nixos/zookeeper: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:01 -04:00
Aaron Andersen
a1c48c3f63 nixos/vault: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:01 -04:00
Aaron Andersen
053c9a7992 nixos/sonarr: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:01 -04:00
Aaron Andersen
bb649d96b0 nixos/smokeping: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:00 -04:00
Aaron Andersen
484e896d7a nixos/radarr: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:00 -04:00
Aaron Andersen
021b287b84 nixos/peerflix: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:00 -04:00
Aaron Andersen
0672f867bc nixos/mysql-backup: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:00 -04:00
Aaron Andersen
89cbee4d3e nixos/mxisd: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:00 -04:00
Aaron Andersen
cd46038ae5 nixos/jackett: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:59 -04:00
Aaron Andersen
b7f376c01b nixos/ipfs: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:59 -04:00
Aaron Andersen
b1be2f1584 nixos/influxdb: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:59 -04:00
Aaron Andersen
6ac630bad3 nixos/etcd: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:59 -04:00
Aaron Andersen
062efe018d nixos/couchdb: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:58 -04:00
Aaron Andersen
56c7960d66 nixos/codimd: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:58 -04:00
Aaron Andersen
e51f86a018 nixos/clickhouse: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:58 -04:00
Aaron Andersen
e5d8ba59cc nixos/traefik: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:58 -04:00
Aaron Andersen
cefbee3edc nixos/syncthing: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:58 -04:00
Aaron Andersen
0113cc0de9 nixos/stanchion: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:57 -04:00
Aaron Andersen
a585d29bfd nixos/rss2email: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:57 -04:00
Aaron Andersen
2ebbe3988b nixos/rabbitmq: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:57 -04:00
Aaron Andersen
7b2be9b328 nixos/postgresqlBackup: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:57 -04:00
Aaron Andersen
64fdacc580 nixos/nullmailer: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:57 -04:00
Aaron Andersen
a6bbc55ae1 nixos/nexus: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:56 -04:00
Aaron Andersen
7808202b38 nixos/munge: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:56 -04:00
Aaron Andersen
919c87a106 nixos/mpd: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:56 -04:00
Aaron Andersen
8c48c55c2d nixos/minio: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:56 -04:00
Aaron Andersen
89081eef5d nixos/mesos: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:56 -04:00
Aaron Andersen
2f50cd06dc nixos/memcached: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:55 -04:00
Aaron Andersen
5f9a639f69 nixos/liquidsoap: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:55 -04:00
Aaron Andersen
8fe1c5b30f nixos/lidarr: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:55 -04:00
Aaron Andersen
09af9fcd34 nixos/collectd: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:55 -04:00
markuskowa
7d363d46ba
Merge pull request #59362 from matthiasbeyer/ympd-port-int
ympd service: Allow webPort to be int
2019-04-12 20:59:13 +02:00
Maximilian Bosch
f975bbae11
nixos/hostapd: escape interface names for hostapd
Same problem as described in acbadcdbba.

When using multiple interfaces for wifi with `networking.wlanInterfaces`
and the interface for `hostapd` contains a dash, this will fail as
systemd escapes dashes in its device names.
2019-04-12 19:27:19 +02:00
Graham Christensen
628ba24e77
Merge pull request #59349 from mogorman/manual-upgrading
nixos/manual: update 17.03 -> 19.03 in upgrading section
2019-04-12 12:19:12 -04:00
Matthias Beyer
31884f788e ympd service: Allow webPort to be int
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
2019-04-12 18:17:10 +02:00
Matthew O'Gorman
da035d3ad6
nixos/manual: update 17.03 -> 19.03 in upgrading section 2019-04-12 12:16:30 -04:00
Silvan Mosberger
92ae299998
Merge pull request #59081 from Yarny0/hylafax-updates
HylaFAX: fix ModemGroup, also minor metadata updates
2019-04-12 16:30:46 +02:00
Bas van Dijk
08b277e0da
Merge pull request #56017 from elohmeier/prom-tls
prometheus: add tls_config
2019-04-12 12:57:54 +02:00
Joachim F
5dafbb2cb1
Merge pull request #56719 from bricewge/miniflux-service
miniflux: add service
2019-04-12 09:57:30 +00:00
Yarny0
e57156bcaa nixos/hylafax: fix faxq ModemGroup setting
The manpage claims that the "limit" in the setting::
  <name>:[<limit>:]<regex>
is optional and defaults to zero, implying no limit.
However, tests confirmed that it actually isn't optional.

