Merge remote-tracking branch 'origin/master' into systemd

2012-12-11 17:40:39 +01:00 · 2012-12-11 17:40:39 +01:00 · 97ae408e83
commit 97ae408e83
parent 3224ea8a1e 78bd54ca80
12 changed files with 48 additions and 172 deletions
--- a/default.nix
+++ b/default.nix
@ -40,7 +40,6 @@ in

  # The following are used by nixos-rebuild.
  nixFallback = pkgs.nixUnstable;
-  manifests = config.installer.manifests;

  tests = config.tests;
 }
--- a/doc/manual/man-nixos-rebuild.xml
+++ b/doc/manual/man-nixos-rebuild.xml
@ -25,12 +25,10 @@
      <arg choice='plain'><option>dry-run</option></arg>
      <arg choice='plain'><option>build-vm</option></arg>
      <arg choice='plain'><option>build-vm-with-bootloader</option></arg>
-      <arg choice='plain'><option>pull</option></arg>
    </group>
    <sbr />
    <arg><option>--upgrade</option></arg>
    <arg><option>--install-grub</option></arg>
-    <arg><option>--no-pull</option></arg>
    <arg><option>--no-build-nix</option></arg>
    <arg><option>--fast</option></arg>
    <arg><option>--rollback</option></arg>
@ -170,17 +168,6 @@ $ ./result/bin/run-*-vm
      partition, which is mounted read-only in the VM.</para>
    </listitem>
  </varlistentry>
-  
-  <varlistentry>
-    <term><option>pull</option></term>
-    <listitem>
-      <para>This operation fetches the latest manifest in the Nixpkgs
-      channel to speed up subsequent <command>nix-env</command>
-      operations.  This is useful if you are not using
-      <command>nix-channel</command> but still want to use pre-built
-      binary packages.  It doesn’t reconfigure the system</para>
-    </listitem>
-  </varlistentry>

 </variablelist>

--- a/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/modules/installer/cd-dvd/installation-cd-base.nix
@ -42,8 +42,6 @@ in

  isoImage.volumeID = "NIXOS_${config.system.nixosVersion}";

-  installer.nixosURL = "http://nixos.org/releases/nixos/nixos-${config.system.nixosVersion}";
-
  boot.postBootCommands =
    ''
      # Provide the NixOS/Nixpkgs sources in /etc/nixos.  This is required
--- a/modules/installer/tools/nixos-install.sh
+++ b/modules/installer/tools/nixos-install.sh
@ -5,7 +5,6 @@
 # - copy closure of Nix to target device
 # - register validity
 # - with a chroot to the target device:
-#   * do a nix-pull
 #   * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration>
 #   * run the activation script of the configuration (also installs Grub)

@ -36,13 +35,6 @@ if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
 fi


-# Do a nix-pull to speed up building.
-if test -n "@nixosURL@" -a ${NIXOS_PULL:-1} != 0; then
-    mkdir -p /nix/var/nix/channel-cache -m 0755
-    NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache \
-        @nix@/bin/nix-pull @nixosURL@/MANIFEST || true
-fi
-

 # Mount some stuff in the target root directory.  We bind-mount /etc
 # into the chroot because we need networking and the nixbld user
@ -116,6 +108,7 @@ export LC_TIME=
 # Create a temporary Nix config file that causes the nixbld users to
 # be used.
 echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf
+grep binary-caches /etc/nix/nix.conf >> $mountPoint/tmp/nix.conf
 export NIX_CONF_DIR=/tmp


--- a/modules/installer/tools/nixos-rebuild.sh
+++ b/modules/installer/tools/nixos-rebuild.sh
@ -18,14 +18,11 @@ The operation is one of the following:
  build-vm-with-bootloader:
            like build-vm, but include a boot loader in the VM
  dry-run:  just show what store paths would be built/downloaded
-  pull:     just pull the NixOS channel manifest and exit

 Options:

