The renaming of options define the original value for the new attribute
path. This works well if there is only *one* target, but if there are
more, we end up recursing into the attribute set of the option
definition itself.
We now check for that within the parent recursion node (we can't check
that from the subnode, because we lack that information about whether
it's defined multiple times) and if the subnode consist entirely of a
list of definitions, we use mkMerge on it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.
After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
Absolute path is required when one has such postfix configuration
where he/she needs to specify the actual (real) path to active dovecot
config.
Without this commit applied, the dovecot is running in such way:
/nix/store/hashAAA-dovecot-ver/sbin/dovecot -F -c /nix/store/hashBBB-dovecot2.conf
and postfix can't be aware of the value of "hashBBB" via services.postfix.extraConfig = '' ... '';
(it can only be aware of "hashAAA" with ${pkgs.dovecot} parameter)
Also enable Restart on-failure.
Edit: set RestartSec to 1s
Adding Restart, RestartSec, StartLimitInterval to ensure that the service
is started in case if it can't assign (bind) the address as often it takes longer
for the network (e.g. dhcpcd) to get the IP assigned.
Now that dbus reload has been moved before restarting units,
the reload may fail if dbus has been stopped before.
The reload-or-restart will reload dbus if it's active,
otherwise start it.
Generating the file was refactored to be completely in nix.
Functionally it should create the same content as before,
only adding the newlines.
CC recent updaters: @aszlig, @rickynils.
This reverts commit 766207ca1d.
We need to solve the problem with `environment.profileRelativeEnvVars`.
The best workaround is to make profileRelativeEnvVars prepend paths.
This patch fixes the AppArmor profile path clause and adds
(currently ignored) network rules.
The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy,
but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink
to bin), which permitted the service to run unconfined.
Adding the network rules has no effect other than improving correctness,
as the version of AppArmor in the NixOS kernel fails to enforce network
rules.
postfix 2.11 is much more humane with respect to disk writes since it uses
sockets (which do not change inodes on accesses) instead of fifos (which do).
Added configurations to `bumblebee` package to easy multiple monitors on Optimus
machines.
The behaviour of the default `bumblebee` package hasn't change, so this change
is backwards compatible. Users who want to connect a monitor to their discrete
card should use the package `bumblebee_display` instead.
Also added new configuration option to nixos bumblebee module:
```
hardware.bumblebee.connectDisplay = true
```
will enable the new configuration, but the default is still false.
During install, the bootloader script gets run inside a chroot after the
/etc/group bind-mount is unmounted. Since we're not doing any building,
this should be safe, but really nix should just not care if the group
does not exist when no build is needed.
Fixes#5494
Since the 4.2.8 upgrade, ntpd is broken on NixOS:
Dec 28 19:06:54 hagbard ntpd[27723]: giving up resolving host 1.nixos.pool.ntp.org: Servname not supported for ai_socktype (-8)
This appears to be because DNS resolution doesn't work in chroots
anymore (due to /etc being missing). So disable chroots for now. It's
probably better to use systemd's containment facilities anyway.
Tested on KDE4, fixed with xfce, and was used with GNOME before.
CC @lethalman.
I did not test e19, as it won't build, probably due to #5392 @shlevy.
CC maintainer @matejc.
Also removed a forgotten unused patch.
Commit 939edb1 reintroduced autoStart, but instead of creating a list of
units for the wantedBy list with optional it became a list of lists of
units.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Added attributes to nixos/tests/mesos.nix to verify that mesos-slave
attributes work. If the generated attributes are invalid, the daemon
should fail to start.
Change-Id: I5511245add30aba658b1af22cd7355b0bbf5d15c
This reverts commit 5d67b17901.
The issues have been resolved by ac603e208c.
Tested this with hostonlyifs and USB support with extension pack.
Conflicts:
nixos/modules/programs/virtualbox-host.nix
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Tested-by: Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>
IMHO, having a short timeout (1h) defeats the point of using
ssh-agent, which is not to have to retype passphrases all the time. Of
course, users who want timeouts can set programs.ssh.agentTimeout.
This restores the 14.04 behaviour.
Because we have to rely on setuid wrappers on NixOS, we can't easily
hardcode the executable paths and set it 4755. So for all calls, we need
to change the runtime path executable directory to /var/setuid-wrappers/
and for verification we need to retain the executable directory.
Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL
and VBoxVolInfo don't reside in directories that are commonly in PATH,
but in /usr/lib/virtualbox in most mainstream distros. But because the
names of these executables are distinctive enough to not cause
collisions with other setuid programs, I'll leave it like that and not
patch up setuid-wrappers.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
/run/opengl-drivers should contain only libGL-related libraries, not
stuff like udev. Injecting anything into LD_LIBRARY_PATH is dangerous
because it can break applications that expect a different version of
the library.
Caused by eef9a8ac2a. Fixes#5371.
- Move lgi to luaPackages
- Use luaPackages in awesome and passthru lua
- Allow to pass lua modules to the awesome WM so that those can be used in the configuration
The warning was displayed whenever services.virtualboxHost.enable was
true, but if people were to enable hardening, they'd still get that
annoying message.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Creates unnecessary cruft in the root users home directory, which we
really don't need. Except the log, but therefore we now cat the log to
stderr and the private temporary directory is cleaned up afterwards.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current options for the XServer produce a huge amount of log messages. The
server produces around 70-80 messages per minute. The most messages look like
this:
display-manager-start[1846]: GetModeLine - scrn: 0 clock: 75200
display-manager-start[1846]: GetModeLine - hdsp: 1366 hbeg: 1414 hend: 1478 httl: 1582
display-manager-start[1846]: vdsp: 768 vbeg: 772 vend: 779 vttl: 792 flags: 9
Since theses messages aren't very useful, I propose to remove the `-logverbose`
and `-verbose` options from the XServer arguments.
