Merge remote-tracking branch 'upstream/master' into HEAD

NixOS · Apr 23, 2017 · 4fc9b18 · 4fc9b18
2 parents 004ecac + f45f2fb
commit 4fc9b18
Show file tree

Hide file tree

Showing 150 changed files with 8,826 additions and 4,006 deletions.
diff --git a/doc/cross-compilation.xml b/doc/cross-compilation.xml
@@ -37,16 +37,9 @@
     </para>
     <para>
       In Nixpkgs, these three platforms are defined as attribute sets under the names <literal>buildPlatform</literal>, <literal>hostPlatform</literal>, and <literal>targetPlatform</literal>.
-      All are guaranteed to contain at least a <varname>platform</varname> field, which contains detailed information on the platform.
       All three are always defined at the top level, so one can get at them just like a dependency in a function that is imported with <literal>callPackage</literal>:
       <programlisting>{ stdenv, buildPlatform, hostPlatform, fooDep, barDep, .. }: ...</programlisting>
     </para>
-    <warning><para>
-      These platforms should all have the same structure in all scenarios, but that is currently not the case.
-      When not cross-compiling, they will each contain a <literal>system</literal> field with a short 2-part, hyphen-separated summering string name for the platform.
-      But, when when cross compiling, <literal>hostPlatform</literal> and <literal>targetPlatform</literal> may instead contain <literal>config</literal> with a fuller 3- or 4-part string in the manner of LLVM.
-      We should have all 3 platforms always contain both, and maybe give <literal>config</literal> a better name while we are at it.
-    </para></warning>
     <variablelist>
       <varlistentry>
         <term><varname>buildPlatform</varname></term>
@@ -83,14 +76,64 @@
             Nixpkgs tries to avoid this where possible too, but still, because the concept of a target platform is so ingrained now in Autoconf and other tools, it is best to support it as is.
             Tools like LLVM that don't need up-front target platforms can safely ignore it like normal packages, and it will do no harm.
           </para>
-          </listitem>
+        </listitem>
       </varlistentry>
     </variablelist>
     <note><para>
       If you dig around nixpkgs, you may notice there is also <varname>stdenv.cross</varname>.
       This field defined as <varname>hostPlatform</varname> when the host and build platforms differ, but otherwise not defined at all.
       This field is obsolete and will soon disappear—please do not use it.
     </para></note>
+    <para>
+      The exact scheme these fields is a bit ill-defined due to a long and convoluted evolution, but this is slowly being cleaned up.
+      For now, here are few fields can count on them containing:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term><varname>system</varname></term>
+        <listitem>
+          <para>
+            This is a two-component shorthand for the platform.
+            Examples of this would be "x86_64-darwin" and "i686-linux"; see <literal>lib.systems.doubles</literal> for more.
+            This format isn't very standard, but has built-in support in Nix, such as the <varname>builtins.currentSystem</varname> impure string.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><varname>config</varname></term>
+        <listitem>
+          <para>
+            This is a 3- or 4- component shorthand for the platform.
+            Examples of this would be "x86_64-unknown-linux-gnu" and "aarch64-apple-darwin14".
+            This is a standard format called the "LLVM target triple", as they are pioneered by LLVM and traditionally just used for the <varname>targetPlatform</varname>.
+            This format is strictly more informative than the "Nix host double", as the previous format could analogously be termed.
+            This needs a better name than <varname>config</varname>!
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><varname>parsed</varname></term>
+        <listitem>
+          <para>
+            This is a nix representation of a parsed LLVM target triple with white-listed components.
+            This can be specified directly, or actually parsed from the <varname>config</varname>.
+            [Technically, only one need be specified and the others can be inferred, though the precision of inference may not be very good.]
+            See <literal>lib.systems.parse</literal> for the exact representation, along with some <literal>is*</literal>predicates.
+            These predicates are superior to the ones in <varname>stdenv</varname> as they aren't tied to the build platform (host, as previously discussed, would be a saner default).
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><varname>platform</varname></term>
+        <listitem>
+          <para>
+            This is, quite frankly, a dumping ground of ad-hoc settings (it's an attribute set).
+            See <literal>lib.systems.platforms</literal> for examples—there's hopefully one in there that will work verbatim for each platform one is working.
+            Please help us triage these flags and give them better homes!
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
   </section>
 
   <section>

diff --git a/lib/attrsets.nix b/lib/attrsets.nix
@@ -116,7 +116,7 @@ rec {
     listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
 
 
-  /* Filter an attribute set recursivelly by removing all attributes for
+  /* Filter an attribute set recursively by removing all attributes for
      which the given predicate return false.
 
