Commit Graph

2369 Commits

Author SHA1 Message Date
Vladimír Čunát
e9379f7416 Merge branch 'staging'
This includes a fix to closure-size regression that moved
share/doc/*/ to share/doc/
2016-04-22 16:49:09 +02:00
Evgeny Egorochkin
a05ba7375d quassel: use qt4 version of the daemon because as of now qt5 version fails to use proxies(connection refused) 2016-04-22 12:59:26 +03:00
Joachim Fasting
2e7b0bbd22
hoogle service: fixups
Basic hardening
- Run as nobody:nogroup with a private /tmp, /home & /run/user
- Create working directory under /run (hoogle insists on writing to cwd
  and otherwise returns "something went wrong" to every query)

Option tweaks
- Provide a default for the haskellPackage option
- Set text values for defaults
- Move hoogleEnv to the top-level & simplify it
2016-04-22 03:58:08 +02:00
William Casarin
9c0997a0ef
hoogle service: init 2016-04-22 03:58:07 +02:00
Thomas Tuegel
2780894b1b kde5.startkde: init at 5.5.5 2016-04-20 10:01:06 -05:00
Eelco Dolstra
b4bf432709 nghttp2: 1.8.0 -> 1.9.2, unify with libnghttp2, and use multiple outputs
Note: I ignored the C++ libraries, but it appears we're not currently
using them. Once we do, we'll probably want to put them in a separate
output as well (to prevent non-C++ users from depending on Boost).
2016-04-18 21:13:18 +02:00
Eelco Dolstra
21a2f2ba3b nix: Add a "dev" output
This gets rid of boehm-dev in the closure (as well as Nix's own
headers).
2016-04-18 21:13:18 +02:00
Joachim Fasting
9de93be6cd
cups service: use cups.out everywhere
Seeing as the dev output is the default, we probably want cups.out
everywhere.
2016-04-16 21:26:33 +02:00
Joachim Fasting
47330b1732
cups service: fix missing upstream systemd units caused by output splitting
Need to pass `cups.out` to `systemd.packages`, lest we end up with an invalid
generated unit containing only directives set in the service module.

This patch gives us a valid cups.service unit but, vexingly, does not fix the
test failure at NixOS/nixpkgs#14748
2016-04-16 09:47:17 +02:00
Joachim Fasting
83aae072f8
dnscrypt-proxy service: fix references to libcap & attr 2016-04-15 17:44:10 +02:00
joachifm
8b3c4348ab Merge pull request #14579 from elitak/factorio
factorio: 0.12.29 headless + server module
2016-04-15 16:14:14 +02:00
Domen Kožar
1834e72555 fix eval (explicit is better than implicit) 2016-04-15 10:39:11 +01:00
Eric Litak
13577e8785 factorio: headless server module 2016-04-14 23:03:36 -07:00
aszlig
1f46decba7
nixos/taskserver: Fix reference to certtool.
With the merge of the closure-size branch, most packages now have
multiple outputs. One of these packages is gnutls, so previously
everything that we needed was to reference "${gnutls}/bin/..." and now
we need to use "${gnutls.bin}/bin/...".

So it's not a very big issue to fix.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-15 00:28:57 +02:00
aszlig
9ed9e268a2
Merge pull request #14476 (taskserver)
This adds a Taskserver module along with documentation and a small
helper tool which eases managing a custom CA along with Taskserver
organisations, users and groups.

Taskserver is the server component of Taskwarrior, a TODO list
application for the command line.

The work has been started by @matthiasbeyer back in mid 2015 and I have
continued to work on it recently, so this merge contains commits from
both of us.

Thanks particularly to @nbp and @matthiasbeyer for reviewing and
suggesting improvements.

