Commit graph

11672 commits

Author SHA1 Message Date
Kai Wohlfahrt
337bc20e5f kerberos: Add tests/kerberos to release.nix 2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
ade842f51a kerberos: move user binaries to default output
The intention of the previous change was to move krb5-config to .dev (it
gives the locations of headers), but it grabbed all of the user-facing
binaries too. This puts them back.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
d752677b1b kerberos: explicitly install krb5Full.dev for tests
This contains all of the user binaries as of 13e6a5c.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
f5b4918de4 kerberos_server: ensure only one realm configured
Leave options for multiple realms for similarity to krb5, and future
expansion. Currently not tested because I can't make it work and don't need
it.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
4e4a599e7e kerberos_server: Keep ACL file in store
Could also move kdc.conf, but this makes it inconvenient to use command line
utilities with heimdal, as it would require specifying --config-file with every
command.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
6cca9c0f9f kerberos-server: add kerberos option
Allow switching out kerberos server implementation.

Sharing config is probably sensible, but implementation is different enough to
be worth splitting into two files. Not sure this is the correct way to split an
implementation, but it works for now.

Uses the switch from config.krb5 to select implementation.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
fe8f2b8813 kerberos-server: switch to ExecStart
script causes problems for forking services like MIT Kerberos.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
4f9af77287 kerberos-server: cleanup of kerberos.nix
General cleanup before adding more options.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
ee3bd730d4 kerberos-server: move kadmind to systemd
Don't use socket activation, as inetd is discouraged by heimdal documentation.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt
dfdd348206 kerberos-server: Fix sbin paths
tcpd doesn't have sbin anymore (so it was broken), and heimdal just symlinks to
bin.
2018-12-11 13:33:10 +00:00
Frederik Rietdijk
e0950ae9ad Merge master into staging-next 2018-12-08 12:40:13 +01:00
Graham Christensen
ca3f089a83
Merge pull request #51314 from Izorkin/mariadb-my.cnf
mariadb: change location configuration file to /etc/my.cnf
2018-12-07 15:37:53 -05:00
Frederik Rietdijk
5f554279ec Merge master into staging-next 2018-12-07 15:22:35 +01:00
Renaud
0eb2f4b5f5
Merge pull request #50809 from sorki/wireguard_containers_wont_modprobe
wireguard: don't modprobe if boot.isContainer is set
2018-12-07 11:06:28 +01:00
lewo
f7e67be1dc
Merge pull request #51528 from grahamc/buildImage-on-layered-image
dockertools buildImage: support new-style image specs
2018-12-07 09:44:58 +01:00
aszlig
776f084cf1
nixos/tests: Fix wrong arch in runInMachine test
Since 83b27f60ce, the tests were moved
into all-tests.nix and some of the tooling has changed so that
subattributes of test expressions are now recursively evaluated until a
derivation with a .test attribute has been found.

Unfortunately this isn't the case for all of the tests and the
runInMachine doesn't use the makeTest function other tests are using but
instead uses runInMachine, which doesn't generate a .test attribute.

Whener a .test attribute wasn't found by the new handleTest function, it
recurses down again until there is no value left that is an attribute
set and subsequently returns its unchanged value. This however has the
drawback that instead of getting different attributes for each
architecture we only get the last architecture in the supportedSystems
list.

In the case of the release.nix, the last architecture in
supportedSystems is "aarch64-linux", so the runInMachine test is always
built on that architecture.

In order to work around this, I changed runInMachine to emit a .test
attribute so that it looks to handleTest like it was a test created via
makeTest.

Signed-off-by: aszlig <aszlig@nix.build>
2018-12-07 05:56:53 +01:00
Peter Hoeg
728aaf4af6
Merge pull request #51622 from dotlambda/home-assistant-0.83
home-assistant: 0.82.1 -> 0.83.3
2018-12-07 09:24:16 +08:00
Samuel Dionne-Riel
70488665fa
Merge pull request #51207 from samueldr/fix/sd-image-slimming
sd-image: Slims the ext4 filesystem even more.
2018-12-06 23:35:09 +00:00
Robert Schütz
b63bb15612 home-assistant: 0.82.1 -> 0.83.3 2018-12-06 14:59:27 +01:00
Graham Christensen
c88337c9ac
dockerTools.buildImage: support using a layered image in fromImage
Docker images used to be, essentially, a linked list of layers. Each
layer would have a tarball and a json document pointing to its parent,
and the image pointed to the top layer:

    imageA  ----> layerA
                    |
                    v
                  layerB
                    |
                    v
                  layerC

The current image spec changed this format to where the Image defined
the order and set of layers:

    imageA  ---> layerA
            |--> layerB
            `--> layerC

For backwards compatibility, docker produces images which follow both
specs: layers point to parents, and images also point to the entire
list:

    imageA  ---> layerA
            |      |
            |      v
            |--> layerB
            |      |
            |      v
            `--> layerC

This is nice for tooling which supported the older version and never
updated to support the newer format.