      Example:
@@ -334,7 +334,7 @@ rec {
       value = f name (catAttrs name sets);
     }) names);
 
-  /* Implentation note: Common names  appear multiple times in the list of
+  /* Implementation note: Common names  appear multiple times in the list of
      names, hopefully this does not affect the system because the maximal
      laziness avoid computing twice the same expression and listToAttrs does
      not care about duplicated attribute names.
@@ -353,7 +353,7 @@ rec {
   zipAttrs = zipAttrsWith (name: values: values);
 
   /* Does the same as the update operator '//' except that attributes are
-     merged until the given pedicate is verified.  The predicate should
+     merged until the given predicate is verified.  The predicate should
      accept 3 arguments which are the path to reach the attribute, a part of
      the first attribute set and a part of the second attribute set.  When
      the predicate is verified, the value of the first attribute set is

diff --git a/lib/composable-derivation.nix b/lib/composable-derivation.nix
@@ -39,7 +39,7 @@ let inherit (lib) nv nvs; in
   #
   # issues:
   # * its complicated to understand
-  # * some "features" such as exact merge behaviour are burried in mergeAttrBy
+  # * some "features" such as exact merge behaviour are buried in mergeAttrBy
   #   and defaultOverridableDelayableArgs assuming the default behaviour does
   #   the right thing in the common case
   # * Eelco once said using such fix style functions are slow to evaluate
@@ -48,7 +48,7 @@ let inherit (lib) nv nvs; in
   #   / add patches the way you want without having to declare function arguments
   #
   # nice features:
-  # declaring "optional featuers" is modular. For instance:
+  # declaring "optional features" is modular. For instance:
   #   flags.curl = {
   #     configureFlags = ["--with-curl=${curl.dev}" "--with-curlwrappers"];
   #     buildInputs = [curl openssl];

diff --git a/lib/customisation.nix b/lib/customisation.nix
@@ -10,7 +10,7 @@ rec {
 
   /* `overrideDerivation drv f' takes a derivation (i.e., the result
      of a call to the builtin function `derivation') and returns a new
-     derivation in which the attributes of the original are overriden
+     derivation in which the attributes of the original are overridden
      according to the function `f'.  The function `f' is called with
      the original derivation attributes.
 

diff --git a/lib/deprecated.nix b/lib/deprecated.nix
@@ -253,11 +253,11 @@ rec {
   # eg { a = 7; } {  a = [ 2 3 ]; } becomes { a = [ 7 2 3 ]; }
   mergeAttrsConcatenateValues = mergeAttrsWithFunc ( a: b: (toList a) ++ (toList b) );
 
-  # merges attributes using //, if a name exisits in both attributes
+  # merges attributes using //, if a name exists in both attributes
   # an error will be triggered unless its listed in mergeLists
   # so you can mergeAttrsNoOverride { buildInputs = [a]; } { buildInputs = [a]; } {} to get
   # { buildInputs = [a b]; }
-  # merging buildPhase does'nt really make sense. The cases will be rare where appending /prefixing will fit your needs?
+  # merging buildPhase doesn't really make sense. The cases will be rare where appending /prefixing will fit your needs?
   # in these cases the first buildPhase will override the second one
   # ! deprecated, use mergeAttrByFunc instead
   mergeAttrsNoOverride = { mergeLists ? ["buildInputs" "propagatedBuildInputs"],

diff --git a/lib/fetchers.nix b/lib/fetchers.nix
@@ -1,4 +1,4 @@
-# snippets that can be shared by mutliple fetchers (pkgs/build-support)
+# snippets that can be shared by multiple fetchers (pkgs/build-support)
 {
 
   proxyImpureEnvVars = [

diff --git a/lib/lists.nix b/lib/lists.nix
@@ -191,7 +191,7 @@ rec {
   */
   optional = cond: elem: if cond then [elem] else [];
 
-  /* Return a list or an empty list, dependening on a boolean value.
+  /* Return a list or an empty list, depending on a boolean value.
 
