Commit graph

2557 commits

Author SHA1 Message Date
Shea Levy
d19c223ba6 Simplify unionfs-chroot bind-mounting 2012-12-16 13:07:42 -05:00
Shea Levy
e34024d998 Refactor common unionfs-fuse initrd prep into a separate module 2012-12-16 12:33:36 -05:00
Lluís Batlle i Rossell
3e734ba695 Qemu says 'boot=on' is deprecated, so I try a half-fix here
I change the 'build-vm' to use '-boot menu=on', so a menu displays and allows
choosing the 2nd hd. Otherwise, I don't know how to boot from a 2nd hd.
2012-12-16 18:07:13 +01:00
Shea Levy
3eb0faf317 qemu-vm: Use unionfs-fuse instead of aufs for writableStore 2012-12-16 11:56:49 -05:00
Shea Levy
be4f69519b iso-image: Use unionfs-fuse instead of aufs 2012-12-16 11:31:52 -05:00
Lluís Batlle i Rossell
dacd7d5a58 Setting iso_new_kernel to use linux 3.7.
It was using 3.2, the same kernel as the other isos.
2012-12-16 16:05:50 +01:00
Lluís Batlle i Rossell
cba4d20280 Setting the system utillinux to be utillinuxCurses.
The live-dvd was set that way already.
I think some utillinux pieces may be nicer, or have more tools. I don't know
the details though.
2012-12-16 16:03:38 +01:00
Alexander Inyukhin
1ae44e42ed Use zoneinfo from tzdata
This fixes #50
2012-12-15 22:05:32 +04:00
Florian Friesdorf
14483c0bf9 update nixos channel path 2012-12-14 18:24:41 +01:00
Eelco Dolstra
bd7ea9be58 sysinit.target: Drop the dependency on local-fs.target and swap.target
Having all services with DefaultDependencies=yes depend on
local-fs.target is annoying, because some of those services might be
necessary to mount local filesystems.  For instance, Charon's
send-keys feature requires sshd to be running in order to receive LUKS
encryption keys, which in turn requires dhcpcd, and so on.  So we drop
this dependency (and swap.target as well for consistency).  If
services require a specific mount, they should use RequiresMountsFor
in any case.
2012-12-14 17:42:54 +01:00
Eelco Dolstra
5437424297 Hackery to build against both the nixpkgs master and systemd branch 2012-12-13 15:04:09 +01:00
Carles Pagès
e312df06f0 Add support for nvidia 304.xx drivers in xserver.
Those were already in nixpkgs, but not supported in xserver. Since some time
ago the current 310.xx dropped support for some not so new cards.
2012-12-13 11:36:18 +01:00
Rob Vermaas
859badc966 Zabbix agent: RemainAfterExit=true seems to give more reliable restarts, cannot completely figure out why, as Type=forking should be enough. 2012-12-11 20:54:19 +01:00
Eelco Dolstra
97ae408e83 Merge remote-tracking branch 'origin/master' into systemd 2012-12-11 17:40:39 +01:00
Eelco Dolstra
78bd54ca80 Allow setting additional AuthorizedKeysFiles
Charon needs this to include the dynamically generated
/root/.vbox-charon-client-key.  (We used
users.extraUsers.root.openssh.authorizedKeys.keyFiles for this, but
that no longer works.)
2012-12-11 17:29:34 +01:00
Eelco Dolstra
eda051cff5 Remove abuse of "with" 2012-12-11 17:14:52 +01:00
Rickard Nilsson
68872f81cf openssh: Change the way authorized keys are added to the system.
Instead of the somewhat hacky script that inserted public keys
into the users' .ssh/authorized_keys files, use the AuthorizedKeysFile
configuration directive in sshd_config and generate extra key
files for each user (placed in /etc/authorized_keys.d/).
2012-12-11 17:02:39 +01:00
Eelco Dolstra
3224ea8a1e Don't require nixUnstable 2012-12-11 13:14:33 +01:00
Eelco Dolstra
745a201814 Check whether /proc/sys/net/ipv6/conf/all/disable_ipv6 exists 2012-12-11 13:14:17 +01:00
Eelco Dolstra
13617b803b Use the binary cache in the installer
Also remove "nixos-rebuild pull".
2012-12-08 19:00:06 +01:00
Eelco Dolstra
ef3199f782 Add options for specifying binary caches
Cherry-picked a4bcb26b1a.
2012-12-08 18:37:40 +01:00
Evgeny Egorochkin
860cbf7890 scanner support: create scanner group. Users need to be in this group to access scanners. 2012-12-06 02:59:34 +02:00
Evgeny Egorochkin
15a15be2f6 dhcpcd: disable "require dhcp_server_identifier" because of so many non-compliant DHCP servers 2012-12-05 23:55:42 +02:00
Eelco Dolstra