Without limit, the setting ``any:.*`` places
outbound jobs on infinite hold if no particular
modem was specified on the sendfax command line.
The new default value ``any:0:.*`` from
this commit uses any available modem to
send jobs if not modem was given to sendfax.
2019-04-12 11:11:49 +02:00
Yarny0
1438f7b664 nixos/hylafax: add 'yarny' (= myself) as maintainer
I forgot to do this when I submitted this module with
commit 12fa95f2d6.
2019-04-12 11:11:48 +02:00
Silvan Mosberger
2d1fa68c83
Merge pull request #59044 from teto/strongswan_path
strongswan module: use strings for secrets.
2019-04-11 22:51:24 +02:00
Enno Lohmeier
da7aeb1b7d prometheus: add tls_config 2019-04-11 20:34:31 +02:00
Silvan Mosberger
b8dc0f9a5b
nixos/znc: Fix URL XML for config option 2019-04-11 16:59:19 +02:00
Frederik Rietdijk
230c67f43b Merge master into staging-next 2019-04-11 07:50:23 +02:00
Ryan Mulligan
0960fc72b7
Merge pull request #49868 from jfrankenau/fix-triggerhappy
nixos/triggerhappy: add option user
2019-04-10 20:56:19 -07:00
Matthieu Coudron
08b8c6caf2 nixos/strongswan: use strings for secrets.
The nixos module artifically enforces type.path whereas the ipsec secret configuration files
accept pattern or relative paths.
Enforcing absolute paths already caused problems with l2tp vpn:
https://github.com/nm-l2tp/NetworkManager-l2tp/issues/108
2019-04-11 11:44:49 +09:00
Aaron Andersen
ee7565af9d solr: init at 8.0.0 2019-04-10 20:12:41 -04:00
Bas van Dijk
38ae3fe584
Merge pull request #59270 from basvandijk/alertmanager-DynamicUser
nixos/prometheus/alertmanager: use DynamicUser instead of nobody
2019-04-10 22:56:17 +02:00
Bas van Dijk
cd4486ecc3 nixos/prometheus/alertmanager: use DynamicUser instead of nobody
See issue #55370
2019-04-10 20:38:40 +02:00
Jörg Thalheim
4d4f110ca5
Merge pull request #59181 from Izorkin/nginx-format
nixos/nginx: fix error in writeNginxConfig
2019-04-10 19:23:34 +01:00
Bas van Dijk
739bdff4a4 nixos/prometheus/alertmanager: use ExecStart instead of script
This results in a simpler service unit which doesn't first have to
start a shell:

  > cat /nix/store/s95nsr8zbkblklanqpkiap49mkwbaq45-unit-alertmanager.service/alertmanager.service
  ...
  ExecStart=/nix/store/4g784lwcy7kp69hg0z2hfwkhjp2914lr-alertmanager-0.16.2-bin/bin/alertmanager \
    --config.file /nix/store/p2c7fyi2jkkwq04z2flk84q4wyj2ggry-checked-config \
    --web.listen-address [::1]:9093 \
    --log.level warn
  ...
2019-04-10 15:03:09 +02:00
Linus Heckemann
4557373d68
Merge pull request #58858 from worldofpeace/pantheon/lightdm-gtk-greeter
nixos/pantheon: enable lightdm gtk greeter
2019-04-10 09:36:20 +02:00
Robin Gloster
f370553f8f
Merge pull request #58804 from Ma27/roundcube-fixes
roundcube: minor fixes
2019-04-09 18:30:00 +00:00
aszlig
f98b4b0fda
nixos: Fix build of manual
Commit 29d7d8f44d has introduced another
section with the ID "sec-release-19.09-incompatibilities", which
subsequently causes the build to fail.

I just merged both sections and the manual is now building again.

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-09 17:18:43 +02:00
Frederik Rietdijk
d108b49168 Merge master into staging-next 2019-04-09 16:38:35 +02:00
Bas van Dijk
2f2e2971d6
Merge pull request #58255 from jbgi/prometheus2
Add Prometheus 2 service in parallel with 1.x version (continuation)
2019-04-09 14:14:18 +02:00
Bas van Dijk
b423b73adc nixos/doc: add Prometheus stateDir handling to rl-1909.xml 2019-04-09 13:13:44 +02:00
Bas van Dijk
c95179b52f nixos/prometheus: add back the option services.prometheus.dataDir
This is to ensure more backwards compatibility. Note this is not 100%
backwards compatible because we now require dataDir to begin with /var/lib/.
2019-04-09 13:13:34 +02:00
Bas van Dijk
7062a073e8 elk: 6.5.1 -> 6.7.1 2019-04-09 12:34:01 +02:00
Robin Gloster
a58ab8fc05
Merge pull request #58398 from Ma27/package-documize
documize-community: init at 2.2.1
2019-04-08 22:34:11 +00:00
Maximilian Bosch
acbb74ed18
documize-community: init at 2.2.1
Documize is an open-source alternative for wiki software like Confluence
based on Go and EmberJS. This patch adds the sources for the community
edition[1], for commercial their paid-plan[2] needs to be used.

