Commit Graph

4896 Commits

Author SHA1 Message Date
Ricardo Ardissone
6067eddf83 minetest-server module: fix executable path 2016-05-15 18:46:45 -03:00
Joachim Fasting
3ad0276e7e Merge pull request #15435 from mayflower/nzbget_no_config
nzbget: 16.4 -> 17.0-r1686 and nzbget service
2016-05-15 14:05:31 +02:00
Joachim Fasting
fbdb82cc17 Merge pull request #15473 from romildo/fix.xfce4-screenshooter
xfce4: rename application xfce4screenshooter to xfce4-screenshooter
2016-05-15 12:17:32 +02:00
José Romildo Malaquias
44d347aba5 xfce4: rename application xfce4screenshooter to xfce4-screenshooter 2016-05-15 06:56:46 -03:00
Joachim Fasting
b740e046ab
dnscrypt-proxy service: robust lib references in apparmor profile
Use getLib to avoid future problems caused by re-ordering outputs.
2016-05-15 11:55:17 +02:00
Rok Garbas
03b115f8e0 nixos/i3lock-color: added to pam 2016-05-15 07:47:31 +02:00
Tuomas Tynkkynen
0561e14c3b bind: Split into multiple outputs
A patch is needed to make bind not print its configure flags on
'named -V'.
2016-05-14 22:12:59 +03:00
Joachim Fasting
4e9833d9e8 Merge pull request #15384 from Shados/fix-preshell-terminfo
nixos: ensure TERMINFO is set before user shells are run
2016-05-14 06:21:25 +02:00
Nikolay Amiantov
cd5dd9f82e udev service: fix packages' paths 2016-05-14 05:12:52 +03:00
Nikolay Amiantov
5c39f28a9f Merge pull request #15024 from abbradar/xfce-no-desktop
xfce service: add noDesktop option
2016-05-14 04:55:27 +03:00
Tristan Helmich
36f8b3cad1 nzbget: 16.4 -> 17.0-r1686 and nzbget service 2016-05-13 18:56:39 +02:00
Franz Pletz
939c80c26f jenkins module: Check for 200 & 403 response codes
The new jenkins version shows a setup wizard on first startup that will
throw a 403 HTTP response code instead of 200.
2016-05-13 17:45:39 +02:00
Vladimír Čunát
3e387c3e00 Merge branch 'staging'
Darwin isn't in a perfect state, in particular its bootstrap tools won't
build which will block nixpkgs channel. But on the whole it seems
acceptable.
2016-05-13 10:14:53 +02:00
Franz Pletz
df8958435e grafana: 2.6.0 -> 3.0.1 (#15395)
* grafana: 2.6.0 -> 3.0.1

* grafana module: Fix anonymous auth & add analytics config
2016-05-13 02:28:24 +02:00
Данило Глинський (Danylo Hlynskyi)
bc2fe9f2cd typo in authorizedKeysFiles 2016-05-12 18:01:17 +03:00
Joachim Fasting
639dcffa0b Merge pull request #15403 from Shados/maintain-teamspeak-server
teamspeak-server package & module maintenance
2016-05-12 13:01:38 +02:00
Alexei Robyn
11b0972544 teamspeak-server module: Create data directory by
leveraging users.users.<user>.createHome instead of a preStart script.
preStart script is still required to ensure proper creation of logging
directory.
2016-05-12 20:49:17 +10:00
Domen Kožar
25e3c091a0 Revert "nixos/nat: Allow nat without an externalInterface"
This reverts commit 431a98b12b.

Breaks nixos tests: http://hydra.nixos.org/build/35538207
2016-05-12 11:04:06 +01:00
Joachim Fasting
1aff127b56 Merge pull request #10988 from Shados/improve-rsnapshot-service
rsnapshot service: Avoid package rebuild, create+use /etc/rsnapshot.conf
2016-05-12 05:24:01 +02:00
Vladimír Čunát
6c2fbfbd77 Merge branch 'master' into staging 2016-05-12 04:53:38 +02:00
Franz Pletz
431a98b12b nixos/nat: Allow nat without an externalInterface 2016-05-12 01:52:13 +02:00
Alexei Robyn
1e2ec5817c rsnapshot module: Enable manual rsnapshot usage with module config. 2016-05-12 09:27:59 +10:00
Alexei Robyn
c90d5eb298 rsnapshot module: Avoid package rebuild, pass config file explicitly. 2016-05-12 09:27:52 +10:00
Nikolay Amiantov
700e2952be Merge pull request #15012 from abbradar/unixodbc
UnixODBC updates
2016-05-11 17:42:33 +03:00
Joachim Fasting
a0e8d542c7 Merge pull request #15377 from womfoo/sniproxy
sniproxy: init at 0.4.0 with dependency udns: init at 0.4
2016-05-11 15:14:33 +02:00
Shea Levy
67d430096f Add kerberos mappings for MIT exchange server 2016-05-11 09:09:24 -04:00
Alexei Robyn
ce7a544b92 nixos: ensure TERMINFO is set before user shells are run 2016-05-11 22:16:38 +10:00
Domen Kožar
ccbcf1b6c2 nixos: require pkgs.which
This properly implements revert in
0729f60697.

