Commit graph

10679 commits

Author SHA1 Message Date
Silvan Mosberger
be2f711342
Merge pull request #58487 from bgamari/gitlab-gitaly-procpc
gitaly: Run gitaly with procps in scope
2019-03-28 18:22:27 +01:00
Ben Gamari
af909b3238 nixos/gitlab: Package gitlab-rails
This utility (particularly `gitlab-rails console`) is packaged by GitLab
Omnibus and is used for diagnostics and maintenance operations.
2019-03-28 11:45:31 -04:00
Ben Gamari
b90f5f03c2 nixos/gitaly: Run gitaly with procps in scope
Gitaly uses `ps` to track the RSS of `gitlab-ruby` and kills it when it
detects excessive memory leakage. See
https://gitlab.com/gitlab-org/gitaly/issues/1562.
2019-03-28 10:48:51 -04:00
Florian Klink
6670b4c37d
Merge pull request #58419 from flokli/ldap-nslcd-startup
nixos/ldap: set proper User= and Group= for nslcd service
2019-03-28 14:30:14 +01:00
Florian Klink
8817bbefdb nixos/ldap: set proper User= and Group= for nslcd service
eb90d97009 broke nslcd, as /run/nslcd was
created/chowned as root user, while nslcd wants to do parts as nslcd
user.

This commit changes the nslcd to run with the proper uid/gid from the
start (through User= and Group=), so the RuntimeDirectory has proper
permissions, too.

In some cases, secrets are baked into nslcd's config file during startup
(so we don't want to provide it from the store).

This config file is normally hard-wired to /etc/nslcd.conf, but we don't
want to use PermissionsStartOnly anymore (#56265), and activation
scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf,
which now gets provisioned inside ExecStartPre=.

This change requires the files referenced to in
users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be
readable by the nslcd user (in the non-nslcd case, this was already the
case for users.ldap.bind.passwordFile)

fixes #57783
2019-03-28 13:08:47 +01:00
aszlig
52299bccf5
nixos/confinement: Use PrivateMounts option
So far we had MountFlags = "private", but as @Infinisil has correctly
noticed, there is a dedicated PrivateMounts option, which does exactly
that and is better integrated than providing raw mount flags.

When checking for the reason why I used MountFlags instead of
PrivateMounts, I found that at the time I wrote the initial version of
this module (Mar 12 06:15:58 2018 +0100) the PrivateMounts option didn't
exist yet and has been added to systemd in Jun 13 08:20:18 2018 +0200.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 20:34:32 +01:00
aszlig
861a1cec60
nixos/confinement: Remove handling for StartOnly
Noted by @Infinisil on IRC:

   infinisil: Question regarding the confinement PR
   infinisil: On line 136 you do different things depending on
              RootDirectoryStartOnly
   infinisil: But on line 157 you have an assertion that disallows that
              option being true
   infinisil: Is there a reason behind this or am I missing something

I originally left this in so that once systemd supports that, we can
just flip a switch and remove the assertion and thus support
RootDirectoryStartOnly for our confinement module.

However, this doesn't seem to be on the roadmap for systemd in the
foreseeable future, so I'll just remove this, especially because it's
very easy to add it again, once it is supported.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 20:22:37 +01:00
Maximilian Bosch
3fc3096da8
Merge pull request #58432 from aanderse/mailcatcher
nixos/mailcatcher: init module for existing package
2019-03-27 16:11:15 +01:00
Aaron Andersen
395ec8c0d4 nixos/mailcatcher: init module for existing package 2019-03-27 09:15:47 -04:00
Benjamin Hipple
8b3500c650 nixos.cron: fix docstring sentence 2019-03-26 23:22:20 -04:00
Silvan Mosberger
2a72707c1f
nixos/modules: Remove about 50 option renames from <=2015
These are all `mkRenamedOptionModule` ones from 2015 (there are none
from 2014). `mkAliasOptionModule` from 2015 were left in because those
don't give any warning at all.
2019-03-27 03:10:14 +01:00
Florian Klink
0a1451afe3 nixos/ldap: rename password file options properly
users.ldap.daemon.rootpwmodpw -> users.ldap.daemon.rootpwmodpwFile
users.ldap.bind.password -> users.ldap.bind.passwordFile