Our `buildImage` code only supported the old version, so in order for
`buildImage` to properly generate an image based on another image
with `fromImage`, the parent image's layers must fully support the old
mechanism.

This is not a problem in general, but is a problem with
`buildLayeredImage`.

`buildLayeredImage` creates images with newer image spec, because
individual store paths don't have a guaranteed parent layer. Including
a specific parent ID in the layer's json makes the output less likely
to cache hit when published or pulled.

This means until now, `buildLayeredImage` could not be the input to
`buildImage`.

The changes in this PR change `buildImage` to only use the layer's
manifest when locating parent IDs. This does break buildImage on
extremely old Docker images, though I do wonder how many of these
exist.

This work has been sponsored by Target.
2018-12-05 14:25:54 -05:00
Pierre Bourdon
3873f43fc3 prometheus/exporters: fix regression in DynamicUser behavior
Instead of setting User/Group only when DynamicUser is disabled, the
previous version of the code set it only when it was enabled. This
caused services with DynamicUser enabled to actually run as nobody, and
services without DynamicUser enabled to run as root.

Regression from fbb7e0c82f.
2018-12-05 11:26:38 +01:00
Pierre Bourdon
199b4c4743 prometheus/exporters/tor: make CPython happy by defining $HOME 2018-12-05 11:26:38 +01:00
Florian Klink
5c82aa8854 pkgsi686Linux.nixosTests.gitlab: fix 32 bit tests
GitLab 11.5.1 dropped the dependency to posix_spawn, which is broken on
32bit. (See https://gitlab.com/gitlab-org/gitlab-ce/issues/53525)

The only part missing is decreasing virtualisation.memorySize to
something that a 32 bit qemu still executes.

The maximum seems to be 2047, and tests passed with that value for me.
2018-12-05 10:47:18 +01:00
Austin Seipp
2a22554092 nixos/cockroachdb: simplify dataDir management, tweaks
This cleans up the CockroachDB expression, with a few suggestions from
@aszlig.

However, it brought up the note of using systemd's StateDirectory=
directive, which is a nice feature for managing long-term data files,
especially for UID/GID assigned services. However, it can only manage
directories under /var/lib (for global services), so it has to introduce
a special path to make use of it at all in the case someone wants a path
at a different root.

While the dataDir directive at the NixOS level is _occasionally_ useful,
I've gone ahead and removed it for now, as this expression is so new,
and it makes the expression cleaner, while other kinks can be worked out
and people can test drive it.

CockroachDB's dataDir directive, instead, has been replaced with
systemd's StateDirectory management to place the data under
/var/lib/cockroachdb for all uses.

There's an included RequiresMountsFor= clause like usual though, so if
people want dependencies for any kind of mounted device at boot
time/before database startup, it's easy to specify using their own
mount/filesystems clause.

This can also be reverted if necessary, but, we can see if anyone ever
actually wants that later on before doing it -- it's a backwards
compatible change, anyway.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-04 19:44:16 -06:00
Florian Klink
0834e98ece
Merge pull request #51393 from arianvp/container-names
nixos/containers: Add assertion for container name length
2018-12-05 01:25:16 +01:00
Tim Steinbach
16f42b3694 kafka: Add 2.1 2018-12-05 00:06:07 +00:00
Tim Steinbach
7c5d43f4f5 kafka: Add test for 2.0 2018-12-05 00:06:07 +00:00
Jörg Thalheim
7dbb64aca4
Merge pull request #51493 from marsam/feature/docs-remove-nix-repl-references
docs: Remove nix-repl references
2018-12-04 10:53:09 +00:00
Renaud
68b17ada12
Merge pull request #51475 from redvers/update/mediawiki
mediawiki: 1.29.1 -> 1.31.1
2018-12-04 08:06:57 +01:00
Mario Rodas
f1dd6faaaa
docs: Remove nix-repl references
nix-repl has been deprecated
2018-12-03 21:37:54 -05:00
Jörg Thalheim
958d8e625e
Merge pull request #49392 from uvNikita/nixos/containers/veths
nixos/containers: don't create veths if not configured
2018-12-03 23:44:50 +00:00
Red Davies
4173b845ca mediawiki: 1.29.1 -> 1.31.1
1.29.1 is out of support and has security vulnerabilities. 1.31.1 is current LTS.
2018-12-03 21:04:08 +00:00
Bjørn Forsman
bb94d419fb nixos/jenkins-job-builder: add accessTokenFile option
The new option allows storing the secret access token outside the world
readable Nix store.
2018-12-03 17:07:29 +01:00
Bjørn Forsman
8ebfd5c45c nixos/jenkins-job-builder: stop reloadScript on error
Currently there are two calls to curl in the reloadScript, neither which
check for errors. If something is misconfigured (like wrong authToken),
the only trace that something wrong happened is this log message:

  Asking Jenkins to reload config
  <h1>Bad Message 400</h1><pre>reason: Illegal character VCHAR='<'</pre>

The service isn't marked as failed, so it's easy to miss.

