Merge remote-tracking branch 'origin/master' into systemd
This commit is contained in:
commit
97ae408e83
@ -40,7 +40,6 @@ in
|
||||
|
||||
# The following are used by nixos-rebuild.
|
||||
nixFallback = pkgs.nixUnstable;
|
||||
manifests = config.installer.manifests;
|
||||
|
||||
tests = config.tests;
|
||||
}
|
||||
|
@ -25,12 +25,10 @@
|
||||
<arg choice='plain'><option>dry-run</option></arg>
|
||||
<arg choice='plain'><option>build-vm</option></arg>
|
||||
<arg choice='plain'><option>build-vm-with-bootloader</option></arg>
|
||||
<arg choice='plain'><option>pull</option></arg>
|
||||
</group>
|
||||
<sbr />
|
||||
<arg><option>--upgrade</option></arg>
|
||||
<arg><option>--install-grub</option></arg>
|
||||
<arg><option>--no-pull</option></arg>
|
||||
<arg><option>--no-build-nix</option></arg>
|
||||
<arg><option>--fast</option></arg>
|
||||
<arg><option>--rollback</option></arg>
|
||||
@ -171,17 +169,6 @@ $ ./result/bin/run-*-vm
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>pull</option></term>
|
||||
<listitem>
|
||||
<para>This operation fetches the latest manifest in the Nixpkgs
|
||||
channel to speed up subsequent <command>nix-env</command>
|
||||
operations. This is useful if you are not using
|
||||
<command>nix-channel</command> but still want to use pre-built
|
||||
binary packages. It doesn’t reconfigure the system</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
|
||||
</para>
|
||||
|
@ -42,8 +42,6 @@ in
|
||||
|
||||
isoImage.volumeID = "NIXOS_${config.system.nixosVersion}";
|
||||
|
||||
installer.nixosURL = "http://nixos.org/releases/nixos/nixos-${config.system.nixosVersion}";
|
||||
|
||||
boot.postBootCommands =
|
||||
''
|
||||
# Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required
|
||||
|
@ -5,7 +5,6 @@
|
||||
# - copy closure of Nix to target device
|
||||
# - register validity
|
||||
# - with a chroot to the target device:
|
||||
# * do a nix-pull
|
||||
# * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration>
|
||||
# * run the activation script of the configuration (also installs Grub)
|
||||
|
||||
@ -36,13 +35,6 @@ if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
|
||||
fi
|
||||
|
||||
|
||||
# Do a nix-pull to speed up building.
|
||||
if test -n "@nixosURL@" -a ${NIXOS_PULL:-1} != 0; then
|
||||
mkdir -p /nix/var/nix/channel-cache -m 0755
|
||||
NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache \
|
||||
@nix@/bin/nix-pull @nixosURL@/MANIFEST || true
|
||||
fi
|
||||
|
||||
|
||||
# Mount some stuff in the target root directory. We bind-mount /etc
|
||||
# into the chroot because we need networking and the nixbld user
|
||||
@ -116,6 +108,7 @@ export LC_TIME=
|
||||
# Create a temporary Nix config file that causes the nixbld users to
|
||||
# be used.
|
||||
echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf
|
||||
grep binary-caches /etc/nix/nix.conf >> $mountPoint/tmp/nix.conf
|
||||
export NIX_CONF_DIR=/tmp
|
||||
|
||||
|
||||
|
@ -18,14 +18,11 @@ The operation is one of the following:
|
||||
build-vm-with-bootloader:
|
||||
like build-vm, but include a boot loader in the VM
|
||||
dry-run: just show what store paths would be built/downloaded
|
||||
pull: just pull the NixOS channel manifest and exit
|
||||
|
||||
Options:
