Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1803.xml | 7 | ||||
-rw-r--r-- | nixos/modules/programs/bash/bash.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/misc/disnix.nix | 14 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-ssh-serve.nix | 24 | ||||
-rw-r--r-- | nixos/modules/services/security/usbguard.nix | 2 | ||||
-rw-r--r-- | nixos/release.nix | 1 | ||||
-rw-r--r-- | nixos/tests/nix-ssh-serve.nix | 39 | ||||
-rw-r--r-- | nixos/tests/openssh.nix | 17 | ||||
-rw-r--r-- | nixos/tests/ssh-keys.nix | 15 |
9 files changed, 95 insertions, 27 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml index 29b252753830..9f80dcc29341 100644 --- a/nixos/doc/manual/release-notes/rl-1803.xml +++ b/nixos/doc/manual/release-notes/rl-1803.xml @@ -430,6 +430,13 @@ following incompatible changes:</para> and <literal>stopJob</literal> provide an optional <literal>$user</literal> argument for that purpose. </para> </listitem> + <listitem> + <para> + Enabling bash completion on NixOS, <literal>programs.bash.enableCompletion</literal>, will now also enable + completion for the Nix command line tools by installing the + <link xlink:href="https://github.com/hedning/nix-bash-completions">nix-bash-completions</link> package. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 1abdb4973a44..1a62f04972df 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -211,6 +211,9 @@ in "/share/bash-completion" ]; + environment.systemPackages = optional cfg.enableCompletion + pkgs.nix-bash-completions; + environment.shells = [ "/run/current-system/sw/bin/bash" "/var/run/current-system/sw/bin/bash" diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix index e96645c79c77..39d23610b064 100644 --- a/nixos/modules/services/misc/disnix.nix +++ b/nixos/modules/services/misc/disnix.nix @@ -32,11 +32,17 @@ in description = "Whether to enable Disnix"; }; + enableMultiUser = mkOption { + type = types.bool; + default = true; + description = "Whether to support multi-user mode by enabling the Disnix D-Bus service"; + }; + useWebServiceInterface = mkOption { default = false; description = "Whether to enable the DisnixWebService interface running on Apache Tomcat"; }; - + package = mkOption { type = types.path; description = "The Disnix package"; 
@@ -52,7 +58,7 @@ in config = mkIf cfg.enable { dysnomia.enable = true; - + environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService; services.dbus.enable = true; @@ -71,7 +77,7 @@ in }; systemd.services = { - disnix = { + disnix = mkIf cfg.enableMultiUser { description = "Disnix server"; wants = [ "dysnomia.target" ]; wantedBy = [ "multi-user.target" ]; @@ -92,7 +98,7 @@ in } // (if config.environment.variables ? DYSNOMIA_CONTAINERS_PATH then { inherit (config.environment.variables) DYSNOMIA_CONTAINERS_PATH; } else {}) // (if config.environment.variables ? DYSNOMIA_MODULES_PATH then { inherit (config.environment.variables) DYSNOMIA_MODULES_PATH; } else {}); - + serviceConfig.ExecStart = "${cfg.package}/bin/disnix-service"; }; diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix index 66148431709f..5bd9cf9086f1 100644 --- a/nixos/modules/services/misc/nix-ssh-serve.nix +++ b/nixos/modules/services/misc/nix-ssh-serve.nix @@ -1,8 +1,12 @@ { config, lib, pkgs, ... }: with lib; - -{ +let cfg = config.nix.sshServe; + command = + if cfg.protocol == "ssh" + then "nix-store --serve" + else "nix-daemon --stdio"; +in { options = { nix.sshServe = { @@ -10,7 +14,7 @@ with lib; enable = mkOption { type = types.bool; default = false; - description = "Whether to enable serving the Nix store as a binary cache via SSH."; + description = "Whether to enable serving the Nix store as a remote store via SSH."; }; keys = mkOption { 
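Review bot: The new `mkIf cfg.enableMultiUser` on the `disnix` unit (hunk `@@ -71`) switches off the server, but `services.dbus.enable = true` in the `@@ -52` hunk and the `pkgs.disnix` entry in `environment.systemPackages` stay unconditional, so the option text `Whether to support multi-user mode by enabling the Disnix D-Bus service` promises slightly more than the option controls. If nothing else in this module relies on D-Bus, `services.dbus.enable = mkIf cfg.enableMultiUser true;` keeps the two in step; otherwise the description should say that only the `disnix` systemd unit is affected and that deployments then run without the D-Bus service. The `systemd.services` set continues past the `@@ -92` hunk, so I cannot see whether other units depend on `disnix` being present.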
@@ -20,14 +24,20 @@ with lib; description = "A list of SSH public keys allowed to access the binary cache via SSH."; }; + protocol = mkOption { + type = types.enum [ "ssh" "ssh-ng" ]; + default = "ssh"; + description = "The specific Nix-over-SSH protocol to use."; + }; + }; }; - config = mkIf config.nix.sshServe.enable { + config = mkIf cfg.enable { users.extraUsers.nix-ssh = { - description = "Nix SSH substituter user"; + description = "Nix SSH store user"; uid = config.ids.uids.nix-ssh; useDefaultShell = true; }; @@ -41,11 +51,11 @@ with lib; PermitTTY no PermitTunnel no X11Forwarding no - ForceCommand ${config.nix.package.out}/bin/nix-store --serve + ForceCommand ${config.nix.package.out}/bin/${command} Match All ''; - users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = config.nix.sshServe.keys; + users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = cfg.keys; }; } diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 4e685e633354..5d469cabe2cb 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix @@ -192,7 +192,7 @@ in { serviceConfig = { Type = "simple"; - ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -d -k -c ${daemonConfFile}''; + ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -P -d -k -c ${daemonConfFile}''; Restart = "on-failure"; }; }; diff --git a/nixos/release.nix b/nixos/release.nix index 23f050367d69..558bbbf9a9d4 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -319,6 +319,7 @@ in rec { tests.nfs4 = callTest tests/nfs.nix { version = 4; }; tests.nginx = callTest tests/nginx.nix { }; tests.nghttpx = callTest tests/nghttpx.nix { }; + tests.nix-ssh-serve = callTest tests/nix-ssh-serve.nix { }; tests.novacomd = callTestOnTheseSystems ["x86_64-linux"] tests/novacomd.nix { }; tests.leaps = callTest tests/leaps.nix { }; tests.nsd = callTest tests/nsd.nix {}; 
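Review bot: The `keys` option description, visible as a context line at the top of this hunk, still reads `A list of SSH public keys allowed to access the binary cache via SSH.` although the `enable` description was reworded to "remote store" and the new `protocol` option can put `nix-daemon --stdio` behind `ForceCommand`. With `ssh-ng` those keys speak the daemon protocol, which the new test exercises with `nix copy --to ssh-ng://nix-ssh@server`, i.e. they can push paths (subject to the daemon's signature checks) rather than only fetch as with `nix-store --serve`; that difference belongs in the option text so an operator does not widen access unknowingly. Suggested wording: `description = "A list of SSH public keys allowed to access the Nix store via SSH. With protocol = \"ssh-ng\" these keys can also push paths into the store, not only fetch from it.";` with a matching sentence on `protocol`. The module also assumes `config.nix.package` provides `nix-daemon --stdio`; the test pins `pkgs.nixUnstable`, so the `protocol` description should state the Nix version `ssh-ng` needs, or the module should assert it.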
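Review bot: The added `-P` on the `usbguard-daemon` command line changes what the daemon verifies at start-up without a comment saying why; if I read the option right it disables usbguard's permission check on its configuration and rule files, presumably because `daemonConfFile` is a store path and cannot have the ownership and mode the daemon expects. A reader of `ExecStart` should not have to rediscover that, so a comment next to the line, e.g. `# -P: skip usbguard's file-permission check; the config is a (world-readable) store path and would otherwise be rejected`, would make the trade-off explicit. Whether the rule file referenced from the config is also a store path is outside this hunk.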
diff --git a/nixos/tests/nix-ssh-serve.nix b/nixos/tests/nix-ssh-serve.nix new file mode 100644 index 000000000000..aa366d8612d7 --- /dev/null +++ b/nixos/tests/nix-ssh-serve.nix @@ -0,0 +1,39 @@ +import ./make-test.nix ({ pkgs, lib, ... }: +let inherit (import ./ssh-keys.nix pkgs) + snakeOilPrivateKey snakeOilPublicKey; + ssh-config = builtins.toFile "ssh.conf" '' + UserKnownHostsFile=/dev/null + StrictHostKeyChecking=no + ''; +in + { name = "nix-ssh-serve"; + meta.maintainers = [ lib.maintainers.shlevy ]; + nodes = + { server.nix.sshServe = + { enable = true; + keys = [ snakeOilPublicKey ]; + protocol = "ssh-ng"; + }; + server.nix.package = pkgs.nixUnstable; + client.nix.package = pkgs.nixUnstable; + }; + testScript = '' + startAll; + + $client->succeed("mkdir -m 700 /root/.ssh"); + $client->copyFileFromHost("${ssh-config}", "/root/.ssh/config"); + $client->succeed("cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa"); + $client->succeed("chmod 600 /root/.ssh/id_ecdsa"); + + $client->succeed("nix-store --add /etc/machine-id > mach-id-path"); + + $server->waitForUnit("sshd"); + + $client->fail("diff /root/other-store\$(cat mach-id-path) /etc/machine-id"); + # Currently due to shared store this is a noop :( + $client->succeed("nix copy --to ssh-ng://nix-ssh\@server \$(cat mach-id-path)"); + $client->succeed("nix-store --realise \$(cat mach-id-path) --store /root/other-store --substituters ssh-ng://nix-ssh\@server"); + $client->succeed("diff /root/other-store\$(cat mach-id-path) /etc/machine-id"); + ''; + } +) diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 291544996889..b2d254e9d9d9 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix 
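Review bot: The `nix copy --to ssh-ng://nix-ssh@server` step cannot fail regardless of whether pushing over `ssh-ng` works, as the `# Currently due to shared store this is a noop :(` comment admits, so the test only proves the substituter direction and a regression in the push direction would pass. The comment should state that limitation plainly so nobody reads the `succeed` as coverage, e.g. `# Client and server share the host store in the VM test, so this copy is a no-op; only the --substituters step below actually exercises ssh-ng.`. The `$server->waitForUnit("sshd")` is placed after the client-side setup, which is fine since those commands are local, but moving it before the first `nix-store` call would make the ordering easier to follow.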
@@ -1,20 +1,7 @@ import ./make-test.nix ({ pkgs, ... }: -let - snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" '' - -----BEGIN EC PRIVATE KEY----- - MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49 - AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN - r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA== - -----END EC PRIVATE KEY----- - ''; - - snakeOilPublicKey = pkgs.lib.concatStrings [ - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA" - "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa" - "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil" - ]; - +let inherit (import ./ssh-keys.nix pkgs) + snakeOilPrivateKey snakeOilPublicKey; in { name = "openssh"; meta = with pkgs.stdenv.lib.maintainers; { diff --git a/nixos/tests/ssh-keys.nix b/nixos/tests/ssh-keys.nix new file mode 100644 index 000000000000..07d422196efa --- /dev/null +++ b/nixos/tests/ssh-keys.nix @@ -0,0 +1,15 @@ +pkgs: +{ snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" '' + -----BEGIN EC PRIVATE KEY----- + MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49 + AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN + r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA== + -----END EC PRIVATE KEY----- + ''; + + snakeOilPublicKey = pkgs.lib.concatStrings [ + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA" + "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa" + "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil" + ]; +} |
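Review bot: The new shared `ssh-keys.nix` holds a private key but nothing in the file says it is a deliberately public throw-away pair; now that two tests import it and more will, a header comment keeps it from being reused outside VM tests, e.g. `# Throw-away "snake oil" key pair for NixOS VM tests only. The private key is committed in this repository, so it must never be installed on anything but a test node.`. The public key's comment field still reads `sakeoil`, a typo carried over from the old openssh.nix block; harmless to SSH, but `snakeoil` would match the attribute and file names.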