This prevents insidious errors once systemd begins handling the unit. If
the unit is loaded at boot, any errors of this nature are logged to the
console before the journal service is running. This makes it very hard
to diagnose the issue. Therefore, this assertion helps guarantee the
mistake is not made.
Note that systemd no longer depends on dbus, so we're rid of the
cyclic dependency problem between systemd and dbus.
This commit incorporates from wkennington's systemd branch
(203dcff45002a63f6be75c65f1017021318cc839,
1f842558a95947261ece66f707bfa24faf5a9d88).
Using pkgs.lib.mkOverride in a sysctl option would throw a bogus error.
Also, if you defined a sysctl multiple times in the same configuration,
only one of the values would be picked up, while the others were silently
discarded.
This patch should fix both issues. If you define a sysctl multiple
times at your highest defined priority level, you will get a proper
error with detailed location information.
This mostly upgrades transmission, and does some very minor touchups on
AppArmor support.
In particular, there is now no need to ever specify the umask as part of
the settings, as it will be mixed in by default (which is essentially
always what you want). Also, the default configuration is now more
sensible: Downloads are put in /var/lib/transmission/Downloads, and
incomplete files are put in /var/lib/transmission/.incomplete - this
also allows easy use of file syncing probrams, like BitTorrent Sync.
Finally, this unconditionally enables the AppArmor profiles for the
daemon, if AppArmor is enabled - rather than letting the user specify
profile support, it's best to default to supporting profiles for daemons
transparently in all places.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Previously, if the currently installed Nix is too old to evaluate
Nixpkgs, then nixos-rebuild would fail and the user had to upgrade Nix
manually. Now, as a fallback, we run ‘nix-store -r’ to obtain a binary
Nix directly from the binary cache.
This allows doing any necessary actions that were not in the installed
nixos-rebuild (such as downloading a new version of Nix). This does
require us to be careful that nixos-rebuild is backwards-compatible
(i.e. can run in any old installation).
The style for IDs dictates that groups/users should have the same ID -
so if a user doesn't have a group or vice versa, then we should skip
that ID.
In this case, we had already assigned grsecurity GID 121, but I
accidentally also assigned Hydra UID 121. Instead, let's assign Hydra
UID 122. And also assign a GID (122) as well.
Luckily nobody was depending on this yet (except me).
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
Now you can just say:
$ nix-build '<nixos/tests/login.nix>'
You can still get the driver script for interactive testing:
$ nix-build '<nixos/tests/login.nix>' -A driver
$ ./result/bin/nixos-test-driver
You can now run a test in the nixos/tests directory directly using
nix-build, e.g.
$ nix-build '<nixos/tests/login.nix>' -A test
This gets rid of having to add the test to nixos/tests/default.nix.
(Of course, you still need to add it to nixos/release.nix if you want
Hydra to run the test.)
Enabling by default on gnome3 as now it's possible to create and use
accounts (tested with telepathy_gabble and gtalk).
At this time, empathy x86-64 fails to build on hydra but I'm unable
to reproduce. Therefore, try disabling the parallel build.
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.
This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.
This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