  --upgrade              fetch the latest version of NixOS before rebuilding
  --install-grub         (re-)install the Grub bootloader
-  --pull                 do a nix-pull to get the latest NixOS channel
-                         manifest
  --no-build-nix         don't build the latest Nix from Nixpkgs before
                         building NixOS
  --rollback             restore the previous NixOS configuration (only
@ -49,7 +46,6 @@ EOF
 # Parse the command line.
 extraBuildFlags=()
 action=
-pullManifest=
 buildNix=1
 rollback=
 upgrade=
@ -60,15 +56,12 @@ while test "$#" -gt 0; do
      --help)
        showSyntax
        ;;
-      switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader|pull)
+      switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader)
        action="$i"
        ;;
      --install-grub)
        export NIXOS_INSTALL_GRUB=1
        ;;
-      --pull)
-        pullManifest=1
-        ;;
      --no-build-nix)
        buildNix=
        ;;
@ -127,24 +120,6 @@ if initctl status nix-daemon 2>&1 | grep -q 'running'; then
 fi


-# Pull the manifests defined in the configuration (the "manifests"
-# attribute).  Wonderfully hacky.
-if [ -n "$pullManifest" -o "$action" = pull ]; then
-    set -o pipefail
-    manifests=$(nix-instantiate --eval-only --xml --strict '<nixos>' -A manifests \
-        | grep '<string'  | sed 's^.*"\(.*\)".*^\1^g')
-    set +o pipefail
-    if [ $? -ne 0 ]; then exit 1; fi
-
-    mkdir -p /nix/var/nix/channel-cache
-    for i in $manifests; do
-        NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache nix-pull $i || true
-    done
-fi
-
-if [ "$action" = pull ]; then exit 0; fi
-
-
 # If ‘--upgrade’ is given, run ‘nix-channel --update nixos’.
 if [ -n "$upgrade" ]; then
    nix-channel --update nixos
--- a/modules/installer/tools/tools.nix
+++ b/modules/installer/tools/tools.nix
@ -1,7 +1,7 @@
 # This module generates nixos-install, nixos-rebuild,
 # nixos-hardware-scan, etc.

-{config, pkgs, modulesPath, ...}:
+{ config, pkgs, modulesPath, ... }:

 let
  ### implementation
@ -23,7 +23,6 @@ let

    inherit (pkgs) perl pathsFromGraph;
    nix = config.environment.nix;
-    nixosURL = cfg.nixosURL;

    nixClosure = pkgs.runCommand "closure"
      { exportReferencesGraph = ["refs" config.environment.nix]; }
@ -84,29 +83,6 @@ in
 {
  options = {

-    # FIXME: remove this option once we're using Nix 1.2.
-    installer.nixosURL = pkgs.lib.mkOption {
-      default = http://nixos.org/channels/nixos-unstable;
-      example = http://nixos.org/releases/nixos/nixos-0.1pre1234;
-      description = ''
-        URL of the Nixpkgs distribution to use when building the
-        installation CD.
-      '';
-    };
-
-    # FIXME: idem.
-    installer.manifests = pkgs.lib.mkOption {
-      default = [ http://nixos.org/channels/nixos-unstable/MANIFEST ];
-      example =
-        [ http://nixos.org/channels/nixpkgs-unstable/MANIFEST
-          http://nixos.org/channels/nixos-stable/MANIFEST
-        ];
-      description = ''
-        URLs of manifests to be downloaded when you run
-        <command>nixos-rebuild</command> to speed up builds.
-      '';
-    };
-
    installer.enableGraphicalTools = pkgs.lib.mkOption {
      default = false;
      type = with pkgs.lib.types; bool;
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@ -131,6 +131,7 @@ in
    spamd = 56;
    networkmanager = 57;
    nslcd = 58;
+    scanner = 59;

