nixpkgs/nixos/modules/misc/ids.nix

295 lines
5.8 KiB
Nix
Raw Normal View History

# This module defines the global list of uids and gids. We keep a
# central list to prevent id collisions.
{ config, pkgs, lib, ... }:
{
options = {
ids.uids = lib.mkOption {
2013-10-30 16:37:45 +00:00
internal = true;
description = ''
The user IDs used in NixOS.
'';
};
ids.gids = lib.mkOption {
2013-10-30 16:37:45 +00:00
internal = true;
description = ''
The group IDs used in NixOS.
'';
};
};
config = {
ids.uids = {
root = 0;
nscd = 1;
sshd = 2;
ntp = 3;
messagebus = 4; # D-Bus
haldaemon = 5;
nagios = 6;
vsftpd = 7;
ftp = 8;
bitlbee = 9;
avahi = 10;
atd = 12;
zabbix = 13;
postfix = 14;
dovecot = 15;
tomcat = 16;
pulseaudio = 22; # must match `pulseaudio' GID
gpsd = 23;
polkituser = 28;
uptimed = 29;
ddclient = 30;
davfs2 = 31;
privoxy = 32;
osgi = 34;
tor = 35;
cups = 36;
foldingathome = 37;
sabnzbd = 38;
kdm = 39;
ghostone = 40;
git = 41;
fourstore = 42;
fourstorehttp = 43;
virtuoso = 44;
rtkit = 45;
dovecot2 = 46;
dovenull2 = 47;
unbound = 48;
prayer = 49;
mpd = 50;
clamav = 51;
fprot = 52;
bind = 53;
wwwrun = 54;
spamd = 56;
nslcd = 58;
nginx = 60;
chrony = 61;
smtpd = 63;
smtpq = 64;
supybot = 65;
iodined = 66;
graphite = 68;
statsd = 69;
transmission = 70;
postgres = 71;
smbguest = 74; # unused
varnish = 75;
datadog = 76;
lighttpd = 77;
lightdm = 78;
freenet = 79;
ircd = 80;
bacula = 81;
almir = 82;
deluge = 83;
mysql = 84;
rabbitmq = 85;
activemq = 86;
gnunet = 87;
oidentd = 88;
quassel = 89;
amule = 90;
minidlna = 91;
elasticsearch = 92;
tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
2013-10-02 14:14:35 +01:00
zope2 = 94;
firebird = 95;
redis = 96;
2013-10-29 14:55:25 +00:00
haproxy = 97;
mongodb = 98;
openldap = 99;
memcached = 100;
2014-01-12 23:18:05 +00:00
cgminer = 101;
munin = 102;
logcheck = 103;
nix-ssh = 104;
dictd = 105;
2014-02-27 13:33:30 +00:00
couchdb = 106;
2014-03-07 19:09:59 +00:00
searx = 107;
2014-03-12 07:32:56 +00:00
kippo = 108;
jenkins = 109;
systemd-journal-gateway = 110;
notbit = 111;
2014-03-20 02:04:35 +00:00
ngircd = 112;
btsync = 113;
minecraft = 114;
2014-04-01 18:20:33 +01:00
monetdb = 115;
rippled = 116;
murmur = 117;
foundationdb = 118;
newrelic = 119;
starbound = 120;
hydra = 122;
spiped = 123;
teamspeak = 124;
2014-05-27 21:54:43 +01:00
influxdb = 125;
nsd = 126;
gitolite = 127;
znc = 128;
2014-07-15 15:16:58 +01:00
polipo = 129;
mopidy = 130;
2014-08-05 22:00:30 +01:00
unifi = 131;
gdm = 132;
dhcpd = 133;
2014-07-10 19:08:38 +01:00
siproxd = 134;
2014-07-08 23:43:26 +01:00
mlmmj = 135;
2014-08-16 22:53:26 +01:00
neo4j = 136;
riemann = 137;
riemanndash = 138;
