Merge branch 'master' into staging

NixOS · Apr 30, 2017 · 9860e77 · 9860e77
2 parents b8463e9 + eb4792a
commit 9860e77
Show file tree

Hide file tree

Showing 270 changed files with 11,633 additions and 8,072 deletions.
diff --git a/lib/maintainers.nix b/lib/maintainers.nix
@@ -215,6 +215,7 @@
   heel = "Sergii Paryzhskyi <parizhskiy@gmail.com>";
   henrytill = "Henry Till <henrytill@gmail.com>";
   hinton = "Tom Hinton <t@larkery.com>";
+  hodapp = "Chris Hodapp <hodapp87@gmail.com>";
   hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
   iand675 = "Ian Duncan <ian@iankduncan.com>";
   ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
@@ -388,6 +389,7 @@
   paholg = "Paho Lurie-Gregg <paho@paholg.com>";
   pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
   palo = "Ingolf Wanger <palipalo9@googlemail.com>";
+  panaeon = "Vitalii Voloshyn <vitalii.voloshyn@gmail.com";
   paperdigits = "Mica Semrick <mica@silentumbrella.com>";
   pashev = "Igor Pashev <pashev.igor@gmail.com>";
   patternspandemic = "Brad Christensen <patternspandemic@live.com>";

diff --git a/lib/systems/doubles.nix b/lib/systems/doubles.nix
@@ -30,7 +30,7 @@ in rec {
   mips = filterDoubles (matchAttrs { cpu = { family = "mips"; }; });
   x86_64 = filterDoubles parse.isx86_64;
 
-  cygwin = filterDoubles (matchAttrs { kernel = parse.kernels.cygwin; });
+  cygwin = filterDoubles parse.isCygwin;
   darwin = filterDoubles parse.isDarwin;
   freebsd = filterDoubles (matchAttrs { kernel = parse.kernels.freebsd; });
   gnu = filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnu; }); # Should be better

diff --git a/lib/systems/parse.nix b/lib/systems/parse.nix
@@ -1,5 +1,9 @@
-# Define the list of system with their properties.  Only systems tested for
-# Nixpkgs are listed below
+# Define the list of system with their properties.
+#
+# See https://clang.llvm.org/docs/CrossCompilation.html and
+# http://llvm.org/docs/doxygen/html/Triple_8cpp_source.html especially
+# Triple::normalize. Parsing should essentially act as a more conservative
+# version of that last function.
 
 with import ../lists.nix;
 with import ../types.nix;
@@ -9,7 +13,7 @@ let
   lib = import ../default.nix;
   setTypesAssert = type: pred:
     mapAttrs (name: value:
-      #assert pred value;
+      assert pred value;
       setType type ({ inherit name; } // value));
   setTypes = type: setTypesAssert type (_: true);
 
@@ -23,7 +27,6 @@ rec {
     littleEndian = {};
   };
 
-
   isCpuType = isType "cpu-type";
   cpuTypes = with significantBytes; setTypesAssert "cpu-type"
     (x: elem x.bits [8 16 32 64 128]
@@ -47,6 +50,7 @@ rec {
   vendors = setTypes "vendor" {
     apple = {};
     pc = {};
+
     unknown = {};
   };
 
@@ -56,39 +60,42 @@ rec {
     elf = {};
     macho = {};
     pe = {};
+
     unknown = {};
   };
 
   isKernelFamily = isType "kernel-family";
   kernelFamilies = setTypes "kernel-family" {
     bsd = {};
     unix = {};
-    windows-nt = {};
-    dos = {};
   };
 
   isKernel = x: isType "kernel" x;
   kernels = with execFormats; with kernelFamilies; setTypesAssert "kernel"
     (x: isExecFormat x.execFormat && all isKernelFamily (attrValues x.families))
   {
-    cygwin  = { execFormat = pe;      families = { inherit /*unix*/ windows-nt; }; };
     darwin  = { execFormat = macho;   families = { inherit unix; }; };
     freebsd = { execFormat = elf;     families = { inherit unix bsd; }; };
     linux   = { execFormat = elf;     families = { inherit unix; }; };
     netbsd  = { execFormat = elf;     families = { inherit unix bsd; }; };
     none    = { execFormat = unknown; families = { inherit unix; }; };
     openbsd = { execFormat = elf;     families = { inherit unix bsd; }; };
     solaris = { execFormat = elf;     families = { inherit unix; }; };
-    win32   = { execFormat = pe;      families = { inherit dos; }; };
+    windows = { execFormat = pe;      families = { }; };
+  } // { # aliases
+    win32 = kernels.windows;
   };
 
