Commit Graph

177 Commits

Author SHA1 Message Date
William A. Kennington III
c234e7b115 nixos/networking: Rebuild resolvconf during activation
This is needed when /etc/resolv.conf is being overriden by networkd
and other configurations. If the file is destroyed by an environment
activation then it must be rebuilt so that applications which interface
with /etc/resolv.conf directly don't break.
2014-11-26 11:22:02 -08:00
William A. Kennington III
8cffa37787 networkd: Support Host Resolvconf 2014-11-26 11:22:02 -08:00
William A. Kennington III
a332c4eac5 systemd: Enable more network services 2014-11-26 11:22:02 -08:00
Luca Bruno
6af0d6974f Merge branch 'master' into staging 2014-11-10 10:03:52 +01:00
Rüdiger Sonderfeld
fa1cec1037 update-users-groups.pl: Use UTF-8 instead of latin1.
Perl seems to write the file in latin1 independent of the actual input
encoding.  This can corrupt the "description" field of /etc/passwd.  By
setting "binmode" to ":utf8" Perl can be forced to write UTF-8.  Ideally
the program would simply read/write the fields by value without any
changes in encoding.  However, assuming/enforcing UTF-8 is a lot better
than using an obsolete coding like latin1.
2014-11-08 19:25:17 +01:00
Vladimír Čunát
52404a868d Merge recent master into staging
Nixpkgs Hydra: ?compare=1157272

TODO: port e22889064f

Conflicts:
	nixos/tests/gnome3_10.nix (auto-solved)
	pkgs/applications/video/aegisub/default.nix
	pkgs/development/libraries/boost/1.55.nix
2014-11-05 15:00:44 +01:00
Vladimír Čunát
c0e2aceef4 fontconfig: patch and document 2014-11-05 12:12:30 +01:00
Eelco Dolstra
f496c3cbe4 Obsolete security.initialPassword
You can now set users.extraUsers.root.initialHashedPassword instead.
2014-11-03 12:36:56 +01:00
Eelco Dolstra
f8f787b800 Handle initialPassword and initialHashedPassword for !mutableUsers
In this case, they're equivalent to setting ‘password’ and
‘hashedPassword’ (since there is no distinction between an initial and
non-initial user account state).
2014-11-03 12:32:32 +01:00
Eelco Dolstra
3696536115 Handle removing a password if mutableUsers = false 2014-11-03 12:32:27 +01:00
Eelco Dolstra
1b53a3fcb7 Add initialPassword and initialHashedPassword options
These are like password and hashedPassword, except that they only
apply when the user is initially created.
2014-11-03 12:32:19 +01:00
Peter Simons
a9c53037fa Merge remote-tracking branch 'origin/master' into staging. 2014-11-02 16:15:53 +01:00
Eelco Dolstra
a9f5e77e2f update-users-groups.pl: Generate hashed passwords internally
I.e. don't call "passwd" to update /etc/shadow from the "password"
option. This has the side-effect of not updating the password if
mutableUsers = true (since the code path for "hashedPassword" has a
check for mutableUsers).

Fixes #4747.
2014-10-31 17:42:09 +01:00
Eelco Dolstra
f4be4f5e54 Merge remote-tracking branch 'origin/master' into staging 2014-10-24 12:24:13 +02:00
Luca Bruno
0927405a37 fontconfig: update 2.10.2 -> 2.11.1. Close #4410, #2050 2014-10-23 10:40:26 +02:00
Longrin Wischnewski
a2c65d447f passwordFile: update description 2014-10-23 04:52:50 +02:00
Eelco Dolstra
09dc132e04 Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/development/libraries/poppler/default.nix
2014-10-16 15:16:50 +02:00
Domen Kožar
4941b96f0c eval fix 2014-10-07 21:46:15 +02:00
Eelco Dolstra
a85dcf4a00 Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/development/libraries/libav/default.nix
	pkgs/shells/bash/bash-4.2-patches.nix
	pkgs/stdenv/generic/default.nix
2014-10-07 00:09:37 +02:00
Vladimír Čunát
e4436ad841 FONTCONFIG_FILE: remove setters to /etc/fonts/fonts.conf
Any reasonably new version of fontconfig does search that path by default,
and setting this globally causes problems, as 2.10 and 2.11 need
incompatible configs.

