Commit graph

11771 commits

Author SHA1 Message Date
zimbatm
d06f798ce7
Merge pull request #51566 from adisbladis/google-oslogin
GCE OSLogin module: init
2018-12-24 14:11:49 +01:00
msteen
8d217ede58 fix infinite recursion caused by the unnecessary inspection of options + fix is parent of mount point check (#51541) 2018-12-24 14:05:55 +01:00
Samuel Dionne-Riel
772759173d
Merge pull request #52721 from samueldr/aarch64/limited-support
Fixes eval issues in hydra by setting AArch64 as limited support
2018-12-23 13:28:22 -05:00
Jörg Thalheim
044ff3dc66
nixos/vdr: don't delete recordings 2018-12-23 18:54:39 +01:00
Jörg Thalheim
633bc1d09b
Merge pull request #52686 from Mic92/vdr
vdr: revisited version of https://github.com/NixOS/nixpkgs/pull/32050
2018-12-23 16:19:27 +01:00
Emery Hemingway
124d8ccc69
Add IPFS warning 2018-12-22 20:04:19 +01:00
Jörg Thalheim
45986ec587
nixos/vdr: create video directory automatically 2018-12-22 15:13:35 +01:00
Christian Kögler
dd3f755cf4
vdr: initial at 2.4.0 and nixos module
used same plugin mechanism as kodi does
2018-12-22 15:13:25 +01:00
worldofpeace
94af8ebde2 nixos/displayManager: only install wayland sessions if they exist in extraSessionFilePackages
Not everyone is using wayland just yet.
2018-12-22 01:15:09 -05:00
Samuel Dionne-Riel
1bfe8f189b nixos/release-combined.nix: makes aarch64-linux limited support
This is because it will not eval properly with `hydra-eval-jobs`.

```
$ ...hydra/result/bin/hydra-eval-jobs \
    --arg nixpkgs '{ outPath = ./.; revCount = 123; shortRev = "4567"; }' \
    -I "$PWD" \
    nixos/release-combined.nix
```

It fails with:

```
Too many heap sections: Increase MAXHINCR or MAX_HEAP_SECTS
```
2018-12-21 20:43:23 -05:00
Samuel Dionne-Riel
16316a1288 nixos/release-combined.nix: Adds missing aarch64 constituents
This will block channel advancing, even if it is limited support.
2018-12-21 20:28:04 -05:00
Florian Klink
3539f3875a release-notes/rl-1903: add security.googleOsLogin 2018-12-21 18:01:36 +01:00
Florian Klink
706efadcb6 nixos/modules/virtualisation/google-compute-config.nix: remove google-accounts-daemon
Use googleOsLogin for login instead.
This allows setting users.mutableUsers back to false, and to strip the
security.sudo.extraConfig.

security.sudo.enable is default anyhow, so we can remove that as well.
2018-12-21 17:52:37 +01:00
Florian Klink
0f46188ca1 nixos/tests: add google-oslogin test 2018-12-21 17:52:37 +01:00
Florian Klink
04f3562fc4 config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-21 17:52:37 +01:00
Florian Klink
c6de45c0d7 config.security.googleOsLogin: add module
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
profile during ssh authentication phase.
NSS Module to provide user and group information
PAM Module for the sshd service, providing authorization and
authentication support, allowing the system to use data stored in
Google Cloud IAM permissions to control both, the ability to log into
an instance, and to perform operations as root (sudo).
2018-12-21 17:52:37 +01:00
Florian Klink
be5ad774bf security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication) 2018-12-21 17:52:37 +01:00
Florian Klink
d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing it's 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Samuel Dionne-Riel
3c38cc8058
Merge pull request #51813 from samueldr/aarch64/disable-non-arm-builds-part-1
aarch64: ZHF for aarch64 (1/??)
2018-12-20 21:06:52 -05:00
Samuel Dionne-Riel
7b2b5b3f47
Merge pull request #52534 from samueldr/aarch64/supported
nixos/release-combined: adds aarch64-linux as supported
2018-12-20 20:58:59 -05:00
Maximilian Bosch
87ebc2ad0b
Merge pull request #52345 from r-ryantm/auto-update/clickhouse
clickhouse: 18.14.9 -> 18.14.18
2018-12-20 18:48:37 +01:00
Michael Raskin
ede54f9144
Merge pull request #52379 from erikarvstedt/tesseract
Major tesseract improvements
2018-12-20 14:41:48 +00:00
Maximilian Bosch
64d05bbdd2
clickhouse: fix module and package runtime
Although the package itself builds fine, the module fails because it
tries to log into a non-existant file in `/var/log` which breaks the
service. Patching to default config to log to stdout by default fixes
the issue. Additionally this is the better solution as NixOS heavily
relies on systemd (and thus journald) for logging.

Also, the runtime relies on `/etc/localtime` to start, as it's not
required by the module system we set UTC as sensitive default when using
the module.

To ensure that the service's basic functionality is available, a simple
NixOS test has been added.
2018-12-20 13:03:41 +01:00
Jeremy Apthorp
654c3124b2
shairport-sync: don't daemonize
This flag causes the shairport-sync server to attempt to daemonize, but it looks like systemd is already handling that. With the `-d` argument, shairport-sync immediately exits—it seems that something (systemd I'm guessing?) is sending it SIGINT or SIGTERM.

The [upstream systemd unit](https://github.com/mikebrady/shairport-sync/blob/master/scripts/shairport-sync.service.in#L10) doesn't pass `-d`.
2018-12-19 22:37:25 -08:00
Samuel Dionne-Riel
42e7e39cd3 nixos/release-combined.nix: Filters failing tests
And filters out JDK which can't be built on aarch64-linux.
2018-12-19 22:28:10 -05:00
Samuel Dionne-Riel
8ab5ef773b nixos/release: build iso_minimal_new_kernel for aarch64-linux too 2018-12-19 13:10:48 -05:00
Samuel Dionne-Riel
36a0c13cf3 nixos/release-combined: adds aarch64-linux as supported
This was previously removed in 74c4e30842.

