Commit graph

4698 commits

Author SHA1 Message Date
obadz
57b7c3c545 nixos-install: more robust way of sourcing fresh version of self 2016-08-09 21:39:40 +01:00
Robin Gloster
3cf5d5ebed nginx module: fixup events in config 2016-08-09 17:11:28 +00:00
aszlig
f8fad62c8e
Merge branch 'nixpkgs-git-revision-fix'
Addresses #17218 in a better way in that it doesn't create a
".git-revision" file on every nixos-rebuild, because we already have
".git" available. Even if we don't nixos-rebuild can't create the
"git-revision" file.

Tested via:

nix-build -E '(import ./nixos/tests/make-test.nix {
  name = "foo";
  machine = {};
  testScript = "startAll; $machine->execute(\"nixos-version >&2\");";
})'

Closes: #17610
Acked-by: @bennofs
2016-08-09 17:34:35 +02:00
aszlig
0b9d9eded1
nixos/version: Try to get Git revison from .git
Let's first try if we can determine the Git revision from the .git
directory and if that fails, fall back to get the info from the
".git-revision" file... and after that use something generic like
"master".

This should address #17218 in better way, because we don't need to
create another redundant file in the source checkout of nixpkgs.

I'm not going to route of falling back to using .git, because after
55d881e, we already have ".git-revision" files in people's Git
repositories, which in turn means that nixos-version will report that
old file every time even if the working tree has updated.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @bennofs, Profpatsch
Reported-by: @devhell
Fixes: #17218
2016-08-09 14:18:20 +02:00
aszlig
55d881eea3
Revert adding .git-revision unconditionally
This reverts commit 1e534e234b.

We already should have a .git directory if it is managed via Git,
otherwise there is no way to get the Git revision if neither
.git-revision or .git is present.

But having .git-revision _and_ .git present seems very much redundant to
me.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @bennofs, @Profpatsch
Issue: #17218
2016-08-09 14:15:06 +02:00
Robin Gloster
b0b0a45bb1 nginx module: fix cfg.config backwards compatibility
fixes #17604
2016-08-09 12:02:21 +00:00
Thomas Tuegel
68922e3f74 nixos/stage-1: use readlink -e in builder
The builder has this convoluted `while` loop which just replicates
`readlink -e`. I'm sure there was a reason at one point, because the
loop has been there since time immemorial. It kept getting copied
around, I suspect because nobody bothered to understand what it actually
did.

Incidentally, this fixes #17513, but I have no idea why.
2016-08-08 09:45:45 -05:00
Thomas Tuegel
ee36bb8588 nixos/stage-1: fix antiquotation 2016-08-08 09:28:17 -05:00
Profpatsch
85ed3ca9c7 libinput.accelProfile: improve docs & new default
The link to some (of course non-existing, i.e. freedesktop) “libinput”
documentation is replaced by a piece of the API documentation.

The default is changed since the documentation suggests `adaptive`
should be it.
https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79

Also fix a missing string conversion for `scrollButton`.
2016-08-08 14:01:07 +02:00
Wout Mertens
db8401f603 Merge pull request #17100 from abbradar/resume-delay
nixos stage-1: wait for resume devices to appear
2016-08-08 11:34:38 +02:00
Nikolay Amiantov
1e8894f085 unity3d: use chromium-suid-sandbox 2016-08-08 10:49:00 +03:00
Nikolay Amiantov
b2413e48ae chromium-suid-sandbox module: fix description 2016-08-08 10:17:31 +03:00
Al Zohali
2aba1c4962 phpfpm service: restructured pool configuration
From @fpletz: Keep poolConfigs option for backwards-compatibility.