|
||||
|
||||
--upgrade fetch the latest version of NixOS before rebuilding
|
||||
--install-grub (re-)install the Grub bootloader
|
||||
--pull do a nix-pull to get the latest NixOS channel
|
||||
manifest
|
||||
--no-build-nix don't build the latest Nix from Nixpkgs before
|
||||
building NixOS
|
||||
--rollback restore the previous NixOS configuration (only
|
||||
@ -49,7 +46,6 @@ EOF
|
||||
# Parse the command line.
|
||||
extraBuildFlags=()
|
||||
action=
|
||||
pullManifest=
|
||||
buildNix=1
|
||||
rollback=
|
||||
upgrade=
|
||||
@ -60,15 +56,12 @@ while test "$#" -gt 0; do
|
||||
--help)
|
||||
showSyntax
|
||||
;;
|
||||
switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader|pull)
|
||||
switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader)
|
||||
action="$i"
|
||||
;;
|
||||
--install-grub)
|
||||
export NIXOS_INSTALL_GRUB=1
|
||||
;;
|
||||
--pull)
|
||||
pullManifest=1
|
||||
;;
|
||||
--no-build-nix)
|
||||
buildNix=
|
||||
;;
|
||||
@ -127,24 +120,6 @@ if initctl status nix-daemon 2>&1 | grep -q 'running'; then
|
||||
fi
|
||||
|
||||
|
||||
# Pull the manifests defined in the configuration (the "manifests"
|
||||
# attribute). Wonderfully hacky.
|
||||
if [ -n "$pullManifest" -o "$action" = pull ]; then
|
||||
set -o pipefail
|
||||
manifests=$(nix-instantiate --eval-only --xml --strict '<nixos>' -A manifests \
|
||||
| grep '<string' | sed 's^.*"\(.*\)".*^\1^g')
|
||||
set +o pipefail
|
||||
if [ $? -ne 0 ]; then exit 1; fi
|
||||
|
||||
mkdir -p /nix/var/nix/channel-cache
|
||||
for i in $manifests; do
|
||||
NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache nix-pull $i || true
|
||||
done
|
||||
fi
|
||||
|
||||
if [ "$action" = pull ]; then exit 0; fi
|
||||
|
||||
|
||||
# If ‘--upgrade’ is given, run ‘nix-channel --update nixos’.
|
||||
if [ -n "$upgrade" ]; then
|
||||
nix-channel --update nixos
|
||||
|
@ -1,7 +1,7 @@
|
||||
# This module generates nixos-install, nixos-rebuild,
|
||||
# nixos-hardware-scan, etc.
|
||||
|
||||
{config, pkgs, modulesPath, ...}:
|
||||
{ config, pkgs, modulesPath, ... }:
|
||||
|
||||
let
|
||||
### implementation
|
||||
@ -23,7 +23,6 @@ let
|
||||
|
||||
inherit (pkgs) perl pathsFromGraph;
|
||||
nix = config.environment.nix;
|
||||
nixosURL = cfg.nixosURL;
|
||||
|
||||
nixClosure = pkgs.runCommand "closure"
|
||||
{ exportReferencesGraph = ["refs" config.environment.nix]; }
|
||||
@ -84,29 +83,6 @@ in
|
||||
{
|
||||
options = {
|
||||
|
||||
# FIXME: remove this option once we're using Nix 1.2.
|
||||
installer.nixosURL = pkgs.lib.mkOption {
|
||||
default = http://nixos.org/channels/nixos-unstable;
|
||||
example = http://nixos.org/releases/nixos/nixos-0.1pre1234;
|
||||
description = ''
|
||||
URL of the Nixpkgs distribution to use when building the
|
||||
installation CD.
|
||||
'';
|
||||
};
|
||||
|
||||
# FIXME: idem.
|
||||
installer.manifests = pkgs.lib.mkOption {
|
||||
default = [ http://nixos.org/channels/nixos-unstable/MANIFEST ];
|
||||
example =
|
||||
[ http://nixos.org/channels/nixpkgs-unstable/MANIFEST
|
||||
http://nixos.org/channels/nixos-stable/MANIFEST
|
||||
];
|
||||
description = ''
|
||||
URLs of manifests to be downloaded when you run
|
||||
<command>nixos-rebuild</command> to speed up builds.
|
||||
'';
|
||||
};
|
||||
|
||||
installer.enableGraphicalTools = pkgs.lib.mkOption {
|
||||
default = false;
|
||||
type = with pkgs.lib.types; bool;
|
||||
|
@ -131,6 +131,7 @@ in
|
||||
spamd = 56;
|
||||
networkmanager = 57;
|
||||
nslcd = 58;
|
||||
scanner = 59;
