Commit graph

5040 commits

Author SHA1 Message Date
Peter Simons
f28dc07d49 Merge pull request #257 from oxij/bind-forwarders
bind: allow forwarders to differ from nameservers
2013-09-18 08:13:49 -07:00
Evgeny Egorochkin
b3d7f2945e manual: fix typo, #254. 2013-09-18 10:26:40 +03:00
Eelco Dolstra
58e40f84e1 Regression test for blkio functionality 2013-09-17 16:17:34 +02:00
Peter Simons
9f94a6ffaa modules/misc/ids.nix: document the fact that the uid for tcpcryptd is hard-coded in the daemon 2013-09-17 11:22:48 +02:00
Jan Malakhovski
af2382606c bind: allow forwarders to differ from nameservers 2013-09-17 01:21:17 +00:00
Rob Vermaas
0408858a8a Set CURL_CA_BUNDLE env variable for nix-daemon to allow pulling from a binary cache on https. Did not add to nix.envVars to avoid being added to shellInit. 2013-09-16 19:02:20 +02:00
Eelco Dolstra
b825169404 Add kexec support
You can now do a fast reboot (bypassing the BIOS, which may take
several minutes on servers) by running ‘systemctl kexec’.

Unfortunately the QEMU test for this is unreliable due to a QEMU bug
(it randomly crashes with a message like ‘Guest moved used index from
8 to 0’), so it's commented out.
2013-09-16 17:42:13 +02:00
Eelco Dolstra
5332480454 nixos-install: Fix copying from the CD
Nix 1.6 doesn't run the copy-from-other-stores substituter by default
anymore, so turn it on explicitly.

http://hydra.nixos.org/build/6144173
2013-09-16 13:30:34 +02:00
Eelco Dolstra
639bb95d0a Test whether the transparent fetchurl cache (tarballs.nixos.org) works
Testing this is useful in any case, but it's necessary now because Nix
1.6 doesn't check the binary cache for fetchurl output anymore.

http://hydra.nixos.org/build/6144188
2013-09-16 13:30:34 +02:00
Eelco Dolstra
fbb40e0389 release.nix: Automatically include all of tests/default.nix 2013-09-16 13:30:33 +02:00
Bjørn Forsman
0192c02720 /etc/profile: try all nix profiles for ASPELL_CONF
Aspell can only handle one dict-dir directive and currently we hardcode
that to
  ASPELL_CONF="dict-dir $HOME/.nix-profile/lib/aspell"

This means that aspell doesn't work if it is installed to the system or
default nix profile -- it only works in the user profile.

With this change, aspell can be installed to any of the nix profiles. If
it is installed in more than one profile, the most "local" profile wins
(i.e. sysadmin can set up a default, users can override it).
2013-09-14 13:05:11 +02:00
Oliver Charles
3a1024478a lightdm: Use xserver.nix environment variables when starting X
This reduces code duplication, but more importantly means that the
DRI modules can be found by X enabling hardware acceleration.

Close #249; the PR also refers to more about DRI modules.
2013-09-12 10:09:53 +02:00
Peter Simons
1103ba84fd modules/misc/ids.nix: patch tcpcrypt to use our uid
The default uid 666 exceeds SYS_UID_MAX (499), so it might not be available
anyway.
2013-09-11 18:58:37 +02:00
Peter Simons
4a7d8a84bc modules/services/networking/tcpcrypt.nix: specify start-up dependencies in systemd style
Thanks, Eelco, for pointing this out.
2013-09-11 18:56:09 +02:00
Peter Simons
b6501c0097 modules/misc/ids.nix: add a comment explaining why tcpcryptd has uid 666. 2013-09-11 11:09:30 +02:00
Peter Simons
0afcc637d7 Add support for opportunistic TCP encryption.
Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption
based on the user-space tools available from <http://tcpcrypt.org>.

Network attackers come in two varieties: passive and active (man-in-the-middle).
Passive attacks are much simpler to execute because they just require listening
on the network. Active attacks are much harder as they require listening and
modifying network traffic, often requiring very precise timing that can make
some attacks impractical.

Opportunistic encryption cannot protect against active attackers, but it *does*
protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to
stop active attacks, too, if the application using it performs authentication.

A complete description of the protocol extension can be found at
<http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>.
2013-09-10 23:32:55 +02:00
Eelco Dolstra
c4092f2a8d firewall.nix: Less verbosity 2013-09-10 15:17:52 +02:00
Eelco Dolstra
94bb48be78 firewall.nix: Don't make missing rpfilter support a fatal error
This makes upgrading from Linux 3.2 to 3.4 a bit nicer.
2013-09-10 15:17:52 +02:00
Mathijs Kwik
71365b7478 Merge pull request #247 from bjornfor/wins-nsswitch
Add services.samba.nsswins option
2013-09-07 08:18:01 -07:00
Bjørn Forsman
8a01d244b1 Add services.samba.nsswins option
This option allows for seamless WINS/NetBIOS name lookup, using
nsswitch.
2013-09-07 15:09:44 +02:00
Eelco Dolstra
40342e975d types.list -> types.listOf 2013-09-04 15:12:07 +02:00
Eelco Dolstra
25bd880472 Get firmware from lib/firmware 2013-09-04 14:22:52 +02:00
Eelco Dolstra
17457297cb Update all legacy-style modules
I.e., modules that use "require = [options]".  Nowadays that should be
written as

  {
    options = { ... };
    config = { ... };
  };

Also, use "imports" instead of "require" in places where we actually
import another module.
2013-09-04 13:05:09 +02:00
Eelco Dolstra
3a23e6dd31 Remove reference to non-existent config.tests 2013-09-03 15:14:55 +02:00
Jack Cummings
f2523c08e4 fixup zfs binaries in initrd
Previously, the zfs binaries were put in $out/sbin where the stage-1
patchelf wouldn't fix them up. This would fail the allowedReferences
test.