This should display a big fat warning that people can hardly miss until
we have fixed the issues with the host-only-interfaces that persist when
hardining is enabled.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Hardening mode in VirtualBox is quite restrictive and on some systems it
could make sense to disable hardening mode, especially while we still
have issues with hostonly networking and other issues[TM] we don't know
or haven't tested yet.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It turns out that installing therubytracer, with dependency on old v8, even
when using source libv8 version is problematic.
(see
http://stackoverflow.com/questions/21666379/problems-installing-gitlab-on-odroid-v8-lib-not-available).
But wait, rails does not even need therubytracer, just any kind of javascript
server side execution framework like nodejs. Well just use that, as also
suggested from different internet sources (look link above), it works just
fine.
We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!
Fixes#5283.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I had to make several adjustments to make it work with nixos:
* Replace relative config file lookups with ENV variable.
* Modify gitlab-shell to not clear then environment when running
pre-receive.
* Modify gitlab-shell to write some environment variables into
the .authorized_keys file to make sure gitlab-shell reads the
correct config file.
* Log unicorn output to syslog.
I tried various ways of adding a syslog package but the bundler would
not pick them up. Please fix in a better way if possible.
* Gitlab-runner program wrapper.
This is useful to run e.g. backups etc. with the correct
environment set up.
Since we're using HTTPS for the binary cache (introduced in faf0797) by
default, the binary cache should also be available during installation.
The file that is defined in SSL_CERT_FILE outside of the chroot is
copied over to /tmp/ca-cert.crt inside the chroot, so we have an
absolute path we can reference during nixos-install. However, this might
end up with the file not being cleaned up properly from outside of the
store, but neither would be /tmp/root so the cleanup issue needs to be
solved in another place (or commit to be more exact).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current nixos module for VirtualBox unconditionally configures a vboxnet0
network interface at boot. This may be undesired, especially when the user wants
to manage network interfaces in a centralized manner.
- Create container nixos profile
- Create lxc-container nixos config using container nixos profile
- Docker nixos image, use nixos profile for its base config
The default configuration installed the Bitstream Vera fonts, but DejaVu
is a superior replacement, and the default Fontconfig settings need it
now for the generic faces monospace, sans-serif, and serif.
Details:
* The option `fonts.fontconfig.ultimate.enable` can be used to disable
the fontconfig-ultimate configuration.
* The user-configurable options provided by fontconfig-ultimate are
exposed in the NixOS module: `allowBitmaps` (default: true),
`allowType1` (default: false), `useEmbeddedBitmaps` (default: false),
`forceAutohint` (default: false), `renderMonoTTFAsBitmap` (default:
false).
* Upstream provides three substitution modes for substituting TrueType
fonts for Type 1 fonts (which do not render well). The default,
"free", substitutes free fonts for Type 1 fonts. The option "ms"
substitutions Microsoft fonts for Type 1 fonts. The option "combi"
uses a combination of Microsoft and free fonts. Substitutions can also
be disabled.
* All 21 of the Infinality rendering modes supported by fontconfig-ultimate
or by the original Infinality distribution can be selected through
`fonts.fontconfig.ultimate.rendering`. The default is the medium style
provided by fontconfig-ultimate. Any of the modes may be customized,
or Infinality rendering can be disabled entirely.
Details:
* The option `fonts.enableFontConfig` has (finally) been renamed
`fonts.fontconfig.enable`.
* Configurations are loaded in this order: first the Fontconfig-upstream
configuration is loaded, then the NixOS-specific font directories are
set, the system-wide default configuration is loaded, and finally the
user configuration is loaded (if enabled).
* The NixOS options `fonts.fontconfig.defaultFonts.monospace`,
`fonts.fontconfig.defaultFonts.sansSerif` and
`fonts.fontconfig.defaultFonts.serif` are added to allow setting the
default system-wide font used for these generic faces. The defaults
are the appropriate faces from the DejaVu collection because of their
comprehensive Unicode coverage, clean rendering, and excellent
legibility.
* The NixOS option `fonts.fontconfig.antialias` can be used to disable
antialiasing (it is enabled by default).
* The options `fonts.fontconfig.subpixel.rgba` and
`fonts.fontconfig.subpixel.lcdfilter` control the system-wide default
settings for subpixel order and LCD filtering algorithm,
respectively.
* `fonts.fontconfig.hinting.enable` can be used to disable TrueType font
hinting (it is enabled by default).
`fonts.fontconfig.hinting.autohint` controls the FreeType autohinter.
`fonts.fontconfig.hinting.style` controls the hint style; it is "full"
by default.
* User configurations can be disabled system-wide by setting
`fonts.fontconfig.includeUserConf = false`. They are enabled by
default so users can set Fontconfig options in the desktop environment
of their choice.
This overhauls the Tor module in a few ways:
- Uses systemd service files, including hardening/config checks
- Removed old privoxy support; users should use the Tor Browser
instead.
- Remove 'fast' circuit/SOCKS port; most users don't care (and it adds
added complexity and confusion)
- Added support for bandwidth accounting
- Removed old relay listenAddress option; taken over by portSpec
- Formatting, description, code cleanups.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Rather than trying to override the 'torsocks' executable in $PATH, the
new module instead properly configures `/etc/tor/torsocks.conf` and puts
the normal `torsocks` executable in $PATH so it can work out of the box.
As a bonus, I think this module actually works now, because the torsocks
configuration has changed a lot from when this was written, it seems...
Signed-off-by: Austin Seipp <aseipp@pobox.com>
'torify' now ships with the tor bundle itself; and using torsocks is
recommended over tsocks (torify will use torsocks automatically.)
