author | Vladimír Čunát <vcunat@gmail.com> | 2017-03-23 13:31:28 +0100 |
committer | Vladimír Čunát <vcunat@gmail.com> | 2017-03-23 13:31:28 +0100 |
commit | c1a9dc3d3753ee02eff4ffdcf6a0238554afd243 (patch) | |
tree | 0a53ef8069562523a831ff0d835bfd4d68a66314 /nixos | |
parent | f0875982d17a7478d3ea0051e6a0be1bc98ff364 (diff) | |
parent | 632e81083caf8821c1c37e8476dac94910237d69 (diff) | |
Merge branch 'master' into staging
Diffstat (limited to 'nixos')
19 files changed, 110 insertions, 80 deletions
diff --git a/nixos/doc/manual/installation/installing-usb.xml b/nixos/doc/manual/installation/installing-usb.xml index a4b5dafbed1..dae73306056 100644 --- a/nixos/doc/manual/installation/installing-usb.xml +++ b/nixos/doc/manual/installation/installing-usb.xml @@ -11,7 +11,9 @@ a USB stick. You can use the <command>dd</command> utility to write the image: <command>dd if=<replaceable>path-to-image</replaceable> of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the correct drive; you can use the <command>lsblk</command> command to get a list of -block devices.</para> +block devices. If you're on OS X you can run <command>diskutil list</command> +to see the list of devices; the device you'll use for the USB must be ejected +before writing the image.</para> <para>The <command>dd</command> utility will write the image verbatim to the drive, making it the recommended option for both UEFI and non-UEFI installations. For diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 49ae296c40c..cae46258b80 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -97,15 +97,6 @@ following incompatible changes:</para> <listitem> <para> - The Yama LSM is now enabled by default in the kernel, - which prevents ptracing non-child processes. - This means you will not be able to attach gdb to an existing process, - but will need to start that process from gdb (so it is a child). - </para> - </listitem> - - <listitem> - <para> The <literal>stripHash</literal> bash function in <literal>stdenv</literal> changed according to its documentation; it now outputs the stripped name to <literal>stdout</literal> instead of putting it in the variable 
@@ -249,6 +240,13 @@ following incompatible changes:</para> </para> </listitem> + <listitem> + <para> + The <literal>fetch*</literal> functions no longer support md5, + please use sha256 instead. + </para> + </listitem> + </itemizedlist> diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 61b02c5ffa6..a3f7e8f722f 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -64,5 +64,9 @@ in # Removed under grsecurity. boot.kernel.sysctl."kernel.kptr_restrict" = if (config.boot.kernelPackages.kernel.features.grsecurity or false) then null else 1; + + # Disable YAMA by default to allow easy debugging. + boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0; + }; } diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 07623fd591d..0c9981470d7 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,5 +1,5 @@ { - x86_64-linux = "/nix/store/4ssykr786d0wp7y6m4xd4qwqs4nrry1z-nix-1.11.7"; - i686-linux = "/nix/store/61ggxx2072y2g877m01asy0lsn7xpn06-nix-1.11.7"; - x86_64-darwin = "/nix/store/pxf5ri5kdbfqkhd10sw4lpj8sn385ks5-nix-1.11.7"; + x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8"; + i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8"; + x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8"; } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 84c874c17f6..54433e20597 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
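Review bot: The new `boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;` in sysctl.nix switches off Yama's ptrace restriction for the whole system, so any process may attach to and read the memory of any other process running under the same uid, and the only explanation given is "to allow easy debugging". The comment should state the trade-off and how to get the restriction back, e.g. `# Disable YAMA's ptrace restriction by default to allow attaching debuggers to running processes of the same user. This weakens process isolation between same-uid processes; set this to 1 in your configuration to restore the kernel default (mkDefault keeps it overridable).` The rl-1703.xml hunk on this page only removes the release note that announced Yama being enabled; a sentence saying it is now relaxed via sysctl and how to re-enable it would help users who relied on the earlier note.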
@@ -200,5 +200,7 @@ with lib; (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "") (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "") + (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ] + "Set the option `services.xserver.displayManager.sddm.package' instead.") ]; } diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 65d875c3a37..0aca39fd6be 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -177,25 +177,6 @@ in # programs to be wrapped. WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - # Remove the old /var/setuid-wrappers path from the system... - # - # TODO: this is only necessary for ugprades 16.09 => 17.x; - # this conditional removal block needs to be removed after - # the release. - if [ -d /var/setuid-wrappers ]; then - rm -rf /var/setuid-wrappers - fi - - # Remove the old /run/setuid-wrappers-dir path from the - # system as well... - # - # TODO: this is only necessary for ugprades 16.09 => 17.x; - # this conditional removal block needs to be removed after - # the release. - if [ -d /run/setuid-wrapper-dirs ]; then - rm -rf /run/setuid-wrapper-dirs - fi - # We want to place the tmpdirs for the wrappers to the parent dir. wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) chmod a+rx $wrapperDir diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 028907693a5..9f42f9e59ad 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -35,6 +35,7 @@ let udevRules = pkgs.runCommand "udev-rules" { preferLocalBuild = true; allowSubstitutes = false; + packages = unique (map toString cfg.packages); } '' mkdir -p $out 
@@ -45,7 +46,7 @@ let echo 'ENV{PATH}="${udevPath}/bin:${udevPath}/sbin"' > $out/00-path.rules # Add the udev rules from other packages. - for i in ${toString cfg.packages}; do + for i in $packages; do echo "Adding rules for package $i" for j in $i/{etc,lib}/udev/rules.d/*; do echo "Copying $j to $out/$(basename $j)" @@ -132,10 +133,11 @@ let hwdbBin = pkgs.runCommand "hwdb.bin" { preferLocalBuild = true; allowSubstitutes = false; + packages = unique (map toString ([udev] ++ cfg.packages)); } '' mkdir -p etc/udev/hwdb.d - for i in ${toString ([udev] ++ cfg.packages)}; do + for i in $packages; do echo "Adding hwdb files for package $i" for j in $i/{etc,lib}/udev/hwdb.d/*; do ln -s $j etc/udev/hwdb.d/$(basename $j) diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 36db4fb9660..ee881edb5ab 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -481,6 +481,7 @@ in { mkdir -p ${cfg.statePath}/repositories mkdir -p ${gitlabConfig.production.shared.path}/artifacts mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects + mkdir -p ${gitlabConfig.production.shared.path}/pages mkdir -p ${cfg.statePath}/log mkdir -p ${cfg.statePath}/shell mkdir -p ${cfg.statePath}/tmp/pids diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index cfb6a860178..4fe89838e29 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -8,7 +8,7 @@ let nix = cfg.package.out; - isNix112 = versionAtLeast (getVersion nix) "1.12pre4997"; + isNix112 = versionAtLeast (getVersion nix) "1.12pre"; makeNixBuildUser = nr: { name = "nixbld${toString nr}"; diff --git a/nixos/modules/services/misc/octoprint.nix b/nixos/modules/services/misc/octoprint.nix index 8faad46a49f..6883993a893 100644 --- a/nixos/modules/services/misc/octoprint.nix +++ b/nixos/modules/services/misc/octoprint.nix 
@@ -117,7 +117,7 @@ in ''; serviceConfig = { - ExecStart = "${pkgs.octoprint}/bin/octoprint -b ${cfg.stateDir}"; + ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}"; User = cfg.user; Group = cfg.group; PermissionsStartOnly = true; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index 364f18e7543..b8c26a5c89b 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -193,14 +193,26 @@ in }) (mkIf cronCfg.enable { - services.cron.systemCronJobs = [ - "*/5 * * * * munin ${pkgs.munin}/bin/munin-cron --config ${muninConf}" - ]; + systemd.timers.munin-cron = { + description = "batch Munin master programs"; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "*:0/5"; + }; + + systemd.services.munin-cron = { + description = "batch Munin master programs"; + unitConfig.Documentation = "man:munin-cron(8)"; + + serviceConfig = { + Type = "oneshot"; + User = "munin"; + ExecStart = "${pkgs.munin}/bin/munin-cron --config ${muninConf}"; + }; + }; system.activationScripts.munin-cron = stringAfter [ "users" "groups" ] '' mkdir -p /var/{run,log,www,lib}/munin chown -R munin:munin /var/{run,log,www,lib}/munin ''; - })]; } diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 3b4d77a6f7b..10596d6431d 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -140,6 +140,7 @@ in }; privoxy.enable = mkOption { + type = types.bool; default = true; description = '' Whether to enable and configure the system Privoxy to use Tor's diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 4e57b920a7d..ae14aa28ae3 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix 
@@ -185,6 +185,7 @@ let ${optionalString (config.index != null) "index ${config.index};"} ${optionalString (config.tryFiles != null) "try_files ${config.tryFiles};"} ${optionalString (config.root != null) "root ${config.root};"} + ${optionalString (config.alias != null) "alias ${config.alias};"} ${config.extraConfig} } '') locations); @@ -403,6 +404,13 @@ in config = mkIf cfg.enable { # TODO: test user supplied config file pases syntax test + assertions = let hostOrAliasIsNull = l: l.root == null || l.alias == null; in [ + { + assertion = all (host: all hostOrAliasIsNull (attrValues host.locations)) (attrValues virtualHosts); + message = "Only one of nginx root or alias can be specified on a location."; + } + ]; + systemd.services.nginx = { description = "Nginx Web Server"; after = [ "network.target" ]; diff --git a/nixos/modules/services/web-servers/nginx/location-options.nix b/nixos/modules/services/web-servers/nginx/location-options.nix index e1885b16066..83ce0f71734 100644 --- a/nixos/modules/services/web-servers/nginx/location-options.nix +++ b/nixos/modules/services/web-servers/nginx/location-options.nix @@ -45,6 +45,15 @@ with lib; ''; }; + alias = mkOption { + type = types.nullOr types.path; + default = null; + example = "/your/alias/directory"; + description = '' + Alias directory for requests. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index f923d86265f..918841e8f16 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -208,11 +208,7 @@ in services.xserver.displayManager.sddm = { theme = "breeze"; - themes = [ - pkgs.extra-cmake-modules # for the setup-hook - plasma5.plasma-workspace - pkgs.breeze-icons - ]; + package = pkgs.sddmPlasma5; }; security.pam.services.kde = { allowNullPassword = true; }; 
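Review bot: `hostOrAliasIsNull` in the new `assertions` block of default.nix is a misnomer: the lambda receives a location (`l`) and tests `l.root == null || l.alias == null`, nothing about hosts, which makes the surrounding `all (host: all hostOrAliasIsNull (attrValues host.locations))` harder to read than it needs to be. Rename it to match what it checks: `assertions = let rootOrAliasIsNull = l: l.root == null || l.alias == null; in [` together with `assertion = all (host: all rootOrAliasIsNull (attrValues host.locations)) (attrValues virtualHosts);`. The message "Only one of nginx root or alias can be specified on a location." also does not say which virtual host or location is at fault; if the assertion is ever reworked to iterate with the attribute names (`mapAttrsToList`), including them in the message would save users a search through their config.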
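Review bot: The new `alias` option in location-options.nix is emitted verbatim as `alias ${config.alias};` (first hunk of default.nix on this page) but its description, "Alias directory for requests.", says nothing about how the value must relate to the location prefix, and nginx's `alias` is the directive most often misconfigured into serving files outside the intended directory: when the location prefix does not end with a slash but the alias path is meant as a directory, requests whose path continues with `..` directly after the prefix resolve to the parent of the aliased directory. Since `types.nullOr types.path` performs no such check, the description should at least carry the rule, e.g. `Alias directory for requests. The location prefix and this path should both end with a slash (or both not), otherwise requests can resolve to files outside the aliased directory; see the nginx documentation for <literal>alias</literal>.` A follow-up could enforce the slash pairing in the assertion added in default.nix, where the location key is available as the attribute name.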
diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix index dfda90978b1..1d5dcb2c7cb 100644 --- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix +++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix @@ -45,6 +45,7 @@ let theme-name = ${cfg.theme.name} icon-theme-name = ${cfg.iconTheme.name} background = ${ldmcfg.background} + ${cfg.extraConfig} ''; in @@ -103,6 +104,15 @@ in }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration that should be put in the lightdm-gtk-greeter.conf + configuration file. + ''; + }; + }; }; diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index 6630b8257e4..affc1261d19 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -9,7 +9,7 @@ let cfg = dmcfg.sddm; xEnv = config.systemd.services."display-manager".environment; - sddm = pkgs.sddm.override { inherit (cfg) themes; }; + sddm = cfg.package; xserverWrapper = pkgs.writeScript "xserver-wrapper" '' #!/bin/sh @@ -105,11 +105,12 @@ in ''; }; - themes = mkOption { - type = types.listOf types.package; - default = []; + package = mkOption { + type = types.package; + default = pkgs.sddm; description = '' - Extra packages providing themes. + The SDDM package to install. + The default package can be overridden to provide extra themes. ''; }; diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index c7559cd634a..5fcac5c8c6a 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl 
@@ -443,9 +443,40 @@ my $confFile = $grubVersion == 1 ? "$bootPath/grub/menu.lst" : "$bootPath/grub/g my $tmpFile = $confFile . ".tmp"; writeFile($tmpFile, $conf); + +# check whether to install GRUB EFI or not +sub getEfiTarget { + if ($grubVersion == 1) { + return "no" + } elsif (($grub ne "") && ($grubEfi ne "")) { + # EFI can only be installed when target is set; + # A target is also required then for non-EFI grub + if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die } + else { return "both" } + } elsif (($grub ne "") && ($grubEfi eq "")) { + # TODO: It would be safer to disallow non-EFI grub installation if no taget is given. + # If no target is given, then grub auto-detects the target which can lead to errors. + # E.g. it seems as if grub would auto-detect a EFI target based on the availability + # of a EFI partition. + # However, it seems as auto-detection is currently relied on for non-x86_64 and non-i386 + # architectures in NixOS. That would have to be fixed in the nixos modules first. + return "no" + } elsif (($grub eq "") && ($grubEfi ne "")) { + # EFI can only be installed when target is set; + if ($grubTargetEfi eq "") { die } + else {return "only" } + } else { + # prevent an installation if neither grub nor grubEfi is given + return "neither" + } +} + +my $efiTarget = getEfiTarget(); + # Append entries detected by os-prober if (get("useOSProber") eq "true") { - system(get("shell"), "-c", "pkgdatadir=$grub/share/grub $grub/etc/grub.d/30_os-prober >> $tmpFile"); + my $targetpackage = ($efiTarget eq "no") ? $grub : $grubEfi; + system(get("shell"), "-c", "pkgdatadir=$targetpackage/share/grub $targetpackage/etc/grub.d/30_os-prober >> $tmpFile"); } # Atomically switch to the new config 
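Review bot: The new os-prober call picks `$grubEfi` whenever `$efiTarget` is not "no", so in the "neither" case (both `$grub` and `$grubEfi` empty, which getEfiTarget returns instead of dying) `$targetpackage` is the empty string and the command handed to `sh -c` becomes `pkgdatadir=/share/grub /etc/grub.d/30_os-prober >> $tmpFile`, i.e. a script from the running system rather than from the GRUB package, executed as root; if `useOSProber` can be true in that configuration, the call should be refused: keep `my $targetpackage = ($efiTarget eq "no") ? $grub : $grubEfi;` and add `die "useOSProber is set but no GRUB package is configured\n" if $targetpackage eq "";` before the `system` line. The moved getEfiTarget also still fails with a bare `die` in two branches; a message such as `die "grubTarget and grubTargetEfi must both be set for an EFI installation\n"` would make the failure diagnosable from the activation log, and the `return "no"`/`return "only"` statements lack the trailing semicolon the rest of the file uses. getEfiTarget is complete within the hunk; the script's top-level flow continues outside it.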
@@ -498,36 +529,7 @@ sub getDeviceTargets { } return @devices; } - -# check whether to install GRUB EFI or not -sub getEfiTarget { - if ($grubVersion == 1) { - return "no" - } elsif (($grub ne "") && ($grubEfi ne "")) { - # EFI can only be installed when target is set; - # A target is also required then for non-EFI grub - if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die } - else { return "both" } - } elsif (($grub ne "") && ($grubEfi eq "")) { - # TODO: It would be safer to disallow non-EFI grub installation if no taget is given. - # If no target is given, then grub auto-detects the target which can lead to errors. - # E.g. it seems as if grub would auto-detect a EFI target based on the availability - # of a EFI partition. - # However, it seems as auto-detection is currently relied on for non-x86_64 and non-i386 - # architectures in NixOS. That would have to be fixed in the nixos modules first. - return "no" - } elsif (($grub eq "") && ($grubEfi ne "")) { - # EFI can only be installed when target is set; - if ($grubTargetEfi eq "") { die } - else {return "only" } - } else { - # prevent an installation if neither grub nor grubEfi is given - return "neither" - } -} - my @deviceTargets = getDeviceTargets(); -my $efiTarget = getEfiTarget(); my $prevGrubState = readGrubState(); my @prevDeviceTargets = split/,/, $prevGrubState->devices; diff --git a/nixos/tests/munin.nix b/nixos/tests/munin.nix index 50746d17b45..40fafc62514 100644 --- a/nixos/tests/munin.nix +++ b/nixos/tests/munin.nix @@ -29,6 +29,7 @@ import ./make-test.nix ({ pkgs, ...} : { startAll; $one->waitForUnit("munin-node.service"); + $one->succeed('systemctl start munin-cron'); $one->waitForFile("/var/lib/munin/one/one-uptime-uptime-g.rrd"); $one->waitForFile("/var/www/munin/one/index.html"); ''; |