b1da38f564 Merge remote-tracking branch 'origin/master' into systemd 2012-11-30 16:12:04 +01:00
Eelco Dolstra
7435db4f89 Get rid of the last uses of mkAlways
mkAlways is an insane function, mkMerge is much saner.
2012-11-30 15:07:39 +01:00
Eelco Dolstra
3c6e0fd594 Generate the binary hardware database required by systemd 196 2012-11-29 18:51:44 +01:00
Eelco Dolstra
9eb81d2578 Renamed tcpWrapper -> tcp_wrappers 2012-11-29 15:16:30 +01:00
Lluís Batlle i Rossell
04963cf802 system-tarball-pc: fixing the readme inclusion 2012-11-29 11:29:15 +01:00
Lluís Batlle i Rossell
a9e5d1ab50 Changing the kernel parameters for crashump
I think that these enable more checks, and make more NMIs happen.
2012-11-29 11:27:33 +01:00
Peter Simons
6b6b245693 sane: update name of the snapshot version of the backends 2012-11-26 16:21:11 +01:00
Peter Simons
403dc16c51 sane: update name of the snapshot version of the backends 2012-11-26 16:20:29 +01:00
Shea Levy
a5ef0ffe12 rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 08:45:23 -05:00
Eelco Dolstra
f3c9c83e04 Make it easier to append to the default sudo configuration 2012-11-23 15:14:16 +01:00
Shea Levy
e76eb7f1a7 Disable rngd by default while I work on some patches to make it more systemd-friendly 2012-11-22 10:14:41 -05:00
Eelco Dolstra
994a15bc25 nixos-rebuild: Handle options with spaces in them
Like ‘--option binary-caches "http://foo http://bar"’
2012-11-22 12:04:00 +01:00
Eelco Dolstra
a4bcb26b1a Add options for specifying binary caches 2012-11-22 11:49:47 +01:00
Eelco Dolstra
77891f8d59 Typo 2012-11-22 10:41:54 +01:00
Shea Levy
cd513482d4 Add rngd service.
Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c
2012-11-22 02:07:25 -05:00
Rob Vermaas
f0a6911929 Add ec2.metadata (default false) option whether to allow access to EC2 metadata API. 2012-11-21 12:19:38 -05:00
Peter Simons
0f15d75017 Merge pull request #29 from rickynils/shellaliases
Generate shell aliases programatically
2012-11-20 12:35:03 -08:00
Rickard Nilsson
6099451662 Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-11-20 16:39:45 +01:00
Rickard Nilsson
611ebeb1d0 Add nslcd (nss-pam-ldapd) uid and gid 2012-11-20 16:39:45 +01:00
Rickard Nilsson
a22c362155 Add option for specifying shell aliases, environment.shellAliases. 2012-11-20 16:33:29 +01:00
James Cook
3afa5f86c1 Fixed the documentation for programs.ssh.forwardX11 to account for the X11 SECURITY extension. 2012-11-18 11:05:18 -08:00
James Cook
63dc873b85 Merge master. 2012-11-18 10:49:55 -08:00
Eelco Dolstra
60bf4c3cd7 Add a GRUB 1 dependency
http://hydra.nixos.org/build/3331139
2012-11-16 16:42:45 +01:00
Eelco Dolstra
722a3a7147 Remove unnecessary (AFAICT) call to toPath 2012-11-15 23:07:05 +01:00
Eelco Dolstra
35922e61d9 Systemd requires the latest Nix 2012-11-15 22:55:36 +01:00
Eelco Dolstra
1f401a0e35 Make install-grub.pl work when $PATH is empty 2012-11-15 22:54:43 +01:00
Eelco Dolstra
f44d27a96c Make the installer work on systemd
Systemd mounts the root filesystem as a shared subtree, which breaks
recursive bind mounts.
2012-11-15 22:53:57 +01:00
Rickard Nilsson
02e0d7dbc3 dnsmasq: Add extraConfig option 2012-11-12 18:16:04 +01:00
Eelco Dolstra
08e6c0cb7c Update channel URLs 2012-11-12 09:19:25 +01:00
Eelco Dolstra
1350816199 test-instrumentation.nix: Don't start agetty on hvc0 2012-11-12 09:19:25 +01:00
Peter Simons
622a652411 Add option "environment.binsh" to configure the shell executable used to create the global /bin/sh symlink. 2012-11-11 21:46:25 +01:00
Peter Simons
04ba5de70a modules/programs/bash/bash.nix: cosmetic indention fix 2012-11-11 21:29:33 +01:00
Shea Levy
2f833bc88d Remove unnecessary toPath that breaks with recent nixUnstable 2012-11-08 13:04:20 -05:00
Eelco Dolstra
e078117c72 firewall.nix: Don't fail if IPv6 is disabled 2012-11-06 22:55:25 +01:00
aszlig
a333f7212e systemd: Fail if kernel features are missing.
This has rendered my system unbootable, because I forgot to enable AUTOFS4 in my
custom kernel. In addition to AUTOFS4, this includes (hopefully) all other
kernel features needed by systemd, as listed in the README:

