The default, which is /tmp, has a few issues associated with it:
One being that it makes it easy for users on the system to spoof a
PostgreSQL server if it's not running, causing applications to connect
to their provided sockets instead of just failing to connect.
Another one is that it makes sandboxing of PostgreSQL and other services
unnecessarily difficult. This is already the case if only PrivateTmp is
used in a systemd service, so in order for such a service to be able to
connect to PostgreSQL, a bind mount needs to be done from /tmp to some
other path, so the service can access it. This pretty much defeats the
whole purpose of PrivateTmp.
We regularily run into issues with this in the past already (one example
would be https://github.com/NixOS/nixpkgs/pull/24317) and with the new
systemd-confinement mode upcoming in
https://github.com/NixOS/nixpkgs/pull/57519, it makes it even more
tedious to sandbox services.
I've tested this change against all the postgresql NixOS VM tests and
they still succeed and I also grepped through the source tree to replace
other occasions where we might have /tmp hardcoded. Luckily there were
very few occasions.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @ocharles, @thoughtpolice, @danbst
My implementation was relying on PrivateDevices, PrivateTmp,
PrivateUsers and others to be false by default if chroot-only mode is
used.
However there is an ongoing effort[1] to change these defaults, which
then will actually increase the attack surface in chroot-only mode,
because it is expected that there is no /dev, /sys or /proc.
If for example PrivateDevices is enabled by default, there suddenly will
be a mounted /dev in the chroot and we wouldn't detect it.
Fortunately, our tests cover that, but I'm preparing for this anyway so
that we have a smoother transition without the need to fix our
implementation again.
Thanks to @Infinisil for the heads-up.
[1]: https://github.com/NixOS/nixpkgs/issues/14645
Signed-off-by: aszlig <aszlig@nix.build>
From @edolstra at [1]:
BTW we probably should take the closure of the whole unit rather than
just the exec commands, to handle things like Environment variables.
With this commit, there is now a "fullUnit" option, which can be enabled
to include the full closure of the service unit into the chroot.
However, I did not enable this by default, because I do disagree here
and *especially* things like environment variables or environment files
shouldn't be in the closure of the chroot.
For example if you have something like:
{ pkgs, ... }:
{
systemd.services.foobar = {
serviceConfig.EnvironmentFile = ${pkgs.writeText "secrets" ''
user=admin
password=abcdefg
'';
};
}
We really do not want the *file* to end up in the chroot, but rather
just the environment variables to be exported.
Another thing is that this makes it less predictable what actually will
end up in the chroot, because we have a "globalEnvironment" option that
will get merged in as well, so users adding stuff to that option will
also make it available in confined units.
I also added a big fat warning about that in the description of the
fullUnit option.
[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704
Signed-off-by: aszlig <aszlig@nix.build>
Another thing requested by @edolstra in [1]:
We should not provide a different /bin/sh in the chroot, that's just
asking for confusion and random shell script breakage. It should be
the same shell (i.e. bash) as in a regular environment.
While I personally would even go as far to even have a very restricted
shell that is not even a shell and basically *only* allows "/bin/sh -c"
with only *very* minimal parsing of shell syntax, I do agree that people
expect /bin/sh to be bash (or the one configured by environment.binsh)
on NixOS.
So this should make both others and me happy in that I could just use
confinement.binSh = "${pkgs.dash}/bin/dash" for the services I confine.
[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704
Signed-off-by: aszlig <aszlig@nix.build>
Quoting @edolstra from [1]:
I don't really like the name "chroot", something like "confine[ment]"
or "restrict" seems better. Conceptually we're not providing a
completely different filesystem tree but a restricted view of the same
tree.
I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).
So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".
[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704
Signed-off-by: aszlig <aszlig@nix.build>
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.
This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.
However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.
Now if you want to chroot a systemd service, all you need to do is:
{
systemd.services.yourservice = {
description = "My Shiny Service";
wantedBy = [ "multi-user.target" ];
chroot.enable = true;
serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
};
}
If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.
In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".
Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.
However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).
Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.
The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.
Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.
[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
to make room for a *real* "full" confinement mode, which is more
restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix
Signed-off-by: aszlig <aszlig@nix.build>
This commit contains the following changes:
- nixos/sway: Remove the beta references
- sway: Drop buildDocs
- nixos/sway: Improve the documentation
- sway,nixos/sway: Adapt Sway to NixOS
- Copy the default configuration file to /etc/sway/config (Sway will
still load the identical file from the Nix store but this makes it
easier to copy the default configuration file).