-
   isAbi = isType "abi";
   abis = setTypes "abi" {
+    cygnus = {};
     gnu = {};
     msvc = {};
     eabi = {};
     androideabi = {};
+    gnueabi = {};
+    gnueabihf = {};
+
     unknown = {};
   };
 
@@ -107,19 +114,25 @@ rec {
   isDarwin = matchAttrs { kernel = kernels.darwin; };
   isLinux = matchAttrs { kernel = kernels.linux; };
   isUnix = matchAttrs { kernel = { families = { inherit (kernelFamilies) unix; }; }; };
-  isWindows = s: matchAttrs { kernel = { families = { inherit (kernelFamilies) windows-nt; }; }; } s
-              || matchAttrs { kernel = { families = { inherit (kernelFamilies) dos; }; }; } s;
+  isWindows = matchAttrs { kernel = kernels.windows; };
+  isCygwin = matchAttrs { kernel = kernels.windows; abi = abis.cygnus; };
+  isMinGW = matchAttrs { kernel = kernels.windows; abi = abis.gnu; };
 
 
   mkSkeletonFromList = l: {
-    "2" =    { cpu = elemAt l 0;                      kernel = elemAt l 1;                   };
-    "4" =    { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; abi = elemAt l 3; };
+    "2" = # We only do 2-part hacks for things Nix already supports
+      if elemAt l 1 == "cygwin"
+        then { cpu = elemAt l 0;                      kernel = "windows"; abi = "cygnus";    }
+      else   { cpu = elemAt l 0;                      kernel = elemAt l 1;                   };
     "3" = # Awkwards hacks, beware!
       if elemAt l 1 == "apple"
         then { cpu = elemAt l 0; vendor = "apple";    kernel = elemAt l 2;                   }
       else if (elemAt l 1 == "linux") || (elemAt l 2 == "gnu")
         then { cpu = elemAt l 0;                      kernel = elemAt l 1; abi = elemAt l 2; }
+      else if (elemAt l 2 == "mingw32") # autotools breaks on -gnu for window
+        then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "windows";  abi = "gnu"; }
       else throw "Target specification with 3 components is ambiguous";
+    "4" =    { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; abi = elemAt l 3; };
   }.${toString (length l)}
     or (throw "system string has invalid number of hyphen-separated components");
 
@@ -132,18 +145,10 @@ rec {
                          , # Also inferred below
                            abi    ? assert false; null
                          } @ args: let
-    getCpu = name:
-      attrByPath [name] (throw "Unknown CPU type: ${name}")
-        cpuTypes;
-    getVendor = name:
-      attrByPath [name] (throw "Unknown vendor: ${name}")
-        vendors;
-    getKernel = name:
-      attrByPath [name] (throw "Unknown kernel: ${name}")
-        kernels;
-    getAbi = name:
-      attrByPath [name] (throw "Unknown ABI: ${name}")
-        abis;
+    getCpu    = name: cpuTypes.${name} or (throw "Unknown CPU type: ${name}");
+    getVendor = name:  vendors.${name} or (throw "Unknown vendor: ${name}");
+    getKernel = name:  kernels.${name} or (throw "Unknown kernel: ${name}");
+    getAbi    = name:     abis.${name} or (throw "Unknown ABI: ${name}");
 
     system = rec {
       cpu = getCpu args.cpu;
@@ -164,7 +169,10 @@ rec {
 
   mkSystemFromString = s: mkSystemFromSkeleton (mkSkeletonFromList (lib.splitString "-" s));
 
