Commit graph

1088 commits

Author SHA1 Message Date
José Romildo Malaquias
9e99eed443 nixos/deepin-menu: init 2019-04-14 10:00:44 -03:00
Joachim F
5dafbb2cb1
Merge pull request #56719 from bricewge/miniflux-service
miniflux: add service
2019-04-12 09:57:30 +00:00
Frederik Rietdijk
d108b49168 Merge master into staging-next 2019-04-09 16:38:35 +02:00
Robin Gloster
a58ab8fc05
Merge pull request #58398 from Ma27/package-documize
documize-community: init at 2.2.1
2019-04-08 22:34:11 +00:00
Maximilian Bosch
acbb74ed18
documize-community: init at 2.2.1
Documize is an open-source alternative for wiki software like Confluence
based on Go and EmberJS. This patch adds the sources for the community
edition[1], for commercial their paid-plan[2] needs to be used.

For commercial use a derivation that bundles the commercial package and
contains a `$out/bin/documize` can be passed to
`services.documize.enable`.

The package compiles the Go sources, the build process also bundles the
pre-built frontend from `gui/public` into the binary.

The NixOS module generates a simple `systemd` unit which starts the
service as a dynamic user, database and a reverse proxy won't be
configured.

[1] https://www.documize.com/get-started/
[2] https://www.documize.com/pricing/
2019-04-08 23:54:57 +02:00
Jeremy Apthorp
e8b68dd4f4 miniflux: add service 2019-04-06 03:52:15 +02:00
Gabriel Ebner
ad5cabf575 nixos/evince: init 2019-04-05 15:03:31 +02:00
Peter Hoeg
61613a2512
Merge pull request #57337 from peterhoeg/m/logitech
nixos: better support for logitech devices and update relevant packages
2019-04-03 21:19:56 +08:00
Franz Pletz
ff36d95878
nixos/quicktun: init 2019-04-02 12:16:48 +02:00
aszlig
dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
Aaron Andersen
395ec8c0d4 nixos/mailcatcher: init module for existing package 2019-03-27 09:15:47 -04:00
Benjamin Staffin
c94005358c NixOS: Run Docker containers as declarative systemd services (#55179)
* WIP: Run Docker containers as declarative systemd services

* PR feedback round 1

* docker-containers: add environment, ports, user, workdir options

* docker-containers: log-driver, string->str, line wrapping

* ExecStart instead of script wrapper, %n for container name

* PR feedback: better description and example formatting

* Fix docbook formatting (oops)

* Use a list of strings for ports, expand documentation

* docker-continers: add a simple nixos test

* waitUntilSucceeds to avoid potential weird async issues

* Don't enable docker daemon unless we actually need it

* PR feedback: leave ExecReload undefined
2019-03-25 00:59:09 +02:00
Gabriel Ebner
03f7c82e62
Merge pull request #57826 from gebner/anbox
anbox: init at 2019-03-07
2019-03-22 19:19:47 +01:00
Alyssa Ross
0cd7f32a4c
Merge pull request #54627 from FlorianFranzen/waybar
waybar: init at 0.4.0
2019-03-20 23:38:04 +00:00
Samuel Leathers
cafd07a54e
Merge pull request #56423 from Izorkin/nginx-unit
unit: add service unit and update package
2019-03-20 13:08:05 -04:00
Alexey Shmalko
89845931e4
acpilight: add to module-list
acpilight package and module have been added to nixpkgs, but the
module hasn't been added to module-list.nix, so using it results in
the following error.

```
The option `hardware.acpilight' defined in `/etc/nixos/configuration.nix' does not exist.
```

Add the module to module-list.nix.
2019-03-19 23:21:36 +02:00
Peter Hoeg
fe97297bb1 logitech (nixos): support module for logitech input devices 2019-03-19 09:58:57 +08:00
Florian Franzen
52d0db7e73 nixos/waybar: init module 2019-03-18 09:56:27 +01:00
Edward Tjörnhammar
0f03f28b75 nixos/anbox: init module
Co-authored-by: Luke Adams <luke.adams@belljar.io>
Co-authored-by: Volth <volth@webmaster.ms>
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
Co-authored-by: Edward Tjörnhammar <ed@cflags.cc>
Co-authored-by: Gabriel Ebner <gebner@gebner.org>
2019-03-18 09:28:02 +01:00
Izorkin
42a99b1be2 nixos/unit: init service unit 2019-03-16 19:54:21 +03:00
Vladimír Čunát
3aecf21239
Merge #56922: nixos/knot: init basic service + tests 2019-03-16 09:17:15 +01:00
Ryan Mulligan
4b6a41a939
Merge pull request #57077 from callahad/brother-dsseries
dsseries: init at 1.0.5-1
2019-03-14 21:17:31 -07:00
aszlig
0ba48f46da
nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:03 +01:00
aszlig
ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Martin Weinelt
a978d3dcd2
nixos/knot: init 2019-03-14 01:28:53 +01:00
Michael Weiss
45004c6f63
sway: Switch to 1.0
This is the result of executing:
git mv -f pkgs/applications/window-managers/sway/beta.nix pkgs/applications/window-managers/sway/default.nix
git mv -f nixos/modules/programs/sway-beta.nix nixos/modules/programs/sway.nix