    # When adding a gid, make sure it doesn't match an existing uid.

--- a/modules/services/hardware/sane.nix
+++ b/modules/services/hardware/sane.nix
@ -29,6 +29,12 @@ with pkgs.lib;
      in mkIf config.hardware.sane.enable {
           environment.systemPackages = [ pkg ];
           services.udev.packages = [ pkg ];
+           
+           users.extraGroups = singleton {
+             name = "scanner";
+             gid = config.ids.gids.scanner;
+           };
+
      };

 }
--- a/modules/services/misc/nix-daemon.nix
+++ b/modules/services/misc/nix-daemon.nix
@ -247,8 +247,8 @@ in
                build-max-jobs = ${toString (cfg.maxJobs)}
                build-use-chroot = ${if cfg.useChroot then "true" else "false"}
                build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths)
-                binary-caches = ${toString config.nix.binaryCaches}
-                trusted-binary-caches = ${toString config.nix.trustedBinaryCaches}
+                binary-caches = ${toString cfg.binaryCaches}
+                trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
                $extraOptions
                END
              '';
--- a/modules/services/networking/dhcpcd.nix
+++ b/modules/services/networking/dhcpcd.nix
@ -24,7 +24,8 @@ let
      option classless_static_routes, ntp_servers, interface_mtu

      # A ServerID is required by RFC2131.
-      require dhcp_server_identifier
+      # Commented out because of many non-compliant DHCP servers in the wild :(
+      #require dhcp_server_identifier

      # A hook script is provided to lookup the hostname if not set by
      # the DHCP server, but it should not be run by default.
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@ -41,102 +41,45 @@ let
  userOptions = {

    openssh.authorizedKeys = {
-
-      preserveExistingKeys = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          If this option is enabled, the keys specified in
-          <literal>keys</literal> and/or <literal>keyFiles</literal> will be
-          placed in a special section of the user's authorized_keys file
-          and any existing keys will be preserved. That section will be
-          regenerated each time NixOS is activated. However, if
-          <literal>preserveExisting</literal> isn't enabled, the complete file
-          will be generated, and any user modifications will be wiped out.
-        '';
-      };
-
      keys = mkOption {
        type = types.listOf types.string;
        default = [];
        description = ''
-          A list of verbatim OpenSSH public keys that should be inserted into the
-          user's authorized_keys file. You can combine the <literal>keys</literal> and
+          A list of verbatim OpenSSH public keys that should be added to the
+          user's authorized keys. The keys are added to a file that the SSH
+          daemon reads in addition to the the user's authorized_keys file.
+          You can combine the <literal>keys</literal> and
          <literal>keyFiles</literal> options.
        '';
      };

      keyFiles = mkOption {
-        #type = types.listOf types.string;
        default = [];
        description = ''
-          A list of files each containing one OpenSSH public keys that should be
-          inserted into the user's authorized_keys file. You can combine
-          the <literal>keyFiles</literal> and
-          <literal>keys</literal> options.
+          A list of files each containing one OpenSSH public key that should be
+          added to the user's authorized keys. The contents of the files are
+          read at build time and added to a file that the SSH daemon reads in
+          addition to the the user's authorized_keys file. You can combine the
+          <literal>keyFiles</literal> and <literal>keys</literal> options.
        '';
      };
-
    };

  };

