Merge remote-tracking branch 'origin/master' into systemd

This commit is contained in:
Eelco Dolstra 2012-12-11 17:40:39 +01:00
commit 97ae408e83
12 changed files with 48 additions and 172 deletions

View File

@ -40,7 +40,6 @@ in
# The following are used by nixos-rebuild.
nixFallback = pkgs.nixUnstable;
manifests = config.installer.manifests;
tests = config.tests;
}

View File

@ -25,12 +25,10 @@
<arg choice='plain'><option>dry-run</option></arg>
<arg choice='plain'><option>build-vm</option></arg>
<arg choice='plain'><option>build-vm-with-bootloader</option></arg>
<arg choice='plain'><option>pull</option></arg>
</group>
<sbr />
<arg><option>--upgrade</option></arg>
<arg><option>--install-grub</option></arg>
<arg><option>--no-pull</option></arg>
<arg><option>--no-build-nix</option></arg>
<arg><option>--fast</option></arg>
<arg><option>--rollback</option></arg>
@ -171,17 +169,6 @@ $ ./result/bin/run-*-vm
</listitem>
</varlistentry>
<varlistentry>
<term><option>pull</option></term>
<listitem>
<para>This operation fetches the latest manifest in the Nixpkgs
channel to speed up subsequent <command>nix-env</command>
operations. This is useful if you are not using
<command>nix-channel</command> but still want to use pre-built
binary packages. It doesnt reconfigure the system</para>
</listitem>
</varlistentry>
</variablelist>
</para>

View File

@ -42,8 +42,6 @@ in
isoImage.volumeID = "NIXOS_${config.system.nixosVersion}";
installer.nixosURL = "http://nixos.org/releases/nixos/nixos-${config.system.nixosVersion}";
boot.postBootCommands =
''
# Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required

View File

@ -5,7 +5,6 @@
# - copy closure of Nix to target device
# - register validity
# - with a chroot to the target device:
# * do a nix-pull
# * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration>
# * run the activation script of the configuration (also installs Grub)
@ -36,13 +35,6 @@ if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
fi
# Do a nix-pull to speed up building.
if test -n "@nixosURL@" -a ${NIXOS_PULL:-1} != 0; then
mkdir -p /nix/var/nix/channel-cache -m 0755
NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache \
@nix@/bin/nix-pull @nixosURL@/MANIFEST || true
fi
# Mount some stuff in the target root directory. We bind-mount /etc
# into the chroot because we need networking and the nixbld user
@ -116,6 +108,7 @@ export LC_TIME=
# Create a temporary Nix config file that causes the nixbld users to
# be used.
echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf
grep binary-caches /etc/nix/nix.conf >> $mountPoint/tmp/nix.conf
export NIX_CONF_DIR=/tmp

View File

@ -18,14 +18,11 @@ The operation is one of the following:
build-vm-with-bootloader:
like build-vm, but include a boot loader in the VM
dry-run: just show what store paths would be built/downloaded
pull: just pull the NixOS channel manifest and exit
Options:
--upgrade fetch the latest version of NixOS before rebuilding
--install-grub (re-)install the Grub bootloader
--pull do a nix-pull to get the latest NixOS channel
manifest
--no-build-nix don't build the latest Nix from Nixpkgs before
building NixOS
--rollback restore the previous NixOS configuration (only
@ -49,7 +46,6 @@ EOF
# Parse the command line.
extraBuildFlags=()
action=
pullManifest=
buildNix=1
rollback=
upgrade=
@ -60,15 +56,12 @@ while test "$#" -gt 0; do
--help)
showSyntax
;;
switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader|pull)
switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader)
action="$i"
;;
--install-grub)
export NIXOS_INSTALL_GRUB=1
;;
--pull)
pullManifest=1
;;
--no-build-nix)
buildNix=
;;
@ -127,24 +120,6 @@ if initctl status nix-daemon 2>&1 | grep -q 'running'; then
fi
# Pull the manifests defined in the configuration (the "manifests"
# attribute). Wonderfully hacky.
if [ -n "$pullManifest" -o "$action" = pull ]; then
set -o pipefail
manifests=$(nix-instantiate --eval-only --xml --strict '<nixos>' -A manifests \
| grep '<string' | sed 's^.*"\(.*\)".*^\1^g')
set +o pipefail
if [ $? -ne 0 ]; then exit 1; fi
mkdir -p /nix/var/nix/channel-cache
for i in $manifests; do
NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache nix-pull $i || true
done
fi
if [ "$action" = pull ]; then exit 0; fi
# If --upgrade is given, run nix-channel --update nixos.
if [ -n "$upgrade" ]; then
nix-channel --update nixos

