Commit graph

6973 commits

Author SHA1 Message Date
Graham Christensen
4f3d06dc7d Merge pull request #23214 from grahamc/mcelog-service
mcelog: init Machine Check Exception Logging Daemon service
2017-02-26 11:42:56 -05:00
Graham Christensen
1430506666
mcelog: init Machine Check Exception Logging Daemon service 2017-02-26 11:42:00 -05:00
obadz
4b6f021251 Revert "lightdm: obbey services.xserver.{window/desktop}Manager.default"
This reverts commit 29caa185a7.

Not clear what the proper thing to do is. cf94cdb59b renders this
question mostly moot. Reverting before 17.03 branch to avoid a repeat
of #19054.
2017-02-26 16:22:21 +00:00
Jörg Thalheim
6c36d9fa20
nftables: make default configuration null
reason:
 - We currently have an open discussion regarding a more modular
   firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
   leaving null makes future extension easier.
 - the current default might not cover all use cases (different ssh port)
   and might break setups, if applied blindly
2017-02-26 16:24:20 +01:00
Jookia
e2c95b46e5
nftables module: Add new module for nftables firewall settings
fixes #18842
2017-02-26 13:41:14 +01:00
Tomasz Czyż
0b27c74eb2 pgjwt: init at 0.0.1 (#22644) 2017-02-26 11:14:32 +01:00
Daniel Peebles
2f36be3816 Merge pull request #23190 from primeos/os-release
[RFC] version: Extend /etc/os-release
2017-02-26 00:03:33 -05:00
Dan Peebles
e798f573f0 make-disk-image.nix: set last fsck time on ext4 images to enable resize-on-startup 2017-02-26 02:02:22 +00:00
Michael Weiss
7e97cbe5a4 version: Extend /etc/os-release
- Provide additional link for support and bug reporting.
- Use HTTPS links (related: "The IAB encourages all web servers to
employ TLS to protect their content, and use OCSP stapling to improve
the efficiency and privacy of revocation checking." [0]).
- Add VERSION_CODENAME

[0]: https://www.iab.org/documents/correspondence-reports-documents/2017-2/iab-statement-on-ocsp-stapling/
2017-02-25 22:24:34 +01:00
Franz Pletz
26a2822cf0
nginx service: restart instead of stop to reduce downtime
cc #23127
2017-02-25 20:12:37 +01:00
Thomas Tuegel
a1431f35db Merge pull request #23169 from Kendos-Kenlen/kde-hack
kde5: Install default monospace font, Hack
2017-02-25 11:59:33 -06:00
Franz Pletz
3a4dd97c55
nginx module: fix acme if vhost name != serverName
cc #21931 @bobvanderlinden
2017-02-25 08:04:38 +01:00
Gauthier POGAM--LE MONTAGNER
b65cc5c59e kde5: add hack font dependency (fix #22975) 2017-02-25 00:35:59 +01:00
Benjamin Staffin
1c555e772e Merge pull request #23155 from doshitan/fix-prometheus-basic-auth
prometheus service: fix basic auth option
2017-02-24 15:08:35 -05:00
Tanner Doshier
b846ce5243 prometheus service: fix basic auth option
If some configuration is provided, we need to filter out the `_module` key or
else it breaks prometheus.
2017-02-24 13:32:01 -06:00
Ryan Mulligan
41b56b4b8a f2fs module: add crc32 dependency to initrd kernel modules, closes #23093
f2fs.fsck depends on the crc32 module being present in the initrd;
otherwise, if f2fs is used as the root disk, the system is unbootable.
2017-02-24 18:32:50 +01:00
Robin Gloster
8f60b43d9c Merge pull request #23130 from grahamc/insecure-packages-with-docs
nixpkgs: allow packages to be marked insecure (this time with docs)
2017-02-24 13:44:28 +01:00
Graham Christensen
a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
Eelco Dolstra
8e1fa01f3a
nix: 1.11.6 -> 1.11.7 2017-02-24 12:53:53 +01:00
Franz Pletz
4730993ca6 Merge pull request #23109 from dtzWill/update/neo4j
neo4j: update and fix JVM parameters in NixOS module
2017-02-23 19:02:32 +01:00
Franz Pletz
d508ef88f7 Merge pull request #23082 from mayflower/graylog_update
graylog: update + module plugin support
2017-02-23 17:42:57 +01:00
Robin Gloster
940492cef5 Merge pull request #22634 from Ekleog/dhparams
dhparams module: initialize
2017-02-23 17:16:04 +01:00
Franz Pletz
4905c1c54f
prosody service: needs working network connectivity 2017-02-23 16:07:41 +01:00
Franz Pletz
66f553974b
dhcpcd service: fix network-online.target integration
When dhcpcd instead of networkd is used, network-online.target behaved
the same as network.target, resulting in broken services that need working
network connectivity when being started.

This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
2017-02-23 16:07:40 +01:00
Will Dietz
bc15b4222b nixos/neo4j: Update to default JVM options from current release.
The options previously listed here were the defaults back in 2.1.x.
2017-02-23 08:41:29 -06:00
Robin Gloster
274994785d
networking module: remove reference to removed ip-up.target 2017-02-23 15:25:19 +01:00
Tristan Helmich
7420922806 graylog module: add plugin support 2017-02-23 15:21:29 +01:00
Dan Peebles
15c05ad213 google-compute-image.nix: fix evaluation failure 2017-02-22 23:51:57 +00:00
Dan Peebles
49641e0de0 make-disk-image.nix: support additional filesystem contents
This makes make-disk-image.nix slightly more consistent with other image
builders we have. Unfortunately I duplicated some code in doing so, but
this is temporary duplication on the path to consolidating everything.
See https://github.com/NixOS/nixpkgs/issues/23052 for more details on that.