as users.ldap.daemon.rootpwmodpw never was part of a release, no
mkRenamedOptionModule is introduced.
2019-03-27 02:53:56 +01:00
Silvan Mosberger
8471ab7624
Merge pull request #57836 from reanimus/duo-secure-fail
nixos/security: make duo support secure failure correctly
2019-03-27 01:58:42 +01:00
Daiderd Jordan
018d329dbc
Merge pull request #57928 from averelld/plex-update
plex: 1.14.1.5488 -> 1.15.1.791
2019-03-26 20:22:34 +01:00
Florian Klink
476760bfeb
Merge pull request #57578 from bgamari/gitlab-extra-initializers
nixos/gitlab: Allow configuration of extra initializers
2019-03-26 11:08:11 +01:00
aszlig
68efd790b8
nixos: Don't enable Docker by default
Regression introduced by c94005358c.

The commit introduced declarative docker containers and subsequently
enables docker whenever any declarative docker containers are defined.

This is done via an option with type "attrsOf somesubmodule" and a check
on whether the attribute set is empty.

Unfortunately, the check was whether a *list* is empty rather than
wether an attribute set is empty, so "mkIf (cfg != [])" *always*
evaluates to true and thus subsequently enables docker by default:

$ nix-instantiate --eval nixos --arg configuration {} \
    -A config.virtualisation.docker.enable
true

Fixing this is simply done by changing the check to "mkIf (cfg != {})".

Tested this by running the "docker-containers" NixOS test and it still
passes.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @benley, @danbst, @Infinisil, @nlewo
2019-03-26 07:10:18 +01:00
Matthew Bauer
d468f4b27e
Merge pull request #57139 from delroth/firewall-dedup
nixos/firewall: canonicalize ports lists
2019-03-25 22:15:17 -04:00
Ben Gamari
f2bdc91b35 nixos/gitlab: Allow configuration of extra initializers
This adds a configuration option allowing the addition of additional
initializers in config/extra-gitlab.rb.
2019-03-25 15:18:35 -04:00
Jean-Baptiste Giraudeau
0333d877c2
Use same user for both prometheus 1 and 2. Use StateDirectory. 2019-03-25 14:49:22 +01:00
Jean-Baptiste Giraudeau
5ae25922b5
Prometheus2: --web.external-url need two dash. 2019-03-25 14:36:48 +01:00
Jean-Baptiste Giraudeau
bfbae97cfa
Rollback versionning of services.prometheus.{exporters, alertmanager}. 2019-03-25 14:36:46 +01:00
Alberto Berti
e17b464a43
Fix alertmanager service definition. Thanks to @eonpatapon 2019-03-25 14:36:45 +01:00
Alberto Berti
1b6ce80c2b
Make it pass a minimal test 2019-03-25 14:36:44 +01:00
Alberto Berti
11b89720b7
Add prometheus2 configuration to the prometheus modules
As the configuration for the exporters and alertmanager is unchanged
between the two major versions this patch tries to minimize
duplication while at the same time as there's no upgrade path from 1.x
to 2.x, it allows running the two services in parallel. See also #56037
2019-03-25 14:36:44 +01:00
Samuel Dionne-Riel
60847311e6 nixos/virtualbox-image: set the root fsType to reenable root FS resizing
This otherwise does not eval `:tested` any more, which means no nixos
channel updates.

Regression comes from 0eb6d0735f (#57751)
which added an assertion stopping the use of `autoResize` when the
filesystem cannot be resized automatically.
2019-03-24 22:41:26 -04:00
Danylo Hlynskyi
40cc269561
Merge branch 'master' into postgresql-socket-in-run 2019-03-25 01:06:59 +02:00
Benjamin Staffin
c94005358c NixOS: Run Docker containers as declarative systemd services (#55179)
* WIP: Run Docker containers as declarative systemd services

* PR feedback round 1

* docker-containers: add environment, ports, user, workdir options

* docker-containers: log-driver, string->str, line wrapping

* ExecStart instead of script wrapper, %n for container name

* PR feedback: better description and example formatting

* Fix docbook formatting (oops)

