Commit graph

311 commits

Author SHA1 Message Date
Vladimír Čunát b80d1c5923 Merge x-updates 2013-12-25 23:56:41 +01:00
Peter Simons 6bc4007e60 nixos: don't white-list port 8200 in the firewall when minidlna is enabled
If you want minidla to accept connections from the rest of the world, please
add

    networking.firewall.allowedTCPPorts = [ 8200 ];
    networking.firewall.allowedUDPPorts = [ 1900 ];

to /etc/nixos/configuration.nix.

See <http://lists.science.uu.nl/pipermail/nix-dev/2013-November/011997.html>
for the discussion that lead to this.
2013-12-23 21:32:13 +01:00
Peter Simons 7bb7ea52e9 nixos: don't white-list port 5900 in the firewall when x11vnc is enabled
If you want x11vnc to receive TCP connections from the rest of the world,
please add

    networking.firewall.allowedTCPPorts = [ 5900 ];

to /etc/nixos/configuration.nix.

See <http://lists.science.uu.nl/pipermail/nix-dev/2013-November/011997.html>
for the discussion that lead to this.
2013-12-23 21:30:10 +01:00
Peter Simons 19a79fc71d nixos: don't white-list port 631 in the firewall when CUPS is enabled
If you want CUPS to receive UDP printer announcements from the rest of the
world, please add

  networking.firewall.allowedUDPPorts = [ 631 ];

to /etc/nixos/configuration.nix.

See <http://lists.science.uu.nl/pipermail/nix-dev/2013-November/011997.html>
for the discussion that lead to this.
2013-12-23 21:27:07 +01:00
Vladimír Čunát 50ac037864 Merge master into x-updates 2013-12-23 19:27:14 +01:00
Lluís Batlle i Rossell 152da7671c nixos initrd: load atkbd, not xtkbd
I don't think anyone has a XT keyboard in a computer running nixos.
2013-12-23 09:01:45 +01:00
Vladimír Čunát 2b24f1349a Merge master into x-updates 2013-12-21 10:20:55 +01:00
Michael Raskin 997778c820 Make Ejabberd service work 2013-12-20 18:16:56 +04:00
Eelco Dolstra f5844f98ac mediawiki: Update to 1.20.8
CVE-2013-4567, CVE-2013-4568
2013-12-20 14:46:57 +01:00
Vladimír Čunát 4c5a71f777 Merge master into x-updates
Conflicts:
	pkgs/desktops/gnome-2/desktop/gvfs/default.nix
	pkgs/development/libraries/cogl/default.nix
	pkgs/development/libraries/libsoup/2.44.nix
2013-12-18 23:21:29 +01:00
Michael Raskin bdd1fea87b Merge pull request #1373 from offlinehacker/nixos/memcached/user_fix
memcached: set uid to make it work with #1076
2013-12-14 22:55:00 -08:00
Michael Raskin 654627fe4c Merge pull request #1362 from tomberek/ddclient_correction
Correct web-skip value to match behavior of checkip.dyndns.com
2013-12-14 22:51:44 -08:00
Michael Raskin 152f7666af Merge pull request #1340 from bjornfor/ntopng
Add ntopng package and nixos service module
2013-12-14 22:46:49 -08:00
David Virgilio 2f69aaf721 add herbstluftwm enable option 2013-12-14 14:45:33 +01:00
Jaka Hudoklin 24e2ef5126 memcached: set uid to make it work with #1076 2013-12-13 10:09:08 +01:00
Rob Vermaas 61d346eaaf Google Compute image: fix punctuation in description, give disk image proper name with version and revision. 2013-12-12 12:48:09 +01:00
Eelco Dolstra 8c2dd86fe2 Manual: Fix typo
Fixes #1363.
2013-12-12 10:38:13 +01:00
Thomas Bereknyei 6129be5a7a Correct web-skip value to match behavior of checkip.dyndns.com 2013-12-11 23:22:43 -05:00
Eelco Dolstra 14018c2de1 fail2ban: Fix preStart action
Creating /run/fail2ban didn't work since it didn't have write
permission to /run.  Now it does.

Reported by Thomas Bereknyei.
2013-12-11 21:16:58 +01:00
Rob Vermaas ee8a58a72f Remove a hardcoded SSH public key from the Google Compute image. 2013-12-11 16:18:12 +01:00
Rob Vermaas f7b256a221 Add initial configuration for Google Compute Engine 2013-12-11 15:32:27 +01:00
Vladimír Čunát 089da3ee5c Merge master into x-updates
Conflicts (simple):
	pkgs/top-level/all-packages.nix
2013-12-10 13:00:02 +01:00
Bjørn Forsman 9474fbae65 nixos: add ntopng service
ntopng is a high-speed web-based traffic analysis and flow collection
tool. Enable it by adding this to configuration.nix:

  services.ntopng.enable = true;

Open a browser at http://localhost:3000 and login with the default
username/password: admin/admin.
2013-12-09 21:35:01 +01:00
Bjørn Forsman 0856500f3e nixos/libvirtd-service: fix fail-to-start when no machines are configured
Don't fail to start the libvirtd service just because there are no files
that match the /etc/libvirt/qemu/*.xml pattern.
2013-12-09 19:41:44 +01:00
Vladimír Čunát 6690c97569 Merge branch 'master' into x-updates
Conflicts (just different styles, same semantics):
	pkgs/development/libraries/libusb1/default.nix
2013-12-07 14:17:16 +01:00
Bjørn Forsman ca26e75a73 nixos/avahi-service: small documentation update 2013-12-07 12:03:50 +01:00
Eelco Dolstra 7809134e29 postgresql: Fix shutdown
Postgres was taking a long time to shutdown.  This is because we were
sending SIGINT to all processes, apparently confusing the autovacuum
launcher.  Instead it should only be sent to the main process (which
takes care of shutting down the others).