-  doubleFromSystem = { cpu, vendor, kernel, abi, ... }: "${cpu.name}-${kernel.name}";
+  doubleFromSystem = { cpu, vendor, kernel, abi, ... }:
+    if vendor == kernels.windows && abi == abis.cygnus
+    then "${cpu.name}-cygwin"
+    else "${cpu.name}-${kernel.name}";
 
   tripleFromSystem = { cpu, vendor, kernel, abi, ... } @ sys: assert isSystem sys; let
     optAbi = lib.optionalString (abi != abis.unknown) "-${abi.name}";

diff --git a/lib/trivial.nix b/lib/trivial.nix
@@ -38,7 +38,7 @@ rec {
   /* Merge two attribute sets shallowly, right side trumps left
 
      Example:
-       mergeAttrs { a = 1; b = 2; } // { b = 3; c = 4; }
+       mergeAttrs { a = 1; b = 2; } { b = 3; c = 4; }
        => { a = 1; b = 3; c = 4; }
   */
   mergeAttrs = x: y: x // y;

diff --git a/nixos/doc/manual/administration/imperative-containers.xml b/nixos/doc/manual/administration/imperative-containers.xml
@@ -29,8 +29,10 @@ line. For instance, to create a container that has
 <literal>root</literal>:
 
 <screen>
-# nixos-container create foo --config 'services.openssh.enable = true; \
-  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
+# nixos-container create foo --config '
+  services.openssh.enable = true;
+  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];
+'
 </screen>
 
 </para>
@@ -97,8 +99,11 @@ This will build and activate the new configuration. You can also
 specify a new configuration on the command line:
 
 <screen>
-# nixos-container update foo --config 'services.httpd.enable = true; \
-  services.httpd.adminAddr = "foo@example.org";'
+# nixos-container update foo --config '
+  services.httpd.enable = true;
+  services.httpd.adminAddr = "foo@example.org";
+  networking.firewall.allowedTCPPorts = [ 80 ];
+'
 
 # curl http://$(nixos-container show-ip foo)/
 &lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…

diff --git a/nixos/doc/manual/configuration/file-systems.xml b/nixos/doc/manual/configuration/file-systems.xml
@@ -35,6 +35,12 @@ or <literal>ext4</literal>, then it’s best to specify
 <option>fsType</option> to ensure that the kernel module is
 available.</para>
 
+<note><para>System startup will fail if any of the filesystems fails to mount,
+dropping you to the emergency shell.
+You can make a mount asynchronous and non-critical by adding
+<literal>options = [ "nofail" ];</literal>.
+</para></note>
+
 <xi:include href="luks-file-systems.xml" />
 
 </chapter>
diff --git a/nixos/doc/manual/installation/installing-usb.xml b/nixos/doc/manual/installation/installing-usb.xml
@@ -34,6 +34,11 @@ ISO, copy its contents verbatim to your drive, then either:
     in <link xlink:href="https://www.kernel.org/doc/Documentation/kernel-parameters.txt">
     the kernel documentation</link> for more details).</para>
   </listitem>
+  <listitem>
+    <para>If you want to load the contents of the ISO to ram after bootin
+    (So you can remove the stick after bootup) you can append the parameter
+    <literal>copytoram</literal>to the <literal>options</literal> field.</para>
+  </listitem>
 </itemizedlist>
 </para>
 

diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix
@@ -1,5 +1,5 @@
 {
-  x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
-  i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
-  x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
+  x86_64-linux = "/nix/store/71im965h634iy99zsmlncw6qhx5jcclx-nix-1.11.9";
+  i686-linux = "/nix/store/cgvavixkayc36l6kl92i8mxr6k0p2yhy-nix-1.11.9";
+  x86_64-darwin = "/nix/store/w1c96v5yxvdmq4nvqlxjvg6kp7xa2lag-nix-1.11.9";
 }
diff --git a/nixos/modules/misc/extra-arguments.nix b/nixos/modules/misc/extra-arguments.nix
@@ -2,16 +2,6 @@
 