Fix it by passing --fail to curl.

While at it:
* Add $curl_opts and $jenkins_url variables to keep the curl command
  lines DRY.
* Add --show-error to curl to show short error message explanation when
  things go wrong (like HTTP 401 error).
* Lower-case the $CRUMB variable as upper case is for exported environment
  variables.

The new behaviour, when having wrong accessToken:

  Asking Jenkins to reload config
  curl: (22) The requested URL returned error: 401

And the service is clearly marked as failed in `systemctl --failed`.
2018-12-03 17:07:29 +01:00
Frederik Rietdijk
a510aa2672 Merge master into staging-next 2018-12-03 12:18:43 +01:00
Piotr Bogdan
9ca3414e05 nixos/cockroachdb: supply defaultText for the package option 2018-12-02 20:50:57 -06:00
Austin Seipp
4594b18070 nixos/chrony: fix misplaced ConditionCapability= directive
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-02 20:32:47 -06:00
Michael Weiss
fa5b8f82c5
Merge pull request #51316 from primeos/sway
nixos/sway-beta: Improve the wrapper
2018-12-02 22:03:31 +01:00
Izorkin
953be3e283 mariadb: change location configuration file to /etc/my.cnf 2018-12-02 22:15:02 +03:00
Silvan Mosberger
4afae70e2b
Merge pull request #48423 from charles-dyfis-net/bees
bees: init at 0.6.1; nixos/modules: services.bees init
2018-12-02 18:38:47 +01:00
Jörg Thalheim
50071c4475
Revert "nixos/luksroot: Check whether the device already exists"
This reverts commit 9cd4ce98bf.

This might be broken for some people: https://github.com/NixOS/nixpkgs/pull/50281#issuecomment-443516289
2018-12-02 17:27:35 +00:00
markuskowa
506d4c7e44
Merge pull request #51329 from c0bw3b/cleanup/gnu-https
Favor HTTPS URLs - the GNU edition
2018-12-02 16:52:33 +01:00
c0bw3b
0498ccd076 Treewide: use HTTPS on GNU domains
HTTP -> HTTPS for :
- http://gnu.org/
- http://www.gnu.org/
- http://elpa.gnu.org/
- http://lists.gnu.org/
- http://gcc.gnu.org/
- http://ftp.gnu.org/ (except in fetchurl mirrors)
- http://bugs.gnu.org/
2018-12-02 15:51:59 +01:00
Arian van Putten
bf102825ef nixos/containers: Add assertion for container name length
When privateNetwork is enabled, currently the container's interface name
is derived from the container name. However, there's a hard limit
on the size of interface names. To avoid conflicts and other issues,
we set a limit on the container name when privateNetwork is enabled.

Fixes #38509
2018-12-02 15:26:39 +01:00
Bas van Dijk
7035598251
Merge pull request #51225 from LumiGuide/elk-6.5.1
elk: 6.3.2 -> 6.5.1
2018-12-02 14:44:47 +01:00
Jörg Thalheim
31f67bed5b
Merge pull request #51379 from Gerschtli/add/programs-nm-applet
nixos/nm-applet: add nm-applet program
2018-12-02 11:49:45 +00:00
Jan Tojnar
a51a99c690
gobject-introspection: rename package
camelCase package name was a huge inconsistency in GNOME package set.
2018-12-02 12:42:29 +01:00
Jörg Thalheim
b3662053b3
nixos/nm-applet: make the module smaller
more readable imho
2018-12-02 11:38:47 +00:00
Tobias Happ
95cbb71abe nixos/nm-applet: add nm-applet program 2018-12-02 12:18:47 +01:00
John Boehr
4226ddc034 nixos/cockroachdb: create new service
This also includes a full end-to-end CockroachDB clustering test to
ensure everything basically works. However, this test is not currently
enabled by default, though it can be run manually. See the included
comments in the test for more information.

Closes #51306. Closes #38665.

Co-authored-by: Austin Seipp <aseipp@pobox.com>
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-01 19:07:49 -06:00