| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
| |
This option is defined in qemu-vm.nix, but that module is not always
imported.
http://hydra.nixos.org/build/44817443
(cherry picked from commit 03c55005dfd6fbcd5cf8e00128a3bb6336b3bc0f)
|
| | |
|
| |
|
|
| |
Signed-off-by: Maximilian Güntner <code@klandest.in>
|
| |
|
|
|
|
| |
RuntimeDirectoryPermissions -> RuntimeDirectoryMode
Would result in warnings like "unknown lvalue" on startup
|
| |
|
|
|
|
|
| |
Otherwise it starts way too early, only to fail and having to restart
until devices are available. It is less wasteful to simply wait until
there's a reasonable chance of success. This is consistent with
upstream.
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 4358d3d43938666834d3e1fd5a8ea69b49c08112.
Not having a default was deliberate, see
https://github.com/NixOS/nixpkgs/commit/1ce6fff4e21906a3e6cfd26fdf4372f7501541cd
Thanks to @ocharles for making me aware of this.
|
| |
|
|
| |
This reverts commit 52d12b473af0dfbf7f5af1bd75ac5a5f2366f887.
|
| |
|
|
| |
fixes #18183
|
| |
|
|
|
|
| |
networkd options are always correct or up to date. This option allows to by
pass type checking. It is also easier to write because examples can be just copy
and paste from manpages.
|
| |
|
|
|
|
|
|
|
|
| |
Networkd units can contain secrets. In future also wireguard vpn will be supported by
networkd. To avoid leakage of private keys, those could be then also put outside
of the /nix/store
Having a writeable /etc/systemd/network also allows to quick fix network issues,
when upgrading `nixos-rebuild switch` would require network on its own (due
updates).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
boot.loader.grub.efiInstallAsRemovable"
This reverts commit 656cc3acafcb30e3503f4d3e39694ca996c66015 because it
causes building the manual to fail:
$ nixos-rebuild build
...
building path(s) ‘/nix/store/s9y5z78z5pssvmixcmv9ix13gs8xj87f-manual-olinkdb’
Writing /nix/store/s9y5z78z5pssvmixcmv9ix13gs8xj87f-manual-olinkdb/manual.db for book(book-nixos-manual)
./man-pages.xml:625: element para: Relax-NG validity error : Did not expect element para there
./man-pages.xml:3: element variablelist: Relax-NG validity error : Element refsection has extra content: variablelist
./man-pages.xml:29: element refsection: Relax-NG validity error : Element refentry has extra content: refsection
./man-pages.xml:3: element reference: Relax-NG validity error : Element reference failed to validate content
./man-pages.xml fails to validate
CC @cleverca22, @Mic92
|
| |
|
|
|
|
|
|
| |
- most nixos user only require time synchronisation,
while ntpd implements a battery-included ntp server (1,215 LOCs of C-Code vs 64,302)
- timesyncd support ntp server per interface (if configured through dhcp for instance)
- timesyncd is already included in the systemd package, switching to it would
save a little disk space (1,5M)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The collectd service runs as an unprivileged user by default, so it does
not leak more information to its data directory than any user can obtain
elsewhere by other means.
If people are running it as root and are worried about information leak,
we can add collectd group and set perms to 750.
CC @offlinehacker.
Fixes #21198.
|
| |
|
|
|
|
|
| |
A secret can be stored in a file. It is written at runtime in the
configuration file.
Note it is also possible to write them in the nix store for dev
purposes.
|
| |
|
|
|
|
|
|
|
|
|
| |
This commit introduces a nixos module for the Openstack Keystone
service. It also provides a optional bootstrap step that creates some
basic initial resources (tenants, endpoints,...).
The provided test starts Keystone by enabling bootstrapping and checks
if user creation works well.
This commit is based on initial works made by domenkozar.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Split packages in three categories, all of them going into the system
package list:
- pre-requisite packages
- core packages
- optional packages
Add a new configuration option 'environment.lxqt.excludePackages' to
specify optional LXQt packages that should be excluded from system
packages.
Add 'gvfs' as a pre-requisite package, needed by 'pcmanfm-qt' to
handle virtual places, like "Computer" and "Network".
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The boot tests import test-instrumentation.nix directly to create a VM
image that only contains things such as the backdoor and serial console
the same way as used by other NixOS VM tests.
With one difference though: It doesn't need nor want to have 9p
filesystems mounted, because we actually want to test an image rather
than re-using most stuff from the host's store.
Change tested against the boot.uefiUsb and ipv6 tests, just that it
becomes clear we don't break either the tests with 9p nor the boot
tests (which were already broken but now succeed).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
| |
|
|
| |
fixes libnss_myhost, libnss_mymachines, libnss_resolve are located here
|
| |\
| |
| | |
nixos/tests: Use a patched QEMU for testing
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.
Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.
This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.
So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.
In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).
Tested against the "misc" and "printing" tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
| | |
| |
| |
| |
| |
| | |
- syntax check before deploying configuration
- remove static unnessary static uid/gid (configuration is opened as root)
- add service hardening
|
| |\ \
| | |
| | | |
kubernetes module: fix default dns ip
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | | |
Improvement to the ssh-iptables to block the port(s) actually defined
for sshd in config.services.openssh.ports
|
| |\ \ \
| | | |
| | | | |
use symlink to ensure cupsd.conf PATH always points to a valid store path
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
even if cups rewrites its config file due to config changes made through
its web-based management UI, we need to keep the PATH pointing to
currently-live nix store directories. fixes #20806.
|
| | | | |
| | | |
| | | |
| | | | |
Otherwise, using the defaults results in a type error.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
tmux.bin was removed in 5535d9439415454abe00589bd7575b61e7fbb8db
Use `lib.getBin` to be more robust to future changes.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
- updates buildbot to version 9 release
- adds nixos configuration module
- fixes buildbot-www package deps
- re-hardcode path to tail
- builbot configuration via module vars
fixes #19759
|
| | | | | |
|
| | | | | |
|
| | |/ /
|/| |
| | |
| | | |
fixes #19933
|
| |\ \ \
| | | |
| | | | |
boinc service: add to module list
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
The module itself was added in 811c39c6a4156af42558f95945add2795083d1a7,
but it looks like I forgot to reference it to module-list.nix.
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
Using the default config, a user will experience a run-time failure.
This is poor UX, assert the requirement up-front.
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
Explain why the assertion fails; the user already knows that it *has*
failed.
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
The type was simply str but the default is null, thus resulting in a
conversion error if the user fails to declare a value.
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
Enabling both these at the same time fails because they implement the
same interface.
|
| | | | |
| | | |
| | | |
| | | | |
Otherwise you'd get errors like "-f no such command".
|
| |/ / / |
|
| |/ /
| |
| |
| | |
Fixes https://github.com/NixOS/nixpkgs/issues/20959
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.
systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.
Fixes https://github.com/NixOS/nixpkgs/issues/20948
|
| |\ \
| | |
| | | |
Privoxy service improvements
|
| | | |
| | |
| | |
| | |
| | |
| | | |
The service owns no data, having a static uid serves no purpose.
This frees up uid/gid 32
|
| | | | |
|