authorWilliam A. Kennington III <william@wkennington.com>2015-06-06 12:04:42 -0700
committerWilliam A. Kennington III <william@wkennington.com>2015-06-06 12:04:42 -0700
commit9d6555dc0ae65fbed88e6163b79dc322ec46a767 (patch)
tree2e1107a978bd3a1a09fca272ec8903f7ebe9110a /nixos
parent40b66f613181844dc48a8ef4b0d958687c2cfa31 (diff)
parentee8825935f771d7c9c1a68a089b396995d683cc4 (diff)
Merge branch 'master.upstream' into staging.upstream
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/installation/installing.xml18
-rw-r--r--nixos/doc/manual/release-notes/rl-unstable.xml85
-rw-r--r--nixos/modules/config/pulseaudio.nix8
-rw-r--r--nixos/modules/installer/cd-dvd/installation-cd-graphical.nix17
-rw-r--r--nixos/modules/installer/cd-dvd/installation-cd-minimal.nix5
-rw-r--r--nixos/modules/profiles/base.nix5
-rw-r--r--nixos/modules/security/ca.nix4
-rw-r--r--nixos/modules/services/misc/mwlib.nix3
-rw-r--r--nixos/modules/services/misc/nix-daemon.nix2
-rw-r--r--nixos/modules/services/monitoring/apcupsd.nix2
-rw-r--r--nixos/modules/services/scheduling/marathon.nix33
-rw-r--r--nixos/modules/system/activation/top-level.nix12
-rw-r--r--nixos/modules/virtualisation/google-compute-image.nix48
-rw-r--r--nixos/tests/installer.nix6
14 files changed, 183 insertions, 65 deletions
diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml
index c21759bc9261..e40c15e8316d 100644
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@@ -120,7 +120,11 @@ $ nixos-generate-config --root /mnt</screen>
 $ nano /mnt/etc/nixos/configuration.nix
 </screen>
 
-    The <command>vim</command> text editor is also available.</para>
+    If you’re using the graphical ISO image, other editors may be
+    available (such as <command>vim</command>). If you have network
+    access, you can also install other editors — for instance, you can
+    install Emacs by running <literal>nix-env -i
+    emacs</literal>.</para>
 
     <para>You <emphasis>must</emphasis> set the option
     <option>boot.loader.grub.device</option> to specify on which disk
@@ -189,11 +193,13 @@ $ reboot</screen>
 
   <listitem>
 
-    <para>You should now be able to boot into the installed NixOS. The GRUB boot menu shows a list
-                of <emphasis>available configurations</emphasis> (initially just one). Every time
-                you change the NixOS configuration (see<link linkend="sec-changing-config">Changing
-                    Configuration</link> ), a new item appears in the menu. This allows you to
-                easily roll back to another configuration if something goes wrong.</para>
+    <para>You should now be able to boot into the installed NixOS. The
+    GRUB boot menu shows a list of <emphasis>available
+    configurations</emphasis> (initially just one). Every time you
+    change the NixOS configuration (see <link
+    linkend="sec-changing-config">Changing Configuration</link> ), a
+    new item is added to the menu. This allows you to easily roll back
+    to a previous configuration if something goes wrong.</para>
 
     <para>You should log in and change the <literal>root</literal>
     password with <command>passwd</command>.</para>
diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml
index 755b4bf41541..cf67014a69dd 100644
--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@@ -8,9 +8,32 @@
 
 <para>In addition to numerous new and upgraded packages, this release has the following highlights:
 
-<!--<itemizedlist>
+  <itemizedlist>
+    <listitem>
+      <para>
+        The Haskell packages infrastructure has been re-designed from the ground up.
+        NixOS now distributes the latest version of every single package registered on
+        <link xlink:href="http://hackage.haskell.org/">Hackage</link>, i.e. well over
+        8000 Haskell packages. Further information and usage instructions for the
+        improved infrastructure are available at <link
+        xlink:href="https://nixos.org/wiki/Haskell">https://nixos.org/wiki/Haskell</link>.
+        Users migrating from an earlier release will find also find helpful information
+        below, in the list of backwards-incompatible changes.
+      </para>
+    </listitem>
+
+    <listitem>
+      <para>
+        Users running an SSH server who worry about the quality of their
+        <literal>/etc/ssh/moduli</literal> file with respect to the <link
+        xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
+        discovered in the Diffie-Hellman key exchange</link> can now replace OpenSSH's
+        default version with one they generated themselves using the new
+        <literal>services.openssh.moduliFile</literal> option.
+      </para>
+    </listitem>
+  </itemizedlist>
 
-</itemizedlist>-->
 </para>
 
 <para>Following new services were added since the last release:
@@ -71,6 +94,64 @@ was accordingly renamed to <literal>bomi</literal>
   </para>
 </listitem>
 
+<listitem>
+  <para>
+    Haskell packages can no longer be found by name, i.e. the commands
+    <literal>nix-env -qa cabal-install</literal> and <literal>nix-env -i
+    ghc</literal> will fail, even though we <emphasis>do</emphasis> ship
+    both <literal>cabal-install</literal> and <literal>ghc</literal>.
+    The reason for this inconvenience is the sheer size of the Haskell
+    package set: name-based lookups such as these would become much
+    slower than they are today if we'd add the entire Hackage database
+    into the top level attribute set. Instead, the list of Haskell
+    packages can be displayed by
+  </para>
+  <programlisting>
+nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskellPackages
+</programlisting>
+  <para>
+    and packages can be installed with:
+  </para>
+  <programlisting>
+nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.cabal-install
+</programlisting>
+</listitem>
+
+<listitem>
+  <para>
+    Previous versions of NixOS come with a feature called
+    <literal>ghc-wrapper</literal>, a small wrapper script that allows
+    GHC to transparently pick up on libraries installed in the user's
+    profile. This feature has been deprecated;
+    <literal>ghc-wrapper</literal> was removed from the distribution.
+    The proper way to register Haskell libraries with the compiler now
+    is the <literal>haskellPackages.ghcWithPackages</literal>
+    function.
+    <link xlink:href="https://nixos.org/wiki/Haskell">https://nixos.org/wiki/Haskell</link>
+    provides much information about this subject.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    All Haskell builds that have been generated with version 1.x of
+    the <literal>cabal2nix</literal> utility are now invalid and need
+    to be re-generated with a current version of
+    <literal>cabal2nix</literal> to function. The most recent version
+    of this tool can be installed by running
+    <literal>nix-env -i cabal2nix</literal>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The <literal>haskellPackages</literal> set in Nixpkgs used to have a
+    function attribute called <literal>extension</literal> that users
+    could override in their <literal>~/.nixpkgs/config.nix</literal>
+    files to configure additional attributes, etc. That function still
+    exists, but it's now called <literal>overrides</literal>.
+  </para>
+</listitem>
 
 </itemizedlist>
 </para>
diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix
index 04f274e99e10..566130feb6de 100644
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@@ -89,12 +89,12 @@ in {
 
       package = mkOption {
         type = types.package;
-        default = pulseaudioFull;
+        default = pulseaudioLight;
         example = literalExample "pkgs.pulseaudioFull";
         description = ''
-          The PulseAudio derivation to use.  This can be used to disable
-          features (such as JACK support, Bluetooth) that are enabled in the
-          pulseaudioFull package in Nixpkgs.
+          The PulseAudio derivation to use.  This can be used to enable
+          features (such as JACK support, Bluetooth) via the
+          <literal>pulseaudioFull</literal> package.
         '';
       };
 
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical.nix
index 189cca9e23b9..d14768bc1079 100644
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical.nix
@@ -11,9 +11,16 @@ with lib;
   # Provide wicd for easy wireless configuration.
   #networking.wicd.enable = true;
 
-  # Include gparted for partitioning disks
-  environment.systemPackages = [ pkgs.gparted ];
-  
+  environment.systemPackages =
+    [ # Include gparted for partitioning disks.
+      pkgs.gparted
+
+      # Include some editors.
+      pkgs.vim
+      pkgs.bvi # binary editor
+      pkgs.joe
+    ];
+
   # Provide networkmanager for easy wireless configuration.
   networking.networkmanager.enable = true;
   networking.wireless.enable = mkForce false;
@@ -67,7 +74,7 @@ with lib;
       loadTemplate("org.kde.plasma-desktop.defaultPanel")
 
       for (var i = 0; i < screenCount; ++i) {
-      	var desktop = new Activity
+        var desktop = new Activity
         desktop.name = i18n("Desktop")
         desktop.screen = i
         desktop.wallpaperPlugin = 'image'
@@ -75,7 +82,7 @@ with lib;
 
         var folderview = desktop.addWidget("folderview");
         folderview.writeConfig("url", "desktop:/");
-        
+
         //Create more panels for other screens
         if (i > 0){
           var panel = new Panel
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
index a7498906a86b..f34e789e28c5 100644
--- a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
@@ -1,11 +1,14 @@
 # This module defines a small NixOS installation CD.  It does not
 # contain any graphical stuff.
 
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =
     [ ./installation-cd-base.nix
       ../../profiles/minimal.nix
     ];
+
+  # Enable in installer, even if minimal profile disables it
+  services.nixosManual.enable = lib.mkOverride 999 true;
 }
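Review bot: The priority `999` in `lib.mkOverride 999 true` is unexplained, and the comment above it only states the goal. 999 ranks just ahead of `mkDefault` (priority 1000) and behind an ordinary definition (priority 100), so the line presumably relies on `profiles/minimal.nix` disabling the manual with `mkDefault`; that file is not visible in this hunk. I would extend the comment to `# mkOverride 999 beats a mkDefault in the minimal profile but still yields to an explicit user setting.`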
diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix
index 6c8e99943797..c207829aabd6 100644
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@@ -44,11 +44,6 @@
     pkgs.zip
     pkgs.dar # disk archiver
     pkgs.cabextract
-
-    # Some editors.
-    pkgs.vim
-    pkgs.bvi # binary editor
-    pkgs.joe
   ];
 
   # Include support for various filesystems.
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index dec5a62dcf04..008ca1f6df52 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -22,7 +22,7 @@ in
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
       default = [];
-      example = literalExample "[ \"\${pkgs.cacert}/ca-bundle.crt\" ]";
+      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
       description = ''
         A list of files containing trusted root certificates in PEM
         format. These are concatenated to form
@@ -53,7 +53,7 @@ in
 
   config = {
 
-    security.pki.certificateFiles = [ "${pkgs.cacert}/ca-bundle.crt" ];
+    security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
 
     # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
     environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
diff --git a/nixos/modules/services/misc/mwlib.nix b/nixos/modules/services/misc/mwlib.nix
index fb4a24253df4..d02e1e021a70 100644
--- a/nixos/modules/services/misc/mwlib.nix
+++ b/nixos/modules/services/misc/mwlib.nix
@@ -226,10 +226,11 @@ in
         chmod -Rc u=rwX,go= '${cfg.nslave.cachedir}'
       '';
 
+      path = with pkgs; [ imagemagick ];
       environment = {
         PYTHONPATH = concatMapStringsSep ":"
           (m: "${pypkgs.${m}}/lib/${python.libPrefix}/site-packages")
-          [ "mwlib-rl" "mwlib-ext" "pygments" ];
+          [ "mwlib-rl" "mwlib-ext" "pygments" "pyfribidi" ];
       };
 
       serviceConfig = {
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 6d25fef45768..42a9d46f1d63 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -63,7 +63,7 @@ in
 
       package = mkOption {
         type = types.package;
-        default = pkgs.nix;
+        default = pkgs.nixUnstable;
         description = ''
           This option specifies the Nix package instance to use throughout the system.
         '';
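Review bot: The option description does not say that the default is now `pkgs.nixUnstable`, so a reader of the manual cannot tell that the Nix instance used "throughout the system" tracks the unstable series unless it is overridden. I would add a sentence to the description such as `The default is the unstable Nix series; set this option to pkgs.nix to stay on the stable release.` An `example = literalExample "pkgs.nix";` line would show the override, assuming `literalExample` is in scope in this file as it is in the other modules of this commit.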
diff --git a/nixos/modules/services/monitoring/apcupsd.nix b/nixos/modules/services/monitoring/apcupsd.nix
index ffa7be7dd301..6cd0254dbe34 100644
--- a/nixos/modules/services/monitoring/apcupsd.nix
+++ b/nixos/modules/services/monitoring/apcupsd.nix
@@ -39,7 +39,7 @@ let
 
   shellCmdsForEventScript = eventname: commands: ''
     echo "#!${pkgs.stdenv.shell}" > "$out/${eventname}"
-    echo "${commands}" >> "$out/${eventname}"
+    echo '${commands}' >> "$out/${eventname}"
     chmod a+x "$out/${eventname}"
   '';
 
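Review bot: The new `echo '${commands}'` still writes the hook text unescaped: a single quote anywhere in `commands` ends the quoted string, and the rest is interpreted by the builder's shell instead of being written to the event script. The text should be passed through the library's shell escaping rather than wrapped in literal quotes, for example `echo ${escapeShellArg commands} >> "$out/${eventname}"`. Use `lib.escapeShellArg` if `lib` is not opened with `with` in this file, which the hunk does not show. Using `printf '%s\n'` instead of `echo` would also keep backslashes and a leading `-n` in the hook text from being interpreted.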
diff --git a/nixos/modules/services/scheduling/marathon.nix b/nixos/modules/services/scheduling/marathon.nix
index ab93334f5fc9..b9f4a808b0ce 100644
--- a/nixos/modules/services/scheduling/marathon.nix
+++ b/nixos/modules/services/scheduling/marathon.nix
@@ -19,14 +19,6 @@ in {
       '';
     };
 
-    httpPort = mkOption {
-      type = types.int;
-      default = 8080;
-      description = ''
-	Marathon listening port for HTTP connections.
-      '';
-    };
-
     master = mkOption {
       type = types.str;
       default = "zk://${concatStringsSep "," cfg.zookeeperHosts}/mesos";
@@ -45,6 +37,25 @@ in {
       '';
     };
 
+    user = mkOption {
+      type = types.str;
+      default = "marathon";
+      example = "root";
+      description = ''
+	The user that the Marathon framework will be launched as. If the user doesn't exist it will be created.
+	If you want to run apps that require root access or you want to launch apps using arbitrary users, that
+	is using the `--mesos_user` flag then you need to change this to `root`.
+      '';
+    };
+
+    httpPort = mkOption {
+      type = types.int;
+      default = 8080;
+      description = ''
+	Marathon listening port for HTTP connections.
+      '';
+    };
+
     extraCmdLineOptions = mkOption {
       type = types.listOf types.str;
       default = [ ];
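Review bot: The description of `user` recommends `root` without saying what that grants, and its wording is hard to follow ("that is using the `--mesos_user` flag"). I would reword it to `Set this to root only if apps must run as root or as arbitrary users via --mesos_user.` and add a caveat such as `Anyone who can submit apps to this Marathon instance can then presumably run them with that privilege, so restrict access to httpPort.` The three description lines are also indented with a tab, while the rest of the file uses spaces.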
@@ -76,14 +87,12 @@ in {
 
       serviceConfig = {
         ExecStart = "${pkgs.marathon}/bin/marathon --master ${cfg.master} --zk zk://${concatStringsSep "," cfg.zookeeperHosts}/marathon --http_port ${toString cfg.httpPort} ${concatStringsSep " " cfg.extraCmdLineOptions}";
-        User = "marathon";
+        User = cfg.user;
         Restart = "always";
         RestartSec = "2";
       };
     };
 
-    users.extraUsers.marathon = {
-      description = "Marathon mesos framework user";
-    };
+    users.extraUsers.${cfg.user} = { };
   };
 }
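Review bot: `users.extraUsers.${cfg.user} = { };` drops the account description and declares an entry for whatever name is configured, including the `root` that the option's own example suggests, where it merges into an account defined elsewhere. I would keep the description and skip the declaration for `root`, e.g. `users.extraUsers = optionalAttrs (cfg.user != "root") { "${cfg.user}".description = "Marathon mesos framework user"; };`. This assumes `lib` is opened with `with` in this file, as the unqualified `mkOption` and `concatStringsSep` calls suggest.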
diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix
index d7a1e205b4d4..b19fea57f6bf 100644
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -81,6 +81,8 @@ let
       substituteAll ${./switch-to-configuration.pl} $out/bin/switch-to-configuration
       chmod +x $out/bin/switch-to-configuration
 
+      echo -n "${toString config.system.extraDependencies}" > $out/extra-dependencies
+
       ${config.system.extraSystemBuilderCmds}
     '';
 
@@ -188,6 +190,16 @@ in
       '';
     };
 
+    system.extraDependencies = mkOption {
+      type = types.listOf types.package;
+      default = [];
+      description = ''
+        A list of packages that should be included in the system
+        closure but not otherwise made available to users. This is
+        primarily used by the installation tests.
+      '';
+    };
+
     system.replaceRuntimeDependencies = mkOption {
       default = [];
       example = lib.literalExample "[ ({ original = pkgs.openssl; replacement = pkgs.callPackage /path/to/openssl { ... }; }) ]";
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index ee5485071a35..516da926f847 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -137,40 +137,50 @@ in
       after = [ "network-online.target" "ip-up.target" ];
       wants = [ "network-online.target" "ip-up.target" ];
 
-      script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'"; in
+      script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'";
+                   mktemp = "mktemp --tmpdir=/run"; in
         ''
           # When dealing with cryptographic keys, we want to keep things private.
           umask 077
           # Don't download the SSH key if it has already been downloaded
-          if ! [ -e /root/.ssh/authorized_keys ]; then
-                echo "obtaining SSH key..."
-                mkdir -m 0700 -p /root/.ssh
-                ${wget} -O /root/authorized-keys-metadata http://metadata.google.internal/0.1/meta-data/authorized-keys
-                if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then
-                    cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub
-                    if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
-                        cat /root/key.pub >> /root/.ssh/authorized_keys
-                        echo "new key added to authorized_keys"
-                    fi
-                    chmod 600 /root/.ssh/authorized_keys
-                fi
-                rm -f /root/key.pub /root/authorized-keys-metadata
+          if ! [ -s /root/.ssh/authorized_keys ]; then
+              echo "obtaining SSH key..."
+              mkdir -m 0700 -p /root/.ssh
+              AUTH_KEYS=$(${mktemp})
+              ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys
+              if [ -s $AUTH_KEYS ]; then
+                  KEY_PUB=$(${mktemp})
+                  cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB
+                  if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then
+                      cat $KEY_PUB >> /root/.ssh/authorized_keys
+                      echo "New key added to authorized_keys."
+                  fi
+                  chmod 600 /root/.ssh/authorized_keys
+                  rm -f $KEY_PUB
+              else
+                  echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed."
+                  false
+              fi
+              rm -f $AUTH_KEYS
           fi
 
           countKeys=0
           ${flip concatMapStrings config.services.openssh.hostKeys (k :
             let kName = baseNameOf k.path; in ''
+              PRIV_KEY=$(${mktemp})
               echo "trying to obtain SSH private host key ${kName}"
-              ${wget} -O /root/${kName} http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
-              if [ $? -eq 0 -a -e /root/${kName} ]; then
+              ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
+              if [ $? -eq 0 -a -s $PRIV_KEY ]; then
                   countKeys=$((countKeys+1))
-                  mv -f /root/${kName} ${k.path}
-                  echo "downloaded ${k.path}"
+                  mv -f $PRIV_KEY ${k.path}
+                  echo "Downloaded ${k.path}"
                   chmod 600 ${k.path}
                   ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
                   chmod 644 ${k.path}.pub
+              else
+                  echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed."
               fi
-              rm -f /root/${kName}
+              rm -f $PRIV_KEY
             ''
           )}
 
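Review bot: Cleanup of the temporary files is not guaranteed, because `rm -f $AUTH_KEYS` comes after `false` and the authorized-keys `wget` lacks the `&& :` that the host-key `wget` has. If the unit script runs under errexit (not visible here), a failed download exits before the `else` message and before any `rm`, and a failing `ssh-keygen -y` exits before `rm -f $PRIV_KEY`. I would register the cleanup once, right after `umask 077`: `trap 'rm -f "$AUTH_KEYS" "$KEY_PUB" "$PRIV_KEY"' EXIT`. The expansions should also be quoted (`"$AUTH_KEYS"`, `"$KEY_PUB"`, `"$PRIV_KEY"`), so that an empty value from a failed `mktemp` produces an error instead of changing how `wget -O` or `[ -s ]` parse their arguments. The script continues past the end of this hunk, so the trap should be checked against whatever follows.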
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 603dfbe224f9..fc65f392a1f7 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -98,12 +98,6 @@ let
   channelContents = [ pkgs.rlwrap ];
 
 
-  efiBios = pkgs.runCommand "ovmf-bios" {} ''
-    mkdir $out
-    ln -s ${pkgs.OVMF}/FV/OVMF.fd $out/bios.bin
-  '';
-
-
   # The test script boots the CD, installs NixOS on an empty hard
   # disk, and then reboot from the hard disk.  It's parameterized with
   # a test script fragment `createPartitions', which must create