For commercial use a derivation that bundles the commercial package and
contains a `$out/bin/documize` can be passed to
`services.documize.enable`.

The package compiles the Go sources, the build process also bundles the
pre-built frontend from `gui/public` into the binary.

The NixOS module generates a simple `systemd` unit which starts the
service as a dynamic user, database and a reverse proxy won't be
configured.

[1] https://www.documize.com/get-started/
[2] https://www.documize.com/pricing/
2019-04-08 23:54:57 +02:00
worldofpeace
acedc516fe nixos/pantheon: use evince module 2019-04-08 16:40:54 -04:00
Linus Heckemann
0ce382d868 rl-1903: pantheon notes phrasing/organisation 2019-04-08 16:22:58 -04:00
Ingo Blechschmidt
efff2e1aa6 iodine: improve password handling (#58806)
Before this change, only passwords not containing shell metacharacters could be
used, and because the password was passed as a command-line argument, local
users could (in a very small window of time) record the password and (in an
indefinity window of time) record the length of the password.

We also use the opportunity to add a call to `exec` in the systemd start
script, so that no shell needs to hang around waiting for iodine to stop.
2019-04-08 21:20:26 +02:00
Bas van Dijk
29d7d8f44d nixos/doc: added the Prometheus changes to the 19.09 release notes 2019-04-08 19:39:22 +02:00
Bas van Dijk
eed84d1f8d nixos/prometheus: fix indentation and unnecessary parenthesis 2019-04-08 19:14:42 +02:00
Samuel Dionne-Riel
ef0ca61215
Merge pull request #58027 from DanielFabian/gfxpayload
grub: Add gfxpayload
2019-04-08 10:06:59 -04:00
Izorkin
496a73d46d nixos/nginx: fix error in writeNginxConfig 2019-04-08 16:44:23 +03:00
Bas van Dijk
394970047e nixos/tests: register the prometheus2 test 2019-04-08 15:24:23 +02:00
Bas van Dijk
7cf27feb2f
nixos/prometheus: get rid of empty arguments
Previously the prometheus.service file looked like:

  ExecStart=/nix/store/wjkhfw3xgkmavz1akkqir99w4lbqhak7-prometheus-1.8.2-bin/bin/prometheus -storage.local.path=/var/lib/prometheus/metrics \
    -config.file=/nix/store/zsnvzw51mk3n1cxjd0351bj39k1j6j27-prometheus.yml-check-config-checked \
    -web.listen-address=0.0.0.0:9090 \
    -alertmanager.notification-queue-capacity=10000 \
    -alertmanager.timeout=10s \
     \

  Restart=always

Now it's:

  ExecStart=/nix/store/wjkhfw3xgkmavz1akkqir99w4lbqhak7-prometheus-1.8.2-bin/bin/prometheus \
    -storage.local.path=/var/lib/prometheus/metrics \
    -config.file=/nix/store/zsnvzw51mk3n1cxjd0351bj39k1j6j27-prometheus.yml-check-config-checked \
    -web.listen-address=0.0.0.0:9090 \
    -alertmanager.notification-queue-capacity=10000 \
    -alertmanager.timeout=10s
  Restart=always
2019-04-08 14:59:12 +02:00
Bas van Dijk
a59c92903e
nixos/prometheus: use ExecStart instead of a shell script
This uses fewer lines of code and one less process.
2019-04-08 14:59:12 +02:00
Daniel Fabian
84ff0956a8 grub: Add support for gfxpayload in grub. Needed for NVIDIA drivers before KMS, afaik 2019-04-08 11:34:39 +01:00
Aneesh Agrawal
24ae4ae604 nixos/sshd: Remove obsolete Protocol options (#59136)
OpenSSH removed server side support for the v.1 Protocol
in version 7.4: https://www.openssh.com/txt/release-7.4,
making this option a no-op.
2019-04-08 09:49:31 +02:00
Samuel Dionne-Riel
40d59c6e8e
Merge pull request #58976 from gilligan/remove-nodejs6
Remove nodejs-6_x which is about to enter EOL
2019-04-07 19:49:24 -04:00
worldofpeace
8f93650fe4 nixos/pantheon: add warning when not using LightDM 2019-04-07 17:51:41 -04:00
worldofpeace
d3d5c674ba nixos/lightdm-greeters/pantheon: add warning 2019-04-07 17:51:19 -04:00
Florian Klink
2457510db4
Merge pull request #51918 from bobvanderlinden/var-run
tree-wide: nixos: /var/run -> /run
2019-04-07 20:09:46 +02:00
Frederik Rietdijk
7f7da0a16f Merge master into staging-next 2019-04-07 15:14:52 +02:00
Robin Gloster
0498ba6e06
Merge pull request #59078 from dtzWill/fix-and-update/nextcloud
nextcloud: fix use of mismatched php versions, updates
2019-04-07 09:55:39 +00:00
Frederik Rietdijk
4a125f6b20 Merge master into staging-next 2019-04-07 08:33:41 +02:00
Léo Gaspard
07fdcb348f
Merge pull request #59056 from aanderse/mod_php-sendmail
nixos/httpd: replace ssmtp with system-sendmail
2019-04-06 20:57:58 +02:00
Will Dietz
27d78f4c6c nextcloud: use same php package throughout!
`phpPackage` is 7.3 by default, but `pkgs.php` is 7.2,
so this saves the need for an extra copy of php
for the purpose of running nextcloud's cron;
more importantly this fixes problems with extensions
not loading since they are built against a different php.
2019-04-06 10:34:14 -05:00
aszlig
6fe989eaed
nixos/tests/acme: Use exact match in TOS location
Since the switch to check the nginx config with gixy in
59fac1a6d7, the ACME test doesn't build
anymore, because gixy reports the following false-positive (reindented):

