Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 17 | ||||
-rw-r--r-- | nixos/modules/services/continuous-integration/jenkins/default.nix | 12 | ||||
-rw-r--r-- | nixos/modules/services/x11/window-managers/bspwm.nix | 1 | ||||
-rw-r--r-- | nixos/release-combined.nix | 2 | ||||
-rw-r--r-- | nixos/release.nix | 2 | ||||
-rw-r--r-- | nixos/tests/containers-imperative.nix | 13 |
6 files changed, 33 insertions, 14 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 11668162808f..12401f044a7f 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -194,6 +194,23 @@ in ''; }; + disableSimultConnect = mkOption { + type = types.bool; + default = false; + description = '' + Disable TCP simultaneous connect. The TCP simultaneous connect + feature allows two clients to connect without either of them + entering the listening state. This feature of the TCP specification + is claimed to enable an attacker to deny the target access to a given + server by guessing the source port the target would use to make the + connection. + + This option is OFF by default because TCP simultaneous connect has + some legitimate uses. Enable this option if you know what this TCP + feature is for and know that you do not need it. + ''; + }; + verboseVersion = mkOption { type = types.bool; default = false; diff --git a/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixos/modules/services/continuous-integration/jenkins/default.nix index 6fd39e68b1d9..4a6ffb9c2616 100644 --- a/nixos/modules/services/continuous-integration/jenkins/default.nix +++ b/nixos/modules/services/continuous-integration/jenkins/default.nix @@ -161,16 +161,8 @@ in { ''; postStart = '' - until ${pkgs.curl.bin}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} ; do - sleep 10 - done - while true ; do - index=`${pkgs.curl.bin}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix}` - if [[ !("$index" =~ 'Please wait while Jenkins is restarting' || - "$index" =~ 'Please wait while Jenkins is getting ready to work') ]]; then - exit 0 - fi - sleep 30 + until ${pkgs.curl.bin}/bin/curl -s -L --fail --head http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} >/dev/null; do + sleep 2 done ''; 
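Review bot: `disableSimultConnect` is declared in this hunk but nothing in the hunk reads it, and the diffstat shows all 17 lines changed in grsecurity.nix are exactly these additions, so on the nixos side the option currently has no effect; unless the kernel build in pkgs consumes the whole `security.grsecurity` attribute set (not visible in this nixos-limited diff), setting it to true silently does nothing, which is the worst failure mode for a hardening knob. If the pkgs side does wire it, a one-line comment above the option naming where it is consumed would let the next reader confirm that without digging. The description's "some legitimate uses" is too vague for an admin to weigh the trade-off; I would append `Known users of simultaneous open include some NAT traversal (hole-punching) techniques.` after that sentence.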
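Review bot: The new `until` loop treats every non-2xx/3xx answer as "not ready" because of `--fail`, so a Jenkins that is fully started but denies anonymous reads on `/` (a locked-down instance answers with a 4xx, as far as I recall — verify against the security realm you deploy) never satisfies the check and postStart spins until systemd's start timeout kills the unit. The removed body-grep only waited on the two "Please wait" pages, which Jenkins serves with a 503 to my knowledge, so the status-code equivalent is to wait only while there is no connection or a 503: `until code=$(${pkgs.curl.bin}/bin/curl -s -L -o /dev/null -w '%{http_code}' http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix}) && [ "$code" != 000 ] && [ "$code" != 503 ]; do`. Separately, the new explicit `http://${cfg.listenAddress}:...` URL breaks for an IPv6 literal (needs brackets); whether the option admits one is not visible here, but an assertion or a comment on the option would settle it.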
diff --git a/nixos/modules/services/x11/window-managers/bspwm.nix b/nixos/modules/services/x11/window-managers/bspwm.nix index 271b1b6cf5da..03a1b7a72e88 100644 --- a/nixos/modules/services/x11/window-managers/bspwm.nix +++ b/nixos/modules/services/x11/window-managers/bspwm.nix @@ -38,6 +38,7 @@ in start = if cfg.startThroughSession then cfg.sessionScript else '' + export _JAVA_AWT_WM_NONREPARENTING=1 SXHKD_SHELL=/bin/sh ${pkgs.sxhkd}/bin/sxhkd -f 100 & ${pkgs.bspwm}/bin/bspwm ''; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index abb69f121da0..5fc0bf9c9456 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -48,7 +48,7 @@ in rec { nixos.ova.x86_64-linux #(all nixos.tests.containers) - (all nixos.tests.chromium.stable) + (all nixos.tests.chromium) (all nixos.tests.firefox) (all nixos.tests.firewall) nixos.tests.gnome3.x86_64-linux # FIXME: i686-linux diff --git a/nixos/release.nix b/nixos/release.nix index 8409191200c8..97f6df16dc99 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -210,7 +210,7 @@ in rec { tests.blivet = callTest tests/blivet.nix {}; tests.boot = callSubTests tests/boot.nix {}; tests.cadvisor = hydraJob (import tests/cadvisor.nix { system = "x86_64-linux"; }); - tests.chromium = callSubTests tests/chromium.nix {}; + tests.chromium = (callSubTests tests/chromium.nix { system = "x86_64-linux"; }).stable; tests.cjdns = callTest tests/cjdns.nix {}; tests.containers-ipv4 = callTest tests/containers-ipv4.nix {}; tests.containers-ipv6 = callTest tests/containers-ipv6.nix {}; diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 8d100fedf78c..89babdcc4761 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix 
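Review bot: The added `export _JAVA_AWT_WM_NONREPARENTING=1` only runs in the `else` branch, so users with `startThroughSession = true` do not get it unless their own `sessionScript` sets it, and nothing in the hunk tells them so. Either hoist it in front of the conditional, `start = "export _JAVA_AWT_WM_NONREPARENTING=1\n" + (if cfg.startThroughSession then cfg.sessionScript else '' … '')`, or add a comment above the export: `# Only applied by the built-in start script; set it in sessionScript when startThroughSession = true.` The enclosing `start` attribute is fully visible in the hunk.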
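Review bot: `(all nixos.tests.chromium)` on the replaced line now refers to the job that `release.nix` in the same commit pins to `system = "x86_64-linux"` and narrows to `.stable`, so if `all` maps over every supported system (its definition is outside this hunk) the i686-linux lookup fails at evaluation time and takes the whole tested aggregate with it. The hunk's own `nixos.tests.gnome3.x86_64-linux # FIXME: i686-linux` two lines below is the established pattern for single-architecture jobs; `nixos.tests.chromium.x86_64-linux # FIXME: i686-linux` would be consistent with it. If `all` tolerates missing systems, a short comment saying so next to the line would spare the next reader the check.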
@@ -7,11 +7,20 @@ import ./make-test.nix ({ pkgs, ...} : { }; machine = - { config, pkgs, ... }: + { config, pkgs, lib, ... }: { imports = [ ../modules/installer/cd-dvd/channel.nix ]; virtualisation.writableStore = true; virtualisation.memorySize = 768; - virtualisation.pathsInNixDB = [ pkgs.stdenv ]; + # Make sure we always have all the required dependencies for creating a + # container available within the VM, because we don't have network access. + virtualisation.pathsInNixDB = let + emptyContainer = import ../lib/eval-config.nix { + inherit (config.nixpkgs) system; + modules = lib.singleton { + containers.foo.config = {}; + }; + }; + in [ pkgs.stdenv emptyContainer.config.containers.foo.path ]; }; testScript = |
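Review bot: The new `emptyContainer` evaluation at the end of the hunk pre-registers a container closure built from the outer evaluation's nixpkgs, but the comment above it does not state the condition under which that helps: the paths only cover the in-VM container creation if the nixpkgs the VM evaluates against (the channel installed by `channel.nix`, imported a few lines above) resolves to the same derivations, otherwise the build still wants the network and the test fails for a non-obvious reason. I would extend the comment with `# This relies on the channel baked in by channel.nix being this same nixpkgs; keep them in sync.` — please verify that is indeed how channel.nix is set up, it is not visible here. The `testScript` attribute continues outside the hunk.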