 {
   _module.args = {
-    pkgs_i686 = import ../../.. {
-      system = "i686-linux";
-      # FIXME: we enable config.allowUnfree to make packages like
-      # nvidia-x11 available. This isn't a problem because if the user has
-      # ‘nixpkgs.config.allowUnfree = false’, then evaluation will fail on
-      # the 64-bit package anyway. However, it would be cleaner to respect
-      # nixpkgs.config here.
-      config.allowUnfree = true;
-    };
-
     utils = import ../../lib/utils.nix pkgs;
   };
 }
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
@@ -289,6 +289,10 @@
       rpc = 271;
       geoip = 272;
       fcron = 273;
+      sonarr = 274;
+      radarr = 275;
+      jackett = 276;
+      aria2 = 277;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -547,6 +551,10 @@
       #rpc = 271; # unused
       #geoip = 272; # unused
       fcron = 273;
+      sonarr = 274;
+      radarr = 275;
+      jackett = 276;
+      aria2 = 277;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix
@@ -42,6 +42,8 @@ let
     merge = lib.mergeOneOption;
   };
 
+  _pkgs = import ../../.. config.nixpkgs;
+
 in
 
 {
@@ -97,6 +99,9 @@ in
   };
 
   config = {
-    _module.args.pkgs = import ../../.. config.nixpkgs;
+    _module.args = {
+      pkgs = _pkgs;
+      pkgs_i686 = _pkgs.pkgsi686Linux;
+    };
   };
 }
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -116,6 +116,7 @@
   ./security/duosec.nix
   ./security/grsecurity.nix
   ./security/hidepid.nix
+  ./security/lock-kernel-modules.nix
   ./security/oath.nix
   ./security/pam.nix
   ./security/pam_usb.nix

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
@@ -6,10 +6,25 @@
 with lib;
 
 {
+  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
+
   security.hideProcessInformation = mkDefault true;
 
+  security.lockKernelModules = mkDefault true;
+
   security.apparmor.enable = mkDefault true;
 
+  boot.kernelParams = [
+    # Overwrite free'd memory
+    "page_poison=1"
+
+    # Disable legacy virtual syscalls
+    "vsyscall=none"
+
+    # Disable hibernation (allows replacing the running kernel)
+    "nohibernate"
+  ];
+
   # Restrict ptrace() usage to processes with a pre-defined relationship
   # (e.g., parent/child)
   boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

diff --git a/nixos/modules/programs/command-not-found/command-not-found.nix b/nixos/modules/programs/command-not-found/command-not-found.nix
@@ -44,7 +44,7 @@ in
       ''
         # This function is called whenever a command is not found.
         command_not_found_handle() {
-          local p=${commandNotFound}
+          local p=${commandNotFound}/bin/command-not-found
           if [ -x $p -a -f ${cfg.dbPath} ]; then
             # Run the helper program.
             $p "$@"
@@ -65,7 +65,7 @@ in
       ''
         # This function is called whenever a command is not found.
         command_not_found_handler() {
-          local p=${commandNotFound}
+          local p=${commandNotFound}/bin/command-not-found
           if [ -x $p -a -f ${cfg.dbPath} ]; then
             # Run the helper program.
             $p "$@"

diff --git a/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix
@@ -18,7 +18,17 @@ in
 
         highlighters = mkOption {
           default = [ "main" ];
-          type = types.listOf(types.str);
+
+          # https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
+          type = types.listOf(types.enum([
+            "main"
+            "brackets"
+            "pattern"
+            "cursor"
+            "root"
+            "line"
+          ]));
+
           description = ''
             Specifies the highlighters to be used by zsh-syntax-highlighting.
 

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
@@ -13,7 +13,7 @@ in
 
 {
   meta = {
-    maintainers = with maintainers; [ joachifm ];
+    maintainers = with maintainers; [ ];
     doc = ./grsecurity.xml;
   };
 

diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
@@ -26,9 +26,11 @@
     <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
     Linux wiki page on grsecurity</link>.
 
-    <note><para>grsecurity/PaX is only available for the latest linux -stable
-    kernel; patches against older kernels are available from upstream only for
-    a fee.</para></note>
+    <warning><para>Upstream has ceased free support for grsecurity/PaX.  See
+    <link xlink:href="https://grsecurity.net/passing_the_baton.php">
+    the announcement</link> for more information.  Consequently, NixOS
+    support for grsecurity/PaX also must cease.  Enabling this module will
+    result in a build error.</para></warning>
     <note><para>We standardise on a desktop oriented configuration primarily due
     to lack of resources.  The grsecurity/PaX configuration state space is huge
     and each configuration requires quite a bit of testing to ensure that the