- This will also remove all references to the Nix store from the
default configuration file as they will eventually be garbage
collected which is a problem if the user copies it.
- I've also decided to drop the default wallpaper (alternatively we
could copy it to a fixed location).
- nixos/sway: Drop the package option
This is the result of executing:
git mv -f pkgs/applications/window-managers/sway/beta.nix pkgs/applications/window-managers/sway/default.nix
git mv -f nixos/modules/programs/sway-beta.nix nixos/modules/programs/sway.nix
And removing sway-beta from the following files:
pkgs/top-level/all-packages.nix
nixos/modules/module-list.nix
The function `addCheck` resides within the attrset `types`. We should be
explicit about this since otherwise people might be confused where it
does come from / why it doesn't work for them.
We don't need gnome-bluetooth because its executables
path is already hardcoded into the contractor file, as that's
the only place it is needed.
Don't think we need gnome-power-manager either.
Also add programs like geary to removePackagesByName.
* zoneminder: fix initial database creation
Move initialDatabases directive from the 'ensureUsers' scope to the correct outer 'mysql' one.
* zoneminder: Fix mysql username to match unix username
When database.createLocally is used, a mysql user is created with the ensureUsers directive.
It ensures that the unix user with the name provided exists and can connect to MySQL through socket.
Thus, the MySQL username used by php/perl scripts must match the unix user owning the server PID.
This patch sets the default mysql user to 'zoneminder' instead of 'zmuser'.
If setting a root password using the `passwd` call in the
`nixos-install` script fails, it should be explained how set it manually
to ensure that nobody gets accidentally locked out of the system.
- Remove xdg-desktop-menu-dummy.menu kbuildsycoca5. Not sure why we
need it but it is a pretty big failure if it exists.
See issue #56176.
- plasma: clear ksycoca cache before building
This is needed to pick up on software removed since the last cache
update. Otherwise it hangs around as zombies forever (or until the
cache is cleared).
- Add the above + the icon cache cleanup to plasmaSetup
This will be run for the logged in user on each nixos-rebuild.
Unfortunately this only works if you are managing software through
nixos-rebuild (nix-env users need to run this manually, otherwise
log out and log back in).
The explicit remove helped to uncover some hidden uses of `optionSet`
in NixOps. However it makes life harder for end-users of NixOps - it will
be impossible to deploy 19.03 systems with old NixOps, but there is no
new release of NixOps with `optionSet` fixes.
Also, "deprecation" process isn't well defined. Even that `optionSet` was
declared "deprecated" for many years, it was never announced. Hence, I
leave "deprecation" announce. Then, 3 releases after announce,
we can announce removal of this feature.
This type has to be removed, not `throw`-ed in runtime, because it makes
some perfectly fine code to fail. For example:
```
$ nix-instantiate --eval -E '(import <nixpkgs/lib>).types' --strict
trace: `types.list` is deprecated; use `types.listOf` instead
error: types.optionSet is deprecated; use types.submodule instead
(use '--show-trace' to show detailed location information)
```
I think the bepasty nixos service has been broken since c539c02, since
bepasty changed from using python2.7 to python3.7. This updates the
nixos module to refer to the matching python version.
A nixos module for configuring the server side of pkgs.snapcast.
The module is named "snapserver" following upstream convention.
This commit does not provide module for the corresponding client.
Fix handling of port and controlPort
Fix stream uri generation & address review
Remove unused streams options & add description
Add missing description & Remove default fs path
Use types.port for ports & formatting improvements
Force mpd and mopidy to wait for snapserver
Before this change `man 5 configuration.nix` would only show options of modules in
the `baseModules` set, which consists only of the list of modules in
`nixos/modules/module-list.nix`
With this change applied and `documentation.nixos.includeAllModules` option enabled
all modules included in `configuration.nix` file will be used instead.
This makes configurations with custom modules self-documenting. It also means
that importing non-`baseModules` modules like `gce.nix` or `azure.nix`
will make their documentation available in `man 5 configuration.nix`.
`documentation.nixos.includeAllModules` is currently set to `false` by
default as enabling it usually uncovers bugs and prevents evaluation.