Tested: slim+xfce desktop, chrootenv-ed steam.
I have no idea why we were setting the global variable;
e.g., neither Fedora nor Ubuntu does that.
2014-10-05 17:05:27 +02:00
Nathaniel Baxter
0c8ad65560 pulseaudio: Add support for 32bit alsa apps on 64bit systems. 2014-10-04 14:48:58 +02:00
Rickard Nilsson
a59df1e567 nixos: Add also group.members to group 2014-09-22 19:18:08 +02:00
Eelco Dolstra
91ec6e0d90 Merge remote-tracking branch 'origin/master' into staging 2014-09-18 22:28:35 +02:00
Eelco Dolstra
ec4f38c56f Manual: Remove some option defaults that refer to store paths
Option defaults should not refer to store paths, because they cause
the manual to be rebuilt gratuitously. It's especially bad to refer to
a highly variable path like a computed configuration file.
2014-09-18 16:21:26 +02:00
Vladimír Čunát
d957b4bd78 Merge recent master into staging
Hydra nixpkgs: ?compare=1151601
2014-09-13 21:48:29 +02:00
Eelco Dolstra
624efa4224 Support users-groups.json referring to store paths
Fixes #4016.
2014-09-10 11:50:45 +02:00
Eelco Dolstra
152ae27aac Merge remote-tracking branch 'origin/systemd-216' into staging 2014-09-08 13:53:33 +02:00
Eelco Dolstra
585983bc95 Merge remote-tracking branch 'origin/staging'
Conflicts:
	pkgs/applications/version-management/subversion/default.nix
2014-09-08 11:42:09 +02:00
Nicolas Pierron
becde6132b Replace environment.profileVariables by environment.profileRelativeEnvVars 2014-09-07 19:41:00 +02:00
Vladimír Čunát
06fea81c6e Merge recent master into staging
Hydra: ?compare=1150594
2014-09-06 16:52:45 +02:00
Eelco Dolstra
20be024d1b Fix subuid/subgid generation
I don't think we need to filter users with an unset uid, because
mkSubuidEntry/mkSubgidEntry don't references the uid.
2014-09-05 17:40:09 +02:00
Rickard Nilsson
66ee6e03e7 pulseaudio: Use group audio instead of pulse-access 2014-09-03 13:24:47 +02:00
Rickard Nilsson
56102642fa pulseaudio: Add pulse-access group, controlling access to the system-wide PA daemon 2014-09-03 10:25:36 +02:00
Eelco Dolstra
3d821c068a Merge remote-tracking branch 'origin/master' into systemd-216 2014-09-02 14:43:27 +02:00
Peter Simons
1c0d15b90e Merge branch 'origin/master' into staging.
Conflicts:
	pkgs/development/libraries/ffmpeg/2.x.nix
	pkgs/development/libraries/serf/default.nix
2014-09-02 12:31:03 +02:00
Vladimir Still
5588ad472b vpnc: Fix building of system config. 2014-08-31 21:39:03 +02:00
Sam Griffin
ec8e4d23f1 cleanup per Lethalman's suggestions 2014-08-31 13:01:20 -04:00
Sam Griffin
0667d67c95 Adding vpnc configuration module 2014-08-31 12:44:13 -04:00
Vladimír Čunát
e51f73652d Merge recent master into staging
Hydra: ?compare=1149952

Conflicts:
	nixos/doc/manual/configuration.xml (changed split file)
	nixos/modules/config/users-groups.nix (choosing filterNull instead of inline definition)
	pkgs/development/libraries/readline/readline6.3.nix (auto-solved)
2014-08-30 10:04:02 +02:00
aszlig
e0e65cbf8e
nixos/users-groups: Fix eval on missing uid/gid.
This hopefully fixes a regression introduced by 08b214a.

In bf129a2, it was already fixed for normal uid/gid values and it got
reintroduced by sub-uid/gid-handling again, so I've refactored it a bit
into a filterNull function which takes care of also the filtering
introduced by bf129a2.