Signed-off-by: Austin Seipp <aseipp@pobox.com>
From http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
You disable the assignment of fixed names, so that the unpredictable
kernel names are used again. For this, simply mask udev's rule file for
the default policy: ln -s /dev/null
/etc/udev/rules.d/80-net-setup-link.rules (since v209: this file was
called 80-net-name-slot.rules in release v197 through v208)
From http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
You disable the assignment of fixed names, so that the unpredictable
kernel names are used again. For this, simply mask udev's rule file for
the default policy: ln -s /dev/null
/etc/udev/rules.d/80-net-setup-link.rules (since v209: this file was
called 80-net-name-slot.rules in release v197 through v208)
Following the discussion NixOS#5021:
- obsolete the nix.proxy option
- add the networking.proxy option
- open a default no_proxy environment variable
- add a rsync option
- Manual tests ok.
- Automatic tests ok.
Amended by lethalman to simplify the option descriptions.
Using primusrun will work as expected in a multilib environment. Even if the initial program
executes a antoehr program of the another architecture. Assuming the program does not modify
LD_LIBRARY_PATH inappropriately.
This does not update virtualgl for seemless multilib. I was unable to get a mixed 64/32 bit
environment to work with VirtualGL. The mechanism VirtualGL uses to inject the fake GL library would
fail if both 32bit and 64 bit libraries were in the environment. Instead the bumblebee package
creates a optirun32 executable that can be used to run a 32bit executable with optimus on a 64 bit
host. This is not created if the host is 32bit.
For my usage, gaming under wine, the primusrun executable works as expected regardless of
32bit/64bit.
VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.
The hardened.patch implements two things:
* Set the binary directory to the setuid-wrappers dir so that
VboxSVC calls them instead of the binaries from the store path. The
reason behind this is because nothing in the Nix store can have the
setuid flag.
* Excempt /nix/store from the group permission check, because while it
is group-writeable indeed it also has the sticky bit set (and also
the whole store is mounted read-only on most NixOS systems), so we're
checking on that as well.
Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We will simply rename the previous module and add a warning whenever the
module is included directly, pointing the user to the right option and
also enable it as well (in case somebody has missed the option and is
wondering why VirtualBox doesn't work anymore).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Especially new users could be confused by this, so we're now marking
services.virtualbox.enable as obsolete and defaulting to
services.virtualboxGuest.enable instead. I believe this now makes it
clear, that this option is for guest additions only.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is needed when /etc/resolv.conf is being overriden by networkd
and other configurations. If the file is destroyed by an environment
activation then it must be rebuilt so that applications which interface
with /etc/resolv.conf directly don't break.
There currently are collisions between the main CUPS package and the
filters package, which are:
* $storepath/share/cups/banners/classified
* $storepath/share/cups/banners/confidential
* $storepath/share/cups/banners/secret
* $storepath/share/cups/banners/standard
* $storepath/share/cups/banners/topsecret
* $storepath/share/cups/banners/unclassified
* $storepath/share/cups/data/testprint
And they actually have different content, so let's ignore those for now
until we have a better fix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The NixOS manual says modules have the following signature:
{ config, lib, pkgs, ... }:
But our generated configuration.nix file lacks the 'lib' part. Add it.
The host id value gets generated by reading a 32-bit value from
/dev/urandom.
This makes programs that rely on a correct host id more reliable.
It also makes using ZFS more seamless, as you don't need to configure
the hostId manually; instead, it becomes part of your config from the
moment you install NixOS.
The old boot.spl.hostid option was not working correctly due to an
upstream bug.
Instead, now we will create the /etc/hostid file so that all applications
(including the ZFS kernel modules, ZFS user-space applications and other
unrelated programs) pick-up the same system-wide host id. Note that glibc
(and by extension, the `hostid` program) also respect the host id configured in
/etc/hostid, if it exists.
The hostid option is now mandatory when using ZFS because otherwise, ZFS will
require you to force-import your ZFS pools if you want to use them, which is
undesirable because it disables some of the checks that ZFS does to make sure it
is safe to import a ZFS pool.
The /etc/hostid file must also exist when booting the initrd, before the SPL
kernel module is loaded, so that ZFS picks up the hostid correctly.
The complexity in creating the /etc/hostid file is due to having to
write the host ID as a 32-bit binary value, taking into account the
endianness of the machine, while using only shell commands and/or simple
utilities (to avoid exploding the size of the initrd).
It turns out that the upstream systemd services that import ZFS pools contain
serious bugs. The first major problem is that importing pools fails if there
are no pools to import. The second major problem is that if a pool ends up in
/etc/zfs/zpool.cache but it disappears from the system (e.g. if you
reboot but during the reboot you unplug your ZFS-formatted USB pen drive),
then the import service will always fail and it will be impossible to get rid
of the pool from the cache (unless you manually delete the cache).
Also, the upstream service would always import all available ZFS pools every
boot, which may not be what is desired in some cases.
This commit will solve these problems in the following ways:
1. Ignore /etc/zfs/zpool.cache. This seems to be a major source of
issues, and also does not play well with NixOS's philosophy of
reproducible configurations. Instead, on every boot NixOS will try to import
the set of pools that are specified in its configuration. This is also the
direction that upstream is moving towards.
2. Instead of trying to import all ZFS pools, only import those that are
actually necessary. NixOS will automatically determine these from the
config.fileSystems.* option. Also, the user can import any additional
pools every boot by adding them to the config.boot.zfs.extraPools
option, but this is only necessary if their filesystems are not
specified in config.fileSystems.*.
3. Added options to configure if ZFS should force-import ZFS pools. This may
currently be necessary, especially if your pools have not been correctly
imported with a proper host id configuration (which is probably true for 99% of
current NixOS ZFS users). Once host id configuration becomes mandatory when
using ZFS in NixOS and we are sure that most users have updated their
configurations and rebooted at least once, we should disable force-import by
default. Probably, this shouldn't be done before the next stable release.
WARNING: This commit may change the order in which your non-ZFS vs ZFS
filesystems are mounted. To avoid this problem (now or in the future)
it is recommended that you set the 'mountpoint' property of your ZFS
filesystems to 'legacy', and that you manage them using
config.fileSystems, just like any other non-ZFS filesystem is usually
managed in NixOS.