We used to have which='type -P' alias, but really it's best to just
rely on which package, only 88K in size.

cc @edolstra
2016-05-11 10:37:46 +01:00
Kranium Gikos Mendoza
356f1bdac8 sniproxy service: init 2016-05-11 13:27:28 +08:00
Joachim Fasting
d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Joachim Fasting
e38e3dcdb6
dnscrypt-proxy service: allow user to specify their own resolver list 2016-05-10 07:08:37 +02:00
Joachim Fasting
bd448b7139
dnscrypt-proxy service: use up-to-date dnscrypt-resolvers list
The list of public proxies is updated now and again and it's probably a
good idea to always work from the most recent list, rather than the one
that is shipped with the release.  This can be crucial in case of
resolvers that are revealed to have gone rogue or otherwise have been
compromised.
2016-05-10 07:07:58 +02:00
rnhmjoj
e8fff51947
unclutter: prevent service restarting too soon 2016-05-09 23:28:30 +02:00
Vladimír Čunát
65a9fa8cdc Merge branch 'master' into staging 2016-05-08 21:24:48 +02:00
Joachim Fasting
87a28c9385
transmission service: fix libcap lib output reference
After 7382afac40
2016-05-07 21:48:54 +02:00
Joachim Fasting
c5d1bff2b6
apparmor-suid module: fix libcap lib output reference
After 7382afac40
2016-05-07 21:48:29 +02:00
obadz
364a4373cf ec2/create-amis.sh: specify the approriate size on snapshots
Should help with #15148
2016-05-07 19:44:39 +01:00
Joachim Fasting
1d2fcde841
dnscrypt-proxy service: fix libcap output reference
After 7382afac40 shared objects are in
`libcap.lib`
2016-05-07 20:18:27 +02:00
Joachim Fasting
5b90702cd6 Merge pull request #15243 from sindikat/patch-1
update docs for services.dictd.* config options
2016-05-07 16:44:41 +02:00
Nikolay Amiantov
17e4803de7 initrd-ssh service: fix build 2016-05-07 15:38:46 +03:00
Nikolay Amiantov
f7c02f8670 ejabberd service: add image thumbnailing support 2016-05-07 14:31:16 +03:00
Nikolay Amiantov
c99b050af0 Merge commit 'refs/pull/14568/head' of git://github.com/NixOS/nixpkgs into staging 2016-05-07 03:44:06 +03:00
aszlig
64ca91cac9
nixos/tests/boot-stage1: Add myself to maintainers
As @edolstra pointed out that the kernel module might be painful to
maintain. I strongly disagree because it's only a small module and it's
good to have such a canary in the tests no matter how the bootup process
looks like, so I'm going the masochistic route and try to maintain it.

If it *really* becomes too much maintenance burden, we can still drop or
disable kcanary.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-06 21:32:21 +02:00
aszlig
eb6e366446
nixos/release-combined: Add boot-stage1 test
We don't want to push out a channel update whenever this test fails,
because that might have unexpected and confused side effects and it
*really* means that stage 1 of our boot up is broken.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-06 16:56:54 +02:00
aszlig
4f796c28d5
nixos/tests: Add a test for boot stage 1
We already have a small regression test for #15226 within the swraid
installer test. Unfortunately, we only check there whether the md
kthread got signalled but not whether other rampaging processes are
still alive that *should* have been killed.

So in order to do this we provide multiple canary processes which are
checked after the system has booted up:

 * canary1: It's a simple forking daemon which just sleeps until it's
            going to be killed. Of course we expect this process to not
            be alive anymore after boot up.
 * canary2: Similar to canary1, but tries to mimick a kthread to make
            sure that it's going to be properly killed at the end of
            stage 1.
 * canary3: Like canary2, but this time using a @ in front of its
            command name to actually prevent it from being killed.
 * kcanary: This one is a real kthread and it runs until killed, which
            shouldn't be the case.