REQUIREMENTS:
  Linux kernel >= 2.6.39
    with devtmpfs
    with cgroups (but it's OK to disable all controllers)
    optional but strongly recommended: autofs4, ipv6

Autofs4 is not a requirement here, but in our case it turns out that the system
is not able to boot properly with a LUKS-enabled system (or at least not on _my_
system).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-06 11:25:43 +01:00
Peter Simons
70e6e19f54 xsession: source /etc/profile at the beginning of the script
The xsession script runs services that depend on a sane environment. Gpg-agent, for
example, runs the program "pinentry-gtk-2" to obtain the password to unlock GnuPG
and SSH keys. That program will display only gibberish unless $FONTCONFIG_FILE is
configured properly. Instead of configuring these variables explicitly one by one,
we just source /etc/profile, which contains the appropriate @shellInit@ code.
2012-11-05 23:07:53 +01:00
aszlig
1c28b86749
pam: Douchebag commit, fix alphabetical order.
Yes, I'm going to get back to school and learn the alphabet. I promise!

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-05 09:41:24 +01:00
aszlig
6e6ee3278c
pam: Add default configuration for GNU screen.
This is needed in order to properly lock your screen using the C-a C-x
(lockscreen) command _and_ being back to re-login, because the "other" PAM
service/fallback is to deny authentication.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-05 09:40:15 +01:00
Lluís Batlle i Rossell
64540fb453 Adding quick instructions in system-tarball-pc to use it as chroot.
I also split the readme into a file apart.
2012-11-04 22:13:19 +01:00
Eelco Dolstra
458f36f5f1 Turn fileSystems into an attribute set
So now you can write

  fileSystems =
    [ { mountPoint = "/";
        device = "/dev/sda1";
      }
    ];

as

  fileSystems."/".device = "/dev/sda1";
2012-11-02 18:02:12 +01:00
Eelco Dolstra
97f087cd44 Turn networking.interfaces into an attribute set
Thus

  networking.interfaces = [ { name = "eth0"; ipAddress = "192.168.15.1"; } ];

can now be written as

  networking.interfaces.eth0.ipAddress = "192.168.15.1";

