Merge branch 'master' into staging

12 files changed, 420 insertions, 21 deletions

diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix
index 67e536f4fd93..96593885e5b7 100644
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@@ -80,12 +80,12 @@ in {
 
       package = mkOption {
         type = types.package;
-        default = pulseaudio;
-        example = literalExample "pulseaudio.override { jackaudioSupport = true; }";
+        default = pulseaudioFull;
+        example = literalExample "pulseaudioFull";
         description = ''
-          The PulseAudio derivation to use.  This can be used to enable
-          features (such as JACK support) that are not enabled in the
-          default PulseAudio in Nixpkgs.
+          The PulseAudio derivation to use.  This can be used to disable
+          features (such as JACK support, Bluetooth) that are enabled in the
+          pulseaudioFull package in Nixpkgs.
         '';
       };
 
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 853efcc09dc1..fa81ff8a8398 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -139,6 +139,8 @@
       polipo = 129;
       mopidy = 130;
       unifi = 131;
+      gdm = 132;
+      dhcpd = 133;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -252,6 +254,8 @@
       polipo = 129;
       mopidy = 130;
       docker = 131;
+      gdm = 132;
+      tss = 133;
 
       # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 4806c0e93312..d90c56f2412a 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -50,6 +50,7 @@
   ./programs/bash/bash.nix
   ./programs/bash/command-not-found.nix
   ./programs/blcr.nix
+  ./programs/dconf.nix
   ./programs/environment.nix
   ./programs/info.nix
   ./programs/screen.nix
@@ -125,6 +126,7 @@
   ./services/hardware/pcscd.nix
   ./services/hardware/pommed.nix
   ./services/hardware/sane.nix
+  ./services/hardware/tcsd.nix
   ./services/hardware/thinkfan.nix
   ./services/hardware/udev.nix
   ./services/hardware/udisks2.nix
@@ -279,6 +281,7 @@
   ./services/x11/desktop-managers/default.nix
   ./services/x11/display-managers/auto.nix
   ./services/x11/display-managers/default.nix
+  ./services/x11/display-managers/gdm.nix
   ./services/x11/display-managers/kdm.nix
   ./services/x11/display-managers/lightdm.nix
   ./services/x11/display-managers/slim.nix
@@ -290,6 +293,7 @@
   #./services/x11/window-managers/compiz.nix
   ./services/x11/window-managers/default.nix
   ./services/x11/window-managers/icewm.nix
+  ./services/x11/window-managers/bspwm.nix
   ./services/x11/window-managers/metacity.nix
   ./services/x11/window-managers/none.nix
   ./services/x11/window-managers/twm.nix
diff --git a/nixos/modules/programs/dconf.nix b/nixos/modules/programs/dconf.nix
new file mode 100644
index 000000000000..1b7e20799819
--- /dev/null
+++ b/nixos/modules/programs/dconf.nix
@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkOption mkIf types mapAttrsToList;
+  cfg = config.programs.dconf;
+
+  mkDconfProfile = name: path:
+    { source = path; target = "dconf/profile/${name}"; };
+
+in
+{
+  ###### interface
+
+  options = {
+    programs.dconf = {
+
+      profiles = mkOption {
+        type = types.attrsOf types.path;
+        default = {};
+        description = "Set of dconf profile files.";
+        internal = true;
+      };
+
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf (cfg.profiles != {}) {
+    environment.etc =
+      (mapAttrsToList mkDconfProfile cfg.profiles);
+  };
+
+}
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index c31e57e6f6f8..4d8fabc7696e 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -30,7 +30,8 @@ with lib;
 
       description = "Hardware RNG Entropy Gatherer Daemon";
 
-      serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f";
+      serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +
+        (if config.services.tcsd.enable then " --no-tpm=1" else "");
 