Also remove custom zfs services from NixOS. This makes NixOS more aligned with
upstream.
More importantly, it prepares the way for NixOS to use ZED (the ZFS event
daemon). This service will automatically be enabled but it is not possible to
configure it via configuration.nix yet.
The dnscrypt-proxy service relays regular DNS queries to
a DNSCrypt enabled upstream resolver.
The traffic between the client and the upstream resolver is
encrypted and authenticated, which may mitigate the risk of
MITM attacks and third-party snooping (assuming a trustworthy
upstream).
Though dnscrypt-proxy can run as a standalone DNS client,
the recommended setup is to use it as a forwarder for a
caching DNS client.
To use dnscrypt-proxy as a forwarder for dnsmasq, do
```nix
{
# ...
networking.nameservers = [ "127.0.0.1" ];
networking.dhcpcd.extraConfig = "nohook resolv.conf";
services.dnscrypt-proxy.enable = true;
services.dnscrypt-proxy.localAddress = "127.0.0.1";
services.dnscrypt-proxy.port = 40;
services.dnsmasq.enable = true;
services.dnsmasq.extraConfig = ''
no-resolv
server=127.0.0.1#40
listen-address=127.0.0.1
'';
# ...
}
```
Perl seems to write the file in latin1 independent of the actual input
encoding. This can corrupt the "description" field of /etc/passwd. By
setting "binmode" to ":utf8" Perl can be forced to write UTF-8. Ideally
the program would simply read/write the fields by value without any
changes in encoding. However, assuming/enforcing UTF-8 is a lot better
than using an obsolete coding like latin1.
Regression introduced in f496c3cbe4.
Previously when we used security.initialRootPassword, the default
priority for this option was 1001, because it was a default value set by
the option itself.
With the mentioned commit, it is no longer an option default but a
mkDefault, which is priority 1000.
I'm setting this to 150 now, as test-instrumentation.nix is using this
for overriding other options and because I think it still makes it
possible to simple-override it, because if no priority is given, we get
priority 100.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
In this case, they're equivalent to setting ‘password’ and
‘hashedPassword’ (since there is no distinction between an initial and
non-initial user account state).
This changes the bootloader for iso generation from Grub to
syslinux. In addition this adds USB booting support, so that
"dd" can be used to burn the generated ISO to USB thumbdrives
instead of needing applications like UnetBootin.
from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
I'm not sure what exactly this user is needed for, i.e. under what circumstances
it must exist or not, but creating it unconditionally seems like the wrong thing
to do. I complained to @offlinehacker about this on Github, but got no response
for a week or so. I'm disabling the extraUsers bit to put out the fire, and now
hope that someone who actually knows about Graphite implements a proper solution
later.
I.e. don't call "passwd" to update /etc/shadow from the "password"
option. This has the side-effect of not updating the password if
mutableUsers = true (since the code path for "hashedPassword" has a
check for mutableUsers).
Fixes#4747.
Partially and temporarily addresses NixOS/nixops#228.
We now have an up-to-date version of Blivet and a bunch of its dependen-
cies as well as the old nixpart 0.4 with all its old and crappy
dependencies, which should fix _simple_ partitioning layouts for NixOps.
Also, nixpart 1.0 is now marked as broken, because it is not yet
released and this branch is more of a preparation and "damage control"
in case I shouldn't manage to finish nixpart + nixos-assimilate in time
for the next NixOS release.
I'm not using JFS, but this is to mainly make jfsutils available if you
have defined a JFS filesystem in your configuration.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This helps in setting a fixed firewall open port for NFS lockd.
Based on:
http://rlworkman.net/howtos/NFS_Firewall_HOWTO
(cherry picked from commit b32ca0616ff70795f71995fa79ea508b82f30b3a)
Conflicts:
nixos/modules/services/network-filesystems/nfsd.nix
This option makes the coupling between lighttpd and its sub-services
more "loose".
While the option is a list, its purpose is to provide a "set" of needed
modules to load for lighttpd to function correctly with its config. The
NixOS lighttpd module ensures that lighttpd modules are loaded no more
than once (because lighttpd dislikes that), and in the correct order.
Also add an assertion that all modules listed in .enableModules are
valid.
Any reasonably new version of fontconfig does search that path by default,
and setting this globally causes problems, as 2.10 and 2.11 need
incompatible configs.
Tested: slim+xfce desktop, chrootenv-ed steam.
I have no idea why we were setting the global variable;
e.g., neither Fedora nor Ubuntu does that.
This commit updates the stumpwm to version 0.9.8. Futhermore, it
refactors the expression quite a lot:
* stumpwm has been moved from lisp modules to window-managers.
* stumpwm has been added to the window managers NixOS knows about, this
enables the user to add stumpwm as a default window manager in his
NixOS configuration like with Xmonad or i3.
* the package has been split into stumpwm and stumpwmContrib. This is
due to the fact that development of stumpwm and its extension modules
has been split into two repositories. As of today, the release is the
last one before this split. This split into two packages only reflect
those upcoming upstream changes already.
It is planned to make the addition of the extension modules voluntarily,
like with Xmonads option "enableContribAndExtras". Furthermore it might
be possible to add an option to compile stumpwm with clisp instead of
sbcl.
This allows you to configure extra files that should be appended to your
crontab. Implemented by writing to /etc/crontab when the cron service starts.
Would be nicer to use a cron that supports /etc/cron.d but that would require
us to patch vixie-cron.
3.16.0 introduced a regression where vlan and veth devices could not be
created due to a check in the code for existing devices. This applies
the upstream patch which fixes the issue.
Additionally, this corrects the nixos network-interfaces task which now
needs to specify the name parameter when adding links.
The .configText option is for providing verbatim content of smb.conf.
I'm adding this because I cannot seem to find any other way to override
(with mkForce) the generated smb.conf with the current samba module. All
attempts ends with errors ("duplicate entry samba/smb.conf").