I have not tested this extensively, but master is already broken for
systems with `mutableUsers = true` and no uid values set.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-29 07:17:19 +02:00
Michael Raskin
844fd2553e Merge pull request #3745 from wkennington/master.dnsmasq
dnsmasq: Update and enable dbus support
2014-08-29 01:43:41 +04:00
Michael Raskin
e8badf3c3b Merge pull request #3275 from taku0/gtk-env
uim, gtk-exe-env, qt-plugin-env: Add input method modules for GTK+ and Qt
2014-08-29 01:35:38 +04:00
Michael Raskin
1fd14fa415 Merge pull request #3100 from tailhook/new-shadow
Upgrade "shadow" to 4.2.1
2014-08-29 00:42:57 +04:00
Paul Colomiets
adbb9ff796 dnsmasq: upgrade to 2.71, fixed dnsmasq module
* The module now has systemd config

* Add resolveLocalQueries option which sets up it as a dns server for
  local host (including reasonable setup of resolvconf)

* Add "dnsmasq" user for running daemon

* Enabled dbus and dnssec support for the package

Conflicts:
	nixos/modules/misc/ids.nix
2014-08-28 11:39:03 -07:00
aszlig
8a56a55bb4
nixos/manual: Use literalExample when feasible.
Should bring most of the examples into a better consistency regarding
syntactic representation in the manual.

Thanks to @devhell for reporting.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-27 23:41:15 +02:00
aszlig
9667a4067c
nixos: Use literalExample for systemPackages.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-27 22:44:56 +02:00
Eelco Dolstra
d2539605e1 Remove reference to icecat 2014-08-25 14:35:08 +02:00
Eelco Dolstra
d73025a5fe Enable systemd's mymachines NSS module
It makes every local container registered with machined resolvable.
2014-08-24 17:10:19 +02:00
Vladimír Čunát
d4e9fd2a90 Merge recent master into staging
Hydra: ?compare=1148749

Conflicts (easy):
	nixos/modules/virtualisation/containers.nix
2014-08-21 15:09:31 +02:00
Matej Cotman
f4b5cd9f3f use mkDefault on root's shell 2014-08-20 21:17:48 +02:00
Eelco Dolstra
6dc5db3850 Fix setting an empty password 2014-08-18 17:12:56 +02:00
Eelco Dolstra
a323d146b7 Add user attribute isNormalUser
This is shorthand for setting group, createHome, home, useDefaultShell
and isSystemUser.
2014-08-15 02:16:04 +02:00
Eelco Dolstra
1a75958be5 Unify mutableUsers = { true, false }
With mutableUsers = true, we now ensure that all users and groups that
were created declaratively, are updated or removed
appropriately. Thus, adding a user to users.extraUsers and then
removing it now causes the acoount to be removed from
/etc/passwd. Thus user/group management is fully congruent except that
users and groups that were created imperatively (via useradd/groupadd)
are not touched. We distinguish between declarative and imperative
users/groups by tracking the former in
/var/lib/nixos/declarative-{groups,users}.

With mutableUsers = false, you are now no longer required to specify
UIDs/GIDs for all users. The handling of mutableUsers = true/false is
the same code path; the only difference is that the "false" mode
ignores the existing contents of /etc/{passwd,group}.

