diff --git a/default.nix b/default.nix
index fda19c3a149f..9d1475b69618 100644
--- a/default.nix
+++ b/default.nix
@@ -40,7 +40,6 @@ in
# The following are used by nixos-rebuild.
nixFallback = pkgs.nixUnstable;
- manifests = config.installer.manifests;
tests = config.tests;
}
diff --git a/doc/manual/man-nixos-rebuild.xml b/doc/manual/man-nixos-rebuild.xml
index ddf4e40be0c2..4828215977e8 100644
--- a/doc/manual/man-nixos-rebuild.xml
+++ b/doc/manual/man-nixos-rebuild.xml
@@ -25,12 +25,10 @@
-
-
@@ -170,17 +168,6 @@ $ ./result/bin/run-*-vm
partition, which is mounted read-only in the VM.
-
-
-
-
- This operation fetches the latest manifest in the Nixpkgs
- channel to speed up subsequent nix-env
- operations. This is useful if you are not using
- nix-channel but still want to use pre-built
- binary packages. It doesn’t reconfigure the system
-
-
diff --git a/modules/installer/cd-dvd/installation-cd-base.nix b/modules/installer/cd-dvd/installation-cd-base.nix
index 375941d24479..1edb2a452360 100644
--- a/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/modules/installer/cd-dvd/installation-cd-base.nix
@@ -42,8 +42,6 @@ in
isoImage.volumeID = "NIXOS_${config.system.nixosVersion}";
- installer.nixosURL = "http://nixos.org/releases/nixos/nixos-${config.system.nixosVersion}";
-
boot.postBootCommands =
''
# Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required
diff --git a/modules/installer/tools/nixos-install.sh b/modules/installer/tools/nixos-install.sh
index d1fdc5820b15..0739c33e8579 100644
--- a/modules/installer/tools/nixos-install.sh
+++ b/modules/installer/tools/nixos-install.sh
@@ -5,7 +5,6 @@
# - copy closure of Nix to target device
# - register validity
# - with a chroot to the target device:
-# * do a nix-pull
# * nix-env -p /nix/var/nix/profiles/system -i
# * run the activation script of the configuration (also installs Grub)
@@ -36,13 +35,6 @@ if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
fi
-# Do a nix-pull to speed up building.
-if test -n "@nixosURL@" -a ${NIXOS_PULL:-1} != 0; then
- mkdir -p /nix/var/nix/channel-cache -m 0755
- NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache \
- @nix@/bin/nix-pull @nixosURL@/MANIFEST || true
-fi
-
# Mount some stuff in the target root directory. We bind-mount /etc
# into the chroot because we need networking and the nixbld user
@@ -116,6 +108,7 @@ export LC_TIME=
# Create a temporary Nix config file that causes the nixbld users to
# be used.
echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf
+grep binary-caches /etc/nix/nix.conf >> $mountPoint/tmp/nix.conf
export NIX_CONF_DIR=/tmp
diff --git a/modules/installer/tools/nixos-rebuild.sh b/modules/installer/tools/nixos-rebuild.sh
index f7c22b98dd76..01665e277b6d 100644
--- a/modules/installer/tools/nixos-rebuild.sh
+++ b/modules/installer/tools/nixos-rebuild.sh
@@ -18,14 +18,11 @@ The operation is one of the following:
build-vm-with-bootloader:
like build-vm, but include a boot loader in the VM
dry-run: just show what store paths would be built/downloaded
- pull: just pull the NixOS channel manifest and exit
Options:
--upgrade fetch the latest version of NixOS before rebuilding
--install-grub (re-)install the Grub bootloader
- --pull do a nix-pull to get the latest NixOS channel
- manifest
--no-build-nix don't build the latest Nix from Nixpkgs before
building NixOS
--rollback restore the previous NixOS configuration (only
@@ -49,7 +46,6 @@ EOF
# Parse the command line.
extraBuildFlags=()
action=
-pullManifest=
buildNix=1
rollback=
upgrade=
@@ -60,15 +56,12 @@ while test "$#" -gt 0; do
--help)
showSyntax
;;
- switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader|pull)
+ switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader)
action="$i"
;;
--install-grub)
export NIXOS_INSTALL_GRUB=1
;;
- --pull)
- pullManifest=1
- ;;
--no-build-nix)
buildNix=
;;
@@ -127,24 +120,6 @@ if initctl status nix-daemon 2>&1 | grep -q 'running'; then
fi
-# Pull the manifests defined in the configuration (the "manifests"
-# attribute). Wonderfully hacky.