Move the zfs binaries to $out/bin.
2013-09-02 13:53:28 +03:00
Evgeny Egorochkin
e0dcfac2e2 Merge pull request #240 from ivan/typo-fix-2
Fix typo and incorrect package name
2013-09-02 03:29:17 -07:00
Eelco Dolstra
e06cd403b8 Execute NixOS VM tests on a separate machine 2013-09-02 11:18:22 +02:00
Eelco Dolstra
cf7cbdb67c Bump the NixOS version
July was a bit optimistic for a release :-)
2013-09-02 11:18:22 +02:00
Ivan Kozik
a7a9818795 Fix typo and incorrect package name 2013-09-02 04:54:09 +00:00
Evgeny Egorochkin
dd02d2bfbe Merge pull request #239 from NixOS/openbox
Openbox
2013-09-01 13:06:37 -07:00
Antono Vasiljev
16c0a24cad Openbox 2013-09-01 21:18:48 +03:00
Mathijs Kwik
388f1d48fb do not activate hybrid-sleep during config switches 2013-08-31 12:05:50 +02:00
Domen Kožar
e45e62e078 merge 2013-08-30 18:05:08 +02:00
Domen Kožar
718efd02b6 Merge pull request #235 from the-kenny/fix-minidlna
minidlna: Start after networking.target.
2013-08-27 12:02:00 -07:00
Moritz Ulrich
f8d1aac7d8 minidlna: Start after networking.target.
Signed-off-by: Moritz Ulrich <moritz@tarn-vedra.de>
2013-08-27 20:51:34 +02:00
Jaka Hudoklin
c613ae7b82 Add elasticsearch, a powerful open source search and analytics engine 2013-08-27 20:42:59 +02:00
Mathijs Kwik
2dd8b19eac Fix description for PowerManagement units. 2013-08-27 08:06:53 +02:00
Evgeny Egorochkin
7021b07a8d Move the compose-cache code from kde4 to xsession since it is supposedly useful for all X-based stuff. 2013-08-26 17:06:05 +03:00
Rickard Nilsson
b0b5e08e86 Add some more missing uids/gids 2013-08-26 15:20:25 +02:00
Eelco Dolstra
7f7208663d Add vdi.i686-linux to the release-critical jobs 2013-08-26 14:11:56 +02:00
Eelco Dolstra
3395e4398f Build 32-bit VirtualBox image
Issue #200.
2013-08-26 14:06:00 +02:00
Eelco Dolstra
40c6f6252e Fix spelling
Also, it's not necessary to order a unit after "sysinit.target" since
that's implied.
2013-08-26 12:18:26 +02:00
Eelco Dolstra
8bfbe7ef84 Don't try to guess the location of the NixOS config file
The NixOS config need not be $NIXOS_CONFIG, it can also be set through
-I nixos-config=... or not exist in a separate file at all (e.g. in a
NixOps deployment).

Issue #212.
2013-08-26 12:14:14 +02:00
Bjørn Forsman
c3931d2e42 Add programs.ssh.extraConfig option 2013-08-25 21:54:21 +02:00
Mathijs Kwik
d860f9f78e power management: provide a post-resume target and unify
suspend/hibernate/hybrid-sleep handling
2013-08-25 13:58:09 +02:00
Mathijs Kwik
651686626f convert bbswitch job to systemd unit
dramatically speeds up my boot time because it was the last
service (for me) that depended on udev-settle.service

udev-settle isn't needed for modern system initialization but some
oldschool services (mdadm/lvm/cryptsetup) depend on it so they can
just enumerate devices instead of having to react to changes
dynamically. In NixOS these things are usually already taken care of
during stage 1 (early ramdisk) if you use them.
2013-08-25 13:58:09 +02:00
Lluís Batlle i Rossell
48cdd60e02 Fixing handling of parameters with spaces in torsocks/torify 2013-08-24 23:23:48 +02:00
Eelco Dolstra
9771f0c96c sshd: Support multiple host keys
The option services.openssh.hostKeys now allows specifying multiple
host keys.  The default value enables both a DSA and ECDSA key.
(Clients by default will use the ECDSA key, unless known_hosts already
has a DSA key for that host.)  To use only an ECDSA key, you can say:

  services.openssh.hostKeys =
    [ { path = "/etc/ssh/ssh_host_ecdsa_key";
        type = "ecdsa";
        bits = 521;
      }
    ];
2013-08-24 01:01:10 +02:00
Eelco Dolstra
c9b9f7ee1d Manual: Fix some links 2013-08-23 19:05:19 +02:00
Evgeny Egorochkin
f8a6fa774e SSH daemon: change default key size for RSA, add alert for weak keys. 2013-08-23 14:50:14 +03:00