The original commit 6b3f5b5a42 was previously
reverted by c7860cae1a but the issues were
resolved.
2016-08-08 05:53:53 +02:00
Nikolay Amiantov
986a40421a nixos stage-1: wait for devices during resumption attempt
Also a microimprovement -- use `test -n` instead of `test -e`
since we have already checked that the file exists.
2016-08-08 01:35:43 +03:00
Nikolay Amiantov
3ae468e835 nixos stage-1: move resumption below helper functions' definitions 2016-08-08 01:34:23 +03:00
Nikolay Amiantov
59aa3bb5c8 nixos stage-1: factor device waiting into a function 2016-08-08 01:32:18 +03:00
Rok Garbas
a741978f20 Merge pull request #17479 from elitak/factorio
Factorio: 0.13.8 -> 0.13.13, mod support
2016-08-07 04:09:52 +02:00
Paul Hendry
486b8e7f5c Add Terraria server service (#16832) 2016-08-07 03:58:38 +02:00
jokogr
adeab67bd8 syncthing service: add syncthing-inotify (#17320) 2016-08-06 17:20:18 +02:00
obadz
66d5edf654 chromium: add nixos module security.chromiumSuidSandbox
Closes #17460

Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.

Does not trigger a Chromium rebuild.

cc @cleverca22 @joachifm @jasom
2016-08-06 10:27:47 +01:00
Gabriel Ebner
22088b4b25 nixos/x11: make nvidia driver work again
The nvidia driver module directly sets the services.xserver.drivers
option, while still having nvidia/nvidiaBeta/... etc. in the
videoDrivers option.
2016-08-06 07:26:25 +02:00
Robin Gloster
f4e1041e31 Merge pull request #17503 from peterhoeg/ssh
ssh module: ignore exit code when socket activated
2016-08-05 19:58:06 +02:00
Joachim F
f044035a9e Merge pull request #17470 from layus/synaptics-conflict
Warn for conflict between synaptics and libinput
2016-08-05 19:26:07 +02:00
Gabriel Ebner
5e6ac5fcf3 nixos/x11: output sections for modesetting driver
See #17487.
2016-08-05 18:31:04 +02:00
Joachim F
632f9060f1 Merge pull request #17363 from MatrixAI/zsh-helpdir
zsh: Added HELPDIR variable for interactive shells
2016-08-05 16:45:28 +02:00
Franz Pletz
792f96fbc7 Merge pull request #17489 from mayflower/pkg/gitlab-8-10
gitlab: 8.5.12 -> 8.10.3, update module
2016-08-04 23:35:22 +02:00
Tuomas Tynkkynen
2ea72fa9c8 nixos/luksroot: Reference correct output of openssl 2016-08-04 23:12:39 +03:00
obadz
037d9c6cab nixos-install: add options --closure, --no-channel-copy, --no-root-passwd, and --no-bootloader
Closes #17236

nix-build -A tests.installer.simple '<nixos/release.nix>' succeeds ✓
2016-08-04 16:22:25 +01:00
Benno Fünfstück
3f3d18c017 Merge pull request #17218 from bennofs/fix-nixos-version
fix nixos-version --hash when building from git
2016-08-04 15:56:08 +02:00
Christian Kauhaus
ea7e705cd9 varnish: fix localstatedir for varnish* tools (#17508)
The varnish tools (varnishstat, varnishlog, ...) tried to load the VSM
file from a spurious var directory in the Nix store. Fix the default so
the tools "just work" when also keeping services.varnish.stateDir at the
default.

Notes:
- The tools use $localstatedir/$HOSTNAME so I've adapted the default for
  stateDir as well to contain hostName.
- Added postStop action to remove the localstatedir. There is no point
  in keeping it around when varnish does not run, as it regenerates it
  on startup anyway.

Fixes #7495
2016-08-04 15:25:23 +02:00
Peter Hoeg
c4cba0e51f ssh module: ignore exit code when socket activated
sshd will at times fail when exiting. When socket activated, this will
leave a number of sshd@ service instances in the failed state, so we
simply ignore the error code if we are running socket activated.