-if [ -n "$pullManifest" -o "$action" = pull ]; then
- set -o pipefail
- manifests=$(nix-instantiate --eval-only --xml --strict '' -A manifests \
- | grep 'nixos-rebuild to speed up builds.
- '';
- };
-
installer.enableGraphicalTools = pkgs.lib.mkOption {
default = false;
type = with pkgs.lib.types; bool;
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index 92e9bb908939..218bd0ed47a7 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -131,6 +131,7 @@ in
spamd = 56;
networkmanager = 57;
nslcd = 58;
+ scanner = 59;
# When adding a gid, make sure it doesn't match an existing uid.
diff --git a/modules/services/hardware/sane.nix b/modules/services/hardware/sane.nix
index 6849b3a7bc8e..905445f22c1b 100644
--- a/modules/services/hardware/sane.nix
+++ b/modules/services/hardware/sane.nix
@@ -29,6 +29,12 @@ with pkgs.lib;
in mkIf config.hardware.sane.enable {
environment.systemPackages = [ pkg ];
services.udev.packages = [ pkg ];
+
+ users.extraGroups = singleton {
+ name = "scanner";
+ gid = config.ids.gids.scanner;
+ };
+
};
}
diff --git a/modules/services/misc/nix-daemon.nix b/modules/services/misc/nix-daemon.nix
index 5af2d19a8394..49aa8e7931f7 100644
--- a/modules/services/misc/nix-daemon.nix
+++ b/modules/services/misc/nix-daemon.nix
@@ -247,8 +247,8 @@ in
build-max-jobs = ${toString (cfg.maxJobs)}
build-use-chroot = ${if cfg.useChroot then "true" else "false"}
build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths)
- binary-caches = ${toString config.nix.binaryCaches}
- trusted-binary-caches = ${toString config.nix.trustedBinaryCaches}
+ binary-caches = ${toString cfg.binaryCaches}
+ trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
$extraOptions
END
'';
diff --git a/modules/services/networking/dhcpcd.nix b/modules/services/networking/dhcpcd.nix
index 6c8194f09719..2a0d73f60040 100644
--- a/modules/services/networking/dhcpcd.nix
+++ b/modules/services/networking/dhcpcd.nix
@@ -24,7 +24,8 @@ let
option classless_static_routes, ntp_servers, interface_mtu
# A ServerID is required by RFC2131.
- require dhcp_server_identifier
+ # Commented out because of many non-compliant DHCP servers in the wild :(
+ #require dhcp_server_identifier
# A hook script is provided to lookup the hostname if not set by
# the DHCP server, but it should not be run by default.
diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 858261bd33e2..21f81152fa57 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -41,102 +41,45 @@ let
userOptions = {
openssh.authorizedKeys = {
-
- preserveExistingKeys = mkOption {
- type = types.bool;
- default = true;
- description = ''
- If this option is enabled, the keys specified in
- keys and/or keyFiles will be
- placed in a special section of the user's authorized_keys file
- and any existing keys will be preserved. That section will be
- regenerated each time NixOS is activated. However, if
- preserveExisting isn't enabled, the complete file
- will be generated, and any user modifications will be wiped out.
- '';
- };
-
keys = mkOption {
type = types.listOf types.string;
default = [];
description = ''
- A list of verbatim OpenSSH public keys that should be inserted into the
- user's authorized_keys file. You can combine the keys and
+ A list of verbatim OpenSSH public keys that should be added to the
+ user's authorized keys. The keys are added to a file that the SSH
+ daemon reads in addition to the the user's authorized_keys file.
+ You can combine the keys and
keyFiles options.
'';
};
keyFiles = mkOption {
- #type = types.listOf types.string;
default = [];
description = ''
- A list of files each containing one OpenSSH public keys that should be
- inserted into the user's authorized_keys file. You can combine
- the keyFiles and
- keys options.
+ A list of files each containing one OpenSSH public key that should be
+ added to the user's authorized keys. The contents of the files are
+ read at build time and added to a file that the SSH daemon reads in
+ addition to the the user's authorized_keys file. You can combine the
+ keyFiles and keys options.
