‘nixos-rebuild dry-activate’ builds the new configuration and then
prints what systemd services would be stopped, restarted etc. if the
configuration were actually activated. This could be extended later to
show other activation actions (like uids being deleted).
To prevent confusion, ‘nixos-rebuild dry-run’ has been renamed to
‘nixos-rebuild dry-build’.
Currently just makes sure that by default it's possible to open a
terminal.
And exactly this should be the main point that might confuse users of i3
in NixOS, because i3 doesn't print a warning/error if it is unable to
start the terminal emulator.
Thanks to @waaaaargh for reporting this issue.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.
If the host is shutting down, machinectl may fail because it's
bus-activated and D-Bus will be shutting down. So just send a signal
to the leader process directly.
Fixes#6212.
This was lost back in
ffedee6ed5. Getting this to work is
slightly tricky because ssh-agent runs as a user unit, and so doesn't
know the user's $DISPLAY.
* rewrite to systemd.services
* disable forking to give systemd better control
* verifiably run as ddclient user
* expose ssl option
* unset default value for dyndns server
* rename option "web" to "use" to be consistent with ddclient docs
* add descriptions
* add types to options
* clean up formatting
HAProxy fails to start with the default 'config'. Better disable it and
assert that the user provides a suitable 'config'. (AFAICS, there cannot
really be a default config file for HAProxy.)
The networkd implementation sets systemd.services.dhcpcd.enable to
false in nixos/modules/tasks/network-interfaces-systemd.nix. So we need
to respect that in the dhcpcd module.
If we don't, the resumeCommand is set nevertheless, which causes the
post-resume.service to fail after resuming:
Failed to reload dhcpcd.service: Unit dhcpcd.service is masked.
post-resume.service: main process exited, code=exited, status=1/FAILURE
Failed to start Post-Resume Actions.
Dependency failed for Post-Resume Actions.
Unit post-resume.service entered failed state.
post-resume.service failed.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Since Chromium version 42, we have a new user namespaces sandbox in the
upstream project. It's more integrated so the chrome://sandbox page
reports it as "Namespace Sandbox" instead of SUID sandbox, which we were
re-using (or abusing?) in our patch.
So if either "SUID Sandbox" or "Namespace Sandbox" reports with "Yes",
it's fine on our side.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Typical use:
nix.requireSignedBinaryCaches = true;
nix.binaryCachePublicKeys = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
(The public key of cache.nixos.org is included by default.)
Note that this requires Nix 1.9 and that most of cache.nixos.org
hasn't been signed yet.
Update chronos default port to match the one documented on
their website (http://airbnb.github.io/chronos). The one in
their repo (the current one) clashes with the marathon documented
one.
The Nixos Qemu VM that are used for VM tests can now start without
boot menu even when using a bootloader.
The Nixos Qemu VM with bootloader can emulate a EFI boot now.
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
Sawfish is a versatile, Lisp-based window manager
In that commit I include all Sawfish stack:
- librep, a lisp system;
- rep-gtk, bindings for gtk
- sawfish, the window manager
The PID 1 shell is executed as the last command in a sh invocation. Some
shells implicitly use exec for that, but the current busybox ash does not,
so the shell gets a wrong PID. Spell out the exec.
This test sometimes fails with
Kernel panic - not syncing: assertion "i && sym_get_cam_status(cp->cmd) == DID_SOFT_ERROR" failed: file "/tmp/nix-build-linux-3.14.32.drv-0/linux-3.14.32/drivers/scsi/sym53c8xx_2/sym_hipd.c", line 3399
after "sd 2:0:0:0: ABORT operation timed-out."
Since we don't care all that much about GRUB 1 anymore, don't make the
release depend on it.
http://hydra.nixos.org/build/19563197
When starting from a clean slate, the couchdb service fails.
First, the pre-start script fails because it tries to chown the uriFile,
which doesn't exist. It also doesn't ensure that the directory in which
the uriFIle is placed is writeable by couchdb, which could also cause
failure (though I didn't observe this).
Additionally, the log file's default location isn't a directory owned by
couchdb, nor is the file guaranteed to exist, nor is it guaranteed to be
chowned to the appropriate user. All of which can cause unexpected
failure.
As a bonus I made a small change in the description of the configFile
attribute, in the hopes of making it a little more obvious why it
existed.