The attribute ‘createUser’ is gone. It doesn't really make sense to
specify users that shouldn't be created.
2014-08-15 02:15:29 +02:00
Domen Kožar
cc8e4f6814 provide pulseaudioFull and set it as default to hardware.pulseaudio.package 2014-08-12 12:51:25 +02:00
Rickard Nilsson
a01862a4b6 nslcd nixos service: Should be wantedBy multi-user, otherwise not started if activated on running server (only starts on bootup) 2014-08-08 17:40:14 +02:00
Paul Colomiets
08b214a8f2 First implementation of subuid/subgid manipulation module 2014-08-01 21:27:20 +03:00
Paul Colomiets
496d12958e Add automatic plugin activation for vim 2014-07-15 14:59:15 +02:00
taku0
a0c91d66f1 uim, gtk-exe-env, qt-plugin-env: Add input method modules for GTK+ and Qt 2014-07-14 21:33:05 +09:00
Shea Levy
b3cfb9084b Get all lib functions from lib, not pkgs.lib, in modules 2014-07-02 12:28:18 -04:00
Michael Raskin
f2e9ebbd46 Merge pull request #2283 from wizeman/u/sysctl-merge
nixos: Fix sysctl option merging
2014-06-30 09:03:33 +04:00
Bjørn Forsman
4def9a762f nixos: add some missing '.' in option descriptions 2014-06-24 21:25:11 +02:00
Eelco Dolstra
13befa3979 Set session variables in the shell as well 2014-06-13 18:34:56 +02:00
Eelco Dolstra
f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables
This makes it clearer that they're part of PAM sessions.
2014-06-13 17:57:04 +02:00
Michael Raskin
dceda93bd0 Merge pull request #2543 from wizeman/u/zramswap
nixos: Add zram swap module
2014-06-12 13:01:29 +04:00
Eelco Dolstra
8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env""
This reverts commit 491c088731.
2014-06-10 13:07:10 +02:00
Eelco Dolstra
491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env"
This reverts commit 18a0cdd864.
2014-06-10 13:03:44 +02:00
Vladimír Čunát
18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Sönke Hahn
089b293019 better error message in case of missing uids 2014-05-28 20:12:53 +08:00
Eelco Dolstra
58226a7b06 Add type for fonts.fonts option 2014-05-22 14:20:23 +02:00
Eelco Dolstra
7fd13ddc66 Set TZDIR for all systemd services
This only matters if a service also overrides the $TZ variable.

Issue #2447.
2014-05-21 18:31:40 +02:00
Charles Strahan
5445132f73 fix -G delimiter in call to useradd 2014-05-17 00:45:16 -04:00
Eelco Dolstra
4fc151b5a3 nixos-install: Ask the user to set a root password
This removes the need to have an initially empty root password.
2014-05-09 00:52:02 +02:00
Ricardo M. Correia
cd1b48bc35 nixos: Add zram swap module
This allows you to use the Linux kernel's built-in compressed memory as
swap space functionality.

It is recommended to enable only for kernel 3.14 (which is when zram came out of
the staging drivers area) or higher.
2014-05-06 20:04:22 +02:00
Rob Vermaas
d056d1d37b Fix users.*.extraGroups for users.mutableUsers = true.
(cherry picked from commit eb222923054fdc895ab73ff5d0260c1e1fc689c7)
2014-05-05 15:35:16 +02:00
Eelco Dolstra
e6b5c0121f Obsolete fonts.extraFonts
You can now just set fonts.fonts, which will be merged with the
default value unless you use mkOverride.
2014-04-29 12:34:57 +02:00
Eelco Dolstra
d6c2dcd98c Remove redundant ~/.fonts element from the font search path 2014-04-29 12:27:03 +02:00
Eelco Dolstra
05468f9b78 Bring back the isSystemUser option 2014-04-29 10:43:38 +02:00
Eelco Dolstra
d4986b5fd3 Don't create world-readable swapfiles 2014-04-24 15:19:10 +02:00
Rickard Nilsson
cfa5b5778c pulseaudio module: Use pid-file for system-wide daemon, add loglevel option 2014-04-21 23:22:11 +02:00
Eelco Dolstra
4e8c2f0ff9 Merge branch 'systemd-update' 2014-04-20 19:31:01 +02:00
Eelco Dolstra
465d6ff572 Set $LOCALE_ARCHIVE in all systemd units
This variable used to be inherited implicitly from the stage-2 script,
but systemd now clears the environment. So we need to set it
explicitly.
2014-04-18 19:04:45 +02:00
Eelco Dolstra
ffedee6ed5 Start ssh-agent as a user unit
This has some advantages:

* You get ssh-agent regardless of how you logged in. Previously it was
  only started for X11 sessions.

* All sessions of a user share the same agent. So if you added a key
  on tty1, it will also be available on tty2.

* Systemd will restart ssh-agent if it dies.

* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
  more secure than /tmp.