View File

@ -1,7 +1,7 @@
# This module generates nixos-install, nixos-rebuild,
# nixos-hardware-scan, etc.
{config, pkgs, modulesPath, ...}:
{ config, pkgs, modulesPath, ... }:
let
### implementation
@ -23,7 +23,6 @@ let
inherit (pkgs) perl pathsFromGraph;
nix = config.environment.nix;
nixosURL = cfg.nixosURL;
nixClosure = pkgs.runCommand "closure"
{ exportReferencesGraph = ["refs" config.environment.nix]; }
@ -84,29 +83,6 @@ in
{
options = {
# FIXME: remove this option once we're using Nix 1.2.
installer.nixosURL = pkgs.lib.mkOption {
default = http://nixos.org/channels/nixos-unstable;
example = http://nixos.org/releases/nixos/nixos-0.1pre1234;
description = ''
URL of the Nixpkgs distribution to use when building the
installation CD.
'';
};
# FIXME: idem.
installer.manifests = pkgs.lib.mkOption {
default = [ http://nixos.org/channels/nixos-unstable/MANIFEST ];
example =
[ http://nixos.org/channels/nixpkgs-unstable/MANIFEST
http://nixos.org/channels/nixos-stable/MANIFEST
];
description = ''
URLs of manifests to be downloaded when you run
<command>nixos-rebuild</command> to speed up builds.
'';
};
installer.enableGraphicalTools = pkgs.lib.mkOption {
default = false;
type = with pkgs.lib.types; bool;

View File

@ -131,6 +131,7 @@ in
spamd = 56;
networkmanager = 57;
nslcd = 58;
scanner = 59;
# When adding a gid, make sure it doesn't match an existing uid.

View File

@ -29,6 +29,12 @@ with pkgs.lib;
in mkIf config.hardware.sane.enable {
environment.systemPackages = [ pkg ];
services.udev.packages = [ pkg ];
users.extraGroups = singleton {
name = "scanner";
gid = config.ids.gids.scanner;
};
};
}

View File

@ -247,8 +247,8 @@ in
build-max-jobs = ${toString (cfg.maxJobs)}
build-use-chroot = ${if cfg.useChroot then "true" else "false"}
build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths)
binary-caches = ${toString config.nix.binaryCaches}
trusted-binary-caches = ${toString config.nix.trustedBinaryCaches}
binary-caches = ${toString cfg.binaryCaches}
trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
$extraOptions
END
'';

View File

@ -24,7 +24,8 @@ let
option classless_static_routes, ntp_servers, interface_mtu
# A ServerID is required by RFC2131.
require dhcp_server_identifier
# Commented out because of many non-compliant DHCP servers in the wild :(
#require dhcp_server_identifier
# A hook script is provided to lookup the hostname if not set by
# the DHCP server, but it should not be run by default.