When gummiboot.timeout == null, the menu will still be skipped.
When gummiboot.timeout == 0, the menu will also be skipped.
The only way to show the menu 'indefinitely' is to show it a long time.
Chromium is quite memory hungry and we frequently get random crashes in
the tests, so let's set it to 1024 MB because new releases of Chromium
most probably won't consume *less* memory.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I think this has been accidentally dropped by a099ca4, at least there is
no reason stated, why it shouldn't be included, so I'm bringing it back.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The renaming of options define the original value for the new attribute
path. This works well if there is only *one* target, but if there are
more, we end up recursing into the attribute set of the option
definition itself.
We now check for that within the parent recursion node (we can't check
that from the subnode, because we lack that information about whether
it's defined multiple times) and if the subnode consist entirely of a
list of definitions, we use mkMerge on it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.
After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
Absolute path is required when one has such postfix configuration
where he/she needs to specify the actual (real) path to active dovecot
config.
Without this commit applied, the dovecot is running in such way:
/nix/store/hashAAA-dovecot-ver/sbin/dovecot -F -c /nix/store/hashBBB-dovecot2.conf
and postfix can't be aware of the value of "hashBBB" via services.postfix.extraConfig = '' ... '';
(it can only be aware of "hashAAA" with ${pkgs.dovecot} parameter)
Also enable Restart on-failure.
Edit: set RestartSec to 1s
Adding Restart, RestartSec, StartLimitInterval to ensure that the service
is started in case if it can't assign (bind) the address as often it takes longer
for the network (e.g. dhcpcd) to get the IP assigned.
Now that dbus reload has been moved before restarting units,
the reload may fail if dbus has been stopped before.
The reload-or-restart will reload dbus if it's active,
otherwise start it.
Generating the file was refactored to be completely in nix.
Functionally it should create the same content as before,
only adding the newlines.
CC recent updaters: @aszlig, @rickynils.
This reverts commit 766207ca1d.
We need to solve the problem with `environment.profileRelativeEnvVars`.
The best workaround is to make profileRelativeEnvVars prepend paths.
This patch fixes the AppArmor profile path clause and adds
(currently ignored) network rules.
The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy,
but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink
to bin), which permitted the service to run unconfined.
Adding the network rules has no effect other than improving correctness,
as the version of AppArmor in the NixOS kernel fails to enforce network
rules.
postfix 2.11 is much more humane with respect to disk writes since it uses
sockets (which do not change inodes on accesses) instead of fifos (which do).
Added configurations to `bumblebee` package to easy multiple monitors on Optimus
machines.
The behaviour of the default `bumblebee` package hasn't change, so this change
is backwards compatible. Users who want to connect a monitor to their discrete
card should use the package `bumblebee_display` instead.
Also added new configuration option to nixos bumblebee module:
```
hardware.bumblebee.connectDisplay = true
```
will enable the new configuration, but the default is still false.
During install, the bootloader script gets run inside a chroot after the
/etc/group bind-mount is unmounted. Since we're not doing any building,
this should be safe, but really nix should just not care if the group
does not exist when no build is needed.
Fixes#5494
Since the 4.2.8 upgrade, ntpd is broken on NixOS:
Dec 28 19:06:54 hagbard ntpd[27723]: giving up resolving host 1.nixos.pool.ntp.org: Servname not supported for ai_socktype (-8)
This appears to be because DNS resolution doesn't work in chroots
anymore (due to /etc being missing). So disable chroots for now. It's
probably better to use systemd's containment facilities anyway.
Tested on KDE4, fixed with xfce, and was used with GNOME before.
CC @lethalman.
I did not test e19, as it won't build, probably due to #5392 @shlevy.
CC maintainer @matejc.
Also removed a forgotten unused patch.
Commit 939edb1 reintroduced autoStart, but instead of creating a list of
units for the wantedBy list with optional it became a list of lists of
units.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Add a script to add git branches for each channel.
To create / update references to remote / local channels, you have to run `./maintainers/scripts/update-channel-branches.sh` while you are at the top-level of nixpkgs work directory. To make this convenient for Nixpkgs / NixOS developer, one can run the following command:
```
$ git config --add alias.fetch-channels '!sh -c "$(git rev-parse --show-cdup)maintainers/scripts/update-channel-branches.sh"'
```
Which will register the alias fetch-channels such that the script can used from sub-directory of nixpkgs by running `git fetch-channels`.