I'm also exposing the option in the amazon-image.nix maintainer module.
2017-02-22 23:49:49 +00:00
Vladimír Čunát
4509487e82
nixos polkit: fixup setuid wrapper of pkexec
Broken in 628e6a8. Fixes #23083.
2017-02-22 23:04:21 +01:00
Franz Pletz
9b81dcfda2
nixos/release-notes: fix typos 2017-02-22 08:45:30 +01:00
Jörg Thalheim
27d4f8c717 Merge pull request #23046 from Zimmi48/patch-2
nixos/manual/networkmanager: add info on nm-applet
2017-02-22 01:40:50 +01:00
Jörg Thalheim
6a044f1841 Merge pull request #23045 from Zimmi48/patch-1
nixos/manual/xserver: propose more alternatives
2017-02-22 01:38:25 +01:00
Jörg Thalheim
5b14e91717 Merge pull request #22822 from Mic92/iputils
iputils: 20151218 -> 20161105
2017-02-22 00:37:13 +01:00
Jörg Thalheim
45719174c3
nixos/release-notes: mention iputils changes 2017-02-22 00:32:52 +01:00
Tristan Helmich
1d64f5f41b
libvirt: expose libvirt qemu configuration file
fixes #22823
2017-02-21 19:20:22 +01:00
Robin Gloster
f1e6dc8750
networking.defaultGateway{,6}: fix example 2017-02-21 15:46:00 +01:00
Théo Zimmermann
0994d6af9d nixos/manual/networkmanager: add info on nm-applet 2017-02-21 15:20:10 +01:00
Théo Zimmermann
361d730f35 nixos/manual/xserver: propose more alternatives 2017-02-21 14:56:26 +01:00
Jörg Thalheim
0338817f62 vnstat: provide full path of "kill" in ExecReload 2017-02-21 09:26:25 +00:00
Nikolay Amiantov
2cc4703a2d wrappers service: make /run/wrappers a mountpoint
Also remove some compatibility code because the directory in question would be
shadowed by a mountpoint anyway.
2017-02-21 12:13:35 +03:00
Peter Hoeg
8e5b630b49 Merge pull request #22264 from peterhoeg/m/modeswitch
usb-modeswitch: 2.2.1 -> 2.5.0 and nixos module
2017-02-21 16:49:04 +08:00
Peter Hoeg
0789a2a4d6 usb-wwan: nixos module 2017-02-21 16:35:27 +08:00
Franz Pletz
05c2c13182 Merge pull request #22715 from phi-gamma/fix-22709-xen-domU
xen: update domU config for pvgrub2
2017-02-21 06:14:12 +01:00
Anders Papitto
3d963c3e8f herbstluftwm module: add configFile option
based on the equivalent for i3
2017-02-21 05:46:13 +01:00
Kevin Cox
da33c8a19d
systemd: Properly escape environment options.
Using toJSON on a string value works because the allowed JSON escape
sequences are almost a subset of the systemd allowed escape sequences.
The only exception is `\/`, which JSON allows but systemd doesn't.
Luckily this sequence isn't required and toJSON doesn't produce it, making
the result valid for systemd consumption.

Examples of things that this fixes are environment variables with double
quotes or newlines.
2017-02-20 22:20:13 -05:00
Robin Gloster
2f8aaf0c0a Merge pull request #22941 from mayflower/systemd-tmpfiles
systemd: setup tmpfiles on switching configuration
2017-02-20 23:14:31 +01:00
Ricardo M. Correia
d9ae886946 nixos.openntpd: don't spam systemd journal
Starting `ntpd` with the `-d` option spams the systemd journal.
Instead, let the server fork.
2017-02-20 22:35:51 +01:00
aszlig
dc31a1ea29
systemd-boot: Unlink loader.conf if it exists
Since systemd version 232 the install subcommand of bootctl opens the
loader.conf with fopen() modes "wxe", where the "e" stands for
exclusive, so the call will fail if the file exists.

For installing the boot loader just once this is fine, but if we're
using NIXOS_INSTALL_BOOTLOADER on a systemd where the bootloader is
already present this will fail.

Exactly this is done within the simpleUefiGummiboot installer test,
where nixos-install is called twice and thus the bootloader is also
installed twice, resulting in an error during the fopen call:

Failed to open loader.conf for writing: File exists

Removing the file prior to calling bootctl should fix this.

I've tested this using the installer.simpleUefiGummiboot test and it now
succeeds.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22925
2017-02-20 14:54:48 +01:00
aszlig
4daccf208f
systemd-boot: Make sure /etc/machine-id exists
This leads to the following error when trying to install a new machine
where the machine ID wasn't yet initialized during boot:

Failed to get machine did: No such file or directory

In addition this was also detected by the simpleUefiGummiboot installer
test.

So let's generate a fallback machine ID by using
systemd-machine-id-setup before actually running bootctl.

Tested this by running the installer.simpleUefiGummiboot test, it still
fails but not because of the machine ID.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22561
2017-02-20 14:54:44 +01:00