Commit graph

5976 commits

Author SHA1 Message Date
Bjørn Forsman
8f3e6fdd8c
nixos: add programs.wireshark option
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module module simplifies such a
configuration to simply:

  programs.wireshark.enable = true;

The setuid wrapper is available for users in the 'wireshark' group.

Changes v1 -> v2:
  - add "defaultText" to the programs.wireshark.package option (AFAIK,
    that prevents the manual from being needlessly rebuilt when the
    package changes)
2017-02-17 15:42:54 +01:00
Robin Gloster
070825d443
setcapWrapper: add support for setting permissions 2017-02-17 15:42:54 +01:00
Robin Gloster
6e12406e30
Revert "nginx: Format the config file"
This reverts commit e362a3d5c9.

See #22883
2017-02-16 22:45:00 +01:00
Profpatsch
bb797c1390 networking.networkd: adjust autmatic mapping of bonds
Since the bonds interface changed to a lot more possible values we create a
mapping of kernel bond attribute names and values to networkd attributes.
Those match for the most part, but have to transformed slightly.

There is also an assert that unknown options won’t slip through silently.
2017-02-16 21:24:40 +01:00
Profpatsch
9debdaf512 networking.bonds: add support for arbitrary driverOptions
Until now the four attributes available very selectively provided a small
subset, while copying upstream documentation.