The old notation still works though.
2012-11-02 17:08:11 +01:00
Eelco Dolstra
93f82dfeef Remove outdated comment about EC2 booting into stage-2 directly 2012-11-02 17:07:53 +01:00
Eelco Dolstra
67de234e1c wpa_supplicant.nix: Slightly improve descriptions 2012-11-02 17:05:30 +01:00
Eelco Dolstra
6ae0b3beed dhcpcd: Don't use --background so that fetch-ec2-data can be ordered after it 2012-11-02 14:20:05 +01:00
Eelco Dolstra
af4e176c12 Fix description 2012-11-02 14:10:06 +01:00
Eelco Dolstra
48a0ea0513 Make Apache wait for ‘charon send-keys’
(This is a no-op on non-Charon deployments since the ‘keys.target’
unit won't have any dependencies.)
2012-11-01 23:32:12 +01:00
Eelco Dolstra
dd7edefb2c Order mkfs services before the corresponding fsck services 2012-10-31 14:49:09 +01:00
Eelco Dolstra
1860badbeb dhcpcd: Go into the background immediately 2012-10-31 14:24:51 +01:00
Eelco Dolstra
f293455474 dhcpcd: Don't duplicate log messages
Dhcpcd writes log messages to both syslog and stderr.  So ignore
stderr.
2012-10-31 14:24:22 +01:00
Eelco Dolstra
1da362b34b Fix coverage data collection
http://hydra.nixos.org/build/3253046
2012-10-30 17:27:14 +01:00
Eelco Dolstra
bcdc71ddae Kill the backdoor more forcefully
Otherwise it hangs until the 90 second timeout expires.

http://hydra.nixos.org/build/3253068
2012-10-30 16:42:05 +01:00
Rob Vermaas
8caceffae8 Logstash: fix typo, should have tested. 2012-10-30 14:22:14 +01:00
Rob Vermaas
631fce3c6f Logstash: pass TZ, redirect log output to prevent recursion when using syslogd. 2012-10-30 14:18:51 +01:00
Rob Vermaas
2b19856f40 Logstash: do not always log to stdout 2012-10-30 14:09:30 +01:00
Eelco Dolstra
4143ff2280 In headless deployments, don't start agetty on the console 2012-10-30 13:53:36 +01:00
Rob Vermaas
88a9d7a9ca Added environment.promptInit to allow PS1 overriding. Would be nicer to be able to allow overriding via shellInit, however could not get that to work. For now this is a temporary solution which will not break anything. 2012-10-30 13:33:37 +01:00
Eelco Dolstra
1a82024dd8 In the tests, don't start agetty on /dev/ttyS0
Running agetty on ttyS0 interferes with the backdoor, which uses ttyS0
as its standard error.  After agetty starts, writes to the stderr file
descriptor will return EIO (though doing "exec 2>/proc/self/fd/2" will
miracuously fix this).