It should be set to `true` in a release or two.
This was originally implemented in #47177, edited for more configurability,
documented and rebased onto master by @oxij.
by adding targets and curl wait loops to services to ensure services
are not started before their depended services are reachable.
Extra targets cfssl-online.target and kube-apiserver-online.target
syncronize starts across machines and node-online.target ensures
docker is restarted and ready to deploy containers on after flannel
has discussed the network cidr with apiserver.
Since flannel needs to be started before addon-manager to configure
the docker interface, it has to have its own rbac bootstrap service.
The curl wait loops within the other services exists to ensure that when
starting the service it is able to do its work immediately without
clobbering the log about failing conditions.
By ensuring kubernetes.target is only reached after starting the
cluster it can be used in the tests as a wait condition.
In kube-certmgr-bootstrap mkdir is needed for it to not fail to start.
The following is the relevant part of systemctl list-dependencies
default.target
● ├─certmgr.service
● ├─cfssl.service
● ├─docker.service
● ├─etcd.service
● ├─flannel.service
● ├─kubernetes.target
● │ ├─kube-addon-manager.service
● │ ├─kube-proxy.service
● │ ├─kube-apiserver-online.target
● │ │ ├─flannel-rbac-bootstrap.service
● │ │ ├─kube-apiserver-online.service
● │ │ ├─kube-apiserver.service
● │ │ ├─kube-controller-manager.service
● │ │ └─kube-scheduler.service
● │ └─node-online.target
● │ ├─node-online.service
● │ ├─flannel.target
● │ │ ├─flannel.service
● │ │ └─mk-docker-opts.service
● │ └─kubelet.target
● │ └─kubelet.service
● ├─network-online.target
● │ └─cfssl-online.target
● │ ├─certmgr.service
● │ ├─cfssl-online.service
● │ └─kube-certmgr-bootstrap.service
to protect services from crashing and clobbering the logs when
certificates are not in place yet and make sure services are activated
when certificates are ready.
To prevent errors similar to "kube-controller-manager.path: Failed to
enter waiting state: Too many open files"
fs.inotify.max_user_instances has to be increased.
PlexPy was renamed to Tautulli.
This renames the module as well as the application accordingly.
Aliases are kept for backwards compatibility.
# Conflicts:
# nixos/modules/services/misc/tautulli.nix
The overwriteprotocol option can be used to force Nextcloud to generate
URLs with the given protocol. This is useful for instances behind
reverse proxies that serve Nextcloud with HTTPS.
In this case Nextcloud can't determine the proper protocol and it needs
to be configured manually.
https://github.com/golang/go/issues/9334 describes how net.Listen (as used by Alertmanager):
* listens on 127.0.0.1 if the listenAddress is "localhost"
* listens on all interfaces if the listenAddress is ""
If our old Nix can’t evaluate the Nixpkgs channel, try the fallback
from the new channel /first/. That way we can upgrade Nix to a newer
version and support breaking changes to Nix (like seen in the upgrade
o Nix 2.0).
This change should be backported to older NixOS versions!
Before flannel is ready there is a brief time where docker will be
running with a default docker0 bridge. If kubernetes happens to spawn
containers before flannel is ready, docker can't be restarted when
flannel is ready because some containers are still running on the
docker0 bridge with potentially different network addresses.
Environment variables in `EnvironmentFile` override those defined via
`Environment` in the systemd service config.
Co-authored-by: Christian Albrecht <christian.albrecht@mayflower.de>
+ isolate etcd on the master node by letting it listen only on loopback
+ enabling kubelet on master and taint master with NoSchedule
The reason for the latter is that flannel requires all nodes to be "registered"
in the cluster in order to setup the cluster network. This means that the
kubelet is needed even at nodes on which we don't plan to schedule anything.
- All kubernetes components have been seperated into different files
- All TLS-enabled ports have been deprecated and disabled by default
- EasyCert option added to support automatic cluster PKI-bootstrap
- RBAC has been enforced for all cluster components by default
- NixOS kubernetes test cases make use of easyCerts to setup PKI
This round is without the systemd CVE,
as we don't have binaries for that yet.
BTW, I just ignore darwin binaries these days,
as I'd have to wait for weeks for them.
