Merge branch 'master' into staging

* master: (271 commits) pysmbc: clarify license pysmbc: fix license bazel: 0.5.4 -> 0.6.0 (#29990) googler: init at 3.3 go: declare support for aarch64 firefox-beta-bin: 56.0b5 -> 57.0b4 spotify: 1.0.64.401.g9d720389-21 -> 1.0.64.407.g9bd02c2d-26 gogs: 0.11.19 -> 0.11.29 grafana: 4.5.1 -> 4.5.2 mopidy-iris: 3.4.1 -> 3.4.9 nextcloud: 12.0.2 -> 12.0.3 haskell-json-autotype: jailbreak to fix build within LTS 9.x kore: fix up kore: init at 2.0.0 glusterfs service: fix issues with useRpcbind tig: 2.2.2 -> 2.3.0 haskell-hspec-core: enable test suite again hackage-packages.nix: automatic Haskell package set update librsvg: fix thumbnailer path awscli: 1.11.108 -> 1.11.162 ...
NixOS · Oct 2, 2017 · fda26c8 · fda26c8
2 parents 21976d1 + 6b8806d
commit fda26c8
Show file tree

Hide file tree

Showing 260 changed files with 9,682 additions and 4,403 deletions.
diff --git a/lib/maintainers.nix b/lib/maintainers.nix
@@ -287,6 +287,7 @@
   joelmo = "Joel Moberg <joel.moberg@gmail.com>";
   joelteon = "Joel Taylor <me@joelt.io>";
   johbo = "Johannes Bornhold <johannes@bornhold.name>";
+  johnmh = "John M. Harris, Jr. <johnmh@openblox.org>";
   johnramsden = "John Ramsden <johnramsden@riseup.net>";
   joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
   jonafato = "Jon Banafato <jon@jonafato.com>";
@@ -373,6 +374,7 @@
   meditans = "Carlo Nucera <meditans@gmail.com>";
   meisternu = "Matt Miemiec <meister@krutt.org>";
   metabar = "Celine Mercier <softs@metabarcoding.org>";
+  mgdelacroix = "Miguel de la Cruz <mgdelacroix@gmail.com>";
   mguentner = "Maximilian Güntner <code@klandest.in>";
   mic92 = "Jörg Thalheim <joerg@thalheim.io>";
   michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
@@ -550,6 +552,7 @@
   siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
   sigma = "Yann Hodique <yann.hodique@gmail.com>";
   simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
+  sivteck = "Sivaram Balakrishnan <sivaram1992@gmail.com>";
   sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
   sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
   sjourdois = "Stéphane ‘kwisatz’ Jourdois <sjourdois@gmail.com>";
@@ -575,6 +578,7 @@
   swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
   swflint = "Samuel W. Flint <swflint@flintfam.org>";
   swistak35 = "Rafał Łasocha <me@swistak35.com>";
+  symphorien = "Guillaume Girol <symphorien_nixpkgs@xlumurb.eu>";
   szczyp = "Szczyp <qb@szczyp.com>";
   sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
   taeer = "Taeer Bar-Yam <taeer@necsi.edu>";

diff --git a/maintainers/scripts/gnome.sh b/maintainers/scripts/gnome.sh
@@ -6,7 +6,7 @@ GNOME_FTP=ftp.gnome.org/pub/GNOME/sources
 
 # projects that don't follow the GNOME major versioning, or that we don't want to
 # programmatically update
-NO_GNOME_MAJOR="ghex gtkhtml gdm"
+NO_GNOME_MAJOR="ghex gtkhtml gdm gucharmap"
 
 usage() {
   echo "Usage: $0 <show project>|<update project>|<update-all> [major.minor]" >&2

diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml
diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -6,6 +6,14 @@
 
 <title>Release 18.03 (“Impala”, 2018/03/??)</title>
 
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-highlights">
+
+<title>Highlights</title>
+
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
 