'';
};
-
};
};
- mkAuthkeyScript =
- let
- marker1 = "### NixOS auto-added key. Do not edit!";
- marker2 = "### NixOS will regenerate this file. Do not edit!";
- users = map (userName: getAttr userName config.users.extraUsers) (attrNames config.users.extraUsers);
- usersWithKeys = flip filter users (u:
- length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
- );
- userLoop = flip concatMapStrings usersWithKeys (u:
- let
- authKeys = concatStringsSep "," u.openssh.authorizedKeys.keys;
- authKeyFiles = concatStrings (map (x: " ${x}") u.openssh.authorizedKeys.keyFiles);
- preserveExisting = if u.openssh.authorizedKeys.preserveExistingKeys then "true" else "false";
- in ''
- mkAuthKeysFile "${u.name}" "${authKeys}" "${authKeyFiles}" "${preserveExisting}"
- ''
- );
- in ''
- mkAuthKeysFile() {
- local userName="$1"
- local authKeys="$2"
- local authKeyFiles="$3"
- local preserveExisting="$4"
-
- eval homeDir=~$userName
- if ! [ -d "$homeDir" ]; then
- echo "User $userName does not exist"
- return
- fi
- if ! [ -d "$homeDir/.ssh" ]; then
- mkdir -v -m 700 "$homeDir/.ssh"
- chown "$userName":users "$homeDir/.ssh"
- fi
- local authKeysFile="$homeDir/.ssh/authorized_keys"
- touch "$authKeysFile"
- if [ "$preserveExisting" == false ]; then
- rm -f "$authKeysFile"
- echo "${marker2}" > "$authKeysFile"
- else
- sed -i '/${marker1}/ d' "$authKeysFile"
- fi
- IFS=,
- for f in $authKeys; do
- echo "$f ${marker1}" >> "$authKeysFile"
- done
- unset IFS
- for f in $authKeyFiles; do
- if [ -f "$f" ]; then
- echo "$(cat "$f") ${marker1}" >> "$authKeysFile"
- fi
- done
- chown "$userName" "$authKeysFile"
- }
-
- ${userLoop}
- '';
+ authKeysFiles = let
+ mkAuthKeyFile = u: {
+ target = "ssh/authorized_keys.d/${u.name}";
+ mode = "0444";
+ source = pkgs.writeText "${u.name}-authorized_keys" ''
+ ${concatStringsSep "\n" u.openssh.authorizedKeys.keys}
+ ${concatMapStrings (f: builtins.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
+ '';
+ };
+ usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u:
+ length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
+ ));
+ in map mkAuthKeyFile usersWithKeys;
in
@@ -244,6 +187,11 @@ in
'';
};
+ authorizedKeysFiles = mkOption {
+ default = [];
+ description = "Files from with authorized keys are read.";
+ };
+
extraConfig = mkOption {
default = "";
description = "Verbatim contents of sshd_config.";
@@ -305,7 +253,7 @@ in
home = "/var/empty";
};
- environment.etc = [
+ environment.etc = authKeysFiles ++ [
{ source = "${pkgs.openssh}/etc/ssh/moduli";
target = "ssh/moduli";
}
@@ -314,22 +262,10 @@ in
}
];
- boot.systemd.services."set-ssh-keys" =
- { description = "Update authorized SSH keys";
-
- wantedBy = [ "multi-user.target" ];
-
- script = mkAuthkeyScript;
-
- serviceConfig.Type = "oneshot";
- serviceConfig.RemainAfterExit = true;
- };
-
boot.systemd.services.sshd =
{ description = "SSH Daemon";
wantedBy = [ "multi-user.target" ];
- after = [ "set-ssh-keys.service" ];
path = [ pkgs.openssh ];
@@ -360,6 +296,9 @@ in
security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
+ services.openssh.authorizedKeysFiles =
+ [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
+
services.openssh.extraConfig =
''
PidFile /run/sshd.pid
@@ -393,6 +332,8 @@ in
ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
PrintMotd no # handled by pam_motd
+
+ AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
'';
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
diff --git a/tests/installer.nix b/tests/installer.nix
index 9f89ad10021e..477e5c660af5 100644
--- a/tests/installer.nix
+++ b/tests/installer.nix
@@ -75,7 +75,7 @@ let
{ services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
services.httpd.servedDirs = singleton
- { urlPath = "/channels/nixos-unstable";
+ { urlPath = "/binary-cache";
dir = "/tmp/channel";
};
@@ -125,7 +125,6 @@ let
"rm /etc/hosts",
"echo 192.168.1.1 nixos.org > /etc/hosts",
"ifconfig eth1 up 192.168.1.2",
- "nixos-rebuild pull",
);
# Test nix-env.