Otherwise, the standard options (e.g. AddressFamily) cannot be overriden
in extraConfig, as the option is applied on the first (not most
specific) match. Closes#52267
The module is indeed very large but allows configuring every aspect of
icingaweb2. The built-in monitoring module is in an own file because
there are actually more (third-party) modules and this structure means
every module can get an own file.
The `| tee` invocation always masked the return value of the
switch-to-configuration test.
```
~ $ false | tee && echo "oh no"
oh no
```
The added wrapper script will still output everything to stderr, while
passing failures to the test harness.
Patch by @Baughn, who noticed these imports being very slow when run
serially with many datasets, so much that the service would time out and
fail, this fixes it.
This hasn't been needed for a long time, even when `mutableUsers =
false`. Setting a uid manually is potentially risky since it could
collide with non-declarative user accounts. (We do check for
collisions between declarative accounts.)
trace: warning: config.services.gitea.database.password will be stored as plaintext
in the Nix store. Use database.passwordFile instead.
(Arguably, this shouldn't be a warning at all. But making it happy is
easier than having a debate on the value of this warning.)
trace: warning: The options services.ndppd.interface and services.ndppd.network will probably be removed soon,
please use services.ndppd.proxies.<interface>.rules.<network> instead.
trace: warning: The option `services.rspamd.bindUISocket' defined in `<unknown-file>' has been renamed to `services.rspamd.workers.controller.bindSockets'.
trace: warning: The option `services.rspamd.bindSocket' defined in `<unknown-file>' has been renamed to `services.rspamd.workers.normal.bindSockets'.
trace: warning: The option `services.rspamd.workers.”rspamd_proxy".type` defined in `<unknown-file>' has enum value `proxy` which has been renamed to `rspamd_proxy`
With this option it's possible to specify a custom expression for
`roundcube`, i.e. a roundcube environment with third-party plugins as
shown in the testcase.
system-sendmail allows all sendmail's to be auto-detected, including on
non-NixOS systems. This is, to me, a better UX than having to manually
override the sendmailPath argument.
In exchange, it is a breach of retro-compatibility. Given right now I
can't see any uses for sendmailPath other than what is supported by
system-sendmail, I didn't keep it, but it'd be possible to allow
sendmailPath to override the choice of sendmail from system-sendmail.
* pr-55320:
nixos/release-notes: mention breaking changes with matrix-synapse update
nixos/matrix-synapse: reload service with SIGHUP
nixos/tests/matrix-synapse: generate ca and certificates
nixos/matrix-synapse: use python to launch synapse
pythonPackages.pymacaroons-pynacl: remove unmaintained fork
matrix-synapse: 0.34.1.1 -> 0.99.0
pythonPackages.pymacaroons: init at 0.13.0
Hydra should support multiple Nix versions (and currently contains fixes
to work with Nix 2.0 and higher).
Further Nix versions can be added to the `hydraPkgs` expression in the
test case which lists all supported Nix versions for Hydra.
Fixes#5185856e12aae54 ends up passing config to pkgs. Unfortunately this might be null and pkgs/top-level/default.nix assumes it is an attrset. To fix this, we just make the default for config = {}. Thanks to @kristoff3r for tracking this down.
/cc @domenkozar
This installs the kio "man:" protocol handler, which fixes the UNIX manual
section in the KDE Help Center.
Note that kde currently parses "/etc/man.conf" manually, if `$MANPATH` is not
set, to build its man page index. (if https://bugs.kde.org/show_bug.cgi?id=404022
is addressed, the "/etc/man.conf" symlink should not be necessary anymore)
Force this option to false. Leaving this as true (currently the default)
is dangerous. If the TT-RSS installation upgrades itself to a newer
version requiring a schema update, the installation will break the next
time the TT-RSS systemd service is restarted.
Ideally, the installation itself should be immutable (see
https://github.com/NixOS/nixpkgs/issues/55300).
* redmine: 3.4.8 -> 4.0.1
* nixos/redmine: update nixos test to run against both redmine 3.x and 4.x series
* nixos/redmine: default new installs from 19.03 onward to redmine 4.x series, while keeping existing installs on redmine 3.x series
* nixos/redmine: add comment about default redmine package to 19.03 release notes
* redmine: add aandersea as a maintainer
munin_update relies on a stats file that exists, but isn't found in the
default location on NixOS; the appropriate plugin configuration is
added.
munin_stats relies on munin-cron writing a logfile, which the NixOS
build of munin does not. (This is probably fixable in the munin package,
but I don't have time to dig into that right now.)
