This is needed when /etc/resolv.conf is being overriden by networkd
and other configurations. If the file is destroyed by an environment
activation then it must be rebuilt so that applications which interface
with /etc/resolv.conf directly don't break.
Perl seems to write the file in latin1 independent of the actual input
encoding. This can corrupt the "description" field of /etc/passwd. By
setting "binmode" to ":utf8" Perl can be forced to write UTF-8. Ideally
the program would simply read/write the fields by value without any
changes in encoding. However, assuming/enforcing UTF-8 is a lot better
than using an obsolete coding like latin1.
In this case, they're equivalent to setting ‘password’ and
‘hashedPassword’ (since there is no distinction between an initial and
non-initial user account state).
I.e. don't call "passwd" to update /etc/shadow from the "password"
option. This has the side-effect of not updating the password if
mutableUsers = true (since the code path for "hashedPassword" has a
check for mutableUsers).
Fixes#4747.
Any reasonably new version of fontconfig does search that path by default,
and setting this globally causes problems, as 2.10 and 2.11 need
incompatible configs.
Tested: slim+xfce desktop, chrootenv-ed steam.
I have no idea why we were setting the global variable;
e.g., neither Fedora nor Ubuntu does that.
Option defaults should not refer to store paths, because they cause
the manual to be rebuilt gratuitously. It's especially bad to refer to
a highly variable path like a computed configuration file.
This hopefully fixes a regression introduced by 08b214a.
In bf129a2, it was already fixed for normal uid/gid values and it got
reintroduced by sub-uid/gid-handling again, so I've refactored it a bit
into a filterNull function which takes care of also the filtering
introduced by bf129a2.
I have not tested this extensively, but master is already broken for
systems with `mutableUsers = true` and no uid values set.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* The module now has systemd config
* Add resolveLocalQueries option which sets up it as a dns server for
local host (including reasonable setup of resolvconf)
* Add "dnsmasq" user for running daemon
* Enabled dbus and dnssec support for the package
Conflicts:
nixos/modules/misc/ids.nix
Should bring most of the examples into a better consistency regarding
syntactic representation in the manual.
Thanks to @devhell for reporting.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With mutableUsers = true, we now ensure that all users and groups that
were created declaratively, are updated or removed
appropriately. Thus, adding a user to users.extraUsers and then
removing it now causes the acoount to be removed from
/etc/passwd. Thus user/group management is fully congruent except that
users and groups that were created imperatively (via useradd/groupadd)
are not touched. We distinguish between declarative and imperative
users/groups by tracking the former in
/var/lib/nixos/declarative-{groups,users}.
With mutableUsers = false, you are now no longer required to specify
UIDs/GIDs for all users. The handling of mutableUsers = true/false is
the same code path; the only difference is that the "false" mode
ignores the existing contents of /etc/{passwd,group}.
The attribute ‘createUser’ is gone. It doesn't really make sense to
specify users that shouldn't be created.
This allows you to use the Linux kernel's built-in compressed memory as
swap space functionality.
It is recommended to enable only for kernel 3.14 (which is when zram came out of
the staging drivers area) or higher.
This has some advantages:
* You get ssh-agent regardless of how you logged in. Previously it was
only started for X11 sessions.
* All sessions of a user share the same agent. So if you added a key
on tty1, it will also be available on tty2.
* Systemd will restart ssh-agent if it dies.
* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
more secure than /tmp.
For bonus points, we should patch ssh-agent to support socket-based
activation...
If you define a unit, and either systemd or a package in
systemd.packages already provides that unit, then we now generate a
file /etc/systemd/system/<unit>.d/overrides.conf. This makes it
possible to use upstream units, while allowing them to be customised
from the NixOS configuration. For instance, the module nix-daemon.nix
now uses the units provided by the Nix package. And all unit
definitions that duplicated upstream systemd units are finally gone.
This makes the baseUnit option unnecessary, so I've removed it.
Using pkgs.lib.mkOverride in a sysctl option would throw a bogus error.
Also, if you defined a sysctl multiple times in the same configuration,
only one of the values would be picked up, while the others were silently
discarded.
This patch should fix both issues. If you define a sysctl multiple
times at your highest defined priority level, you will get a proper
error with detailed location information.
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
i18n.consoleKeyMap maps to KEYMAP=... in vconsole.conf and `loadkeymap'
in stage1. Both of these accept paths to a keymap file in addition to
a string containing the name of the keymap.
With this commit, it's possible to use your own keymap via:
i18n.consoleKeyMap = ./path/to/something.kmap
The mutableUsers feature uses `chpasswd` to set users passwords.
Passwords and their hashes were being piped into the program using
double quotes ("") to escape. This causes any `$` characters to be
expanded as shell variables. This is a serious problem because all the
password hash methods besides DES use multiple `$` in the hashes. Single
quotes ('') should be used instead to prevent shell variable expansion.