      Example:
        optionals true [ 2 3 ]

diff --git a/lib/maintainers.nix b/lib/maintainers.nix
@@ -452,7 +452,7 @@
   romildo = "José Romildo Malaquias <malaquias@gmail.com>";
   rongcuid = "Rongcui Dong <rongcuid@outlook.com>";
   ronny = "Ronny Pfannschmidt <nixos@ronnypfannschmidt.de>";
-  rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
+  rszibele = "Richard Szibele <richard@szibele.com>";
   rtreffer = "Rene Treffer <treffer+nixos@measite.de>";
   rushmorem = "Rushmore Mushambi <rushmore@webenchanter.com>";
   rvl = "Rodney Lorrimar <dev+nix@rodney.id.au>";

diff --git a/lib/modules.nix b/lib/modules.nix
@@ -423,7 +423,7 @@ rec {
     in concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
 
   /* Sort a list of properties.  The sort priority of a property is
-     1000 by default, but can be overriden by wrapping the property
+     1000 by default, but can be overridden by wrapping the property
      using mkOrder. */
   sortProperties = defs:
     let

diff --git a/lib/strings.nix b/lib/strings.nix
@@ -126,8 +126,8 @@ rec {
   */
   makePerlPath = makeSearchPathOutput "lib" "lib/perl5/site_perl";
 
-  /* Dependening on the boolean `cond', return either the given string
-     or the empty string. Useful to contatenate against a bigger string.
+  /* Depending on the boolean `cond', return either the given string
+     or the empty string. Useful to concatenate against a bigger string.
 
      Example:
        optionalString true "some-string"

diff --git a/lib/tests.nix b/lib/tests.nix
@@ -231,7 +231,7 @@ runTests {
     };
     in {
       expr = generators.toJSON {} val;
-      # trival implementation
+      # trivial implementation
       expected = builtins.toJSON val;
   };
 
@@ -243,7 +243,7 @@ runTests {
     };
     in {
       expr = generators.toYAML {} val;
-      # trival implementation
+      # trivial implementation
       expected = builtins.toJSON val;
   };
 

diff --git a/lib/types.nix b/lib/types.nix
@@ -52,7 +52,7 @@ rec {
     { # Human-readable representation of the type, should be equivalent to
       # the type function name.
       name
-    , # Description of the type, defined recursively by embedding the the wrapped type if any.
+    , # Description of the type, defined recursively by embedding the wrapped type if any.
       description ? null
     , # Function applied to each definition that should return true if
       # its type-correct, false otherwise.

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -420,6 +420,7 @@
   ./services/networking/i2p.nix
   ./services/networking/iodine.nix
   ./services/networking/ircd-hybrid/default.nix
+  ./services/networking/keepalived/default.nix
   ./services/networking/kippo.nix
   ./services/networking/kresd.nix
   ./services/networking/lambdabot.nix

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
@@ -0,0 +1,35 @@
+# A profile with most (vanilla) hardening options enabled by default,
+# potentially at the cost of features and performance.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  security.hideProcessInformation = mkDefault true;
+
+  security.apparmor.enable = mkDefault true;
+
+  # Restrict ptrace() usage to processes with a pre-defined relationship
+  # (e.g., parent/child)
+  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
+
+  # Prevent replacing the running kernel image w/o reboot
+  boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
+
+  # Restrict access to kernel ring buffer (information leaks)
+  boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
+
+  # Hide kptrs even for processes with CAP_SYSLOG
+  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
+
+  # Unprivileged access to bpf() has been used for privilege escalation in
+  # the past
+  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
+
+  # Disable bpf() JIT (to eliminate spray attacks)
+  boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
+
+  # ... or at least apply some hardening to it
+  boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
+}
diff --git a/nixos/modules/programs/command-not-found/command-not-found.nix b/nixos/modules/programs/command-not-found/command-not-found.nix
@@ -8,64 +8,81 @@
 with lib;
 