       restartTriggers = [ pkgs.rng_tools ];
     };
diff --git a/nixos/modules/services/hardware/tcsd.nix b/nixos/modules/services/hardware/tcsd.nix
new file mode 100644
index 000000000000..26b2c884b8f1
--- /dev/null
+++ b/nixos/modules/services/hardware/tcsd.nix
@@ -0,0 +1,139 @@
+# tcsd daemon.
+
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+let
+
+  cfg = config.services.tcsd;
+
+  tcsdConf = pkgs.writeText "tcsd.conf" ''
+    port = 30003
+    num_threads = 10
+    system_ps_file = ${cfg.stateDir}/system.data
+    # This is the log of each individual measurement done by the system.
+    # By re-calculating the PCR registers based on this information, even
+    # finer details about the measured environment can be inferred than
+    # what is available directly from the PCR registers.
+    firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
+    kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
+    #firmware_pcrs = 0,1,2,3,4,5,6,7
+    #kernel_pcrs = 10,11
+    platform_cred = ${cfg.platformCred}
+    conformance_cred = ${cfg.conformanceCred}
+    endorsement_cred = ${cfg.endorsementCred}
+    #remote_ops = create_key,random
+    #host_platform_class = server_12
+    #all_platform_classes = pc_11,pc_12,mobile_12
+  '';
+
+in
+{
+
+  ###### interface
+
+  options = {
+
+    services.tcsd = {
+
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Whether to enable tcsd, a Trusted Computing management service
+          that provides TCG Software Stack (TSS).  The tcsd daemon is
+          the only portal to the Trusted Platform Module (TPM), a hardware
+          chip on the motherboard.
+        '';
+      };
+
+      user = mkOption {
+        default = "tss";
+        type = types.string;
+        description = "User account under which tcsd runs.";
+      };
+
+      group = mkOption {
+        default = "tss";
+        type = types.string;
+        description = "Group account under which tcsd runs.";
+      };
+
+      stateDir = mkOption {
+	default = "/var/lib/tpm";
+        type = types.path;
+	description = ''
+          The location of the system persistent storage file.
+          The system persistent storage file holds keys and data across
+          restarts of the TCSD and system reboots. 
+	'';
+      };
+
+      platformCred = mkOption {
+        default = "${cfg.stateDir}/platform.cert";
+        type = types.path;
+        description = ''
+	  Path to the platform credential for your TPM. Your TPM
+          manufacturer may have provided you with a set of credentials
+          (certificates) that should be used when creating identities
+          using your TPM. When a user of your TPM makes an identity,
+          this credential will be encrypted as part of that process.
+          See the 1.1b TPM Main specification section 9.3 for information
+          on this process. '';
+      };
+
+      conformanceCred = mkOption {
+        default = "${cfg.stateDir}/conformance.cert";
+        type = types.path;
+        description = ''
+          Path to the conformance credential for your TPM.
+          See also the platformCred option'';
+      };
+
+      endorsementCred = mkOption {
+        default = "${cfg.stateDir}/endorsement.cert";
+        type = types.path;
+        description = ''
+          Path to the endorsement credential for your TPM.
+          See also the platformCred option'';
+      };
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ pkgs.trousers ];
+
+#    system.activationScripts.tcsd =
+#      ''
+#        chown ${cfg.user}:${cfg.group} ${tcsdConf}
+#      '';
+
+    systemd.services.tcsd = {
+      description = "TCSD";
+      after = [ "systemd-udev-settle.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.trousers ];
+      preStart =
+        ''
+        mkdir -m 0700 -p ${cfg.stateDir}
+        chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
+        '';
+      serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";
+    };
+
+    users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton
+      { name = "tss";
+        group = "tss";
+        uid = config.ids.uids.nginx;
+      });
+
+    users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton
+      { name = "tss";
+        gid = config.ids.gids.nginx;
+      });
+  };
+}
diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix
index e5e1c103c686..900df67b53aa 100644
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
@@ -13,7 +13,7 @@ let
       default-lease-time 600;
       max-lease-time 7200;
       authoritative;
-      ddns-update-style ad-hoc;
+      ddns-update-style interim;
       log-facility local1; # see dhcpd.nix
 
       ${cfg.extraConfig}
@@ -108,22 +108,41 @@ in
 
   config = mkIf config.services.dhcpd.enable {
 
-    jobs.dhcpd =
+    users = {
+      extraUsers.dhcpd = {
+        uid = config.ids.uids.dhcpd;
+        description = "DHCP daemon user";
+      };
+    };
+
+    systemd.services.dhcpd =
       { description = "DHCP server";
 
-        startOn = "started network-interfaces";
-        stopOn = "stopping network-interfaces";
+        wantedBy = [ "multi-user.target" ];
 