-  mkAuthkeyScript =
-    let
-      marker1 = "### NixOS auto-added key. Do not edit!";
-      marker2 = "### NixOS will regenerate this file. Do not edit!";
-      users = map (userName: getAttr userName config.users.extraUsers) (attrNames config.users.extraUsers);
-      usersWithKeys = flip filter users (u:
-        length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
-      );
-      userLoop = flip concatMapStrings usersWithKeys (u:
-        let
-          authKeys = concatStringsSep "," u.openssh.authorizedKeys.keys;
-          authKeyFiles = concatStrings (map (x: " ${x}") u.openssh.authorizedKeys.keyFiles);
-          preserveExisting = if u.openssh.authorizedKeys.preserveExistingKeys then "true" else "false";
-        in ''
-          mkAuthKeysFile "${u.name}" "${authKeys}" "${authKeyFiles}" "${preserveExisting}"
-        ''
-      );
-    in ''
-      mkAuthKeysFile() {
-        local userName="$1"
-        local authKeys="$2"
-        local authKeyFiles="$3"
-        local preserveExisting="$4"
-
-        eval homeDir=~$userName
-        if ! [ -d "$homeDir" ]; then
-          echo "User $userName does not exist"
-          return
-        fi
-        if ! [ -d "$homeDir/.ssh" ]; then
-          mkdir -v -m 700 "$homeDir/.ssh"
-          chown "$userName":users "$homeDir/.ssh"
-        fi
-        local authKeysFile="$homeDir/.ssh/authorized_keys"
-        touch "$authKeysFile"
-        if [ "$preserveExisting" == false ]; then
-          rm -f "$authKeysFile"
-          echo "${marker2}" > "$authKeysFile"
-        else
-          sed -i '/${marker1}/ d' "$authKeysFile"
-        fi
-        IFS=,
-        for f in $authKeys; do
-          echo "$f ${marker1}" >> "$authKeysFile"
-        done
-        unset IFS
-        for f in $authKeyFiles; do
-          if [ -f "$f" ]; then
-            echo "$(cat "$f") ${marker1}" >> "$authKeysFile"
-          fi
-        done
-        chown "$userName" "$authKeysFile"
-      }
-
-      ${userLoop}
-    '';
+  authKeysFiles = let
+    mkAuthKeyFile = u: {
+      target = "ssh/authorized_keys.d/${u.name}";
+      mode = "0444";
+      source = pkgs.writeText "${u.name}-authorized_keys" ''
+        ${concatStringsSep "\n" u.openssh.authorizedKeys.keys}
+        ${concatMapStrings (f: builtins.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
+      '';
+    };
+    usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u:
+      length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
+    ));
+  in map mkAuthKeyFile usersWithKeys;

 in

@ -244,6 +187,11 @@ in
        '';
      };

+      authorizedKeysFiles = mkOption {
+        default = [];
+        description = "Files from with authorized keys are read.";
+      };
+
      extraConfig = mkOption {
        default = "";
        description = "Verbatim contents of <filename>sshd_config</filename>.";
@ -305,7 +253,7 @@ in
        home = "/var/empty";
      };

-    environment.etc = [
+    environment.etc = authKeysFiles ++ [
      { source = "${pkgs.openssh}/etc/ssh/moduli";
        target = "ssh/moduli";
      }
@ -314,22 +262,10 @@ in
      }
    ];

-    boot.systemd.services."set-ssh-keys" =
-      { description = "Update authorized SSH keys";
-
-        wantedBy = [ "multi-user.target" ];
-
-        script = mkAuthkeyScript;
-
-        serviceConfig.Type = "oneshot";
-        serviceConfig.RemainAfterExit = true;
-      };
-
    boot.systemd.services.sshd =
      { description = "SSH Daemon";

        wantedBy = [ "multi-user.target" ];
-        after = [ "set-ssh-keys.service" ];

        path = [ pkgs.openssh ];

@ -360,6 +296,9 @@ in

    security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };

+    services.openssh.authorizedKeysFiles =
+      [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
+
    services.openssh.extraConfig =
      ''
        PidFile /run/sshd.pid
@ -393,6 +332,8 @@ in
        ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}

        PrintMotd no # handled by pam_motd
+
+        AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
      '';

    assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
--- a/tests/installer.nix
+++ b/tests/installer.nix
@ -75,7 +75,7 @@ let
    { services.httpd.enable = true;
      services.httpd.adminAddr = "foo@example.org";
      services.httpd.servedDirs = singleton
-        { urlPath = "/channels/nixos-unstable";
+        { urlPath = "/binary-cache";
          dir = "/tmp/channel";
        };

@ -125,7 +125,6 @@ let
            "rm /etc/hosts",
            "echo 192.168.1.1 nixos.org > /etc/hosts",
            "ifconfig eth1 up 192.168.1.2",
-            "nixos-rebuild pull",
        );

        # Test nix-env.