http://hydra.nixos.org/build/3252782
2012-10-29 21:10:00 +01:00
Eelco Dolstra
4764848314 Remove some obsolete options 2012-10-29 21:10:00 +01:00
Peter Simons
b1fefb8834 modules/programs/ssh.nix: strip trailing whitespace 2012-10-29 17:10:46 +01:00
Peter Simons
307644e3b0 modules/programs/ssh.nix: simplify expression that generates 'ForwardX11' entry 2012-10-29 17:10:37 +01:00
Peter Simons
9c74f9a51b modules/programs/ssh.nix: configure AddressFamily properly
Explicitly restrict ssh clients to use of IPv4 addresses if IPv6 support is not enabled.
2012-10-29 17:10:17 +01:00
Peter Simons
cd372c62ea modules/services/networking/ssh/sshd.nix: configure AddressFamily properly
Explicitly restrict sshd to use of IPv4 addresses if IPv6 support is not enabled.
2012-10-29 12:46:30 +01:00
Eelco Dolstra
ae861c8e33 Undo accidental commit 2012-10-29 12:44:38 +01:00
Eelco Dolstra
390f5f7376 Remove the cgroups module
Cgroups are handled by systemd now.  Systemd's cgroup support does not
do all the things that cgrulesengd does, but they're likely to
interact poorly with each other.
2012-10-26 19:36:59 +02:00
Eelco Dolstra
65eae4dd34 Update libvirt for systemd 2012-10-26 16:22:19 +02:00
Eelco Dolstra
23390147ea upstart.nix: Treat "daemon" as "forking" 2012-10-26 16:22:19 +02:00
Eelco Dolstra
6705358ede Convert Zabbix agent/server to systemd
Note all the crap systemd doesn't need :-)
2012-10-26 16:22:19 +02:00
Eelco Dolstra
b3c5d42b1d Don't create /var/log/upstart 2012-10-26 16:22:18 +02:00
Lluís Batlle i Rossell
82d39c9ca4 Fixing stage1 about getting a shell with job control in case of error
It's a busybox faq:
http://www.busybox.net/FAQ.html#job_control
2012-10-24 21:49:10 +02:00
Lluís Batlle i Rossell
c76fc27aff dnsmasq: Setting fixed order in DNS name resolution.
That fits better my setup; if anyone doesn't need this, we can write an option
for the fixed order queries.
2012-10-24 19:29:39 +02:00
Peter Simons
b43e219aeb modules/services/networking/ssh/sshd.nix: configure AddressFamily properly
Explicitly restrict sshd to use of IPv4 addresses if IPv6 support is not enabled.
2012-10-24 19:01:38 +02:00
Eelco Dolstra
b6f9e05269 Update NFS client/server modules for systemd 2012-10-24 18:10:58 +02:00
Eelco Dolstra
2d9258da67 auto.nix: Use SLiM to implement auto-logins 2012-10-24 12:31:02 +02:00
Vladimír Čunát
a392468245 Merge pull request #39 from MarcWeber/fixes/ati-proprietary
making ati proprietary drivers work again
2012-10-24 02:59:38 -07:00
Eelco Dolstra
224c825a36 Add option ‘users.motd’ for setting a message of the day shown on login
Note that this uses pam_motd.
2012-10-23 09:10:48 -04:00
Eelco Dolstra
c980faebe2 upstart.nix: Set ‘Type’ to ‘oneshot’ for Upstart tasks
This way the service will only reach the "started" state when the task
has finished.
2012-10-23 08:30:50 -04:00
Eelco Dolstra
e5fa3f108e Set uniqueness constraint on boot.devShmSize etc. 2012-10-23 07:50:23 -04:00
Eelco Dolstra
7efde0740e Add user option ‘isAlias’ to allow one user account to alias another 2012-10-23 13:35:06 +02:00
Jack Cummings
1cbad692c3 Add an option to add 'option=single-request' to /etc/resolv.conf. 2012-10-21 21:49:21 -07:00
Eelco Dolstra
c8628e0293 Don't let interfaces get IPv6 addresses if networking.enableIPv6 is false 2012-10-19 15:41:01 -04:00
Eelco Dolstra
ac8db6fd33 firewall.nix: Don't fail if IPv6 is disabled 2012-10-19 15:21:06 -04:00
Eelco Dolstra
06cbe62537 switch-to-configuration: Support services activated by multiple sockets 2012-10-18 13:26:47 -04:00
Eelco Dolstra
b4a1893cdd systemd-vconsole-setup: Don't put the X server in non-raw mode
‘systemd-vconsole-setup’ by default operates on /dev/tty0, the
currently active tty.  Since it puts /dev/tty0 in Unicode or ASCII
mode, if the X server is currently active when it runs, keys such as
Alt-F4 won't reach the X server anymore.  So use /dev/tty1 instead.
2012-10-18 11:58:37 -04:00
Eelco Dolstra
a4cad32c3d Generate more user-friendly script filenames
This is primarily important in journal entries.
2012-10-18 11:58:37 -04:00
Peter Simons
7d58132c0a Merge pull request #36 from jcumming/hostapd
hostapd module
2012-10-18 03:21:31 -07:00
aszlig
f9831a94c9
apache-httpd: Simplify all versionOlder calls.
We now just have a simple attribute called "version24" which replaces all those
pesky versionOlder that were spreading throughout the file and makes things way
more readable.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 17:47:30 +02:00
aszlig
919e6e55a9
apache-httpd: Create runtime dir for version 2.4.
By default the path is determined related to ServerRoot. Unfortunately
ServerRoot is pointing to the Nix store and the web server can't write to it.

We now create a directory called "runtime" withen the stateDir and point
DefaultRuntimeDir to it.