  >> Problem: [alias_traversal] Path traversal via misconfigured alias.
  Severity: MEDIUM
  Description: Using alias in a prefixed location that doesn't ends with
               directory separator could lead to path traversal
               vulnerability.
  Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
  Pseudo config:

  server {
    server_name letsencrypt.org;

    location /documents/2017.11.15-LE-SA-v1.2.pdf {
      alias /nix/store/y4h5ryvnvxkajkmqxyxsk7qpv7bl3vq7-2017.11.15-LE-SA-v1.2.pdf;
    }
  }

The reason this is a false-positive is because the destination is not a
directory, so something like "/foo.pdf../other.txt" won't work here,
because the resulting path would be ".../destfile.pdf../other.txt".

Nevertheless it's a good idea to use the exact match operator (=), to
not only shut up gixy but also gain a bit of performance in lookup (not
that it would matter in our test).

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-06 12:51:56 +02:00
Aaron Andersen
9c9a6f380e nixos/httpd: replace ssmtp with system-sendmail 2019-04-06 06:34:46 -04:00
Pierre Bourdon
f8eec8dc34 environment.noXlibs: disable gnome3 support for pinentry (#59051) 2019-04-06 10:06:55 +00:00
Silvan Mosberger
82b8ff405b
Merge pull request #58778 from aanderse/davmail
nixos/davmail: set logging default to warn, instead of debug
2019-04-06 06:23:48 +02:00
Jeremy Apthorp
e8b68dd4f4 miniflux: add service 2019-04-06 03:52:15 +02:00
Silvan Mosberger
cddafbcc60
Merge pull request #57782 from bkchr/gnupg_program
programs.gnupg: Support setting the gnupg program
2019-04-05 15:43:18 +02:00
Gabriel Ebner
ad5cabf575 nixos/evince: init 2019-04-05 15:03:31 +02:00
Tor Hedin Brønner
c99a666aac
nixos/gnome3: add new default fonts
- source-code-pro is now the default monospace font
- source-sans-pro seems to be used somewhere too:
  https://wiki.gnome.org/Engagement/BrandGuidelines
2019-04-05 12:13:39 +02:00
Jan Tojnar
cb1a20499a
Merge branch 'master' into staging 2019-04-05 11:37:15 +02:00
Bastian Köcher
c0deb007fc programs.gnupg: Support setting the gnupg package 2019-04-05 08:49:53 +02:00
Jörg Thalheim
4aeafc6b63
tests/pdns-recursor: use waitForOpenPort as port check
This should be safer w.r.t. race conditions.
2019-04-05 02:30:28 +01:00
Jörg Thalheim
e49a143ac7
Merge pull request #58982 from Mic92/pdns
pdns-recursor: 4.1.11 -> 4.1.12
2019-04-05 02:23:48 +01:00
Jörg Thalheim
6dd7483ce1
Merge pull request #57979 from 4z3/writeNginxConfig
nixos/nginx: use nginxfmt and gixy
2019-04-04 20:23:58 +01:00
Silvan Mosberger
fab50f0e91
Merge pull request #57716 from dasJ/redo-icingaweb2
nixos/icingaweb2: Replace most options with toINI
2019-04-04 21:20:01 +02:00
Jörg Thalheim
d8445c9925
tests/pdns-recursor: add 2019-04-04 19:42:49 +01:00
tobias pflug
0e296d5fcd
Remove nodejs-6_x which is about to enter EOL
- Remove nodejs-6_x
- Set nodejs / nodejs-slim to nodejs-8_x / nodejs-slim-8_x
- Re-generate node2nix generated files using nodejs-8_x instead
2019-04-04 18:43:06 +01:00
Peter Hoeg
61613a2512
Merge pull request #57337 from peterhoeg/m/logitech
nixos: better support for logitech devices and update relevant packages
2019-04-03 21:19:56 +08:00
Silvan Mosberger
c978593908
Merge pull request #58509 from symphorien/all-fw
nixos: make hardware.enableAllFirmware enable *all* firmware
2019-04-03 06:32:16 +02:00
Maximilian Bosch
6b6348eaba
nixos/roundcube: only configure postgres config if localhost is used as database
When using a different database, the evaluation fails as
`config.services.postgresql.package` is only set if `services.postgresql` is enabled.

