diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/default.nix | 26 | ||||
-rw-r--r-- | nixos/modules/programs/ssh.nix | 5 | ||||
-rw-r--r-- | nixos/modules/programs/venus.nix | 2 | ||||
-rw-r--r-- | nixos/modules/security/audit.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/ca.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-daemon.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/dd-agent.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/ddclient.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/gateone.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/sddm.nix | 11 | ||||
-rw-r--r-- | nixos/modules/virtualisation/container-config.nix | 3 |
11 files changed, 45 insertions, 26 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index bd558dac971d..eb2ceb7fd021 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -1,4 +1,4 @@ -{ pkgs, options, version, revision }: +{ pkgs, options, version, revision, extraSources ? [] }: with pkgs; with pkgs.lib; @@ -17,19 +17,27 @@ let # Clean up declaration sites to not refer to the NixOS source tree. optionsList' = flip map optionsList (opt: opt // { - declarations = map (fn: stripPrefix fn) opt.declarations; + declarations = map (fn: stripAnyPrefixes fn) opt.declarations; } // optionalAttrs (opt ? example) { example = substFunction opt.example; } // optionalAttrs (opt ? default) { default = substFunction opt.default; } // optionalAttrs (opt ? type) { type = substFunction opt.type; }); - prefix = toString ../../..; - - stripPrefix = fn: - if substring 0 (stringLength prefix) fn == prefix then - substring (stringLength prefix + 1) 1000 fn - else - fn; + # We need to strip references to /nix/store/* from options, + # including any `extraSources` if some modules came from elsewhere, + # or else the build will fail. + # + # E.g. if some `options` came from modules in ${pkgs.customModules}/nix, + # you'd need to include `extraSources = [ "#{pkgs.customModules}" ]` + herePrefix = toString ../../..; + prefixesToStrip = [ herePrefix ] ++ extraSources; + + stripAnyPrefixes = fn: + flip (flip fold fn) prefixesToStrip (fn: prefix: + if substring 0 (stringLength prefix) fn == prefix then + substring (stringLength prefix + 1) 1000 fn + else + fn); # Convert the list of options into an XML file. optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList'); diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 260888be485f..2da8ff738fbc 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -221,10 +221,7 @@ in fi ''; - environment.interactiveShellInit = optionalString config.services.xserver.enable - '' - export SSH_ASKPASS=${askPassword} - ''; + environment.variables.SSH_ASKPASS = optionalString config.services.xserver.enable askPassword; programs.ssh.askPassword = mkDefault "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; diff --git a/nixos/modules/programs/venus.nix b/nixos/modules/programs/venus.nix index 8f85b602fe2c..c3756b4838c7 100644 --- a/nixos/modules/programs/venus.nix +++ b/nixos/modules/programs/venus.nix @@ -165,7 +165,7 @@ in script = "exec venus-planet ${configFile}"; serviceConfig.User = "${cfg.user}"; serviceConfig.Group = "${cfg.group}"; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"; + environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; startAt = cfg.dates; }; diff --git a/nixos/modules/security/audit.nix b/nixos/modules/security/audit.nix index 3aa31e079073..f223f52ec487 100644 --- a/nixos/modules/security/audit.nix +++ b/nixos/modules/security/audit.nix @@ -93,9 +93,11 @@ in { config = mkIf (cfg.enable == "lock" || cfg.enable) { systemd.services.audit = { - description = "pseudo-service representing the kernel audit state"; + description = "Kernel Auditing"; wantedBy = [ "basic.target" ]; + unitConfig.ConditionVirtualization = "!container"; + path = [ pkgs.audit ]; serviceConfig = { diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index ddfad52d42ed..98d73ed25426 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -4,7 +4,7 @@ with lib; let - caBundle = pkgs.runCommand "ca-bundle.crt" + caCertificates = pkgs.runCommand "ca-certificates.crt" { files = config.security.pki.certificateFiles ++ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ]; @@ -26,7 +26,7 @@ in description = '' A list of files containing trusted root certificates in PEM format. These are concatenated to form - <filename>/etc/ssl/certs/ca-bundle.crt</filename>, which is + <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is used by many programs that use OpenSSL, such as <command>curl</command> and <command>git</command>. ''; @@ -56,13 +56,13 @@ in security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. - environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; + environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates; # Old NixOS compatibility. - environment.etc."ssl/certs/ca-bundle.crt".source = caBundle; + environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates; # CentOS/Fedora compatibility. - environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle; + environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates; environment.sessionVariables = { SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index da03eb17e302..8e984727a80e 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -364,7 +364,7 @@ in ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; environment = cfg.envVars - // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-bundle.crt"; } + // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; } // config.networking.proxy.envVars; serviceConfig = diff --git a/nixos/modules/services/monitoring/dd-agent.nix b/nixos/modules/services/monitoring/dd-agent.nix index 8c847af3bfc0..ed9be73ba65b 100644 --- a/nixos/modules/services/monitoring/dd-agent.nix +++ b/nixos/modules/services/monitoring/dd-agent.nix @@ -183,7 +183,7 @@ in { Restart = "always"; RestartSec = 2; }; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"; + environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ]; }; diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index ee06dfbbca3a..e60520c742bd 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -127,7 +127,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"; + environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; serviceConfig = { # Uncomment this if too many problems occur: # Type = "forking"; diff --git a/nixos/modules/services/networking/gateone.nix b/nixos/modules/services/networking/gateone.nix index 93273837181e..78ff0b76198c 100644 --- a/nixos/modules/services/networking/gateone.nix +++ b/nixos/modules/services/networking/gateone.nix @@ -21,7 +21,7 @@ options = { }; config = mkIf cfg.enable { environment.systemPackages = with pkgs.pythonPackages; [ - gateone pkgs.openssh pkgs.procps pkgs.coreutils ]; + gateone pkgs.openssh pkgs.procps pkgs.coreutils pkgs.cacert]; users.extraUsers.gateone = { description = "GateOne privilege separation user"; @@ -49,8 +49,6 @@ config = mkIf cfg.enable { User = "gateone"; Group = "gateone"; WorkingDirectory = cfg.settingsDir; - PermissionsStartOnly = true; - }; wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index bcac83aa738b..4d61afe0eaeb 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -31,6 +31,9 @@ let [General] HaltCommand=${pkgs.systemd}/bin/systemctl poweroff RebootCommand=${pkgs.systemd}/bin/systemctl reboot + ${optionalString cfg.autoNumlock '' + Numlock=on + ''} [Theme] Current=${cfg.theme} @@ -110,6 +113,14 @@ in ''; }; + autoNumlock = mkOption { + type = types.bool; + default = false; + description = '' + Enable numlock at login. + ''; + }; + setupScript = mkOption { type = types.str; default = ""; diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix index c210c8d5f25e..b4f9d8b6fc17 100644 --- a/nixos/modules/virtualisation/container-config.nix +++ b/nixos/modules/virtualisation/container-config.nix @@ -19,6 +19,9 @@ with lib; # Shut up warnings about not having a boot loader. system.build.installBootLoader = "${pkgs.coreutils}/bin/true"; + # Not supported in systemd-nspawn containers. + security.audit.enable = false; + }; } |