* Use a list of strings for ports, expand documentation

* docker-continers: add a simple nixos test

* waitUntilSucceeds to avoid potential weird async issues

* Don't enable docker daemon unless we actually need it

* PR feedback: leave ExecReload undefined
2019-03-25 00:59:09 +02:00
Bob van der Linden
d8dc1226f4
nixos/openvswitch: /var/run -> /run 2019-03-24 21:15:34 +01:00
Bob van der Linden
8c1e00095a
nixos/docker: /var/run -> /run 2019-03-24 21:15:34 +01:00
Bob van der Linden
1eefda5595
nixos/xpra: /var/run -> /run 2019-03-24 21:15:33 +01:00
Bob van der Linden
889bb1e91e
nixos/kodi: /var/run -> /run 2019-03-24 21:15:33 +01:00
Bob van der Linden
65710d1df5
nixos/mighttpd2: /var/run -> /run 2019-03-24 21:15:33 +01:00
Bob van der Linden
f09fb4d4dd
nixos/tt-rss: /var/run -> /run 2019-03-24 21:15:32 +01:00
Bob van der Linden
9b100c4e6f
nixos/selfoss: /var/run -> /run 2019-03-24 21:15:32 +01:00
Bob van der Linden
cdc6f2e484
nixos/restya-board: /var/run -> /run 2019-03-24 21:15:31 +01:00
Bob van der Linden
bde23ec9a3
nixos/codimd: /var/run -> /run 2019-03-24 21:15:31 +01:00
Bob van der Linden
60481ba3fd
nixos/hologram-agent: /var/run -> /run 2019-03-24 21:15:30 +01:00
Bob van der Linden
798931135e
nixos/fcron: /var/run -> /run 2019-03-24 21:15:30 +01:00
Bob van der Linden
0cf1944c36
nixos/cups: /var/run -> /run 2019-03-24 21:15:30 +01:00
Bob van der Linden
323e8ef375
nixos/xrdp: /var/run -> /run 2019-03-24 21:15:29 +01:00
Bob van der Linden
210b7134d3
nixos/wpa_supplicant: /var/run -> /run 2019-03-24 21:15:29 +01:00
Bob van der Linden
b9e27ec43e
nixos/supplicant: /var/run -> /run 2019-03-24 21:15:29 +01:00
Bob van der Linden
8062476f73
nixos/raccoon: /var/run -> /run 2019-03-24 21:15:28 +01:00
Bob van der Linden
34738dea2a
nixos/ocserv: /var/run -> /run 2019-03-24 21:15:28 +01:00
Bob van der Linden
cc5f08fed8
nixos/miniupnpd: /var/run -> /run 2019-03-24 21:15:28 +01:00
Bob van der Linden
321bc431cc
nixos/lldpd: /var/run -> /run 2019-03-24 21:15:27 +01:00
Bob van der Linden
1e48222cbe
nixos/ircd-hybrid: /var/run -> /run 2019-03-24 21:15:27 +01:00
Bob van der Linden
937e733c04
nixos/htpdate: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
1a567685b2
nixos/hostapd: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
82dee48ef2
nixos/bind: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
9afbe4c2bd
nixos/avahi-daemon: /var/run -> /run 2019-03-24 21:15:25 +01:00
Bob van der Linden
08558245a4
nixos/asterisk: /var/run -> /run 2019-03-24 21:13:19 +01:00
Dmitry Kalinkin
cf7f234ff5
Merge pull request #57527 from Chiiruno/dev/meguca
Init: statik, Update: easyjson, quicktemplate, meguca, hydron
2019-03-24 15:26:37 -04:00
Andreas Rammhold
af27dbf1d1
Merge pull request #57897 from rnhmjoj/fix-ipv6
nixos/containers: create veths if only IPv6 is configured
2019-03-24 18:17:06 +01:00
worldofpeace
ffe35f3f76 nixos/pantheon: add meta.maintainers 2019-03-24 07:04:28 -04:00
worldofpeace
f812cba2cf nixos/pantheon/files: add meta.maintainers 2019-03-24 07:04:28 -04:00
worldofpeace
415bceed8e nixos/pantheon/contractor: add meta.maintainers 2019-03-24 07:04:28 -04:00
worldofpeace
3565b1775a nixos/gsignond: add meta.maintainers 2019-03-24 07:04:28 -04:00
Tom Fitzhenry
0d67c6a52b syslinux: change serial bit rate to 115200
Prior to this commit an installation over serial via syslinux would
involve:
1. setting bitrate to BIOS's bitrate (typically 115200)
2. setting bitrate to syslinux's bitrate (38400)
3. setting bitrate to stty's bitrate (115200)

By changing syslinux's bitrate to 115200, an installation over serial
is a smoother experience, and consistent with the GRUB2 installation
which is also 115200 bps.