@@ -16,6 +24,15 @@ has the following highlights: </para>
   </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-new-services">
+
+<title>New Services</title>
+
 <para>The following new services were added since the last release:</para>
 
 <itemizedlist>
@@ -24,6 +41,15 @@ has the following highlights: </para>
   </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-incompatibilities">
+
+<title>Backward Incompatibilities</title>
+
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
 
@@ -33,7 +59,14 @@ following incompatible changes:</para>
   </listitem>
 </itemizedlist>
 
-<para>Other notable improvements:</para>
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-notable-changes">
+
+<title>Other Notable Changes</title>
 
 <itemizedlist>
   <listitem>
@@ -43,3 +76,4 @@ following incompatible changes:</para>
 </itemizedlist>
 
 </section>
+</section>
diff --git a/nixos/maintainers/scripts/ec2/create-amis.sh b/nixos/maintainers/scripts/ec2/create-amis.sh
@@ -17,7 +17,7 @@ mkdir -p $stateDir
 rm -f ec2-amis.nix
 
 types="hvm"
-stores="ebs s3"
+stores="ebs"
 regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
 
 for type in $types; do

diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix
@@ -42,7 +42,7 @@ in
   config = mkIf enabled {
     assertions = [
       {
-        assertion = services.xserver.displayManager.gdm.wayland;
+        assertion = config.services.xserver.displayManager.gdm.wayland;
         message = "NVidia drivers don't support wayland";
       }
     ];

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -73,6 +73,7 @@
   ./programs/adb.nix
   ./programs/atop.nix
   ./programs/bash/bash.nix
+  ./programs/bcc.nix
   ./programs/blcr.nix
   ./programs/browserpass.nix
   ./programs/cdemu.nix
@@ -102,6 +103,7 @@
   ./programs/spacefm.nix
   ./programs/ssh.nix
   ./programs/ssmtp.nix
+  ./programs/sysdig.nix
   ./programs/thefuck.nix
   ./programs/tmux.nix
   ./programs/venus.nix

diff --git a/nixos/modules/programs/bcc.nix b/nixos/modules/programs/bcc.nix
@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+{
+  options.programs.bcc.enable = lib.mkEnableOption "bcc";
+
+  config = lib.mkIf config.programs.bcc.enable {
+    environment.systemPackages = [ config.boot.kernelPackages.bcc ];
+    boot.extraModulePackages = [ config.boot.kernelPackages.bcc ];
+  };
+}
diff --git a/nixos/modules/programs/sysdig.nix b/nixos/modules/programs/sysdig.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.sysdig;
+in {
+  options.programs.sysdig.enable = mkEnableOption "sysdig";
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.sysdig ];
+    boot.extraModulePackages = [ config.boot.kernelPackages.sysdig ];
+  };
+}
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
@@ -22,7 +22,7 @@ in
         description = ''
           Enable USB login for all login systems that support it.  For
           more information, visit <link
-          xlink:href="http://pamusb.org/doc/quickstart#setting_up" />.
+          xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users" />.
         '';
       };
 

diff --git a/nixos/modules/services/cluster/kubernetes/dashboard.nix b/nixos/modules/services/cluster/kubernetes/dashboard.nix
@@ -11,7 +11,7 @@ let
   image = pkgs.dockerTools.pullImage {
     imageName = name;
     imageTag = version;
-    sha256 = "0b5v7xa3s91yi9yfsw2b8wijiprnicbb02f5kqa579h4yndb3gfz";
+    sha256 = "1sf54d96nkgic9hir9c6p14gw24ns1k5d5a0r1sg414kjrvic0b4";
   };
 in {
   options.services.kubernetes.addons.dashboard = {

diff --git a/nixos/modules/services/cluster/kubernetes/dns.nix b/nixos/modules/services/cluster/kubernetes/dns.nix
@@ -8,19 +8,19 @@ let
   k8s-dns-kube-dns = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-kube-dns-amd64";
     imageTag = version;
-    sha256 = "0g64jc2076ng28xl4w3w9svf7hc6s9h8rq9mhvvwpfy2p6lgj6gy";
+    sha256 = "0q97xfqrigrfjl2a9cxl5in619py0zv44gch09jm8gqjkxl80imp";
   };
 