Added attributes to nixos/tests/mesos.nix to verify that mesos-slave
attributes work. If the generated attributes are invalid, the daemon
should fail to start.
Change-Id: I5511245add30aba658b1af22cd7355b0bbf5d15c
This reverts commit 5d67b17901.
The issues have been resolved by ac603e208c.
Tested this with hostonlyifs and USB support with extension pack.
Conflicts:
nixos/modules/programs/virtualbox-host.nix
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Tested-by: Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>
IMHO, having a short timeout (1h) defeats the point of using
ssh-agent, which is not to have to retype passphrases all the time. Of
course, users who want timeouts can set programs.ssh.agentTimeout.
This restores the 14.04 behaviour.
Especially if the user isn't in the vboxusers group anymore, this gets
VERY noisy, because the VBoxSVC process emits warnings for every single
USB device noting that it's only possible to access it when the user is
in the vboxusers group.
So, we now have a debug attribute, where we can enable it when
necessary.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The "nix-store" command within the VM test is running without
NIX_REMOTE=daemon and since Nix 1.8 tries to open the store database in
read-write mode even for nix-store -qR.
Now, we're doing this properly and rely on setup hooks, which is the
same method that's used when you're building a library which depends on
blivet.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Because we have to rely on setuid wrappers on NixOS, we can't easily
hardcode the executable paths and set it 4755. So for all calls, we need
to change the runtime path executable directory to /var/setuid-wrappers/
and for verification we need to retain the executable directory.
Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL
and VBoxVolInfo don't reside in directories that are commonly in PATH,
but in /usr/lib/virtualbox in most mainstream distros. But because the
names of these executables are distinctive enough to not cause
collisions with other setuid programs, I'll leave it like that and not
patch up setuid-wrappers.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
/run/opengl-drivers should contain only libGL-related libraries, not
stuff like udev. Injecting anything into LD_LIBRARY_PATH is dangerous
because it can break applications that expect a different version of
the library.
Caused by eef9a8ac2a. Fixes#5371.
- Move lgi to luaPackages
- Use luaPackages in awesome and passthru lua
- Allow to pass lua modules to the awesome WM so that those can be used in the configuration
This is useful for adding extra functionality or defaults to _every_
nixos evaluation.
My use case is overriding behaviour for all nixos tests, for example
setting packageOverrides to newer versions and changing some default
dependencies/settings.
By making this accessible through an environment variable, this can now
be fully accomplished externally. No more need to fork
nixos/nixpkgs (which becomes a maintenance burden), just use the channel
instead and plug in via this envvar.
The warning was displayed whenever services.virtualboxHost.enable was
true, but if people were to enable hardening, they'd still get that
annoying message.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Creates unnecessary cruft in the root users home directory, which we
really don't need. Except the log, but therefore we now cat the log to
stderr and the private temporary directory is cleaned up afterwards.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current options for the XServer produce a huge amount of log messages. The
server produces around 70-80 messages per minute. The most messages look like
this:
display-manager-start[1846]: GetModeLine - scrn: 0 clock: 75200
display-manager-start[1846]: GetModeLine - hdsp: 1366 hbeg: 1414 hend: 1478 httl: 1582
display-manager-start[1846]: vdsp: 768 vbeg: 772 vend: 779 vttl: 792 flags: 9
Since theses messages aren't very useful, I propose to remove the `-logverbose`
and `-verbose` options from the XServer arguments.
This should display a big fat warning that people can hardly miss until
we have fixed the issues with the host-only-interfaces that persist when
hardining is enabled.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Essentially adds two more VirtualBox VMs to the test and also increases
the memory size of the qemu VM to 768 MB to make sure we don't run out
of memory too soon.
We're testing whether those two VMs can talk to either each other
(currently via ICMP only) or to/from the host via TCP/IP.
Also, this restructures the VM test a bit, so that we now pass in a
custom stage2Init script that has access to the store via a private
mount over the /nix/store that's already in the initrd. The reason why
this is a private mount is that we don't want to shadow the Nix store of
the initrd, essentially breaking cleanup functionality after the custom
stage 2 script (currently this is only "poweroff -f").