    [root@nixos:~]# stty
    speed 115200 baud; line = 0;
    -brkint ixoff iutf8
    -iexten

In a future commit I will add default serial terminals to the syslinux
kernel lines.
2019-03-24 19:36:30 +11:00
Dmitry Kalinkin
6f95ac3588
Merge pull request #57988 from lopsided98/buildbot-update
buildbot: 1.8.1 -> 2.1.0
2019-03-23 20:38:20 -04:00
markuskowa
d71472beaf
Merge pull request #57434 from ck3d/user-dwm
nixos dwm: start user installed dwm if available
2019-03-23 23:49:34 +01:00
Ben Gamari
2036550a46 nixos/docker-registry: Allow use of non-filesystem storage
Previously this module precluded use of storage backends other than
`filesystem`. It is now possible to configure another storage backend
manually by setting `services.dockerRegistry.storagePath` to `null` and
configuring the other backend via `extraConfig`.
2019-03-23 10:32:56 +00:00
tv
59fac1a6d7 nixos/nginx: use writeNginxConfig 2019-03-23 11:16:14 +01:00
Frederik Rietdijk
23e431387b Merge staging-next into staging 2019-03-23 09:20:09 +01:00
Okina Matara
40d7079f79
nixos/meguca: Add videoPaths, set postgresql version to 11 2019-03-23 01:19:29 -05:00
Ben Wolsieffer
b2e11e0cdf buildbot: 1.8.1 -> 2.1.0 2019-03-22 18:43:15 -04:00
Averell Dalton
028a4b6a53 plex: 1.14.1.5488 -> 1.15.2.793 2019-03-22 20:33:22 +01:00
Sarah Brofeldt
78c95f561f
Merge pull request #58031 from dotlambda/elasticsearch-curator-application
elasticsearch-curator: add top-level package using older click
2019-03-22 20:11:54 +01:00
Gabriel Ebner
03f7c82e62
Merge pull request #57826 from gebner/anbox
anbox: init at 2019-03-07
2019-03-22 19:19:47 +01:00
Dmitry Kalinkin
0e57b98b2c
Merge pull request #57596 from artemist/nginx-return
nixos/nginx: add return option to location
2019-03-22 14:08:33 -04:00
Vladimír Čunát
4c3ec0e325
nixos docs: run the formatting tool (no content change)
As documented in the docs themselves :-)
2019-03-22 14:44:11 +01:00
lewo
715365ee02
Merge pull request #58024 from nlewo/openstack-fstype
openstackImage: set the / fsType to reenable root FS resizing
2019-03-22 14:40:27 +01:00
lewo
c8a65c2d71
Merge pull request #57751 from talyz/master
filesystems: Add autoResize assertion
2019-03-22 14:35:57 +01:00
Vladimír Čunát
11d204a9c4
nixos docs: improve GPU driver documentation
I'm not 100% sure about the incompatibility lines,
but I believe it's better to discourage these anyway.
If you find better information, feel free to amend...