I've tested this with the new test (nixos/tests/taskserver.nix) this
branch adds and it fails because of the changes introduced by the
closure-size branch, so we need to do additional work on base of this.
2016-04-15 00:21:49 +02:00
aszlig
940120a711
nixos/taskserver/doc: Improve example org name
Suggested by @nbp:

"Choose a better organization name in this example, such that it is less
confusing. Maybe something like my-company"

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-14 21:16:14 +02:00
Nikolay Amiantov
cb0b0190cb syncthing service: fix mkEnableOption call 2016-04-14 17:44:02 +03:00
Nikolay Amiantov
c9f2753c7b syncthing service: fix invalid conflict resolution 2016-04-14 17:38:25 +03:00
Peter Hoeg
32bc5cfa24 syncthing service: support running from systemd --user instance 2016-04-14 21:22:31 +08:00
joachifm
ca2e555793 Merge pull request #14646 from peterhoeg/flexget
flexget nixos module: run the service and specify configuration
2016-04-14 14:16:04 +02:00
obadz
079e1c76cf Revert "dbus nixos module: add units for systemd user session"
This reverts commit 83cb6ec399.

Was breaking: nix-build '<nixos/release.nix>' -A tests.xfce.x86_64-linux
2016-04-14 12:38:36 +01:00
Tuomas Tynkkynen
b3df6530f7 treewide: Mass replace 'sqlite}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Tuomas Tynkkynen
897e0d1224 treewide: Mass replace 'openssl}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Tuomas Tynkkynen
4d90f2d73d treewide: Mass replace 'ffmpeg}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Tuomas Tynkkynen
b9eb944990 treewide: Mass replace 'dbus_daemon}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Nikolay Amiantov
8b7ebaffeb replace makeSearchPath tree-wise to take care of possible multiple outputs 2016-04-13 22:09:41 +03:00
zimbatm
04267ed630 Merge pull request #14647 from MostAwesomeDude/tahoe
Tahoe-LAFS improvements
2016-04-13 16:39:53 +01:00
Vladimír Čunát
39ebb01d6e Merge branch 'staging', containing closure-size #7701 2016-04-13 09:25:28 +02:00
Peter Hoeg
34afbea236 flexget nixos module: run the service and specify configuration
This module adds support for defining a flexget service.

Due to flexget insisting on being able to write all over where it finds
its configuration file, we use a ExecStartPre hook to copy the generated
configuration file into place under the user's home. It's fairly ugly
and I'm very open to suggestions
2016-04-13 12:08:02 +08:00
Corbin
d5c9a80ccd services/tahoe: Add tub.location for specifying external IPs.
Invaluable for wiring up clouds.
2016-04-12 18:44:25 -07:00
Eelco Dolstra
9153d8ed64 Fix X11 tests broken by the removal of -ac
Probably missed a few. Also adding xauth to the system path (it was
already in the closure).
2016-04-12 19:13:47 +02:00
Eelco Dolstra
1541fa351b X server: Enable local access control
For the last ten years we have been passing -ac to the X server, which
is very bad idea.

Fixes #14623.
2016-04-12 18:39:40 +02:00
aszlig
394e64e4fb
nixos/taskserver/helper: Fix docstring of add_user
We have already revamped the CLI subcommands in commit
e2383b84f8.

This was just an artifact that was left because of this.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 07:13:43 +02:00
aszlig
e06dd999f7
nixos/taskserver: Fix wrong option doc references
The options client.allow and client.deny are gone since the commit
8b793d1916, so let's fix that.

No feature changes, only fixes the descriptions of allowedClientIDs and
disallowedClientIDs.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 07:03:19 +02:00
aszlig
980f557c46
nixos/taskserver: Restart service on failure
This is the recommended way for long-running services and ensures that
Taskserver will keep running until it has been stopped manually.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:43:21 +02:00
aszlig
cf46256bbb
nixos/taskserver: Improve service dependencies
Using requiredBy is a bad idea for the initialisation units, because
whenever the Taskserver service is restarted the initialisation units
get restarted as well.

Also, make sure taskserver-init.service will be ordered *before*
taskserver.service.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:33:04 +02:00
aszlig
bb7a819735
nixos/taskserver: Set up service namespaces
The Taskserver doesn't need access to the full /dev nor does it need a
shared /tmp. In addition, the initialisation services don't need network
access, so let's constrain them to the loopback device.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:30:05 +02:00
aszlig
dd0d64afea
nixos/taskserver: Finish module documentation
Apart from the options manual, this should cover the basics for setting
up a Taskserver. I am not a native speaker so this can and (probably)
should be improved, especially the wording/grammar.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:19:59 +02:00
aszlig
e2383b84f8
nixos/taskserver/helper: Improve CLI subcommands
Try to match the subcommands to act more like the subcommands from the
taskd binary and also add a subcommand to list groups.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:38:37 +02:00
aszlig
ce0954020c
nixos/taskserver: Set allowedTCPPorts accordingly
As suggested by @matthiasbeyer:

"We might add a short note that this port has to be opened in the
firewall, or is this done by the service automatically?"