Also, the systemd service shouldn't have a relation to postgres if a
remote database is used.
2019-04-02 16:02:53 +02:00
Aaron Andersen
01cec5155f nixos/davmail: set logging default to warn, instead of debug 2019-04-02 09:52:32 -04:00
Franz Pletz
ff36d95878
nixos/quicktun: init 2019-04-02 12:16:48 +02:00
Franz Pletz
ab574424a0
Merge pull request #57789 from Ma27/wireguard-test
nixos/wireguard: add test
2019-04-02 08:11:52 +00:00
Florian Jacob
14571f5ed0 nixos/mysql: fix initialScript option
which was wrongly specified as types.lines
Prevent it from getting copied to nix store as people might use it for
credentials, and make the tests cover it.
2019-04-01 21:08:47 +02:00
Florian Jacob
77978c1518 nixos/mysql: fix support for non-specified database schema
and increase test coverage to catch this
2019-04-01 20:01:29 +02:00
Léo Gaspard
e3b87b04b7 Revert "Merge pull request #57559 from Ekleog/iso-image-reproducibilization"
This reverts commit bb32e322a5, reversing
changes made to e0b4356c0d.
2019-04-01 18:17:42 +02:00
Silvan Mosberger
86956b98e6
Merge pull request #58639 from Infinisil/update/browserpass
browserpass: 2.0.22 -> 3.0.1
2019-04-01 17:31:41 +02:00
Simon Lackerbauer
88c31ae57c
nixos/openldap: add new options 2019-04-01 17:24:33 +02:00
Florian Klink
8313a5dcd3
Merge pull request #58588 from shazow/fix/vlc
vlc: Add chromecast support; libmicrodns: Init at 0.0.10
2019-04-01 17:16:42 +02:00
Tim Steinbach
03389563a2
linux: Fix kernel-testing test 2019-04-01 10:04:54 -04:00
Andrey Petrov
c37aa79639 vlc: add chromecastSupport option
Enables Chromecast support by default in VLC.

Fixes #58365.

Includes release note.
2019-04-01 09:44:56 -04:00
Tim Steinbach
5aef5c5931
kafka: Add test for 2.2
Also add back tests, don't seem broken anymore.

This is just fine:
nix-build ./nixos/release.nix -A tests.kafka.kafka_2_1.x86_64-linux -A tests.kafka.kafka_2_2.x86_64-linux
2019-04-01 08:39:25 -04:00
Tim Steinbach
3db50cc82f
linux: Add testing test 2019-04-01 08:31:36 -04:00
John Ericson
4ccb74011f Merge commit '18aa59b0f26fc707e7313f8467e67159e61600c2' from master into staging
There was one conflict in the NixOS manual; I checked that it still
built after resolving it.
2019-04-01 00:40:03 -04:00
Silvan Mosberger
e98ee8d70c
nixos/browserpass: update for v3
See https://github.com/browserpass/browserpass-native/issues/31