The 32-bit thing is completely GPU-agnostic, so I can't see why we had
it separately for proprietary drivers and missing for the rest.
2019-03-22 14:31:17 +01:00
Jörg Thalheim
e6ad7eeecd
Merge pull request #58055 from dtzWill/fix/zsh-history-dont-export-vars
zsh: don't export HISTFILE and friends
2019-03-22 07:02:29 +00:00
Wael M. Nasreddine
5af0780492
Merge remote-tracking branch 'origin/master' into staging
* origin/master: (693 commits)
  buildGoModule: use go_1_12 instead of go_1_11 (#58103)
  gitAndTools.lab: 0.15.2 -> 0.15.3 (#58091)
  signal-desktop: 1.22.0 -> 1.23.0
  added missing semicolon to documentation
  terminus_font_ttf: 4.46.0 -> 4.47.0
  buildGoModule: remove SSL env vars in favor of cacert in buildInputs (#58071)
  dav1d: init at 0.2.1
  dropbox-cli: 2018.11.28 -> 2019.02.14
  atlassian-confluence: 6.14.1 -> 6.14.2
  maintainers: update email for dywedir
  python.pkgs.hglib: use patch to specify hg path (#57926)
  chkrootkit: 0.52 -> 0.53
  radare2-cutter: 1.7.2 -> 1.8.0
  autorandr: 1.7 -> 1.8
  pythonPackages.pyhepmc: fix build
  llvm-polly/clang-polly: use latest llvm
  apulse: 0.1.11.1 -> 0.1.12, cleanup
  factorio: experimental 0.17.14 → 0.17.16 (#58000)
  sequeler: 0.6.7 -> 0.6.8
  nasc: 0.5.1 -> 0.5.2
  ...
2019-03-21 21:01:25 -07:00
Matthew Bauer
73be6fba8b
Merge pull request #54625 from FlorianFranzen/efi32
grub: Support 32bit EFI on 64bit platforms
2019-03-21 11:39:45 -04:00
Will Dietz
173f79f690 zsh: don't export HISTFILE and friends
Just set them normally.
Exporting them will propagate them to all executed programs
such as bash (as used by nix-shell or nix run),
and badness ensues when different formats are used.
2019-03-21 10:28:20 -05:00
Robert Schütz
c0409de98d elasticsearch-curator: add top-level package using older click
See https://github.com/NixOS/nixpkgs/pull/58023 for a discussion
of why this is necessary. The upstream issue can be found at
https://github.com/elastic/curator/pull/1280.
2019-03-21 11:53:32 +01:00
Antoine Eiche
f116d046f6 openstackImage: set the / fsType to reenable root FS resizing
Since 34234dcb51, the reisizefs tool is
embeded only if the `fsType` starts with `ext`. The default `fsType`
value is `auto`.
2019-03-21 10:04:07 +01:00
Alyssa Ross
0cd7f32a4c
Merge pull request #54627 from FlorianFranzen/waybar
waybar: init at 0.4.0
2019-03-20 23:38:04 +00:00
Samuel Leathers
439936101c
Merge pull request #57856 from Izorkin/zsh-options
nixos/zsh: enable configure history and custom options
2019-03-20 13:08:43 -04:00
Samuel Leathers
cafd07a54e
Merge pull request #56423 from Izorkin/nginx-unit
unit: add service unit and update package
2019-03-20 13:08:05 -04:00
rnhmjoj
552e583ef0
nixos/containers: create veths if only IPv6 is configured
This fixes the failing nixos.tests.containers-ipv6 test. Thanks to andir.
2019-03-20 04:38:10 +01:00
Bob van der Linden
40679eb3c8 nixos/zabbix: /var/run -> /run 2019-03-20 00:02:46 +01:00
Bob van der Linden
3068252913 nixos/nagios: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
78acc82432 nixos/svnserve: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
3f17dcbbfd nixos/spice-vdagentd: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
231d815721 nixos/mbpfan: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
e1376ddd3d nixos/matrix-synapse: /var/run -> /run 2019-03-20 00:02:45 +01:00
Bob van der Linden
c67f2f0815 nixos/spamassassin: /var/run -> /run 2019-03-20 00:02:44 +01:00
Bob van der Linden
edd5c88086 nixos/postgrey: /var/run -> /run 2019-03-20 00:02:44 +01:00
Bob van der Linden
0438ad4712 nixos/pfix-srsd: /var/run -> /run 2019-03-20 00:02:44 +01:00
Bob van der Linden
e8434784bd nixos/rethinkdb: /var/run -> /run 2019-03-20 00:02:43 +01:00
Bob van der Linden
af0380997f nixos/redis: /var/run -> /run 2019-03-20 00:02:43 +01:00
Bob van der Linden
09d3ea4f67 nixos/openldap: /var/run -> /run 2019-03-20 00:02:43 +01:00
Bob van der Linden
660ee99293 nixos/mongodb: /var/run -> /run 2019-03-20 00:02:43 +01:00
Bob van der Linden
651f05c47c nixos/couchdb: /var/run -> /run 2019-03-20 00:02:42 +01:00
Bob van der Linden
66fb3aa1be nixos/bacula: /var/run -> /run 2019-03-20 00:01:45 +01:00
Bob van der Linden
9d4bc79003 nixos/zsh: do not use /var/run 2019-03-20 00:01:45 +01:00
Bob van der Linden
8f6aaa8b78 nixos/xonsh: do not use /var/run 2019-03-20 00:01:45 +01:00
Bob van der Linden
45d43a6472 nixos/fish: do not use /var/run 2019-03-20 00:01:45 +01:00
Bob van der Linden
bad7d82487 nixos/bash: do not use /var/run 2019-03-20 00:01:45 +01:00
Jörg Thalheim
b488c60cdb network-manager: rename systemd service back to match upstream
Compatibility with other distributions/software and expectation
of users coming from other systems should have higher priority over consistency.
In particular this fixes #51375, where the NetworkManager-wait-online.service
broke as a result of this.
2019-03-19 23:48:08 +01:00
Alexey Shmalko
89845931e4
acpilight: add to module-list
acpilight package and module have been added to nixpkgs, but the
module hasn't been added to module-list.nix, so using it results in
the following error.

```
The option `hardware.acpilight' defined in `/etc/nixos/configuration.nix' does not exist.
```