 let
-
+  cfg = config.programs.command-not-found;
   commandNotFound = pkgs.substituteAll {
     name = "command-not-found";
     dir = "bin";
     src = ./command-not-found.pl;
     isExecutable = true;
     inherit (pkgs) perl;
+    inherit (cfg) dbPath;
     perlFlags = concatStrings (map (path: "-I ${path}/lib/perl5/site_perl ")
       [ pkgs.perlPackages.DBI pkgs.perlPackages.DBDSQLite pkgs.perlPackages.StringShellQuote ]);
   };
 
 in
 
 {
+  options.programs.command-not-found = {
+
+    enable = mkEnableOption "command-not-found hook for interactive shell";
+
+    dbPath = mkOption {
+      default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ;
+      description = ''
+        Absolute path to programs.sqlite.
+
+        By default this file will be provided by your channel
+        (nixexprs.tar.xz).
+      '';
+      type = types.path;
+    };
+  };
 
-  programs.bash.interactiveShellInit =
-    ''
-      # This function is called whenever a command is not found.
-      command_not_found_handle() {
-        local p=/run/current-system/sw/bin/command-not-found
-        if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then
-          # Run the helper program.
-          $p "$@"
-          # Retry the command if we just installed it.
-          if [ $? = 126 ]; then
-            "$@"
+  config = mkIf cfg.enable {
+    programs.bash.interactiveShellInit =
+      ''
+        # This function is called whenever a command is not found.
+        command_not_found_handle() {
+          local p=${commandNotFound}
+          if [ -x $p -a -f ${cfg.dbPath} ]; then
+            # Run the helper program.
+            $p "$@"
+            # Retry the command if we just installed it.
+            if [ $? = 126 ]; then
+              "$@"
+            else
+              return 127
+            fi
           else
+            echo "$1: command not found" >&2
             return 127
           fi
-        else
-          echo "$1: command not found" >&2
-          return 127
-        fi
-      }
-    '';
+        }
+      '';
 
-  programs.zsh.interactiveShellInit =
-    ''
-      # This function is called whenever a command is not found.
-      command_not_found_handler() {
-        local p=/run/current-system/sw/bin/command-not-found
-        if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then
-          # Run the helper program.
-          $p "$@"
+    programs.zsh.interactiveShellInit =
+      ''
+        # This function is called whenever a command is not found.
+        command_not_found_handler() {
+          local p=${commandNotFound}
+          if [ -x $p -a -f ${cfg.dbPath} ]; then
+            # Run the helper program.
+            $p "$@"
 
-          # Retry the command if we just installed it.
-          if [ $? = 126 ]; then
-            "$@"
+            # Retry the command if we just installed it.
+            if [ $? = 126 ]; then
+              "$@"
+            fi
+          else
+            # Indicate than there was an error so ZSH falls back to its default handler
+            echo "$1: command not found" >&2
+            return 127
           fi
-        else
-          # Indicate than there was an error so ZSH falls back to its default handler
-          return 127
-        fi
-      }
-    '';
+        }
+      '';
 
-  environment.systemPackages = [ commandNotFound ];
-
-  # TODO: tab completion for uninstalled commands! :-)
+    environment.systemPackages = [ commandNotFound ];
+  };
 
 }
diff --git a/nixos/modules/programs/command-not-found/command-not-found.pl b/nixos/modules/programs/command-not-found/command-not-found.pl
@@ -8,7 +8,7 @@
 
 my $program = $ARGV[0];
 
-my $dbPath = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite";
+my $dbPath = "@dbPath@";
 
 my $dbh = DBI->connect("dbi:SQLite:dbname=$dbPath", "", "")
     or die "cannot open database `$dbPath'";