Tested with and without 67223ee and everything works as expected, at
least on my machine.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-06 16:56:43 +02:00
aszlig
dc6d003011
nixos/tests/installer/swraid: Check for safemode
This is a regression test for #15226, so that the test will fail once we
accidentally kill one or more of the md kthreads (aka: if safe mode is
enabled).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-06 16:51:38 +02:00
aszlig
67223ee205
nixos/stage-1: Don't kill kernel threads
Unfortunately, pkill doesn't distinguish between kernel and user space
processes, so we need to make sure we don't accidentally kill kernel
threads.

Normally, a kernel thread ignores all signals, but there are a few that
do. A quick grep on the kernel source tree (as of kernel 4.6.0) shows
the following source files which use allow_signal():

  drivers/isdn/mISDN/l1oip_core.c
  drivers/md/md.c
  drivers/misc/mic/cosm/cosm_scif_server.c
  drivers/misc/mic/cosm_client/cosm_scif_client.c
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
  drivers/staging/rtl8188eu/core/rtw_cmd.c
  drivers/staging/rtl8712/rtl8712_cmd.c
  drivers/target/iscsi/iscsi_target.c
  drivers/target/iscsi/iscsi_target_login.c
  drivers/target/iscsi/iscsi_target_nego.c
  drivers/usb/atm/usbatm.c
  drivers/usb/gadget/function/f_mass_storage.c
  fs/jffs2/background.c
  fs/lockd/clntlock.c
  fs/lockd/svc.c
  fs/nfs/nfs4state.c
  fs/nfsd/nfssvc.c

While not all of these are necessarily kthreads and some functionality
may still be unimpeded, it's still quite harmful and can cause
unexpected side-effects, especially because some of these kthreads are
storage-related (which we obviously don't want to kill during bootup).

During discussion at #15226, @dezgeg suggested the following
implementation:

for pid in $(pgrep -v -f '@'); do
    if [ "$(cat /proc/$pid/cmdline)" != "" ]; then
        kill -9 "$pid"
    fi
done

This has a few downsides:

 * User space processes which use an empty string in their command line
   won't be killed.
 * It results in errors during bootup because some shell-related
   processes are already terminated (maybe it's pgrep itself, haven't
   checked).
 * The @ is searched within the full command line, not just at the
   beginning of the string. Of course, we already had this until now, so
   it's not a problem of his implementation.

I posted an alternative implementation which doesn't suffer from the
first point, but even that one wasn't sufficient:

for pid in $(pgrep -v -f '^@'); do
    readlink "/proc/$pid/exe" &> /dev/null || continue
    echo "$pid"
done | xargs kill -9

This one spawns a subshell, which would be included in the processes to
kill and actually kills itself during the process.

So what we have now is even checking whether the shell process itself is
in the list to kill and avoids killing it just to be sure.

Also, we don't spawn a subshell anymore and use /proc/$pid/exe to
distinguish between user space and kernel processes like in the comments
of the following StackOverflow answer:

http://stackoverflow.com/a/12231039

We don't need to take care of terminating processes, because what we
actually want IS to terminate the processes.

The only point where this (and any previous) approach falls short if we
have processes that act like fork bombs, because they might spawn
additional processes between the pgrep and the killing. We can only
address this with process/control groups and this still won't save us
because the root user can escape from that as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #15226
2016-05-06 16:24:42 +02:00
Lluís Batlle i Rossell
9f6afb7d78 Fixing nfsd service, wait on local-fs.
Otherwise, mountd was started exporting directories before local-fs was ready,
and it failed to start nfsd on missing fs.
2016-05-06 15:03:30 +02:00
Vladimír Čunát
25960a52c3 tested job: fix evaluation of chromium tests
It's a bit inconsistent now, but I want mainly unblock the channel.
/cc maintainer @aszlig.
2016-05-06 10:56:17 +02:00
Peter Simons
d270604117 nixos: remove redundant services.dovecot2.package option
Instead of using this option, please modify the dovecot package by means of an
override. For example:

  nixpkgs.config.packageOverrides = super: {
    dovecot = super.dovecot.override { withPgSQL = true; };
  };

Closes https://github.com/NixOS/nixpkgs/issues/14097.
2016-05-06 10:10:06 +02:00