This will allow hydra to build iso and sd images for aarch64-linux, and
share a common channel with the x86-based platforms.
2018-12-19 12:57:17 -05:00
Erik Arvstedt
8d1ba999cb
tesseract: rename to tesseract4, add alias
This is more consistent with the naming of the most popular versioned pkgs.
2018-12-19 18:09:56 +01:00
Robert Schütz
52b1973283 home-assistant-cli: init at 0.3.0 2018-12-19 15:54:28 +01:00
Frederik Rietdijk
a06b90a7dc lapp: change postgresql version, fixes metrics 2018-12-19 10:04:00 +01:00
Maximilian Bosch
6c6341335b
nixos/test-driver: fix wording in error message about invalid node names
Since 113a6b9325 the test driver
explicitly ensures if the node names won't break the resulting Perl
script at runtime. This slightly improves the correctness of the error
message.
2018-12-18 23:46:54 +01:00
Maximilian Bosch
83fe20e57f
Merge pull request #52485 from pablode/master
nixos/oh-my-zsh: fix wrong manual information
2018-12-18 23:18:27 +01:00
Pablo Delgado Krämer
685c4f5608 nixos/oh-my-zsh: fix wrong manual information
Manual still refers to 'programs.ohMyZsh' although it should be 'programs.zsh.ohMyZsh'.
2018-12-18 14:31:35 +01:00
Jörg Thalheim
f2180a5367
Merge pull request #52458 from tadfisher/emacs-bash-prompt
nixos/bash: Fix prompt regression in Emacs term mode
2018-12-18 09:19:48 +00:00
markuskowa
5289fcc422
Merge pull request #47297 from greydot/bladerf
Introduce hardware/bladeRF module
2018-12-18 09:29:32 +01:00
Lana Black
7112cd8822 nixos/hardware/bladeRF: init at 2.0.2
This allows to easily enable bladerf-related udev rules with nixos
configuration.
2018-12-18 08:11:18 +00:00
Franz Pletz
670c5ac8ef
Merge pull request #46806 from Ma27/disallow-dash-separators-in-machine-declarations
nixos/testing: disallow special chars in machine names in network expressions
2018-12-18 01:03:34 +00:00
Maximilian Bosch
113a6b9325
nixos/testing: disallow special chars in machine names in network expressions
These names are referenced by Perl variables inside the testing
frameworks which don't allow chars like `-` as character inside. An exemplary
expression may look like this:

```
{
  x11-vm = {
    services.xserver.enable = true;
  };
}
```

This expression evaluates, e.g. when running `nixos-build-vms`, but when
trying to run `./result/bin/nixos-run-vms`, an error like this occurs:

```
starting VDE switch for network 1
running the VM test script
error: Can't modify subtraction (-) in scalar assignment at (eval 17) line 1, at EOF
Bareword "test" not allowed while "strict subs" in use at (eval 17) line 1.
Can't modify subtraction (-) in scalar assignment at (eval 17) line 1, at EOF
Bareword "test" not allowed while "strict subs" in use at (eval 17) line 1.
vde_switch: EOF on stdin, cleaning up and exiting
cleaning up
```

This can be very confusing for beginners, this change breaks evaluation
if such names are used for machines.
2018-12-18 01:58:56 +01:00
Samuel Dionne-Riel
321d48d5db
Merge pull request #51397 from samueldr/feature/aarch64-uefi
installer: Adds AArch64 UEFI installer support. (Work towards SBBR and EBBR support)
2018-12-17 18:56:57 -05:00
Tad Fisher
b4b67177b5 nixos/bash: Fix prompt regression in Emacs term mode 2018-12-17 15:42:41 -08:00
Michael Peyton Jones
f64bc036a5
nixos: add XDG sounds module 2018-12-18 00:32:13 +01:00
Jan Tojnar
aacb244889
Merge pull request #51520 from michaelpj/imp/appstream
nixos: add AppStream module
2018-12-18 00:27:23 +01:00
Franz Pletz
58db4c1a7e
Revert "nixos/tests: add clamav test"
This reverts commit 6433f3b13b.

Fixes #52446.
2018-12-17 19:24:44 +01:00
Silvan Mosberger
9673380261
Merge pull request #52168 from cdepillabout/add-bluezFull-package
Add bluez full package
2018-12-17 03:01:49 +01:00
Satoshi Shishiku
5a93f6149a
prosody service: set cafile
Fix s2s_secure_auth.
2018-12-17 01:01:41 +01:00
Florian Klink
a9eae44ee5 gitlab: run test with 4096 bits if on 64bit, else the the maximum for 32bit 2018-12-16 19:47:35 +01:00
Franz Pletz
6433f3b13b
nixos/tests: add clamav test 2018-12-16 19:04:07 +01:00
Florian Klink
91c65721f7 owncloud: remove server
pkgs.owncloud still pointed to owncloud 7.0.15 (from May 13 2016)

Last owncloud server update in nixpkgs was in Jun 2016.
At the same time Nextcloud forked away from it, indicating users
switched over to that.

cc @matej (original maintainer)
2018-12-16 15:05:53 +01:00
Florian Klink
50500219af apache-httpd/limesurvey.nix: fix copypasta from owncloud 2018-12-16 15:05:53 +01:00
Johan Thomsen
d2048b0d7e nixos/kubernetes: don't enable all alpha feature gates for the test cases 2018-12-16 13:41:48 +01:00