author | Vladimír Čunát <vcunat@gmail.com> | 2019-01-10 13:07:21 +0100 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2019-01-10 13:07:21 +0100 |
commit | 287144e34258f353425ba78817439df1f2c9e80d (patch) | |
tree | ec96c46c08855adc24b3664395b20974bd6923ea /nixos | |
parent | 528664e3bb33bae66d4ce41877fe573395010dd9 (diff) | |
parent | e0fd84cf439f39d31e2c317b228b0c035cc6211d (diff) | |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/lib/make-disk-image.nix | 2 | ||||
-rw-r--r-- | nixos/modules/installer/cd-dvd/channel.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/databases/cassandra.nix | 22 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/datadog-agent.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/nsd.nix | 12 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/atlassian/confluence.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/atlassian/crowd.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/atlassian/jira.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/wordpress.nix | 8 | ||||
-rw-r--r-- | nixos/modules/services/x11/urxvtd.nix | 28 | ||||
-rw-r--r-- | nixos/modules/system/boot/initrd-network.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/initrd-ssh.nix | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 1 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/hardened.nix | 9 |
16 files changed, 72 insertions, 31 deletions
diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index bf32a36895c..6fec322f909 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -84,7 +84,7 @@ let format' = format; in let # FIXME: merge with channel.nix / make-channel.nix. channelSources = pkgs.runCommand "nixos-${config.system.nixos.version}" {} '' mkdir -p $out - cp -prd ${nixpkgs} $out/nixos + cp -prd ${nixpkgs.outPath} $out/nixos chmod -R u+w $out/nixos if [ ! -e $out/nixos/nixpkgs ]; then ln -s . $out/nixos/nixpkgs diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index 01cfe8a02e1..e946c4abc57 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -16,7 +16,7 @@ let { } '' mkdir -p $out - cp -prd ${nixpkgs} $out/nixos + cp -prd ${nixpkgs.outPath} $out/nixos chmod -R u+w $out/nixos if [ ! -e $out/nixos/nixpkgs ]; then ln -s . $out/nixos/nixpkgs diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index 86e74d5d5ab..d741ee48c48 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -34,11 +34,13 @@ let { name = "cassandra-etc"; cassandraYaml = builtins.toJSON cassandraConfigWithAddresses; cassandraEnvPkg = "${cfg.package}/conf/cassandra-env.sh"; + cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig; buildCommand = '' mkdir -p "$out" echo "$cassandraYaml" > "$out/cassandra.yaml" ln -s "$cassandraEnvPkg" "$out/cassandra-env.sh" + ln -s "$cassandraLogbackConfig" "$out/logback.xml" ''; }; in { 
@@ -139,7 +141,27 @@ in { correspond to a single address, IP aliasing is not supported. ''; }; + logbackConfig = mkOption { + type = types.lines; + default = '' + <configuration scan="false"> + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <pattern>%-5level %date{HH:mm:ss,SSS} %msg%n</pattern> + </encoder> + </appender> + <root level="INFO"> + <appender-ref ref="STDOUT" /> + </root> + + <logger name="com.thinkaurelius.thrift" level="ERROR"/> + </configuration> + ''; + description = '' + XML logback configuration for cassandra + ''; + }; extraConfig = mkOption { type = types.attrs; default = {}; diff --git a/nixos/modules/services/monitoring/datadog-agent.nix b/nixos/modules/services/monitoring/datadog-agent.nix index 5434fe99347..a4d29d45bac 100644 --- a/nixos/modules/services/monitoring/datadog-agent.nix +++ b/nixos/modules/services/monitoring/datadog-agent.nix @@ -186,7 +186,7 @@ in { type = types.attrs; default = { init_config = {}; - instances = [ { use-mount = "no"; } ]; + instances = [ { use_mount = "false"; } ]; }; }; diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index cde47bf23ea..8b918dab86d 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -435,7 +435,9 @@ let dnssecZones = (filterAttrs (n: v: if v ? dnssec then v.dnssec else false) zoneConfigs); - dnssec = length (attrNames dnssecZones) != 0; + dnssec = dnssecZones != {}; + + dnssecTools = pkgs.bind.override { enablePython = true; }; signZones = optionalString dnssec '' mkdir -p ${stateDir}/dnssec 
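Review bot: The description of the new `logbackConfig` option does not say where the XML ends up or how it is reloaded. The earlier hunk of this file writes it with `pkgs.writeText`, so the contents land in the Nix store and are world-readable, and the default's `scan="false"` means logback will not re-read the file at runtime, so edits take effect only after the service is restarted. Suggest `XML logback configuration for Cassandra. The file is placed in the Nix store (world-readable, so it must not contain secrets) and linked as logback.xml; with scan="false" changes apply only after a service restart.`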
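Review bot: `use_mount = "false"` passes the value as a string, whereas the Datadog disk check documents `use_mount` as a boolean; if this attrset is serialised as-is, the agent receives the quoted string `"false"` and it is not clear from the hunk that it is coerced rather than treated as a non-empty (truthy) value. If the check accepts a real boolean, `instances = [ { use_mount = false; } ];` removes the ambiguity; otherwise a short comment stating that the string form is what the agent expects would stop the next reader from "fixing" it. This is inferred from the visible default only — confirm against the agent's config parsing.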
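Review bot: `dnssecTools = pkgs.bind.override { enablePython = true; };` carries no comment saying why a separately overridden bind is required, and the `nixpkgs.config` block deleted in the later hunk was the only hint. Suggest `# dnssec-keymgr presumably needs bind built with Python support; build a python-enabled copy only for zone signing instead of overriding pkgs.bind globally` (confirm the reason). Scoping the override to this module rather than `nixpkgs.config` is also a real improvement worth stating in the comment, since the old form silently changed `pkgs.bind` for every other consumer whenever DNSSEC was enabled.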
@@ -445,8 +447,8 @@ let ${concatStrings (mapAttrsToList signZone dnssecZones)} ''; signZone = name: zone: '' - ${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name} - ${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name} + ${dnssecTools}/bin/dnssec-keymgr -g ${dnssecTools}/bin/dnssec-keygen -s ${dnssecTools}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name} + ${dnssecTools}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name} ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name} ''; policyFile = name: policy: pkgs.writeText "${name}.policy" '' @@ -953,10 +955,6 @@ in ''; }; - nixpkgs.config = mkIf dnssec { - bind.enablePython = true; - }; - systemd.timers."nsd-dnssec" = mkIf dnssec { description = "Automatic DNSSEC key rollover"; diff --git a/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixos/modules/services/web-apps/atlassian/confluence.nix index f896d92fd6f..b71887fcc6e 100644 --- a/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -166,7 +166,7 @@ in ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/confluence ln -sf ${cfg.home} /run/confluence/home - chown -R ${cfg.user} ${cfg.home} + chown ${cfg.user} ${cfg.home} sed -e 's,port="8090",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' diff --git a/nixos/modules/services/web-apps/atlassian/crowd.nix b/nixos/modules/services/web-apps/atlassian/crowd.nix index b6cb9f3b7c4..9f48d1e16a4 100644 --- a/nixos/modules/services/web-apps/atlassian/crowd.nix +++ b/nixos/modules/services/web-apps/atlassian/crowd.nix 
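Review bot: After dropping `-R`, `chown ${cfg.user} ${cfg.home}` no longer touches the `logs`, `work` and `temp` subdirectories that the line above symlinks into /run/confluence; if those are created with `mkdir -p` as root earlier in this preStart (outside the hunk), a fresh install would leave them unwritable by the service user. The crowd.nix hunk solves this with an explicit non-recursive `chown ${cfg.user}:${cfg.group} ${cfg.home}/{logs,database,work}`; the equivalent `chown ${cfg.user} ${cfg.home}/{logs,work,temp}` is needed here and in the jira.nix hunk. Staying non-recursive is the right direction: a recursive chown run as root over a tree the service writes to is slow and re-owns whatever the service has placed or linked there, so do not reintroduce `-R`. The preStart script begins and ends outside the hunk.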
@@ -130,9 +130,10 @@ in mkdir -p ${cfg.home}/{logs,database,work} mkdir -p /run/atlassian-crowd - ln -sf ${cfg.home}/{database,work,server.xml} /run/atlassian-crowd + ln -sf ${cfg.home}/{database,logs,work,server.xml} /run/atlassian-crowd - chown -R ${cfg.user}:${cfg.group} ${cfg.home} + chown ${cfg.user}:${cfg.group} ${cfg.home} + chown ${cfg.user}:${cfg.group} ${cfg.home}/{logs,database,work} sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index f5ec0a5f31b..dba970c612b 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -171,7 +171,7 @@ in ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/atlassian-jira ln -sf ${cfg.home} /run/atlassian-jira/home - chown -R ${cfg.user} ${cfg.home} + chown ${cfg.user} ${cfg.home} sed -e 's,port="8080",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' diff --git a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix index c810b914e25..c68bfd25f6a 100644 --- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix +++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix 
@@ -85,10 +85,10 @@ let # remove bundled themes(s) coming with wordpress rm -Rf $out/wp-content/themes/* - # symlink additional theme(s) - ${concatMapStrings (theme: "ln -s ${theme} $out/wp-content/themes/${theme.name}\n") config.themes} - # symlink additional plugin(s) - ${concatMapStrings (plugin: "ln -s ${plugin} $out/wp-content/plugins/${plugin.name}\n") (config.plugins) } + # copy additional theme(s) + ${concatMapStrings (theme: "cp -r ${theme} $out/wp-content/themes/${theme.name}\n") config.themes} + # copy additional plugin(s) + ${concatMapStrings (plugin: "cp -r ${plugin} $out/wp-content/plugins/${plugin.name}\n") (config.plugins) } # symlink additional translation(s) mkdir -p $out/wp-content/languages diff --git a/nixos/modules/services/x11/urxvtd.nix b/nixos/modules/services/x11/urxvtd.nix index 5531d7f153c..d916fa5bb39 100644 --- a/nixos/modules/services/x11/urxvtd.nix +++ b/nixos/modules/services/x11/urxvtd.nix @@ -7,14 +7,24 @@ with lib; let cfg = config.services.urxvtd; in { + options.services.urxvtd = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable urxvtd, the urxvt terminal daemon. To use urxvtd, run + "urxvtc". + ''; + }; - options.services.urxvtd.enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable urxvtd, the urxvt terminal daemon. To use urxvtd, run - "urxvtc". - ''; + package = mkOption { + default = pkgs.rxvt_unicode-with-plugins; + defaultText = "pkgs.rxvt_unicode-with-plugins"; + description = '' + Package to install. Usually pkgs.rxvt_unicode-with-plugins or pkgs.rxvt_unicode + ''; + type = types.package; + }; }; config = mkIf cfg.enable { 
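Review bot: The comments were updated from "symlink" to "copy" but the reason for copying store paths instead of linking them is not recorded, so the next maintainer is likely to revert to the cheaper symlink. Suggest `# copied rather than symlinked: WordPress presumably resolves real paths and refuses content outside its own tree — confirm` on the themes line. Note also that `cp -r` from the store keeps the source's read-only mode bits, so if later steps of this builder (outside the hunk) modify the copied files they need a `chmod -R u+w` first.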
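Review bot: The attributes of the new `package` option are ordered `default`, `defaultText`, `description`, `type`, while the sibling `enable` option in the same hunk puts `type` first; one order across the option set reads better and `type` is the attribute a reader looks for first. Suggest moving `type = types.package;` to the top of the `package` option. No functional difference.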
@@ -24,14 +34,14 @@ in { partOf = [ "graphical-session.target" ]; path = [ pkgs.xsel ]; serviceConfig = { - ExecStart = "${pkgs.rxvt_unicode-with-plugins}/bin/urxvtd -o"; + ExecStart = "${cfg.package}/bin/urxvtd -o"; Environment = "RXVT_SOCKET=%t/urxvtd-socket"; Restart = "on-failure"; RestartSec = "5s"; }; }; - environment.systemPackages = [ pkgs.rxvt_unicode-with-plugins ]; + environment.systemPackages = [ cfg.package ]; environment.variables.RXVT_SOCKET = "/run/user/$(id -u)/urxvtd-socket"; }; diff --git a/nixos/modules/system/boot/initrd-network.nix b/nixos/modules/system/boot/initrd-network.nix index dd0ea69e968..cb8fc957a99 100644 --- a/nixos/modules/system/boot/initrd-network.nix +++ b/nixos/modules/system/boot/initrd-network.nix @@ -56,7 +56,8 @@ in is acquired using DHCP. You should add the module(s) required for your network card to - boot.initrd.availableKernelModules. lspci -v -s <ethernet controller> + boot.initrd.availableKernelModules. + <literal>lspci -v | grep -iA8 'network\|ethernet'</literal> will tell you which. ''; }; diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 53e993603e2..2d3e3b05c98 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -82,6 +82,7 @@ in default = config.users.users.root.openssh.authorizedKeys.keys; description = '' Authorized keys for the root user on initrd. + Note that Dropbear doesn't support OpenSSH's Ed25519 key type. ''; }; diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 018e7b2e7f8..aa4a5f8abcc 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -144,7 +144,7 @@ let fi fi done - echo -n "Verifiying passphrase for ${device}..." + echo -n "Verifying passphrase for ${device}..." echo -n "$passphrase" | ${csopen} --key-file=- if [ $? == 0 ]; then echo " - success" 
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index d1029bb5798..860268ab23a 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -898,6 +898,7 @@ in systemd.services.systemd-remount-fs.restartIfChanged = false; systemd.services.systemd-update-utmp.restartIfChanged = false; systemd.services.systemd-user-sessions.restartIfChanged = false; # Restart kills all active sessions. + systemd.services.systemd-udev-settle.restartIfChanged = false; # Causes long delays in nixos-rebuild # Restarting systemd-logind breaks X11 # - upstream commit: https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101 # - systemd announcement: https://github.com/systemd/systemd/blob/22043e4317ecd2bc7834b48a6d364de76bb26d91/NEWS#L103-L112 diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 38fa9ffad3c..7bd7df9b177 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -92,7 +92,7 @@ in hadoop.yarn = handleTestOn [ "x86_64-linux" ] ./hadoop/yarn.nix {}; handbrake = handleTestOn ["x86_64-linux"] ./handbrake.nix {}; haproxy = handleTest ./haproxy.nix {}; - #hardened = handleTest ./hardened.nix {}; # broken due useSandbox = true + hardened = handleTest ./hardened.nix {}; hibernate = handleTest ./hibernate.nix {}; hitch = handleTest ./hitch {}; hocker-fetchdocker = handleTest ./hocker-fetchdocker {}; diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index 683f56c45af..07bd10963ba 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -5,7 +5,7 @@ import ./make-test.nix ({ pkgs, ...} : { }; machine = - { lib, pkgs, ... }: + { lib, pkgs, config, ... }: with lib; { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; }; users.users.sybil = { isNormalUser = true; group = "wheel"; }; 
@@ -22,12 +22,19 @@ import ./make-test.nix ({ pkgs, ...} : { options = [ "noauto" ]; }; }; + boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; + boot.kernelModules = [ "wireguard" ]; }; testScript = '' $machine->waitForUnit("multi-user.target"); + # Test loading out-of-tree modules + subtest "extra-module-packages", sub { + $machine->succeed("grep -Fq wireguard /proc/modules"); + }; + # Test hidepid subtest "hidepid", sub { $machine->succeed("grep -Fq hidepid=2 /proc/mounts"); |
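Review bot: `grep -Fq wireguard /proc/modules` is a substring match: `-F` makes the pattern literal, so any module whose name merely contains `wireguard` satisfies it, and nothing checks that it is the first column. Since the subtest's purpose is to prove that one specific out-of-tree module was loaded, anchor it: `$machine->succeed("grep -q '^wireguard ' /proc/modules");`. The `testScript` continues past the end of the hunk.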