For bonus points, we should patch ssh-agent to support socket-based
activation...
2014-04-18 00:45:26 +02:00
Eelco Dolstra
179acfb664 Allow upstream systemd units to be extended
If you define a unit, and either systemd or a package in
systemd.packages already provides that unit, then we now generate a
file /etc/systemd/system/<unit>.d/overrides.conf. This makes it
possible to use upstream units, while allowing them to be customised
from the NixOS configuration. For instance, the module nix-daemon.nix
now uses the units provided by the Nix package. And all unit
definitions that duplicated upstream systemd units are finally gone.

This makes the baseUnit option unnecessary, so I've removed it.
2014-04-17 18:52:31 +02:00
Domen Kožar
3a9f28ee08 Merge pull request #2185 from lethalman/gnome3
tracker, licenses.cc-by-30, gnome-user-docs, upgrade sushi, gnome-keyring service, gnome-user-share, gnome-tweak-tool, gnome-shell-extensions, xdg-user-dirs
2014-04-16 18:08:00 +02:00
Eelco Dolstra
150d3b0095 no-x-libs.nix: Disable su xauth forwarding, and X11 dependency in dbus 2014-04-16 16:58:06 +02:00
William A. Kennington III
dd209e901c cpu-freq: Use cpupower instead of cpufrequtils
Additionally, put the powersave utility in charge of loading the
cpufrequency modules based on the governor specified in the
configuration.
2014-04-16 01:10:26 +02:00
Ricardo M. Correia
d8b21c2224 nixos: Fix sysctl option merging
Using pkgs.lib.mkOverride in a sysctl option would throw a bogus error.

Also, if you defined a sysctl multiple times in the same configuration,
only one of the values would be picked up, while the others were silently
discarded.

This patch should fix both issues. If you define a sysctl multiple
times at your highest defined priority level, you will get a proper
error with detailed location information.
2014-04-15 21:52:04 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Luca Bruno
add4977a91 system-path, gnome3: run update-desktop-database to create the mime cache
This allows programs such as yelp to handle help:// protocol schemas
2014-04-14 09:58:03 +02:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Rickard Nilsson
604306c34a Don't add users if createUser is false 2014-04-08 12:36:03 +02:00
Rickard Nilsson
bf129a2c23 Allow undefined uids and gids when mutableUsers = true
Groups and users without gid/uid are created with
useradd/groupadd after the passwd/group merge phase
if mutableUsers = true.

This should fix #2114.
2014-04-06 12:42:55 +02:00
William A. Kennington III
28ab3acb58 su: Make the su package a provider of only the su binary
Additionally, provide su with the base system and remove su from the
util-linux package as it is now provided by shadow.
2014-04-05 16:01:52 -05:00
ambrop7@gmail.com
49768ca8ff power-management: Don't enable acpid.
Running acpid along with systemd will cause double handling of acpi events.
2014-03-15 12:17:00 +01:00
Domen Kožar
bb7fe59b80 Merge pull request #1767 from the-kenny/fix-consoleKeyMap-type
i18n.consoleKeyMap: Accept string or path.
2014-03-08 18:04:55 +01:00
Domen Kožar
97a0dd9eb9 nixos: set all package options to have type package 2014-02-27 13:22:29 +01:00
Moritz Ulrich
958df8b9d1 i18n.consoleKeyMap: Accept string or path.
i18n.consoleKeyMap maps to KEYMAP=... in vconsole.conf and `loadkeymap'
in stage1. Both of these accept paths to a keymap file in addition to
a string containing the name of the keymap.

With this commit, it's possible to use your own keymap via:

i18n.consoleKeyMap = ./path/to/something.kmap
2014-02-17 20:46:33 +01:00
Shea Levy
abf901484c Allow directly setting hashedPassword for root 2014-02-16 07:33:07 -05:00
Shea Levy
80cc2697b1 user-groups: Sidestep all password escaping issues
Now passwords are written to a file first
2014-02-10 10:12:34 -05:00
Thomas Tuegel
3dc6168b31 Properly escape passwords sent to chpasswd
The mutableUsers feature uses `chpasswd` to set users passwords.
Passwords and their hashes were being piped into the program using
double quotes ("") to escape. This causes any `$` characters to be
expanded as shell variables. This is a serious problem because all the
password hash methods besides DES use multiple `$` in the hashes. Single
quotes ('') should be used instead to prevent shell variable expansion.
2014-02-10 08:16:22 -06:00