Merge remote-tracking branch 'upstream/master' into staging

NixOS · Feb 9, 2018 · 20e3109 · 20e3109
2 parents dc0e21d + 78a17f5
commit 20e3109
Show file tree

Hide file tree

Showing 51 changed files with 1,945 additions and 1,259 deletions.
diff --git a/lib/types.nix b/lib/types.nix
@@ -256,6 +256,10 @@ rec {
       functor = (defaultFunctor name) // { wrapped = elemType; };
     };
 
+    nonEmptyListOf = elemType: 
+      let list = addCheck (types.listOf elemType) (l: l != []);
+      in list // { description = "non-empty " + list.description; };
+
     attrsOf = elemType: mkOptionType rec {
       name = "attrsOf";
       description = "attribute set of ${elemType.description}s";

diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
@@ -289,10 +289,10 @@ in
                     # Create initial databases
                     if ! test -e "${cfg.dataDir}/${database.name}"; then
                         echo "Creating initial database: ${database.name}"
-                        ( echo "create database ${database.name};"
+                        ( echo "create database `${database.name}`;"
 
                           ${optionalString (database ? "schema") ''
-                          echo "use ${database.name};"
+                          echo "use `${database.name}`;"
 
                           if [ -f "${database.schema}" ]
                           then

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
@@ -375,9 +375,6 @@ in
         # LogLevel VERBOSE logs user's key fingerprint on login.
         # Needed to have a clear audit track of which key was used to log in.
         LogLevel VERBOSE
-
-        # Use kernel sandbox mechanisms where possible in unprivileged processes.
-        UsePrivilegeSeparation sandbox
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
@@ -88,6 +88,9 @@ let
     ${flip concatMapStrings v.map (p: ''
       HiddenServicePort ${toString p.port} ${p.destination}
     '')}
+    ${optionalString (v.authorizeClient != null) ''
+      HiddenServiceAuthorizeClient ${v.authorizeClient.authType} ${concatStringsSep "," v.authorizeClient.clientNames}
+    ''}
   ''))
   + cfg.extraConfig;
 
@@ -619,6 +622,33 @@ in
                }));
              };
 
+             authorizeClient = mkOption {
+               default = null;
+               description = "If configured, the hidden service is accessible for authorized clients only.";
+               type = types.nullOr (types.submodule ({config, ...}: {
+
+                 options = {
+
+                   authType = mkOption {
+                     type = types.enum [ "basic" "stealth" ];
+                     description = ''
+                       Either <literal>"basic"</literal> for a general-purpose authorization protocol
+                       or <literal>"stealth"</literal> for a less scalable protocol
+                       that also hides service activity from unauthorized clients.
+                     '';
+                   };
+
+                   clientNames = mkOption {
+                     type = types.nonEmptyListOf (types.strMatching "[A-Za-z0-9+-_]+");
+                     description = ''
+                       Only clients that are listed here are authorized to access the hidden service.
+                       Generated authorization data can be found in <filename>${torDirectory}/onion/$name/hostname</filename>.
+                       Clients need to put this authorization data in their configuration file using <literal>HidServAuth</literal>.
+                     '';
+                   };
+                 };
+               }));
+             };
           };
 
           config = {

diff --git a/pkgs/applications/editors/emacs-modes/elpa-generated.nix b/pkgs/applications/editors/emacs-modes/elpa-generated.nix
@@ -768,10 +768,10 @@
     el-search = callPackage ({ cl-print, elpaBuild, emacs, fetchurl, lib, stream }:
     elpaBuild {
         pname = "el-search";
-        version = "1.5.3";
+        version = "1.5.4";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/el-search-1.5.3.tar";
-          sha256 = "095gpanpf88j65cbf4r6c787qxi07kqpvdsh0dsdpg9m3ivmxbra";
+          url = "https://elpa.gnu.org/packages/el-search-1.5.4.tar";
+          sha256 = "1k0makrk3p6hknpnr3kbiszqzw3rpw18gnx2m8scr9vv0wif4qmk";
         };
         packageRequires = [ cl-print emacs stream ];
         meta = {
@@ -1637,10 +1637,10 @@
       }) {};
     paced = callPackage ({ async, elpaBuild, emacs, fetchurl, lib }: elpaBuild {
         pname = "paced";
-        version = "1.0.1";
+        version = "1.1.2";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/paced-1.0.1.tar";
-          sha256 = "1y2sl3iqz2vjgkbc859sm3h9jhnrgla9ynazy9d5rql0nsb6sn8p";
+          url = "https://elpa.gnu.org/packages/paced-1.1.2.tar";
+          sha256 = "1hxbzlzmlndj2gs9n741whi7rj6vbcnxdn89lg2l0997pqmsx58y";
         };
         packageRequires = [ async emacs ];
         meta = {