Add the module to module-list.nix.
2019-03-19 23:21:36 +02:00
Peter Hoeg
fe97297bb1 logitech (nixos): support module for logitech input devices 2019-03-19 09:58:57 +08:00
Yurii Izorkin
f56d507e06 nixos/datadog-agent: change start command (#57871) 2019-03-18 13:31:04 -07:00
Izorkin
53d05fd0cc nixos/zsh: enable configure history and custom options 2019-03-18 19:57:54 +03:00
Florian Franzen
e51a840259 grub: Support 32bit EFI on 64bit x86 platforms 2019-03-18 10:38:07 +01:00
Florian Franzen
52d0db7e73 nixos/waybar: init module 2019-03-18 09:56:27 +01:00
Edward Tjörnhammar
0f03f28b75 nixos/anbox: init module
Co-authored-by: Luke Adams <luke.adams@belljar.io>
Co-authored-by: Volth <volth@webmaster.ms>
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
Co-authored-by: Edward Tjörnhammar <ed@cflags.cc>
Co-authored-by: Gabriel Ebner <gebner@gebner.org>
2019-03-18 09:28:02 +01:00
Alex Guzman
0c34b9fcf8
nixos/security: make duo support secure failure correctly
seems that this got broken when the config option was made to use enums. "secure" got replaced with "enum", which isn't a valid option for the failure mode.
2019-03-17 18:25:20 -07:00
Izorkin
42a99b1be2 nixos/unit: init service unit 2019-03-16 19:54:21 +03:00
talyz
0eb6d0735f filesystems: Add autoResize assertion
Assert that autoResize is only used when fsType is explicitly set to a
supported filesystem: if it's set to "auto", the default, the required
resizing tools won't be copied into the initrd even if the actual
filesystem is supported.
2019-03-16 13:01:35 +01:00
Vladimír Čunát
3aecf21239
Merge #56922: nixos/knot: init basic service + tests 2019-03-16 09:17:15 +01:00
Silvan Mosberger
056b9d0085
Merge pull request #57633 from talyz/master
amazon-image.nix: Resolve failure to include resize2fs
2019-03-16 05:12:05 +01:00
Janne Heß
b0daedd371 nixos/icingaweb2: Replace most options with toINI 2019-03-15 20:35:29 +01:00
talyz
261372b69c amazon-image.nix: Resolve failure to include resize2fs
Since 34234dcb51, for resize2fs to be automatically included in
initrd, a filesystem needed for boot must be explicitly defined as an
ext* type filesystem.
2019-03-15 17:33:45 +01:00
Florian Jacob
5bec5e8cb1 nixos/mysql: specify option types 2019-03-15 16:32:36 +01:00
Silvan Mosberger
f8de52a2fe
Revert "nixos/nginx: support h2c" 2019-03-15 14:31:11 +01:00
Ryan Mulligan
4b6a41a939
Merge pull request #57077 from callahad/brother-dsseries
dsseries: init at 1.0.5-1
2019-03-14 21:17:31 -07:00
aszlig
ef553788d0
postgresql: Move socket dir to /run/postgresql
The default, which is /tmp, has a few issues associated with it:

One being that it makes it easy for users on the system to spoof a
PostgreSQL server if it's not running, causing applications to connect
to their provided sockets instead of just failing to connect.