This permits custom styling of the generated HTML without needing to
build your own Munin package from source. Also comes with an example
that works as a passable dark theme for Munin.
extraAutoPlugins lets you list plugins and plugin directories to be
autoconfigured, and extraPlugins lets you enable plugins on a one-by-one
basis. This can be used to enable plugins from contrib (although you'll
need to download and check out contrib yourself, then point these
options at it), or plugins you've written yourself.
munin-graph is hardcoded to use DejaVu Mono for the graph legends; if it
can't find it, there's no guarantee it finds a monospaced font at all,
and if it can't find a monospaced font the legends come out badly
misformatted.
This is just a set of globs to remove from the active plugins directory
after autoconfiguration is complete.
I also removed the hard-coded disabling of "diskstats", since it seems
to work just fine now.
Since this module was written, Munin has moved their documentation from
munin-monitoring.org/wiki to guide.munin-monitoring.org. Most of the
links were broken, and the ones that weren't went to "please use the new
site" pages.
NixOS currently defaults services.nginx.package to
nginxStable. Including configuration files from nginxMainline could
potentially cause incompatible configuration.
Also simplified the argument parsing to write all currently supported
CLI options into a bash array and pass this to `nix-build`.
Also documented `--option` usage in the corresponding manpage.
- allow for options to (added 2 options):
- agree to eula (eula.txt) true/false will create symlink over
existing eula.txt to `/nix/store/...`.
- whitelist users (optional and will symlink over existing
whitelist.json and create backup)
- server.properties can be configured with the serverProperties
option. If there is an existing server.properties it will
copy it to a server.properties.old to keep the old
one. server.properties MUST be writable thus symlinking is not
an option.
- all ports that are stated in `server.properties` are exposed
properly in the firewall.
(infinisil) nixos/minecraft-server: Fix, refactor and polish
Adds an option `declarative` (defaulted to false), in order to stay
(mostly) backwards compatible. The only thing that's not backwards
compatible is that you now need to agree to the EULA on evaluation time,
but that's guarded by an assertion and therefore doesn't need a release
note.
27982b408e introduced a bug when
refactoring the encrypted-devices module, causing some encrypted
filesystem options to not be recognized anymore.
See e.g. https://hydra.nixos.org/build/88145490
New option `extraPluginPaths' that allows users to supply additional
paths for netdata plugins. Very useful for when you want to use
custom collection scripts.
This allows the VM to provide a `configuration.nix` file to the VM.
The test doesn't work in sandbox because it needs Internet (however it
works interactively).
The Openstack metadata service exposes the EC2 API. We use the
existing `ec2.nix` module to configure the hostname and ssh keys of an
Openstack Instance.
A test checks the ssh server is well configured.
This is mainly to reduce the size of the image (700MB). Also,
declarative features provided by cloud-init are not really useful
since we would prefer to use our `configuration.nix` file instead.
1. Allow syslog identifiers with special characters
2. Do not write a pid file as we are running in foreground anyway
3. Clean up the module for readability
Without this, when deploying using nixops, restarting sshguard would make
nixops show an error about restarting the service although the service is
actually being restarted.
This should make the composability of kernel configurations more straigthforward.
- now distinguish freeform options from tristate ones
- will look for a structured config in kernelPatches too
one can now access the structuredConfig from a kernel via linux_test.configfile.structuredConfig
in order to reinject it into another kernel, no need to rewrite the config from scratch
The following merge strategies are used in case of conflict:
-- freeform items must be equal or they conflict (mergeEqualOption)
-- for tristate (y/m/n) entries, I use the mergeAnswer strategy which takes the best available value, "best" being defined by the user (by default "y" > "m" > "n", e.g. if one entry is both marked "y" and "n", "y" wins)
-- if one item is both marked optional/mandatory, mandatory wins (mergeFalseByDefault)
I've been asked, on numerous occasions, by my students and others, how
to 'sudo' on NixOS.
Of course new users could read up in the manual on how to do that, or we
could make it more accessible for them by simply making it visible in
the default `configuration.nix` file.
Additionally, as raised in [1], replacing `guest` with something more
recognizable could be potentially beneficial to new users. I've
opted for `jane` for now.
[1]: https://github.com/NixOS/nixpkgs/pull/54519#issuecomment-457012223
