diff --git a/doc/manual/options-to-docbook.xsl b/doc/manual/options-to-docbook.xsl index 660ba6208b3f..0584081fef18 100644 --- a/doc/manual/options-to-docbook.xsl +++ b/doc/manual/options-to-docbook.xsl @@ -156,7 +156,10 @@ or to the local filesystem. --> - https://nixos.org/viewvc/nix/nixos/trunk/modules/?revision= + https://github.com/NixOS/nixos/blob//modules/ + + + https://github.com/NixOS/charon/blob//nix/ file:// @@ -166,8 +169,11 @@ /nix/store/ prefix by the default location of nixos sources. --> - - /etc/nixos/nixos/modules/ + + <nixos/modules/> + + + <charon/> diff --git a/modules/config/swap.nix b/modules/config/swap.nix index 550cd4755af7..163de568d0f7 100644 --- a/modules/config/swap.nix +++ b/modules/config/swap.nix @@ -33,18 +33,30 @@ with pkgs.lib; device = mkOption { example = "/dev/sda3"; - type = types.string; + type = types.uniq types.string; description = "Path of the device."; }; label = mkOption { example = "swap"; - type = types.string; + type = types.uniq types.string; description = '' Label of the device. Can be used instead of device. ''; }; + size = mkOption { + default = null; + example = 2048; + type = types.nullOr types.int; + description = '' + If this option is set, ‘device’ is interpreted as the + path of a swapfile that will be created automatically + with the indicated size (in megabytes) if it doesn't + exist. + ''; + }; + }; config = { diff --git a/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/modules/installer/cd-dvd/system-tarball-sheevaplug.nix index 381223a078b1..24e7a0063149 100644 --- a/modules/installer/cd-dvd/system-tarball-sheevaplug.nix +++ b/modules/installer/cd-dvd/system-tarball-sheevaplug.nix @@ -1,5 +1,5 @@ # This module contains the basic configuration for building a NixOS -# installation CD. +# tarball for the sheevaplug. { config, pkgs, ... }: @@ -87,6 +87,7 @@ in pkgs.bvi # binary editor pkgs.joe ]; +*/ boot.loader.grub.enable = false; boot.loader.generationsDir.enable = false; 
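Review bot: The `device` description (`Path of the device.`) is now incomplete, because the new `size` option turns `device` into the path of a swapfile that will be created; suggest `description = "Path of the device, or of the swapfile to create when ‘size’ is set.";`. `types.nullOr types.int` also accepts 0 and negative values, and the consumer in filesystems.nix passes the value straight to `dd … count=`, so either an assertion or a sentence in the description stating that the size must be positive would help. The sheevaplug hunk's added `*/` closes a comment whose opener is outside the hunk, so the extent of what is being commented out cannot be checked here.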
diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix index 8af94c48cce7..3a348818a97c 100644 --- a/modules/programs/shadow.nix +++ b/modules/programs/shadow.nix @@ -37,7 +37,7 @@ in users.defaultUserShell = pkgs.lib.mkOption { default = "/var/run/current-system/sw/bin/bash"; description = '' - This option defined the default shell assigned to user + This option defines the default shell assigned to user accounts. This must not be a store path, since the path is used outside the store (in particular in /etc/passwd). Rather, it should be the path of a symlink that points to the diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 4e50c661460c..4fab7febc710 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -7,7 +7,7 @@ with pkgs.lib; let - inherit (pkgs) pam_usb pam_ldap pam_krb5 pam_ccreds; + inherit (pkgs) pam_ldap pam_krb5 pam_ccreds; otherService = pkgs.writeText "other.pam" '' @@ -37,6 +37,10 @@ let , # If set, user listed in /etc/pamusb.conf are able to log in with # the associated usb key. usbAuth ? config.security.pam.usb.enable + , # If set, the calling user's SSH agent is used to authenticate + # against the keys in the calling user's ~/.ssh/authorized_keys. + # This is useful for "sudo" on password-less remote systems. + sshAgentAuth ? false , # If set, use ConsoleKit's PAM connector module to claim # ownership of audio devices etc. ownDevices ? false 
@@ -70,16 +74,17 @@ let # Authentication management. ${optionalString rootOK "auth sufficient pam_rootok.so"} + ${optionalString (config.security.pam.enableSSHAgentAuth && sshAgentAuth) + "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"} ${optionalString usbAuth - "auth sufficient ${pam_usb}/lib/security/pam_usb.so"} - auth sufficient pam_unix.so ${ - optionalString allowNullPassword "nullok"} likeauth + "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} + auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth ${optionalString config.users.ldap.enable "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} - ${optionalString config.krb5.enable -''auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass -auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass -auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass + ${optionalString config.krb5.enable '' + auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass + auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass + auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass ''} auth required pam_deny.so @@ -184,6 +189,17 @@ in ''; }; + security.pam.enableSSHAgentAuth = mkOption { + default = false; + description = + '' + Enable sudo logins if the user's SSH agent provides a key + present in ~/.ssh/authorized_keys. + This allows machines to exclusively use SSH keys instead of + passwords. + ''; + }; + }; @@ -216,9 +232,11 @@ in [ { name = "cups"; } { name = "ejabberd"; } { name = "ftp"; } + { name = "i3lock"; } { name = "lshd"; } { name = "samba"; } { name = "sshd"; } + { name = "vlock"; } { name = "xlock"; } ]; 
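Review bot: The added `pam_ssh_agent_auth` entry is one ~180-character string while the `krb5` block right below it shows the file's convention of a multi-line `''…''` body; for readability write it as `${optionalString (config.security.pam.enableSSHAgentAuth && sshAgentAuth) ''` / `  auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys` / `''}`. Its position is security-relevant and deserves a comment: the line is `sufficient` and precedes `pam_unix.so`, so when both flags are on an agent-held key matching `~/.ssh/authorized_keys` satisfies authentication with no password prompt; suggest `# An agent-held key matching authorized_keys satisfies auth on its own (no password).` above it. The hunk also switches to `${pkgs.pam_usb}` while `${pam_ldap}`, `${pam_krb5}` and `${pam_ccreds}` still come from the `inherit`; either style works, but mixing both in one stack is confusing.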
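Review bot: `security.pam.enableSSHAgentAuth` declares no `type`, unlike the options this commit adds in swap.nix, so a non-boolean value would only surface at the `&&` in the auth stack; add `type = types.bool;` (`with pkgs.lib;` is in scope in this file). The same omission applies to `ipv4Only` in bind.nix and `cleanTmpDir` in stage-2.nix (the latter would need `pkgs.lib.types.bool`). The description should also state what the option gates: it activates the module only for PAM services declared with `sshAgentAuth = true` (currently just `sudo`, set in sudo.nix), and any agent reachable through `SSH_AUTH_SOCK` — including one forwarded from another host — counts, so operators know which keys become root-capable.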
diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix index 3f01633d67ad..76c325d8d8f6 100644 --- a/modules/security/sudo.nix +++ b/modules/security/sudo.nix @@ -30,13 +30,16 @@ in # configuration will fail to build. default = '' - # Don't edit this file. Set nixos option security.sudo.configFile instead + # Don't edit this file. Set the NixOS option ‘security.sudo.configFile’ instead. - # env vars to keep for root and %wheel also if not explicitly set + # Environment variables to keep for root and %wheel. Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE Defaults:root,%wheel env_keep+=NIX_PATH Defaults:root,%wheel env_keep+=TERMINFO_DIRS + # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. + Defaults env_keep+=SSH_AUTH_SOCK + # "root" is allowed to do anything. root ALL=(ALL) SETENV: ALL @@ -60,15 +63,13 @@ in environment.systemPackages = [ sudo ]; - security.pam.services = [ { name = "sudo"; } ]; + security.pam.services = [ { name = "sudo"; sshAgentAuth = true; } ]; environment.etc = singleton - { source = pkgs.runCommand "sudoers" - { src = pkgs.writeText "sudoers-in" cfg.configFile; } + { source = pkgs.writeText "sudoers-in" cfg.configFile; # Make sure that the sudoers file is syntactically valid. # (currently disabled - NIXOS-66) #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out"; - "cp $src $out"; target = "sudoers"; mode = "0440"; }; diff --git a/modules/services/mail/dovecot2.nix b/modules/services/mail/dovecot2.nix index c7ae59afa203..c5f5da41d317 100644 --- a/modules/services/mail/dovecot2.nix +++ b/modules/services/mail/dovecot2.nix @@ -25,7 +25,7 @@ let + '' default_internal_user = ${cfg.user} - mail_location = maildir:/var/spool/mail/%u + mail_location = ${cfg.mailLocation} maildir_copy_with_hardlinks = yes 
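Review bot: `Defaults env_keep+=SSH_AUTH_SOCK` is unconditional and unscoped, whereas the three lines above it are limited to `Defaults:root,%wheel`, so every sudo invocation now passes the caller's agent socket path to the target command even when `security.pam.enableSSHAgentAuth` stays at its default `false`. Since the default is a Nix string and `pkgs.lib` appears to be in scope here (the second hunk uses `singleton`), it could be gated: `${optionalString config.security.pam.enableSSHAgentAuth "Defaults env_keep+=SSH_AUTH_SOCK"}`. Either way the comment `# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.` should spell out the consequence rather than call it magic: `# Keep SSH_AUTH_SOCK so pam_ssh_agent_auth.so can reach the caller's agent during authentication; the resulting root session inherits access to that agent too.`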
@@ -76,6 +76,14 @@ in description = "Dovecot group name."; }; + mailLocation = mkOption { + default = "maildir:/var/spool/mail/%u"; /* Same as inbox, as postfix */ + example = "maildir:~/mail:INBOX=/var/spool/mail/%u"; + description = '' + Location that dovecot will use for mail folders. Dovecot mail_location option. + ''; + }; + sslServerCert = mkOption { default = ""; description = "Server certificate"; diff --git a/modules/services/mail/postfix.nix b/modules/services/mail/postfix.nix index d4314236a9b4..842427f6d059 100644 --- a/modules/services/mail/postfix.nix +++ b/modules/services/mail/postfix.nix @@ -307,7 +307,7 @@ in # accurate way is unlikely to be better. { description = "Postfix mail server"; - startOn = "started networking"; + startOn = "started networking and filesystem"; daemonType = "none"; diff --git a/modules/services/networking/avahi-daemon.nix b/modules/services/networking/avahi-daemon.nix index 81432d34864b..791109dcda2b 100644 --- a/modules/services/networking/avahi-daemon.nix +++ b/modules/services/networking/avahi-daemon.nix @@ -44,7 +44,7 @@ in }; hostName = mkOption { - default = config.networking.hostName; + type = types.uniq types.string; description = ''Host name advertised on the LAN.''; }; @@ -93,6 +93,8 @@ in config = mkIf cfg.enable { + services.avahi.hostName = mkDefault config.networking.hostName; + users.extraUsers = singleton { name = "avahi"; uid = config.ids.uids.avahi; diff --git a/modules/services/networking/bind.nix b/modules/services/networking/bind.nix index 19619f0383f9..1e04b354939b 100644 --- a/modules/services/networking/bind.nix +++ b/modules/services/networking/bind.nix @@ -78,6 +78,13 @@ in "; }; + ipv4Only = mkOption { + default = false; + description = " + Only use ipv4, even if the host supports ipv6 + "; + }; + zones = mkOption { default = []; description = " 
@@ -121,7 +128,7 @@ in ${pkgs.coreutils}/bin/mkdir -p /var/run/named ''; - exec = "${pkgs.bind}/sbin/named -c ${cfg.configFile} -f"; + exec = "${pkgs.bind}/sbin/named ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; }; }; diff --git a/modules/services/networking/cntlm.nix b/modules/services/networking/cntlm.nix index a79f7c21d7c2..bfe7209b991f 100644 --- a/modules/services/networking/cntlm.nix +++ b/modules/services/networking/cntlm.nix @@ -13,7 +13,7 @@ in options = { - services.cntlm= { + services.cntlm = { enable = mkOption { default = false; @@ -39,9 +39,9 @@ in }; netbios_hostname = mkOption { - default = config.networking.hostName; + type = types.uniq types.string; description = '' - The hostname of your workstation. + The hostname of your machine. ''; }; @@ -73,28 +73,28 @@ in ###### implementation config = mkIf config.services.cntlm.enable { + + services.cntlm.netbios_hostname = mkDefault config.networking.hostName; + users.extraUsers = singleton { - name = "cntlm"; - description = "cntlm system-wide daemon"; - home = "/var/empty"; + name = "cntlm"; + description = "cntlm system-wide daemon"; + home = "/var/empty"; }; - jobs.cntlm = { - description = "cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy."; + jobs.cntlm = + { description = "CNTLM is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy"; + startOn = "started network-interfaces"; - environment = { - }; - preStart = '' ''; + daemonType = "fork"; - daemonType = "fork"; - - exec = - '' - ${pkgs.cntlm}/bin/cntlm -U cntlm \ - -c ${pkgs.writeText "cntlm_config" cfg.extraConfig} - ''; - }; + exec = + '' + ${pkgs.cntlm}/bin/cntlm -U cntlm \ + -c ${pkgs.writeText "cntlm_config" cfg.extraConfig} + ''; + }; services.cntlm.extraConfig = '' @@ -109,5 +109,7 @@ in Listen ${toString port} '') cfg.port} ''; + }; + } diff --git a/modules/services/networking/prayer.nix b/modules/services/networking/prayer.nix index 0424a252087c..fb541bf101ae 100644 
--- a/modules/services/networking/prayer.nix +++ b/modules/services/networking/prayer.nix @@ -26,7 +26,9 @@ let ''; prayerCfg = pkgs.runCommand "prayer.cf" { } '' - cat ${prayer}/etc/prayer.cf ${prayerExtraCfg} > $out + # We have to remove the http_port 80, or it will start a server there + cat ${prayer}/etc/prayer.cf | grep -v http_port > $out + cat ${prayerExtraCfg} >> $out ''; in diff --git a/modules/services/scheduling/fcron.nix b/modules/services/scheduling/fcron.nix index 1dbaefdd7190..6d274bf59732 100644 --- a/modules/services/scheduling/fcron.nix +++ b/modules/services/scheduling/fcron.nix @@ -101,7 +101,7 @@ in jobs.fcron = { description = "fcron daemon"; - startOn = "startup"; + startOn = "startup and filesystem"; environment = { PATH = "/var/run/current-system/sw/bin"; @@ -114,7 +114,9 @@ in ${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab} ''; - exec = "${pkgs.fcron}/sbin/fcron -f -m ${toString cfg.maxSerialJobs} ${queuelen}"; + daemonType = "fork"; + + exec = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}"; }; }; diff --git a/modules/services/ttys/mingetty.nix b/modules/services/ttys/mingetty.nix index 91a00908385f..85db3f8966e1 100644 --- a/modules/services/ttys/mingetty.nix +++ b/modules/services/ttys/mingetty.nix @@ -31,7 +31,7 @@ with pkgs.lib; }; greetingLine = mkOption { - default = ''<<< Welcome to NixOS ${config.system.nixosVersion} (\m) - \s \r (\l) >>>''; + default = ''<<< Welcome to NixOS ${config.system.nixosVersion} (\m) - \l >>>''; description = '' Welcome line printed by mingetty. ''; diff --git a/modules/system/boot/stage-2-init.sh b/modules/system/boot/stage-2-init.sh index 33d0a6ad3e81..9e0ed028d5dd 100644 --- a/modules/system/boot/stage-2-init.sh +++ b/modules/system/boot/stage-2-init.sh 
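Review bot: `grep -v http_port` drops every line containing that substring anywhere — comment lines and any option whose name merely contains it — and the `cat … |` in front of it is redundant; `grep -v '^http_port' ${prayer}/etc/prayer.cf > $out` (or a `\<http_port\>` word match if the key may be indented in the stock file) is more precise. Inside the builder the pipeline also masks a failing `cat`, which the direct invocation avoids.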
@@ -46,6 +46,7 @@ if [ ! -e /proc/1 ]; then mknod -m 0666 /dev/null c 1 3 mknod -m 0644 /dev/urandom c 1 9 # needed for passwd mknod -m 0644 /dev/console c 5 1 + mknod -m 0644 /dev/ptmx c 5 2 # required by upstart mknod -m 0644 /dev/tty1 c 4 1 mknod -m 0644 /dev/ttyS0 c 4 64 mknod -m 0644 /dev/ttyS1 c 4 65 @@ -101,16 +102,18 @@ mkdir -m 0755 -p /etc/nixos rm -rf /var/run /var/lock /var/log/upstart rm -f /etc/resolv.conf -#echo -n "cleaning \`/tmp'..." -#rm -rf --one-file-system /tmp/* -#echo " done" +if test -n "@cleanTmpDir@"; then + echo -n "cleaning \`/tmp'..." + find /tmp -maxdepth 1 -mindepth 1 -print0 | xargs -0r rm -rf --one-file-system + echo " done" +else + # Get rid of ICE locks... + rm -rf /tmp/.ICE-unix +fi - -# Get rid of ICE locks and ensure that it's owned by root. -rm -rf /tmp/.ICE-unix +# ... and ensure that it's owned by root. mkdir -m 1777 /tmp/.ICE-unix - # This is a good time to clean up /nix/var/nix/chroots. Doing an `rm # -rf' on it isn't safe in general because it can contain bind mounts # to /nix/store and other places. But after rebooting these are all diff --git a/modules/system/boot/stage-2.nix b/modules/system/boot/stage-2.nix index c92c29d6aefd..02c061dacde2 100644 --- a/modules/system/boot/stage-2.nix +++ b/modules/system/boot/stage-2.nix @@ -40,6 +40,14 @@ let for the accepted syntax. ''; }; + + cleanTmpDir = pkgs.lib.mkOption { + default = false; + example = true; + description = '' + Delete all files in /tmp/ during boot. + ''; + }; }; }; @@ -51,7 +59,7 @@ let src = ./stage-2-init.sh; shellDebug = "${pkgs.bashInteractive}/bin/bash"; isExecutable = true; - inherit (config.boot) devShmSize runSize; + inherit (config.boot) devShmSize runSize cleanTmpDir; ttyGid = config.ids.gids.tty; upstart = config.system.build.upstart; path = 
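Review bot: `find /tmp -maxdepth 1 -mindepth 1 -print0 | xargs -0r rm -rf --one-file-system` does not protect anything mounted directly below /tmp: `--one-file-system` only skips subdirectories on a filesystem different from the argument's, and here each top-level entry is itself the argument, so a mount point at /tmp/<name> would have its contents removed (the old commented-out `rm -rf --one-file-system /tmp/*` had the same gap). If mounts under /tmp are possible at this point of boot, `find /tmp -xdev -mindepth 1 -depth -delete` keeps deletion on /tmp's own filesystem, at the cost of an error message for the mount point entry itself. `test -n "@cleanTmpDir@"` relies on Nix rendering `false` as an empty string in the derivation environment; a comment such as `# @cleanTmpDir@ is "1" when boot.cleanTmpDir is set and empty otherwise` saves the next reader a lookup. In the earlier hunk `/dev/ptmx` is created with `-m 0644`, which only matters if these fallback nodes outlive early boot, since unprivileged pty allocation needs 0666.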
@@ -59,7 +67,7 @@ let pkgs.utillinux pkgs.udev pkgs.sysvtools - ]; + ] ++ pkgs.lib.optional config.boot.cleanTmpDir pkgs.findutils; postBootCommands = pkgs.writeText "local-cmds" '' ${config.boot.postBootCommands} diff --git a/modules/tasks/filesystems.nix b/modules/tasks/filesystems.nix index 5848e21688c5..9495cac67855 100644 --- a/modules/tasks/filesystems.nix +++ b/modules/tasks/filesystems.nix @@ -22,7 +22,7 @@ let # Swap devices. ${flip concatMapStrings config.swapDevices (sw: - "${sw.device} none swap\n" + "${sw.device} none swap\n" )} ''; @@ -213,6 +213,17 @@ in ${flip concatMapStrings config.fileSystems (fs: optionalString fs.autocreate '' mkdir -p -m 0755 '${fs.mountPoint}' '')} + + # Create missing swapfiles. + # FIXME: support changing the size of existing swapfiles. + ${flip concatMapStrings config.swapDevices (sw: optionalString (sw.size != null) '' + if [ ! -e "${sw.device}" -a -e "$(dirname "${sw.device}")" ]; then + # FIXME: use ‘fallocate’ on filesystems that support it. + dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size} + mkswap ${sw.device} + fi + '')} + ''; daemonType = "daemon"; diff --git a/modules/virtualisation/virtualbox-guest.nix b/modules/virtualisation/virtualbox-guest.nix index abfd63715577..8e09d79e3a48 100644 --- a/modules/virtualisation/virtualbox-guest.nix +++ b/modules/virtualisation/virtualbox-guest.nix @@ -11,6 +11,7 @@ let in +if (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) then { ###### interface @@ -72,7 +73,11 @@ in # should restrict this to logged-in users. KERNEL=="vboxuser", OWNER="root", GROUP="root", MODE="0666" ''; - + + # Make the ACPI Shutdown command to do the right thing. + services.acpid.enable = true; + services.acpid.powerEventCommands = "poweroff"; }; } +else {} diff --git a/tests/misc.nix b/tests/misc.nix index 512d087168d5..8501d6a09796 100644 --- a/tests/misc.nix +++ b/tests/misc.nix 
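Review bot: The swapfile is created by `dd` with whatever mode the boot-time umask yields, so it may end up group/world-readable, and swapped-out memory pages would then be readable by any local user; add `chmod 0600 "${sw.device}"` between the `dd` and the `mkswap` (mkswap warns about insecure permissions but does not change them). `mkswap ${sw.device}` should be quoted like the surrounding uses, `mkswap "${sw.device}"`. Because the guard is only `! -e`, a partial file left by an interrupted `dd` is never re-created or formatted on the next boot; checking the size (or the swap signature) rather than mere existence would make the `FIXME` above less of a trap. The enclosing job script continues outside the hunk.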
@@ -4,7 +4,11 @@ { - machine = { config, pkgs, ... }: { }; + machine = + { config, pkgs, ... }: + { swapDevices = pkgs.lib.mkOverride 0 + [ { device = "/root/swapfile"; size = 128; } ]; + }; testScript = '' @@ -23,6 +27,12 @@ subtest "gmp", sub { $machine->succeed("expr 1 + 2"); }; + + # Test that the swap file got created. + subtest "swapfile", sub { + $machine->waitUntilSucceeds("cat /proc/swaps | grep /root/swapfile"); + $machine->succeed("ls -l /root/swapfile | grep 134217728"); + }; ''; }