For more information on the DefaultRuntimeDir directive, please see:

http://httpd.apache.org/docs/2.4/mod/core.html#defaultruntimedir

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 17:38:43 +02:00
aszlig
5655ec0efa
apache-httpd: Avoid NameVirtualHost in >= v2.4.
NameVirtualHost no longer has any effect on version 2.4 and just emits ugly
warnings, so let's not use it if we use 2.4.

More information: http://httpd.apache.org/docs/2.4/upgrading.html#misc

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 17:03:50 +02:00
aszlig
a88453fbaa
apache-httpd: Properly wrap access directives.
The Order/Deny directives are deprecated in version 2.4, so we're going to
define two wrappers for allDenied and allGranted in order to properly generate
configurations for both version 2.2 and 2.4.

For more information an access control changes, see:

http://httpd.apache.org/docs/2.4/upgrading.html#access

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 16:57:18 +02:00
aszlig
3acd98b040
apache-httpd: Add unixd for 2.4, needed by "User".
Beginning with 2.4 mod_unixd is needed to supply Unix usernames and groups for
the web server. For details please have a look at:

http://httpd.apache.org/docs/2.4/upgrading.html#commonproblems

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 15:34:08 +02:00
aszlig
3ad8fac5a2
apache-httpd: Dynamically load MPM module in v2.4.
Now, MPMs can be loaded at runtime and it's no longer required to compile in one
of the MPM modules statically. So, if version is >= 2.4, load the MPM module
corresponding to the multiProcessingModule value of the service module.

For details, please see: http://httpd.apache.org/docs/2.4/mpm.html

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 15:17:48 +02:00
aszlig
18076e001a
apache-httpd: Use authn_core for version >= 2.3.
Beginning with version 2.3, the authn were refactored. As a result, authn_alias
is now part of the new module authn_core, so let's use authn_core instead of
authn_alias.

For details please see: http://httpd.apache.org/docs/2.4/upgrading.html#misc

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-10-17 15:11:53 +02:00
Peter Simons
56f90da276 modules/programs/bash: '/run/current-system/sw' is already a part of $NIX_PROFILES 2012-10-16 19:08:10 +02:00
Peter Simons
6a9b855412 modules/programs/bash: '/run/current-system/sw' is already a part of $NIX_PROFILES 2012-10-16 19:07:19 +02:00
Peter Simons
04a8642b4b modules/programs/bash: clean-up variables used in initialization of bash-completion 2012-10-16 18:41:45 +02:00
Peter Simons
efc104c4c8 modules/programs/bash: improve bash completion support
The new configuration.nix option 'environment.enableBashCompletion'
determines whether bash completion is automatically enabled system-wide
for all interactive shells or not. The default setting is 'off'.
2012-10-16 18:41:45 +02:00
Peter Simons
c7fb0defe6 modules/programs/bash: clean-up variables used in initialization of bash-completion 2012-10-16 18:41:20 +02:00
Peter Simons
4ca0617f4a modules/programs/bash: improve bash completion support
The new configuration.nix option 'environment.enableBashCompletion'
determines whether bash completion is automatically enabled system-wide
for all interactive shells or not. The default setting is 'off'.
2012-10-16 18:23:28 +02:00
Eelco Dolstra
8499d7555f Backward compatibility hack for ‘networking.nat.internalIPs’ 2012-10-16 11:28:30 -04:00
Eelco Dolstra
10ac80115b switch-to-configuration: Fix bad Perl 2012-10-14 21:12:11 -04:00
Mathijs Kwik
97a3a99b40 firewall: options to select connection-tracking helpers
My main reason for adding this is the ability to turn off helpers
altogether. If you are not using any of the special protocols, keeping
them turned off is safest, and in case you do want to use them, it's
best to configure them through the new CT target for your network
topology. Perhaps some sane defaults for nixos can be examined in the
future.

This change has no impact if you don't touch the added options, so no
need to adapt.
2012-10-13 09:59:31 +02:00
Mathijs Kwik
6c62de6a31 firewall: option to enable the rpfilter netfilter module
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.