The downside is that systemd will also send the final SIGKILL only to
the main process, so other processes in the cgroup may be left behind.
There should be an option for this...
2013-12-03 12:04:20 -05:00
Vladimír Čunát d09b722f77 Merge master into x-updates 2013-12-02 21:41:16 +01:00
Eelco Dolstra 09dd7f9afc Fix passing of kernel parameters
Broken in 9ee30cd9b5.  Reported by Arvin
Moezzi.
2013-12-02 11:56:58 -05:00
Eelco Dolstra 2cb492a847 cups: Allow users in the wheel group to do admin actions 2013-12-01 17:30:12 -05:00
Song Wenwu c4885173b6 systemd: add services.journald.extraConfig option 2013-11-30 22:42:01 +01:00
Domen Kožar 4da388351a Merge pull request #1292 from jozko/openldap-fixes
Added openldap user, group and configure service so its not running as root
2013-11-28 13:40:11 -08:00
Jozko Skrablin cb691265b6 Added openldap user, group and configure service so its not running as root. 2013-11-28 22:21:50 +01:00
Bjørn Forsman f52f9bf7cd nixos/libvirtd-service: fix for garbage collected emulator paths
libvirtd puts the full path of the emulator binary in the machine config
file. But this path can unfortunately be garbage collected while still
being used by the virtual machine. Then this happens:

Error starting domain: Cannot check QEMU binary /nix/store/z5c2xzk9x0pj6x511w0w4gy9xl5wljxy-qemu-1.5.2-x86-only/bin/qemu-kvm: No such file or directory

Fix by updating the emulator path on each service startup to something
valid (re-scan $PATH).
2013-11-27 23:09:57 +01:00
Eelco Dolstra 9ee30cd9b5 Add support for lightweight NixOS containers
You can now say:

  systemd.containers.foo.config =
    { services.openssh.enable = true;
      services.openssh.ports = [ 2022 ];
      users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-dss ..." ];
    };

which defines a NixOS instance with the given configuration running
inside a lightweight container.

You can also manage the configuration of the container independently
from the host:

  systemd.containers.foo.path = "/nix/var/nix/profiles/containers/foo";

where "path" is a NixOS system profile.  It can be created/updated by
doing:

  $ nix-env --set -p /nix/var/nix/profiles/containers/foo \
      -f '<nixos>' -A system -I nixos-config=foo.nix

The container configuration (foo.nix) should define

  boot.isContainer = true;

to optimise away the building of a kernel and initrd.  This is done
automatically when using the "config" route.

On the host, a lightweight container appears as the service
"container-<name>.service".  The container is like a regular NixOS
(virtual) machine, except that it doesn't have its own kernel.  It has
its own root file system (by default /var/lib/containers/<name>), but
shares the Nix store of the host (as a read-only bind mount).  It also
has access to the network devices of the host.

Currently, if the configuration of the container changes, running
"nixos-rebuild switch" on the host will cause the container to be
rebooted.  In the future we may want to send some message to the
container so that it can activate the new container configuration
without rebooting.

Containers are not perfectly isolated yet.  In particular, the host's
/sys/fs/cgroup is mounted (writable!) in the guest.
2013-11-27 17:14:10 +01:00
Eelco Dolstra 57f145a7f8 When setting $NIX_REMOTE, check whether /nix/var/nix/db is writable
In NixOS containers, root doesn't have write permission to
/nix/var/nix/db, so it has to use the daemon.
2013-11-27 17:09:17 +01:00
Eelco Dolstra c6529ac9eb postgresql: Fix the port option
Also clarify the description of the enableTCPIP option.
2013-11-27 17:09:17 +01:00
Eelco Dolstra e8baaba044 Add a regression test for hostname / nss_myhostname
Issue #1248.
2013-11-26 18:52:34 +01:00
Eelco Dolstra 953f12995b nscd: Fix LD_LIBRARY_PATH
This ensures that nscd can find the NSS modules.

Fixes #1248.
2013-11-26 18:38:22 +01:00
Eelco Dolstra 14cd8bc248 Allow services to specify a pre-stop script 2013-11-26 18:24:55 +01:00
Eelco Dolstra 2b1f212494 Disable various services when running inside a container 2013-11-26 18:19:45 +01:00
Vladimír Čunát b5fba47147 Merge branch master into x-updates
Conflicts (not used, deleted):
	pkgs/desktops/xfce/common.nix
2013-11-23 10:22:26 +01:00
Rob Vermaas a383fe887f Make dd-agent services restart when killed. 2013-11-22 15:23:45 +01:00
William A. Kennington III f48af13c5a Add a nix module for AMD Hybrid Graphics 2013-11-20 11:27:28 -06:00
Eelco Dolstra 4df8a04f14 Don't include the code name in the EBS AMI name 2013-11-19 19:09:48 +01:00
Vladimír Čunát c33c2e68e4 xfce4notifyd: minor update, add to the default installation 2013-11-18 21:08:25 +01:00
Eelco Dolstra bc56bb7546 polkit: Add some examples 2013-11-18 18:04:17 +01:00
Eelco Dolstra 7ea47df0a4 polkit: Fix authenticating as a wheel user
In Javascript-based PolKit, "unix-user:0;unix-group:wheel" is not
valid; it should be a list "unix-user:0", "unix-group:wheel".
2013-11-18 18:04:17 +01:00
Eelco Dolstra 1ce709ee00 polkit: The rule file needs to end in .rules
Otherwise it's ignored.
2013-11-18 18:04:17 +01:00
Eelco Dolstra 886b9e27a6 httpd.nix: Support non-root operation 2013-11-18 18:04:17 +01:00