Diffstat (limited to 'nixos')
69 files changed, 1724 insertions, 1119 deletions
diff --git a/nixos/doc/manual/configuration.xml b/nixos/doc/manual/configuration.xml index 965ba73105ad..e93c49d1ccec 100644 --- a/nixos/doc/manual/configuration.xml +++ b/nixos/doc/manual/configuration.xml @@ -592,7 +592,7 @@ users.extraUsers.alice.openssh.authorizedKeys.keys = <section><title>IPv4 configuration</title> <para>By default, NixOS uses DHCP (specifically, -(<command>dhcpcd</command>)) to automatically configure network +<command>dhcpcd</command>) to automatically configure network interfaces. However, you can configure an interface manually as follows: diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index e6edb30985c1..56ad652c60ed 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -3,6 +3,8 @@ , revision ? "HEAD" }: +with pkgs.lib; + let # To prevent infinite recursion, remove system.path from the @@ -12,7 +14,7 @@ let { system = removeAttrs options.system ["path"]; }; optionsXML = builtins.toFile "options.xml" (builtins.unsafeDiscardStringContext - (builtins.toXML (pkgs.lib.optionAttrSetToDocList "" options_))); + (builtins.toXML (optionAttrSetToDocList options_))); optionsDocBook = pkgs.runCommand "options-db.xml" {} '' ${pkgs.libxslt}/bin/xsltproc \ @@ -26,7 +28,7 @@ in rec { manual = pkgs.stdenv.mkDerivation { name = "nixos-manual"; - sources = pkgs.lib.sourceFilesBySuffices ./. [".xml"]; + sources = sourceFilesBySuffices ./. [".xml"]; buildInputs = [ pkgs.libxml2 pkgs.libxslt ]; @@ -71,7 +73,7 @@ in rec { manpages = pkgs.stdenv.mkDerivation { name = "nixos-manpages"; - sources = pkgs.lib.sourceFilesBySuffices ./. [".xml"]; + sources = sourceFilesBySuffices ./. [".xml"]; buildInputs = [ pkgs.libxml2 pkgs.libxslt ]; diff --git a/nixos/doc/manual/development.xml b/nixos/doc/manual/development.xml index d8b5f6f571cc..7b4e6df5f878 100644 --- a/nixos/doc/manual/development.xml +++ b/nixos/doc/manual/development.xml 
@@ -414,7 +414,7 @@ properly: <screen> $ export NIXOS_CONFIG=/etc/nixos/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix -$ nix-build /etc/nixos/nixos -A config.system.build.nixosInstall +$ nix-build /etc/nixos/nixos -A config.system.build.nixos-install $ dd if=/dev/zero of=diskimage seek=2G count=0 bs=1 $ yes | mke2fs -j diskimage $ mount -o loop diskimage /mnt diff --git a/nixos/doc/manual/man-nixos-generate-config.xml b/nixos/doc/manual/man-nixos-generate-config.xml new file mode 100644 index 000000000000..ff69d8d91701 --- /dev/null +++ b/nixos/doc/manual/man-nixos-generate-config.xml 
@@ -0,0 +1,191 @@ +<refentry xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude"> + +<refmeta> + <refentrytitle><command>nixos-generate-config</command></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">NixOS</refmiscinfo> + <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> +</refmeta> + +<refnamediv> + <refname><command>nixos-generate-config</command></refname> + <refpurpose>generate NixOS configuration modules</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>nixos-generate-config</command> + <arg><option>--force</option></arg> + <arg> + <arg choice='plain'><option>--root</option></arg> + <replaceable>root</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--dir</option></arg> + <replaceable>dir</replaceable> + </arg> + </cmdsynopsis> +</refsynopsisdiv> + + +<refsection><title>Description</title> + +<para>This command writes two NixOS configuration modules: + +<variablelist> + + <varlistentry> + <term><option>/etc/nixos/hardware-configuration.nix</option></term> + <listitem> + <para>This module sets NixOS configuration options based on your + current hardware configuration. In particular, it sets the + <option>fileSystem</option> option to reflect all currently + mounted file systems, the <option>swapDevices</option> option to + reflect active swap devices, and the + <option>boot.initrd.*</option> options to ensure that the + initial ramdisk contains any kernel modules necessary for + mounting the root file system.</para> + + <para>If this file already exists, it is overwritten. Thus, you + should not modify it manually. 
Rather, you should include it + from your <filename>/etc/nixos/configuration.nix</filename>, and + re-run <command>nixos-generate-config</command> to update it + whenever your hardware configuration changes.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>/etc/nixos/configuration.nix</option></term> + <listitem> + <para>This is the main NixOS system configuration module. If it + already exists, it’s left unchanged. Otherwise, + <command>nixos-generate-config</command> will write a template + for you to customise.</para> + </listitem> + </varlistentry> + +</variablelist> + +</para> + +</refsection> + + +<refsection><title>Options</title> + +<para>This command accepts the following options:</para> + +<variablelist> + + <varlistentry> + <term><option>--root</option></term> + <listitem> + <para>If this option is given, treat the directory + <replaceable>root</replaceable> as the root of the file system. + This means that configuration files will be written to + <filename><replaceable>root</replaceable>/etc/nixos</filename>, + and that any file systems outside of + <replaceable>root</replaceable> are ignored for the purpose of + generating the <option>fileSystems</option> option.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--dir</option></term> + <listitem> + <para>If this option is given, write the configuration files to + the directory <replaceable>dir</replaceable> instead of + <filename>/etc/nixos</filename>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--force</option></term> + <listitem> + <para>Overwrite + <filename>/etc/nixos/configuration.nix</filename> if it already + exists.</para> + </listitem> + </varlistentry> + +</variablelist> + +</refsection> + + +<refsection><title>Examples</title> + +<para>This command is typically used during NixOS installation to +write initial configuration modules. 
For example, if you created and +mounted the target file systems on <filename>/mnt</filename> and +<filename>/mnt/boot</filename>, you would run: + +<screen> +$ nixos-generate-config --root /mnt +</screen> + +The resulting file +<filename>/mnt/etc/nixos/hardware-configuration.nix</filename> might +look like this: + +<programlisting> +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, pkgs, ... }: + +{ + imports = + [ <nixos/modules/installer/scan/not-detected.nix> + ]; + + boot.initrd.availableKernelModules = [ "ehci_hcd" "ahci" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-label/nixos"; + fsType = "ext3"; + options = "rw,data=ordered,relatime"; + }; + + fileSystems."/boot" = + { device = "/dev/sda1"; + fsType = "ext3"; + options = "rw,errors=continue,user_xattr,acl,barrier=1,data=writeback,relatime"; + }; + + swapDevices = + [ { device = "/dev/sda2"; } + ]; + + nix.maxJobs = 8; +} +</programlisting> + +It will also create a basic +<filename>/mnt/etc/nixos/configuration.nix</filename>, which you +should edit to customise the logical configuration of your system. +This file includes the result of the hardware scan as follows: + +<programlisting> + imports = [ ./hardware-configuration.nix ]; +</programlisting> +</para> + +<para>After installation, if your hardware configuration changes, you +can run: + +<screen> +$ nixos-generate-config +</screen> + +to update <filename>/etc/nixos/hardware-configuration.nix</filename>. +Your <filename>/etc/nixos/configuration.nix</filename> will +<emphasis>not</emphasis> be overwritten.</para> + +</refsection> + +</refentry> diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml new file mode 100644 index 000000000000..d5157859857b --- /dev/null 
+++ b/nixos/doc/manual/man-nixos-install.xml 
@@ -0,0 +1,78 @@ +<refentry xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude"> + +<refmeta> + <refentrytitle><command>nixos-install</command></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">NixOS</refmiscinfo> + <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> +</refmeta> + +<refnamediv> + <refname><command>nixos-install</command></refname> + <refpurpose>install NixOS</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>nixos-install</command> + </cmdsynopsis> +</refsynopsisdiv> + + +<refsection><title>Description</title> + +<para>This command installs NixOS in the file system mounted on +<filename>/mnt</filename>, based on the NixOS configuration specified +in <filename>/mnt/etc/nixos/configuration.nix</filename>. It performs +the following steps: + +<itemizedlist> + + <listitem><para>It copies Nix and its dependencies to + <filename>/mnt/nix/store</filename>.</para></listitem> + + <listitem><para>It runs Nix in <filename>/mnt</filename> to build + the NixOS configuration specified in + <filename>/mnt/etc/nixos/configuration.nix</filename>.</para></listitem> + + <listitem><para>It installs the GRUB boot loader on the device + specified in the option <option>boot.loader.grub.device</option>, + and generates a GRUB configuration file that boots into the NixOS + configuration just installed.</para></listitem> + +</itemizedlist> + +</para> + +<para>This command is idempotent: if it is interrupted or fails due to +a temporary problem (e.g. a network issue), you can safely re-run +it.</para> + +</refsection> + + +<refsection><title>Examples</title> + +<para>A typical NixOS installation is done by creating and mounting a +file system on <filename>/mnt</filename>, generating a NixOS +configuration in +<filename>/mnt/etc/nixos/configuration.nix</filename>, and running +<command>nixos-install</command>. 
For instance, if we want to install +NixOS on an <literal>ext4</literal> file system created in +<filename>/dev/sda1</filename>: + +<screen> +$ mkfs.ext4 /dev/sda1 +$ mount /dev/sda1 /mnt +$ nixos-generate-config --root /mnt +$ # edit /mnt/etc/nixos/configuration.nix +$ nixos-install +</screen> + +</para> + +</refsection> + +</refentry> diff --git a/nixos/doc/manual/man-nixos-option.xml b/nixos/doc/manual/man-nixos-option.xml index f7a8ce403dc1..bd180363e70d 100644 --- a/nixos/doc/manual/man-nixos-option.xml +++ b/nixos/doc/manual/man-nixos-option.xml @@ -18,17 +18,12 @@ <cmdsynopsis> <command>nixos-option</command> <group choice="opt"> - <option>-i</option> - <option>v</option> - <option>d</option> - <option>l</option> + <option>-v</option> + <option>-d</option> + <option>-l</option> </group> <arg choice='plain'><replaceable>option.name</replaceable></arg> </cmdsynopsis> - <cmdsynopsis> - <command>nixos-option</command> - <arg choice='plain'><option>--install</option></arg> - </cmdsynopsis> </refsynopsisdiv> @@ -40,16 +35,7 @@ of the option name given as argument. By default, it returns the value of the option.</para> <para>When the option name is not an option, the command prints the list of -attributes in contained in the attribute set. This could used to provide -completion in some editors.</para> - -<para>When the option <option>--install</option> (or <option>-i</option>) is -used with no option name, this command generates a template configuration -with a scan of the target system. It produces a template configuration -in <filename>/etc/nixos/configuration.nix</filename>, and a scan of the -machine in <filename>/etc/nixos/hardware-configuration.nix</filename>. The -scan of the machine is produced -by <command>nixos-hardware-scan</command>.</para> +attributes contained in the attribute set.</para> </refsection> 
@@ -60,15 +46,6 @@ by <command>nixos-hardware-scan</command>.</para> <variablelist> <varlistentry> - <term><option>--install</option>, <option>-i</option></term> - <listitem> - <para>Use the installation configuration instead of current system - configuration. Generate a template configuration if no option name is - specified.</para> - </listitem> - </varlistentry> - - <varlistentry> <term><option>--value</option>, <option>-v</option></term> <listitem> <para>Returns the value of the option. This is the default operation @@ -103,15 +80,6 @@ by <command>nixos-hardware-scan</command>.</para> <variablelist> <varlistentry> - <term><envar>mountPoint</envar></term> - <listitem> - <para>Location of the target file system. Defaults to - <filename>/mnt</filename>. This environment variable is only used in - combinaison with <option>--install</option> option.</para> - </listitem> - </varlistentry> - - <varlistentry> <term><envar>NIXOS_CONFIG</envar></term> <listitem> <para>Path to the main NixOS configuration module. Defaults to diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml index e43dafd3cfec..e08153c723d9 100644 --- a/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixos/doc/manual/man-nixos-rebuild.xml @@ -33,6 +33,14 @@ <arg><option>--fast</option></arg> <arg><option>--rollback</option></arg> <sbr /> + <arg> + <group choice='req'> + <arg choice='plain'><option>--profile-name</option></arg> + <arg choice='plain'><option>-p</option></arg> + </group> + <replaceable>name</replaceable> + </arg> + <sbr /> <arg><option>--show-trace</option></arg> </cmdsynopsis> </refsynopsisdiv> 
@@ -229,7 +237,34 @@ $ ./result/bin/run-*-vm <filename>/etc/nixos/configuration.nix</filename>, roll back to the previous configuration. (The previous configuration is defined as the one before the “current” generation of the - profile <filename>/nix/var/nix/profiles/system</filename>.)</para> + Nix profile <filename>/nix/var/nix/profiles/system</filename>.)</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--profile-name</option></term> + <term><option>-p</option></term> + <listitem> + <para>Instead of using the Nix profile + <filename>/nix/var/nix/profiles/system</filename> to keep track + of the current and previous system configurations, use + <filename>/nix/var/nix/profiles/system-profiles/<replaceable>name</replaceable></filename>. + When you use GRUB 2, for every system profile created with this + flag, NixOS will create a submenu named “NixOS - Profile + '<replaceable>name</replaceable>'” in GRUB’s boot menu, + containing the current and previous configurations of this + profile.</para> + + <para>For instance, if you want to test a configuration file + named <filename>test.nix</filename> without affecting the + default system profile, you would do: + +<screen> +$ nixos-rebuild switch -p test -I nixos-config=./test.nix +</screen> + + The new configuration will appear in the GRUB 2 submenu “NixOS - Profile + 'test'”.</para> </listitem> </varlistentry> diff --git a/nixos/doc/manual/man-pages.xml b/nixos/doc/manual/man-pages.xml index 7840e1b897b0..467864e208bd 100644 --- a/nixos/doc/manual/man-pages.xml +++ b/nixos/doc/manual/man-pages.xml 
@@ -15,17 +15,17 @@ </author> <copyright> - <year>2007</year> - <year>2008</year> - <year>2009</year> + <year>2007-2013</year> <holder>Eelco Dolstra</holder> </copyright> - + </info> - + <xi:include href="man-configuration.xml" /> - <xi:include href="man-nixos-rebuild.xml" /> - <xi:include href="man-nixos-option.xml" /> <xi:include href="man-nixos-build-vms.xml" /> - + <xi:include href="man-nixos-generate-config.xml" /> + <xi:include href="man-nixos-install.xml" /> + <xi:include href="man-nixos-option.xml" /> + <xi:include href="man-nixos-rebuild.xml" /> + </reference> diff --git a/nixos/doc/manual/userconfiguration.xml b/nixos/doc/manual/userconfiguration.xml deleted file mode 100644 index 7c6540caf3a7..000000000000 --- a/nixos/doc/manual/userconfiguration.xml +++ /dev/null 
@@ -1,80 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink"> - -<title>Configuration in home directory</title> - - -<!--===============================================================--> - -<section> -<title>Compiz Fusion</title> -<para> - Compiz Fusion is just a set of plugins for Compiz. Your best interest is to have - them found both by Compiz and by Compiz Configuration Settings (also in Compiz Fusion - distribution). By default they look in Compiz installation path and in home directory. - You do not need to track /nix/store manually - everything is already in - /run/current-system/sw/share. - - <orderedlist> - <listitem><para><filename>$HOME/.compiz/plugins</filename> - should contain plugins you want to load. All the installed - plugins are available in - <filename>/run/current-system/sw/share/compiz-plugins/compiz/</filename>, - so you can use symlinks to this directory. - </para></listitem> - - <listitem><para><filename>$HOME/.compiz/metadata</filename> - should contain metadata (definition of configuration options) for plugins - you want to load. All the installed metadata is available in - <filename>/run/current-system/sw/share/compiz/</filename>, - so you can use symlinks to this directory. - </para></listitem> - - <listitem><para> - Probably a way to load <literal>GConf</literal> configuration backend by default - should be found, but if you run <literal>Compiz</literal> with - <literal>GConf</literal> configuration (default for <literal>X server</literal> job - for now), you have to link - <filename>/run/current-system/sw/share/compizconfig/backends/</filename> - into <filename>$HOME/.compizconfig/backends</filename> directory. 
- </para></listitem> - - </orderedlist> - - To summarize the above, these are the commands you have to execute - <command>ln -s /run/current-system/sw/share/compiz/ $HOME/.compiz/metadata</command> - <command>ln -s /run/current-system/sw/share/compiz-plugins/compiz/ $HOME/.compiz/plugins</command> - <command>ln -s /run/current-system/sw/share/compizconfig/backends/ $HOME/.compizconfig/backends</command> - - Now you can launch <literal>ccsm</literal> and configure everything. You should select - GConf as a backend in the preferences menu of <literal>ccsm</literal> -</para> -</section> - -<section> -<title>Pidgin-LaTeX</title> -<para> - To have pidgin-latex plugin working after installation, you need the following: - <orderedlist> - <listitem><para> - Symlink <filename>/run/current-system/sw/share/pidgin-latex/pidgin-latex.so</filename> - to <filename>$HOME/.purple/plugins/pidgin-latex.so</filename> - </para></listitem> - <listitem><para> - Enable smileys. If you do not want to, you can create - <filename>$HOME/.purple/smileys/empty/theme</filename> with the following contents: - <programlisting> - Name=Empty - Description=No predefined smileys - Author=Nobody - </programlisting> - Enabling this theme will enable smileys, but define none. - </para></listitem> - <listitem><para> - Enable the plugin. - </para></listitem> - </orderedlist> - </para> - </section> - -</chapter> diff --git a/nixos/lib/build-vms.nix b/nixos/lib/build-vms.nix index aad85aedc48e..d20fbc1cc663 100644 --- a/nixos/lib/build-vms.nix +++ b/nixos/lib/build-vms.nix @@ -1,6 +1,6 @@ { system, minimal ? false }: -let pkgs = import ../.. { config = {}; inherit system; }; in +let pkgs = import ./nixpkgs.nix { config = {}; inherit system; }; in with pkgs.lib; with import ../lib/qemu-flags.nix; diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index 89f81cf70bd9..72ba66cdbac4 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix 
@@ -30,7 +30,7 @@ rec { extraArgs = extraArgs_ // { inherit pkgs modules baseModules; modulesPath = ../modules; - pkgs_i686 = import ../.. { system = "i686-linux"; }; + pkgs_i686 = import ./nixpkgs.nix { system = "i686-linux"; }; utils = import ./utils.nix pkgs; }; @@ -47,7 +47,7 @@ rec { pkgs = if pkgs_ != null then pkgs_ - else import ../.. ( + else import ./nixpkgs.nix ( let system = if nixpkgsOptions.system != "" then nixpkgsOptions.system else system_; nixpkgsOptions = (import ./eval-config.nix { @@ -55,7 +55,7 @@ rec { # For efficiency, leave out most NixOS modules; they don't # define nixpkgs.config, so it's pointless to evaluate them. baseModules = [ ../modules/misc/nixpkgs.nix ]; - pkgs = import ../.. { system = system_; config = {}; }; + pkgs = import ./nixpkgs.nix { system = system_; config = {}; }; }).optionDefinitions.nixpkgs; in { diff --git a/nixos/lib/nixpkgs.nix b/nixos/lib/nixpkgs.nix new file mode 100644 index 000000000000..10096f58c79a --- /dev/null +++ b/nixos/lib/nixpkgs.nix @@ -0,0 +1,8 @@ +/* Terrible backward compatibility hack to get the path to Nixpkgs + from here. Usually, that's the relative path ‘../..’. However, + when using the NixOS channel, <nixos> resolves to a symlink to + nixpkgs/nixos, so ‘../..’ doesn't resolve to the top-level Nixpkgs + directory but one above it. So check for that situation. */ +if builtins.pathExists ../../.version then import ../.. +else if builtins.pathExists ../../nixpkgs then import ../../nixpkgs +else abort "Can't find Nixpkgs, please set ‘NIX_PATH=nixpkgs=/path/to/nixpkgs’." diff --git a/nixos/lib/testing.nix b/nixos/lib/testing.nix index 7be0903ed3a8..3407229e921a 100644 --- a/nixos/lib/testing.nix +++ b/nixos/lib/testing.nix @@ -176,7 +176,10 @@ rec { let vm = buildVM { } [ machine - { key = "hostname"; networking.hostName = "client"; } + { key = "run-in-machine"; + networking.hostName = "client"; + nix.readOnlyStore = false; + } ]; buildrunner = writeText "vm-build" '' 
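Review bot: The abort message in the new nixos/lib/nixpkgs.nix tells the user to set `NIX_PATH=nixpkgs=/path/to/nixpkgs`, but the expression only probes `../../.version` and `../../nixpkgs` and never consults `<nixpkgs>`, so following that advice cannot change the outcome. Either add a third fallback that resolves `<nixpkgs>` when it is available, or reword the message to say where the directory is expected, e.g. `abort "Can't find Nixpkgs: expected it at ../.. or ../../nixpkgs relative to nixos/lib"`. The header comment could also spell out that the `.version` probe is what distinguishes a checkout from the channel layout where `<nixos>` is a symlink to nixpkgs/nixos.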
@@ -192,9 +195,11 @@ rec { testscript = '' startAll; + $client->waitForUnit("multi-user.target"); ${preBuild} $client->succeed("env -i ${pkgs.bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2"); ${postBuild} + $client->succeed("sync"); # flush all data before pulling the plug ''; vmRunCommand = writeText "vm-run" '' diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index 987b85d61656..c6e0f1577bb1 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -14,10 +14,7 @@ let { expr = builtins.readFile ../../../lib/channel-expr.nix; } '' mkdir -p $out/nixos - # FIXME: should use ../../../.. instead of <nixpkgs>, but that - # doesn't work properly if <nixos> is a symlink to - # nixpkgs/nixos. - cp -prd ${<nixpkgs>} $out/nixos/nixpkgs + cp -prd ${pkgs.path} $out/nixos/nixpkgs ln -s nixpkgs/nixos $out/nixos/nixos chmod -R u+w $out/nixos rm -rf $out/nixos/nixpkgs/.git diff --git a/nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh b/nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh index 0a6e8b920a11..f9cbfffde704 100644 --- a/nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh +++ b/nixos/modules/installer/tools/nixos-build-vms/nixos-build-vms.sh @@ -2,14 +2,9 @@ # Shows the usage of this command to the user -showUsage() -{ - echo "Usage: $0 network_expr" - echo "Options:" - echo - echo "--no-out-link Do not create a 'result' symlink" - echo "--show-trace Shows the output trace" - echo "-h,--help Shows the usage of this command" +showUsage() { + exec man nixos-build-vms + exit 1 } # Parse valid argument options diff --git a/nixos/modules/installer/tools/nixos-gen-seccure-keys.sh b/nixos/modules/installer/tools/nixos-gen-seccure-keys.sh deleted file mode 100644 index a97eef672f7e..000000000000 --- a/nixos/modules/installer/tools/nixos-gen-seccure-keys.sh +++ /dev/null 
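Review bot: `nix.readOnlyStore = false;` in the run-in-machine VM definition carries no comment, and the reason is not visible from the hunk; presumably the build that runs inside this VM has to write to its own /nix/store, but that should be stated, e.g. `# the build runs inside this VM and must be able to write to /nix/store`. The `key` rename from "hostname" to "run-in-machine" also changes the identifier this module is de-duplicated under, if I read the module system correctly, which is worth a word if anything else referenced the old key. The enclosing buildVM call continues past the first hunk.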
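Review bot: In the rewritten showUsage, `exit 1` is unreachable: `exec man nixos-build-vms` replaces the shell, so the function now terminates with man's exit status (typically 0 when the reader quits) rather than 1. If showUsage is also invoked for an unrecognized argument (the option parser is outside this hunk), an invalid invocation will no longer fail with a non-zero status and any wrapper script will not notice. Either run `man nixos-build-vms` without `exec` and keep the `exit 1`, or keep a short inline usage text for the error path.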
@@ -1,13 +0,0 @@ -#! @shell@ -e - -mkdir -p /var/elliptic-keys -chmod 0755 /var/elliptic-keys -cd /var/elliptic-keys -touch private -chmod 0700 private -dd if=/dev/urandom bs=128 count=1 of=private -chmod 0500 private -public=$(seccure-key -F private 2>&1) -echo ${public#*The public key is: } > public -chmod 0555 public - diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl new file mode 100644 index 000000000000..3418b0122de1 --- /dev/null +++ b/nixos/modules/installer/tools/nixos-generate-config.pl 
@@ -0,0 +1,452 @@ +#! @perl@ + +use File::Spec; +use File::Path; +use File::Basename; +use File::Slurp; + + +sub uniq { + my %seen; + my @res = (); + foreach my $s (@_) { + if (!defined $seen{$s}) { + $seen{$s} = 1; + push @res, $s; + } + } + return @res; +} + + +# Process the command line. +my $outDir = "/etc/nixos"; +my $rootDir = ""; # = / +my $force = 0; + +for (my $n = 0; $n < scalar @ARGV; $n++) { + my $arg = $ARGV[$n]; + if ($arg eq "--help") { + exec "man nixos-generate-config" or die; + } + elsif ($arg eq "--dir") { + $n++; + $outDir = $ARGV[$n]; + die "$0: ‘--dir’ requires an argument\n" unless defined $outDir; + } + elsif ($arg eq "--root") { + $n++; + $rootDir = $ARGV[$n]; + die "$0: ‘--root’ requires an argument\n" unless defined $rootDir; + $rootDir =~ s/\/*$//; # remove trailing slashes + } + elsif ($arg eq "--force") { + $force = 1; + } + else { + die "$0: unrecognized argument ‘$arg’\n"; + } +} + + +my @attrs = (); +my @kernelModules = (); +my @initrdKernelModules = (); +my @modulePackages = (); +my @imports = ("<nixos/modules/installer/scan/not-detected.nix>"); + + +sub debug { + return unless defined $ENV{"DEBUG"}; + print STDERR @_; +} + + +my $cpuinfo = read_file "/proc/cpuinfo"; + + +sub hasCPUFeature { + my $feature = shift; + return $cpuinfo =~ /^flags\s*:.* $feature( |$)/m; +} + + +# Detect the number of CPU cores. +my $cpus = scalar (grep {/^processor\s*:/} (split '\n', $cpuinfo)); + + +# Virtualization support? +push @kernelModules, "kvm-intel" if hasCPUFeature "vmx"; +push @kernelModules, "kvm-amd" if hasCPUFeature "svm"; + + +# Look at the PCI devices and add necessary modules. Note that most +# modules are auto-detected so we don't need to list them here. +# However, some are needed in the initrd to boot the system. 
+ +my $videoDriver; + +sub pciCheck { + my $path = shift; + my $vendor = read_file "$path/vendor"; + my $device = read_file "$path/device"; + my $class = read_file "$path/class"; + + my $module; + if (-e "$path/driver/module") { + $module = basename `readlink -f $path/driver/module`; + chomp $module; + } + + debug "$path: $vendor $device $class"; + debug " $module" if defined $module; + debug "\n"; + + if (defined $module) { + # See the bottom of http://pciids.sourceforge.net/pci.ids for + # device classes. + if (# Mass-storage controller. Definitely important. + $class =~ /^0x01/ || + + # Firewire controller. A disk might be attached. + $class =~ /^0x0c00/ || + + # USB controller. Needed if we want to use the + # keyboard when things go wrong in the initrd. + $class =~ /^0x0c03/ + ) + { + push @initrdAvailableKernelModules, $module; + } + } + + # broadcom STA driver (wl.ko) + # list taken from http://www.broadcom.com/docs/linux_sta/README.txt + if ($vendor eq "0x14e4" && + ($device eq "0x4311" || $device eq "0x4312" || $device eq "0x4313" || + $device eq "0x4315" || $device eq "0x4327" || $device eq "0x4328" || + $device eq "0x4329" || $device eq "0x432a" || $device eq "0x432b" || + $device eq "0x432c" || $device eq "0x432d" || $device eq "0x4353" || + $device eq "0x4357" || $device eq "0x4358" || $device eq "0x4359" ) ) + { + push @modulePackages, "config.boot.kernelPackages.broadcom_sta"; + push @kernelModules, "wl"; + } + + # Can't rely on $module here, since the module may not be loaded + # due to missing firmware. Ideally we would check modules.pcimap + # here. 
+ push @attrs, "networking.enableIntel2200BGFirmware = true;" if + $vendor eq "0x8086" && + ($device eq "0x1043" || $device eq "0x104f" || $device eq "0x4220" || + $device eq "0x4221" || $device eq "0x4223" || $device eq "0x4224"); + + push @attrs, "networking.enableIntel3945ABGFirmware = true;" if + $vendor eq "0x8086" && + ($device eq "0x4229" || $device eq "0x4230" || + $device eq "0x4222" || $device eq "0x4227"); + + # Assume that all NVIDIA cards are supported by the NVIDIA driver. + # There may be exceptions (e.g. old cards). + $videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/; +} + +foreach my $path (glob "/sys/bus/pci/devices/*") { + pciCheck $path; +} + +push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver; + + +# Idem for USB devices. + +sub usbCheck { + my $path = shift; + my $class = read_file "$path/bInterfaceClass"; + my $subclass = read_file "$path/bInterfaceSubClass"; + my $protocol = read_file "$path/bInterfaceProtocol"; + + my $module; + if (-e "$path/driver/module") { + $module = basename `readlink -f $path/driver/module`; + chomp $module; + } + + debug "$path: $class $subclass $protocol"; + debug " $module" if defined $module; + debug "\n"; + + if (defined $module) { + if (# Mass-storage controller. Definitely important. + $class eq "08" || + + # Keyboard. Needed if we want to use the + # keyboard when things go wrong in the initrd. + ($class eq "03" && $protocol eq "01") + ) + { + push @initrdAvailableKernelModules, $module; + } + } +} + +foreach my $path (glob "/sys/bus/usb/devices/*") { + if (-e "$path/bInterfaceClass") { + usbCheck $path; + } +} + + +# Add the modules for all block devices. +foreach my $path (glob "/sys/class/block/*") { + my $module; + if (-e "$path/device/driver/module") { + $module = basename `readlink -f $path/device/driver/module`; + chomp $module; + push @initrdAvailableKernelModules, $module; + } +} + + +# Check if we're a VirtualBox guest. 
If so, enable the guest +# additions. +my $dmi = `@dmidecode@/sbin/dmidecode`; +if ($dmi =~ /Manufacturer: innotek/) { + push @attrs, "services.virtualbox.enable = true;" +} + + +# Generate the swapDevices option from the currently activated swap +# devices. +my @swaps = read_file("/proc/swaps"); +shift @swaps; +my @swapDevices; +foreach my $swap (@swaps) { + $swap =~ /^(\S+)\s/; + push @swapDevices, "{ device = \"$1\"; }"; +} + + +# Generate the fileSystems option from the currently mounted +# filesystems. +sub in { + my ($d1, $d2) = @_; + return $d1 eq $d2 || substr($d1, 0, length($d2) + 1) eq "$d2/"; +} + +my $fileSystems; +my %fsByDev; +foreach my $fs (read_file("/proc/self/mountinfo")) { + chomp $fs; + my @fields = split / /, $fs; + my $mountPoint = $fields[4]; + next unless -d $mountPoint; + my @mountOptions = split /,/, $fields[5]; + + next if !in($mountPoint, $rootDir); + $mountPoint = substr($mountPoint, length($rootDir)); # strip the root directory (e.g. /mnt) + $mountPoint = "/" if $mountPoint eq ""; + + # Skip special filesystems. + next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run"); + + # Skip the optional fields. + my $n = 6; $n++ while $fields[$n] ne "-"; $n++; + my $fsType = $fields[$n]; + my $device = $fields[$n + 1]; + my @superOptions = split /,/, $fields[$n + 2]; + + # Skip the read-only bind-mount on /nix/store. + next if $mountPoint eq "/nix/store" && (grep { $_ eq "rw" } @superOptions) && (grep { $_ eq "ro" } @mountOptions); + + # Maybe this is a bind-mount of a filesystem we saw earlier? + if (defined $fsByDev{$fields[2]}) { + my $path = $fields[3]; $path = "" if $path eq "/"; + $fileSystems .= <<EOF; + fileSystems.\"$mountPoint\" = + { device = \"$fsByDev{$fields[2]}$path\"; + fsType = \"none\"; + options = \"bind\"; + }; + +EOF + next; + } + $fsByDev{$fields[2]} = $mountPoint; + + # We don't know how to handle FUSE filesystems. 
+ if ($fsType eq "fuseblk" || $fsType eq "fuse") { + print STDERR "warning: don't know how to emit ‘fileSystem’ option for FUSE filesystem ‘$mountPoint’\n"; + next; + } + + # Is this a mount of a loopback device? + my @extraOptions; + if ($device =~ /\/dev\/loop(\d+)/) { + my $loopnr = $1; + my $backer = read_file "/sys/block/loop$loopnr/loop/backing_file"; + if (defined $backer) { + chomp $backer; + $device = $backer; + push @extraOptions, "loop"; + } + } + + # Emit the filesystem. + $fileSystems .= <<EOF; + fileSystems.\"$mountPoint\" = + { device = \"$device\"; + fsType = \"$fsType\"; + options = \"${\join ",", uniq(@extraOptions, @superOptions, @mountOptions)}\"; + }; + +EOF +} + + +# Generate the hardware configuration file. + +sub toNixExpr { + my $res = ""; + foreach my $s (@_) { + $res .= " \"$s\""; + } + return $res; +} + +sub multiLineList { + my $indent = shift; + return "[ ]" if !@_; + $res = "\n${indent}[ "; + my $first = 1; + foreach my $s (@_) { + $res .= "$indent " if !$first; + $first = 0; + $res .= "$s\n"; + } + $res .= "$indent]"; + return $res; +} + +my $initrdAvailableKernelModules = toNixExpr(uniq @initrdAvailableKernelModules); +my $kernelModules = toNixExpr(uniq @kernelModules); +my $modulePackages = toNixExpr(uniq @modulePackages); + +$outDir = "$rootDir$outDir"; + +my $fn = "$outDir/hardware-configuration.nix"; +print STDERR "writing $fn...\n"; +mkpath($outDir, 0, 0755); + +write_file($fn, <<EOF); +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, pkgs, ... 
}: + +{ + imports = ${\multiLineList(" ", @imports)}; + + boot.initrd.availableKernelModules = [$initrdAvailableKernelModules ]; + boot.kernelModules = [$kernelModules ]; + boot.extraModulePackages = [$modulePackages ]; + +${fileSystems} swapDevices = ${\multiLineList(" ", @swapDevices)}; + + nix.maxJobs = $cpus; +${\join "", (map { " $_\n" } (uniq @attrs))}} +EOF + + +# Generate a basic configuration.nix, unless one already exists. +$fn = "$outDir/configuration.nix"; +if ($force || ! -e $fn) { + print STDERR "writing $fn...\n"; + + my $bootloaderConfig; + if (-e "/sys/firmware/efi/efivars") { + $bootLoaderConfig = <<EOF; + # Use the gummiboot efi boot loader. + boot.loader.grub.enable = false; + boot.loader.gummiboot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + # !!! Remove this when nixos is on 3.10 or greater by default + # EFI booting requires kernel >= 3.10 + boot.kernelPackages = pkgs.linuxPackages_3_10; +EOF + } else { + $bootLoaderConfig = <<EOF; + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # Define on which hard drive you want to install Grub. + # boot.loader.grub.device = "/dev/sda"; +EOF + } + + write_file($fn, <<EOF); +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.initrd.kernelModules = + [ # Specify all kernel modules that are necessary for mounting the root + # filesystem. + # "xfs" "ata_piix" + # fbcon # Uncomment this when EFI booting to see the console before the root partition is mounted + ]; + +$bootLoaderConfig + # networking.hostName = "nixos"; # Define your hostname. + # networking.wireless.enable = true; # Enables wireless. 
+ + # Add filesystem entries for each partition that you want to see + # mounted at boot time. This should include at least the root + # filesystem. + + # fileSystems."/".device = "/dev/disk/by-label/nixos"; + + # fileSystems."/data" = # where you want to mount the device + # { device = "/dev/sdb"; # the device + # fsType = "ext3"; # the type of the partition + # options = "data=journal"; + # }; + + # Select internationalisation properties. + # i18n = { + # consoleFont = "lat9w-16"; + # consoleKeyMap = "us"; + # defaultLocale = "en_US.UTF-8"; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + # services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e"; + + # Enable the KDE Desktop Environment. + # services.xserver.displayManager.kdm.enable = true; + # services.xserver.desktopManager.kde4.enable = true; +} +EOF +} else { + print STDERR "warning: not overwriting existing $fn\n"; +} + +# workaround for a bug in substituteAll diff --git a/nixos/modules/installer/tools/nixos-hardware-scan.pl b/nixos/modules/installer/tools/nixos-hardware-scan.pl deleted file mode 100644 index 3204f3d40512..000000000000 --- a/nixos/modules/installer/tools/nixos-hardware-scan.pl +++ /dev/null 
@@ -1,248 +0,0 @@ -#! @perl@/bin/perl -w - -use File::Spec; -use File::Basename; - - -my @attrs = (); -my @kernelModules = (); -my @initrdKernelModules = (); -my @modulePackages = (); -my @imports = ("<nixos/modules/installer/scan/not-detected.nix>"); - - -sub debug { - return unless defined $ENV{"DEBUG"}; - print STDERR @_; -} - - -# Read a file, returning undef if the file cannot be opened. -sub readFile { - my $filename = shift; - my $res; - if (open FILE, "<$filename") { - my $prev = $/; - undef $/; - $res = <FILE>; - $/ = $prev; - close FILE; - chomp $res; - } - return $res; -} - - -my $cpuinfo = readFile "/proc/cpuinfo"; - - -sub hasCPUFeature { - my $feature = shift; - return $cpuinfo =~ /^flags\s*:.* $feature( |$)/m; -} - - -# Detect the number of CPU cores. -my $cpus = scalar (grep {/^processor\s*:/} (split '\n', $cpuinfo)); - - -# Virtualization support? -push @kernelModules, "kvm-intel" if hasCPUFeature "vmx"; -push @kernelModules, "kvm-amd" if hasCPUFeature "svm"; - - -# Look at the PCI devices and add necessary modules. Note that most -# modules are auto-detected so we don't need to list them here. -# However, some are needed in the initrd to boot the system. - -my $videoDriver; - -sub pciCheck { - my $path = shift; - my $vendor = readFile "$path/vendor"; - my $device = readFile "$path/device"; - my $class = readFile "$path/class"; - - my $module; - if (-e "$path/driver/module") { - $module = basename `readlink -f $path/driver/module`; - chomp $module; - } - - debug "$path: $vendor $device $class"; - debug " $module" if defined $module; - debug "\n"; - - if (defined $module) { - # See the bottom of http://pciids.sourceforge.net/pci.ids for - # device classes. - if (# Mass-storage controller. Definitely important. - $class =~ /^0x01/ || - - # Firewire controller. A disk might be attached. - $class =~ /^0x0c00/ || - - # USB controller. Needed if we want to use the - # keyboard when things go wrong in the initrd. 
- $class =~ /^0x0c03/ - ) - { - push @initrdKernelModules, $module; - } - } - - # broadcom STA driver (wl.ko) - # list taken from http://www.broadcom.com/docs/linux_sta/README.txt - if ($vendor eq "0x14e4" && - ($device eq "0x4311" || $device eq "0x4312" || $device eq "0x4313" || - $device eq "0x4315" || $device eq "0x4327" || $device eq "0x4328" || - $device eq "0x4329" || $device eq "0x432a" || $device eq "0x432b" || - $device eq "0x432c" || $device eq "0x432d" || $device eq "0x4353" || - $device eq "0x4357" || $device eq "0x4358" || $device eq "0x4359" ) ) - { - push @modulePackages, "config.boot.kernelPackages.broadcom_sta"; - push @kernelModules, "wl"; - } - - # Can't rely on $module here, since the module may not be loaded - # due to missing firmware. Ideally we would check modules.pcimap - # here. - push @attrs, "networking.enableIntel2200BGFirmware = true;" if - $vendor eq "0x8086" && - ($device eq "0x1043" || $device eq "0x104f" || $device eq "0x4220" || - $device eq "0x4221" || $device eq "0x4223" || $device eq "0x4224"); - - push @attrs, "networking.enableIntel3945ABGFirmware = true;" if - $vendor eq "0x8086" && - ($device eq "0x4229" || $device eq "0x4230" || - $device eq "0x4222" || $device eq "0x4227"); - - # Assume that all NVIDIA cards are supported by the NVIDIA driver. - # There may be exceptions (e.g. old cards). - $videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/; -} - -foreach my $path (glob "/sys/bus/pci/devices/*") { - pciCheck $path; -} - - -# Idem for USB devices. 
- -sub usbCheck { - my $path = shift; - my $class = readFile "$path/bInterfaceClass"; - my $subclass = readFile "$path/bInterfaceSubClass"; - my $protocol = readFile "$path/bInterfaceProtocol"; - - my $module; - if (-e "$path/driver/module") { - $module = basename `readlink -f $path/driver/module`; - chomp $module; - } - - debug "$path: $class $subclass $protocol"; - debug " $module" if defined $module; - debug "\n"; - - if (defined $module) { - if (# Mass-storage controller. Definitely important. - $class eq "08" || - - # Keyboard. Needed if we want to use the - # keyboard when things go wrong in the initrd. - ($class eq "03" && $protocol eq "01") - ) - { - push @initrdKernelModules, $module; - } - } -} - -foreach my $path (glob "/sys/bus/usb/devices/*") { - if (-e "$path/bInterfaceClass") { - usbCheck $path; - } -} - - -# Add the modules for all block devices. - -foreach my $path (glob "/sys/class/block/*") { - my $module; - if (-e "$path/device/driver/module") { - $module = basename `readlink -f $path/device/driver/module`; - chomp $module; - push @initrdKernelModules, $module; - } -} - - -if ($videoDriver) { - push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];"; -} - - -# Check if we're a VirtualBox guest. If so, enable the guest -# additions. -my $dmi = `@dmidecode@/sbin/dmidecode`; -if ($dmi =~ /Manufacturer: innotek/) { - push @attrs, "services.virtualbox.enable = true;" -} - - -# Generate the configuration file. 
- -sub removeDups { - my %seen; - my @res = (); - foreach my $s (@_) { - if (!defined $seen{$s}) { - $seen{$s} = ""; - push @res, $s; - } - } - return @res; -} - -sub toNixExpr { - my $res = ""; - foreach my $s (@_) { - $res .= " \"$s\""; - } - return $res; -} - -sub multiLineList { - my $indent = shift; - my $res = ""; - $res = "\n" if scalar @_ > 0; - foreach my $s (@_) { - $res .= "$indent$s\n"; - } - return $res; -} - -my $initrdKernelModules = toNixExpr(removeDups @initrdKernelModules); -my $kernelModules = toNixExpr(removeDups @kernelModules); -my $modulePackages = toNixExpr(removeDups @modulePackages); -my $attrs = multiLineList(" ", removeDups @attrs); -my $imports = multiLineList(" ", removeDups @imports); - - -print <<EOF ; -# This is a generated file. Do not modify! -# Make changes to /etc/nixos/configuration.nix instead. -{ config, pkgs, ... }: - -{ - imports = [$imports ]; - - boot.initrd.kernelModules = [$initrdKernelModules ]; - boot.kernelModules = [$kernelModules ]; - boot.extraModulePackages = [$modulePackages ]; - - nix.maxJobs = $cpus; -$attrs} -EOF -# workaround for a bug in substituteAll diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 19ce81983f15..126d5b185e81 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -14,15 +14,19 @@ extraBuildFlags=() while [ "$#" -gt 0 ]; do i="$1"; shift 1 case "$i" in - -I) - given_path="$1"; shift 1 - absolute_path=$(readlink -m $given_path) - extraBuildFlags+=("$i" "/mnt$absolute_path") - ;; - *) - echo "$0: unknown option \`$i'" - exit 1 - ;; + -I) + given_path="$1"; shift 1 + absolute_path=$(readlink -m $given_path) + extraBuildFlags+=("$i" "/mnt$absolute_path") + ;; + --help) + exec man nixos-install + exit 1 + ;; + *) + echo "$0: unknown option \`$i'" + exit 1 + ;; esac done 
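Review bot: The `exit 1` after `exec man nixos-install` in the new `--help` branch is unreachable when the exec succeeds, and on a minimal installer without `man` in PATH the user gets exit status 1 and no usage text at all, while a successful `--help` should end with status 0. A fallback such as `man nixos-install 2>/dev/null || echo "usage: $0 [-I path] [--help]" >&2; exit 0` covers both cases (usage string constructed from the options visible in this hunk). The same `exec man …; exit 1` shape appears in nixos-option's `usage ()` and nixos-rebuild's `showSyntax()` further down, where the function is also reached from the `-*)` unknown-option branches, so a mistyped flag now opens the man page without saying which argument was rejected. While these lines are being re-emitted, `readlink -m $given_path` should quote its argument, `absolute_path=$(readlink -m "$given_path")`, since `-I` takes a caller-supplied path.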
diff --git a/nixos/modules/installer/tools/nixos-option.sh b/nixos/modules/installer/tools/nixos-option.sh index 7f008d62c249..69dd513f95c0 100644 --- a/nixos/modules/installer/tools/nixos-option.sh +++ b/nixos/modules/installer/tools/nixos-option.sh @@ -1,43 +1,8 @@ #! @shell@ -e -# Allow the location of NixOS sources and the system configuration -# file to be overridden. - -: ${mountPoint=/mnt} -: ${NIXOS_CONFIG=/etc/nixos/configuration.nix} -export NIXOS_CONFIG - usage () { - echo 1>&2 " -Usage: $0 [-v] [-d] [-l] [--xml] OPTION_NAME - $0 --install - -This program allows you to inspect the current value of NixOS -configuration options. It can also generate a basic NixOS -configuration file. - -Options: - - -i | --install Write a template NixOS configuration file to - ${mountPoint:+$mountPoint/}$NIXOS_CONFIG. - -v | --value Display the current value, based on your - configuration. - -d | --description Display the default value, the example and the - description. - -l | --lookup Display where the option is defined and where it - is declared. - --xml Print an XML representation of the result. - Implies -vdl options. - --help Show this message. - -Environment variables affecting $0: - - \$mountPoint Path to the target file system. - \$NIXOS_CONFIG Path to your configuration file. - -" - - exit 1; + exec man nixos-option + exit 1 } ##################### @@ -48,7 +13,6 @@ desc=false defs=false value=false xml=false -install=false verbose=false option="" @@ -66,7 +30,6 @@ for arg; do -d*) longarg="$longarg --description";; -v*) longarg="$longarg --value";; -l*) longarg="$longarg --lookup";; - -i*) longarg="$longarg --install";; -*) usage;; esac # remove the first letter option @@ -81,7 +44,6 @@ for arg; do --value) value=true;; --lookup) defs=true;; --xml) xml=true;; - --install) install=true;; --verbose) verbose=true;; --help) usage;; -*) usage;; 
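Review bot: The first hunk removes the `: ${mountPoint=/mnt}` and `: ${NIXOS_CONFIG=/etc/nixos/configuration.nix}` defaults and the `export NIXOS_CONFIG` along with the `--install` code, but the option-inspection part of the script that remains (outside these hunks) is where `NIXOS_CONFIG` was being exported for; if any of that code still reads `$NIXOS_CONFIG` or `$mountPoint`, nixos-option now silently depends on the caller's environment for its configuration file. It is worth confirming, and if still needed keeping `: ${NIXOS_CONFIG=/etc/nixos/configuration.nix}; export NIXOS_CONFIG` near the top so the default is preserved. The enclosing script continues outside these hunks.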
@@ -109,16 +71,6 @@ if $xml; then defs=true fi -# --install cannot be used with -d -v -l without option name. -if $value || $desc || $defs && $install && test -z "$option"; then - usage -fi - -generate=false -if ! $defs && ! $desc && ! $value && $install && test -z "$option"; then - generate=true -fi - if ! $defs && ! $desc; then value=true fi 
@@ -182,122 +134,6 @@ nixMap() { done } -if $install; then - NIXOS_CONFIG="$mountPoint$NIXOS_CONFIG" -fi - -if $generate; then - mkdir -p $(dirname "$NIXOS_CONFIG") - - # Scan the hardware and add the result to /etc/nixos/hardware-scan.nix. - hardware_config="${NIXOS_CONFIG%/configuration.nix}/hardware-configuration.nix" - if test -e "$hardware_config"; then - echo "A hardware configuration file exists, generation skipped." - else - echo "Generating a hardware configuration file in $hardware_config..." - nixos-hardware-scan > "$hardware_config" - fi - - if test -e "$NIXOS_CONFIG"; then - echo 1>&2 "error: Cannot generate a template configuration because a configuration file exists." - exit 1 - fi - - nl=" -" - if test -e /sys/firmware/efi/efivars; then - l1=" # Use the gummiboot efi boot loader." - l2=" boot.loader.grub.enable = false;" - l3=" boot.loader.gummiboot.enable = true;" - l4=" boot.loader.efi.canTouchEfiVariables = true;" - # !!! Remove me when nixos is on 3.10 or greater by default - l5=" # EFI booting requires kernel >= 3.10" - l6=" boot.kernelPackages = pkgs.linuxPackages_3_10;" - bootloader_config="$l1$nl$l2$nl$l3$nl$l4$nl$nl$l5$nl$l6" - else - l1=" # Use the Grub2 boot loader." - l2=" boot.loader.grub.enable = true;" - l3=" boot.loader.grub.version = 2;" - l4=" # Define on which hard drive you want to install Grub." - l5=' # boot.loader.grub.device = "/dev/sda";' - bootloader_config="$l1$nl$l2$nl$l3$nl$nl$l4$nl$l5" - fi - - echo "Generating a basic configuration file in $NIXOS_CONFIG..." - - # Generate a template configuration file where the user has to - # fill the gaps. - cat <<EOF > "$NIXOS_CONFIG" -# Edit this configuration file to define what should be installed on -# the system. Help is available in the configuration.nix(5) man page -# or the NixOS manual available on virtual console 8 (Alt+F8). - -{ config, pkgs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. 
- ./hardware-configuration.nix - ]; - - boot.initrd.kernelModules = - [ # Specify all kernel modules that are necessary for mounting the root - # filesystem. - # "xfs" "ata_piix" - # fbcon # Uncomment this when EFI booting to see the console before the root partition is mounted - ]; - -$bootloader_config - - # networking.hostName = "nixos"; # Define your hostname. - # networking.wireless.enable = true; # Enables Wireless. - - # Add filesystem entries for each partition that you want to see - # mounted at boot time. This should include at least the root - # filesystem. - - # fileSystems."/".device = "/dev/disk/by-label/nixos"; - - # fileSystems."/data" = # where you want to mount the device - # { device = "/dev/sdb"; # the device - # fsType = "ext3"; # the type of the partition - # options = "data=journal"; - # }; - - # List swap partitions activated at boot time. - swapDevices = - [ # { device = "/dev/disk/by-label/swap"; } - ]; - - # Select internationalisation properties. - # i18n = { - # consoleFont = "lat9w-16"; - # consoleKeyMap = "us"; - # defaultLocale = "en_US.UTF-8"; - # }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - # Enable the KDE Desktop Environment. - # services.xserver.displayManager.kdm.enable = true; - # services.xserver.desktopManager.kde4.enable = true; -} -EOF - - exit 0 -fi; - # This duplicates the work made below, but it is useful for processing # the output of nixos-option with other tools such as nixos-gui. if $xml; then diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index 8734cb273d49..6b747bc1a2be 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh 
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh @@ -1,44 +1,7 @@ #! @shell@ -e showSyntax() { - # !!! more or less cut&paste from - # system/switch-to-configuration.sh (which we call, of course). - cat <<EOF -Usage: $0 [OPTIONS...] OPERATION - -The operation is one of the following: - - switch: make the configuration the boot default and activate now - boot: make the configuration the boot default - test: activate the configuration, but don't make it the boot default - build: build the configuration, but don't make it the default or - activate it - build-vm: build a virtual machine containing the configuration - (useful for testing) - build-vm-with-bootloader: - like build-vm, but include a boot loader in the VM - dry-run: just show what store paths would be built/downloaded - -Options: - - --upgrade fetch the latest version of NixOS before rebuilding - --install-grub (re-)install the Grub bootloader - --no-build-nix don't build the latest Nix from Nixpkgs before - building NixOS - --rollback restore the previous NixOS configuration (only - with switch, boot, test, build) - --profile-name / -p install in the specified system profile - --fast same as --no-build-nix --show-trace - -Various nix-build options are also accepted, in particular: - - --show-trace show a detailed stack trace for evaluation errors - -Environment variables affecting nixos-rebuild: - - \$NIX_PATH Nix expression search path - \$NIXOS_CONFIG path to the NixOS system configuration specification -EOF + exec man nixos-rebuild exit 1 } 
@@ -157,10 +120,10 @@ fi # Update the version suffix if we're building from Git (so that # nixos-version shows something useful). -if nixos=$(nix-instantiate --find-file nixos "${extraBuildFlags[@]}"); then - suffix=$(@shell@ $nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}") +if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then + suffix=$(@shell@ $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}") if [ -n "$suffix" ]; then - echo -n "$suffix" > "$nixos/.version-suffix" || true + echo -n "$suffix" > "$nixpkgs/.version-suffix" || true fi fi diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index c761d74a8902..074c77b51467 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -1,10 +1,10 @@ # This module generates nixos-install, nixos-rebuild, -# nixos-hardware-scan, etc. +# nixos-generate-config, etc. { config, pkgs, modulesPath, ... }: let - ### implementation + cfg = config.installer; makeProg = args: pkgs.substituteAll (args // { @@ -12,12 +12,12 @@ let isExecutable = true; }); - nixosBuildVMS = makeProg { + nixos-build-vms = makeProg { name = "nixos-build-vms"; src = ./nixos-build-vms/nixos-build-vms.sh; }; - nixosInstall = makeProg { + nixos-install = makeProg { name = "nixos-install"; src = ./nixos-install.sh; 
@@ -29,36 +29,30 @@ let "cp refs $out"; }; - nixosRebuild = makeProg { + nixos-rebuild = makeProg { name = "nixos-rebuild"; src = ./nixos-rebuild.sh; }; - /* - nixosGenSeccureKeys = makeProg { - name = "nixos-gen-seccure-keys"; - src = ./nixos-gen-seccure-keys.sh; - }; - */ - - nixosHardwareScan = makeProg { - name = "nixos-hardware-scan"; - src = ./nixos-hardware-scan.pl; - inherit (pkgs) perl dmidecode; + nixos-generate-config = makeProg { + name = "nixos-generate-config"; + src = ./nixos-generate-config.pl; + perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl"; + inherit (pkgs) dmidecode; }; - nixosOption = makeProg { + nixos-option = makeProg { name = "nixos-option"; src = ./nixos-option.sh; }; - nixosVersion = makeProg { + nixos-version = makeProg { name = "nixos-version"; src = ./nixos-version.sh; inherit (config.system) nixosVersion nixosCodeName; }; - nixosGui = pkgs.xulrunnerWrapper { + nixos-gui = pkgs.xulrunnerWrapper { launcher = "nixos-gui"; application = pkgs.stdenv.mkDerivation { name = "nixos-gui"; @@ -96,17 +90,16 @@ in config = { environment.systemPackages = - [ nixosBuildVMS - nixosInstall - nixosRebuild - nixosHardwareScan - #nixosGenSeccureKeys - nixosOption - nixosVersion - ] ++ pkgs.lib.optional cfg.enableGraphicalTools nixosGui; + [ nixos-build-vms + nixos-install + nixos-rebuild + nixos-generate-config + nixos-option + nixos-version + ] ++ pkgs.lib.optional cfg.enableGraphicalTools nixos-gui; system.build = { - inherit nixosInstall nixosHardwareScan nixosOption; + inherit nixos-install nixos-generate-config nixos-option; }; }; } diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 0df0e57c98e9..9eba728c3390 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix 
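Review bot: `perl` for `nixos-generate-config` is now a string carrying a space-separated `-I` switch, so wherever `@perl@` is substituted (the deleted nixos-hardware-scan.pl used it in its `#!` line; the new script's shebang is not in this diff) it relies on perl re-parsing the interpreter line for switches, because the kernel hands everything after the interpreter path over as a single argument; perl does this, but a comment such as `# the -I switch is parsed by perl itself from the #! line` would save the next reader the check. It also hardcodes the `lib/perl5/site_perl` layout of `perlPackages.FileSlurp` instead of exposing the module via `PERL5LIB` or a wrapper, so a change in how perl packages are installed breaks the tool at runtime rather than at build time. Separately, `system.build` loses its `nixosHardwareScan` attribute; any other module referring to `config.system.build.nixosHardwareScan` (installer images are the likely place) needs the same rename.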
@@ -70,18 +70,4 @@ in }; }; - - config = { - - # FIXME - nixpkgs.config.packageOverrides = pkgs: { - #udev = pkgs.systemd; - slim = pkgs.slim.override (args: if args ? consolekit then { consolekit = null; } else { }); - lvm2 = pkgs.lvm2.override { udev = pkgs.systemd; }; - upower = pkgs.upower.override { useSystemd = true; }; - polkit = pkgs.polkit.override { useSystemd = true; }; - consolekit = null; - }; - - }; } diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index fa7baf36fb9c..1b519d3e6eef 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -26,10 +26,11 @@ with pkgs.lib; config = { system.nixosVersion = - mkDefault (builtins.readFile ../../../.version + config.system.nixosVersionSuffix); + mkDefault (builtins.readFile "${toString pkgs.path}/.version" + config.system.nixosVersionSuffix); system.nixosVersionSuffix = - mkDefault (if builtins.pathExists ../../../.version-suffix then builtins.readFile ../../../.version-suffix else "pre-git"); + let suffixFile = "${toString pkgs.path}/.version-suffix"; in + mkDefault (if builtins.pathExists suffixFile then builtins.readFile suffixFile else "pre-git"); # Note: code names must only increase in alphabetical order. system.nixosCodeName = "Aardvark"; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 977ca2518ecc..fff7a0cfad5c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -46,6 +46,7 @@ ./programs/bash/command-not-found.nix ./programs/blcr.nix ./programs/environment.nix + ./programs/gurobi.nix ./programs/info.nix ./programs/shadow.nix ./programs/shell.nix @@ -61,6 +62,7 @@ ./security/pam.nix ./security/pam_usb.nix ./security/polkit.nix + ./security/prey.nix ./security/rngd.nix ./security/rtkit.nix ./security/setuid-wrappers.nix 
@@ -117,6 +119,7 @@
 ./services/misc/felix.nix
 ./services/misc/folding-at-home.nix
 ./services/misc/gpsd.nix
+ ./services/misc/gurobi.nix
 ./services/misc/nix-daemon.nix
 ./services/misc/nix-gc.nix
 ./services/misc/nixos-manual.nix
@@ -127,6 +130,7 @@
 ./services/monitoring/dd-agent.nix
 ./services/monitoring/graphite.nix
 ./services/monitoring/monit.nix
+ ./services/monitoring/munin.nix
 ./services/monitoring/nagios/default.nix
 ./services/monitoring/smartd.nix
 ./services/monitoring/statsd.nix
diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix
index 8cfe3f990adc..9d33e26c4959 100644
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@@ -127,8 +127,6 @@ in
 loginShellInit = cfge.loginShellInit;
 interactiveShellInit = ''
- ${cfge.interactiveShellInit} - - # Check the window size after every command.
 shopt -s checkwinsize
@@ -138,6 +136,8 @@ in
 ${cfg.promptInit}
 ${bashCompletion}
 ${bashAliases}
+
+ ${cfge.interactiveShellInit}
 '';
 };
diff --git a/nixos/modules/programs/environment.nix b/nixos/modules/programs/environment.nix
index 683f6b54b10a..7c1922cdfd89 100644
--- a/nixos/modules/programs/environment.nix
+++ b/nixos/modules/programs/environment.nix
@@ -24,7 +24,6 @@ in
 [ "/nix/var/nix/profiles/per-user/root/channels/nixos"
 "nixpkgs=/etc/nixos/nixpkgs"
 "nixos-config=/etc/nixos/configuration.nix"
- "services=/etc/nixos/services"
 ];
 PAGER = "less -R";
 EDITOR = "nano";
diff --git a/nixos/modules/programs/gurobi.nix b/nixos/modules/programs/gurobi.nix
new file mode 100644
index 000000000000..7fa099b0884f
--- /dev/null
+++ b/nixos/modules/programs/gurobi.nix
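Review bot: Moving `${cfge.interactiveShellInit}` to the end of `interactiveShellInit` means user-supplied snippets now run after `${cfg.promptInit}`, `${bashCompletion}` and `${bashAliases}`, so they can override the system prompt and aliases instead of being overridden by them; that is a behavior change the `environment.interactiveShellInit` option description (defined outside this hunk) should state, e.g. `Shell script code called during interactive shell initialisation. It runs after the system prompt, completion and alias setup, so it can override them.` The enclosing `programs.bash` attribute set starts and ends outside the hunk.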
@@ -0,0 +1,43 @@ +{ config, pkgs, ... }: + +with pkgs.lib; + +let + cfg = config.programs.gurobi; +in { + options = { + programs.gurobi = { + license = mkOption { + default = null; + + description = "Path to the Gurobi license file if not using a token server"; + + type = types.nullOr types.path; + }; + + tokenServerAddress = mkOption { + default = null; + + description = "Address of the token server"; + + type = types.nullOr types.string; + }; + }; + }; + + config = mkIf (cfg.license != null || cfg.tokenServerAddress != null) { + assertions = [ { + assertion = cfg.license == null || cfg.tokenServerAddress == null; + message = "Please only set one of a gurobi license file and a gurobi token server address"; + } ]; + + environment.variables.GRB_LICENSE_FILE = if cfg.license != null + then cfg.license + else pkgs.writeTextFile { + name = "gurobi-generated-license"; + text = "TOKENSERVER=${cfg.tokenServerAddress}"; + }; + + environment.systemPackages = [ pkgs.gurobi ]; + }; +} diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 695c0b6620f7..36c915f755f0 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix 
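Review bot: `license` is typed `types.nullOr types.path` and handed to `environment.variables.GRB_LICENSE_FILE` unchanged; if the environment module renders that value by string interpolation, a path literal such as `./gurobi.lic` is copied into the Nix store, making the license file world-readable to every local user and part of the system closure. The description should say which form is expected, e.g. `Path to the Gurobi license file if not using a token server. Give it as a string (e.g. "/etc/gurobi.lic") to reference the file in place; a path literal is copied into the world-readable Nix store.` The `TOKENSERVER=...` file produced by `pkgs.writeTextFile` likewise lands in the store, which is acceptable for an address but means this option must not be extended to carry credentials later.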
@@ -79,22 +79,22 @@ in ]; security.pam.services = - [ { name = "chsh"; rootOK = true; } - { name = "chfn"; rootOK = true; } - { name = "su"; rootOK = true; forwardXAuth = true; } - { name = "passwd"; } + { chsh = { rootOK = true; }; + chfn = { rootOK = true; }; + su = { rootOK = true; forwardXAuth = true; }; + passwd = {}; # Note: useradd, groupadd etc. aren't setuid root, so it # doesn't really matter what the PAM config says as long as it # lets root in. - { name = "useradd"; rootOK = true; } - { name = "usermod"; rootOK = true; } - { name = "userdel"; rootOK = true; } - { name = "groupadd"; rootOK = true; } - { name = "groupmod"; rootOK = true; } - { name = "groupmems"; rootOK = true; } - { name = "groupdel"; rootOK = true; } - { name = "login"; startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; } - ]; + useradd = { rootOK = true; }; + usermod = { rootOK = true; }; + userdel = { rootOK = true; }; + groupadd = { rootOK = true; }; + groupmod = { rootOK = true; }; + groupmems = { rootOK = true; }; + groupdel = { rootOK = true; }; + login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; }; + }; security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ]; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 3ef01ea2c179..1081b41299de 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
@@ -7,77 +7,147 @@ with pkgs.lib; let - inherit (pkgs) pam_krb5 pam_ccreds; + pamOpts = args: { + + options = { + + name = mkOption { + example = "sshd"; + type = types.uniq types.string; + description = "Name of the PAM service."; + }; + + unixAuth = mkOption { + default = true; + type = types.bool; + description = '' + Whether users can log in with passwords defined in + <filename>/etc/shadow</filename>. + ''; + }; + + rootOK = mkOption { + default = false; + type = types.bool; + description = '' + If set, root doesn't need to authenticate (e.g. for the + <command>useradd</command> service). + ''; + }; + + usbAuth = mkOption { + default = config.security.pam.usb.enable; + type = types.bool; + description = '' + If set, users listed in + <filename>/etc/pamusb.conf</filename> are able to log in + with the associated USB key. + ''; + }; + + otpwAuth = mkOption { + default = config.security.pam.enableOTPW; + type = types.bool; + description = '' + If set, the OTPW system will be used (if + <filename>~/.otpw</filename> exists). + ''; + }; + + sshAgentAuth = mkOption { + default = false; + type = types.bool; + description = '' + If set, the calling user's SSH agent is used to authenticate + against the keys in the calling user's + <filename>~/.ssh/authorized_keys</filename>. This is useful + for <command>sudo</command> on password-less remote systems. + ''; + }; + + startSession = mkOption { + default = false; + type = types.bool; + description = '' + If set, the service will register a new session with + systemd's login manager. For local sessions, this will give + the user access to audio devices, CD-ROM drives. In the + default PolicyKit configuration, it also allows the user to + reboot the system. + ''; + }; + + setLoginUid = mkOption { + type = types.bool; + description = '' + Set the login uid of the process + (<filename>/proc/self/loginuid</filename>) for auditing + purposes. 
The login uid is only set by ‘entry points’ like + <command>login</command> and <command>sshd</command>, not by + commands like <command>sudo</command>. + ''; + }; + + forwardXAuth = mkOption { + default = false; + type = types.bool; + description = '' + Whether X authentication keys should be passed from the + calling user to the target user (e.g. for + <command>su</command>) + ''; + }; + + allowNullPassword = mkOption { + default = false; + type = types.bool; + description = '' + Whether to allow logging into accounts that have no password + set (i.e., have an empty password field in + <filename>/etc/passwd</filename> or + <filename>/etc/group</filename>). This does not enable + logging into disabled accounts (i.e., that have the password + field set to <literal>!</literal>). Note that regardless of + what the pam_unix documentation says, accounts with hashed + empty passwords are always allowed to log in. + ''; + }; - pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap; + limits = mkOption { + description = '' + Attribute set describing resource limits. Defaults to the + value of <option>security.pam.loginLimits</option>. + ''; + }; - otherService = pkgs.writeText "other.pam" - '' - auth required pam_warn.so - auth required pam_deny.so - account required pam_warn.so - account required pam_deny.so - password required pam_warn.so - password required pam_deny.so - session required pam_warn.so - session required pam_deny.so - ''; + showMotd = mkOption { + default = false; + type = types.bool; + description = "Whether to show the message of the day."; + }; - # Create a limits.conf(5) file. 
- makeLimitsConf = limits: - pkgs.writeText "limits.conf" - (concatStringsSep "\n" - (map ({ domain, type, item, value }: - concatStringsSep " " [ domain type item value ]) - limits)); + updateWtmp = mkOption { + default = false; + type = types.bool; + description = "Whether to update <filename>/var/log/wtmp</filename>."; + }; - motd = pkgs.writeText "motd" config.users.motd; + text = mkOption { + type = types.nullOr types.string; + description = "Contents of the PAM service file."; + }; + + }; - makePAMService = - { name - , # If set, root doesn't need to authenticate (e.g. for the "chsh" - # service). - rootOK ? false - , # If set, user listed in /etc/pamusb.conf are able to log in with - # the associated usb key. - usbAuth ? config.security.pam.usb.enable - , # If set, OTPW system will be used (if ~/.otpw exists) - otpwAuth ? config.security.pam.enableOTPW - , # If set, the calling user's SSH agent is used to authenticate - # against the keys in the calling user's ~/.ssh/authorized_keys. - # This is useful for "sudo" on password-less remote systems. - sshAgentAuth ? false - , # If set, the service will register a new session with systemd's - # login manager. If the service is running locally, this will - # give the user ownership of audio devices etc. - startSession ? false - , # Set the login uid of the process (/proc/self/loginuid) for - # auditing purposes. The login uid is only set by "entry - # points" like login and sshd, not by commands like sudo. - setLoginUid ? startSession - , # Whether to forward XAuth keys between users. Mostly useful - # for "su". - forwardXAuth ? false - , # Whether to allow logging into accounts that have no password - # set (i.e., have an empty password field in /etc/passwd or - # /etc/group). This does not enable logging into disabled - # accounts (i.e., that have the password field set to `!'). 
- # Note that regardless of what the pam_unix documentation says, - # accounts with hashed empty passwords are always allowed to log - # in. - allowNullPassword ? false - , # The limits, as per limits.conf(5). - limits ? config.security.pam.loginLimits - , # Whether to show the message of the day. - showMotd ? false - , # Whether to update /var/log/wtmp. - updateWtmp ? false - }: - - { source = pkgs.writeText "${name}.pam" - # !!! TODO: move the LDAP stuff to the LDAP module, and the - # Samba stuff to the Samba module. This requires that the PAM - # module provides the right hooks. + config = let cfg = args.config; in { + name = mkDefault args.name; + setLoginUid = mkDefault cfg.startSession; + limits = mkDefault config.security.pam.loginLimits; + + # !!! TODO: move the LDAP stuff to the LDAP module, and the + # Samba stuff to the Samba module. This requires that the PAM + # module provides the right hooks. + text = mkDefault '' # Account management. account sufficient pam_unix.so 
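Review bot: The `sshAgentAuth` description says the agent is checked against the calling user's `~/.ssh/authorized_keys`, but the module line it controls (next hunk) passes `file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u`, so two further key sources are consulted, including a system-wide directory an administrator may not expect to grant sudo; the description should list all three. `text` is declared `types.nullOr types.string`, yet `makePAMService` at the bottom of this file section passes it straight to `pkgs.writeText`, so an explicit `text = null` fails at evaluation time with a coercion error rather than being rejected by the type; either drop `nullOr` or document that null is not a usable value. `name` has no default in its declaration even though `config` sets `name = mkDefault args.name;`, which works but deserves a one-line `# Defaults to the attribute name; see config below.` so readers do not think it is mandatory.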
@@ -87,14 +157,15 @@ let "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} # Authentication management. - ${optionalString rootOK + ${optionalString cfg.rootOK "auth sufficient pam_rootok.so"} - ${optionalString (config.security.pam.enableSSHAgentAuth && sshAgentAuth) + ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} - ${optionalString usbAuth + ${optionalString cfg.usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} - auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth - ${optionalString otpwAuth + ${optionalString cfg.unixAuth + "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"} + ${optionalString cfg.otpwAuth "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} ${optionalString config.users.ldap.enable "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} 
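Review bot: Gating pam_unix on `cfg.unixAuth` means a service with `unixAuth = false` authenticates only through whichever other `sufficient` modules happen to be enabled (rootok, ssh-agent, usb, otpw, ldap, krb5), which is the intended way to drop local passwords but is easy to misread as "no PAM authentication at all"; what closes the stack after these lines is outside this hunk. A PAM comment next to the interpolation, `# unixAuth=false removes pam_unix only; other enabled modules above remain sufficient`, would make that contract visible in the generated file. The `unixAuth` option declaration is outside this hunk; its description should say the same thing.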
@@ -116,26 +187,46 @@ let # Session management. session required pam_unix.so - ${optionalString updateWtmp + ${optionalString cfg.updateWtmp "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} ${optionalString config.users.ldap.enable "session optional ${pam_ldap}/lib/security/pam_ldap.so"} ${optionalString config.krb5.enable "session optional ${pam_krb5}/lib/security/pam_krb5.so"} - ${optionalString otpwAuth + ${optionalString cfg.otpwAuth "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} - ${optionalString startSession + ${optionalString cfg.startSession "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} - ${optionalString setLoginUid + ${optionalString cfg.setLoginUid "session required pam_loginuid.so"} - ${optionalString forwardXAuth + ${optionalString cfg.forwardXAuth "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} - ${optionalString (limits != []) - "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf limits}"} - ${optionalString (showMotd && config.users.motd != null) + ${optionalString (cfg.limits != []) + "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"} + ${optionalString (cfg.showMotd && config.users.motd != null) "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} ''; - target = "pam.d/${name}"; + }; + + }; + + + inherit (pkgs) pam_krb5 pam_ccreds; + + pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap; + + # Create a limits.conf(5) file. + makeLimitsConf = limits: + pkgs.writeText "limits.conf" + (concatMapStrings ({ domain, type, item, value }: + "${domain} ${type} ${item} ${toString value}\n") + limits); + + motd = pkgs.writeText "motd" config.users.motd; + + makePAMService = pamService: + { source = pkgs.writeText "${pamService.name}.pam" pamService.text; + target = "pam.d/${pamService.name}"; }; in 
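Review bot: `makePAMService` hands `pamService.text` straight to `pkgs.writeText`, but `text` is declared `types.nullOr types.string` earlier in this file, so a service that sets `text = null` fails inside `writeText` instead of with a clear message. Either narrow the declaration to `type = types.string;` (the config block already supplies a `mkDefault` text for every service) or have `makePAMService` reject null explicitly. The `makeLimitsConf` rewrite is sound: `toString value` lets callers pass an integer `value`, which the old `concatStringsSep` would have rejected.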
@@ -173,44 +264,15 @@ in security.pam.services = mkOption { default = []; - example = [ - { name = "chsh"; rootOK = true; } - { name = "login"; startSession = true; allowNullPassword = true; - limits = [ - { domain = "ftp"; - type = "hard"; - item = "nproc"; - value = "0"; - } - ]; - } - ]; - + type = types.loaOf types.optionSet; + options = [ pamOpts ]; description = '' This option defines the PAM services. A service typically corresponds to a program that uses PAM, e.g. <command>login</command> or <command>passwd</command>. - Each element of this list is an attribute set describing a - service. The attribute <varname>name</varname> specifies - the name of the service. The attribute - <varname>rootOK</varname> specifies whether the root user is - allowed to use this service without authentication. The - attribute <varname>startSession</varname> specifies whether - systemd's PAM connector module should be used to start a new - session; for local sessions, this will give the user - ownership of devices such as audio and CD-ROM drives. The - attribute <varname>forwardXAuth</varname> specifies whether - X authentication keys should be passed from the calling user - to the target user (e.g. for <command>su</command>). - - The attribute <varname>limits</varname> defines resource limits - that should apply to users or groups for the service. Each item in - the list should be an attribute set with a - <varname>domain</varname>, <varname>type</varname>, - <varname>item</varname>, and <varname>value</varname> attribute. - The syntax and semantics of these attributes must be that described - in the limits.conf(5) man page. + Each attribute of this set defines a PAM service, with the attribute name + defining the name of the service. ''; }; @@ -228,7 +290,7 @@ in security.pam.enableOTPW = mkOption { default = false; description = '' - Enable the OTPW (one-time password) PAM module + Enable the OTPW (one-time password) PAM module. ''; }; 
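Review bot: The `example` for `security.pam.services` was dropped together with the list form, leaving the option without a worked example in the manual just as its shape changes for users. An equivalent example in the new shape fits in one line: `example = { chsh.rootOK = true; login = { startSession = true; allowNullPassword = true; }; };`. Losing the prose about `limits` is fine as long as the per-attribute descriptions in `pamOpts` (outside this hunk) cover domain, type, item and value.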
@@ -254,11 +316,7 @@ in ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]; environment.etc = - map makePAMService config.security.pam.services - ++ singleton - { source = otherService; - target = "pam.d/other"; - }; + mapAttrsToList (n: v: makePAMService v) config.security.pam.services; security.setuidOwners = [ { program = "unix_chkpwd"; @@ -268,18 +326,27 @@ in } ]; security.pam.services = - # Most of these should be moved to specific modules. - [ { name = "cups"; } - { name = "ejabberd"; } - { name = "ftp"; } - { name = "i3lock"; } - { name = "lshd"; } - { name = "samba"; } - { name = "screen"; } - { name = "vlock"; } - { name = "xlock"; } - { name = "xscreensaver"; } - ]; + { other.text = + '' + auth required pam_warn.so + auth required pam_deny.so + account required pam_warn.so + account required pam_deny.so + password required pam_warn.so + password required pam_deny.so + session required pam_warn.so + session required pam_deny.so + ''; + + # Most of these should be moved to specific modules. + cups = {}; + ftp = {}; + i3lock = {}; + screen = {}; + vlock = {}; + xlock = {}; + xscreensaver = {}; + }; }; diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 1c2a6a05f261..2bd3069ddb12 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -8,7 +8,7 @@ let cfg = config.security.pam.usb; - anyUsbAuth = any (attrByPath ["usbAuth"] false) config.security.pam.services; + anyUsbAuth = any (attrByPath ["usbAuth"] false) (attrValues config.security.pam.services); in @@ -19,8 +19,8 @@ in enable = mkOption { default = false; description = '' - Enable USB login for all login system unless the service disabled - it. For more information, visit <link + Enable USB login for all login systems that support it. For + more information, visit <link xlink:href="http://pamusb.org/doc/quickstart#setting_up" />. ''; }; 
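Review bot: The `other` fallback with `pam_warn`/`pam_deny` on every stack is the right default, but nothing in the file says why it exists or that it is the catch-all for programs that never declared a `pam.d` entry. A comment above it, `# Default-deny fallback for any program that calls PAM without a matching /etc/pam.d entry; keep this denying.`, would stop a later cleanup from dropping it as unused. How a second definition of `other.text` from another module merges depends on the `types.nullOr types.string` merge rule (older `types.string` concatenated definitions rather than conflicting), so the comment should also state that the deny-all text is not meant to be extended.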
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index b9b32496a368..8b04f4043bc7 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -94,7 +94,7 @@ in services.dbus.packages = [ pkgs.polkit ]; - security.pam.services = [ { name = "polkit-1"; } ]; + security.pam.services.polkit-1 = {}; security.setuidPrograms = [ "pkexec" ]; diff --git a/nixos/modules/security/prey.nix b/nixos/modules/security/prey.nix new file mode 100644 index 000000000000..75b95d5fbb04 --- /dev/null +++ b/nixos/modules/security/prey.nix @@ -0,0 +1,42 @@ +{config, pkgs, ...}: + +with pkgs.lib; + +let + cfg = config.services.prey; + myPrey = pkgs."prey-bash-client".override { + apiKey = cfg.apiKey; + deviceKey = cfg.deviceKey; + }; +in { + options = { + + services.prey = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables http://preyproject.com/ bash client. Be sure to specify api and device keys. + Once setup, cronjob will run evert 15 minutes and report status. + ''; + }; + + deviceKey = mkOption { + type = types.string; + description = "Device Key obtained from https://panel.preyproject.com/devices (and clicking on the device)"; + }; + + apiKey = mkOption { + type = types.string; + description = "API key obtained from https://panel.preyproject.com/profile"; + }; + }; + + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ myPrey ]; + services.cron.systemCronJobs = [ "*/15 * * * * root ${myPrey}/prey.sh" ]; + }; + +} diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index cd548f4a4fe0..772517801981 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix 
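Review bot: `apiKey` and `deviceKey` are passed into `pkgs."prey-bash-client".override`, so both secrets are baked into a derivation in the Nix store, which every local user can read. The option descriptions should say so, e.g. `description = "API key obtained from https://panel.preyproject.com/profile. Note: this value ends up in the world-readable Nix store.";`, or the keys should be read by `prey.sh` from a root-only file at run time instead of at build time. The cron entry runs the client as `root` every 15 minutes; unless the client needs it, a dedicated user would limit what a buggy or compromised script can do. Also `evert` in the enable description should read `every`.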
@@ -74,7 +74,7 @@ in environment.systemPackages = [ sudo ]; - security.pam.services = [ { name = "sudo"; sshAgentAuth = true; } ]; + security.pam.services.sudo = { sshAgentAuth = true; }; environment.etc = singleton { source = pkgs.writeText "sudoers-in" cfg.configFile; diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 5f8e8e1ade3b..92682d644f41 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -124,7 +124,7 @@ in config = mkIf config.services.dovecot2.enable { - security.pam.services = [ { name = "dovecot2"; } ]; + security.pam.services.dovecot2 = {}; users.extraUsers = [ { name = cfg.user; diff --git a/nixos/modules/services/misc/gurobi.nix b/nixos/modules/services/misc/gurobi.nix new file mode 100644 index 000000000000..9cd76a1e78f7 --- /dev/null +++ b/nixos/modules/services/misc/gurobi.nix @@ -0,0 +1,41 @@ +{ config, pkgs, ... }: + +with pkgs.lib; + +let + cfg = config.services.gurobi.tokenServer; +in { + options = { + services.gurobi.tokenServer = { + enable = mkOption { + default = false; + + description = "Whether to enable the Gurobi token server"; + + type = types.bool; + }; + + license = mkOption { + description = "Path to the Gurobi license file"; + + type = types.path; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.gurobi-token-server = { + description = "Gurobi token server"; + + wantedBy = [ "multi-user.target" ]; + + environment.GRB_LICENSE_FILE = cfg.license; + + serviceConfig = { + ExecStart = "${pkgs.gurobi}/bin/grb_ts"; + + Type = "forking"; + }; + }; + }; +} diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index adf4f145f25d..ff0bdf65ced6 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix 
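Review bot: `license` is typed `types.path` and interpolated into `environment.GRB_LICENSE_FILE`, so a path literal such as `./gurobi.lic` is copied into the Nix store and the license becomes world-readable on the machine; if an absolute-path string keeps the file outside the store under this type, the description should say which form to use. The unit sets no `User`/`Group` in `serviceConfig`, so `grb_ts` runs as root; `User = "gurobi";` with a matching `users.extraUsers` entry would be the usual least-privilege setup if the token server does not need root. `Type = "forking"` without `PIDFile` leaves systemd guessing the main process; worth confirming against how `grb_ts` daemonizes.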
@@ -108,24 +108,10 @@ in distributedBuilds = mkOption { default = false; - description = " + description = '' Whether to distribute builds to the machines listed in <option>nix.buildMachines</option>. - If you know that the <option>buildMachines</option> are not - always available either use nixos - <command>nixos-rebuild --no-build-hook</command> - or consider managing <filename>/etc/nix.machines</filename> manually - by setting <option>manualNixMachines</option>. Then you can comment - unavailable build machines. - "; - }; - - manualNixMachines = mkOption { - default = false; - description = " - Whether to manually manage the list of build machines used in distributed - builds in /etc/nix.machines. - "; + ''; }; daemonNiceLevel = mkOption { @@ -145,6 +131,7 @@ in }; buildMachines = mkOption { + default = []; example = [ { hostName = "voila.labs.cs.uu.nl"; sshUser = "nix"; @@ -161,7 +148,7 @@ in mandatoryFeatures = "perf"; } ]; - description = " + description = '' This option lists the machines to be used if distributed builds are enabled (see <option>nix.distributedBuilds</option>). Nix will perform @@ -185,7 +172,7 @@ in key should be added to <filename>~<replaceable>sshUser</replaceable>/authorized_keys</filename> on the remote machine. - "; + ''; }; proxy = mkOption { @@ -262,8 +249,8 @@ in # List of machines for distributed Nix builds in the format # expected by build-remote.pl. - environment.etc."nix.machines" = - { enable = cfg.distributedBuilds && !cfg.manualNixMachines; + environment.etc."nix/machines" = + { enable = cfg.buildMachines != []; text = concatMapStrings (machine: "${machine.sshUser}@${machine.hostName} " 
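Review bot: `manualNixMachines` is removed outright and the machines file moves from `/etc/nix.machines` to `/etc/nix/machines`, so a configuration that set `nix.manualNixMachines = true` now fails evaluation with an undefined-option error, and a hand-maintained `/etc/nix.machines` is silently no longer read once `NIX_REMOTE_SYSTEMS` (a later hunk in this file) points at the new path. A sentence in the `distributedBuilds` description, `The machine list is generated in /etc/nix/machines from <option>nix.buildMachines</option>; a manually maintained /etc/nix.machines is no longer consulted.`, would make the migration visible. Enabling the file whenever `buildMachines != []` is reasonable, but the old `enable` also required `distributedBuilds`; confirm that writing the file without the build hook is intended.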
@@ -307,17 +294,17 @@ in nix.envVars = { NIX_CONF_DIR = "/etc/nix"; - # Enable the copy-from-other-stores substituter, which allows builds - # to be sped up by copying build results from remote Nix stores. To - # do this, mount the remote file system on a subdirectory of - # /var/run/nix/remote-stores. - NIX_OTHER_STORES = "/var/run/nix/remote-stores/*/nix"; + # Enable the copy-from-other-stores substituter, which allows + # builds to be sped up by copying build results from remote + # Nix stores. To do this, mount the remote file system on a + # subdirectory of /run/nix/remote-stores. + NIX_OTHER_STORES = "/run/nix/remote-stores/*/nix"; } // optionalAttrs cfg.distributedBuilds { NIX_BUILD_HOOK = "${config.environment.nix}/libexec/nix/build-remote.pl"; - NIX_REMOTE_SYSTEMS = "/etc/nix.machines"; - NIX_CURRENT_LOAD = "/var/run/nix/current-load"; + NIX_REMOTE_SYSTEMS = "/etc/nix/machines"; + NIX_CURRENT_LOAD = "/run/nix/current-load"; } # !!! These should not be defined here, but in some general proxy configuration module! diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 38f1917a46ad..1260272b68e9 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -3,7 +3,7 @@ # of the virtual consoles. The latter is useful for the installation # CD. -{ config, pkgs, options, ... }: +{ config, pkgs, baseModules, ... } @ extraArgs: with pkgs.lib; @@ -13,7 +13,11 @@ let manual = import ../../../doc/manual { inherit (cfg) revision; - inherit pkgs options; + inherit pkgs; + options = (fixMergeModules baseModules + (removeAttrs extraArgs ["config" "options"]) // { + modules = [ ]; + }).options; }; entry = "${manual.manual}/share/doc/nixos/manual.html"; diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix index ec36db7b21c3..7fa3ab22b001 100644 --- a/nixos/modules/services/monitoring/graphite.nix 
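Review bot: In `fixMergeModules baseModules (removeAttrs extraArgs ["config" "options"]) // { modules = [ ]; }` function application binds tighter than `//`, so `modules = [ ]` is merged into the result of `fixMergeModules`, not into the extra-argument set passed to it. If the intent was to supply `modules` as a module argument, the expression needs parentheses: `(removeAttrs extraArgs ["config" "options"] // { modules = [ ]; })`. If merging into the result is deliberate, a comment saying what it achieves would help, since `.options` is the only attribute used afterwards.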
+++ b/nixos/modules/services/monitoring/graphite.nix @@ -5,7 +5,18 @@ with pkgs.lib; let cfg = config.services.graphite; writeTextOrNull = f: t: if t == null then null else pkgs.writeText f t; + dataDir = "/var/db/graphite"; + carbonOpts = name: with config.ids; '' + --nodaemon --syslog --prefix=${name} \ + --uid ${toString uids.graphite} --gid ${toString uids.graphite} ${name} + ''; + carbonEnv = { + PYTHONPATH = "${pkgs.python27Packages.carbon}/lib/python2.7/site-packages"; + GRAPHITE_ROOT = dataDir; + GRAPHITE_CONF_DIR = "/etc/graphite/"; + }; + in { ###### interface @@ -34,7 +45,14 @@ in { carbon = { config = mkOption { description = "Content of carbon configuration file"; - default = ""; + default = '' + [cache] + # Listen on localhost by default for security reasons + UDP_RECEIVER_INTERFACE = 127.0.0.1 + PICKLE_RECEIVER_INTERFACE = 127.0.0.1 + LINE_RECEIVER_INTERFACE = 127.0.0.1 + CACHE_QUERY_INTERFACE = 127.0.0.1 + ''; type = types.uniq types.string; }; @@ -52,7 +70,7 @@ in { [all_min] pattern = \.min$ xFilesFactor = 0.1 - aggregationMethod = min + aggregationMethod = min ''; }; @@ -153,15 +171,8 @@ in { description = "Graphite data storage backend"; wantedBy = [ "multi-user.target" ]; after = [ "network-interfaces.target" ]; - environment = { - GRAPHITE_CONF_DIR = "/etc/graphite/"; - GRAPHITE_STORAGE_DIR = "/var/db/graphite/"; - }; - serviceConfig = { - ExecStart = "${pkgs.pythonPackages.carbon}/bin/carbon-cache.py --pidfile /tmp/carbonCache.pid start"; - User = "graphite"; - Group = "graphite"; - }; + environment = carbonEnv; + serviceConfig.ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-cache"}"; restartTriggers = [ pkgs.pythonPackages.carbon cfg.carbon.config 
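Review bot: `carbonOpts` passes `--gid ${toString uids.graphite}`, i.e. the graphite uid, where a gid is needed; the group is created with `config.ids.gids.graphite` later in this file, and if the two numbers differ the daemons drop into a wrong or nonexistent group. Change it to `--uid ${toString uids.graphite} --gid ${toString gids.graphite} ${name}`. Note that `User`/`Group` are no longer set in `serviceConfig` for the carbon units, so privilege dropping now relies entirely on `twistd` honouring these flags after starting as root; a comment at `carbonOpts` saying so would help the next reader. The localhost-only receiver defaults in the new `carbon.config` are a good addition.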
@@ -178,15 +189,8 @@ in { description = "Carbon data aggregator"; wantedBy = [ "multi-user.target" ]; after = [ "network-interfaces.target" ]; - environment = { - GRAPHITE_CONF_DIR = "/etc/graphite/"; - GRAPHITE_STORAGE_DIR = "${dataDir}"; - }; - serviceConfig = { - ExecStart = "${pkgs.pythonPackages.carbon}/bin/carbon-aggregator.py --pidfile /tmp/carbonAggregator.pid start"; - User = "graphite"; - Group = "graphite"; - }; + environment = carbonEnv; + serviceConfig.ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-aggregator"}"; restartTriggers = [ pkgs.pythonPackages.carbon cfg.carbon.config cfg.carbon.aggregationRules ]; @@ -196,15 +200,8 @@ in { description = "Carbon data relay"; wantedBy = [ "multi-user.target" ]; after = [ "network-interfaces.target" ]; - environment = { - GRAPHITE_CONF_DIR = "/etc/graphite/"; - GRAPHITE_STORAGE_DIR = "${dataDir}"; - }; - serviceConfig = { - ExecStart = "${pkgs.pythonPackages.carbon}/bin/carbon-relay.py --pidfile /tmp/carbonRelay.pid start"; - User = "graphite"; - Group = "graphite"; - }; + environment = carbonEnv; + serviceConfig.ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-relay"}"; restartTriggers = [ pkgs.pythonPackages.carbon cfg.carbon.config cfg.carbon.relayRules ]; @@ -218,7 +215,7 @@ in { PYTHONPATH = "${pkgs.python27Packages.graphite_web}/lib/python2.7/site-packages"; DJANGO_SETTINGS_MODULE = "graphite.settings"; GRAPHITE_CONF_DIR = "/etc/graphite/"; - GRAPHITE_STORAGE_DIR = "${dataDir}"; + GRAPHITE_STORAGE_DIR = dataDir; }; serviceConfig = { ExecStart = '' @@ -257,7 +254,7 @@ in { name = "graphite"; uid = config.ids.uids.graphite; description = "Graphite daemon user"; - home = "${dataDir}"; + home = dataDir; createHome = true; }; users.extraGroups.graphite.gid = config.ids.gids.graphite; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix new file mode 100644 index 000000000000..fea52fa56081 --- /dev/null 
+++ b/nixos/modules/services/monitoring/munin.nix 
@@ -0,0 +1,216 @@ +{ config, pkgs, ... }: + +# TODO: support munin-async +# TODO: LWP/Pg perl libs aren't recognized + +# TODO: support fastcgi +# http://munin-monitoring.org/wiki/CgiHowto2 +# spawn-fcgi -s /var/run/munin/fastcgi-graph.sock -U www-data -u munin -g munin /usr/lib/munin/cgi/munin-cgi-graph +# spawn-fcgi -s /var/run/munin/fastcgi-html.sock -U www-data -u munin -g munin /usr/lib/munin/cgi/munin-cgi-html +# https://paste.sh/vofcctHP#-KbDSXVeWoifYncZmLfZzgum +# nginx http://munin.readthedocs.org/en/latest/example/webserver/nginx.html + + +with pkgs.lib; + +let + nodeCfg = config.services.munin-node; + cronCfg = config.services.munin-cron; + + muninPlugins = pkgs.stdenv.mkDerivation { + name = "munin-available-plugins"; + buildCommand = '' + mkdir -p $out + + cp --preserve=mode ${pkgs.munin}/lib/plugins/* $out/ + + for file in $out/*; do + case "$file" in + plugin.sh) continue;; + esac + + # read magic makers from the file + family=$(sed -nr 's/.*#%#\s+family\s*=\s*(\S+)\s*/\1/p' $file) + cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) + + wrapProgram $file \ + --set PATH "/run/current-system/sw/bin:/run/current-system/sw/sbin" \ + --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ + --set MUNIN_PLUGSTATE "/var/run/munin" + + # munin uses markers to tell munin-node-configure what a plugin can do + echo "#%# family=$family" >> $file + echo "#%# capabilities=$cap" >> $file + done + + # NOTE: we disable disktstats because plugin seems to fail and it hangs html generation (100% CPU + memory leak) + rm -f $out/diskstats + ''; + buildInputs = [ pkgs.makeWrapper ]; + }; + + muninConf = pkgs.writeText "munin.conf" + '' + dbdir /var/lib/munin + htmldir /var/www/munin + logdir /var/log/munin + rundir /var/run/munin + + ${cronCfg.extraGlobalConfig} + + ${cronCfg.hosts} + ''; + + nodeConf = pkgs.writeText "munin-node.conf" + '' + log_level 3 + log_file Sys::Syslog + port 4949 + host * + background 0 + user root + group root + host_name 
${config.networking.hostName} + setsid 0 + + # wrapped plugins by makeWrapper being with dots + ignore_file ^\. + + allow ^127\.0\.0\.1$ + + ${nodeCfg.extraConfig} + ''; +in + +{ + + options = { + + services.munin-node = { + + enable = mkOption { + default = false; + description = '' + Enable Munin Node agent. Munin node listens on 0.0.0.0 and + by default accepts connections only from 127.0.0.1 for security reasons. + + See <link xlink:href='http://munin-monitoring.org/wiki/munin-node' />. + ''; + }; + + extraConfig = mkOption { + default = ""; + description = '' + <filename>munin-node.conf</filename> extra configuration. See + <link xlink:href='http://munin-monitoring.org/wiki/munin-node.conf' /> + ''; + }; + + # TODO: add option to add additional plugins + + }; + + services.munin-cron = { + + enable = mkOption { + default = false; + description = '' + Enable munin-cron. Takes care of all heavy lifting to collect data from + nodes and draws graphs to html. Runs munin-update, munin-limits, + munin-graphs and munin-html in that order. + + HTML output is in <filename>/var/www/munin/</filename>, configure your + favourite webserver to serve static files. + ''; + example = literalExample '' + services = { + munin-node.enable = true; + munin-cron = { + enable = true; + hosts = ''' + [''${config.networking.hostName}] + address localhost + '''; + extraGlobalConfig = ''' + contact.email.command mail -s "Munin notification for ''${var:host}" someone@example.com + '''; + }; + }; + ''; + }; + + extraGlobalConfig = mkOption { + default = ""; + description = '' + <filename>munin.conf</filename> extra global configuration. + See <link xlink:href='http://munin-monitoring.org/wiki/munin-node' />. 
+ Useful to setup notifications, see + <link xlink:href='http://munin-monitoring.org/wiki/HowToContact' /> + ''; + }; + + hosts = mkOption { + example = '' + [''${config.networking.hostName}] + address localhost + ''; + description = '' + Definitions of hosts of nodes to collect data from. Needs at least one + hosts for cron to succeed. See + <link xlink:href='http://munin-monitoring.org/wiki/munin.conf' /> + ''; + }; + + }; + + }; + + config = mkMerge [ (mkIf (nodeCfg.enable || cronCfg.enable) { + + environment.systemPackages = [ pkgs.munin ]; + + users.extraUsers = [{ + name = "munin"; + description = "Munin monitoring user"; + group = "munin"; + }]; + + users.extraGroups = [{ + name = "munin"; + }]; + + }) (mkIf nodeCfg.enable { + + systemd.services.munin-node = { + description = "Munin node, the agent process"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.munin ]; + environment.MUNIN_PLUGSTATE = "/var/run/munin"; + serviceConfig = { + ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; + }; + }; + + system.activationScripts.munin-node = '' + echo "updating munin plugins..." + + export PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin"; + mkdir -p /etc/munin/plugins + rm -rf /etc/munin/plugins/* + ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + ''; + + }) (mkIf cronCfg.enable { + + services.cron.systemCronJobs = [ + "*/5 * * * * munin ${pkgs.munin}/bin/munin-cron --config ${muninConf}" + ]; + + system.activationScripts.munin-cron = stringAfter [ "users" "groups" ] '' + mkdir -p /var/{run,log,www,lib}/munin + chown -R munin:munin /var/{run,log,www,lib}/munin + ''; + + })]; +} diff --git a/nixos/modules/services/monitoring/statsd.nix b/nixos/modules/services/monitoring/statsd.nix index a32666056714..120c8860d571 100644 
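Review bot: `munin-node.conf` sets `user root` / `group root` and the node unit exports `MUNIN_PLUGSTATE = "/var/run/munin"`, while the munin-cron activation script runs `chown -R munin:munin /var/{run,log,www,lib}/munin`; with both services enabled a root process keeps its plugin state in a directory owned by the unprivileged `munin` user, a privilege boundary a defender would rather not have. Either give the node its own state directory or run it as `munin` if the plugins in use do not need root, and say which in a comment next to `user root`. The option description says the node accepts only 127.0.0.1, which matches `allow ^127\.0\.0\.1$`, but `host *` binds every interface, so the description should add that port 4949 still needs a firewall rule if the host is reachable. The `munin-node-configure ... | ${pkgs.bash}/bin/bash` activation step executes generated shell on every activation; a one-line comment stating that the generator and plugin directory are store paths would document why that is acceptable.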
--- a/nixos/modules/services/monitoring/statsd.nix +++ b/nixos/modules/services/monitoring/statsd.nix @@ -10,6 +10,8 @@ let { host: "${cfg.host}", port: "${toString cfg.port}", + mgmt_address: "${cfg.mgmt_address}", + mgmt_port: "${toString cfg.mgmt_port}", backends: [${concatMapStrings (el: ''"./backends/${el}",'') cfg.backends}], graphiteHost: "${cfg.graphiteHost}", graphitePort: "${toString cfg.graphitePort}", @@ -43,6 +45,18 @@ in type = types.uniq types.int; }; + mgmt_address = mkOption { + description = "Address to run managment TCP interface on"; + default = "127.0.0.1"; + type = types.uniq types.string; + }; + + mgmt_port = mkOption { + description = "Port to run the management TCP interface on"; + default = 8126; + type = types.uniq types.int; + }; + backends = mkOption { description = "List of backends statsd will use for data persistance"; default = ["graphite"]; diff --git a/nixos/modules/services/monitoring/uptime.nix b/nixos/modules/services/monitoring/uptime.nix index fa3de7d90bc6..553110d7b80c 100644 --- a/nixos/modules/services/monitoring/uptime.nix +++ b/nixos/modules/services/monitoring/uptime.nix @@ -51,7 +51,7 @@ in { enableWebService = mkEnableOption "the uptime monitoring program web service"; - enableSeparateMonitoringService = mkEnableOption "the uptime monitoring service (default: enableWebService == true)" // { default = cfg.enableWebService; }; + enableSeparateMonitoringService = mkEnableOption "the uptime monitoring service" // { default = cfg.enableWebService; }; nodeEnv = mkOption { description = "The node environment to run in (development, production, etc.)"; diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 70a14487ea59..e18d9d7b67b5 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix 
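Review bot: The `mgmt_address` description misspells `managment` and, unlike `mgmt_port`, drops the article; `description = "Address to run the management TCP interface on";` aligns both. Defaulting the management interface to `127.0.0.1` is the right choice, since that interface is typically unauthenticated; a clause in the description such as `(loopback only by default; do not expose it without a firewall)` would explain the default to anyone tempted to set `0.0.0.0`.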
@@ -198,6 +198,7 @@ in } (mkIf config.services.samba.enable { + users.extraUsers.smbguest = { description = "Samba service user"; group = group; @@ -228,6 +229,8 @@ in }; }; + security.pam.services.sambda = {}; + }) ]; diff --git a/nixos/modules/services/networking/ejabberd.nix b/nixos/modules/services/networking/ejabberd.nix index 6d233e543e23..05e0aba7d70e 100644 --- a/nixos/modules/services/networking/ejabberd.nix +++ b/nixos/modules/services/networking/ejabberd.nix @@ -130,6 +130,8 @@ in ''; }; + security.pam.services.ejabberd = {}; + }; } diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix index d32fabbde24b..04ef76f1e4d4 100644 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ b/nixos/modules/services/networking/ssh/lshd.nix @@ -170,6 +170,8 @@ in ''; }; + security.pam.services.lshd = {}; + }; } diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index d57eef860d28..c85c9307e3e4 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -128,21 +128,10 @@ in ''; }; - usePAM = mkOption { - default = true; - description = '' - Specifies whether the OpenSSH daemon uses PAM to authenticate - login attempts. - ''; - }; - passwordAuthentication = mkOption { default = true; description = '' - Specifies whether password authentication is allowed. Note - that setting this value to <literal>false</literal> is most - probably not going to have the desired effect unless - <literal>usePAM</literal> is disabled as well. + Specifies whether password authentication is allowed. ''; }; 
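Review bot: `security.pam.services.sambda = {};` misspells the service name, so the generated file is `/etc/pam.d/sambda` and Samba's PAM lookups fall through to the deny-all `other` service introduced in this same commit, silently breaking PAM-based Samba authentication; the default list it replaces used `samba`. Change it to `security.pam.services.samba = {};`.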
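Review bot: The shortened `passwordAuthentication` description says only whether password authentication is allowed, yet with `UsePAM yes` now hard-coded (hunks `@@ -284,7 +273,11 @@` and `@@ -295,7 +288,7 @@`) the option's real effect is to add or drop `pam_unix` from the `sshd` PAM service via `unixAuth`; other enabled `sufficient` modules (LDAP, Kerberos, OTPW, USB) stay usable through keyboard-interactive unless sshd_config disables that, which is outside these hunks. A sentence in the description, `With PAM enabled this only removes local password checks (pam_unix); other enabled PAM authentication modules remain in effect.`, states the actual contract. Since `usePAM` is removed without a compatibility shim, configurations that set `services.openssh.usePAM` now fail evaluation; noting that in the description or commit message would help users migrating.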
@@ -284,7 +273,11 @@ in networking.firewall.allowedTCPPorts = cfg.ports; - security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; }; + security.pam.services.sshd = + { startSession = true; + showMotd = true; + unixAuth = cfg.passwordAuthentication; + }; services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; @@ -295,7 +288,7 @@ in Protocol 2 - UsePAM ${if cfg.usePAM then "yes" else "no"} + UsePAM yes AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} ${concatMapStrings (port: '' diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index c9a4a9087e56..1c3dc9d90b1d 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -219,5 +219,7 @@ in # Allow CUPS to receive IPP printer announcements via UDP. networking.firewall.allowedUDPPorts = [ 631 ]; + security.pam.services.cups = {}; + }; } diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 88bec2cb2f3e..8c96252668e3 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -49,7 +49,7 @@ in environment.systemPackages = [ at ]; - security.pam.services = [ { name = "atd"; } ]; + security.pam.services.atd = {}; users.extraUsers = singleton { name = "atd"; diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index 6dfabc7e3053..3c27c1400f93 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix @@ -66,9 +66,9 @@ in { logging = mkOption { description = "Elasticsearch logging configuration"; default = '' - rootLogger: DEBUG, console + rootLogger: INFO, console logger: - action: DEBUG + action: INFO com.amazonaws: WARN appender: console: 
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index 2b2a54ef4097..395a5df8af07 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -10,7 +10,7 @@ let jailConf = pkgs.writeText "jail.conf" (concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def: - optionalString (def != "") + optionalString (def != "") '' [${name}] ${def} @@ -32,7 +32,8 @@ in [Definition] loglevel = 3 logtarget = SYSLOG - socket = /var/run/fail2ban/fail2ban.sock + socket = /run/fail2ban/fail2ban.sock + pidfile = /run/fail2ban/fail2ban.pid ''; type = types.string; description = 
@@ -71,56 +72,53 @@ in <filename>/etc/fail2ban/filter.d</filename>. ''; }; - + }; }; - + ###### implementation config = { environment.systemPackages = [ pkgs.fail2ban ]; - environment.etc = - [ { source = fail2banConf; - target = "fail2ban/fail2ban.conf"; - } - { source = jailConf; - target = "fail2ban/jail.conf"; - } - { source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf"; - target = "fail2ban/action.d"; - } - { source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf"; - target = "fail2ban/filter.d"; - } - ]; - - system.activationScripts.fail2ban = - '' - mkdir -p /var/run/fail2ban -m 0755 - ''; + environment.etc."fail2ban/fail2ban.conf".source = fail2banConf; + environment.etc."fail2ban/jail.conf".source = jailConf; + environment.etc."fail2ban/action.d".source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf"; + environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf"; systemd.services.fail2ban = { description = "Fail2ban intrusion prevention system"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - + restartTriggers = [ fail2banConf jailConf ]; path = [ pkgs.fail2ban pkgs.iptables ]; - + + preStart = + '' + mkdir -p /run/fail2ban -m 0755 + ''; + serviceConfig = { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f"; ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/var/run/fail2ban /var/tmp"; - CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; + ReadWriteDirectories = "/run/fail2ban /var/tmp"; + CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; }; postStart = '' + # Wait for the server to start listening. + for ((n = 0; n < 20; n++)); do + if fail2ban-client ping; then break; fi + sleep 0.5 + done + + # Reload its configuration. fail2ban-client reload ''; }; 
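Review bot: The runtime directory is now created in `preStart` (`mkdir -p /run/fail2ban -m 0755`), but `ExecStartPre` runs inside the same mount namespace as the service, where `ReadOnlyDirectories = "/"` applies and `ReadWriteDirectories = "/run/fail2ban"` names a path that does not yet exist on first boot; the activation script it replaces created the directory outside any sandbox. Whether systemd tolerates a missing `ReadWriteDirectories` entry, and whether the `mkdir` then succeeds, should be verified on a fresh machine; if it does not, create the directory in an activation script again or use a systemd-managed runtime directory if the systemd version in use supports one. The new `postStart` wait loop is a good fix for `reload` racing the server, but after 20 failed pings it still runs `fail2ban-client reload`, so the unit likely fails with the reload error rather than a clear "server did not start"; an explicit `echo "fail2ban server did not start" >&2; exit 1` after the loop would make the failure mode obvious.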
@@ -137,14 +135,14 @@ in ''; # Block SSH if there are too many failing connection attempts. - services.fail2ban.jails."ssh-iptables" = + services.fail2ban.jails.ssh-iptables = '' filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/warn maxretry = 5 ''; - + }; } diff --git a/nixos/modules/services/web-servers/zope2.nix b/nixos/modules/services/web-servers/zope2.nix index 19afa55d7fef..f75b62b219a7 100644 --- a/nixos/modules/services/web-servers/zope2.nix +++ b/nixos/modules/services/web-servers/zope2.nix @@ -37,14 +37,14 @@ let default = '' <zodb_db main> - mount-point / - cache-size 30000 - <blobstorage> - blob-dir /var/lib/zope2/${name}/blobstorage - <filestorage> - path /var/lib/zope2/${name}/filestorage/Data.fs - </filestorage> - </blobstorage> + mount-point / + cache-size 30000 + <blobstorage> + blob-dir /var/lib/zope2/${name}/blobstorage + <filestorage> + path /var/lib/zope2/${name}/filestorage/Data.fs + </filestorage> + </blobstorage> </zodb_db> ''; type = types.string; @@ -76,14 +76,14 @@ in extra = '' <zodb_db main> - mount-point / - cache-size 30000 - <blobstorage> - blob-dir /var/lib/zope2/plone01/blobstorage - <filestorage> - path /var/lib/zope2/plone01/filestorage/Data.fs - </filestorage> - </blobstorage> + mount-point / + cache-size 30000 + <blobstorage> + blob-dir /var/lib/zope2/plone01/blobstorage + <filestorage> + path /var/lib/zope2/plone01/filestorage/Data.fs + </filestorage> + </blobstorage> </zodb_db> ''; 
@@ -107,32 +107,32 @@ in let interpreter = pkgs.writeScript "interpreter" '' -import sys - -_interactive = True -if len(sys.argv) > 1: - _options, _args = __import__("getopt").getopt(sys.argv[1:], 'ic:m:') - _interactive = False - for (_opt, _val) in _options: - if _opt == '-i': - _interactive = True - elif _opt == '-c': - exec _val - elif _opt == '-m': - sys.argv[1:] = _args - _args = [] - __import__("runpy").run_module( - _val, {}, "__main__", alter_sys=True) - - if _args: - sys.argv[:] = _args - __file__ = _args[0] - del _options, _args - execfile(__file__) - -if _interactive: - del _interactive - __import__("code").interact(banner="", local=globals()) + import sys + + _interactive = True + if len(sys.argv) > 1: + _options, _args = __import__("getopt").getopt(sys.argv[1:], 'ic:m:') + _interactive = False + for (_opt, _val) in _options: + if _opt == '-i': + _interactive = True + elif _opt == '-c': + exec _val + elif _opt == '-m': + sys.argv[1:] = _args + _args = [] + __import__("runpy").run_module( + _val, {}, "__main__", alter_sys=True) + + if _args: + sys.argv[:] = _args + __file__ = _args[0] + del _options, _args + execfile(__file__) + + if _interactive: + del _interactive + __import__("code").interact(banner="", local=globals()) ''; env = pkgs.buildEnv { name = "zope2-${name}-env"; 
@@ -149,73 +149,76 @@ if _interactive: ''; }; conf = pkgs.writeText "zope2-${name}-conf" - ''%define INSTANCEHOME ${env} -instancehome $INSTANCEHOME -%define CLIENTHOME /var/lib/zope2/${name} -clienthome $CLIENTHOME - -debug-mode off -security-policy-implementation C -verbose-security off -default-zpublisher-encoding utf-8 -zserver-threads ${toString opts.threads} -effective-user ${opts.user} - -pid-filename /var/lib/zope2/${name}/pid -lock-filename /var/lib/zope2/${name}/lock -python-check-interval 1000 -enable-product-installation off - -<environment> - zope_i18n_compile_mo_files false -</environment> - -<eventlog> -level INFO -<logfile> - path /var/log/zope2/${name}.log - level INFO -</logfile> -</eventlog> - -<logger access> -level WARN -<logfile> - path /var/log/zope2/${name}-Z2.log - format %(message)s -</logfile> -</logger> - -<http-server> -address ${opts.http_address} -</http-server> - -<zodb_db temporary> -<temporarystorage> - name temporary storage for sessioning -</temporarystorage> -mount-point /temp_folder -container-class Products.TemporaryFolder.TemporaryContainer -</zodb_db> - -${opts.extra} + '' + %define INSTANCEHOME ${env} + instancehome $INSTANCEHOME + %define CLIENTHOME /var/lib/zope2/${name} + clienthome $CLIENTHOME + + debug-mode off + security-policy-implementation C + verbose-security off + default-zpublisher-encoding utf-8 + zserver-threads ${toString opts.threads} + effective-user ${opts.user} + + pid-filename /var/lib/zope2/${name}/pid + lock-filename /var/lib/zope2/${name}/lock + python-check-interval 1000 + enable-product-installation off + + <environment> + zope_i18n_compile_mo_files false + </environment> + + <eventlog> + level INFO + <logfile> + path /var/log/zope2/${name}.log + level INFO + </logfile> + </eventlog> + + <logger access> + level WARN + <logfile> + path /var/log/zope2/${name}-Z2.log + format %(message)s + </logfile> + </logger> + + <http-server> + address ${opts.http_address} + </http-server> + + <zodb_db temporary> + 
<temporarystorage> + name temporary storage for sessioning + </temporarystorage> + mount-point /temp_folder + container-class Products.TemporaryFolder.TemporaryContainer + </zodb_db> + + ${opts.extra} ''; ctlScript = pkgs.writeScript "zope2-${name}-ctl-script" - ''#!${env}/bin/python + '' + #!${env}/bin/python -import sys -import plone.recipe.zope2instance.ctl + import sys + import plone.recipe.zope2instance.ctl -if __name__ == '__main__': - sys.exit(plone.recipe.zope2instance.ctl.main( - ["-C", "${conf}"] - + sys.argv[1:])) + if __name__ == '__main__': + sys.exit(plone.recipe.zope2instance.ctl.main( + ["-C", "${conf}"] + + sys.argv[1:])) ''; ctl = pkgs.writeScript "zope2-${name}-ctl" - ''#!${pkgs.bash}/bin/bash -e -export PYTHONHOME=${env} -exec ${ctlScript} "$@" + '' + #!${pkgs.bash}/bin/bash -e + export PYTHONHOME=${env} + exec ${ctlScript} "$@" ''; in { description = "zope2 ${name} instance"; diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix index c76acfbcd4e2..d1eb1799bc84 100644 --- a/nixos/modules/services/x11/desktop-managers/kde4.nix +++ b/nixos/modules/services/x11/desktop-managers/kde4.nix @@ -162,7 +162,7 @@ in services.udisks2.enable = wantsUdisks2; services.upower.enable = config.powerManagement.enable; - security.pam.services = [ { name = "kde"; allowNullPassword = true; startSession = true; } ]; + security.pam.services.kde = { allowNullPassword = true; }; }; diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index c7599e245b05..91de910662f2 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix 
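Review bot: The rewritten `security.pam.services.kde` line in kde4.nix drops the `startSession = true` that the old list entry carried, while the same commit keeps it on the identical `kde` entry in kdm.nix, and nothing in the hunk explains why. Both modules now define the same attribute and the module system merges them, so the effective PAM configuration for `kde` depends on which of the two modules is enabled, which makes the policy hard to audit. If the intent is that only the display manager's entry should set up the session, a one-line comment would settle it, e.g. `# startSession is provided by the display manager's kde PAM entry (kdm.nix); only the null-password policy is needed here.`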
@@ -239,39 +239,35 @@ in }; }; - job = mkOption { - default = {}; - type = types.uniq types.optionSet; - description = "This option defines how to start the display manager."; - - options = { - - preStart = mkOption { - default = ""; - example = "rm -f /var/log/my-display-manager.log"; - description = "Script executed before the display manager is started."; - }; - - execCmd = mkOption { - example = "${pkgs.slim}/bin/slim"; - description = "Command to start the display manager."; - }; - - environment = mkOption { - default = {}; - example = { SLIM_CFGFILE = /etc/slim.conf; }; - description = "Additional environment variables needed by the display manager."; - }; - - logsXsession = mkOption { - default = false; - description = '' - Whether the display manager redirects the - output of the session script to - <filename>~/.xsession-errors</filename>. - ''; - }; + job = { + preStart = mkOption { + type = types.lines; + default = ""; + example = "rm -f /var/log/my-display-manager.log"; + description = "Script executed before the display manager is started."; + }; + + execCmd = mkOption { + type = types.uniq types.string; + example = "${pkgs.slim}/bin/slim"; + description = "Command to start the display manager."; + }; + + environment = mkOption { + default = {}; + example = { SLIM_CFGFILE = /etc/slim.conf; }; + description = "Additional environment variables needed by the display manager."; + }; + + logsXsession = mkOption { + type = types.bool; + default = false; + description = '' + Whether the display manager redirects the + output of the session script to + <filename>~/.xsession-errors</filename>. + ''; }; }; diff --git a/nixos/modules/services/x11/display-managers/kdm.nix b/nixos/modules/services/x11/display-managers/kdm.nix index 229ab12c6e1b..c03f71164541 100644 --- a/nixos/modules/services/x11/display-managers/kdm.nix +++ b/nixos/modules/services/x11/display-managers/kdm.nix 
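Review bot: The `environment` option in the new `job` attrset is the only one of the four without a `type`, even though this hunk adds explicit types to `preStart`, `execCmd` and `logsXsession`. Without a type, multiple definitions fall back to the untyped default merge, whose behaviour for attrsets is not visible here and is easy to get wrong (a shallow merge silently drops nothing but also documents nothing). I'd make it consistent with its siblings, e.g. `type = types.attrs;` (or `types.attrsOf types.str` if the values are always strings), and say in the description that the attrset is merged across modules.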
@@ -128,7 +128,7 @@ in services.xserver.displayManager.slim.enable = false; services.xserver.displayManager.job = - { execCmd = + { execCmd = mkFixStrictness '' mkdir -m 0755 -p /var/lib/kdm chown kdm /var/lib/kdm @@ -138,7 +138,7 @@ in logsXsession = true; }; - security.pam.services = [ { name = "kde"; allowNullPassword = true; startSession = true; } ]; + security.pam.services.kde = { allowNullPassword = true; startSession = true; }; users.extraUsers = singleton { name = "kdm"; diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index c2b90d239eaa..f4fb5ee003a9 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -89,11 +89,14 @@ in }; config = mkIf cfg.enable { + + services.xserver.displayManager.slim.enable = false; + services.xserver.displayManager.job = { logsXsession = true; # lightdm relaunches itself via just `lightdm`, so needs to be on the PATH - execCmd = '' + execCmd = mkFixStrictness '' export PATH=${lightdm}/sbin:$PATH ${lightdm}/sbin/lightdm --log-dir=/var/log --run-dir=/run --config=${lightdmConf} ''; @@ -102,10 +105,8 @@ in services.dbus.enable = true; services.dbus.packages = [ lightdm ]; - security.pam.services = [ - { name = "lightdm"; allowNullPassword = true; startSession = true; } - { name = "lightdm-greeter"; allowNullPassword = true; startSession = true; } - ]; + security.pam.services.lightdm = { allowNullPassword = true; startSession = true; }; + security.pam.services.lightdm-greeter = { allowNullPassword = true; startSession = true; }; users.extraUsers.lightdm = { createHome = true; diff --git a/nixos/modules/services/x11/display-managers/slim.nix b/nixos/modules/services/x11/display-managers/slim.nix index 9e8b9391f45f..01c9fa96c8c8 100644 --- a/nixos/modules/services/x11/display-managers/slim.nix +++ b/nixos/modules/services/x11/display-managers/slim.nix 
@@ -12,7 +12,7 @@ let xauth_path ${dmcfg.xauthBin} default_xserver ${dmcfg.xserverBin} xserver_arguments ${dmcfg.xserverArgs} - sessions ${pkgs.lib.concatStringsSep "," (dmcfg.session.names ++ ["custom"])} + sessiondir ${dmcfg.session.desktops} login_cmd exec ${pkgs.stdenv.shell} ${dmcfg.session.script} "%session" halt_cmd ${config.systemd.package}/sbin/shutdown -h now reboot_cmd ${config.systemd.package}/sbin/shutdown -r now @@ -45,7 +45,7 @@ in services.xserver.displayManager.slim = { enable = mkOption { - default = true; + default = config.services.xserver.enable; description = '' Whether to enable SLiM as the display manager. ''; @@ -106,7 +106,12 @@ in # Allow null passwords so that the user can login as root on the # installation CD. - security.pam.services = [ { name = "slim"; allowNullPassword = true; startSession = true; } ]; + security.pam.services.slim = { allowNullPassword = true; startSession = true; }; + + # Allow slimlock to work. + security.pam.services.slimlock = {}; + + environment.systemPackages = [ pkgs.slim ]; }; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index d42d7caaa06b..02ba680255bf 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -229,6 +229,14 @@ in ''; }; + s3tcSupport = mkOption { + default = false; + description = '' + Make S2TC via libtxc_dxtn available to OpenGL drivers. Using + this library may require a patent license depending on your location. + ''; + }; + startOpenSSHAgent = mkOption { default = true; description = '' 
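Review bot: `security.pam.services.slimlock = {};` adds a PAM service that takes every default, right below the `slim` entry whose `allowNullPassword = true` is justified by the installation-CD comment. The defaults are not visible in this hunk, so whether slimlock ends up allowing empty passwords or starting a session cannot be checked here; since a screen locker is a different trust decision from the login prompt, the intent should be stated, e.g. `# slimlock only needs the default auth stack; the installer-CD null-password exception above is deliberately not extended to it.` Note also that `environment.systemPackages = [ pkgs.slim ]` now installs the slimlock binary for every user, which is presumably what "Allow slimlock to work" means but is worth saying explicitly.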
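Review bot: The new `s3tcSupport` option has no `type`, unlike the typed options this same commit introduces elsewhere, and its description talks about "S2TC" while the option is named after S3TC and the library is libtxc_dxtn, which reads like a typo unless S2TC is meant as the implementation name. I'd add `type = types.bool;` and spell out the relationship in the description, e.g. "Make S3TC texture compression (via libtxc_dxtn) available to OpenGL drivers."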
@@ -410,7 +418,9 @@ in optionals (elem "nvidia" driverNames) [ "nouveau" "nvidiafb" ]; environment.variables.LD_LIBRARY_PATH = - [ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ]; + [ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ] + ++ pkgs.lib.optional cfg.s3tcSupport "${pkgs.libtxc_dxtn}/lib" + ++ pkgs.lib.optional (cfg.s3tcSupport && cfg.driSupport32Bit) "${pkgs_i686.libtxc_dxtn}/lib"; environment.etc = (optionals cfg.exportConfiguration @@ -527,6 +537,11 @@ in ''; script = "${cfg.displayManager.job.execCmd}"; + + serviceConfig = { + Restart = "always"; + RestartSec = "200ms"; + }; }; services.xserver.displayManager.xserverArgs = diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 8e9f3253f877..c7c1f675c778 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -237,13 +237,14 @@ in boot.loader.grub.devices = optional (cfg.device != "") cfg.device; - system.build = mkAssert (cfg.devices != []) - "You must set the ‘boot.loader.grub.device’ option to make the system bootable." - { installBootLoader = - "PERL5LIB=${makePerlPath [ pkgs.perlPackages.XMLLibXML pkgs.perlPackages.XMLSAX ]} " + - "${pkgs.perl}/bin/perl ${./install-grub.pl} ${grubConfig}"; - inherit grub; - }; + system.build.installBootLoader = + if cfg.devices == [] then + throw "You must set the ‘boot.loader.grub.device’ option to make the system bootable." + else + "PERL5LIB=${makePerlPath [ pkgs.perlPackages.XMLLibXML pkgs.perlPackages.XMLSAX ]} " + + "${pkgs.perl}/bin/perl ${./install-grub.pl} ${grubConfig}"; + + system.build.grub = grub; # Common attribute for boot loaders so only one of them can be # set at once. diff --git a/nixos/modules/tasks/filesystems/xfs.nix b/nixos/modules/tasks/filesystems/xfs.nix index 5f9eb741c2ab..6800696a05a3 100644 --- a/nixos/modules/tasks/filesystems/xfs.nix +++ b/nixos/modules/tasks/filesystems/xfs.nix 
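Review bot: The two new `LD_LIBRARY_PATH` entries use `pkgs.lib.optional`, while the surrounding file calls `optionals` and `elem` unqualified (see the `optionals (elem "nvidia" driverNames)` context line), so `++ optional cfg.s3tcSupport "${pkgs.libtxc_dxtn}/lib"` would match the file's style. More importantly, `environment.variables.LD_LIBRARY_PATH` is a system-wide variable, so this directory is searched by every dynamically linked program, not just GL clients; anything in `${pkgs.libtxc_dxtn}/lib` shadows a same-named library elsewhere. A comment such as `# Global LD_LIBRARY_PATH: only the S3TC helper library lives here, nothing that could shadow other sonames.` would record that this was considered.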
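Review bot: `Restart = "always"` with `RestartSec = "200ms"` on the display-manager unit gives no start-limit settings, so a display manager that dies immediately at startup will, under systemd's default start rate limit (not visible here, typically a handful of starts per few seconds), be restarted a few times within a second and then left failed with no indication in this file of why. Whether that is the intended behaviour or a restart back-off is wanted, it deserves a comment next to the block, e.g. `# Restart on crash/logout; the rapid RestartSec means systemd's default start limit stops a crash loop within about a second.` The unit's `script` and the rest of the definition are outside this hunk.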
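Review bot: The new `throw` checks `cfg.devices == []` but its message still names only `boot.loader.grub.device`, while the context line above shows `devices` is a separately settable option that `device` merely feeds; a user who set `devices` wrongly will be told to set an option they may not be using. Suggest `throw "You must set the ‘boot.loader.grub.device’ (or ‘boot.loader.grub.devices’) option to make the system bootable."`. Also note that the error now fires only when `system.build.installBootLoader` itself is forced rather than when `system.build` is evaluated as before (as far as `mkAssert` semantics can be inferred), which can move the failure later in the build; a short comment stating that this laziness is acceptable would help the next reader.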
@@ -13,7 +13,7 @@ in system.fsPackages = [ pkgs.xfsprogs ]; - boot.initrd.kernelModules = mkIf inInitrd [ "xfs" "crc32c" ]; + boot.initrd.availableKernelModules = mkIf inInitrd [ "xfs" "crc32c" ]; boot.initrd.extraUtilsCommands = mkIf inInitrd '' diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 5b521a455470..708b462e0e5d 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -295,7 +295,7 @@ in boot.initrd.postMountCommands = '' - # Mark this as a NixOS machinex. + # Mark this as a NixOS machine. mkdir -p $targetRoot/etc echo -n > $targetRoot/etc/NIXOS @@ -303,7 +303,6 @@ in chmod 1777 $targetRoot/tmp mkdir -p $targetRoot/boot - mount -o remount,ro $targetRoot/nix/store ${optionalString cfg.writableStore '' mkdir -p /unionfs-chroot/ro-store mount --rbind $targetRoot/nix/store /unionfs-chroot/ro-store diff --git a/nixos/modules/virtualisation/virtualbox-guest.nix b/nixos/modules/virtualisation/virtualbox-guest.nix index e1a83cdecc23..664fd21781cd 100644 --- a/nixos/modules/virtualisation/virtualbox-guest.nix +++ b/nixos/modules/virtualisation/virtualbox-guest.nix @@ -82,10 +82,6 @@ optionalAttrs (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) # ugly... # Allow systemd dependencies on vboxguest. KERNEL=="vboxguest", TAG+="systemd" ''; - - # Make the ACPI Shutdown command to do the right thing. - services.acpid.enable = true; - services.acpid.powerEventCommands = "poweroff"; }; } diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index f36f3fd9aba7..6866c709dd4c 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix 
@@ -43,16 +43,22 @@ in rec { (all nixos.iso_graphical) (all nixos.ova) + (all nixos.tests.efi-installer.simple) (all nixos.tests.firefox) (all nixos.tests.firewall) + (all nixos.tests.installer.grub1) (all nixos.tests.installer.lvm) (all nixos.tests.installer.separateBoot) (all nixos.tests.installer.simple) + (all nixos.tests.ipv6) (all nixos.tests.kde4) (all nixos.tests.login) (all nixos.tests.misc) + (all nixos.tests.nat) + (all nixos.tests.nfs3) (all nixos.tests.openssh) (all nixos.tests.printing) + (all nixos.tests.proxy) (all nixos.tests.xfce) nixpkgs.tarball diff --git a/nixos/release.nix b/nixos/release.nix index 094eacf70598..e19403eccb66 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -224,7 +224,4 @@ in { mapAttrsRecursiveCond (x: !x ? test) (n: v: listToAttrs [(nameValuePair system v.test)]) (import ./tests { inherit nixpkgs system; }); in fold recursiveUpdate {} (map testsFor systems); - - - run-in-machine-tests = pkgs.lib.genAttrs systems (system: import ./tests/run-in-machine.nix { inherit nixpkgs system; }); } diff --git a/nixos/tests/default.nix b/nixos/tests/default.nix index 17fe6a6d045f..0c971f1b712b 100644 --- a/nixos/tests/default.nix +++ b/nixos/tests/default.nix @@ -25,13 +25,14 @@ with import ../lib/testing.nix { inherit system minimal; }; nfs3 = makeTest (import ./nfs.nix { version = 3; }); #nfs4 = makeTest (import ./nfs.nix { version = 4; }); openssh = makeTest (import ./openssh.nix); - partition = makeTest (import ./partition.nix); + #partition = makeTest (import ./partition.nix); printing = makeTest (import ./printing.nix); proxy = makeTest (import ./proxy.nix); quake3 = makeTest (import ./quake3.nix); simple = makeTest (import ./simple.nix); #subversion = makeTest (import ./subversion.nix); tomcat = makeTest (import ./tomcat.nix); - trac = makeTest (import ./trac.nix); + #trac = makeTest (import ./trac.nix); xfce = makeTest (import ./xfce.nix); + runInMachine.test = import ./run-in-machine.nix { inherit system; }; } 
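Review bot: The `partition` and `trac` tests are commented out in tests/default.nix with no reason given, joining the already silent `#nfs4` and `#subversion` lines, so nobody can tell later whether they are broken, slow or obsolete and when they may be re-enabled. A one-line reason per entry is enough, e.g. `#partition = makeTest (import ./partition.nix);  # disabled: <reason / issue>`. The same applies to the new `runInMachine.test` entry, which is shaped differently from every other entry in the set (an attrset with a `test` attribute rather than a `makeTest` result) and would benefit from a comment explaining why.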
diff --git a/nixos/tests/efi-installer.nix b/nixos/tests/efi-installer.nix index a9c5d7190306..8a05dbf2a610 100644 --- a/nixos/tests/efi-installer.nix +++ b/nixos/tests/efi-installer.nix @@ -37,13 +37,12 @@ let # The config to install config = builtins.toFile "configuration.nix" '' { pkgs, ... }: { - imports = [ ./hardware.nix <nixos/modules/testing/test-instrumentation.nix> ]; + imports = [ ./hardware-configuration.nix <nixos/modules/testing/test-instrumentation.nix> ]; boot.kernelPackages = pkgs.linuxPackages_3_10; boot.loader.grub.enable = false; boot.loader.efi.canTouchEfiVariables = true; boot.loader.gummiboot.enable = true; fonts.enableFontConfig = false; - fileSystems."/".label = "nixos"; } ''; @@ -60,7 +59,7 @@ in { createDisk("harddisk", 4 * 1024); my $machine = createMachine({ hda => "harddisk", - hdaInterface => "virtio", + hdaInterface => "scsi", cdrom => glob("${iso}/iso/*.iso"), qemuFlags => '-L ${biosDir} ${optionalString (pkgs.stdenv.system == "x86_64-linux") "-cpu kvm64"}'}); $machine->start; @@ -69,14 +68,13 @@ in { $machine->succeed("echo hello"); $machine->waitForUnit("rogue"); $machine->waitForUnit("nixos-manual"); - $machine->waitForUnit("dhcpcd"); # Partition the disk. $machine->succeed( - "sgdisk -Z /dev/vda", - "sgdisk -n 1:0:+256M -N 2 -t 1:ef00 -t 2:8300 -c 1:boot -c 2:root /dev/vda", - "mkfs.vfat -n BOOT /dev/vda1", - "mkfs.ext3 -L nixos /dev/vda2", + "sgdisk -Z /dev/sda", + "sgdisk -n 1:0:+256M -N 2 -t 1:ef00 -t 2:8300 -c 1:boot -c 2:root /dev/sda", + "mkfs.vfat -n BOOT /dev/sda1", + "mkfs.ext3 -L nixos /dev/sda2", "mount LABEL=nixos /mnt", "mkdir /mnt/boot", "mount LABEL=BOOT /mnt/boot", 
@@ -84,12 +82,10 @@ in { # Create the NixOS configuration. $machine->succeed( - "mkdir -p /mnt/etc/nixos", - "nixos-hardware-scan > /mnt/etc/nixos/hardware.nix", + "nixos-generate-config --root /mnt", ); - my $cfg = $machine->succeed("cat /mnt/etc/nixos/hardware.nix"); - print STDERR "Result of the hardware scan:\n$cfg\n"; + $machine->succeed("cat /mnt/etc/nixos/hardware-configuration.nix >&2"); $machine->copyFileFromHost( "${config}", diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 0ce780531712..bebd6c04374b 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -38,7 +38,7 @@ let { config, pkgs, modulesPath, ... }: { imports = - [ ./hardware.nix + [ ./hardware-configuration.nix "''${modulesPath}/testing/test-instrumentation.nix" ]; @@ -48,10 +48,7 @@ let ''} boot.loader.grub.device = "${grubDevice}"; boot.loader.grub.extraConfig = "serial; terminal_output.serial"; - boot.initrd.kernelModules = [ "ext3" "ext4" "xfs" "virtio_console" ]; - - ${fileSystems} - swapDevices = [ { label = "swap"; } ]; + boot.initrd.kernelModules = [ "virtio_console" ]; environment.systemPackages = [ ${optionalString testChannel "pkgs.rlwrap"} ]; } @@ -143,12 +140,10 @@ let # Create the NixOS configuration. $machine->succeed( - "mkdir -p /mnt/etc/nixos", - "nixos-hardware-scan > /mnt/etc/nixos/hardware.nix", + "nixos-generate-config --root /mnt", ); - my $cfg = $machine->succeed("cat /mnt/etc/nixos/hardware.nix"); - print STDERR "Result of the hardware scan:\n$cfg\n"; + $machine->succeed("cat /mnt/etc/nixos/hardware-configuration.nix >&2"); $machine->copyFileFromHost( "${ config { inherit fileSystems testChannel grubVersion grubDevice; } }", 
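Review bot: After this change the generated configuration no longer interpolates `${fileSystems}` (it now relies on `nixos-generate-config` to produce hardware-configuration.nix), yet the call site kept as context further down still passes `inherit fileSystems testChannel grubVersion grubDevice` into `config`. If there is no other use of `fileSystems` inside `config` beyond what this hunk shows (its function header is outside the hunk), that parameter and the corresponding argument are now dead and should be removed together so the test's parameterisation is not misleading. The removed `swapDevices` and `ext3`/`ext4`/`xfs` initrd modules are likewise now expected from the generated file; a comment saying so, e.g. `# Filesystems, swap and filesystem modules come from hardware-configuration.nix.`, would make that dependency explicit.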
@@ -179,6 +174,11 @@ let $machine->succeed("nixos-rebuild switch >&2"); + # Test nixos-option. + $machine->succeed("nixos-option boot.initrd.kernelModules | grep virtio_console"); + $machine->succeed("nixos-option -d boot.initrd.kernelModules | grep 'List of modules'"); + $machine->succeed("nixos-option -l boot.initrd.kernelModules | grep /etc/nixos/configuration.nix"); + $machine->shutdown; # And just to be sure, check that the machine still boots after diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix index e18a208fe432..12ac6f6f9a67 100644 --- a/nixos/tests/misc.nix +++ b/nixos/tests/misc.nix @@ -9,6 +9,7 @@ { swapDevices = pkgs.lib.mkOverride 0 [ { device = "/root/swapfile"; size = 128; } ]; environment.variables.EDITOR = pkgs.lib.mkOverride 0 "emacs"; + services.nixosManual.enable = pkgs.lib.mkOverride 0 true; }; testScript = @@ -18,7 +19,7 @@ }; subtest "nixos-rebuild", sub { - $machine->succeed("nixos-rebuild --help | grep 'Usage:'"); + $machine->succeed("nixos-rebuild --help | grep SYNOPSIS"); }; # Sanity check for uid/gid assignment. diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 16757cf9098e..49d92fbde908 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -8,6 +8,8 @@ { services.openssh.enable = true; + security.pam.services.sshd.limits = + [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; }; client = @@ -31,5 +33,6 @@ $client->waitForUnit("network.target"); $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2"); + $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024"); ''; } diff --git a/nixos/tests/run-in-machine.nix b/nixos/tests/run-in-machine.nix index 75bd161ec9ef..8efe26c17082 100644 --- a/nixos/tests/run-in-machine.nix +++ b/nixos/tests/run-in-machine.nix 
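Review bot: The new assertion `ssh ... 'ulimit -l' | grep 1024` matches any line containing the substring `1024`, so a limit of `10240` or `11024` would also pass and the memlock check would not actually prove that the PAM limit from `security.pam.services.sshd.limits` was applied. Use an exact match, `| grep -x 1024` (or `grep -w 1024`), so the test fails if the value is merely similar. Since the rest of the test already disables host-key checking for convenience, it is worth a comment noting that these `UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` options are test-only and must not be copied into real configurations.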
@@ -1,10 +1,8 @@ -{ nixpkgs ? <nixpkgs> -, system ? builtins.currentSystem -}: +{ system ? builtins.currentSystem }: with import ../lib/testing.nix { inherit system; }; runInMachine { - drv = (import nixpkgs { inherit system; }).aterm; + drv = pkgs.patchelf; machine = { config, pkgs, ... }: { services.sshd.enable = true; }; } |