From 593eb83343ebce6fd26fb3c628571fb5d3870730 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 6 Jun 2012 15:23:20 +0000 Subject: [PATCH 01/25] * Typo. svn path=/nixos/trunk/; revision=34369 --- modules/programs/shadow.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix index 8af94c48cce7..3a348818a97c 100644 --- a/modules/programs/shadow.nix +++ b/modules/programs/shadow.nix @@ -37,7 +37,7 @@ in users.defaultUserShell = pkgs.lib.mkOption { default = "/var/run/current-system/sw/bin/bash"; description = '' - This option defined the default shell assigned to user + This option defines the default shell assigned to user accounts. This must not be a store path, since the path is used outside the store (in particular in /etc/passwd). Rather, it should be the path of a symlink that points to the From 6aa4120f3abd71d98d61891e43ffc6553202807e Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 6 Jun 2012 23:14:57 +0000 Subject: [PATCH 02/25] * Shorten the greeting line to make it fit on a 80-character terminal again by removing the kernel version. svn path=/nixos/trunk/; revision=34376 --- modules/services/ttys/mingetty.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/ttys/mingetty.nix b/modules/services/ttys/mingetty.nix index 91a00908385f..85db3f8966e1 100644 --- a/modules/services/ttys/mingetty.nix +++ b/modules/services/ttys/mingetty.nix @@ -31,7 +31,7 @@ with pkgs.lib; }; greetingLine = mkOption { - default = ''<<< Welcome to NixOS ${config.system.nixosVersion} (\m) - \s \r (\l) >>>''; + default = ''<<< Welcome to NixOS ${config.system.nixosVersion} (\m) - \l >>>''; description = '' Welcome line printed by mingetty. ''; From 87e06b97a338bbf16fbebe742dbdfdfe103cc9b3 Mon Sep 17 00:00:00 2001 
From: Eelco Dolstra Date: Fri, 8 Jun 2012 14:29:31 +0000 Subject: [PATCH 03/25] * Don't include the hostname in option default values. Default values are included in the manual, so this causes a different manual to be built for each machine. * Clean up indentation of cntlm module. svn path=/nixos/trunk/; revision=34387 --- modules/services/networking/avahi-daemon.nix | 4 +- modules/services/networking/cntlm.nix | 40 ++++++++++---------- 2 files changed, 24 insertions(+), 20 deletions(-) diff --git a/modules/services/networking/avahi-daemon.nix b/modules/services/networking/avahi-daemon.nix index 81432d34864b..791109dcda2b 100644 --- a/modules/services/networking/avahi-daemon.nix +++ b/modules/services/networking/avahi-daemon.nix @@ -44,7 +44,7 @@ in }; hostName = mkOption { - default = config.networking.hostName; + type = types.uniq types.string; description = ''Host name advertised on the LAN.''; }; @@ -93,6 +93,8 @@ in config = mkIf cfg.enable { + services.avahi.hostName = mkDefault config.networking.hostName; + users.extraUsers = singleton { name = "avahi"; uid = config.ids.uids.avahi; diff --git a/modules/services/networking/cntlm.nix b/modules/services/networking/cntlm.nix index a79f7c21d7c2..bfe7209b991f 100644 --- a/modules/services/networking/cntlm.nix +++ b/modules/services/networking/cntlm.nix @@ -13,7 +13,7 @@ in options = { - services.cntlm= { + services.cntlm = { enable = mkOption { default = false; @@ -39,9 +39,9 @@ in }; netbios_hostname = mkOption { - default = config.networking.hostName; + type = types.uniq types.string; description = '' - The hostname of your workstation. + The hostname of your machine. ''; }; 
@@ -73,28 +73,28 @@ in ###### implementation config = mkIf config.services.cntlm.enable { + + services.cntlm.netbios_hostname = mkDefault config.networking.hostName; + users.extraUsers = singleton { - name = "cntlm"; - description = "cntlm system-wide daemon"; - home = "/var/empty"; + name = "cntlm"; + description = "cntlm system-wide daemon"; + home = "/var/empty"; }; - jobs.cntlm = { - description = "cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy."; + jobs.cntlm = + { description = "CNTLM is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy"; + startOn = "started network-interfaces"; - environment = { - }; - preStart = '' ''; + daemonType = "fork"; - daemonType = "fork"; - - exec = - '' - ${pkgs.cntlm}/bin/cntlm -U cntlm \ - -c ${pkgs.writeText "cntlm_config" cfg.extraConfig} - ''; - }; + exec = + '' + ${pkgs.cntlm}/bin/cntlm -U cntlm \ + -c ${pkgs.writeText "cntlm_config" cfg.extraConfig} + ''; + }; services.cntlm.extraConfig = '' @@ -109,5 +109,7 @@ in Listen ${toString port} '') cfg.port} ''; + }; + } From 825a84c8f61102dc7662310d6ba9dd8f213f05b8 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 8 Jun 2012 20:59:26 +0000 Subject: [PATCH 04/25] * Fix generated module links in the manual to point to GitHub. * Use instead of /etc/nixos/... svn path=/nixos/trunk/; revision=34391 --- doc/manual/options-to-docbook.xsl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/manual/options-to-docbook.xsl b/doc/manual/options-to-docbook.xsl index 660ba6208b3f..ce942d574309 100644 --- a/doc/manual/options-to-docbook.xsl +++ b/doc/manual/options-to-docbook.xsl @@ -156,7 +156,7 @@ or to the local filesystem. --> - https://nixos.org/viewvc/nix/nixos/trunk/modules/?revision= + https://github.com/NixOS/nixos/blob//modules/ file:// @@ -166,8 +166,8 @@ /nix/store/ prefix by the default location of nixos sources. --> - - /etc/nixos/nixos/modules/ + + <nixos/modules/> 
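Review bot: The re-indented `exec` still passes `${pkgs.writeText "cntlm_config" cfg.extraConfig}`, which writes the complete cntlm configuration into /nix/store, where every local user can read it. cntlm's configuration is normally where the NTLM proxy username and password live, so a deployment that puts them in `extraConfig` makes them world-readable; the hunk does not change that, but it is the natural place to say so. I would add above the line `# NOTE: extraConfig ends up in the world-readable Nix store; keep proxy credentials out of it.` and repeat the warning in the `extraConfig` option description, whose definition is outside this hunk.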
From ef15fa63c8de95a34fbdccff451c95c048d6c0c5 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 8 Jun 2012 21:10:11 +0000 Subject: [PATCH 05/25] * Ad-hockery to support the Charon manual. svn path=/nixos/trunk/; revision=34392 --- doc/manual/options-to-docbook.xsl | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/manual/options-to-docbook.xsl b/doc/manual/options-to-docbook.xsl index ce942d574309..0584081fef18 100644 --- a/doc/manual/options-to-docbook.xsl +++ b/doc/manual/options-to-docbook.xsl @@ -158,6 +158,9 @@ https://github.com/NixOS/nixos/blob//modules/ + + https://github.com/NixOS/charon/blob//nix/ + file:// @@ -169,6 +172,9 @@ <nixos/modules/> + + <charon/> + From c539224a846516d6ab7628ccb6bd4b7afe67a22f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 10 Jun 2012 14:36:16 +0000 Subject: [PATCH 06/25] Postfix was started before all filesystems were mounted. I add 'filesystem' to startOn. svn path=/nixos/trunk/; revision=34416 --- modules/services/mail/postfix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/mail/postfix.nix b/modules/services/mail/postfix.nix index d4314236a9b4..842427f6d059 100644 --- a/modules/services/mail/postfix.nix +++ b/modules/services/mail/postfix.nix @@ -307,7 +307,7 @@ in # accurate way is unlikely to be better. { description = "Postfix mail server"; - startOn = "started networking"; + startOn = "started networking and filesystem"; daemonType = "none"; From 31f30722d6ccad96eee50f485db2d1f13888677a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 10 Jun 2012 14:45:30 +0000 Subject: [PATCH 07/25] Small comment fix on the system-tarball-sheevaplug. svn path=/nixos/trunk/; revision=34418 --- modules/installer/cd-dvd/system-tarball-sheevaplug.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/modules/installer/cd-dvd/system-tarball-sheevaplug.nix b/modules/installer/cd-dvd/system-tarball-sheevaplug.nix index 381223a078b1..24e7a0063149 100644 --- a/modules/installer/cd-dvd/system-tarball-sheevaplug.nix +++ b/modules/installer/cd-dvd/system-tarball-sheevaplug.nix @@ -1,5 +1,5 @@ # This module contains the basic configuration for building a NixOS -# installation CD. +# tarball for the sheevaplug. { config, pkgs, ... }: @@ -87,6 +87,7 @@ in pkgs.bvi # binary editor pkgs.joe ]; +*/ boot.loader.grub.enable = false; boot.loader.generationsDir.enable = false; From 78333e5d845cfb71a5fdb329c39e06ba12b85f78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 10 Jun 2012 14:50:44 +0000 Subject: [PATCH 08/25] Add a 'named' option to run only for ipv4. I remember the 'named' log was giving annoying messages on systems not ipv6 capable (I can't recall if lacking the kernel ipv6 code or unconfigured ipv6 addresses). svn path=/nixos/trunk/; revision=34419 --- modules/services/networking/bind.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/services/networking/bind.nix b/modules/services/networking/bind.nix index 19619f0383f9..1e04b354939b 100644 --- a/modules/services/networking/bind.nix +++ b/modules/services/networking/bind.nix @@ -78,6 +78,13 @@ in "; }; + ipv4Only = mkOption { + default = false; + description = " + Only use ipv4, even if the host supports ipv6 + "; + }; + zones = mkOption { default = []; description = " @@ -121,7 +128,7 @@ in ${pkgs.coreutils}/bin/mkdir -p /var/run/named ''; - exec = "${pkgs.bind}/sbin/named -c ${cfg.configFile} -f"; + exec = "${pkgs.bind}/sbin/named ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; }; }; From 9b833aafb974b26bde7636a3f827fcade8b4e7ec Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 10 Jun 2012 14:51:43 +0000 Subject: [PATCH 09/25] Fix prayer so it does not start a server at port 80. svn path=/nixos/trunk/; revision=34420 --- modules/services/networking/prayer.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/services/networking/prayer.nix b/modules/services/networking/prayer.nix index 0424a252087c..fb541bf101ae 100644 --- a/modules/services/networking/prayer.nix +++ b/modules/services/networking/prayer.nix @@ -26,7 +26,9 @@ let ''; prayerCfg = pkgs.runCommand "prayer.cf" { } '' - cat ${prayer}/etc/prayer.cf ${prayerExtraCfg} > $out + # We have to remove the http_port 80, or it will start a server there + cat ${prayer}/etc/prayer.cf | grep -v http_port > $out + cat ${prayerExtraCfg} >> $out ''; in From 6824f1e0822a8b2e4af949dac49a0ea8580998e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 10 Jun 2012 15:07:25 +0000 Subject: [PATCH 10/25] Making the dovecot2 mail location a nixos option. svn path=/nixos/trunk/; revision=34421 --- modules/services/mail/dovecot2.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/services/mail/dovecot2.nix b/modules/services/mail/dovecot2.nix index c7ae59afa203..c5f5da41d317 100644 --- a/modules/services/mail/dovecot2.nix +++ b/modules/services/mail/dovecot2.nix @@ -25,7 +25,7 @@ let + '' default_internal_user = ${cfg.user} - mail_location = maildir:/var/spool/mail/%u + mail_location = ${cfg.mailLocation} maildir_copy_with_hardlinks = yes @@ -76,6 +76,14 @@ in description = "Dovecot group name."; }; + mailLocation = mkOption { + default = "maildir:/var/spool/mail/%u"; /* Same as inbox, as postfix */ + example = "maildir:~/mail:INBOX=/var/spool/mail/%u"; + description = '' + Location that dovecot will use for mail folders. Dovecot mail_location option. + ''; + }; + sslServerCert = mkOption { default = ""; description = "Server certificate"; 
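Review bot: `grep -v http_port` in the new prayerCfg drops every line containing that substring, not only the `http_port 80` directive the comment describes, so a comment line or any other directive whose name embeds `http_port` in the upstream prayer.cf disappears as well. If the intent is to remove just the directive, anchor the pattern: `grep -v '^[[:space:]]*http_port' ${prayer}/etc/prayer.cf > $out`, which also removes the `cat |` pipe. If `prayerExtraCfg` is what supplies the replacement port, the comment should say so, since that definition is outside the hunk.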
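Review bot: The new `mailLocation` option in dovecot2.nix declares no `type`, while the options this series touches elsewhere (avahi `hostName`, cntlm `netbios_hostname`) add `type = types.uniq types.string;`; adding the same line here keeps the modules consistent and rejects a list or null being merged in (assuming `types` is in scope the way `mkOption` is). The value is spliced verbatim into the generated config as `mail_location = ${cfg.mailLocation}` in the first hunk of this file, so the description could mention that it is passed through unescaped. The `/* Same as inbox, as postfix */` block comment inside the attribute set is unusual for this file; a `#` line comment above `default` reads more naturally.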
From 3d2ed1906764abf42f544444d628907233513830 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 10 Jun 2012 15:14:16 +0000 Subject: [PATCH 11/25] Making fcron use the daemonType=fork, instead of foreground. This way logrotate does not have to handle it appart. svn path=/nixos/trunk/; revision=34422 --- modules/services/scheduling/fcron.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/services/scheduling/fcron.nix b/modules/services/scheduling/fcron.nix index 1dbaefdd7190..6d274bf59732 100644 --- a/modules/services/scheduling/fcron.nix +++ b/modules/services/scheduling/fcron.nix @@ -101,7 +101,7 @@ in jobs.fcron = { description = "fcron daemon"; - startOn = "startup"; + startOn = "startup and filesystem"; environment = { PATH = "/var/run/current-system/sw/bin"; @@ -114,7 +114,9 @@ in ${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab} ''; - exec = "${pkgs.fcron}/sbin/fcron -f -m ${toString cfg.maxSerialJobs} ${queuelen}"; + daemonType = "fork"; + + exec = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}"; }; }; From 9125d3af50ba58b903f31e67d1d24c04c32a7f2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 10 Jun 2012 22:37:20 +0000 Subject: [PATCH 12/25] Adding creation of /dev/ptmx in stage-2, in case stage-1 did not run. Upstart requires /dev/ptmx since its 1.4, and will lock up in case of it missing. I was hitting this in the fuloong, where I don't use the nixos initrd. svn path=/nixos/trunk/; revision=34429 --- modules/system/boot/stage-2-init.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/system/boot/stage-2-init.sh b/modules/system/boot/stage-2-init.sh index bd48f463dcd6..f02149ced750 100644 --- a/modules/system/boot/stage-2-init.sh +++ b/modules/system/boot/stage-2-init.sh 
@@ -46,6 +46,7 @@ if [ ! -e /proc/1 ]; then mknod -m 0666 /dev/null c 1 3 mknod -m 0644 /dev/urandom c 1 9 # needed for passwd mknod -m 0644 /dev/console c 5 1 + mknod -m 0644 /dev/ptmx c 5 2 # required by upstart mknod -m 0644 /dev/tty1 c 4 1 mknod -m 0644 /dev/ttyS0 c 4 64 mknod -m 0644 /dev/ttyS1 c 4 65 From fbf53168f3dc640d63a67f8f7d46d86439979193 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 11 Jun 2012 07:05:11 +0000 Subject: [PATCH 13/25] Add new option config.boot.cleanTmpDir. This option is to control if the user wants to have its /tmp directory cleaned up during system boot. svn path=/nixos/trunk/; revision=34432 --- modules/system/boot/stage-2.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/system/boot/stage-2.nix b/modules/system/boot/stage-2.nix index c92c29d6aefd..d1a4e81ce2ca 100644 --- a/modules/system/boot/stage-2.nix +++ b/modules/system/boot/stage-2.nix @@ -40,6 +40,14 @@ let for the accepted syntax. ''; }; + + cleanTmpDir = pkgs.lib.mkOption { + default = false; + example = true; + description = '' + Delete all files in /tmp/ during boot. + ''; + }; }; }; @@ -51,7 +59,7 @@ let src = ./stage-2-init.sh; shellDebug = "${pkgs.bashInteractive}/bin/bash"; isExecutable = true; - inherit (config.boot) devShmSize runSize; + inherit (config.boot) devShmSize runSize cleanTmpDir; ttyGid = config.ids.gids.tty; upstart = config.system.build.upstart; path = From 4931188684547230342024c512dca2e82dd84509 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 11 Jun 2012 07:05:13 +0000 Subject: [PATCH 14/25] Integrate cleanTmpDir in stage-2-init.sh. We're using find in order to remove dotfiles, too. svn path=/nixos/trunk/; revision=34433 --- modules/system/boot/stage-2-init.sh | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/modules/system/boot/stage-2-init.sh b/modules/system/boot/stage-2-init.sh index f02149ced750..cc0f8befae85 100644 --- a/modules/system/boot/stage-2-init.sh 
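Review bot: The new `mknod -m 0644 /dev/ptmx c 5 2` creates the pty multiplexer without write permission for non-root users, yet allocating a pseudo-terminal means opening /dev/ptmx read-write, so on a boot that takes this fallback path only root could open terminals until something else (presumably udev, outside this hunk) corrects the mode. The conventional mode is 0666, as already used for /dev/null two lines above: `mknod -m 0666 /dev/ptmx c 5 2 # required by upstart`. The enclosing `if [ ! -e /proc/1 ]` block starts before the hunk.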
+++ b/modules/system/boot/stage-2-init.sh @@ -102,16 +102,18 @@ mkdir -m 0755 -p /etc/nixos rm -rf /var/run /var/lock /var/log/upstart rm -f /etc/resolv.conf -#echo -n "cleaning \`/tmp'..." -#rm -rf --one-file-system /tmp/* -#echo " done" +if test -n "@cleanTmpDir@"; then + echo -n "cleaning \`/tmp'..." + find /tmp -maxdepth 1 -mindepth 1 -print0 | xargs -0r rm -rf --one-file-system + echo " done" +else + # Get rid of ICE locks... + rm -rf /tmp/.ICE-unix +fi - -# Get rid of ICE locks and ensure that it's owned by root. -rm -rf /tmp/.ICE-unix +# ... and ensure that it's owned by root. mkdir -m 1777 /tmp/.ICE-unix - # This is a good time to clean up /nix/var/nix/chroots. Doing an `rm # -rf' on it isn't safe in general because it can contain bind mounts # to /nix/store and other places. But after rebooting these are all From 25155a02e608fc8a12b75ce82dce147cb7bb8280 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 11 Jun 2012 07:05:15 +0000 Subject: [PATCH 15/25] Add findutils dependency for /tmp cleaning. This dependency is only added if the setting is activated. svn path=/nixos/trunk/; revision=34434 --- modules/system/boot/stage-2.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/boot/stage-2.nix b/modules/system/boot/stage-2.nix index d1a4e81ce2ca..02c061dacde2 100644 --- a/modules/system/boot/stage-2.nix +++ b/modules/system/boot/stage-2.nix @@ -67,7 +67,7 @@ let pkgs.utillinux pkgs.udev pkgs.sysvtools - ]; + ] ++ pkgs.lib.optional config.boot.cleanTmpDir pkgs.findutils; postBootCommands = pkgs.writeText "local-cmds" '' ${config.boot.postBootCommands} From 4c54fcaf4567304696c4a26792dc8c1bc62b26ab Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 11 Jun 2012 07:10:25 +0000 Subject: [PATCH 16/25] pam security for i3lock svn path=/nixos/trunk/; revision=34435 --- modules/security/pam.nix | 1 + 1 file changed, 1 insertion(+) 
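Review bot: `if test -n "@cleanTmpDir@"` depends on how the Nix boolean is rendered into the script — it only works if `false` becomes the empty string and `true` something non-empty — and nothing in the hunk records that; a comment such as `# @cleanTmpDir@ is substituted as "" for false and "1" for true` (confirm against the substitution in stage-2.nix) would save the next reader a detour. Separately, `--one-file-system` only stops `rm` from crossing into other filesystems below each argument, so a directory directly under /tmp that is itself a mount point is still emptied; the old `rm -rf --one-file-system /tmp/*` had the same limit, but now that dot-entries are removed too it is worth stating. A one-line comment above the `if` noting that the cleaning branch removes `/tmp/.ICE-unix` as a side effect, which is why the `else` branch does it explicitly, would make the asymmetry look intentional.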
diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 4e50c661460c..edc1c7daac29 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -220,6 +220,7 @@ in { name = "samba"; } { name = "sshd"; } { name = "xlock"; } + { name = "i3lock"; } ]; }; From 5c3593be46618127403d0c6af0a8969f268cd381 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 11 Jun 2012 07:12:39 +0000 Subject: [PATCH 17/25] Add PAM configuration for vlock. svn path=/nixos/trunk/; revision=34436 --- modules/security/pam.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index edc1c7daac29..e59d132e0bcb 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -220,6 +220,7 @@ in { name = "samba"; } { name = "sshd"; } { name = "xlock"; } + { name = "vlock"; } { name = "i3lock"; } ]; From 51b5da4023cbb5978933ae6024d416c9735010dd Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 11 Jun 2012 07:12:41 +0000 Subject: [PATCH 18/25] modules/security/pam.nix: sort security.pam.services alphabetically svn path=/nixos/trunk/; revision=34437 --- modules/security/pam.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index e59d132e0bcb..f5cb453ef084 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -216,12 +216,12 @@ in [ { name = "cups"; } { name = "ejabberd"; } { name = "ftp"; } + { name = "i3lock"; } { name = "lshd"; } { name = "samba"; } { name = "sshd"; } - { name = "xlock"; } { name = "vlock"; } - { name = "i3lock"; } + { name = "xlock"; } ]; }; From a257bf78cb452c483f7aaff50e010e0bb4e9b5f6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Mon, 11 Jun 2012 17:31:03 +0000 Subject: [PATCH 19/25] Making the virtualbox-guest module be evaluated only in i686 and x86_64. On mips, an assertion in the nixpkgs virtualbox was failing. svn path=/nixos/trunk/; revision=34464 --- modules/virtualisation/virtualbox-guest.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/virtualisation/virtualbox-guest.nix b/modules/virtualisation/virtualbox-guest.nix index abfd63715577..d0935d9a052c 100644 --- a/modules/virtualisation/virtualbox-guest.nix +++ b/modules/virtualisation/virtualbox-guest.nix @@ -11,6 +11,7 @@ let in +if (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) then { ###### interface @@ -76,3 +77,4 @@ in }; } +else {} From a3118792a52779024e38100799a2de5c263a740a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 11 Jun 2012 22:37:55 +0000 Subject: [PATCH 20/25] * Make the ACPI Shutdown command in VirtualBox to do the right thing. svn path=/nixos/trunk/; revision=34473 --- modules/virtualisation/virtualbox-guest.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/virtualisation/virtualbox-guest.nix b/modules/virtualisation/virtualbox-guest.nix index d0935d9a052c..8e09d79e3a48 100644 --- a/modules/virtualisation/virtualbox-guest.nix +++ b/modules/virtualisation/virtualbox-guest.nix @@ -73,7 +73,10 @@ if (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) then # should restrict this to logged-in users. KERNEL=="vboxuser", OWNER="root", GROUP="root", MODE="0666" ''; - + + # Make the ACPI Shutdown command to do the right thing. + services.acpid.enable = true; + services.acpid.powerEventCommands = "poweroff"; }; } From 03653d43eb29a840cc7a4c7da6ee3914bb8125c3 Mon Sep 17 00:00:00 2001 
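Review bot: Wrapping the whole module in `if (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) then { … } else {}` makes its options cease to exist on other platforms, so a configuration that sets any of them fails evaluation there with an undefined-option error rather than a message about platform support. If the aim is only to avoid forcing the virtualbox derivation, guarding the `config` part with `mkIf` while keeping the options declared is the usual shape and may be enough to sidestep the nixpkgs assertion the commit message mentions; if dropping the options is deliberate, a comment on the `if` line saying so would keep a later reader from "fixing" it. The module body between the two hunks is outside this view.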
From: Eelco Dolstra Date: Mon, 11 Jun 2012 22:41:07 +0000 Subject: [PATCH 21/25] * Add support for sudo authentication using the SSH agent. This allows password-less servers. svn path=/nixos/trunk/; revision=34474 --- modules/security/pam.nix | 32 ++++++++++++++++++++++++-------- modules/security/sudo.nix | 13 +++++++------ 2 files changed, 31 insertions(+), 14 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index f5cb453ef084..963aef55999d 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -7,7 +7,7 @@ with pkgs.lib; let - inherit (pkgs) pam_usb pam_ldap pam_krb5 pam_ccreds; + inherit (pkgs) pam_ldap pam_krb5 pam_ccreds; otherService = pkgs.writeText "other.pam" '' @@ -37,6 +37,10 @@ let , # If set, user listed in /etc/pamusb.conf are able to log in with # the associated usb key. usbAuth ? config.security.pam.usb.enable + , # If set, the calling user's SSH agent is used to authenticate + # against the keys in the calling user's ~/.ssh/authorized_keys. + # This is useful for "sudo" on password-less remote systems. + sshAgentAuth ? false , # If set, use ConsoleKit's PAM connector module to claim # ownership of audio devices etc. ownDevices ? false 
@@ -70,16 +74,17 @@ let # Authentication management. ${optionalString rootOK "auth sufficient pam_rootok.so"} + ${optionalString sshAgentAuth + "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"} ${optionalString usbAuth - "auth sufficient ${pam_usb}/lib/security/pam_usb.so"} - auth sufficient pam_unix.so ${ - optionalString allowNullPassword "nullok"} likeauth + "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} + auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth ${optionalString config.users.ldap.enable "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} - ${optionalString config.krb5.enable -''auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass -auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass -auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass + ${optionalString config.krb5.enable '' + auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass + auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass + auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass ''} auth required pam_deny.so @@ -184,6 +189,17 @@ in ''; }; + security.pam.enableSSHAgentAuth = mkOption { + default = false; + description = + '' + Enable sudo logins if the user's SSH agent provides a key + present in ~/.ssh/authorized_keys. + This allows machines to exclusively use SSH keys instead of + passwords. + ''; + }; + }; diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix index 3f01633d67ad..76c325d8d8f6 100644 --- a/modules/security/sudo.nix +++ b/modules/security/sudo.nix 
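Review bot: The new `auth sufficient … pam_ssh_agent_auth.so file=~/.ssh/authorized_keys` line says neither whose home `~` resolves to nor which ownership and permission checks the module applies to that file, and both decide the security of the feature: the keys accepted here are the ones the calling user can add to their own authorized_keys, so any key that can log in as that user can also satisfy sudo. I would put a comment above the line, roughly `# Checks the *calling* user's authorized_keys via the forwarded agent; pam_ssh_agent_auth only accepts the file if it passes its ownership/permission checks (see allow_user_owned_authorized_keys_file in its documentation) — keep that in mind before changing the path.`, with the ownership wording confirmed against the pam_ssh_agent_auth man page since I am quoting it from memory. This entry is `sufficient` and sits before pam_unix, so a matching key bypasses the password entirely; that is the stated intent, and the `sshAgentAuth` parameter comment in the first hunk of this file is the right place to spell it out.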
@@ -30,13 +30,16 @@ in # configuration will fail to build. default = '' - # Don't edit this file. Set nixos option security.sudo.configFile instead + # Don't edit this file. Set the NixOS option ‘security.sudo.configFile’ instead. - # env vars to keep for root and %wheel also if not explicitly set + # Environment variables to keep for root and %wheel. Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE Defaults:root,%wheel env_keep+=NIX_PATH Defaults:root,%wheel env_keep+=TERMINFO_DIRS + # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. + Defaults env_keep+=SSH_AUTH_SOCK + # "root" is allowed to do anything. root ALL=(ALL) SETENV: ALL @@ -60,15 +63,13 @@ in environment.systemPackages = [ sudo ]; - security.pam.services = [ { name = "sudo"; } ]; + security.pam.services = [ { name = "sudo"; sshAgentAuth = true; } ]; environment.etc = singleton - { source = pkgs.runCommand "sudoers" - { src = pkgs.writeText "sudoers-in" cfg.configFile; } + { source = pkgs.writeText "sudoers-in" cfg.configFile; # Make sure that the sudoers file is syntactically valid. # (currently disabled - NIXOS-66) #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out"; - "cp $src $out"; target = "sudoers"; mode = "0440"; }; From 15d44498f9ec7b6481dcc0608a1ef89265c654c2 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 12 Jun 2012 13:41:51 +0000 Subject: [PATCH 22/25] =?UTF-8?q?*=20Add=20a=20=E2=80=98size=E2=80=99=20op?= =?UTF-8?q?tion=20to=20=E2=80=98swapDevices=E2=80=99=20to=20create=20swapf?= =?UTF-8?q?iles=20on=20the=20fly.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit svn path=/nixos/trunk/; revision=34478 --- modules/config/swap.nix | 13 +++++++++++-- modules/tasks/filesystems.nix | 13 ++++++++++++- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/modules/config/swap.nix b/modules/config/swap.nix index 550cd4755af7..f0a6ceeda81c 100644 --- a/modules/config/swap.nix +++ b/modules/config/swap.nix 
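Review bot: `Defaults env_keep+=SSH_AUTH_SOCK` is unconditional and, unlike the `Defaults:root,%wheel` lines above it, applies to every sudo invocation and every target user, so the caller's agent socket path is handed to any command run through sudo even when agent authentication is not in use. Typically only root or the caller can open that socket, so the exposure is limited, but it is still wider than the feature needs; tying the line to the option introduced in pam.nix keeps the two sides in step: `${optionalString config.security.pam.enableSSHAgentAuth "Defaults env_keep+=SSH_AUTH_SOCK"}` (assuming `config` and `optionalString` are in scope in this default, as `singleton` is further down). The second hunk replaces the `runCommand` wrapper with a plain `writeText`, while the context comment at the top of this hunk still ends `# configuration will fail to build.`; since the visudo check is disabled, that sentence now promises a build-time check that does not happen and should be softened.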
@@ -33,13 +33,22 @@ with pkgs.lib; device = mkOption { example = "/dev/sda3"; - type = types.string; + type = types.uniq types.string; description = "Path of the device."; }; label = mkOption { example = "swap"; - type = types.string; + type = types.uniq types.string; + description = '' + Label of the device. Can be used instead of device. + ''; + }; + + size = mkOption { + default = null; + example = "swap"; + type = types.nullOr types.int; description = '' Label of the device. Can be used instead of device. ''; diff --git a/modules/tasks/filesystems.nix b/modules/tasks/filesystems.nix index 5848e21688c5..9495cac67855 100644 --- a/modules/tasks/filesystems.nix +++ b/modules/tasks/filesystems.nix @@ -22,7 +22,7 @@ let # Swap devices. ${flip concatMapStrings config.swapDevices (sw: - "${sw.device} none swap\n" + "${sw.device} none swap\n" )} ''; @@ -213,6 +213,17 @@ in ${flip concatMapStrings config.fileSystems (fs: optionalString fs.autocreate '' mkdir -p -m 0755 '${fs.mountPoint}' '')} + + # Create missing swapfiles. + # FIXME: support changing the size of existing swapfiles. + ${flip concatMapStrings config.swapDevices (sw: optionalString (sw.size != null) '' + if [ ! -e "${sw.device}" -a -e "$(dirname "${sw.device}")" ]; then + # FIXME: use ‘fallocate’ on filesystems that support it. + dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size} + mkswap ${sw.device} + fi + '')} + ''; daemonType = "daemon"; From 97b81d7e6eba687643bfdf377569559960e0158d Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 12 Jun 2012 14:05:11 +0000 Subject: [PATCH 23/25] * Test swapfile creation. svn path=/nixos/trunk/; revision=34479 --- tests/misc.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tests/misc.nix b/tests/misc.nix index 512d087168d5..8501d6a09796 100644 --- a/tests/misc.nix +++ b/tests/misc.nix 
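Review bot: The swapfile produced by `dd if=/dev/zero of="${sw.device}" …` in the filesystems.nix hunk gets whatever mode the boot-time umask yields, and nothing sets it to 0600 before `mkswap`, so a world-readable swapfile would let any local user read pages of other processes' memory once they are swapped out. Create it closed from the start and fix the mode explicitly: `(umask 077; dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size})`, `chmod 0600 "${sw.device}"`, `mkswap "${sw.device}"` — the last line also quotes the path, as the `dd` line and the `-e` tests already do. The enclosing job script starts before this hunk.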
@@ -4,7 +4,11 @@ { - machine = { config, pkgs, ... }: { }; + machine = + { config, pkgs, ... }: + { swapDevices = pkgs.lib.mkOverride 0 + [ { device = "/root/swapfile"; size = 128; } ]; + }; testScript = '' @@ -23,6 +27,12 @@ subtest "gmp", sub { $machine->succeed("expr 1 + 2"); }; + + # Test that the swap file got created. + subtest "swapfile", sub { + $machine->waitUntilSucceeds("cat /proc/swaps | grep /root/swapfile"); + $machine->succeed("ls -l /root/swapfile | grep 134217728"); + }; ''; } From 63517eca1b829fad5b6b42a8a43cf9e508c86eb7 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 12 Jun 2012 20:21:15 +0000 Subject: [PATCH 24/25] * Actually use the security.pam.enableSSHAgentAuth option. http://hydra.nixos.org/build/2698800 svn path=/nixos/trunk/; revision=34483 --- modules/security/pam.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 963aef55999d..4fab7febc710 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -74,7 +74,7 @@ let # Authentication management. ${optionalString rootOK "auth sufficient pam_rootok.so"} - ${optionalString sshAgentAuth + ${optionalString (config.security.pam.enableSSHAgentAuth && sshAgentAuth) "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"} ${optionalString usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} From fd9604b319b66df9a47d639ecac0e5631ac3358a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 13 Jun 2012 03:28:03 +0000 Subject: [PATCH 25/25] * Oops, fix an incomplete commit. svn path=/nixos/trunk/; revision=34488 --- modules/config/swap.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/config/swap.nix b/modules/config/swap.nix index f0a6ceeda81c..163de568d0f7 100644 --- a/modules/config/swap.nix +++ b/modules/config/swap.nix 
@@ -47,10 +47,13 @@ with pkgs.lib; size = mkOption { default = null; - example = "swap"; + example = 2048; type = types.nullOr types.int; description = '' - Label of the device. Can be used instead of device. + If this option is set, ‘device’ is interpreted as the + path of a swapfile that will be created automatically + with the indicated size (in megabytes) if it doesn't + exist. ''; };