This commit now adds the listenPort to
networking.firewall.allowedTCPPorts as soon as the listenHost is not
"localhost".

In addition to that, this is now also documented in the listenHost
option declaration and I have removed disabling of the firewall from the
VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:16:15 +02:00
aszlig
5be76d0b55
nixos/taskserver: Reorder into one mkMerge
No changes in functionality but rather just restructuring the module
definitions to be one mkMerge, which now uses mkIf from the top-level
scope of the CA initialization service so we can better abstract
additional options we might need there.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:07:52 +02:00
aszlig
5062bf1b84
nixos/taskserver/helper: Assert CA existence
We want to make sure that the helper tool won't work if the automatic CA
wasn't properly set up. This not only avoids race conditions if the tool
is started before the actual service is running but it also fails if
something during CA setup has failed so the user can investigate what
went wrong.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:57:03 +02:00
aszlig
2ced6fcc75
nixos/taskserver: Setup CA before main service
We need to explicitly make sure the CA is created before we actually
launch the main Taskserver service in order to avoid race conditions
where the preStart phase of the main service could possibly corrupt
certificates if it would be started in parallel.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:53:53 +02:00
aszlig
9279ec732b
nixos/taskserver: Introduce an extraConfig option
This is simply to add configuration lines to the generated configuration
file. The reason why I didn't went for an attribute set is that the
taskdrc file format doesn't map very well on Nix attributes, for example
the following can be set in taskdrc:

server = somestring
server.key = anotherstring

In order to use a Nix attribute set for that, it would be way too
complicated, for example if we want to represent the mentioned example
we'd have to do something like this:

{ server._top = somestring;
  server.key = anotherstring;
}

Of course, this would work as well but nothing is more simple than just
appending raw strings.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:21:55 +02:00
aszlig
9f1e536948
nixos/taskserver: Allow to specify expiration/bits
At least this should allow for some customisation of how the
certificates and keys are created. We now have two sub-namespaces within
PKI so it should be more clear which options you have to set if you want
to either manage your own CA or let the module create it automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:14:33 +02:00
aszlig
a41b109bc1
nixos/taskserver: Don't change imperative users
Whenever the nixos-taskserver tool was invoked manually for creating an
organisation/group/user we now add an empty file called .imperative to
the data directory.

During the preStart of the Taskserver service, we use process-json which
in turn now checks whether those .imperative files exist and if so, it
doesn't do anything with it.

This should now ensure that whenever there is a manually created user,
it doesn't get killed off by the declarative configuration in case it
shouldn't exist within that configuration.

In addition, we also add a small subtest to check whether this is
happening or not and fail if the imperatively created user got deleted
by process-json.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 03:42:13 +02:00
aszlig
9586795ef2
nixos/taskserver: Silence certtool everywhere
We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 02:16:35 +02:00
aszlig
7889fcfa41
nixos/taskserver/helper: Implement deletion
Now we finally can delete organisations, groups and users along with
certificate revocation. The new subtests now make sure that the client
certificate is also revoked (both when removing the whole organisation
and just a single user).

If we use the imperative way to add and delete users, we have to restart
the Taskserver in order for the CRL to be effective.

However, by using the declarative configuration we now get this for
free, because removing a user will also restart the service and thus its
client certificate will end up in the CRL.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:41:41 +02:00
aszlig
3008836fee
nixos/taskserver: Add a command to reload service
Unfortunately we don't have a better way to check whether the reload has
been done successfully, but at least we now *can* reload it without
figuring out the exact signal to send to the process.

Note that on reload, Taskserver will not reload the CRL file. For that
to work, a full restart needs to be done.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:04:34 +02:00
aszlig
b6643102d6
nixos/taskserver: Generate a cert revocation list
If we want to revoke client certificates and want the server to actually
notice the revocation, we need to have a valid certificate revocation
list.

Right now the expiration_days is set to 10 years, but that's merely to
actually get certtool to actually generate the CRL without trying to
prompt for user input.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 23:07:58 +02:00