Commit graph

717 commits

Author SHA1 Message Date
Eelco Dolstra 00372ca638 nixos-rebuild: Fallback for upgrading Nix
Previously, if the currently installed Nix is too old to evaluate
Nixpkgs, then nixos-rebuild would fail and the user had to upgrade Nix
manually. Now, as a fallback, we run ‘nix-store -r’ to obtain a binary
Nix directly from the binary cache.
2014-04-15 12:07:34 +02:00
Eelco Dolstra f9e6181478 nixos-rebuild: Exec nixos-rebuild from the new Nixpkgs tree
This allows doing any necessary actions that were not in the installed
nixos-rebuild (such as downloading a new version of Nix). This does
require us to be careful that nixos-rebuild is backwards-compatible
(i.e. can run in any old installation).
2014-04-15 12:07:29 +02:00
Eelco Dolstra 35bf0f4810 Don't restart container-startup-done 2014-04-15 12:07:24 +02:00
Eelco Dolstra 596bd37163 Don't restart container shells in switch-to-configuration 2014-04-15 12:07:18 +02:00
Austin Seipp ae207efc07 nixos: add spiped service module
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 03:33:47 -05:00
Austin Seipp 42954a2d20 Fix hydra UID
The style for IDs dictates that groups/users should have the same ID -
so if a user doesn't have a group or vice versa, then we should skip
that ID.

In this case, we had already assigned grsecurity GID 121, but I
accidentally also assigned Hydra UID 121. Instead, let's assign Hydra
UID 122. And also assign a GID (122) as well.

Luckily nobody was depending on this yet (except me).

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 02:29:13 -05:00
Vladimír Čunát 8340454544 mesa: have all output on /run/opengl-driver{,-32}
Fixes #2242 in a different way (cleaner, I hope).
2014-04-14 21:38:23 +02:00
Vladimír Čunát 557dff54aa nixos opengl: add s2tc to mesa drivers by default
Close #2200. Thanks to @cpages for suggesting and testing this.
2014-04-14 21:38:23 +02:00
Eelco Dolstra 269bd7ef83 Add missing file 2014-04-14 21:03:43 +02:00
Eelco Dolstra 7ce743b422 Manual: Add some IDs 2014-04-14 19:27:26 +02:00
Eelco Dolstra e1a1146690 Update section on writing tests 2014-04-14 19:19:39 +02:00
Eelco Dolstra 29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Eelco Dolstra 4f2aa2f706 Fix installer test evaluation 2014-04-14 16:24:08 +02:00
Rob Vermaas 3f15f8b703 Add script to create and upload GCE image. 2014-04-14 14:38:52 +02:00
Eelco Dolstra 36c05d5e5b Simplify running tests even further
Now you can just say:

  $ nix-build '<nixos/tests/login.nix>'

You can still get the driver script for interactive testing:

  $ nix-build '<nixos/tests/login.nix>' -A driver
  $ ./result/bin/nixos-test-driver
2014-04-14 14:23:38 +02:00
Eelco Dolstra abe218950c Make it easier to run the tests
You can now run a test in the nixos/tests directory directly using
nix-build, e.g.

  $ nix-build '<nixos/tests/login.nix>' -A test

This gets rid of having to add the test to nixos/tests/default.nix.
(Of course, you still need to add it to nixos/release.nix if you want
Hydra to run the test.)
2014-04-14 14:02:44 +02:00
Eelco Dolstra 30d0864dc6 Simplify 2014-04-14 10:26:12 +02:00
Eelco Dolstra ba29614578 Manual: Generate stable ids for options
E.g. ‘#opt-boot.initrd.kernelModules’.

Also, shut up a stupid XSLT warning (‘attribute value is not an NCName’).
2014-04-14 10:26:12 +02:00
Bjørn Forsman 6fa1ad04da nixos: extend documentation example for security.setuidOwners
Show that it is possible to set custom permission bits.
2014-04-13 12:31:08 +02:00
Austin Seipp a3155a0e2a nixos: add a UID for Hydra
Otherwise the Hydra module can't be used when mutableUsers = false;

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 21:20:18 -05:00
Austin Seipp 64efd184ed grsecurity: Fix GRKERNSEC_PROC restrictions
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.

This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.

This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 11:16:05 -05:00
Austin Seipp 172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Shea Levy 0122697550 Revert "Merge branch 'postgresql-user' of git://github.com/ocharles/nixpkgs"
Reverting postgres superuser changes until after stable.

This reverts commit 6cc0cc7ff6, reversing
changes made to 3c4be425db.
2014-04-11 19:23:03 -04:00
Shea Levy 9b077bac58 Revert "postgresql: properly fix permissions issue by in postStart"
Reverting postgres superuser changes until after stable.