Another one is that it makes sandboxing of PostgreSQL and other services
unnecessarily difficult. This is already the case if only PrivateTmp is
used in a systemd service, so in order for such a service to be able to
connect to PostgreSQL, a bind mount needs to be done from /tmp to some
other path, so the service can access it. This pretty much defeats the
whole purpose of PrivateTmp.

We regularily run into issues with this in the past already (one example
would be https://github.com/NixOS/nixpkgs/pull/24317) and with the new
systemd-confinement mode upcoming in
https://github.com/NixOS/nixpkgs/pull/57519, it makes it even more
tedious to sandbox services.

I've tested this change against all the postgresql NixOS VM tests and
they still succeed and I also grepped through the source tree to replace
other occasions where we might have /tmp hardcoded. Luckily there were
very few occasions.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @ocharles, @thoughtpolice, @danbst
2019-03-15 04:52:35 +01:00
aszlig
d13ad389b4
nixos/confinement: Explicitly set serviceConfig
My implementation was relying on PrivateDevices, PrivateTmp,
PrivateUsers and others to be false by default if chroot-only mode is
used.

However there is an ongoing effort[1] to change these defaults, which
then will actually increase the attack surface in chroot-only mode,
because it is expected that there is no /dev, /sys or /proc.

If for example PrivateDevices is enabled by default, there suddenly will
be a mounted /dev in the chroot and we wouldn't detect it.

Fortunately, our tests cover that, but I'm preparing for this anyway so
that we have a smoother transition without the need to fix our
implementation again.

Thanks to @Infinisil for the heads-up.

[1]: https://github.com/NixOS/nixpkgs/issues/14645

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-15 04:13:01 +01:00
Silvan Mosberger
fb879ae920
Merge pull request #57174 from worldofpeace/pantheon/cleanup
nixos/pantheon cleanup
2019-03-15 01:26:49 +01:00
aszlig
9e9af4f9c0
nixos/confinement: Allow to include the full unit
From @edolstra at [1]:

  BTW we probably should take the closure of the whole unit rather than
  just the exec commands, to handle things like Environment variables.

With this commit, there is now a "fullUnit" option, which can be enabled
to include the full closure of the service unit into the chroot.

However, I did not enable this by default, because I do disagree here
and *especially* things like environment variables or environment files
shouldn't be in the closure of the chroot.

For example if you have something like:

  { pkgs, ... }:

  {
    systemd.services.foobar = {
      serviceConfig.EnvironmentFile = ${pkgs.writeText "secrets" ''
        user=admin
        password=abcdefg
      '';
    };
  }

We really do not want the *file* to end up in the chroot, but rather
just the environment variables to be exported.

Another thing is that this makes it less predictable what actually will
end up in the chroot, because we have a "globalEnvironment" option that
will get merged in as well, so users adding stuff to that option will
also make it available in confined units.

I also added a big fat warning about that in the description of the
fullUnit option.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 20:04:33 +01:00
aszlig
46f7dd436f
nixos/confinement: Allow to configure /bin/sh
Another thing requested by @edolstra in [1]:

  We should not provide a different /bin/sh in the chroot, that's just
  asking for confusion and random shell script breakage. It should be
  the same shell (i.e. bash) as in a regular environment.

While I personally would even go as far to even have a very restricted
shell that is not even a shell and basically *only* allows "/bin/sh -c"
with only *very* minimal parsing of shell syntax, I do agree that people
expect /bin/sh to be bash (or the one configured by environment.binsh)
on NixOS.