And removing sway-beta from the following files:
pkgs/top-level/all-packages.nix
nixos/modules/module-list.nix
2019-03-12 22:29:39 +01:00
Silvan Mosberger
6ad76ff1ba
Merge pull request #52096 from furrycatherder/davmail
nixos/davmail: init
2019-03-09 22:41:55 +01:00
Sean Haugh
f2730d881b nixos/davmail: init
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
Co-authored-by: Silvan Mosberger <infinisil@icloud.com>
2019-03-09 12:05:15 -06:00
Silvan Mosberger
a540993d62
Merge pull request #56171 from bachp/tautulli
tautulli/plexpy: 1.4.25 -> 2.1.26 (renamed)
2019-03-08 16:52:40 +01:00
Dan Callahan
c80385d934
dsseries: init at 1.0.5-1 2019-03-08 15:02:22 +00:00
Silvan Mosberger
502a4263a3
Merge pull request #55936 from tobim/modules/snapserver
nixos/snapserver: init
2019-03-07 00:00:48 +01:00
Tobias Mayer
085751b63b nixos/snapserver: init
A nixos module for configuring the server side of pkgs.snapcast.
The module is named "snapserver" following upstream convention.
This commit does not provide module for the corresponding client.

Fix handling of port and controlPort

Fix stream uri generation & address review

Remove unused streams options & add description

Add missing description & Remove default fs path

Use types.port for ports & formatting improvements

Force mpd and mopidy to wait for snapserver
2019-03-06 23:40:05 +01:00
Silvan Mosberger
8c4babb8ba
Merge pull request #53463 from OlivierMarty/master
nixos/duplicity: init
2019-03-04 01:22:29 +01:00
worldofpeace
a589f6e1dc
Merge pull request #56562 from worldofpeace/module/gsd
nixos/gnome-settings-daemon: init
2019-03-01 22:01:26 -05:00
worldofpeace
5ce2eba776 nixos/gnome-settings-daemon: init 2019-03-01 14:55:12 -05:00
David Duarte
b381c27b58 nixos/coredns: init (#54931) 2019-03-01 11:10:44 +02:00
Pascal Bach
8b3ffebcdc tautulli/plexpy: 1.4.25 -> 2.1.26 (renamed)
PlexPy was renamed to Tautulli.

This renames the module as well as the application accordingly.
Aliases are kept for backwards compatibility.

# Conflicts:
#	nixos/modules/services/misc/tautulli.nix
2019-02-28 19:07:00 +01:00
Lorenzo Manacorda
1bc0d79650 nixos/ledger: init 2019-02-22 19:26:47 +01:00
aanderse
e5405f9ae8 nixos/beanstalkd: new service for existing package (#55953) 2019-02-22 14:10:02 +01:00
Franz Pletz
2935a67eb9
Merge pull request #45670 from johanot/kubernetes-1.11
nixos/kubernetes: Module refactor
2019-02-20 23:31:47 +00:00
Tor Hedin Brønner
bba6de611a
Merge pull request #56046 from callahad/bolt
Add and enable Bolt to support Thunderbolt 3 settings in GNOME
2019-02-20 21:43:02 +01:00
Johan Thomsen
e2380e79e1
nixos/kubernetes: major module refactor
- All kubernetes components have been seperated into different files
- All TLS-enabled ports have been deprecated and disabled by default
- EasyCert option added to support automatic cluster PKI-bootstrap
- RBAC has been enforced for all cluster components by default
- NixOS kubernetes test cases make use of easyCerts to setup PKI
2019-02-20 21:08:01 +01:00
Vladimír Čunát
32767d139f
Merge branch 'staging-next'
This round is without the systemd CVE,
as we don't have binaries for that yet.
BTW, I just ignore darwin binaries these days,
as I'd have to wait for weeks for them.
2019-02-20 09:38:45 +01:00
Domen Kožar
ae3a807a21
Merge pull request #47334 from bfortz/autojump
autojump: new program.autojump.enable flag to automatically load autojump
2019-02-20 15:12:51 +07:00
Dan Callahan
139e12323f
nixos/bolt: init at 0.7 2019-02-19 20:54:38 +00:00
Frederik Rietdijk
815b77cbe6 Merge master into staging-next 2019-02-18 14:18:04 +01:00
rembo10
8e151c1e86
Merge branch 'master' into headphones 2019-02-18 09:14:14 +08:00
Janne Heß
1caa886f6c nixos/icingaweb2: Init the module
The module is indeed very large but allows configuring every aspect of
icingaweb2. The built-in monitoring module is in an own file because
there are actually more (third-party) modules and this structure means
every module can get an own file.
2019-02-17 19:08:47 +01:00
Matthew Bauer
5c09d977c7 Merge remote-tracking branch 'origin/master' into staging 2019-02-09 12:14:06 -05:00
Maximilian Bosch
1ac5612be8
Merge pull request #51749 from Ma27/add-iotop-module
nixos/iotop: add module
2019-02-07 16:12:11 +01:00