This reverts commit c66be6378d.
2014-04-11 19:22:43 -04:00
Shea Levy e9e60103de Revert "Create the 'postgres' superuser"
Reverting postgres superuser changes until after stable.

This reverts commit 7de29bd26f.
2014-04-11 19:22:39 -04:00
Shea Levy c23050e231 Revert "Use PostgreSQL 9.3's pg_isready to wait for connectivity"
Reverting postgres superuser changes until after stable.

This reverts commit e206684110.
2014-04-11 19:21:50 -04:00
Eelco Dolstra e2bc9a3d14 Include Archive::Cpio in the installation CD
http://hydra.nixos.org/build/10268978
2014-04-11 17:16:44 +02:00
Eelco Dolstra 13185280fe Fix tests broken due to the firewall being enabled by default 2014-04-11 17:16:44 +02:00
Eelco Dolstra 017408e048 Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel.  (Longer term, we should probably move to a single service
for managing the iptables rules.)
2014-04-11 17:16:44 +02:00
Eelco Dolstra b9281e6a2d Fix NAT module 2014-04-11 17:16:44 +02:00
Eelco Dolstra 2da09363bf nix: Update to 1.7 2014-04-11 12:24:48 +02:00
Peter Simons ad65a1e064 Revert "nixos: fix shell on conatiners"
This reverts commit c69577b7d6.
See https://github.com/NixOS/nixpkgs/pull/2198 for further details.
2014-04-11 12:07:00 +02:00
Eelco Dolstra d2155649af Merge branch 'containers'
Fixes #2105.
2014-04-10 15:55:51 +02:00
Eelco Dolstra 6a7a8a144f Document NixOS containers 2014-04-10 15:07:29 +02:00
Eelco Dolstra a34bfbab4c Add option networking.nat.internalInterfaces
This allows applying NAT to an interface, rather than an IP range.
2014-04-10 15:07:29 +02:00
Eelco Dolstra ac8c924c09 nixos-container: Add ‘run’ and ‘root-login’ commands
And remove ‘root-shell’.
2014-04-10 15:07:29 +02:00
Eelco Dolstra da4f180252 Bring back ‘nixos-container update’ 2014-04-10 15:07:29 +02:00
Eelco Dolstra 3dca6b98cb Fix permissions on /var/lib/startup-done 2014-04-10 15:07:28 +02:00
Peter Simons 26d8f54587 Merge pull request #2198 from offlinehacker/nixos/shadow/login_containers_fix
nixos: fix shell on conatiners
2014-04-10 12:39:19 +02:00
Peter Simons 0e147530ef Merge pull request #2199 from offlinehacker/nixos/ntp/containers_fix
nixos: disable ntp on containers by default
2014-04-10 12:33:35 +02:00
Jaka Hudoklin 0b170187e3 nixos: disable ntp on containers by default 2014-04-10 12:30:03 +02:00
Jaka Hudoklin c69577b7d6 nixos: fix shell on conatiners 2014-04-10 12:28:09 +02:00
aszlig 5dd14a1059
nixos/phpfpm: Add option to set PHP package.
This allows to easily override the used PHP package, especially for
example if you want to use PHP 5.5 or if you want to override the
derivation.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-04-10 07:52:26 +02:00
Shea Levy 9dcffe951d Merge branch 'cjdns' of git://github.com/ehmry/nixpkgs
cjdns: update to 20130303
2014-04-09 20:34:32 -04:00
Bjørn Forsman e856584e1a nixos/jenkins-service: fix 'group' option documentation
Both for master and slave.
2014-04-09 21:52:46 +02:00
Emery Hemingway 316e809ff8 cjdns: update to 20130303
build system is now nodejs based
new nixos module to start cjdns
2014-04-09 10:30:57 -04:00
Domen Kožar e5e27cfd64 Merge pull request #2153 from lethalman/gnome3
accounts-daemon service, fix gnome-shell, add libgnomekbd, musicbrainz5, sushi, gnome-contacts
2014-04-09 15:01:17 +02:00
Luca Bruno a3115707dd Add environment.gnome3.excludePackages
Give the user a full desktop, and the possibility to exclude
non-base packages from the default list of packages.
2014-04-09 00:36:53 +02:00
Luca Bruno c56af6102a at-spi2-core: add dbus module, enabled on gnome3 by default 2014-04-09 00:36:53 +02:00
Luca Bruno 8553993887 telepathy-mission-control: add dbus service, enabled by default on gnome3 2014-04-09 00:36:52 +02:00