Additionally browserpass was removed from systemPackages, because it
doesn't need to be installed, browsers will get the path to the binary
from the native messaging host JSON.
2019-04-01 01:24:54 +02:00
Will Dietz
c8a9c1c2b8 yubico-pam: add nixos integration 2019-03-31 12:04:35 -05:00
worldofpeace
ffd2e9b572 nixos/rename: drop system.nixos.{stateVersion, defaultChannel}
Comment said to remove these before 18.09 was released :(
2019-03-30 18:18:39 -04:00
Silvan Mosberger
81e2fb5303
Merge pull request #58458 from worldofpeace/colord/no-root
nixos/colord: don't run as root
2019-03-30 04:06:55 +01:00
worldofpeace
099cc0482b nixos/pantheon: enable lightdm gtk greeter
Pantheon's greeter has numerous issues that cannot be
fixed in a timely manner, and users are better off if they just
didn't use it by default.
2019-03-29 21:29:59 -04:00
worldofpeace
f22fbe1175 nixos/colord: don't run as root
Using systemd.packages because there's
a system colord service and colord-session user service
included.
2019-03-29 20:56:06 -04:00
Florian Klink
a6abf97e05
Merge pull request #58420 from Infinisil/remove-renames
Remove a bunch of old option renames
2019-03-30 00:48:25 +01:00
Peter Romfeld
364cbd088e minio: init at 4.0.13 2019-03-29 15:50:36 +01:00
Graham Christensen
bb32e322a5
Merge pull request #57559 from Ekleog/iso-image-reproducibilization
iso-image: make reproducible by not relying on mcopy's readdir
2019-03-29 08:02:56 -04:00
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Maximilian Bosch
673c8193cd
Merge pull request #58489 from aanderse/mailcatcher
nixos/mailcatcher: fix test to be compatible with mailcatcher 7.x series
2019-03-29 04:01:02 +01:00
Symphorien Gibol
15229e1a62 nixos: make hardware.enableAllFirmware enable *all* firmware 2019-03-28 23:59:57 +01:00
Silvan Mosberger
1660845954
Merge pull request #58196 from tomfitzhenry/iso-syslinux-serial-consistent
syslinux: change serial bit rate to 115200
2019-03-28 22:51:48 +01:00
Florian Klink
aa2878cfcf
Merge pull request #58284 from bgamari/gitlab-rails
nixos/gitlab: Package gitlab-rails
2019-03-28 21:12:15 +01:00
Silvan Mosberger
9d4a6cceb7
Merge pull request #57550 from florianjacob/typed-mysql-options
nixos/mysql: specify option types, add tests
2019-03-28 18:55:53 +01:00
Silvan Mosberger
be2f711342
Merge pull request #58487 from bgamari/gitlab-gitaly-procpc
gitaly: Run gitaly with procps in scope
2019-03-28 18:22:27 +01:00
Ben Gamari
af909b3238 nixos/gitlab: Package gitlab-rails
This utility (particularly `gitlab-rails console`) is packaged by GitLab
Omnibus and is used for diagnostics and maintenance operations.
2019-03-28 11:45:31 -04:00
lewo
dc3ed336df
Merge pull request #58345 from xtruder/pkgs/dockerTools/pullImage/finalImageName
dockerTools: add finalImageName parameter for pullImage
2019-03-28 16:25:01 +01:00
Aaron Andersen
417da42c02 nixos/mailcatcher: fix test to be compatible with mailcatcher 7.x series 2019-03-28 11:15:20 -04:00
Ben Gamari
b90f5f03c2 nixos/gitaly: Run gitaly with procps in scope
Gitaly uses `ps` to track the RSS of `gitlab-ruby` and kills it when it
detects excessive memory leakage. See
https://gitlab.com/gitlab-org/gitaly/issues/1562.
2019-03-28 10:48:51 -04:00
Florian Klink
6670b4c37d
Merge pull request #58419 from flokli/ldap-nslcd-startup
nixos/ldap: set proper User= and Group= for nslcd service
2019-03-28 14:30:14 +01:00
Florian Klink
8817bbefdb nixos/ldap: set proper User= and Group= for nslcd service
eb90d97009 broke nslcd, as /run/nslcd was
created/chowned as root user, while nslcd wants to do parts as nslcd
user.

This commit changes the nslcd to run with the proper uid/gid from the
start (through User= and Group=), so the RuntimeDirectory has proper
permissions, too.

In some cases, secrets are baked into nslcd's config file during startup
(so we don't want to provide it from the store).

This config file is normally hard-wired to /etc/nslcd.conf, but we don't
want to use PermissionsStartOnly anymore (#56265), and activation
scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf,
which now gets provisioned inside ExecStartPre=.

This change requires the files referenced to in
users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be
readable by the nslcd user (in the non-nslcd case, this was already the
case for users.ldap.bind.passwordFile)

fixes #57783
2019-03-28 13:08:47 +01:00
Aaron Andersen
7f3d0aee1c nixos/redmine: test configuration with postgresql as well as mysql 2019-03-27 21:21:17 -04:00
Aaron Andersen
44a798e36f nixos/postgresql: added new options to mimic mysql module 2019-03-27 21:21:12 -04:00
aszlig
ada3239253
nixos/release-notes: Add entry about confinement
First of all, the reason I added this to the "highlights" section is
that we want users to be aware of these options, because in the end we
really want to decrease the attack surface of NixOS services and this is
a step towards improving that situation.