It's not that difficult to define shares using standard samba config
file syntax, so why do we need the semi-configurable .defaultShare
option?
Also:
* It uses /home/smbd and I think /home should be reserved
for real human users.
* If enabled, it breaks the assumption that .extraConfig continues in
the [global] section.
Without .defaultShare there is no need for the "smbguest" user and group
either, mark them as unused.
Option defaults should not refer to store paths, because they cause
the manual to be rebuilt gratuitously. It's especially bad to refer to
a highly variable path like a computed configuration file.
This fixes the issue when the LXC emulator binary is garbage collected
and breaks libvirtd containers, because libvirtd XML file still refers
to GC'ed store path.
We already have a fix for QEMU, this commit extends the fix to cover LXC
too.
This tells the sad tale of @the-kenny who had bind-mounted his home
directory into a container. After doing `nixos-container destroy` he
discovered that his home directory went from "full of precious data" to
"no more data".
We want to avoid having similar sad tales in the future, so this now also
check this in the containers VM test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes a leftover from 330fadb706.
We're using systemd dbus notifications now and this leftover caused the
startup notification to fail.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I'm not really sure which one of types.lines or types.str that fit
better, but I'm going for types.lines because it behaves more like the
current type (i.e. have the ability to merge).
Within the module it's referenced with an uppercase "P" and ipv6Address
also begins with an uppercase "A" after the "6", so let's make it
consistent.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
For Nix, we indent using two spaces, but in this module somehow 4 spaces
were snuck in. Other than that, remoteControl and ratelimit are just
nested attribute sets, so we don't need to make another submodule type
for no particular reason.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is proprietary software, and NixOS is intended as a free software
distribution. We currently don't have a mechanism like allowUnfree for
NixOS modules, so it's better to leave out modules for such
packages. Of couse, they can still be activated by doing:
imports = [ <nixpkgs/nixos/services/networking/copy-com.nix ];
Currently, nixos will allow for interface names with special characters
such as the hyphen to be used. This presents a problem when using
systemd device names as the namespace paths are separated using hyphens.
Within systemd, if a device name has a hyphen it should be replaced with
the escape sequence \x2d.
This patch sanitizes all interface names before they are used in a
systemd device string.
The gummiboot-builder.py script is expecting the @timeout@ metavar to be
substituted for either an empty string (in the case where a user has
left the timeout unset) or the actual value set in the system
configuration.
However, the config.boot.loader.gummiboot.timeout option defaults to
'null', and due to the way pkgs.substituteAll works, the substitution
for '@timeout@' is _never_ set to the empty string. This causes the
builder script to put a bogus line into /boot/loader/loader.conf:
timeout @timeout@
Fix this by explicitly setting 'timeout' to the empty string when it's
unset in the system configuration.
Signed-off-by: Josh Cartwright <joshc@eso.teric.us>
This conflicts with the existing reference NTP daemon, so we're using
services.ntp.enable = mkForce false here to make sure both services
aren't enabled in par.
I was already trying to merge the module with services.ntp, but it would
have been quite a mess with a bunch of conditions on the package name.
They both have a bit in common if it comes to the configuration files,
but differ in handling of the state dir (for example, OpenNTPd doesn't
allow it to be owned by anything other than root).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit 469f22d717, reversing
changes made to 0078bc5d8f.
Conflicts:
nixos/modules/installer/tools/nixos-generate-config.pl
nixos/modules/system/boot/loader/grub/install-grub.pl
nixos/release.nix
nixos/tests/installer.nix
I tried to keep apparently-safe code in conflicts.
Currently, device units are named directly after the name the user
specifies for the device. A bridge device named lan will be defined
within lan.service. This becomes a problem if you want your interface
named nginx but also want to run the nginx service.
This patch fixes the issue by appending netdev to all virtually created
network device units. Therefore, the lan bridge -> lan-netdev.service.
This naming convention is used for all types of network devices in order
to ensure that all network devices are unique.
This hopefully fixes a regression introduced by 08b214a.
In bf129a2, it was already fixed for normal uid/gid values and it got
reintroduced by sub-uid/gid-handling again, so I've refactored it a bit
into a filterNull function which takes care of also the filtering
introduced by bf129a2.
I have not tested this extensively, but master is already broken for
systems with `mutableUsers = true` and no uid values set.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* The module now has systemd config
* Add resolveLocalQueries option which sets up it as a dns server for
local host (including reasonable setup of resolvconf)
* Add "dnsmasq" user for running daemon
* Enabled dbus and dnssec support for the package
Conflicts:
nixos/modules/misc/ids.nix
Should bring most of the examples into a better consistency regarding
syntactic representation in the manual.
Thanks to @devhell for reporting.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
If Mediawiki was served from the root directory of the server
it was impossible to serve other directories.
Make sure that URLs defined in servedDirs are not rewritten.
Use case: serving local copy of MathJax
For example in VM tests, this causes firmware to be included in the
initrd. So until we have a better fix for adding early-stage module
options, I'll remove this.
Fixes a regression introduced by 0aa2c1d and closes#3764.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Now that the fail2ban service has the ".enable" option, I think it's
time to add it to the module list, so that we can enable it in
configuration.nix like this:
services.fail2ban.enable = true;
Additionally, remove the automatic initialization of the ipv6 forwarding
sysctl as this should be handled by the end user. This really should not
be an issue as most people running radvd are likely forwarding ipv6
packets.
This allows creating a container from an existing system store path,
which is especially nice for NixOps-deployed hosts because they don't
need a Nixpkgs tree anymore.
Systemd in a container will call sd_notify when it has finished
booting, so we can use that to signal that the container is
ready. This does require some fiddling with $NOTIFY_SOCKET.
Previously "machinectl reboot/poweroff" brutally killed the container,
as did "systemctl stop/restart". And reboot didn't actually work. Now
everything is fine.