View File

@ -41,102 +41,45 @@ let
userOptions = {
openssh.authorizedKeys = {
preserveExistingKeys = mkOption {
type = types.bool;
default = true;
description = ''
If this option is enabled, the keys specified in
<literal>keys</literal> and/or <literal>keyFiles</literal> will be
placed in a special section of the user's authorized_keys file
and any existing keys will be preserved. That section will be
regenerated each time NixOS is activated. However, if
<literal>preserveExisting</literal> isn't enabled, the complete file
will be generated, and any user modifications will be wiped out.
'';
};
keys = mkOption {
type = types.listOf types.string;
default = [];
description = ''
A list of verbatim OpenSSH public keys that should be inserted into the
user's authorized_keys file. You can combine the <literal>keys</literal> and
A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys. The keys are added to a file that the SSH
daemon reads in addition to the the user's authorized_keys file.
You can combine the <literal>keys</literal> and
<literal>keyFiles</literal> options.
'';
};
keyFiles = mkOption {
#type = types.listOf types.string;
default = [];
description = ''
A list of files each containing one OpenSSH public keys that should be
inserted into the user's authorized_keys file. You can combine
the <literal>keyFiles</literal> and
<literal>keys</literal> options.
A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys. The contents of the files are
read at build time and added to a file that the SSH daemon reads in
addition to the the user's authorized_keys file. You can combine the
<literal>keyFiles</literal> and <literal>keys</literal> options.
'';
};
};
};
mkAuthkeyScript =
let
marker1 = "### NixOS auto-added key. Do not edit!";
marker2 = "### NixOS will regenerate this file. Do not edit!";
users = map (userName: getAttr userName config.users.extraUsers) (attrNames config.users.extraUsers);
usersWithKeys = flip filter users (u:
length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
);
userLoop = flip concatMapStrings usersWithKeys (u:
let
authKeys = concatStringsSep "," u.openssh.authorizedKeys.keys;
authKeyFiles = concatStrings (map (x: " ${x}") u.openssh.authorizedKeys.keyFiles);
preserveExisting = if u.openssh.authorizedKeys.preserveExistingKeys then "true" else "false";
in ''
mkAuthKeysFile "${u.name}" "${authKeys}" "${authKeyFiles}" "${preserveExisting}"
''
);
in ''
mkAuthKeysFile() {
local userName="$1"
local authKeys="$2"
local authKeyFiles="$3"
local preserveExisting="$4"
eval homeDir=~$userName
if ! [ -d "$homeDir" ]; then
echo "User $userName does not exist"
return
fi
if ! [ -d "$homeDir/.ssh" ]; then
mkdir -v -m 700 "$homeDir/.ssh"
chown "$userName":users "$homeDir/.ssh"
fi
local authKeysFile="$homeDir/.ssh/authorized_keys"
touch "$authKeysFile"
if [ "$preserveExisting" == false ]; then
rm -f "$authKeysFile"
echo "${marker2}" > "$authKeysFile"
else
sed -i '/${marker1}/ d' "$authKeysFile"
fi
IFS=,
for f in $authKeys; do
echo "$f ${marker1}" >> "$authKeysFile"
done
unset IFS
for f in $authKeyFiles; do
if [ -f "$f" ]; then
echo "$(cat "$f") ${marker1}" >> "$authKeysFile"
fi
done
chown "$userName" "$authKeysFile"
}
${userLoop}
'';
authKeysFiles = let
mkAuthKeyFile = u: {
target = "ssh/authorized_keys.d/${u.name}";
mode = "0444";
source = pkgs.writeText "${u.name}-authorized_keys" ''
${concatStringsSep "\n" u.openssh.authorizedKeys.keys}
${concatMapStrings (f: builtins.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
'';
};
usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u:
length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
));
in map mkAuthKeyFile usersWithKeys;
in
@ -244,6 +187,11 @@ in
'';
};
authorizedKeysFiles = mkOption {
default = [];
description = "Files from with authorized keys are read.";
};
extraConfig = mkOption {
default = "";
description = "Verbatim contents of <filename>sshd_config</filename>.";
@ -305,7 +253,7 @@ in
home = "/var/empty";
};
environment.etc = [
environment.etc = authKeysFiles ++ [
{ source = "${pkgs.openssh}/etc/ssh/moduli";
target = "ssh/moduli";
}
@ -314,22 +262,10 @@ in
}
];
boot.systemd.services."set-ssh-keys" =
{ description = "Update authorized SSH keys";
wantedBy = [ "multi-user.target" ];
script = mkAuthkeyScript;
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
};
boot.systemd.services.sshd =
{ description = "SSH Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "set-ssh-keys.service" ];
path = [ pkgs.openssh ];
@ -360,6 +296,9 @@ in
security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
services.openssh.authorizedKeysFiles =
[ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
services.openssh.extraConfig =
''
PidFile /run/sshd.pid
@ -393,6 +332,8 @@ in
ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
PrintMotd no # handled by pam_motd
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
'';
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

View File

@ -75,7 +75,7 @@ let
{ services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
services.httpd.servedDirs = singleton
{ urlPath = "/channels/nixos-unstable";
{ urlPath = "/binary-cache";
dir = "/tmp/channel";
};
@ -125,7 +125,6 @@ let
"rm /etc/hosts",
"echo 192.168.1.1 nixos.org > /etc/hosts",
"ifconfig eth1 up 192.168.1.2",
"nixos-rebuild pull",
);
# Test nix-env.