There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/

I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative nixos users that just stick
to the default kernel will not need to act now just yet.
2012-10-13 09:59:31 +02:00
Eelco Dolstra
53f216885f Ignore systemd-modules-load errors
On NixOS, ‘boot.kernelModules’ has historically contained modules that
may not exist or load everywhere, so don't barf on those.
2012-10-12 17:39:06 -04:00
Eelco Dolstra
161c837c49 Port automatic filesystem creation to systemd 2012-10-12 17:32:36 -04:00
Eelco Dolstra
12d1cd87ce Systemd unit names can contain Nix-illegal characters, so don't include them 2012-10-12 17:32:05 -04:00
Eelco Dolstra
3f6d53cc97 Move escapeSystemdPath to lib/utils.nix
The new file ‘utils.nix’ is intended for NixOS-specific library
functions (i.e. stuff that shouldn't go into Nixpkgs' lib/).
2012-10-12 17:01:49 -04:00
Eelco Dolstra
e8de4455ab Update automatic swapfile creation for systemd 2012-10-12 16:47:29 -04:00
Eelco Dolstra
97a2de983b Ensure that swap.target is pulled in by switch-to-configuration even if it failed earlier 2012-10-12 16:38:00 -04:00
Eelco Dolstra
fd7dbc99ab switch-to-configuration: Handle multiple swap devices properly 2012-10-12 16:37:14 -04:00
Eelco Dolstra
b968244aa1 Move fs.target to filesystems.nix 2012-10-12 15:08:44 -04:00
Peter Simons
7ce9893bef network-interfaces.nix: interfaces that are part of a bridge must be brought 'up' for the bridge to function 2012-10-12 18:14:39 +02:00
Eelco Dolstra
e3c1865067 Let the tun services depend on /dev/net/tun 2012-10-11 17:59:41 -04:00
Eelco Dolstra
d63da5892c Ensure that systemd-modules-load is restarted when boot.kernelModules changes 2012-10-11 17:58:46 -04:00
Eelco Dolstra
71a541afb6 dhcpcd: Don't depend on network-interfaces.target
Dhcpcd automatically detects new interfaces, so we can start it right
away.
2012-10-11 17:57:54 -04:00
Eelco Dolstra
b606165bd9 Allow a unit to declare "triggers" that force a restart
The triggers are just arbitrary strings that are included in the unit
under X-Restart-Triggers.  The idea is that if they change between
reconfigurations, switch-to-configuration will restart the unit
because its store path changed.  This is mostly useful for services
that implicitly depend on generated files in /etc.  Thus you can say

  restartTriggers = [ confFile ];

where ‘confFile’ is the derivation that generated the /etc file in
question.
2012-10-11 17:54:43 -04:00
Eelco Dolstra
285f587025 Move non-interface specific initialisation to ‘network-setup.service’
The unit ‘network-interface.service’ has been replaced by
‘network-interfaces.target’.
2012-10-11 16:18:48 -04:00
Eelco Dolstra
2cf9bb929b Add a ‘restart’ alias 2012-10-11 16:18:34 -04:00
Eelco Dolstra
1c53b2e299 Don't flush addresses unless necessary
Flushing is bad if the Nix store is on a remote filesystem accessed
over that interface.

http://hydra.nixos.org/build/3184162

Also added a interface option ‘prefixLength’ as a better alternative
to ‘subnetMask’.
2012-10-11 15:36:52 -04:00
Eelco Dolstra
4104f60800 Fix accidental commit 2012-10-11 12:43:08 -04:00
Eelco Dolstra
bd1071d02b Remove "wants" dependencies on <interface>.service
Instead it's enough to depend on
sys-subsystem-net-devices-<interface>.device, which in turn has a
"wants" dependency on the service (if any) that creates the interface.
2012-10-10 22:47:50 -04:00
Eelco Dolstra
d7458b5fc2 Split the monolithic network-interface service into multiple units
For each statically configured interface, we now create a unit
‘<interface>-cfg.service’ which gets started as soon as the network
device comes up.  Similarly, each bridge defined in
‘networking.bridges’ and virtual interface in ‘networking.interfaces’
is created by a service ‘<interface>.service’.