radvd = 139;
2014-08-24 16:43:45 +01:00
zookeeper = 140;
dnsmasq = 141;
2014-09-01 07:53:00 +01:00
uhub = 142;
2014-09-26 09:44:09 +01:00
yandexdisk = 143;
collectd = 144;
consul = 145;
2014-09-26 09:03:29 +01:00
mailpile = 146;
2014-10-07 09:53:01 +01:00
redmine = 147;
2014-10-06 20:25:10 +01:00
seeks = 148;
prosody = 149;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
nixbld = 30000; # start of range of uids
nobody = 65534;
};
ids.gids = {
root = 0;
wheel = 1;
kmem = 2;
tty = 3;
messagebus = 4; # D-Bus
haldaemon = 5;
disk = 6;
vsftpd = 7;
ftp = 8;
bitlbee = 9;
avahi = 10;
atd = 12;
postfix = 13;
postdrop = 14;
dovecot = 15;
audio = 17;
floppy = 18;
uucp = 19;
lp = 20;
tomcat = 21;
pulseaudio = 22; # must match `pulseaudio' UID
gpsd = 23;
cdrom = 24;
tape = 25;
video = 26;
dialout = 27;
#polkituser = 28; # currently unused, polkitd doesn't need a group
utmp = 29;
davfs2 = 31;
privoxy = 32;
disnix = 33;
osgi = 34;
ghostOne = 40;
git = 41;
fourstore = 42;
fourstorehttpd = 43;
virtuoso = 44;
dovecot2 = 46;
prayer = 49;
mpd = 50;
clamav = 51;
fprot = 52;
wwwrun = 54;
adm = 55;
spamd = 56;
networkmanager = 57;
nslcd = 58;
scanner = 59;
nginx = 60;
systemd-journal = 62;
smtpd = 63;
smtpq = 64;
supybot = 65;
iodined = 66;
libvirtd = 67;
graphite = 68;
transmission = 70;
postgres = 71;
vboxusers = 72;
vboxsf = 73;
smbguest = 74; # unused
varnish = 75;
datadog = 76;
lighttpd = 77;
lightdm = 78;
freenet = 79;
ircd = 80;
bacula = 81;
almir = 82;
deluge = 83;
mysql = 84;
rabbitmq = 85;
activemq = 86;
gnunet = 87;
oidentd = 88;
quassel = 89;
amule = 90;
minidlna = 91;
2013-10-29 14:55:25 +00:00
haproxy = 92;
openldap = 93;
connman = 94;
munin = 95;
keys = 96;
dictd = 105;
2014-02-27 13:33:30 +00:00
couchdb = 106;
2014-03-07 19:09:59 +00:00
searx = 107;
2014-03-12 07:32:56 +00:00
kippo = 108;
jenkins = 109;
systemd-journal-gateway = 110;
notbit = 111;
monetdb = 115;
foundationdb = 118;
newrelic = 119;
starbound = 120;
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
grsecurity = 121;
hydra = 122;
spiped = 123;
teamspeak = 124;
2014-05-27 21:54:43 +01:00
influxdb = 125;
nsd = 126;
firebird = 127;
znc = 128;
2014-07-15 15:16:58 +01:00
polipo = 129;
mopidy = 130;
docker = 131;
gdm = 132;
tss = 133;
2014-07-10 19:08:38 +01:00
siproxd = 134;
2014-07-08 23:43:26 +01:00
mlmmj = 135;
riemann = 137;
riemanndash = 138;
2014-09-01 07:53:00 +01:00
uhub = 142;
2014-09-26 09:03:29 +01:00
mailpile = 146;
2014-10-07 09:53:01 +01:00
redmine = 147;
2014-10-06 20:25:10 +01:00
seeks = 148;
prosody = 149;
# When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
users = 100;
nixbld = 30000;
nogroup = 65534;
};
};
}