-        script =
+        after = [ "network.target" ];
+
+        path = [ pkgs.dhcp ];
+
+        preStart =
           ''
             mkdir -m 755 -p ${stateDir}
 
             touch ${stateDir}/dhcpd.leases
 
-            exec ${pkgs.dhcp}/sbin/dhcpd -f -cf ${configFile} \
-                -lf ${stateDir}/dhcpd.leases \
-                ${toString cfg.interfaces}
+            mkdir -m 755 -p /run/dhcpd
+            chown dhcpd /run/dhcpd
           '';
+
+        serviceConfig =
+          { ExecStart = "@${pkgs.dhcp}/sbin/dhcpd dhcpd"
+              + " -pf /run/dhcpd/dhcpd.pid -cf ${configFile}"
+              + " -lf ${stateDir}/dhcpd.leases -user dhcpd -group nogroup"
+              + " ${toString cfg.interfaces}";
+            Restart = "always";
+            Type = "forking";
+            PIDFile = "/run/dhcpd/dhcpd.pid";
+          };
       };
 
   };
diff --git a/nixos/modules/services/web-servers/lighttpd/default.nix b/nixos/modules/services/web-servers/lighttpd/default.nix
index f0f59a664026..fc9487ab4859 100644
--- a/nixos/modules/services/web-servers/lighttpd/default.nix
+++ b/nixos/modules/services/web-servers/lighttpd/default.nix
@@ -9,9 +9,9 @@ let
   cfg = config.services.lighttpd;
 
   needModRedirect = cfg.gitweb.enable;
-  needModAlias = cfg.cgit.enable or cfg.gitweb.enable;
-  needModSetenv = cfg.cgit.enable or cfg.gitweb.enable;
-  needModCgi = cfg.cgit.enable or cfg.gitweb.enable;
+  needModAlias = cfg.cgit.enable || cfg.gitweb.enable;
+  needModSetenv = cfg.cgit.enable || cfg.gitweb.enable;
+  needModCgi = cfg.cgit.enable || cfg.gitweb.enable;
   needModStatus = cfg.mod_status;
   needModUserdir = cfg.mod_userdir;
 
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index df50ca8c905c..06bcb6dbb8be 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -35,6 +35,14 @@ in {
       description = "Enable Gnome 3 desktop manager.";
     };
 
+    services.xserver.desktopManager.gnome3.sessionPath = mkOption {
+      default = [];
+      example = "[ pkgs.gnome3.gpaste ]";
+      description = "Additional list of packages to be added to the session search path.
+                     Useful for gnome shell extensions or gsettings-conditionated autostart.";
+      apply = list: list ++ [ gnome3.gnome_shell ]; 
+    };
+
     environment.gnome3.packageSet = mkOption {
       default = pkgs.gnome3;
       example = literalExample "pkgs.gnome3_12";
@@ -86,10 +94,19 @@ in {
 
           export XDG_MENU_PREFIX=gnome
 
-          # Don't let epiphany depend upon gnome-shell
-          # Don't let gnome-session depend upon vino (for .desktop autostart condition)
+          ${concatMapStrings (p: ''
+            if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then
+              export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name}
+            fi
+
+            if [ -d "${p}/lib/girepository-1.0" ]; then
+              export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0
+              export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib
+            fi
+          '') cfg.sessionPath}
+
           # Override default mimeapps
-          export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${gnome3.gnome_shell}/share/gsettings-schemas/${gnome3.gnome_shell.name}:${gnome3.vino}/share/gsettings-schemas/${gnome3.vino.name}:${mimeAppsList}/share
+          export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${mimeAppsList}/share
 
