author | Charles Strahan <charles.c.strahan@gmail.com> | 2015-01-20 20:21:03 -0500 |
---|---|---|
committer | Charles Strahan <charles.c.strahan@gmail.com> | 2015-01-20 20:21:03 -0500 |
commit | dfc225d143142764daf2c1e933e7303a82f7b0cd (patch) | |
tree | 351925e835e82d7f7d20a7eb8567b5a2aaa658c7 /nixos | |
parent | bd5374664663bbf1c2675c100eee8cfe14c6d148 (diff) | |
parent | c55b5eb245198cf3fa58e477a301c90f754f6682 (diff) | |
Merge branch 'master' of github.com:nixos/nixpkgs into pleasant-ruby
Conflicts: pkgs/applications/version-management/git-and-tools/default.nix pkgs/applications/version-management/git-and-tools/hub/default.nix pkgs/tools/audio/mpdcron/default.nix
Diffstat (limited to 'nixos')
71 files changed, 1096 insertions, 216 deletions
diff --git a/nixos/doc/manual/administration/control-groups.xml b/nixos/doc/manual/administration/control-groups.xml index 86c684cdfe5d..0d7b8ae910a7 100644 --- a/nixos/doc/manual/administration/control-groups.xml +++ b/nixos/doc/manual/administration/control-groups.xml @@ -58,12 +58,10 @@ controls memory allocation limits; by default, all processes are in the top-level cgroup, so any service or session can exhaust all available memory. Per-cgroup memory limits can be specified in <filename>configuration.nix</filename>; for instance, to limit -<literal>httpd.service</literal> to 512 MiB of RAM (excluding swap) -and 640 MiB of RAM (including swap): +<literal>httpd.service</literal> to 512 MiB of RAM (excluding swap): <programlisting> systemd.services.httpd.serviceConfig.MemoryLimit = "512M"; -systemd.services.httpd.serviceConfig.ControlGroupAttribute = [ "memory.memsw.limit_in_bytes 640M" ]; </programlisting> </para> @@ -72,4 +70,4 @@ systemd.services.httpd.serviceConfig.ControlGroupAttribute = [ "memory.memsw.lim continuously updated list of all cgroups with their CPU and memory usage.</para> -</chapter> \ No newline at end of file +</chapter> diff --git a/nixos/doc/manual/configuration/summary.xml b/nixos/doc/manual/configuration/summary.xml index 9bb5e35e16bc..6ff0390c0ed3 100644 --- a/nixos/doc/manual/configuration/summary.xml +++ b/nixos/doc/manual/configuration/summary.xml @@ -60,7 +60,7 @@ manual</link> for the rest.</para> <entry>A nested set, equivalent to <literal>{ foo = { bar = 1; }; }</literal></entry> </row> <row> - <entry><literal>rec { x = "bla"; y = x + "bar"; }</literal></entry> + <entry><literal>rec { x = "foo"; y = x + "bar"; }</literal></entry> <entry>A recursive set, equivalent to <literal>{ x = "foo"; y = "foobar"; }</literal></entry> </row> <row> diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index b0a755c6a6fc..fdfeb5ca07c1 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix 
@@ -20,7 +20,8 @@ let declarations = map (fn: stripPrefix fn) opt.declarations; } // optionalAttrs (opt ? example) { example = substFunction opt.example; } - // optionalAttrs (opt ? default) { default = substFunction opt.default; }); + // optionalAttrs (opt ? default) { default = substFunction opt.default; } + // optionalAttrs (opt ? type) { type = substFunction opt.type; }); prefix = toString ../../..; diff --git a/nixos/doc/manual/installation/obtaining.xml b/nixos/doc/manual/installation/obtaining.xml index 540f19c3201d..afd6c9543f70 100644 --- a/nixos/doc/manual/installation/obtaining.xml +++ b/nixos/doc/manual/installation/obtaining.xml @@ -8,7 +8,7 @@ <para>NixOS ISO images can be downloaded from the <link xlink:href="http://nixos.org/nixos/download.html">NixOS -homepage</link>. There are a number of installation options. If +download page</link>. There are a number of installation options. If you happen to have an optical drive and a spare CD, burning the image to CD and booting from that is probably the easiest option. Most people will need to prepare a USB stick to boot from. @@ -27,7 +27,7 @@ running NixOS system through several other means: <para>Using virtual appliances in Open Virtualization Format (OVF) that can be imported into VirtualBox. These are available from the <link xlink:href="http://nixos.org/nixos/download.html">NixOS - homepage</link>.</para> + download page</link>.</para> </listitem> <listitem> <para>Using AMIs for Amazon’s EC2. To find one for your region diff --git a/nixos/doc/manual/installation/upgrading.xml b/nixos/doc/manual/installation/upgrading.xml index 46d3af56b570..5a9d1f24f7c7 100644 --- a/nixos/doc/manual/installation/upgrading.xml +++ b/nixos/doc/manual/installation/upgrading.xml 
@@ -14,8 +14,8 @@ been built. These channels are: <itemizedlist> <listitem> - <para>Stable channels, such as <literal - xlink:href="https://nixos.org/channels/nixos-14.04">nixos-14.04</literal>. + <para><emphasis>Stable channels</emphasis>, such as <literal + xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>. These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but @@ -23,14 +23,28 @@ been built. These channels are: 3.11.<replaceable>x</replaceable> (a major change that has the potential to break things). Stable channels are generally maintained until the next stable branch is created.</para> + <para></para> </listitem> <listitem> - <para>The unstable channel, <literal + <para>The <emphasis>unstable channel</emphasis>, <literal xlink:href="https://nixos.org/channels/nixos-unstable">nixos-unstable</literal>. This corresponds to NixOS’s main development branch, and may thus see radical changes between channel updates. It’s not recommended for production systems.</para> </listitem> + <listitem> + <para><emphasis>Small channels</emphasis>, such as <literal + xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal> + or <literal + xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These + are identical to the stable and unstable channels described above, + except that they contain fewer binary packages. This means they + get updated faster than the regular channels (for instance, when a + critical security patch is committed to NixOS’s source tree), but + may require more packages to be built from source than + usual. They’re mostly intended for server environments and as such + contain few GUI applications.</para> + </listitem> </itemizedlist> To see what channels are available, go to <link 
@@ -41,8 +55,8 @@ appliances.)</para> <para>When you first install NixOS, you’re automatically subscribed to the NixOS channel that corresponds to your installation source. For -instance, if you installed from a 14.04 ISO, you will be subscribed to -the <literal>nixos-14.04</literal> channel. To see which NixOS +instance, if you installed from a 14.12 ISO, you will be subscribed to +the <literal>nixos-14.12</literal> channel. To see which NixOS channel you’re subscribed to, run the following as root: <screen> @@ -57,13 +71,19 @@ $ nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replac </screen> (Be sure to include the <literal>nixos</literal> parameter at the -end.) For instance, to use the NixOS 14.04 stable channel: +end.) For instance, to use the NixOS 14.12 stable channel: + +<screen> +$ nix-channel --add https://nixos.org/channels/nixos-14.12 nixos +</screen> + +If you have a server, you may want to use the “small” channel instead: <screen> -$ nix-channel --add https://nixos.org/channels/nixos-14.04 nixos +$ nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos </screen> -But if you want to live on the bleeding edge: +And if you want to live on the bleeding edge: <screen> $ nix-channel --add https://nixos.org/channels/nixos-unstable nixos diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml index 0ebee7d23f9b..06e7b4a98470 100644 --- a/nixos/doc/manual/man-nixos-install.xml +++ b/nixos/doc/manual/man-nixos-install.xml 
@@ -11,12 +11,29 @@ <refnamediv> <refname><command>nixos-install</command></refname> - <refpurpose>install NixOS</refpurpose> + <refpurpose>install bootloader and NixOS</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>nixos-install</command> + <arg> + <arg choice='plain'><option>-I</option></arg> + <replaceable>path</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--root</option></arg> + <replaceable>root</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--show-trace</option></arg> + </arg> + <arg> + <arg choice='plain'><option>--chroot</option></arg> + </arg> + <arg> + <arg choice='plain'><option>--help</option></arg> + </arg> </cmdsynopsis> </refsynopsisdiv> 
@@ -55,6 +72,56 @@ it.</para> </refsection> +<refsection><title>Options</title> + +<para>This command accepts the following options:</para> + +<variablelist> + + <varlistentry> + <term><option>--root</option></term> + <listitem> + <para>Defaults to <filename>/mnt</filename>. If this option is given, treat the directory + <replaceable>root</replaceable> as the root of the NixOS installation. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>-I</option></term> + <listitem> + <para>Add a path to the Nix expression search path. This option may be given multiple times. + See the NIX_PATH environment variable for information on the semantics of the Nix search path. + Paths added through <replaceable>-I</replaceable> take precedence over NIX_PATH.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--show-trace</option></term> + <listitem> + <para>Causes Nix to print out a stack trace in case of Nix expression evaluation errors.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--chroot</option></term> + <listitem> + <para>Chroot into given installation. Any additional arguments passed are going to be executed inside the chroot. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--help</option></term> + <listitem> + <para>Synonym for <command>man nixos-install</command>.</para> + </listitem> + </varlistentry> + +</variablelist> + +</refsection> + <refsection><title>Examples</title> @@ -72,6 +139,7 @@ $ mount /dev/sda1 /mnt $ nixos-generate-config --root /mnt $ # edit /mnt/etc/nixos/configuration.nix $ nixos-install +$ reboot </screen> </para> diff --git a/nixos/doc/manual/man-pages.xml b/nixos/doc/manual/man-pages.xml index 467864e208bd..97a2c16d406e 100644 --- a/nixos/doc/manual/man-pages.xml +++ b/nixos/doc/manual/man-pages.xml @@ -15,7 +15,7 @@ </author> <copyright> - <year>2007-2013</year> + <year>2007-2015</year> <holder>Eelco Dolstra</holder> </copyright> 
diff --git a/nixos/doc/manual/options-to-docbook.xsl b/nixos/doc/manual/options-to-docbook.xsl index e81a1dc356e1..af9eb0e48fb0 100644 --- a/nixos/doc/manual/options-to-docbook.xsl +++ b/nixos/doc/manual/options-to-docbook.xsl @@ -34,6 +34,14 @@ select="attr[@name = 'description']/string/@value" /> </para> + <xsl:if test="attr[@name = 'type']"> + <para> + <emphasis>Type:</emphasis> + <xsl:text> </xsl:text> + <xsl:apply-templates select="attr[@name = 'type']" mode="top" /> + </para> + </xsl:if> + <xsl:if test="attr[@name = 'default']"> <para> <emphasis>Default:</emphasis> diff --git a/nixos/doc/manual/release-notes/rl-1412.xml b/nixos/doc/manual/release-notes/rl-1412.xml index 324a3e6bdc2f..7249317a0c74 100644 --- a/nixos/doc/manual/release-notes/rl-1412.xml +++ b/nixos/doc/manual/release-notes/rl-1412.xml @@ -4,15 +4,14 @@ version="5.0" xml:id="sec-release-14.12"> -<title>Release 14.12 (“Caterpillar”, 2014/12/??)</title> +<title>Release 14.12 (“Caterpillar”, 2014/12/30)</title> <para>In addition to numerous new and upgraded packages, this release has the following highlights: <itemizedlist> <listitem><para>Systemd has been updated to version 217, which has numerous -<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements -.</link></para></listitem> +<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements.</link></para></listitem> <listitem><para><link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165"> Nix has been updated to 1.8.</link></para></listitem> 
@@ -23,76 +22,81 @@ Nix has been updated to 1.8.</link></para></listitem> <listitem><para>The default Linux kernel has been updated to 3.14.</para></listitem> -<listitem><para><option>users.mutableUsers</option> set to <literal>true</literal> now respect any changes -made after initial creation of a user or a group. -</para></listitem> +<listitem><para>If <option>users.mutableUsers</option> is enabled (the +default), changes made to the declaration of a user or group will be +correctly realised when running <command>nixos-rebuild</command>. For +instance, removing a user specification from +<filename>configuration.nix</filename> will cause the actual user +account to be deleted. If <option>users.mutableUsers</option> is +disabled, it is no longer necessary to specify UIDs or GIDs; if +omitted, they are allocated dynamically.</para></listitem> </itemizedlist></para> <para>Following new services were added since the last release: <itemizedlist> -<listitem><para>parallels-guest</para></listitem> -<listitem><para>docker</para></listitem> -<listitem><para>lxc</para></listitem> -<listitem><para>openvswitch</para></listitem> -<listitem><para>fluxbox</para></listitem> -<listitem><para>bspwm</para></listitem> -<listitem><para>gdm</para></listitem> -<listitem><para>fcgiwrap</para></listitem> -<listitem><para>peerflix</para></listitem> -<listitem><para>fail2ban</para></listitem> -<listitem><para>chronos</para></listitem> -<listitem><para>znc</para></listitem> -<listitem><para>unifi</para></listitem> -<listitem><para>teamspeak3</para></listitem> -<listitem><para>strongswan</para></listitem> -<listitem><para>seeks</para></listitem> -<listitem><para>radicale</para></listitem> -<listitem><para>prosody</para></listitem> -<listitem><para>polipo</para></listitem> -<listitem><para>openntpd</para></listitem> -<listitem><para>nsd</para></listitem> -<listitem><para>mailpile</para></listitem> -<listitem><para>i2pd</para></listitem> -<listitem><para>dnscrypt-proxy</para></listitem> 
-<listitem><para>consul</para></listitem>
-<listitem><para>atftpd</para></listitem>
-<listitem><para>scollector</para></listitem>
-<listitem><para>collectd</para></listitem>
-<listitem><para>bosun</para></listitem>
-<listitem><para>riemann</para></listitem>
-<listitem><para>zookeeper</para></listitem>
-<listitem><para>uhub</para></listitem>
-<listitem><para>siproxd</para></listitem>
-<listitem><para>redmine</para></listitem>
-<listitem><para>phd</para></listitem>
-<listitem><para>mesos</para></listitem>
-<listitem><para>gitlab</para></listitem>
-<listitem><para>gitolite</para></listitem>
-<listitem><para>etcd</para></listitem>
-<listitem><para>docker-registry</para></listitem>
-<listitem><para>cpuminer-cryptonight</para></listitem>
-<listitem><para>thermald</para></listitem>
-<listitem><para>mlmmj</para></listitem>
-<listitem><para>tcsd</para></listitem>
-<listitem><para>gnome3.seahorse</para></listitem>
-<listitem><para>gnome3.gvfs</para></listitem>
-<listitem><para>gnome3.gnome-online-miners</para></listitem>
-<listitem><para>gnome3.gnome-documents</para></listitem>
-<listitem><para>geoclue2</para></listitem>
-<listitem><para>opentsdb</para></listitem>
-<listitem><para>neo4j</para></listitem>
-<listitem><para>monetdb</para></listitem>
-<listitem><para>influxdb</para></listitem>
-<listitem><para>hbase</para></listitem>
-<listitem><para>torque/mrom</para></listitem>
-<listitem><para>torque/server</para></listitem>
-<listitem><para>kubernetes</para></listitem>
-<listitem><para>fleet</para></listitem>
-<listitem><para>crashplan</para></listitem>
-<listitem><para>mopidy</para></listitem>
-<listitem><para>liquidsoap</para></listitem>
+<listitem><para><literal>atftpd</literal></para></listitem>
+<listitem><para><literal>bosun</literal></para></listitem>
+<listitem><para><literal>bspwm</literal></para></listitem>
+<listitem><para><literal>chronos</literal></para></listitem>
+<listitem><para><literal>collectd</literal></para></listitem>
+<listitem><para><literal>consul</literal></para></listitem>
+<listitem><para><literal>cpuminer-cryptonight</literal></para></listitem>
+<listitem><para><literal>crashplan</literal></para></listitem>
+<listitem><para><literal>dnscrypt-proxy</literal></para></listitem>
+<listitem><para><literal>docker-registry</literal></para></listitem>
+<listitem><para><literal>docker</literal></para></listitem>
+<listitem><para><literal>etcd</literal></para></listitem>
+<listitem><para><literal>fail2ban</literal></para></listitem>
+<listitem><para><literal>fcgiwrap</literal></para></listitem>
+<listitem><para><literal>fleet</literal></para></listitem>
+<listitem><para><literal>fluxbox</literal></para></listitem>
+<listitem><para><literal>gdm</literal></para></listitem>
+<listitem><para><literal>geoclue2</literal></para></listitem>
+<listitem><para><literal>gitlab</literal></para></listitem>
+<listitem><para><literal>gitolite</literal></para></listitem>
+<listitem><para><literal>gnome3.gnome-documents</literal></para></listitem>
+<listitem><para><literal>gnome3.gnome-online-miners</literal></para></listitem>
+<listitem><para><literal>gnome3.gvfs</literal></para></listitem>
+<listitem><para><literal>gnome3.seahorse</literal></para></listitem>
+<listitem><para><literal>hbase</literal></para></listitem>
+<listitem><para><literal>i2pd</literal></para></listitem>
+<listitem><para><literal>influxdb</literal></para></listitem>
+<listitem><para><literal>kubernetes</literal></para></listitem>
+<listitem><para><literal>liquidsoap</literal></para></listitem>
+<listitem><para><literal>lxc</literal></para></listitem>
+<listitem><para><literal>mailpile</literal></para></listitem>
+<listitem><para><literal>mesos</literal></para></listitem>
+<listitem><para><literal>mlmmj</literal></para></listitem>
+<listitem><para><literal>monetdb</literal></para></listitem>
+<listitem><para><literal>mopidy</literal></para></listitem>
+<listitem><para><literal>neo4j</literal></para></listitem>
+<listitem><para><literal>nsd</literal></para></listitem>
+<listitem><para><literal>openntpd</literal></para></listitem>
+<listitem><para><literal>opentsdb</literal></para></listitem>
+<listitem><para><literal>openvswitch</literal></para></listitem>
+<listitem><para><literal>parallels-guest</literal></para></listitem>
+<listitem><para><literal>peerflix</literal></para></listitem>
+<listitem><para><literal>phd</literal></para></listitem>
+<listitem><para><literal>polipo</literal></para></listitem>
+<listitem><para><literal>prosody</literal></para></listitem>
+<listitem><para><literal>radicale</literal></para></listitem>
+<listitem><para><literal>redmine</literal></para></listitem>
+<listitem><para><literal>riemann</literal></para></listitem>
+<listitem><para><literal>scollector</literal></para></listitem>
+<listitem><para><literal>seeks</literal></para></listitem>
+<listitem><para><literal>siproxd</literal></para></listitem>
+<listitem><para><literal>strongswan</literal></para></listitem>
+<listitem><para><literal>tcsd</literal></para></listitem>
+<listitem><para><literal>teamspeak3</literal></para></listitem>
+<listitem><para><literal>thermald</literal></para></listitem>
+<listitem><para><literal>torque/mrom</literal></para></listitem>
+<listitem><para><literal>torque/server</literal></para></listitem>
+<listitem><para><literal>uhub</literal></para></listitem>
+<listitem><para><literal>unifi</literal></para></listitem>
+<listitem><para><literal>znc</literal></para></listitem>
+<listitem><para><literal>zookeeper</literal></para></listitem>
 </itemizedlist> </para>
@@ -125,9 +129,11 @@ rather than <literal>c-<replaceable>container-name</replaceable></literal>.</par <listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem> -<listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users may be required to run -<command>rm -rf /tmp.vbox*</command>. <literal>imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ]</literal> -is no longer necessary, use <literal>services.virtualboxHost.enable = true</literal> instead. +<listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users +may be required to run <command>rm -rf /tmp/.vbox*</command>. The line +<literal>imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ]</literal> is +no longer necessary, use <literal>services.virtualboxHost.enable = +true</literal> instead. </para> <para>Also, hardening mode is now enabled by default, which means that unless you want to use USB support, you no longer need to be a member of the <literal>vboxusers</literal> group. @@ -160,6 +166,10 @@ xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.</pa the ability to connect to sessions created by older versions of screen.</para></listitem> +<listitem><para>The Intel GPU driver was updated to the 3.x prerelease +version (used by most distributions) and supports DRI3 +now.</para></listitem> + </itemizedlist> </para> diff --git a/nixos/maintainers/scripts/ec2/create-ebs-amis.py b/nixos/maintainers/scripts/ec2/create-ebs-amis.py index 6c91aa68694d..44af56c4091b 100755 --- a/nixos/maintainers/scripts/ec2/create-ebs-amis.py +++ b/nixos/maintainers/scripts/ec2/create-ebs-amis.py 
@@ -12,7 +12,7 @@ from nixops.statefile import StateFile, get_default_state_file parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI') parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in') -parser.add_argument('--channel', dest='channel', default="13.10", help='Channel to use') +parser.add_argument('--channel', dest='channel', default="14.12", help='Channel to use') parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use') parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image') parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob") @@ -34,13 +34,13 @@ ebs_size = 20 # Start a NixOS machine in the given region. f = open("ebs-creator-config.nix", "w") f.write('''{{ - resources.ec2KeyPairs.keypair.accessKeyId = "logicblox-dev"; + resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos"; resources.ec2KeyPairs.keypair.region = "{0}"; machine = {{ pkgs, ... }}: {{ - deployment.ec2.accessKeyId = "logicblox-dev"; + deployment.ec2.accessKeyId = "lb-nixos"; deployment.ec2.region = "{0}"; deployment.ec2.blockDeviceMapping."/dev/xvdg".size = pkgs.lib.mkOverride 10 {1}; }}; @@ -54,7 +54,7 @@ try: except Exception: depl = db.create_deployment() depl.name = "ebs-creator" -depl.auto_response = "y" +depl.logger.set_autoresponse("y") depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")] if not args.keep: depl.destroy_resources() depl.deploy(allow_reboot=True) @@ -140,6 +140,7 @@ common_args = dict( ) if not args.hvm: common_args['kernel_id']=aki.id + ami_id = m._conn.register_image(**common_args) print >> sys.stderr, "registered AMI {0}".format(ami_id) 
@@ -161,16 +162,16 @@ f.write( {{ network.description = "NixOS EBS test"; - resources.ec2KeyPairs.keypair.accessKeyId = "logicblox-dev"; + resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos"; resources.ec2KeyPairs.keypair.region = "{0}"; machine = {{ config, pkgs, resources, ... }}: {{ deployment.targetEnv = "ec2"; - deployment.ec2.accessKeyId = "logicblox-dev"; + deployment.ec2.accessKeyId = "lb-nixos"; deployment.ec2.region = "{0}"; deployment.ec2.instanceType = "{2}"; deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name; - deployment.ec2.securityGroups = [ "admin" ]; + deployment.ec2.securityGroups = [ "public-ssh" ]; deployment.ec2.ami = "{1}"; }}; }} 
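Review bot: The test deployment's `deployment.ec2.securityGroups` now names a hard-coded group `public-ssh` whose inbound rules are not visible here; if, as the name suggests, it admits SSH from anywhere, the temporary test instance is Internet-reachable for as long as it exists, including when `--keep` leaves it running. Like `accessKeyId`, the group name would be better taken from an argument or environment variable, with a comment stating what ingress the group is expected to allow, e.g. `# security group is expected to permit only SSH (port 22) from the maintainer's network`. The same hard-coded group is introduced in the ebs-creator.nix hunk further down. The surrounding `f.write(` call begins and ends outside this hunk.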
@@ -185,23 +186,31 @@ test_depl.deploy(create_only=True) test_depl.machines['machine'].run_command("nixos-version") # Log the AMI ID. -f = open("{0}.{1}.ami-id".format(args.region, image_type), "w") -f.write("{0}".format(ami_id)) -f.close() +f = open("ec2-amis.nix".format(args.region, image_type), "w") +f.write("{\n") for dest in [ 'us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1', 'eu-central-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'sa-east-1']: + copy_image = None if args.region != dest: - print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest) - conn = boto.ec2.connect_to_region(dest) - copy_image = conn.copy_image(args.region, ami_id, ami_name, description=None, client_token=None) + try: + print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest) + conn = boto.ec2.connect_to_region(dest) + copy_image = conn.copy_image(args.region, ami_id, ami_name, description=None, client_token=None) + except : + print >> sys.stderr, "FAILED!" # Log the AMI ID. - f = open("{0}.{1}.ami-id".format(dest, image_type), "w") - f.write("{0}".format(copy_image.image_id)) - f.close() + if copy_image != None: + f.write(' "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,dest,"hvm" if args.hvm else "ebs",copy_image.image_id)) + else: + f.write(' "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,args.region,"hvm" if args.hvm else "ebs",ami_id)) +f.write("}\n") +f.close() + if not args.keep: + test_depl.logger.set_autoresponse("y") test_depl.destroy_resources() test_depl.delete() diff --git a/nixos/maintainers/scripts/ec2/create-s3-amis.sh b/nixos/maintainers/scripts/ec2/create-s3-amis.sh index 140b4fcbddb8..ed861a3944ac 100755 --- a/nixos/maintainers/scripts/ec2/create-s3-amis.sh +++ b/nixos/maintainers/scripts/ec2/create-s3-amis.sh 
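Review bot: The bare `except :` in the copy loop swallows every exception type (including `KeyboardInterrupt`) and discards the error message, and the `else` branch that follows then records `ami_id` under `args.region` whenever `copy_image` is `None`, so a failed copy to `dest` is silently written as a duplicate entry for the source region instead of being reported or leaving a gap. Narrow the handler and print the cause, `except Exception as e:` / `print >> sys.stderr, "copying to {0} FAILED: {1}".format(dest, e)`, and emit the source-region line only when `args.region == dest`. Also `"ec2-amis.nix".format(args.region, image_type)` has no placeholders, so the `.format` call is dead code, and `copy_image != None` should be `copy_image is not None`.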
@@ -31,17 +31,22 @@ buildAndUploadFor() { -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" --location "$s3location" \ --url http://s3.amazonaws.com - kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.03-$arch*" --region "$region" | cut -f 2) + kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2) echo "using PV-GRUB kernel $kernel" - ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" \ + ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY" \ --region "$region" --kernel "$kernel" | cut -f 2) echo "AMI ID is $ami" - echo $ami >> $region.s3.ami-id + echo " \"14.12\".\"$region\".s3 = \"$ami\";" >> ec2-amis.nix - ec2-modify-image-attribute --region "$region" "$ami" -l -a all + ec2-modify-image-attribute --region "$region" "$ami" -l -a all -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY" + + for cp_region in us-east-1 us-west-1 us-west-2 eu-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do + new_ami=$(aws ec2 copy-image --source-image-id $ami --source-region $region --region $cp_region --name "$name" | json ImageId) + echo " \"14.12\".\"$cp_region\".s3 = \"$new_ami\";" >> ec2-amis.nix + done done } diff --git a/nixos/maintainers/scripts/ec2/ebs-creator.nix b/nixos/maintainers/scripts/ec2/ebs-creator.nix index 37795d5d5b4a..7bb13695fa78 100644 --- a/nixos/maintainers/scripts/ec2/ebs-creator.nix +++ b/nixos/maintainers/scripts/ec2/ebs-creator.nix @@ -5,10 +5,9 @@ { config, pkgs, resources, ... }: { deployment.targetEnv = "ec2"; deployment.ec2.instanceType = "c3.large"; - deployment.ec2.securityGroups = [ "admin" ]; + deployment.ec2.securityGroups = [ "public-ssh" ]; deployment.ec2.ebsBoot = false; deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name; - deployment.ec2.zone = "us-east-1e"; environment.systemPackages = [ pkgs.parted ]; }; } 
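Review bot: The new `-O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY"` arguments to `ec2-register` and `ec2-modify-image-attribute` place the AWS secret key on the command line, where it is readable by other local users from the process table for the duration of each call; if the tool can read the credentials from the environment or a credentials file, that is preferable, and either way the choice deserves a comment. The new copy loop also diverges from create-ebs-amis.py: it does not skip `$region` itself, so the source region receives a redundant copy, and its region list omits `eu-west-1`; adding `[ "$cp_region" = "$region" ] && continue` at the top of the loop and aligning the list would keep the two scripts consistent. The unquoted `$ami`, `$region` and `$cp_region` in the `aws ec2 copy-image` line are harmless for these values but inconsistent with the quoting used elsewhere in `buildAndUploadFor`, which begins outside this hunk.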
diff --git a/nixos/maintainers/scripts/gce/create-gce.sh b/nixos/maintainers/scripts/gce/create-gce.sh index fc476fb6e403..7f8a0d23027a 100755 --- a/nixos/maintainers/scripts/gce/create-gce.sh +++ b/nixos/maintainers/scripts/gce/create-gce.sh @@ -1,6 +1,6 @@ #! /bin/sh -e -BUCKET_NAME=${BUCKET_NAME:-nixos} +BUCKET_NAME=${BUCKET_NAME:-nixos-images} export NIX_PATH=nixpkgs=../../../.. export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix export TIMESTAMP=$(date +%Y%m%d%H%M) diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 256c5888cb94..f585a2774799 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -25,6 +25,11 @@ let options. ''; + hashedPasswordDescription = '' + To generate hashed password install <literal>mkpassword</literal> + package and run <literal>mkpasswd -m sha-512</literal>. + ''; + userOpts = { name, config, ... }: { options = { @@ -165,6 +170,7 @@ let description = '' Specifies the hashed password for the user. ${passwordDescription} + ${hashedPasswordDescription} ''; }; @@ -202,6 +208,8 @@ let password can be changed subsequently using the <command>passwd</command> command. Otherwise, it's equivalent to setting the <option>password</option> option. + + ${hashedPasswordDescription} ''; }; 
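Review bot: The new `hashedPasswordDescription` tells the user to install the `mkpassword` package but then gives the command `mkpasswd -m sha-512`; the package and command names should agree, so the text should read `To generate a hashed password, install the <literal>mkpasswd</literal> package and run <literal>mkpasswd -m sha-512</literal>.` The third users-groups.nix hunk splices the same hint into a second option whose name lies outside the hunk; that description says the option is equivalent to setting `<option>password</option>`, so if it takes a plain-text rather than hashed value, a hash-generation hint there is misleading — worth confirming before merging.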
@@ -366,21 +374,24 @@ in { type = types.bool; default = true; description = '' - If true, you are free to add new users and groups to the system + If set to <literal>true</literal>, you are free to add new users and groups to the system with the ordinary <literal>useradd</literal> and <literal>groupadd</literal> commands. On system activation, the existing contents of the <literal>/etc/passwd</literal> and <literal>/etc/group</literal> files will be merged with the contents generated from the <literal>users.extraUsers</literal> and - <literal>users.extraGroups</literal> options. If - <literal>mutableUsers</literal> is false, the contents of the user and - group files will simply be replaced on system activation. This also - holds for the user passwords; if this option is false, all changed - passwords will be reset according to the - <literal>users.extraUsers</literal> configuration on activation. If - this option is true, the initial password for a user will be set + <literal>users.extraGroups</literal> options. + The initial password for a user will be set according to <literal>users.extraUsers</literal>, but existing passwords will not be changed. + + <warning><para> + If set to <literal>false</literal>, the contents of the user and + group files will simply be replaced on system activation. This also + holds for the user passwords; all changed + passwords will be reset according to the + <literal>users.extraUsers</literal> configuration on activation. + </para></warning> ''; }; diff --git a/nixos/modules/hardware/video/bumblebee.nix b/nixos/modules/hardware/video/bumblebee.nix index 7b48d9d1fcf5..e20ebc3041e7 100644 --- a/nixos/modules/hardware/video/bumblebee.nix +++ b/nixos/modules/hardware/video/bumblebee.nix 
@@ -1,7 +1,13 @@ { config, lib, pkgs, ... }: -let kernel = config.boot.kernelPackages; in with lib; +let + kernel = config.boot.kernelPackages; + bumblebee = if config.hardware.bumblebee.connectDisplay + then pkgs.bumblebee_display + else pkgs.bumblebee; + +in { @@ -23,6 +29,17 @@ with lib; type = types.uniq types.str; description = ''Group for bumblebee socket''; }; + hardware.bumblebee.connectDisplay = mkOption { + default = false; + type = types.bool; + description = '' + Set to true if you intend to connect your discrete card to a + monitor. This option will set up your Nvidia card for EDID + discovery and to turn on the monitor signal. + + Only nvidia driver is supported so far. + ''; + }; }; config = mkIf config.hardware.bumblebee.enable { @@ -30,13 +47,13 @@ with lib; boot.kernelModules = [ "bbswitch" ]; boot.extraModulePackages = [ kernel.bbswitch kernel.nvidia_x11 ]; - environment.systemPackages = [ pkgs.bumblebee pkgs.primus ]; + environment.systemPackages = [ bumblebee pkgs.primus ]; systemd.services.bumblebeed = { description = "Bumblebee Hybrid Graphics Switcher"; wantedBy = [ "display-manager.service" ]; script = "bumblebeed --use-syslog -g ${config.hardware.bumblebee.group}"; - path = [ kernel.bbswitch pkgs.bumblebee ]; + path = [ kernel.bbswitch bumblebee ]; serviceConfig = { Restart = "always"; RestartSec = 60; diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 9dfc322b9f74..bfb42d40b06e 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -77,6 +77,7 @@ mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/et mkdir -m 01777 -p $mountPoint/tmp mkdir -m 0755 -p $mountPoint/tmp/root mkdir -m 0755 -p $mountPoint/var/setuid-wrappers +mkdir -m 0700 -p $mountPoint/root mount --rbind /dev $mountPoint/dev mount --rbind /proc $mountPoint/proc mount --rbind /sys $mountPoint/sys 
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index bf8365e34645..7bfbefb348f0 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -174,6 +174,8 @@ chronos = 164; gitlab = 165; tox-bootstrapd = 166; + cadvisor = 167; + nylon = 168; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -273,6 +275,7 @@ jenkins = 109; systemd-journal-gateway = 110; notbit = 111; + btsync = 113; monetdb = 115; foundationdb = 118; newrelic = 119; @@ -306,13 +309,16 @@ systemd-resolve = 153; systemd-timesync = 154; liquidsoap = 155; - scollector = 156; - bosun = 157; - kubernetes = 158; fleet = 159; - gitlab = 160; + scollector = 160; + bosun = 161; + kubernetes = 162; + gitlab = 165; + nylon = 166; - # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399! + # When adding a gid, make sure it doesn't match an existing + # uid. Users and groups with the same name should have equal + # uids and gids. Also, don't use gids above 399! users = 100; nixbld = 30000; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2c52ebb37bcb..2a2a7b004163 100755 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -54,8 +54,8 @@ ./misc/version.nix ./programs/atop.nix ./programs/bash/bash.nix - ./programs/bash/command-not-found.nix ./programs/blcr.nix + ./programs/command-not-found/command-not-found.nix ./programs/dconf.nix ./programs/environment.nix ./programs/info.nix @@ -197,6 +197,7 @@ ./services/misc/zookeeper.nix ./services/monitoring/apcupsd.nix ./services/monitoring/bosun.nix + ./services/monitoring/cadvisor.nix ./services/monitoring/collectd.nix ./services/monitoring/dd-agent.nix ./services/monitoring/graphite.nix 
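Review bot: The hunk at `@@ -306,13 +309,16 @@` renumbers gids that were already allocated (scollector 156→160, bosun 157→161, kubernetes 158→162, gitlab 160→165); on a system that already has files owned by the old gids, those files will no longer belong to the renamed group after activation, so the commit should either keep the old values or document the migration. The same hunk adds the rule that users and groups with the same name should have equal uids and gids, yet the uid hunk assigns `nylon = 168` while this hunk assigns the group `nylon = 166`, and `cadvisor = 167` gets a uid with no matching gid. Either align the numbers (e.g. `nylon = 168;` in the gid table) or note why they differ next to the new comment.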
@@ -237,6 +238,7 @@ ./services/networking/dnscrypt-proxy.nix ./services/networking/dnsmasq.nix ./services/networking/ejabberd.nix + ./services/networking/firefox/sync-server.nix ./services/networking/firewall.nix ./services/networking/flashpolicyd.nix ./services/networking/freenet.nix @@ -253,6 +255,7 @@ ./services/networking/kippo.nix ./services/networking/mailpile.nix ./services/networking/minidlna.nix + ./services/networking/mstpd.nix ./services/networking/murmur.nix ./services/networking/nat.nix ./services/networking/networkmanager.nix @@ -261,6 +264,7 @@ ./services/networking/nsd.nix ./services/networking/ntopng.nix ./services/networking/ntpd.nix + ./services/networking/nylon.nix ./services/networking/oidentd.nix ./services/networking/openfire.nix ./services/networking/openntpd.nix @@ -305,6 +309,7 @@ ./services/search/solr.nix ./services/security/clamav.nix ./services/security/fail2ban.nix + ./services/security/fprintd.nix ./services/security/fprot.nix ./services/security/frandom.nix ./services/security/haveged.nix diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index 3d1412b56859..457642d82f71 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -10,6 +10,8 @@ pkgs.w3m # needed for the manual anyway pkgs.testdisk # useful for repairing boot problems pkgs.mssys # for writing Microsoft boot sectors / MBRs + pkgs.efibootmgr + pkgs.efivar pkgs.parted pkgs.gptfdisk pkgs.ddrescue diff --git a/nixos/modules/programs/bash/command-not-found.nix b/nixos/modules/programs/command-not-found/command-not-found.nix index 8c86d48b0808..bead2dcdcf90 100644 --- a/nixos/modules/programs/bash/command-not-found.nix +++ b/nixos/modules/programs/command-not-found/command-not-found.nix 
@@ -44,6 +44,26 @@ in } ''; + programs.zsh.interactiveShellInit = + '' + # This function is called whenever a command is not found. + command_not_found_handler() { + local p=/run/current-system/sw/bin/command-not-found + if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then + # Run the helper program. + $p "$1" + + # Retry the command if we just installed it. + if [ $? = 126 ]; then + "$@" + fi + else + # Indicate than there was an error so ZSH falls back to its default handler + return 127 + fi + } + ''; + environment.systemPackages = [ commandNotFound ]; # TODO: tab completion for uninstalled commands! :-) diff --git a/nixos/modules/programs/bash/command-not-found.pl b/nixos/modules/programs/command-not-found/command-not-found.pl index 916649059d37..916649059d37 100644 --- a/nixos/modules/programs/bash/command-not-found.pl +++ b/nixos/modules/programs/command-not-found/command-not-found.pl diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 1857371ebe8d..74dd6af0bdde 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -100,7 +100,7 @@ in export HISTSIZE=2000 export HISTFILE=$HOME/.zsh_history - setopt HIST_IGNORE_DUPS SHARE_HISTORY + setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK ''; }; diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index cb1b92e78d62..20fd76855d96 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -55,8 +55,8 @@ let apply = x: use (toOf config); inherit visible; }); - } - { config = setTo (mkMerge (if (fromOf options).isDefined then [ (define (mkMerge (fromOf options).definitions)) ] else [])); + + config = setTo (mkAliasAndWrapDefinitions define (fromOf options)); } ]; diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 9893e63fb24f..0e3a54325cad 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix 
@@ -110,7 +110,7 @@ in default = false; description = '' Print the contents of <literal>/etc/motd</literal> to screen - after a succesful login. + after a successful login. ''; }; @@ -145,7 +145,7 @@ in When $DUO_PASSCODE is non-empty, it will override autopush. The SSH client will need SendEnv DUO_PASSCODE in - its configuration, and the SSH server will similarily need + its configuration, and the SSH server will similarly need AcceptEnv DUO_PASSCODE. ''; }; diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index cbad94007088..d0c7fa6ec288 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -38,7 +38,7 @@ in type = types.bool; default = false; description = '' - Enable the testing grsecurity patch, based on Linux 3.17. + Enable the testing grsecurity patch, based on Linux 3.18. ''; }; @@ -156,6 +156,24 @@ in ''; }; + denyUSB = mkOption { + type = types.bool; + default = false; + description = '' + If true, then set <literal>GRKERNSEC_DENYUSB y</literal>. + + This enables a sysctl with name + <literal>kernel.grsecurity.deny_new_usb</literal>. Setting + its value to <literal>1</literal> will prevent any new USB + devices from being recognized by the OS. Any attempted + USB device insertion will be logged. + + This option is intended to be used against custom USB + devices designed to exploit vulnerabilities in various USB + device drivers. + ''; + }; + restrictProc = mkOption { type = types.bool; default = false; @@ -227,7 +245,7 @@ in message = '' If grsecurity is enabled, you must select either the stable patch (with kernel 3.14), or the testing patch (with - kernel 3.17) to continue. + kernel 3.18) to continue. ''; } { assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable); diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 844a9da0eb46..65761865859f 100644 --- a/nixos/modules/security/pam.nix 
+++ b/nixos/modules/security/pam.nix @@ -54,6 +54,15 @@ let ''; }; + fprintAuth = mkOption { + default = config.services.fprintd.enable; + type = types.bool; + description = '' + If set, fingerprint reader will be used (if exists and + your fingerprints are enrolled). + ''; + }; + sshAgentAuth = mkOption { default = false; type = types.bool; @@ -113,6 +122,14 @@ let ''; }; + requireWheel = mkOption { + default = false; + type = types.bool; + description = '' + Whether to permit root access only to members of group wheel. + ''; + }; + limits = mkOption { description = '' Attribute set describing resource limits. Defaults to the @@ -175,10 +192,14 @@ let # Authentication management. ${optionalString cfg.rootOK "auth sufficient pam_rootok.so"} + ${optionalString cfg.requireWheel + "auth required pam_wheel.so use_uid"} ${optionalString cfg.logFailures "auth required pam_tally.so"} ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} + ${optionalString cfg.fprintAuth + "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} ${optionalString cfg.usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} ${optionalString cfg.unixAuth diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix index 4d8fabc7696e..b14ea7a5f276 100644 --- a/nixos/modules/security/rngd.nix +++ b/nixos/modules/security/rngd.nix @@ -20,7 +20,7 @@ with lib; KERNEL=="random", TAG+="systemd" SUBSYSTEM=="cpu", ENV{MODALIAS}=="x86cpu:*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" - KERNEL=="tmp0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" + ${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''} ''; systemd.services.rngd = { 
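Review bot: In the hunk at `@@ -175,10 +192,14 @@` the new `fprintAuth` line is emitted as `auth sufficient`, and in the hunk at `@@ -54,6 +54,15 @@` the option defaults to `config.services.fprintd.enable`, so merely enabling the fprintd service makes a fingerprint match sufficient on its own for every PAM service generated by this module, not only for the graphical login. The option description should state this, e.g. `Whether to accept a fingerprint (via pam_fprintd) as sufficient authentication. Defaults to true for every PAM service when services.fprintd is enabled; set it per service to restrict where fingerprints are accepted.` The `requireWheel` line is placed after `pam_rootok.so` and before the other `auth` modules, which is the intended order for `pam_wheel.so use_uid`; a one-line comment saying so would save the next reader from re-deriving it. The generated PAM text continues past the end of this hunk.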
@@ -32,8 +32,6 @@ with lib; serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" + (if config.services.tcsd.enable then " --no-tpm=1" else ""); - - restartTriggers = [ pkgs.rng_tools ]; }; }; } diff --git a/nixos/modules/services/databases/postgresql.xml b/nixos/modules/services/databases/postgresql.xml index e98b431bd60a..a98026942959 100644 --- a/nixos/modules/services/databases/postgresql.xml +++ b/nixos/modules/services/databases/postgresql.xml @@ -24,11 +24,11 @@ <programlisting> services.postgresql.enable = true; -services.postgresql.package = pkgs.postgresql93; +services.postgresql.package = pkgs.postgresql94; </programlisting> Note that you are required to specify the desired version of -PostgreSQL (e.g. <literal>pkgs.postgresql93</literal>). Since +PostgreSQL (e.g. <literal>pkgs.postgresql94</literal>). Since upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for <option>services.postgresql.package</option> such as the most recent diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 1fb7102e7f3e..50ff1b38db12 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -45,8 +45,6 @@ let pop3_uidl_format = %08Xv%08Xu '' + cfg.extraConfig; - confFile = pkgs.writeText "dovecot.conf" dovecotConf; - in { @@ -88,6 +86,12 @@ in description = "Additional entries to put verbatim into Dovecot's config file."; }; + configFile = mkOption { + default = null; + description = "Config file used for the whole dovecot configuration."; + apply = v: if v != null then v else pkgs.writeText "dovecot.conf" dovecotConf; + }; + mailLocation = mkOption { default = "maildir:/var/spool/mail/%u"; /* Same as inbox, as postfix */ example = "maildir:~/mail:INBOX=/var/spool/mail/%u"; 
@@ -144,10 +148,11 @@ in gid = config.ids.gids.dovecot2; }; - jobs.dovecot2 = + systemd.services.dovecot2 = { description = "Dovecot IMAP/POP3 server"; - startOn = "started networking"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; preStart = '' @@ -155,7 +160,13 @@ in ${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} /var/run/dovecot2 ''; - exec = "${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}"; + serviceConfig = { + ExecStart = "${pkgs.dovecot}/sbin/dovecot -F -c ${cfg.configFile}"; + Restart = "on-failure"; + RestartSec = "1s"; + StartLimitInterval = "1min"; + }; + }; environment.systemPackages = [ pkgs.dovecot ]; diff --git a/nixos/modules/services/mail/mlmmj.nix b/nixos/modules/services/mail/mlmmj.nix index 637974f05cd1..db3a266d011f 100644 --- a/nixos/modules/services/mail/mlmmj.nix +++ b/nixos/modules/services/mail/mlmmj.nix @@ -90,7 +90,7 @@ in enable = true; recipientDelimiter= "+"; extraMasterConf = '' - mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-recieve -F -L ${spoolDir}/$nextHop + mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L ${spoolDir}/$nextHop ''; extraAliases = concatMapStrings (alias cfg.listDomain) cfg.mailLists; diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 8f75bd8ab5d0..b84c63e6421d 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -96,9 +96,9 @@ let # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING - pickup fifo n - n 60 1 pickup + pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup - qmgr fifo n - n 300 1 qmgr + qmgr unix n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce 
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index e9aa10181789..e2548864af5b 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -82,9 +82,10 @@ in description = '' This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The default is 1. - Some builds may become non-deterministic with this option; use with - care! Packages will only be affected if enableParallelBuilding is - set for them. + The special value 0 means that the builder should use all + available CPU cores in the system. Some builds may become + non-deterministic with this option; use with care! Packages will + only be affected if enableParallelBuilding is set for them. ''; }; diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix new file mode 100644 index 000000000000..0a06291da2a4 --- /dev/null +++ b/nixos/modules/services/monitoring/cadvisor.nix 
@@ -0,0 +1,106 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.cadvisor; + +in { + options = { + services.cadvisor = { + enable = mkOption { + default = false; + type = types.bool; + description = "Whether to enable cadvisor service."; + }; + + host = mkOption { + default = "127.0.0.1"; + type = types.str; + description = "Cadvisor listening host"; + }; + + port = mkOption { + default = 8080; + type = types.int; + description = "Cadvisor listening port"; + }; + + storageDriver = mkOption { + default = null; + type = types.nullOr types.str; + example = "influxdb"; + description = "Cadvisor storage driver."; + }; + + storageDriverHost = mkOption { + default = "localhost:8086"; + type = types.str; + description = "Cadvisor storage driver host."; + }; + + storageDriverDb = mkOption { + default = "root"; + type = types.str; + description = "Cadvisord storage driver database name."; + }; + + storageDriverUser = mkOption { + default = "root"; + type = types.str; + description = "Cadvisor storage driver username."; + }; + + storageDriverPassword = mkOption { + default = "root"; + type = types.str; + description = "Cadvisor storage driver password."; + }; + + storageDriverSecure = mkOption { + default = false; + type = types.bool; + description = "Cadvisor storage driver, enable secure communication."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.cadvisor = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "docker.service" "influxdb.service" ]; + + postStart = mkBefore '' + until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.host}:${toString cfg.port}/containers/'; do + sleep 1; + done + ''; + + serviceConfig = { + ExecStart = ''${pkgs.cadvisor}/bin/cadvisor \ + -logtostderr=true \ + -listen_ip=${cfg.host} \ + -port=${toString cfg.port} \ + ${optionalString (cfg.storageDriver != null) '' + -storage_driver ${cfg.storageDriver} \ + -storage_driver_user ${cfg.storageDriverHost} \ + -storage_driver_db 
${cfg.storageDriverDb} \ + -storage_driver_user ${cfg.storageDriverUser} \ + -storage_driver_password ${cfg.storageDriverPassword} \ + ${optionalString cfg.storageDriverSecure "-storage_driver_secure"} + ''} + ''; + User = "cadvisor"; + }; + }; + + virtualisation.docker.enable = true; + + users.extraUsers = singleton { + name = "cadvisor"; + uid = config.ids.uids.cadvisor; + description = "Cadvisor user"; + extraGroups = [ "docker" ]; + }; + }; +} diff --git a/nixos/modules/services/monitoring/dd-agent.nix b/nixos/modules/services/monitoring/dd-agent.nix index deef64d69981..dc51a7c74866 100644 --- a/nixos/modules/services/monitoring/dd-agent.nix +++ b/nixos/modules/services/monitoring/dd-agent.nix @@ -140,6 +140,7 @@ in { Restart = "always"; RestartSec = 2; }; + environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"; restartTriggers = [ pkgs.dd-agent ddConf postgresqlConfig nginxConfig ]; }; diff --git a/nixos/modules/services/monitoring/riemann.nix b/nixos/modules/services/monitoring/riemann.nix index ab37d717b86d..ac5d0134a80d 100644 --- a/nixos/modules/services/monitoring/riemann.nix +++ b/nixos/modules/services/monitoring/riemann.nix @@ -17,7 +17,7 @@ let launcher = writeScriptBin "riemann" '' #!/bin/sh - exec ${openjdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \ + exec ${jdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \ -cp ${classpath} \ riemann.bin ${writeText "riemann-config.clj" riemannConfig} ''; diff --git a/nixos/modules/services/monitoring/statsd.nix b/nixos/modules/services/monitoring/statsd.nix index 942ce72f6a36..7d7ca27bb2f0 100644 --- a/nixos/modules/services/monitoring/statsd.nix +++ b/nixos/modules/services/monitoring/statsd.nix @@ -53,7 +53,7 @@ in }; mgmt_address = mkOption { - description = "Address to run managment TCP interface on"; + description = "Address to run management TCP interface on"; default = "127.0.0.1"; type = types.str; }; 
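Review bot: The storage-driver host is passed under the wrong flag in ExecStart: `-storage_driver_user ${cfg.storageDriverHost}` should be `-storage_driver_host ${cfg.storageDriverHost}`, as written `-storage_driver_user` is given twice and the configured host never reaches cadvisor, so the default `localhost:8086` in the option is never what actually applies. Separately, `storageDriverPassword` is interpolated straight into the command line, so it ends up in the world-readable unit file in the Nix store and in process listings; the option description should at least say `This value is written to the Nix store and is visible in the process list; do not use a secret you care about.` The `postStart` loop polls `curl` forever with no bound, so a cadvisor that fails to bind leaves the unit stuck in activating; a retry limit or relying on systemd's own readiness handling would be safer. The enclosing ExecStart string starts in the previous hunk line.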
@@ -65,7 +65,7 @@ in }; backends = mkOption { - description = "List of backends statsd will use for data persistance"; + description = "List of backends statsd will use for data persistence"; default = ["graphite"]; example = ["graphite" pkgs.nodePackages."statsd-influxdb-backend"]; type = types.listOf (types.either types.str types.package); diff --git a/nixos/modules/services/network-filesystems/nfsd.nix b/nixos/modules/services/network-filesystems/nfsd.nix index 9b317e968849..33b7ec3d9f1c 100644 --- a/nixos/modules/services/network-filesystems/nfsd.nix +++ b/nixos/modules/services/network-filesystems/nfsd.nix @@ -61,7 +61,7 @@ in default = null; example = 4002; description = '' - Use fixed port for rpc.mountd, usefull if server is behind firewall. + Use fixed port for rpc.mountd, useful if server is behind firewall. ''; }; diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 1199fa316f91..6fcf89999523 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -9,7 +9,7 @@ let logDir = "/var/log/samba"; privateDir = "/var/samba/private"; - inherit (pkgs) samba; + samba = cfg.package; setupScript = '' @@ -90,6 +90,14 @@ in "; }; + package = mkOption { + default = pkgs.samba; + example = pkgs.samba4; + description = '' + Defines which package should be used for the samba server. + ''; + }; + syncPasswordsByPam = mkOption { default = false; description = " diff --git a/nixos/modules/services/networking/btsync.nix b/nixos/modules/services/networking/btsync.nix index 7ddc9e1045e4..34bddf908731 100644 --- a/nixos/modules/services/networking/btsync.nix +++ b/nixos/modules/services/networking/btsync.nix 
@@ -88,7 +88,7 @@ in use <literal>systemctl start btsync@user</literal> to start the daemon only for user <literal>user</literal>, using the configuration file located at - <literal>$HOME/.config/btsync.conf</literal> + <literal>$HOME/.config/btsync.conf</literal>. ''; }; @@ -223,6 +223,21 @@ in --generate-secret</literal>. Note that this secret will be put inside the Nix store, so it is realistically not very secret. + + If you would like to be able to modify the contents of this + directories, it is recommended that you make your user a + member of the <literal>btsync</literal> group. + + Directories in this list should be in the + <literal>btsync</literal> group, and that group must have + write access to the directory. It is also recommended that + <literal>chmod g+s</literal> is applied to the directory + so that any sub directories created will also belong to + the <literal>btsync</literal> group. Also, + <literal>setfacl -d -m group:btsync:rwx</literal> and + <literal>setfacl -m group:btsync:rwx</literal> should also + be applied so that the sub directories are writable by + the group. ''; }; }; @@ -246,14 +261,20 @@ in home = "/var/lib/btsync"; createHome = true; uid = config.ids.uids.btsync; + group = "btsync"; }; + users.extraGroups = [ + { name = "btsync"; + }]; + systemd.services.btsync = with pkgs; { description = "Bittorrent Sync Service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { Restart = "on-abort"; + UMask = "0002"; User = "btsync"; ExecStart = "${bittorrentSync}/bin/btsync --nodaemon --config ${configFile}"; diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix new file mode 100644 index 000000000000..79f32f3358cb --- /dev/null +++ b/nixos/modules/services/networking/firefox/sync-server.nix 
@@ -0,0 +1,142 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.firefox.syncserver; + syncServerIni = pkgs.writeText "syncserver.ini" '' + [DEFAULT] + overrides = ${cfg.privateConfig} + + [server:main] + use = egg:Paste#http + host = ${cfg.listen.address} + port = ${toString cfg.listen.port} + + [app:main] + use = egg:syncserver + + [syncserver] + public_url = ${cfg.publicUrl} + ${optionalString (cfg.sqlUri != "") "sqluri = ${cfg.sqlUri}"} + allow_new_users = ${if cfg.allowNewUsers then "true" else "false"} + + [browserid] + backend = tokenserver.verifiers.LocalVerifier + audiences = ${removeSuffix "/" cfg.publicUrl} + ''; +in + +{ + options = { + services.firefox.syncserver = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether to enable a Firefox Sync Server, this give the opportunity to + Firefox users to store all synchronized data on their own server. To use this + server, Firefox users should visit the <option>about:config</option>, and + replicate the following change + + <screen> + services.sync.tokenServerURI: http://localhost:5000/token/1.0/sync/1.5 + </screen> + + where <option>http://localhost:5000/</option> corresponds to the + public url of the server. + ''; + }; + + listen.address = mkOption { + type = types.str; + default = "127.0.0.1"; + example = "0.0.0.0"; + description = '' + Address on which the sync server listen to. + ''; + }; + + listen.port = mkOption { + type = types.int; + default = 5000; + description = '' + Port on which the sync server listen to. + ''; + }; + + publicUrl = mkOption { + type = types.str; + default = "http://localhost:5000/"; + example = "http://sync.example.com/"; + description = '' + Public URL with which firefox users can use to access the sync server. + ''; + }; + + allowNewUsers = mkOption { + type = types.bool; + default = true; + example = false; + description = '' + Whether to allow new-user signups on the server. 
Only request by + existing accounts will be honored. + ''; + }; + + sqlUri = mkOption { + type = types.str; + default = "sqlite:////var/db/firefox-sync-server.db"; + example = "postgresql://scott:tiger@localhost/test"; + description = '' + The location of the database. This URL is composed of + <option>dialect[+driver]://user:password@host/dbname[?key=value..]</option>, + where <option>dialect</option> is a database name such as + <option>mysql</option>, <option>oracle</option>, <option>postgresql</option>, + etc., and <option>driver</option> the name of a DBAPI, such as + <option>psycopg2</option>, <option>pyodbc</option>, <option>cx_oracle</option>, + etc. The <link + xlink:href="http://docs.sqlalchemy.org/en/rel_0_9/core/engines.html#database-urls"> + SQLAlchemy documentation</link> provides more examples and describe the syntax of + the expected URL. + ''; + }; + + privateConfig = mkOption { + type = types.str; + default = "/etc/firefox/syncserver-secret.ini"; + description = '' + The private config file is used to extend the generated config with confidential + information, such as the <option>syncserver.sqlUri</option> setting if it contains a + password, and the <option>syncserver.secret</option> setting is used by the server to + generate cryptographically-signed authentication tokens. + + If this file does not exists, then it is created with a generated + <option>syncserver.secret</option> settings. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.services.syncserver = { + after = [ "network.target" ]; + description = "Firefox Sync Server"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.pythonPackages.pasteScript pkgs.coreutils ]; + environment.PYTHONPATH = "${pkgs.pythonPackages.syncserver}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages"; + preStart = '' + if ! 
test -e ${cfg.privateConfig}; then + umask u=rwx,g=x,o=x + mkdir -p $(dirname ${cfg.privateConfig}) + echo > ${cfg.privateConfig} '[syncserver]' + echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" + fi + ''; + serviceConfig.ExecStart = "paster serve ${syncServerIni}"; + }; + + }; +} diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 1f17661c9f08..b05a640e11fd 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -356,7 +356,7 @@ in '' If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form - of flags like "-limit 1/minute -limit-burst 5" + of flags like "--limit 1/minute --limit-burst 5" ''; }; diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix index d0127fd3f75e..95b0ae59ff3c 100644 --- a/nixos/modules/services/networking/i2pd.nix +++ b/nixos/modules/services/networking/i2pd.nix @@ -142,7 +142,7 @@ in type = types.int; default = 80; description = '' - Port to forward incoming trafic to. 80 by default. + Port to forward incoming traffic to. 80 by default. ''; }; keyFile = mkOption { @@ -195,4 +195,4 @@ in }; }; } -# \ No newline at end of file +# diff --git a/nixos/modules/services/networking/mstpd.nix b/nixos/modules/services/networking/mstpd.nix new file mode 100644 index 000000000000..5d1fc4a65427 --- /dev/null +++ b/nixos/modules/services/networking/mstpd.nix 
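Review bot: `systemd.services.syncserver` sets no `serviceConfig.User`, so `paster serve` and the whole sync server run as root while the only hardening is the umask applied when the secret file is first created. A dedicated account (a `users.extraUsers` entry plus `serviceConfig.User`) should own the process; since preStart creates the 0600 private config, it would then need to run with root privileges but chown the file to that user, or the file must be created with the service user's ownership. The description of `privateConfig` says the file holds the signing secret, which is the right reason to keep it out of the store, but the hard-coded `sqliteUri` default under /var/db also needs to be writable by whatever user is chosen.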
@@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.mstpd; +in +with lib; +{ + options.services.mstpd = { + + enable = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable the multiple spanning tree protocol daemon. + ''; + }; + + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.mstpd ]; + + systemd.services.mstpd = { + description = "Multiple Spanning Tree Protocol Daemon"; + wantedBy = [ "network.target" ]; + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + serviceConfig = { + Type = "forking"; + ExecStart = "@${pkgs.mstpd}/bin/mstpd mstpd"; + PIDFile = "/run/mstpd.pid"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix new file mode 100644 index 000000000000..da6487dbd499 --- /dev/null +++ b/nixos/modules/services/networking/nylon.nix 
@@ -0,0 +1,139 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.nylon; + + homeDir = "/var/lib/nylon"; + + configFile = pkgs.writeText "nylon.conf" '' + [General] + No-Simultaneous-Conn=${toString cfg.nrConnections} + Log=${if cfg.logging then "1" else "0"} + Verbose=${if cfg.verbosity then "1" else "0"} + + [Server] + Binding-Interface=${cfg.acceptInterface} + Connecting-Interface=${cfg.bindInterface} + Port=${toString cfg.port} + Allow-IP=${concatStringsSep " " cfg.allowedIPRanges} + Deny-IP=${concatStringsSep " " cfg.deniedIPRanges} + ''; + +in + +{ + + ###### interface + + options = { + + services.nylon = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables nylon as a running service upon activation. + ''; + }; + + nrConnections = mkOption { + type = types.int; + default = 10; + description = '' + The number of allowed simultaneous connections to the daemon, default 10. + ''; + }; + + logging = mkOption { + type = types.bool; + default = false; + description = '' + Enable logging, default is no logging. + ''; + }; + + verbosity = mkOption { + type = types.bool; + default = false; + description = '' + Enable verbose output, default is to not be verbose. + ''; + }; + + acceptInterface = mkOption { + type = types.string; + default = "lo"; + description = '' + Tell nylon which interface to listen for client requests on, default is "lo". + ''; + }; + + bindInterface = mkOption { + type = types.string; + default = "enp3s0f0"; + description = '' + Tell nylon which interface to use as an uplink, default is "enp3s0f0". + ''; + }; + + port = mkOption { + type = types.int; + default = 1080; + description = '' + What port to listen for client requests, default is 1080. 
+ ''; + }; + + allowedIPRanges = mkOption { + type = with types; listOf string; + default = [ "192.168.0.0/16" "127.0.0.1/8" "172.16.0.1/12" "10.0.0.0/8" ]; + description = '' + Allowed client IP ranges are evaluated first, defaults to ARIN IPv4 private ranges: + [ "192.168.0.0/16" "127.0.0.0/8" "172.16.0.0/12" "10.0.0.0/8" ] + ''; + }; + + deniedIPRanges = mkOption { + type = with types; listOf string; + default = [ "0.0.0.0/0" ]; + description = '' + Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses: + [ "0.0.0.0/0" ] + To block all other access than the allowed. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + users.extraUsers.nylon= { + group = "nylon"; + description = "Nylon SOCKS Proxy"; + home = homeDir; + createHome = true; + uid = config.ids.uids.nylon; + }; + + users.extraGroups.nylon.gid = config.ids.gids.nylon; + + systemd.services.nylon = { + description = "Nylon, a lightweight SOCKS proxy server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = + { + User = "nylon"; + Group = "nylon"; + WorkingDirectory = homeDir; + ExecStart = "${pkgs.nylon}/bin/nylon -f -c ${configFile}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 4db8d1e25450..c0ad9e17c413 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix 
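Review bot: The `allowedIPRanges` default contains `"127.0.0.1/8"` and `"172.16.0.1/12"`, which have host bits set and do not match the `127.0.0.0/8` and `172.16.0.0/12` that the description immediately below claims are the defaults; whether nylon masks the host bits is not visible here, so the default should be changed to `[ "192.168.0.0/16" "127.0.0.0/8" "172.16.0.0/12" "10.0.0.0/8" ]` to make the allow-list mean what the documentation says. In the generated config the option named `bindInterface` feeds `Connecting-Interface` while `acceptInterface` feeds `Binding-Interface`, which reads backwards for anyone coming from nylon's own terminology; a short comment next to the `[Server]` block explaining the mapping would help. The enclosing config block starts in the previous hunk line.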
@@ -17,13 +17,11 @@ let knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts); - knownHostsFile = pkgs.runCommand "ssh_known_hosts" {} '' - touch "$out" - ${flip concatMapStrings knownHosts (h: '' - pubkeyfile=${builtins.toFile "host.pub" (if h.publicKey == null then readFile h.publicKeyFile else h.publicKey)} - ${pkgs.gnused}/bin/sed 's/^/${concatStringsSep "," h.hostNames} /' $pubkeyfile >> "$out" - '')} - ''; + knownHostsText = flip (concatMapStringsSep "\n") knownHosts + (h: + concatStringsSep "," h.hostNames + " " + + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile) + ); userOptions = { @@ -301,7 +299,7 @@ in { source = "${cfgc.package}/etc/ssh/moduli"; target = "ssh/moduli"; } - { source = knownHostsFile; + { text = knownHostsText; target = "ssh/ssh_known_hosts"; } ]; diff --git a/nixos/modules/services/networking/tox-bootstrapd.nix b/nixos/modules/services/networking/tox-bootstrapd.nix index 65aa87be44cc..c1f945773e23 100644 --- a/nixos/modules/services/networking/tox-bootstrapd.nix +++ b/nixos/modules/services/networking/tox-bootstrapd.nix @@ -24,7 +24,7 @@ in default = false; description = '' - Whether to enable the Tox DHT boostrap daemon. + Whether to enable the Tox DHT bootstrap daemon. ''; }; @@ -45,7 +45,7 @@ in default = ""; description = '' - Configuration for boostrap daemon. + Configuration for bootstrap daemon. See <link xlink:href="https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf"/> and <link xlink:href="http://wiki.tox.im/Nodes"/>. ''; diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index 8905ff1598ba..d6c8e0dc7a5c 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix 
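Review bot: `knownHostsText` prefixes only the beginning of each entry with the host names, so a `publicKeyFile` that holds more than one key line yields extra lines with no host-name prefix, and the trailing newline `readFile` preserves produces a blank line between entries; the sed pipeline it replaces prefixed every line of the file. If one key per entry is the intended contract, a comment on the binding, `# one key per entry; publicKeyFile is expected to hold a single line`, fixes the expectation, otherwise map the prefix over `splitString "\n"` of the file contents. The enclosing `let` continues outside the hunk.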
@@ -3,7 +3,7 @@ with lib; let cfg = config.services.unifi; stateDir = "/var/lib/unifi"; - cmd = "@${pkgs.icedtea7_jre}/bin/java java -jar ${stateDir}/lib/ace.jar"; + cmd = "@${pkgs.jre}/bin/java java -jar ${stateDir}/lib/ace.jar"; mountPoints = [ { what = "${pkgs.unifi}/dl"; diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index bb3bf2519d42..679aa81a13da 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -4,7 +4,7 @@ with lib; let - inherit (pkgs) cups; + inherit (pkgs) cups cups_filters; cfg = config.services.printing; @@ -123,6 +123,19 @@ in ''; }; + browsedConf = mkOption { + type = types.lines; + default = ""; + example = + '' + BrowsePoll cups.example.com + ''; + description = '' + The contents of the configuration. file of the CUPS Browsed daemon + (<filename>cups-browsed.conf</filename>) + ''; + }; + drivers = mkOption { type = types.listOf types.path; example = literalExample "[ pkgs.splix ]"; @@ -161,6 +174,7 @@ in environment.etc."cups/client.conf".text = cfg.clientConf; environment.etc."cups/cups-files.conf".text = cfg.cupsFilesConf; environment.etc."cups/cupsd.conf".text = cfg.cupsdConf; + environment.etc."cups/cups-browsed.conf".text = cfg.browsedConf; services.dbus.packages = [ cups ]; @@ -195,6 +209,22 @@ in ]; }; + systemd.services.cups-browsed = + { description = "Make remote CUPS printers available locally"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "cups.service" "avahi-daemon.service" ]; + after = [ "cups.service" "avahi-daemon.service" ]; + + path = [ cups ]; + + serviceConfig.ExecStart = "${cups_filters}/bin/cups-browsed"; + + restartTriggers = + [ config.environment.etc."cups/cups-browsed.conf".source + ]; + }; + services.printing.drivers = [ cups pkgs.ghostscript pkgs.cups_filters additionalBackends pkgs.perl pkgs.coreutils pkgs.gnused pkgs.bc pkgs.gawk pkgs.gnugrep 
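Review bot: The new `systemd.services.cups-browsed` unit is `wantedBy = [ "multi-user.target" ]` with no option to disable it, so every host on which this module's config applies now runs a daemon that reacts to printers announced over Avahi and, with `BrowsePoll`, polls remote servers; a boolean option defaulting to the current behaviour would let hosts that only print locally opt out. The unit also carries no `User=` or sandboxing directives, which may be necessary for it to create queues in cupsd, but that reason belongs in a comment next to the unit. Separately, the `browsedConf` description reads `The contents of the configuration. file of the CUPS Browsed daemon` and should read `The contents of the configuration file of the CUPS Browsed daemon`.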
diff --git a/nixos/modules/services/search/solr.nix b/nixos/modules/services/search/solr.nix index 38d9dedbe3cf..7886d1e2e8e6 100644 --- a/nixos/modules/services/search/solr.nix +++ b/nixos/modules/services/search/solr.nix @@ -22,7 +22,7 @@ let cp common/lib/*.jar $out/lib/ ln -s ${pkgs.ant}/lib/ant/lib/ant.jar $out/lib/ ln -s ${cfg.solrPackage}/lib/ext/* $out/lib/ - ln -s ${pkgs.openjdk}/lib/openjdk/lib/tools.jar $out/lib/ + ln -s ${pkgs.jdk.home}/lib/tools.jar $out/lib/ '' + optionalString (cfg.extraJars != []) '' for f in ${concatStringsSep " " cfg.extraJars}; do cp $f $out/lib @@ -44,7 +44,7 @@ in { javaPackage = mkOption { type = types.package; - default = pkgs.openjre; + default = pkgs.jre; description = '' Which Java derivation to use for running solr. ''; diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix new file mode 100644 index 000000000000..a35b065ba815 --- /dev/null +++ b/nixos/modules/services/security/fprintd.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.fprintd; + +in + + +{ + + ###### interface + + options = { + + services.fprintd = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable fprintd daemon and PAM module for fingerprint readers handling. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + services.dbus.packages = [ pkgs.fprintd ]; + + environment.systemPackages = [ pkgs.fprintd ]; + + systemd.services.fprintd = { + description = "Fingerprint Authentication Daemon"; + + serviceConfig = { + Type = "dbus"; + BusName = "net.reactivated.Fprint"; + ExecStart = "${pkgs.fprintd}/libexec/fprintd"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/web-servers/winstone.nix b/nixos/modules/services/web-servers/winstone.nix index 7f48012f158e..eed16a64f2a8 100644 --- a/nixos/modules/services/web-servers/winstone.nix 
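Review bot: The `enable` description for `services.fprintd` promises to enable the "fprintd daemon and PAM module", but the implementation only adds `pkgs.fprintd` to `services.dbus.packages` and `environment.systemPackages` and defines the D-Bus-activated service; nothing in this hunk touches `security.pam`, so unless the PAM wiring lives in another module the description overstates what the option does. Either narrow it to `Whether to enable the fprintd daemon for fingerprint readers.` or add the PAM side here. The phrase `fingerprint readers handling` should in any case read `fingerprint reader handling`.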
+++ b/nixos/modules/services/web-servers/winstone.nix @@ -30,7 +30,7 @@ let javaPackage = mkOption { type = types.package; - default = pkgs.openjre; + default = pkgs.jre; description = '' Which Java derivation to use for running Winstone. ''; diff --git a/nixos/modules/services/web-servers/zope2.nix b/nixos/modules/services/web-servers/zope2.nix index 21117118457d..bbe4d10f83d0 100644 --- a/nixos/modules/services/web-servers/zope2.nix +++ b/nixos/modules/services/web-servers/zope2.nix @@ -24,7 +24,7 @@ let http_address = mkOption { default = "localhost:8080"; type = types.string; - description = "Give a port and adress for the HTTP server."; + description = "Give a port and address for the HTTP server."; }; user = mkOption { diff --git a/nixos/modules/services/x11/desktop-managers/e19.nix b/nixos/modules/services/x11/desktop-managers/e19.nix index dd9becb0f6ca..2d5c7b192bc6 100644 --- a/nixos/modules/services/x11/desktop-managers/e19.nix +++ b/nixos/modules/services/x11/desktop-managers/e19.nix @@ -7,6 +7,11 @@ let xcfg = config.services.xserver; cfg = xcfg.desktopManager.e19; e19_enlightenment = pkgs.e19.enlightenment.override { set_freqset_setuid = true; }; + GST_PLUGIN_PATH = lib.makeSearchPath "lib/gstreamer-1.0" [ + pkgs.gst_all_1.gst-plugins-base + pkgs.gst_all_1.gst-plugins-good + pkgs.gst_all_1.gst-plugins-bad + pkgs.gst_all_1.gst-libav ]; in @@ -45,6 +50,8 @@ in export GTK_PATH=${config.system.path}/lib/gtk-3.0:${config.system.path}/lib/gtk-2.0 export XDG_MENU_PREFIX=enlightenment + export GST_PLUGIN_PATH="${GST_PLUGIN_PATH}" + # make available for D-BUS user services #export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}:${config.system.path}/share:${pkgs.e19.efl}/share diff --git a/nixos/modules/system/activation/switch-to-configuration.pl b/nixos/modules/system/activation/switch-to-configuration.pl index c814469ae41d..dbe13c022f09 100644 --- a/nixos/modules/system/activation/switch-to-configuration.pl 
+++ b/nixos/modules/system/activation/switch-to-configuration.pl @@ -323,7 +323,7 @@ system("@systemd@/bin/systemctl", "daemon-reload") == 0 or $res = 3; # Signal dbus to reload its configuration before starting other units. # Other units may rely on newly installed policy files under /etc/dbus-1 -system("@systemd@/bin/systemctl", "reload", "dbus.service"); +system("@systemd@/bin/systemctl", "reload-or-restart", "dbus.service"); # Restart changed services (those that have to be restarted rather # than stopped and started). diff --git a/nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py b/nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py index db73544181b6..ef431a7732e1 100644 --- a/nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py +++ b/nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py @@ -63,7 +63,8 @@ def get_generations(profile): "@nix@/bin/nix-env", "--list-generations", "-p", - "/nix/var/nix/profiles/%s" % (profile) + "/nix/var/nix/profiles/%s" % (profile), + "--option", "build-users-group", "" ]) gen_lines = gen_list.split('\n') gen_lines.pop() diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index 3762bda94a5c..356a440b17ac 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -91,6 +91,7 @@ mkdir -m 01777 -p /tmp mkdir -m 0755 -p /var /var/log /var/lib /var/db mkdir -m 0755 -p /nix/var mkdir -m 0700 -p /root +chmod 0700 /root mkdir -m 0755 -p /bin # for the /bin/sh symlink mkdir -m 0755 -p /home mkdir -m 0755 -p /etc/nixos diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix index 20851c626d75..2f4786c78966 100644 --- a/nixos/modules/system/boot/systemd-unit-options.nix +++ b/nixos/modules/system/boot/systemd-unit-options.nix 
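Review bot: The comment above the changed call still says "Signal dbus to reload its configuration", but `reload-or-restart` also starts `dbus.service` when it is inactive and restarts it when reload is unsupported, and a restart of the system bus disconnects every client; the comment should state which case motivated the change, e.g. `# reload-or-restart also starts dbus if it is not running yet` if that is the reason. I am inferring the motivation, the commit does not say.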
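Review bot: The added `"--option", "build-users-group", ""` argument disables the build-users feature for this `nix-env --list-generations` call without saying why; a comment such as `# listing generations performs no builds, and the build-users group may not exist in this environment` would keep the next reader from removing it as unnecessary (the reason is my inference from where this script runs, adjust if wrong). The same unexplained option is added twice in the google-compute-image.nix hunk further down, where one comment would cover both calls. `get_generations` starts outside the hunk.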
@@ -58,7 +58,7 @@ let "simple" "forking" "oneshot" "dbus" "notify" "idle" ]) (assertValueOneOf "Restart" [ - "no" "on-success" "on-failure" "on-abort" "always" + "no" "on-success" "on-failure" "on-abnormal" "on-abort" "always" ]) ]; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 05f8c8009bfd..053a85c4c5b9 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -695,21 +695,21 @@ in default = {}; type = types.attrsOf types.optionSet; options = [ linkOptions ]; - description = "Definiton of systemd network links."; + description = "Definition of systemd network links."; }; systemd.network.netdevs = mkOption { default = {}; type = types.attrsOf types.optionSet; options = [ netdevOptions ]; - description = "Definiton of systemd network devices."; + description = "Definition of systemd network devices."; }; systemd.network.networks = mkOption { default = {}; type = types.attrsOf types.optionSet; options = [ networkOptions networkConfig ]; - description = "Definiton of systemd networks."; + description = "Definition of systemd networks."; }; systemd.network.units = mkOption { @@ -858,6 +858,13 @@ in description = "Definition of systemd per-user service units."; }; + systemd.user.timers = mkOption { + default = {}; + type = types.attrsOf types.optionSet; + options = [ timerOptions unitConfig ]; + description = "Definition of systemd per-user timer units."; + }; + systemd.user.sockets = mkOption { default = {}; type = types.attrsOf types.optionSet; 
@@ -978,8 +985,9 @@ in // mapAttrs' (n: v: nameValuePair "${n}.network" (networkToUnit n v)) cfg.network.networks; systemd.user.units = - mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.user.services - // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.user.sockets; + mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.user.services + // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.user.sockets + // mapAttrs' (n: v: nameValuePair "${n}.timer" (timerToUnit n v)) cfg.user.timers; system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled [ "DEVTMPFS" "CGROUPS" "INOTIFY_USER" "SIGNALFD" "TIMERFD" "EPOLL" "NET" diff --git a/nixos/modules/system/etc/setup-etc.pl b/nixos/modules/system/etc/setup-etc.pl index d7e15eccefcd..89a49b972ff9 100644 --- a/nixos/modules/system/etc/setup-etc.pl +++ b/nixos/modules/system/etc/setup-etc.pl @@ -12,8 +12,8 @@ sub atomicSymlink { my ($source, $target) = @_; my $tmp = "$target.tmp"; unlink $tmp; - symlink $source, $tmp or return 1; - rename $tmp, $target or return 1; + symlink $source, $tmp or return 0; + rename $tmp, $target or return 0; return 1; } diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix index 75c4f93c6917..79de6556f251 100644 --- a/nixos/modules/tasks/filesystems/nfs.nix +++ b/nixos/modules/tasks/filesystems/nfs.nix @@ -38,7 +38,7 @@ in default = null; example = 4000; description = '' - Use fixed port for rpc.statd, usefull if NFS server is behind firewall. + Use fixed port for rpc.statd, useful if NFS server is behind firewall. ''; }; lockdPort = mkOption { @@ -46,7 +46,7 @@ in example = 4001; description = '' Use fixed port for NFS lock manager kernel module (lockd/nlockmgr), - usefull if NFS server is behind firewall. + useful if NFS server is behind firewall. ''; }; }; 
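Review bot: `atomicSymlink` now correctly reports failure, but a failed `rename` leaves `$target.tmp` behind and neither failure branch records `$!`, so the caller (outside this hunk) receives a bare false with no reason. Consider `rename $tmp, $target or do { unlink $tmp; return 0 };` and a `warn` carrying `$!` on both branches unless the caller already prints one. The result of `unlink $tmp` is also ignored, which is fine for a stale file but hides a permission error that will make the following `symlink` fail as well.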
diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 9d61a4b05301..fd545a723e76 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -185,8 +185,9 @@ in in { description = "Bridge Interface ${n}"; wantedBy = [ "network.target" (subsystemDevice n) ]; - bindsTo = deps; - after = [ "network-pre.target" ] ++ deps + bindsTo = deps ++ optional v.rstp "mstpd.service"; + partOf = optional v.rstp "mstpd.service"; + after = [ "network-pre.target" "mstpd.service" ] ++ deps ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces; before = [ "network-interfaces.target" (subsystemDevice n) ]; serviceConfig.Type = "oneshot"; @@ -206,6 +207,11 @@ in ip link set "${i}" up '')} + # Enable stp on the interface + ${optionalString v.rstp '' + echo 2 >/sys/class/net/${n}/bridge/stp_state + ''} + ip link set "${n}" up ''; postStop = '' diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 4a272483e549..71a721abba21 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix 
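Review bot: `after = [ "network-pre.target" "mstpd.service" ] ++ deps` orders every bridge after `mstpd.service` even when `v.rstp` is false, while `bindsTo` and `partOf` add it only conditionally; for consistency use `after = [ "network-pre.target" ] ++ optional v.rstp "mstpd.service" ++ deps`. Ordering after a unit that does not exist is harmless to systemd, so this is a clarity point rather than a failure. The `echo 2 >/sys/class/net/${n}/bridge/stp_state` line would also benefit from a comment saying what 2 selects (user-space STP delegated to /sbin/bridge-stp, if I read the kernel interface right), since `# Enable stp on the interface` does not explain why 1 is not used.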
@@ -16,6 +16,35 @@ let slaveIfs = map (i: cfg.interfaces.${i}) (filter (i: cfg.interfaces ? ${i}) slaves); + rstpBridges = flip filterAttrs cfg.bridges (_: { rstp, ... }: rstp); + + needsMstpd = rstpBridges != { }; + + bridgeStp = optional needsMstpd (pkgs.writeTextFile { + name = "bridge-stp"; + executable = true; + destination = "/bin/bridge-stp"; + text = '' + #!${pkgs.stdenv.shell} -e + export PATH="${pkgs.mstpd}/bin" + + BRIDGES=(${concatStringsSep " " (attrNames rstpBridges)}) + for BRIDGE in $BRIDGES; do + if [ "$BRIDGE" = "$1" ]; then + if [ "$2" = "start" ]; then + mstpctl addbridge "$BRIDGE" + exit 0 + elif [ "$2" = "stop" ]; then + mstpctl delbridge "$BRIDGE" + exit 0 + fi + exit 1 + fi + done + exit 1 + ''; + }); + # We must escape interfaces due to the systemd interpretation subsystemDevice = interface: "sys-subsystem-net-devices-${escapeSystemdPath interface}.device"; @@ -368,6 +397,13 @@ in "The physical network interfaces connected by the bridge."; }; + rstp = mkOption { + example = true; + default = false; + type = types.bool; + description = "Whether the bridge interface should enable rstp."; + }; + }; }; @@ -676,7 +712,7 @@ in pkgs.iw pkgs.rfkill pkgs.openresolv - ]; + ] ++ bridgeStp; systemd.targets."network-interfaces" = { description = "All Network Interfaces"; @@ -724,6 +760,9 @@ in ip link set "${i.name}" mtu "${toString i.mtu}" ''; }))); + + services.mstpd = mkIf needsMstpd { enable = true; }; + }; } diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index 4b4284d85319..f37bbd0246da 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix 
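Review bot: In the `bridge-stp` script, `for BRIDGE in $BRIDGES; do` expands only the first element of the bash array `BRIDGES=(...)`, so with two or more RSTP bridges every bridge after the first falls through to `exit 1` and never reaches `mstpctl addbridge`; it should read `for BRIDGE in "''${BRIDGES[@]}"; do`, with the `''$` escape because this is inside a Nix indented string. The `exit 1` taken for an unrecognised `$2` could also echo the argument to stderr so a misbehaving caller is diagnosable. `bridgeStp` lives in a `let` that continues outside the hunk.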
@@ -38,6 +38,11 @@ let kernel = config.boot.kernelPackages.kernel; in systemd.services."serial-getty@ttyS0".enable = false; systemd.services."serial-getty@hvc0".enable = false; + # Don't use a pager when executing backdoor actions. Because we + # use a tty, commands like systemctl or nix-store get confused + # into thinking they're running interactively. + environment.variables.PAGER = ""; + boot.initrd.postDeviceCommands = '' # Using acpi_pm as a clock source causes the guest clock to diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 994a00fb028f..075ec0ea2277 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -111,6 +111,13 @@ in ''; }; + autoStart = mkOption { + type = types.bool; + default = false; + description = '' + Wether the container is automatically started at boot-time. + ''; + }; }; config = mkMerge @@ -187,7 +194,7 @@ in script = '' mkdir -p -m 0755 "$root/etc" "$root/var/lib" - mkdir -p -m 0700 "$root/var/lib/private" + mkdir -p -m 0700 "$root/var/lib/private" "$root/root" if ! [ -e "$root/etc/os-release" ]; then touch "$root/etc/os-release" fi @@ -305,6 +312,9 @@ in LOCAL_ADDRESS=${cfg.localAddress} ''} ''} + ${optionalString cfg.autoStart '' + AUTO_START=1 + ''} ''; }) config.containers; diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix index 93a83a3e42af..15114b1e76ac 100644 --- a/nixos/modules/virtualisation/ec2-data.nix +++ b/nixos/modules/virtualisation/ec2-data.nix @@ -44,7 +44,7 @@ with lib; # into the image (a Nova feature). if ! [ -e /root/.ssh/authorized_keys ]; then echo "obtaining SSH key..." - mkdir -p /root/.ssh + mkdir -m 0700 -p /root/.ssh $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub if [ $? -eq 0 -a -e /root/key.pub ]; then if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then 
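Review bot: The `autoStart` description has a typo, `Wether the container is automatically started at boot-time.`, and should read `Whether the container is automatically started at boot time.`; it could also mention that the option is what emits the `AUTO_START=1` line into the container's config file further down in this file, since a reader of the option cannot see that from here.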
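Review bot: `mkdir -m 0700 -p /root/.ssh` applies the mode only when it creates the directory; a pre-existing `/root/.ssh` with a wider mode is left as is, which is exactly the case the stage-2-init.sh hunk earlier in this diff handles with an explicit `chmod 0700 /root` after its `mkdir`. Adding `chmod 0700 /root/.ssh` after the `mkdir` closes that gap; the same line in the google-compute-image.nix hunk below has the same issue.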
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 697423ac60be..4d493b3896f2 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -63,11 +63,12 @@ in # Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db + chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" # Create the system profile to allow nixos-rebuild to work. chroot /mnt ${config.nix.package}/bin/nix-env \ - -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} + -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \ + --option build-users-group "" # `nixos-rebuild' requires an /etc/NIXOS. mkdir -p /mnt/etc @@ -119,6 +120,8 @@ in 169.254.169.254 metadata.google.internal metadata ''; + services.ntp.servers = [ "metadata.google.internal" ]; + networking.usePredictableInterfaceNames = false; systemd.services.fetch-ssh-keys = 
@@ -129,15 +132,15 @@ in after = [ "network-online.target" ]; wants = [ "network-online.target" ]; - path = [ pkgs.wget ]; - script = + script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 6 --waitretry=10"; in '' - wget="wget --retry-connrefused -t 6 --waitretry=10" + # When dealing with cryptographic keys, we want to keep things private. + umask 077 # Don't download the SSH key if it has already been downloaded if ! [ -e /root/.ssh/authorized_keys ]; then echo "obtaining SSH key..." - mkdir -p /root/.ssh - $wget -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys + mkdir -m 0700 -p /root/.ssh + ${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then 
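Review bot: The `${wget} -O /root/authorized-keys-metadata ...` call has no `&& :` after it, unlike the host-key downloads in the next hunk, so if the service script runs under `set -e` (which I believe NixOS `script` bodies do) a failed download aborts the script before the `$?` test and before any host key is fetched, instead of falling through to the `if`. Append `&& :` here for consistency with the later loop. The `umask 077` addition is a good change and also covers the scratch files written with `-O`.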
@@ -145,24 +148,30 @@ in echo "new key added to authorized_keys" fi chmod 600 /root/.ssh/authorized_keys - rm -f /root/key.pub /root/authorized-keys-metadata fi + rm -f /root/key.pub /root/authorized-keys-metadata fi - echo "obtaining SSH private host key..." - $wget -O /root/ssh_host_ecdsa_key http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key - if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key ]; then - mv -f /root/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key - echo "downloaded ssh_host_ecdsa_key" - chmod 600 /etc/ssh/ssh_host_ecdsa_key - fi + countKeys=0 + ${flip concatMapStrings config.services.openssh.hostKeys (k : + let kName = baseNameOf k.path; in '' + echo "trying to obtain SSH private host key ${kName}" + ${wget} -O /root/${kName} http://metadata/0.1/meta-data/attributes/${kName} && : + if [ $? -eq 0 -a -e /root/${kName} ]; then + countKeys=$((countKeys+1)) + mv -f /root/${kName} ${k.path} + echo "downloaded ${k.path}" + chmod 600 ${k.path} + ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub + chmod 644 ${k.path}.pub + fi + rm -f /root/${kName} + '' + )} - echo "obtaining SSH public host key..." - $wget -O /root/ssh_host_ecdsa_key.pub http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key_pub - if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key.pub ]; then - mv -f /root/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub - echo "downloaded ssh_host_ecdsa_key.pub" - chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub + if [[ $countKeys -le 0 ]]; then + echo "failed to obtain any SSH private host keys." + false fi ''; serviceConfig.Type = "oneshot"; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 42986aa3e033..33c64cc890e0 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix 
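Review bot: Each host private key is fetched over plain HTTP from `http://metadata/0.1/meta-data/attributes/${kName}`, which makes the metadata server the trust anchor for host identity and, as far as I know, leaves the key readable by any process on the instance that can reach that server; this predates the change, but a comment at the top of the loop stating that model would make it explicit for the next reader. `kName = baseNameOf k.path` doubles as metadata attribute name and scratch file name, so two entries in `config.services.openssh.hostKeys` with the same base name in different directories would collide on `/root/${kName}`; unlikely, but cheap to mention in the same comment. The `systemd.services.fetch-ssh-keys` definition starts outside this hunk.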
@@ -266,7 +266,7 @@ in Networking-related command-line options that should be passed to qemu. The default is to use userspace networking (slirp). - If you override this option, be adviced to keep + If you override this option, be advised to keep ''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} (as seen in the default) to keep the default runtime behaviour. ''; diff --git a/nixos/release-small.nix b/nixos/release-small.nix index 07cd672843ea..7f53a101bdfc 100644 --- a/nixos/release-small.nix +++ b/nixos/release-small.nix @@ -61,12 +61,12 @@ in rec { gettext git imagemagick + jdk linux mysql51 mysql55 nginx nodejs - openjdk openssh php postgresql92 diff --git a/nixos/release.nix b/nixos/release.nix index 04b8fd9bf675..c2760965d200 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -242,6 +242,7 @@ in rec { tests.avahi = callTest tests/avahi.nix {}; tests.bittorrent = callTest tests/bittorrent.nix {}; tests.blivet = callTest tests/blivet.nix {}; + tests.cadvisor = scrubDrv (import tests/cadvisor.nix { system = "x86_64-linux"; }); tests.chromium = callTest tests/chromium.nix {}; tests.cjdns = callTest tests/cjdns.nix {}; tests.containers = callTest tests/containers.nix {}; diff --git a/nixos/tests/cadvisor.nix b/nixos/tests/cadvisor.nix new file mode 100644 index 000000000000..225bf1a7483d --- /dev/null +++ b/nixos/tests/cadvisor.nix 
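Review bot: `tests.cadvisor = scrubDrv (import tests/cadvisor.nix { system = "x86_64-linux"; });` hard-codes the system while every neighbouring test goes through `callTest`; if the test really is x86_64-only, a trailing `# x86_64 only: <reason>` comment would stop someone "fixing" it back, and if it is not, `tests.cadvisor = callTest tests/cadvisor.nix {};` is the consistent form.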
@@ -0,0 +1,30 @@ +import ./make-test.nix { + name = "cadvisor"; + + nodes = { + machine = { config, pkgs, ... }: { + services.cadvisor.enable = true; + }; + + influxdb = { config, pkgs, lib, ... }: with lib; { + services.cadvisor.enable = true; + services.cadvisor.storageDriver = "influxdb"; + services.influxdb.enable = true; + systemd.services.influxdb.postStart = mkAfter '' + ${pkgs.curl}/bin/curl -X POST 'http://localhost:8086/db?u=root&p=root' \ + -d '{"name": "root"}' + ''; + }; + }; + + testScript = + '' + startAll; + $machine->waitForUnit("cadvisor.service"); + $machine->succeed("curl http://localhost:8080/containers/"); + + $influxdb->waitForUnit("influxdb.service"); + $influxdb->waitForUnit("cadvisor.service"); + $influxdb->succeed("curl http://localhost:8080/containers/"); + ''; +} diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 641ff924e14e..af9e6365a9fe 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -190,6 +190,9 @@ let $machine->succeed("test -e /boot/grub"); + # Check whether /root has correct permissions. + $machine->succeed("stat -c '%a' /root") =~ /700/ or die; + # Did the swap device get activated? # uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved #$machine->waitForUnit("swap.target"); |
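Review bot: `$machine->succeed("curl http://localhost:8080/containers/")` passes on any HTTP reply, including a 404 or 500, because curl without `-f` only fails on transport errors; use `curl -f http://localhost:8080/containers/` here and in the `$influxdb` call so the test actually checks that the endpoint serves. The influxdb `postStart` creates the database with the `u=root&p=root` bootstrap credentials, which is acceptable in a throwaway test VM but deserves a one-line comment saying so.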