Recommended by upstream:
http://systemd-devel.freedesktop.narkive.com/d0eapMCG/socket-activated-sshd-service-showing-up-as-a-failure-when-the-client-connection-fails

Fixes: #3279
2016-08-04 16:47:44 +08:00
Damien Cassou
c5d9dc9cfa Merge pull request #17418 from DamienCassou/offlineimap-module-reporting
offlineimap's module: change UI to syslog
2016-08-04 08:33:20 +02:00
Franz Pletz
8a8971788c gitlab module: update documentation 2016-08-04 02:29:50 +02:00
Franz Pletz
d8fd06641a gitlab module: split up gitlab-runner script
The name gitlab-runner clashes with a component of Gitlab CI with the
same name and only confuses people. It's now called gitlab-bundle and
a convenience-script gitlab-rake for easier invocation of rake tasks
was added. This was the primary use case of gitlab-runner.
2016-08-04 02:29:45 +02:00
Franz Pletz
c39b6025d8 gitlab: 8.5.12 -> 8.10.3, update module
Fixes #14795.
2016-08-04 02:29:44 +02:00
Eric Litak
d33540734f factorio: rudimentary mod support for factorio's nixos module 2016-08-03 16:44:51 -07:00
Joachim F
772a7bb49b Merge pull request #17425 from joachifm/grsec-efi
grsecurity module: disable EFI runtime services by default
2016-08-03 10:48:25 +02:00
Guillaume Maudoux
0f0be5e498 Warn for conflict between synaptics and libinput 2016-08-03 08:15:18 +02:00
Eric Sagnes
338c425e08 hydra-module: add default to buildMachinesFiles 2016-08-03 13:14:12 +09:00
Eric Sagnes
128389b60c hydra-module: honor user and group ids 2016-08-03 13:13:57 +09:00
Casey Ransom
9ecc587e3b cassandra service: init
The module will configure a Cassandra server with common options being
tweakable. Included is also a test which will spin up 3 nodes and
verify that the cluster can be formed, broken, and repaired.
2016-08-02 20:58:35 -04:00
Rodney Lorrimar
6711e62d51 nixos manual: add Emacs section (fixes #13217)
In light of Emacs packaging improvements such as those mentioned
in #11503, and with the addition of a systemd service (#15807
and #16356), and considering that the wiki page is completely
out of date (#13217), it seems that some documentation is in order.
2016-08-02 11:17:52 +01:00
Joachim Fasting
43fc394a5c
grsecurity module: disable EFI runtime services by default
Enabling EFI runtime services provides a venue for injecting code into
the kernel.

When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services.  The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).

This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
2016-08-02 10:24:49 +02:00
Joachim Fasting
79ac02ed64
dnscrypt-proxy service: update resolver list 2016-08-02 09:36:22 +02:00
Franz Pletz
c90a43f4c5 nginx module: fix evaluation of root location option 2016-08-01 19:38:10 +02:00
Joachim Fasting
d1572d06fe
grsecurity module: correct internal note 2016-08-01 16:27:14 +02:00
Rok Garbas
34237beca6 Merge pull request #15862 from mayflower/nginx-module
Declarative nginx module with ACME support
2016-08-01 13:10:06 +02:00
Joachim Fasting
c91d07b668
dnscrypt-proxy module: types.string should be types.str 2016-08-01 12:55:42 +02:00
Eric Sagnes
c7bd26e537 version module: refactor with fileContents 2016-08-01 18:40:36 +09:00
Eelco Dolstra
83eb49220b Manual: Only include the release number (e.g. 16.03)
This prevents gratuitous rebuilds of the manual every time the Git
revision changes.

Should help a bit with #17261.
2016-08-01 11:10:21 +02:00
Eelco Dolstra
2a05368ff3 Remove $NIXOS_LABEL and $NIXOS_VERSION
Relying on environment variables to override configuration options is
ugly, and there is no reason for them.
2016-08-01 11:10:02 +02:00
Damien Cassou
19af5b444e offlineimap's module: change UI to syslog
The 'syslog' UI "allows better integration with systemd":
http://www.offlineimap.org/doc/Changelog.html#offlineimap-v660-rc2-2015-10-15
2016-08-01 09:37:53 +02:00
Franz Pletz
d7f7ef4c21 Merge pull request #15496 from kampfschlaefer/containers_more_veth_interfaces
Declarative containers: more veth interfaces
2016-07-31 19:13:59 +02:00
Langston Barrett
a28273df32 mopidy service: add default value for configuration (#17385)
Mopidy will start if the configuration is empty.