Note that setting the hostname inside the VirtualBox VM is *not* for
additional fanciness but to produce a different store path for the VM
image, so that VirtualBox doesn't bail out when trying to use an image
which is already attached to another VM.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Hardening mode in VirtualBox is quite restrictive and on some systems it
could make sense to disable hardening mode, especially while we still
have issues with hostonly networking and other issues[TM] we don't know
or haven't tested yet.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We're going to create more than one VirtualBox VM, so let's dynamically
generate subs specific to a particular VirtualBox VM, merging everything
into the testScript and machine expressions.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It turns out that installing therubytracer, with dependency on old v8, even
when using source libv8 version is problematic.
(see
http://stackoverflow.com/questions/21666379/problems-installing-gitlab-on-odroid-v8-lib-not-available).
But wait, rails does not even need therubytracer, just any kind of javascript
server side execution framework like nodejs. Well just use that, as also
suggested from different internet sources (look link above), it works just
fine.
Currently it pretty much tests starting up virtual machines and just
shutting down afterwards, but for both VBoxManage and the VirtualBox
GUI.
This helps catching errors in hardened mode, however we still need to
test whether networking works the way intended (and I fear that this is
broken at the moment).
The VirtualBox VM is _not_ using hardware virtualization support (thus
we use system = "i686-linux", because x86_64 has no emulation support),
because we're already within a qemu VM, which means it's going to be
slow as hell (that's why I've written own subs just for testing
startup/shutdown/whatnot with respective timeouts).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!
Fixes#5283.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I had to make several adjustments to make it work with nixos:
* Replace relative config file lookups with ENV variable.
* Modify gitlab-shell to not clear then environment when running
pre-receive.
* Modify gitlab-shell to write some environment variables into
the .authorized_keys file to make sure gitlab-shell reads the
correct config file.
* Log unicorn output to syslog.
I tried various ways of adding a syslog package but the bundler would
not pick them up. Please fix in a better way if possible.
* Gitlab-runner program wrapper.
This is useful to run e.g. backups etc. with the correct
environment set up.
Since we're using HTTPS for the binary cache (introduced in faf0797) by
default, the binary cache should also be available during installation.
The file that is defined in SSL_CERT_FILE outside of the chroot is
copied over to /tmp/ca-cert.crt inside the chroot, so we have an
absolute path we can reference during nixos-install. However, this might
end up with the file not being cleaned up properly from outside of the
store, but neither would be /tmp/root so the cleanup issue needs to be
solved in another place (or commit to be more exact).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Eelco Dolstra
lethalman
Anders Papitto
William A. Kennington III
obadz
Nikita Mikhailov
Unai Zalakain
Jesse Haber-Kucharsky
Vladimír Čunát
Nikolay Amiantov
Arseniy Seroka
aszlig
Luca Bruno
Joachim Fasting
Tobias Geerinckx-Rice
AndersonTorres
Jaka Hudoklin
Lane Seppala
Rob Vermaas
koral
Sander van der Burg
Thomas Strobel
Lluís Batlle i Rossell
Eduard Bachmakov
Emery Hemingway
Bjørn Forsman
Thomas Tuegel
Peter Simons
Shea Levy
tv
rushmorem
Sou Bunnbu
Sergey Mironov
Mathijs Kwik
James Cook
Evgeny Egorochkin
Wout Mertens
Brian McKenna
Harald van Dijk
Domen Kožar
Michael Alan Dorman
Herwig Hochleitner
devhell
Matej Cotman
Edward Tjörnhammar
Lukas Lihotzki
Bob van der Linden
Ragnar Dahlén
Longrin Wischnewski
Charles Strahan
j-keck
Ricardo M. Correia
Andrey Arapov
Nicolas B. Pierron
Damien Cassou
Eric Seidel
Ryan Mulligan
Matthias Beyer
mokasin
Spencer Whitt
Jan Malakhovski
j-keck
Russell O'Connor
Khalid Jebbari
Kirill Elagin
Sebastián Bernardo Galkin
Alexander Kjeldaas
Luke Clifton
Igor Pashev
Benno Fünfstück
Benjamin Staffin
Sven Keidel
Pavan Rikhi
Thomas Hunger
ambrop7@gmail.com