On some non-NixOS systems (for example those using "resolvconf"),
/etc/resolv.conf is a symlink. So let's dereference when copying hasts
and resolv.conf.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With mutableUsers = true, we now ensure that all users and groups that
were created declaratively, are updated or removed
appropriately. Thus, adding a user to users.extraUsers and then
removing it now causes the acoount to be removed from
/etc/passwd. Thus user/group management is fully congruent except that
users and groups that were created imperatively (via useradd/groupadd)
are not touched. We distinguish between declarative and imperative
users/groups by tracking the former in
/var/lib/nixos/declarative-{groups,users}.
With mutableUsers = false, you are now no longer required to specify
UIDs/GIDs for all users. The handling of mutableUsers = true/false is
the same code path; the only difference is that the "false" mode
ignores the existing contents of /etc/{passwd,group}.
The attribute ‘createUser’ is gone. It doesn't really make sense to
specify users that shouldn't be created.
Used to add GI_TYPELIB_PATH and LD_LIBRARY_PATH for gnome shell extensions
or other libraries and services.
Not a great solution but may be the start for further work. Let's make
some cool packages work for now.
Previously, we had no method for creating 6-to-4 tunneled interfaces.
This patch adds the option networking.sits, which allows the user to
create named 6-to-4 sit devices.
Setting "services.lighttpd.gitweb.enable" to true doesn't enable the
required lighttpd modules to actually make it work. The problem is that
"or" and "||" don't mean the same thing: "or" falls back to the second
operand if the first is not defined, whereas "||" is the normal logical
operator. When cfg.cgit.enable is defined, as false, the expressions
don't have the desired effect.
[Bjørn: modify commit message]
Previously "machinectl reboot/poweroff" brutally killed the container,
as did "systemctl stop/restart". And reboot didn't actually work. Now
everything is fine.
curl does not retry if it is unable to connect to the metadata server.
For some reason, when creating a new AMI with a recent nixpkgs, the
metadata server would not be available when fetch-ec2-data ran. Switching
to wget that can retry even on TCP connection errors solved this problem.
I also made the fetch-ec2-data depend on ip-up.target, to get it to start
a bit later.
Removed the 'wait for GCE metadata service' job, as it was causing
issues with the metadata service (likely some firewall or something).
In stead, use wget with retries (including connection refused) in
stead or curl for fetching the SSH keys. Also made the stdout/-err
of this job appear in the console.
/tmp cleaning is done by systemd rather than stage-2-init
enableEmergencyMode moved from systemd to seperate module
new option to mount tmp on tmpfs
new option to enable additional units shipped with systemd
This version of module has disabled socketActivation, because until
nixos upgrade systemd to at least 214, systemd does not support
SocketGroup. So socket is created with "root" group when
socketActivation enabled. Should be fixed as soon as systemd upgraded.
Includes changes from #3015 and supersedes #3028
It's more standard than $OPENSSL_X509_CERT_FILE (which I guess was a
totally unnecessary patch to OpenSSL). Since curl respects
$SSL_CERT_FILE, it's no longer needed to set $CURL_CA_BUNDLE. Git
unfortunately doesn't.
All activation scripts run in serial upon boot and nixos-rebuild switch
etc., in contrast to preStart which run before a service starts, and can
run in parallel with other services.
The munin(-node) activation script is particularly slow. Change it to a
preStart script so that it can run in parallel with other services and
not slow down boot (or nixos-rebuild switch).
This reduces (repeated) "nixos-rebuild test" time from ~16 seconds to ~8
on my (old) laptop.
We now track copied files in /etc/.clean. This is important, because
otherwise files that are removed from environment.etc will not
actually be removed from the file system. In particular, changing
users.extraUsers.<user>.openssh.authorizedKeys.keys to an empty list
would not cause /etc/ssh/authorized_keys.d/<user> to be removed, which
was a security issue.
This is due to breaking evaluation; see the PR discussion.
This reverts commit 6a77d5fd3e, reversing
changes made to 07a09fbe63.
Conflicts:
nixos/modules/services/x11/desktop-managers/default.nix
Hydra: ?compare=1138350
Conflicts:
nixos/modules/services/x11/desktop-managers/default.nix
Two imports were added independently on the same line.
I split it as well, as it was very long now.
It only needs to be started during boot. Starting it at other times
shouldn't hurt, except that if systemd-journald is restarting at the
same time, the latter might not have a SIGUSR1 signal handler
installed yet, so it might be killed by systemd-journal-flush. (At
least that's my theory about the dead systemd-journald instances in
the build farm...)
Commit 89fee1006c ("nixos/redis: clean up
option types") broke nixos evaluation:
error: attempt to call something which is not a function but a set, at .../nixpkgs/nixos/modules/services/databases/redis.nix:111:28
Fix it.
Reported by Oliver Charles (thanks!).
Apart from s/types.string/types.str/ (or types.lines where appropriate):
* port is changed from string to int.
* extraFlags is changed from types.string (with unfortunate merge
semantics) into a list of strings. A list of strings merge better:
one space is added between elements.
It's only needed during early boot (in fact, it's probably not needed
at all on NixOS). Restarting it is expensive because it does a sync()
of the root file system.
This reverts commit a3331eb87b.
See https://github.com/NixOS/nixpkgs/issues/2559#issuecomment-47313334
for a description why this is not a good idea.
I guess it's better to implement a sane way to remove all files in
authorized_keys.d, especially because it is also backwards-compatible.
Reopens#2559.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.
This also removes the vserver kernel, since it's probably not nearly as
used.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
- Upgrade Nagios Core to 4.x
- Expose mainConfigFile and cgiConfigFile in module for finer
configuration control.
- Upgrade Plugins to 2.x
- Remove default objectDefs, which users probably want to customize.