So this should make both others and me happy in that I could just use
confinement.binSh = "${pkgs.dash}/bin/dash" for the services I confine.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:05 +01:00
aszlig
0ba48f46da
nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:03 +01:00
aszlig
ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Matthew Bauer
b703c4d998 plasma5: fix typo from pr #57037
Thanks @Yarny0
2019-03-14 14:09:13 -04:00
Martin Weinelt
a978d3dcd2
nixos/knot: init 2019-03-14 01:28:53 +01:00
Michael Weiss
9179a3a406
Merge pull request #57414 from primeos/sway-1.0
sway: Switch to 1.0
2019-03-13 22:40:37 +01:00
Artemis Tosini
fee854ed01
nixos/nginx: add return option to location 2019-03-13 17:31:01 +00:00
Andrew Childs
c53703a6b2 nixos/prometheus: use append instead of insert for opening firewalls (#55224)
Inserting with `-I` causes the rules to placed before `ctstate`
tracking, while `-A` places them alongside all other allow rules.
2019-03-13 12:44:36 +02:00
Michael Weiss
578fe3f5a0
nixos/sway: Improve the module and adapt it to NixOS
This commit contains the following changes:
- nixos/sway: Remove the beta references
- sway: Drop buildDocs
- nixos/sway: Improve the documentation
- sway,nixos/sway: Adapt Sway to NixOS
  - Copy the default configuration file to /etc/sway/config (Sway will
    still load the identical file from the Nix store but this makes it
    easier to copy the default configuration file).
  - This will also remove all references to the Nix store from the
    default configuration file as they will eventually be garbage
    collected which is a problem if the user copies it.
  - I've also decided to drop the default wallpaper (alternatively we
    could copy it to a fixed location).
- nixos/sway: Drop the package option
2019-03-13 11:37:11 +01:00
Léo Gaspard
f7fb88c324
iso-image: make reproducible by not relying on mcopy's readdir 2019-03-13 03:19:40 +01:00
Michael Weiss
45004c6f63
sway: Switch to 1.0
This is the result of executing:
git mv -f pkgs/applications/window-managers/sway/beta.nix pkgs/applications/window-managers/sway/default.nix
git mv -f nixos/modules/programs/sway-beta.nix nixos/modules/programs/sway.nix

And removing sway-beta from the following files:
pkgs/top-level/all-packages.nix
nixos/modules/module-list.nix
2019-03-12 22:29:39 +01:00
Markus
7e71cd8292 nixos/flannel: Add iptables package to service path 2019-03-12 15:30:33 +00:00
Johan Thomsen
292c1ce7ff nixos/gitlab: added gzip and bzip2 as dependencies for gitaly 2019-03-12 15:04:45 +00:00
Matthew Bauer
7890494813
Merge pull request #57037 from matthewbauer/remove-xdg-desktop-menu-dummy
plasma: handle kbuildsycoca5 better
2019-03-11 22:58:40 -04:00
Christian Kögler
9f7f16cd7b nixos dwm: start user installed dwm if available
dwm has no configuration file. The user has to install his own version.
2019-03-11 20:18:08 +01:00
Vladimír Čunát
8d502fd425
Merge branch 'staging-next' into staging 2019-03-10 08:05:27 +01:00
Matthew Bauer
8a08d7e7cc
Merge pull request #56031 from matthewbauer/priorities
Add some more priorities
2019-03-09 18:02:55 -05:00
worldofpeace
36d4dba317 nixos/pantheon: more mkDefault 2019-03-09 17:29:29 -05:00
worldofpeace
c41a2d28d3 nixos/pantheon: cleanup systemPackages
We don't need gnome-bluetooth because its executables
path is already hardcoded into the contractor file, as that's
the only place it is needed.
Don't think we need gnome-power-manager either.

Also add programs like geary to removePackagesByName.
2019-03-09 17:29:08 -05:00
Silvan Mosberger
6ad76ff1ba
Merge pull request #52096 from furrycatherder/davmail
nixos/davmail: init
2019-03-09 22:41:55 +01:00
Matthew Bauer
a923a5bbdc
ova: remove stateVersion
This is undefined in the default configuration.nix template.
2019-03-09 14:25:05 -05:00
Pierre Bourdon
18bc8203a1
nixos/firewall: canonicalize firewall ports lists
Fixes #56086.
2019-03-09 20:02:04 +01:00
Pierre Bourdon
843215ac1c
nixos/firewall: use types.port where appropriate 2019-03-09 19:45:11 +01:00
Sean Haugh
f2730d881b nixos/davmail: init
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
Co-authored-by: Silvan Mosberger <infinisil@icloud.com>
2019-03-09 12:05:15 -06:00
scaroo
56aa491ad7 zonminder: Fix database name and username
PR #56889 messed up db and use naming while fixing the scope of the initialDatabases property.
This patch fixes the issue.
2019-03-09 17:21:29 +01:00