|
||||
|
||||
# When adding a gid, make sure it doesn't match an existing uid.
|
||||
|
||||
|
@ -29,6 +29,12 @@ with pkgs.lib;
|
||||
in mkIf config.hardware.sane.enable {
|
||||
environment.systemPackages = [ pkg ];
|
||||
services.udev.packages = [ pkg ];
|
||||
|
||||
users.extraGroups = singleton {
|
||||
name = "scanner";
|
||||
gid = config.ids.gids.scanner;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -247,8 +247,8 @@ in
|
||||
build-max-jobs = ${toString (cfg.maxJobs)}
|
||||
build-use-chroot = ${if cfg.useChroot then "true" else "false"}
|
||||
build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths)
|
||||
binary-caches = ${toString config.nix.binaryCaches}
|
||||
trusted-binary-caches = ${toString config.nix.trustedBinaryCaches}
|
||||
binary-caches = ${toString cfg.binaryCaches}
|
||||
trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
|
||||
$extraOptions
|
||||
END
|
||||
'';
|
||||
|
@ -24,7 +24,8 @@ let
|
||||
option classless_static_routes, ntp_servers, interface_mtu
|
||||
|
||||
# A ServerID is required by RFC2131.
|
||||
require dhcp_server_identifier
|
||||
# Commented out because of many non-compliant DHCP servers in the wild :(
|
||||
#require dhcp_server_identifier
|
||||
|
||||
# A hook script is provided to lookup the hostname if not set by
|
||||
# the DHCP server, but it should not be run by default.
|
||||
|
@ -41,102 +41,45 @@ let
|
||||
userOptions = {
|
||||
|
||||
openssh.authorizedKeys = {
|
||||
|
||||
preserveExistingKeys = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If this option is enabled, the keys specified in
|
||||
<literal>keys</literal> and/or <literal>keyFiles</literal> will be
|
||||
placed in a special section of the user's authorized_keys file
|
||||
and any existing keys will be preserved. That section will be
|
||||
regenerated each time NixOS is activated. However, if
|
||||
<literal>preserveExisting</literal> isn't enabled, the complete file
|
||||
will be generated, and any user modifications will be wiped out.
|
||||
'';
|
||||
};
|
||||
|
||||
keys = mkOption {
|
||||
type = types.listOf types.string;
|
||||
default = [];
|
||||
description = ''
|
||||
A list of verbatim OpenSSH public keys that should be inserted into the
|
||||
user's authorized_keys file. You can combine the <literal>keys</literal> and
|
||||
A list of verbatim OpenSSH public keys that should be added to the
|
||||
user's authorized keys. The keys are added to a file that the SSH
|
||||
daemon reads in addition to the the user's authorized_keys file.
|
||||
You can combine the <literal>keys</literal> and
|
||||
<literal>keyFiles</literal> options.
|
||||
'';
|
||||
};
|
||||
|
||||
keyFiles = mkOption {
|
||||
#type = types.listOf types.string;
|
||||
default = [];
|
||||
description = ''
|
||||
A list of files each containing one OpenSSH public keys that should be
|
||||
inserted into the user's authorized_keys file. You can combine
|
||||
the <literal>keyFiles</literal> and
|
||||
<literal>keys</literal> options.
|
||||
A list of files each containing one OpenSSH public key that should be
|
||||
added to the user's authorized keys. The contents of the files are
|
||||
read at build time and added to a file that the SSH daemon reads in
|
||||
addition to the the user's authorized_keys file. You can combine the
|
||||
<literal>keyFiles</literal> and <literal>keys</literal> options.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
mkAuthkeyScript =
|
||||
let
|
||||
marker1 = "### NixOS auto-added key. Do not edit!";
|
||||
marker2 = "### NixOS will regenerate this file. Do not edit!";
|
||||
users = map (userName: getAttr userName config.users.extraUsers) (attrNames config.users.extraUsers);
|
||||
usersWithKeys = flip filter users (u:
|
||||
length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
|
||||
);
|
||||
userLoop = flip concatMapStrings usersWithKeys (u:
|
||||
let
|
||||
authKeys = concatStringsSep "," u.openssh.authorizedKeys.keys;
|
||||
authKeyFiles = concatStrings (map (x: " ${x}") u.openssh.authorizedKeys.keyFiles);
|
||||