The reason why I'm adding this to the changelog of the NixOS 19.03
release instead of 19.09 is that it makes backporting services that use
these options easier. Doing the backport of the confinement module after
the official release would mean that it's not part of the release
announcement and potentially could fall under the radar of most users.

These options and the whole module also do not change anything in
existing services or affect other modules, so they're purely optional.

Adding this "last minute" to the 19.03 release doesn't hurt and is
probably a good preparation for the next months where we hopefully
confine as much services as we can :-)

I also have asked @samueldr and @lheckemann, whether they're okay with
the inclusion in 19.03. While so far only @samueldr has accepted the
change, we can still move the changelog entry to the NixOS 19.09 release
notes in case @lheckemann rejects it.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 21:07:07 +01:00
aszlig
52299bccf5
nixos/confinement: Use PrivateMounts option
So far we had MountFlags = "private", but as @Infinisil has correctly
noticed, there is a dedicated PrivateMounts option, which does exactly
that and is better integrated than providing raw mount flags.

When checking for the reason why I used MountFlags instead of
PrivateMounts, I found that at the time I wrote the initial version of
this module (Mar 12 06:15:58 2018 +0100) the PrivateMounts option didn't
exist yet and has been added to systemd in Jun 13 08:20:18 2018 +0200.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 20:34:32 +01:00
aszlig
861a1cec60
nixos/confinement: Remove handling for StartOnly
Noted by @Infinisil on IRC:

   infinisil: Question regarding the confinement PR
   infinisil: On line 136 you do different things depending on
              RootDirectoryStartOnly
   infinisil: But on line 157 you have an assertion that disallows that
              option being true
   infinisil: Is there a reason behind this or am I missing something

I originally left this in so that once systemd supports that, we can
just flip a switch and remove the assertion and thus support
RootDirectoryStartOnly for our confinement module.

However, this doesn't seem to be on the roadmap for systemd in the
foreseeable future, so I'll just remove this, especially because it's
very easy to add it again, once it is supported.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 20:22:37 +01:00
Maximilian Bosch
3fc3096da8
Merge pull request #58432 from aanderse/mailcatcher
nixos/mailcatcher: init module for existing package
2019-03-27 16:11:15 +01:00
Aaron Andersen
c99ea1c203 nixos/mailcatcher: add nixos test 2019-03-27 09:56:46 -04:00
Aaron Andersen
395ec8c0d4 nixos/mailcatcher: init module for existing package 2019-03-27 09:15:47 -04:00
Benjamin Hipple
8b3500c650 nixos.cron: fix docstring sentence 2019-03-26 23:22:20 -04:00
Silvan Mosberger
2a72707c1f
nixos/modules: Remove about 50 option renames from <=2015
These are all `mkRenamedOptionModule` ones from 2015 (there are none
from 2014). `mkAliasOptionModule` from 2015 were left in because those
don't give any warning at all.
2019-03-27 03:10:14 +01:00
Florian Klink
0a1451afe3 nixos/ldap: rename password file options properly
users.ldap.daemon.rootpwmodpw -> users.ldap.daemon.rootpwmodpwFile
users.ldap.bind.password -> users.ldap.bind.passwordFile

as users.ldap.daemon.rootpwmodpw never was part of a release, no
mkRenamedOptionModule is introduced.
2019-03-27 02:53:56 +01:00
Silvan Mosberger
8471ab7624
Merge pull request #57836 from reanimus/duo-secure-fail
nixos/security: make duo support secure failure correctly
2019-03-27 01:58:42 +01:00
Daiderd Jordan
018d329dbc
Merge pull request #57928 from averelld/plex-update
plex: 1.14.1.5488 -> 1.15.1.791
2019-03-26 20:22:34 +01:00
Jaka Hudoklin
468df177c4
dockerTools: add finalImageName parameter for pullImage 2019-03-26 19:35:14 +01:00
Florian Klink
476760bfeb
Merge pull request #57578 from bgamari/gitlab-extra-initializers
nixos/gitlab: Allow configuration of extra initializers
2019-03-26 11:08:11 +01:00
aszlig
68efd790b8
nixos: Don't enable Docker by default
Regression introduced by c94005358c.

The commit introduced declarative docker containers and subsequently
enables docker whenever any declarative docker containers are defined.

This is done via an option with type "attrsOf somesubmodule" and a check
on whether the attribute set is empty.