We make driver options an arbitrary key-value set and point to kernel
documentation, which is always up-to-date. This way every option can be set.
The four already existing options are deprecated with a warning.
2017-02-16 21:24:40 +01:00
Daniel Peebles
19a9099eb2 Merge pull request #22869 from copumpkin/amazon-init-fix
amazon-init NixOS module: fix (I think) race condition with network
2017-02-16 12:44:49 -05:00
Thomas Tuegel
7c260ad2cc Merge pull request #22813 from benley/pam-kwallet
nixos: add optional pam_kwallet5 integration
2017-02-16 10:20:47 -06:00
Dan Peebles
b172684c17 amazon-init NixOS module: fix (I think) race condition with network
The initialization code is now a systemd service that explicitly
waits for network-online, so the occasional failure I was seeing
because the `nixos-rebuild` couldn't get anything from the binary
cache should stop. I hope!
2017-02-16 16:03:58 +00:00
Nikolay Amiantov
0c81594a29 kbd service: use /dev/tty1 for systemd-vconsole-setup
Fixes #22470
2017-02-16 17:08:14 +03:00
Nikolay Amiantov
109ee2a338 kbd service: use systemd-vconsole-setup even with early setup
This way we have fonts reloaded on switches.
2017-02-16 17:08:13 +03:00
Benjamin Staffin
463e90273f pam: add optional pam_kwallet5 integration 2017-02-16 02:26:42 -05:00
Kier Davis
5e3a26e07b
Fix typo introduced by #22677 2017-02-15 23:44:11 +00:00
Bjørn Forsman
d4e5bb34b7 nixos/geoip-updater: run as user 'geoip' instead of 'nobody'
That way 'nobody' is prevented from messing with the databases.
2017-02-15 23:25:27 +01:00
Bjørn Forsman
ce0a52f9bf nixos/security.wrappers: improve documentation
* The source attribute is mandatory, not optional
* The program attribute is optional
* Move the info about the mandatory attribute first (most important,
  IMHO)
2017-02-15 20:05:27 +01:00
Profpatsch
91d0260feb modules/filesystems: disallow non-empty fstab fields (#22803)
It was possible to pass empty strings / strings with only separator characters;
this lead to broken fstab formatting.
2017-02-15 13:22:48 +01:00
Franz Pletz
188526da3d
prometheus.blackboxExporter service: add CAP_NET_RAW
The blackbox-exporter for prometheus needs CAP_NET_RAW for sending icmp
probes.
2017-02-15 09:35:27 +01:00
Bjørn Forsman
f9cb2b5640 nixos/security.wrappers: use literalExample in documentation
It's much more readable when the example attrset is pretty printed
instead of written as one line.
2017-02-15 09:08:41 +01:00
Bjørn Forsman
a45821e7a8 nixos/cron: unbreak since new security.wrapper 2017-02-15 08:30:58 +01:00
Bjørn Forsman
aaac02f6c4 nixos/atd: unbreak after new security.wrappers
* convert list -> attrset
* 'atd' doesn't exist, 'at' does
2017-02-15 08:25:59 +01:00
Bjørn Forsman
b1bfe9d3db nixos: hint about security.setuidOwners/Programs -> security.wrappers
Let users know about the option rename / change during nixos-rebuild
with a useful message instead of an error (with no way forward).
2017-02-15 07:25:33 +01:00
Bjørn Forsman
34c1b74421 nixos/virtualbox: unbreak wrt. new security.wrappers
The new option takes an attrset, not a list.
2017-02-15 07:25:33 +01:00
Bjørn Forsman
448acd8e5e nixos: remove remaining reference to setuidPrograms
The option doesn't exist anymore.
2017-02-15 07:25:33 +01:00
Ian-Woo Kim
5ca0f72472 nixos-container: break lines in description of forwardPorts. 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
4f0b663c2e nixos-container: hostPort -> forwardPort and forwardPort is now a list of (protocol,hostPort,containerPort). 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
0bfc631de2 nixos-container: support multiple port forwarding. change type of hostPort from 'string' to 'listOf str' 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
8684285251 nixos-container: introduce hostPort in declarative container options. 2017-02-15 05:12:46 +01:00
Ian-Woo Kim
a238c8a575 nixos-container: add --port option for nixos-container (forward network ports to systemd-nspawn container) 2017-02-15 05:12:46 +01:00
Parnell Springmeyer
1f83f1c878
security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00
Graham Christensen
7483ba0932
Revert "nix-daemon: default useSandbox to true"
This reverts commit d0a086770a.
2017-02-14 14:13:39 -05:00
Graham Christensen
3be1388963 Merge pull request #22767 from grahamc/sandbox-by-default
nix-daemon: default useSandbox to true
2017-02-14 13:57:44 -05:00
Eelco Dolstra
14c47bd546 Merge pull request #22758 from dezgeg/pr-nixos-rebuild
nixos-rebuild: Don't rebuild nixos-rebuild when --fast is used
2017-02-14 16:35:43 +01:00
Parnell Springmeyer
69794e333a
Using para tags for manual formatting 2017-02-14 08:53:30 -06:00
Parnell Springmeyer
794b3721bc
Syntax wibble 2017-02-14 08:42:08 -06:00
Parnell Springmeyer
e856d6efe8
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00
Parnell Springmeyer
c01689f8da
Fixing ref to old-wrappersDir 2017-02-14 08:33:07 -06:00
Parnell Springmeyer
f8b8c353ff
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00
Parnell Springmeyer
fb6d13c01a
Addressing feedback and fixing a bug 2017-02-14 07:38:45 -06:00
Parnell Springmeyer
467bb3f674
/run/wrapper is not a filesystem, no need to skip it 2017-02-14 07:32:24 -06:00
Parnell Springmeyer
ba499e3aa0
Removing unused module option old-wrapperDir 2017-02-14 07:30:21 -06:00
Parnell Springmeyer
a27f35993d
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00
Parnell Springmeyer
cca2e11556
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00
Parnell Springmeyer
9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen
d0a086770a
nix-daemon: default useSandbox to true 2017-02-13 18:06:01 -05:00
Rickard Nilsson
cda4a4dcfc nixos/grafana: Don't print password warning if no password has been set 2017-02-13 23:11:40 +01:00
Tuomas Tynkkynen
2000f0941e nixos-rebuild: Don't build nixos-rebuild with --fast 2017-02-13 21:52:32 +02:00
Tuomas Tynkkynen
23fee8bfbd nixos-rebuild: Support passing e.g. '-j8'
Where there is no space between '-j' and the number.
2017-02-13 21:52:30 +02:00
Graham Christensen
1d2548772e Merge pull request #22724 from grahamc/pam-oath-fixup
pam_oath: require OATH and pam_unix credentials to be valid
2017-02-13 09:36:35 -05:00
Robin Gloster
af9f44dd57
grub: fix capitalisation
Missed this occurence while renaming the option
2017-02-13 14:55:36 +01:00
symphorien
0b87efacb1 grub: add grub.useOSProber option (#22558) 2017-02-13 14:53:15 +01:00
Eelco Dolstra
a4ec1841da
VM tests: veryloose -> cache=loose 2017-02-13 12:18:10 +01:00