preserveExisting = if u.openssh.authorizedKeys.preserveExistingKeys then "true" else "false";
|
||||
in ''
|
||||
mkAuthKeysFile "${u.name}" "${authKeys}" "${authKeyFiles}" "${preserveExisting}"
|
||||
''
|
||||
);
|
||||
in ''
|
||||
mkAuthKeysFile() {
|
||||
local userName="$1"
|
||||
local authKeys="$2"
|
||||
local authKeyFiles="$3"
|
||||
local preserveExisting="$4"
|
||||
|
||||
eval homeDir=~$userName
|
||||
if ! [ -d "$homeDir" ]; then
|
||||
echo "User $userName does not exist"
|
||||
return
|
||||
fi
|
||||
if ! [ -d "$homeDir/.ssh" ]; then
|
||||
mkdir -v -m 700 "$homeDir/.ssh"
|
||||
chown "$userName":users "$homeDir/.ssh"
|
||||
fi
|
||||
local authKeysFile="$homeDir/.ssh/authorized_keys"
|
||||
touch "$authKeysFile"
|
||||
if [ "$preserveExisting" == false ]; then
|
||||
rm -f "$authKeysFile"
|
||||
echo "${marker2}" > "$authKeysFile"
|
||||
else
|
||||
sed -i '/${marker1}/ d' "$authKeysFile"
|
||||
fi
|
||||
IFS=,
|
||||
for f in $authKeys; do
|
||||
echo "$f ${marker1}" >> "$authKeysFile"
|
||||
done
|
||||
unset IFS
|
||||
for f in $authKeyFiles; do
|
||||
if [ -f "$f" ]; then
|
||||
echo "$(cat "$f") ${marker1}" >> "$authKeysFile"
|
||||
fi
|
||||
done
|
||||
chown "$userName" "$authKeysFile"
|
||||
}
|
||||
|
||||
${userLoop}
|
||||
'';
|
||||
authKeysFiles = let
|
||||
mkAuthKeyFile = u: {
|
||||
target = "ssh/authorized_keys.d/${u.name}";
|
||||
mode = "0444";
|
||||
source = pkgs.writeText "${u.name}-authorized_keys" ''
|
||||
${concatStringsSep "\n" u.openssh.authorizedKeys.keys}
|
||||
${concatMapStrings (f: builtins.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
|
||||
'';
|
||||
};
|
||||
usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u:
|
||||
length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
|
||||
));
|
||||
in map mkAuthKeyFile usersWithKeys;
|
||||
|
||||
in
|
||||
|
||||
@ -244,6 +187,11 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
authorizedKeysFiles = mkOption {
|
||||
default = [];
|
||||
description = "Files from with authorized keys are read.";
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
default = "";
|
||||
description = "Verbatim contents of <filename>sshd_config</filename>.";
|
||||
@ -305,7 +253,7 @@ in
|
||||
home = "/var/empty";
|
||||
};
|
||||
|
||||
environment.etc = [
|
||||
environment.etc = authKeysFiles ++ [
|
||||
{ source = "${pkgs.openssh}/etc/ssh/moduli";
|
||||
target = "ssh/moduli";
|
||||
}
|
||||
@ -314,22 +262,10 @@ in
|
||||
}
|
||||
];
|
||||
|
||||
boot.systemd.services."set-ssh-keys" =
|
||||
{ description = "Update authorized SSH keys";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
script = mkAuthkeyScript;
|
||||
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.RemainAfterExit = true;
|
||||
};
|
||||
|
||||
boot.systemd.services.sshd =
|
||||
{ description = "SSH Daemon";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "set-ssh-keys.service" ];
|
||||
|
||||
path = [ pkgs.openssh ];
|
||||
|
||||
@ -360,6 +296,9 @@ in
|
||||
|
||||
security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
|
||||
|
||||
services.openssh.authorizedKeysFiles =
|
||||
[ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
|
||||
|
||||
services.openssh.extraConfig =
|
||||
''
|
||||
PidFile /run/sshd.pid
|
||||
@ -393,6 +332,8 @@ in
|
||||
ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
|
||||
|
||||
PrintMotd no # handled by pam_motd
|
||||
|
||||
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
|
||||
'';
|
||||
|
||||
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
|
||||
|
@ -75,7 +75,7 @@ let
|
||||
{ services.httpd.enable = true;
|
||||
services.httpd.adminAddr = "foo@example.org";
|
||||
services.httpd.servedDirs = singleton
|
||||
{ urlPath = "/channels/nixos-unstable";
|
||||
{ urlPath = "/binary-cache";
|
||||
dir = "/tmp/channel";
|
||||
};
|
||||
|
||||
@ -125,7 +125,6 @@ let
|
||||
"rm /etc/hosts",
|
||||
"echo 192.168.1.1 nixos.org > /etc/hosts",
|
||||
"ifconfig eth1 up 192.168.1.2",
|
||||
"nixos-rebuild pull",
|
||||
);
|
||||
|
||||
# Test nix-env.
|
||||
|
Loading…
Reference in New Issue
Block a user