- Systemd-ify Nagios module and simplify directory structure
- Upgrade Nagios package with more modern patch, and ensure the
statedir is set to /var/lib/nagios
Signed-off-by: Austin Seipp <aseipp@pobox.com>
music_directory "${cfg.musicDirectory}"
playlist_directory "${cfg.dataDir}/playlists"
db_file "${cfg.dataDir}/tag_cache"
state_file "${cfg.dataDir}/state"
sticker_file "${cfg.dataDir}/sticker.sql"
all refer to ${cfg.datadir}, which by default is "/var/lib/mpd/".
Parsing for instance ${cfg.datadir}/playlists results in:
/var/lib/mpd//playlists - NOT FOUND.
An escape char is needed to prevent "$ nix" from being evaluated and
expanded to an empty string. With this change the resulting text is
$ nix-env -qaP | grep wget
instead of
-env -qaP | grep wget
systemd escaping rules translate this into a string containing '\'
which is treated by some code paths as quoted, and by others as unquoted
causing the affected units to fail.
Currently, the restartTriggers are abusing the systemd unit file in that
the cfg.carbon.config/storageAggregation/... option text is pasted into
the unit file. Even though this sort-of works (the service is restarted
if the config changes) this causes systemd to print error messages about
invalid sections (rightfully so!).
The correct use of restartTriggers is to list storage paths, which is
what this change does. If any of the
cfg.carbon/config/storageAggregation/... options change, configDir will
get a new hash. It is not as "fine grained" as the current version, but
it is not abusing the interface.
Also, remove unneeded 'waitress' in one of the restartTriggers, because
it is already listed as part of the service config.
When formatting a nixos usb using my windows machine I noticed that the
disk labeling using periods was not compatible with my linux kernel /
udev recognition. When labeling a volume NIXOS_14.10 under Windows, it would
show up as NIXOS_14_10 on NixOS. This meant that /dev/root would never come
up at boot time, preventing the livecd from starting.
This patch works around this issue by eliminating any special characters
other than underscores. The previous versioning didn't seem all that
useful, especially when consdering there are many different version of
the year.month named iso.
graphitePort must point to the port that carbon-cache listens on, not
the graphite webUI port.
With this change I finally got data from statsd to graphite.
It's "aggregation" with two 'g's.
Fixes this:
carbon-cache[9363]: [console] /nix/store/drxq4jj92sjk3cjik2l4hnsndbray3i4-graphite-config/storage-aggregation.conf not found, ignoring.
One reason for adding this is to make Chromium able to open files it has
downloaded.
Currently this happens:
/run/current-system/sw/bin/xdg-open: line 364: gnome-open: command not found
(And nothing happens in the GUI when clicking a downloaded file.)
Looking into xdg-open, one can see that it first tries to run gvfs-open
and then falls back to gnome-open. Adding 'gvfs' makes the first command
succeed.
Restarting user@ instances is bad because it causes all user services
(such as ssh-agent.service) to be restarted. Maybe one day we can have
switch-to-configuration restart user units in a fine-grained way, but
for now we should just ignore user systemd instances.
Backport: 14.04
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
"nixos-install --chroot" runs a command (by default a login shell) in
a chroot inside the NixOS installation in /mnt. This might useful for
poking around a new installation.
By setting a line like
MACVLANS="eno1"
in /etc/containers/<name>.conf, the container will get an Ethernet
interface named mv-eno1, which represents an additional MAC address on
the physical eno1 interface. Thus the container has direct access to
the physical network. You can specify multiple interfaces in MACVLANS.
Unfortunately, you can't do this with wireless interfaces.
Note that dhcpcd is disabled in containers by default, so you'll
probably want to set
networking.useDHCP = true;
in the container, or configure a static IP address.
To do: add a containers.* option for this, and a flag for
"nixos-container create".
This allows you to use the Linux kernel's built-in compressed memory as
swap space functionality.
It is recommended to enable only for kernel 3.14 (which is when zram came out of
the staging drivers area) or higher.
Personal information management application that provides integrated mail,
calendaring and address book functionality
https://wiki.gnome.org/Apps/Evolution
This overhauls the Datadog module a bit to be much more useful. In
particular, it adds support for nginx and postgresql monitoring
integrations to dd-agent. These have to exist in separate files under
/etc/dd-agent, so the module just exposes then as separate options. In
the future, more integrations could be added this way.
In the process of doing this, I also had to rename the dd-agent user to
datadog. Note the UIDs did not change, so this is strictly backwards
compatible. The reason for this is to make it easier to create a
'datadog' postgres user with access to pg_stats, as 'dd-agent' typically
isn't a valid username. This allows the out of the box configurations to
be used.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
If /boot is a btrfs subvolume, it will be on a different device than /
but not be at the root from grub's perspective. This should be fixed in
a nicer way by #2449, but that can't go into 14.04.
Dmidecode fails in our EFI test with the error "SMBIOS entry point
missing". But we don't need dmidecode because we have already have
systemd-detect-virt.
NixOS has a pervasive dependency on bash. For instance, the X11
session script sources /etc/profile to get a reasonable
environment. Thus we should not provide an option to disable bash.
Also, enabling zsh no longer sets ‘users.defaultUserShell’ to zsh, to
prevent a collision with bash's definition of the same
option. (Changing the default shell is also something that should be
left to the user.)
Previously all card-specific stuff was scattered across xserver.nix
and opengl.nix, which is ugly. Now it can be kept together in a single
card-specific module. This required the addition of a few internal
options:
- services.xserver.drivers: A list of { name, driverName, modules,
libPath } sets.
- hardware.opengl.package: The OpenGL implementation. Note that there
can be only one OpenGL implementation at a time in a system
configuration (i.e. no dynamic detection).
- hardware.opengl.package32: The 32-bit OpenGL implementation.
Fixes#2379.
The new name was a misnomer because the values really are X11 video
drivers (e.g. ‘cirrus’ or ‘nvidia’), not OpenGL implementations. That
it's also used to set an OpenGL implementation for kmscon is just
confusing overloading.