Fixes #17381.
2016-07-31 18:35:09 +02:00
Franz Pletz
76b21b7adb nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325)
Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.

Fixes #10101.
2016-07-31 13:49:24 +02:00
Profpatsch
8a6047a525 nixos/pulseaudio: increase service restart time
Pulseaudio doesn’t like being restarted too quickly.
2016-07-30 23:42:54 +02:00
Profpatsch
5074a79937 nixos/pulseaudio: tcp streaming & zeroconf
Adds options for tcp streaming and avahi zeroconf support (so that the
server can be easily found by clients).
There is also an option to allow anonymous clients to stream to the
server (by default pulseaudio uses a cookie mechanism, see manpage).
2016-07-30 23:42:54 +02:00
Thomas Tuegel
d5bec1a145 kde5: rename extra-cmake-modules variants
Instead of one package `extra-cmake-modules`, there is now `ecm` and
`ecmNoHooks`. The latter is used when one does not want to incur a Qt 5
dependency; it is also available as a top-level package
`extra-cmake-modules`.
2016-07-30 14:06:43 -05:00
Gabriel Ebner
07fc65289a nixos/x11: remove unneccessary special cases 2016-07-30 17:03:16 +02:00
Gabriel Ebner
5c9309c231 xorg.xorgserver: enable glamor support 2016-07-30 13:37:51 +02:00
Thomas Tuegel
3dea00d90e nixos/kde: phonon moved to qt5 2016-07-29 10:29:15 -05:00
Rob Vermaas
9494b764d2 dd-agent: support jmx, needs a separate daemon nowadays.
(cherry picked from commit 1425a1f964adc2e2eb668810f3f158089035cd3d)
2016-07-29 12:42:07 +00:00
Roger Qiu
c0ff64c2e8 zsh: Added HELPDIR variable for interactive shells, as the help directory is distribution specific, and will be useful for using run-help 2016-07-29 20:36:06 +10:00
Arnold Krille
9045a8e24c declarative containers: additional veths
With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network.

The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers.

Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing.
2016-07-28 23:06:41 +02:00
Eelco Dolstra
fd5bbdb436 nixos-containers: Set DevicePolicy=closed
This makes the container a bit more secure, by preventing root
creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)
2016-07-28 17:58:55 +02:00
Eelco Dolstra
bf3edfbb3c nixos-containers: Use systemd 231's --notify-ready flag 2016-07-28 17:58:52 +02:00
Robin Gloster
a193fecf0e nginx module: improve statusPage generated code
Adds ::1 as allowed host and turns of access_log for the status page.
2016-07-28 11:59:13 +00:00
Robin Gloster
3ccfca7d6b nginx module: httpConfig backward compatibility
Revert httpConfig its old behaviour and make it mutually exclusive to
the new structured configuration. Adds appendHttpConfig to have the
ability to write custom config in the generated http block.
2016-07-28 11:59:13 +00:00
Robin Gloster
511410789b nginx module: make client_max_body_size configurable 2016-07-28 11:59:13 +00:00
Tristan Helmich
8c61b3af03 nginx: fixed duplicate http declaration 2016-07-28 11:59:13 +00:00
Robin Gloster
91680de317 nginx module: add statusPage option 2016-07-28 11:59:13 +00:00
Robin Gloster
a294ad01b3 nginx module: make recommended settings optional 2016-07-28 11:59:13 +00:00
Robin Gloster
186a8400ed nginx module: make httpConfig backward compatible 2016-07-28 11:59:13 +00:00
Robin Gloster
5dd7cf964a nginx module: improve documentation 2016-07-28 11:59:13 +00:00
Franz Pletz
de8008a1b1 nginx module: Enable http2 2016-07-28 11:59:13 +00:00
Franz Pletz
e982aeae6a nginx module: Add default proxy headers for tomcat 2016-07-28 11:59:13 +00:00
Robin Gloster
3830a890ab nginx module: add option to make vhost default 2016-07-28 11:59:13 +00:00
Robin Gloster
138945500e nginx module: implement basic auth 2016-07-28 11:59:13 +00:00
Robin Gloster
ff12ee35b7 nginx module: redirect to same protocol 2016-07-28 11:59:13 +00:00
Robin Gloster
e18f8e8b66 nginx module: turn off basic auth on acme locations 2016-07-28 11:59:13 +00:00
Franz Pletz
4e5c7913e9 nginx module: Add acmeFallbackHost vhost option 2016-07-28 11:59:13 +00:00
Franz Pletz
811f243ce6 nginx module: Add extraConfig for locations 2016-07-28 11:59:13 +00:00
Franz Pletz
d5a097fdb6 nginx module: Don't create acme certs if acme is not enabled 2016-07-28 11:59:13 +00:00
Tristan Helmich
c61157b7e6 nginx module: Add dhParams option 2016-07-28 11:59:13 +00:00
Tristan Helmich
35d76a72ab nginx module: Add sslCiphers option 2016-07-28 11:59:13 +00:00
Tristan Helmich
8bd1f401bb nginx module: Add sslProtocols option 2016-07-28 11:59:13 +00:00
Tristan Helmich
900b311a38 nginx module: Fix ACME extraDomains, fix challenge url to not redirect to allow renewals 2016-07-28 11:59:13 +00:00
Tristan Helmich
4676983990 nginx module: Add ACME support for ssl sites 2016-07-28 11:59:13 +00:00
Robin Gloster
f298be9ef4 nginx module: declarative config 2016-07-28 11:58:37 +00:00
Robin Gloster
356c2fe00d Revert "nginx: Verify that configuration is syntactically correct" (#17337) 2016-07-28 13:55:06 +02:00
Peter Hoeg
62f2f72e98 tmux module: do not override keys by default in VI mode (#17330)
We want to stick to upstream defaults as much as possible.

As pointed out by @8573 in #16999, this was not the case.
2016-07-28 13:10:42 +02:00
Peter Hoeg
65ef5d8f5b rspam module: use mkEnableOption
See #17329.
2016-07-28 07:06:35 +02:00
Franz Pletz
8a1e7cd556 rspamd service: fix runtime directory, log to syslog
Fixes #17144.
2016-07-28 06:22:29 +02:00
Franz Pletz
d23521b16c rmilter service: use runtime dirctory for socket 2016-07-28 06:22:23 +02:00
Robin Lambertz
b65e9d87e2 matrix-synapse: Only run StartPre script when data folder doesn't exist (#17216) 2016-07-28 04:13:21 +02:00
Franz Pletz
996c9837fa Merge pull request #17322 from RamKromberg/init/motif
motif: init at 2.3.6 & nedit: 5.6 -> 5.6a
2016-07-28 03:53:38 +02:00
Ram Kromberg
3800bb5017 motif: init at 2.3.6 2016-07-28 01:33:45 +03:00
Bjørn Forsman
c7860cae1a Revert "phpfpm service: restructured pool configuration"
This reverts commit 6b3f5b5a42 because it
introduced a non-backwards compatible change in the phpfpm interface,
without really needing to. The new interface, if needed, can be re-added
alongside the old interface.

Commit 98e419c0e2 ("tt-rss service: init at 16.3")
depends on the new interface, so this commit updates the tt-rss service
to work with the old services.phpfpm.poolConfigs interface.
2016-07-27 23:53:58 +02:00
Robin Lambertz
103805dec5 nginx: Verify that configuration is syntactically correct (#17208) 2016-07-27 22:24:08 +02:00
Shawn Warren
7234275cd5 bump gocd-server version to 16.6.0-3590 (#17304)
Update gocd-server package version to 16.6.0-3590 including new sha.  Modify heapSize
and maxMemory mkOption to accurately reflect their intended purpose of configuring
initial java heap sizes.
2016-07-27 18:44:28 +02:00