   k8s-dns-dnsmasq-nanny = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64";
     imageTag = version;
-    sha256 = "0sdpsbj1vismihy7ass1cn96nwmav6sf3r5h6i4k2dxha0y0jsh5";
+    sha256 = "051w5ca4qb88mwva4hbnh9xzlsvv7k1mbk3wz50lmig2mqrqqx6c";
   };
 
   k8s-dns-sidecar = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-sidecar-amd64";
     imageTag = version;
-    sha256 = "01zpi189hpy2z62awl38fap908s8rrhc3v5gb6m90y2pycl4ad6q";
+    sha256 = "1z0d129bcm8i2cqq36x5jhnrv9hirj8c6kjrmdav8vgf7py78vsm";
   };
 
   cfg = config.services.kubernetes.addons.dns;

diff --git a/nixos/modules/services/mail/nullmailer.nix b/nixos/modules/services/mail/nullmailer.nix
@@ -35,6 +35,18 @@ with lib;
         description = "Whether to set the system sendmail to nullmailer's.";
       };
 
+      remotesFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Path to the <code>remotes</code> control file. This file contains a
+          list of remote servers to which to send each message.
+
+          See <code>man 8 nullmailer-send</code> for syntax and available
+          options.
+        '';
+      };
+
       config = {
         adminaddr = mkOption {
           type = types.nullOr types.str;
@@ -142,7 +154,16 @@ with lib;
           type = types.nullOr types.str;
           default = null;
           description = ''
-            If set, content will override the envelope sender on all messages.
+            A list of remote servers to which to send each message. Each line
+            contains a remote host name or address followed by an optional
+            protocol string, separated by white space.
+
+            See <code>man 8 nullmailer-send</code> for syntax and available
+            options.
+
+            WARNING: This is stored world-readable in the nix store. If you need
+            to specify any secret credentials here, consider using the
+            <code>remotesFile</code> option instead.
           '';
         };
 
@@ -164,13 +185,19 @@ with lib;
     cfg = config.services.nullmailer;
   in mkIf cfg.enable {
 
+    assertions = [
+      { assertion = cfg.config.remotes == null || cfg.remotesFile == null;
+        message = "Only one of `remotesFile` or `config.remotes` may be used at a time.";
+      }
+    ];
+
     environment = {
       systemPackages = [ pkgs.nullmailer ];
       etc = let
-        getval  = attr: builtins.getAttr attr cfg.config;
-        attrs   = builtins.attrNames cfg.config;
-        attrs'  = builtins.filter (attr: ! isNull (getval attr)) attrs;
-      in foldl' (as: attr: as // { "nullmailer/${attr}".text = getval attr; }) {} attrs';
+        validAttrs = filterAttrs (name: value: value != null) cfg.config;
+      in
+        (foldl' (as: name: as // { "nullmailer/${name}".text = validAttrs.${name}; }) {} (attrNames validAttrs))
+          // optionalAttrs (cfg.remotesFile != null) { "nullmailer/remotes".source = cfg.remotesFile; };
     };
 
     users = {
@@ -192,7 +219,7 @@ with lib;
 
       preStart = ''
         mkdir -p /var/spool/nullmailer/{queue,tmp}
-        rm -f var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
+        rm -f /var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
         chown ${cfg.user} /var/spool/nullmailer/*
       '';
 

diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
@@ -635,6 +635,13 @@ in {
         chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}
         chmod -R ug+rwX,o-rwx+X ${cfg.statePath}
         chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}
+        chmod -R ug+rwX,o-rwx ${cfg.statePath}/repositories
+        chmod -R ug-s ${cfg.statePath}/repositories
+        find ${cfg.statePath}/repositories -type d -print0 | xargs -0 chmod g+s
+        chmod 700 ${cfg.statePath}/uploads
+        chown -R git ${cfg.statePath}/uploads
+        find ${cfg.statePath}/uploads -type f -exec chmod 0644 {} \;
+        find ${cfg.statePath}/uploads -type d -not -path ${cfg.statePath}/uploads -exec chmod 0700 {} \;
       '';
 
       serviceConfig = {

diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix
@@ -41,6 +41,57 @@ in
         default = "INFO";
       };
 