The Tarsnap module is now far more flexible, allowing individual
archives with individual options to be specified at will, allowing
granular backup schedules, etc.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This reverts commit 6eaced3582. Doesn't
work very well, e.g. if you actually have the FUSE module loaded. And
in any case it's already fixed in NixOps.
Otherwise, when switching from systemd 203 to 212, you get errors like:
Failed to stop remote-fs.target: Bad message
Failed to stop systemd-udevd-control.socket: Bad message
...
These fail to mount if you don't have the appropriate kernel support,
and this confuses NixOps' ‘check’ command. We should teach NixOps not
to complain about non-essential mount points, but in the meantime it's
better to turn them off.
By default, socat only waits 0.5s for the remote side to finish after
getting EOF on the local side. So don't close the local side, instead
wait for socat to exit when the remote side finishes.
http://hydra.nixos.org/build/10663282
This fixes several problems in the dhcpcd service:
* A segfault during startup, due to a race with udev (dhcpcd would get
an ADD event from udev, causing it to re-add an interface that it
already had, leading to a segfault later on).
* A hang/segfault processing "dhcpcd rebind" (which NixOS calls after
waking up from suspend).
Also, add "lo" to the list of ignored interfaces. It usually ignores
"lo", but apparently not when it gets an ADD event from udev.
Upstream has not been tagging new versions for a long time, but we need
compatibility with newer kernels. The 0.6.2 versions already have a bunch of
backported compatibility patches, but 3.14 kernels need even more.
Also, the git versions have fixed a bunch of crashes and other bugs, so perhaps
we should just bite the bullet and just use recent git versions (as sometimes
upstream recommends, when people run into bugs).
This adds a new "boot.zfs.useGit" boolean option, so that a user can
easily opt into using the git versions.
By enabling ‘services.openssh.startWhenNeeded’, sshd is started
on-demand by systemd using socket activation. This is particularly
useful if you have a zillion containers and don't want to have sshd
running permanently. Note that socket activation is not noticeable
slower, contrary to what the manpage for ‘sshd -i’ says, so we might
want to make this the default one day.
Only one process can interact with the TPM module and
that process should be tcsd. The tpm_rng kernel module
should instead be loaded and /dev/hwrnd be used to
read the TPM random generator.
Also, log which random generator devices are used by
rngd on startup.
This causes OpenVPN services to reach the "active" state when the VPN
connection is up (i.e., after OpenVPN prints "Initialization Sequence
Completed"). This allows units to be ordered correctly after openvpn-*
units, and makes systemctl present a password prompt:
$ start openvpn-foo
Enter Private Key Password: *************
(I first tried to implement this by calling "systemd-notify --ready"
from the "up" script, but systemd-notify is not reliable.)
This seems to have combined badly with the systemd upgrade, we'll revert
for now and revisit after the 14.04 branch.
This reverts commit ad80532881, reversing
changes made to 1c5d3c7883.
The ability for unprivileged users to mount external media is useful
regardless of the desktop environment. Also, since udisks2 is
activated on-demand, it doesn't add any overhead if you're not using it.
Apparently systemd is now smart enough to figure out predictable names
for QEMU network interfaces. But since our tests expect them to be
named eth0/eth1..., this is not desirable at the moment.
http://hydra.nixos.org/build/10418789
This used to work with systemd-nspawn 203, because it bind-mounted
/etc/resolv.conf (so openresolv couldn't overwrite it). Now it's just
copied, so we need some special handling.
This led to the container test failing, which made no sense
whatsoever, until I realized nix-daemon.socket creates the socket
directory as a side effect, which systemd-nspawn then bind-mounts.
http://hydra.nixos.org/build/10397575
This has some advantages:
* You get ssh-agent regardless of how you logged in. Previously it was
only started for X11 sessions.
* All sessions of a user share the same agent. So if you added a key
on tty1, it will also be available on tty2.
* Systemd will restart ssh-agent if it dies.
* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
more secure than /tmp.
For bonus points, we should patch ssh-agent to support socket-based
activation...
With ‘systemd.user.units’ and ‘systemd.user.services’, you can specify
units used by per-user systemd instances. For example,
systemd.user.services.foo =
{ description = "foo";
wantedBy = [ "default.target" ];
serviceConfig.ExecStart = "${pkgs.foo}/bin/foo";
};
declares a unit ‘foo.service’ that gets started automatically when the
user systemd instance starts, and is stopped when the user systemd
instance stops.
Note that there is at most one systemd instance per user: it's created
when a user logs in and there is no systemd instance for that user
yet, and it's removed when the user fully logs out (i.e. has no
sessions anymore). So if you're simultaneously logged in via X11 and a
virtual console, you get only one copy of foo.
If you define a unit, and either systemd or a package in
systemd.packages already provides that unit, then we now generate a
file /etc/systemd/system/<unit>.d/overrides.conf. This makes it
possible to use upstream units, while allowing them to be customised
from the NixOS configuration. For instance, the module nix-daemon.nix
now uses the units provided by the Nix package. And all unit
definitions that duplicated upstream systemd units are finally gone.
This makes the baseUnit option unnecessary, so I've removed it.
This allows specifying rules for systemd-tmpfiles.
Also, enable systemd-tmpfiles-clean.timer so that stuff is cleaned up
automatically 15 minutes after boot and every day, *if* you have the
appropriate cleanup rules (which we don't have by default).
mkdir -m will only set the permissions if it *creates* the directory.
Existing directories, with possibly wrong permissions, will not be
updated.
Use explicit chmod so permissions will always be correct.
The preStart snippets (graphite, carbon) try to create directories under
/var/db/. That currently fails because the code is run as user
"graphite". Fix by setting "PermissionsStartOnly = true" so that the
preStart stuff is run as 'root'.
Further:
* graphite-web-0.9.12/bin/build-index.sh needs perl, so add it to PATH.
* Now that preStart runs as root, we must wait with "chown graphite"
until we're done creating files/directories.
* Drop needless check for root (uid 0) before running chown.