           # Let gnome-control-center find gnome-shell search providers
           export GNOME_SEARCH_PROVIDERS_DIR=${config.system.path}/share/gnome-shell/search-providers/
@@ -123,7 +140,7 @@ in {
         gnome3.gnome_settings_daemon
         gnome3.gnome_shell
         gnome3.gnome_themes_standard
-      ] ++ (removePackagesByName [
+      ] ++ cfg.sessionPath ++ (removePackagesByName [
         gnome3.baobab
         gnome3.empathy
         gnome3.eog
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
new file mode 100644
index 000000000000..9d14fc2e137c
--- /dev/null
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -0,0 +1,151 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.xserver.displayManager;
+  gdm = pkgs.gnome3_12.gdm; # gdm 3.10 not supported
+  gnome3 = config.environment.gnome3.packageSet;
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.xserver.displayManager.gdm = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description = ''
+          Whether to enable GDM as the display manager.
+          <emphasis>GDM is very experimental and may render system unusable.</emphasis>
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.gdm.enable {
+
+    services.xserver.displayManager.slim.enable = false;
+
+    users.extraUsers.gdm =
+      { name = "gdm";
+        uid = config.ids.uids.gdm;
+        group = "gdm";
+        home = "/run/gdm";
+        description = "GDM user";
+      };
+
+    users.extraGroups.gdm.gid = config.ids.gids.gdm;
+
+    services.xserver.displayManager.job =
+      { 
+        environment = {
+          GDM_X_SERVER = "${cfg.xserverBin} ${cfg.xserverArgs}";
+          GDM_SESSIONS_DIR = "${cfg.session.desktops}";
+          XDG_CONFIG_DIRS = "${gnome3.gnome_settings_daemon}/etc/xdg";
+        };
+        execCmd = "exec ${gdm}/sbin/gdm";
+      };
+
+    # Because sd_login_monitor_new requires /run/systemd/machines
+    systemd.services.display-manager.wants = [ "systemd-machined.service" ];
+    systemd.services.display-manager.after = [ "systemd-machined.service" ];
+
+    systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou ];
+
+    services.dbus.packages = [ gdm ];
+
+    programs.dconf.profiles.gdm = "${gdm}/share/dconf/profile/gdm";
+
+    # GDM LFS PAM modules, adapted somehow to NixOS
+    security.pam.services = {
+      gdm-launch-environment.text = ''
+        auth     required       pam_succeed_if.so audit quiet_success user = gdm
+        auth     optional       pam_permit.so
+
+        account  required       pam_succeed_if.so audit quiet_success user = gdm
+        account  sufficient     pam_unix.so
+
+        password required       pam_deny.so
+
+        session  required       pam_succeed_if.so audit quiet_success user = gdm
+        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
+        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
+        session  optional       pam_keyinit.so force revoke
+        session  optional       pam_permit.so
+      '';
+
+     gdm.text = ''
+        auth     requisite      pam_nologin.so
+        auth     required       pam_env.so
+
+        auth     required       pam_succeed_if.so uid >= 1000 quiet
+        auth     optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
+        auth     sufficient     pam_unix.so nullok likeauth
+        auth     required       pam_deny.so
+
+        account  sufficient     pam_unix.so
+
+        password requisite      pam_unix.so nullok sha512
+
+        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
+        session  required       pam_unix.so
+        session  required       pam_loginuid.so
+        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
+        session  optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
+      '';
+
+      gdm-password.text = ''
+        auth     requisite      pam_nologin.so
+        auth     required       pam_env.so envfile=${config.system.build.pamEnvironment}
+
+        auth     required       pam_succeed_if.so uid >= 1000 quiet
+        auth     optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
+        auth     sufficient     pam_unix.so nullok likeauth
+        auth     required       pam_deny.so 
+
+        account  sufficient     pam_unix.so
+        
+        password requisite      pam_unix.so nullok sha512
+
+        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
+        session  required       pam_unix.so
+        session  required       pam_loginuid.so
+        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
+        session  optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
+      '';
+
+      gdm-autologin.text = ''
+        auth     requisite      pam_nologin.so
+
+        auth     required       pam_succeed_if.so uid >= 1000 quiet
+        auth     required       pam_permit.so
+
+        account  sufficient     pam_unix.so
+
+        password requisite      pam_unix.so nullok sha512
+
+        session  optional       pam_keyinit.so revoke
+        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
+        session  required       pam_unix.so
+        session  required       pam_loginuid.so
+        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
+      '';
+
+    };
+
+  };
+
+}
diff --git a/nixos/modules/services/x11/window-managers/bspwm.nix b/nixos/modules/services/x11/window-managers/bspwm.nix
new file mode 100644
index 000000000000..d234a432e9a9
--- /dev/null
+++ b/nixos/modules/services/x11/window-managers/bspwm.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.xserver.windowManager.bspwm;
+in
+
+{
+  options = {
+    services.xserver.windowManager.bspwm.enable = mkOption {
+      type = types.bool;
+      default = false;
+      example = true;
+      description = "Enable the bspwm window manager.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.xserver.windowManager.session = singleton {
+      name = "bspwm";
+      start = "
+        ${pkgs.sxhkd}/bin/sxhkd &
+        ${pkgs.bspwm}/bin/bspwm
+      ";
+    };
+    environment.systemPackages = [ pkgs.bspwm ];
+  };
+}
diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix
index f27ba3661413..45a4e947e0aa 100644
--- a/nixos/modules/services/x11/window-managers/default.nix
+++ b/nixos/modules/services/x11/window-managers/default.nix
@@ -17,6 +17,7 @@ in
       ./xmonad.nix
       ./i3.nix
       ./herbstluftwm.nix
+      ./bspwm.nix
     ];
 
   options = {