+      useRpcbind = mkOption {
+        type = types.bool;
+        description = ''
+          Enable use of rpcbind. This is required for Gluster's NFS functionality.
+
+          You may want to turn it off to reduce the attack surface for DDoS reflection attacks.
+
+          See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/
+          and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details.
+        '';
+        default = true;
+      };
+
+      enableGlustereventsd = mkOption {
+        type = types.bool;
+        description = "Whether to enable the GlusterFS Events Daemon";
+        default = true;
+      };
+
+      killMode = mkOption {
+        type = types.enum ["control-group" "process" "mixed" "none"];
+        description = ''
+          The systemd KillMode to use for glusterd.
+
+          glusterd spawns other daemons like gsyncd.
+          If you want these to stop when glusterd is stopped (e.g. to ensure
+          that NixOS config changes are reflected even for these sub-daemons),
+          set this to 'control-group'.
+          If however you want running volume processes (glusterfsd) and thus
+          gluster mounts not be interrupted when glusterd is restarted
+          (for example, when you want to restart them manually at a later time),
+          set this to 'process'.
+        '';
+        default = "control-group";
+      };
+
+      stopKillTimeout = mkOption {
+        type = types.str;
+        description = ''
+          The systemd TimeoutStopSec to use.
+
+          After this time after having been asked to shut down, glusterd
+          (and depending on the killMode setting also its child processes)
+          are killed by systemd.
+
+          The default is set low because GlusterFS (as of 3.10) is known to
+          not tell its children (like gsyncd) to terminate at all.
+        '';
+        default = "5s";
+      };
+
       extraFlags = mkOption {
         type = types.listOf types.str;
         description = "Extra flags passed to the GlusterFS daemon";
@@ -89,7 +140,7 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.glusterfs ];
 
-    services.rpcbind.enable = true;
+    services.rpcbind.enable = cfg.useRpcbind;
 
     environment.etc = mkIf (cfg.tlsSettings != null) {
       "ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
@@ -104,9 +155,8 @@ in
 
       wantedBy = [ "multi-user.target" ];
 
-      requires = [ "rpcbind.service" ];
-      after = [ "rpcbind.service" "network.target" "local-fs.target" ];
-      before = [ "network-online.target" ];
+      requires = lib.optional cfg.useRpcbind "rpcbind.service";
+      after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind "rpcbind.service";
 
       preStart = ''
         install -m 0755 -d /var/log/glusterfs
@@ -130,11 +180,12 @@ in
         PIDFile="/run/glusterd.pid";
         LimitNOFILE=65536;
         ExecStart="${glusterfs}/sbin/glusterd -p /run/glusterd.pid --log-level=${cfg.logLevel} ${toString cfg.extraFlags}";
-        KillMode="process";
+        KillMode=cfg.killMode;
+        TimeoutStopSec=cfg.stopKillTimeout;
       };
     };
 
-    systemd.services.glustereventsd = {
+    systemd.services.glustereventsd = mkIf cfg.enableGlustereventsd {
       inherit restartTriggers;
 
       description = "Gluster Events Notifier";
@@ -143,6 +194,10 @@ in
 
       after = [ "syslog.target" "network.target" ];
 
+      preStart = ''
+        install -m 0755 -d /var/log/glusterfs
+      '';
+
       serviceConfig = {
         Type="simple";
         Environment="PYTHONPATH=${glusterfs}/usr/lib/python2.7/site-packages";