Unfortunately, the check was whether a *list* is empty rather than
wether an attribute set is empty, so "mkIf (cfg != [])" *always*
evaluates to true and thus subsequently enables docker by default:

$ nix-instantiate --eval nixos --arg configuration {} \
    -A config.virtualisation.docker.enable
true

Fixing this is simply done by changing the check to "mkIf (cfg != {})".

Tested this by running the "docker-containers" NixOS test and it still
passes.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @benley, @danbst, @Infinisil, @nlewo
2019-03-26 07:10:18 +01:00
Matthew Bauer
2924563f88
Merge pull request #57925 from rnhmjoj/ifnames-fix
nixos/tests/predictable-interfaces: fix failure on aarch64
2019-03-25 22:23:11 -04:00
Matthew Bauer
38c6c7c8a3
Merge pull request #57617 from aaronjanse/patch-20190313a
nixos/manual: clarify declarative packages section
2019-03-25 22:16:47 -04:00
Matthew Bauer
d468f4b27e
Merge pull request #57139 from delroth/firewall-dedup
nixos/firewall: canonicalize ports lists
2019-03-25 22:15:17 -04:00
Ben Gamari
f2bdc91b35 nixos/gitlab: Allow configuration of extra initializers
This adds a configuration option allowing the addition of additional
initializers in config/extra-gitlab.rb.
2019-03-25 15:18:35 -04:00
Jean-Baptiste Giraudeau
0333d877c2
Use same user for both prometheus 1 and 2. Use StateDirectory. 2019-03-25 14:49:22 +01:00
Jean-Baptiste Giraudeau
5ae25922b5
Prometheus2: --web.external-url need two dash. 2019-03-25 14:36:48 +01:00
Jean-Baptiste Giraudeau
bfbae97cfa
Rollback versionning of services.prometheus.{exporters, alertmanager}. 2019-03-25 14:36:46 +01:00
Alberto Berti
e17b464a43
Fix alertmanager service definition. Thanks to @eonpatapon 2019-03-25 14:36:45 +01:00
Alberto Berti
1b6ce80c2b
Make it pass a minimal test 2019-03-25 14:36:44 +01:00
Alberto Berti
11b89720b7
Add prometheus2 configuration to the prometheus modules
As the configuration for the exporters and alertmanager is unchanged
between the two major versions this patch tries to minimize
duplication while at the same time as there's no upgrade path from 1.x
to 2.x, it allows running the two services in parallel. See also #56037
2019-03-25 14:36:44 +01:00
Samuel Dionne-Riel
60847311e6 nixos/virtualbox-image: set the root fsType to reenable root FS resizing
This otherwise does not eval `:tested` any more, which means no nixos
channel updates.

Regression comes from 0eb6d0735f (#57751)
which added an assertion stopping the use of `autoResize` when the
filesystem cannot be resized automatically.
2019-03-24 22:41:26 -04:00
Danylo Hlynskyi
40cc269561
Merge branch 'master' into postgresql-socket-in-run 2019-03-25 01:06:59 +02:00
Benjamin Staffin
c94005358c NixOS: Run Docker containers as declarative systemd services (#55179)
* WIP: Run Docker containers as declarative systemd services

* PR feedback round 1

* docker-containers: add environment, ports, user, workdir options

* docker-containers: log-driver, string->str, line wrapping

* ExecStart instead of script wrapper, %n for container name

* PR feedback: better description and example formatting

* Fix docbook formatting (oops)

* Use a list of strings for ports, expand documentation

* docker-continers: add a simple nixos test

* waitUntilSucceeds to avoid potential weird async issues

* Don't enable docker daemon unless we actually need it

* PR feedback: leave ExecReload undefined
2019-03-25 00:59:09 +02:00
Bob van der Linden
4c1af9b371
nixos/tests: nghttpx: /var/run -> /run 2019-03-24 21:15:35 +01:00
Bob van der Linden
09bff929df
nixos/tests: osquery: /var/run -> /run 2019-03-24 21:15:34 +01:00
Bob van der Linden
d8dc1226f4
nixos/openvswitch: /var/run -> /run 2019-03-24 21:15:34 +01:00
Bob van der Linden
8c1e00095a
nixos/docker: /var/run -> /run 2019-03-24 21:15:34 +01:00
Bob van der Linden
1eefda5595
nixos/xpra: /var/run -> /run 2019-03-24 21:15:33 +01:00
Bob van der Linden
889bb1e91e
nixos/kodi: /var/run -> /run 2019-03-24 21:15:33 +01:00
Bob van der Linden
65710d1df5
nixos/mighttpd2: /var/run -> /run 2019-03-24 21:15:33 +01:00