So if we have

  networking.bridges.br0.interfaces = [ "eth0" "eth1" ];
  networking.interfaces =
    [ { name = "br0";
        ipAddress = "192.168.1.1";
      }
    ];

then there will be a unit ‘br0.service’ that depends on
‘sys-subsystem-net-devices-eth0.device’ and
‘sys-subsystem-net-devices-eth1.device’, and a unit ‘br0-cfg.service’
that depends on ‘sys-subsystem-net-devices-br0.device’.
2012-10-10 17:55:42 -04:00
Eelco Dolstra
62b707de07 Add support for postStop scripts 2012-10-10 17:55:13 -04:00
Eelco Dolstra
e9b221c2ff firewall.nix: Don't spam the log 2012-10-10 16:51:05 -04:00
Eelco Dolstra
17a7f48364 Add an option for BindsTo dependencies 2012-10-10 16:50:41 -04:00
Eelco Dolstra
6b185a131f Use config.system.build.systemd in the toplevel derivation 2012-10-10 16:49:59 -04:00
Eelco Dolstra
ad94b9e50e Use optionalAttrs 2012-10-10 16:49:47 -04:00
James Cook
5181ca4a3f Change the default value of programs.ssh.forwardX11 to false.
Forwarding X11 to untrusted servers is extremely insecure; see for example
http://www.hackinglinuxexposed.com/articles/20040705.html
2012-10-09 23:21:45 -07:00
Jack Cummings
71e6eca567 - fix indention, clarify parameter descriptions, and use 'exec' instead of 'script' in the hostapd job 2012-10-09 12:19:09 -07:00
Eelco Dolstra
6902452901 Whitespace 2012-10-09 15:14:32 -04:00
Eelco Dolstra
d71c0bb834 Respect partOf etc. for socket and target units 2012-10-09 15:14:15 -04:00
Jack Cummings
e40146de16 nat: enable NAT for multiple networks 2012-10-09 14:00:59 -04:00
Jack Cummings
e8d8b6b399 smartd: Add options for each device being monitored 2012-10-09 14:00:59 -04:00
Mathijs Kwik
01b8c48c32 logcheck: add some options to ease setting up ignore-rules
The special handling for cronjobs should probably move to the cron
module (logcheckIgnore = bool option) in the future, as it's more
natural to just declare a cronjob, and mark it as "log-ignored",
instead of adding cronjobs through logcheck.

But as systemCronjobs is not an attrset yet (just simple strings),
this would require adding an attrset for cronjobs or parsing strings
in the nix language to get hold of the cron-user and command.

So for now, I keep the interface within logcheck's module.
2012-10-09 16:04:17 +02:00
Eelco Dolstra
dd3fe9d792 Merge remote-tracking branch 'origin/master' into systemd
Conflicts:
	modules/services/system/nscd.nix
2012-10-08 13:47:37 -04:00
Eelco Dolstra
f451afea8f Remove ‘services.journald.logKernelMessages’
This option no longer exists in systemd.
2012-10-08 10:51:17 -04:00
Marc Weber
87bb6b1c6d making ati proprietary drivers work again
However SLIM is still broken and you have to create a
/usr/lib/dri/fglrx_dri.so symlink pointing to
/run/opengl-driver/lib/fglrx_dri.so

At least fgl_glxgears shows 10 times more frames per second now
2012-10-07 17:24:42 +02:00
Eelco Dolstra
2b2f0067b8 Add an /etc/hosts entry mapping localhost to ::1 2012-10-07 00:46:24 -04:00
Eelco Dolstra
570e523a88 Remove 127.0.0.1 mapping for the system's hostname
Also remove the <hostname>.<domain> mapping.
2012-10-07 00:40:00 -04:00
Eelco Dolstra
74295866f5 Don't include NSS modules in $LD_LIBRARY_PATH
This is broken because it requires restarting applications to see new
NSS modules.  The proper way to handle NSS modules is through nscd.
See commit 554ae9908b.
2012-10-07 00:37:36 -04:00
Eelco Dolstra
13841d6e47 Use nss-myhostname to ensure that the hostname resolves to something sensible 2012-10-06 21:00:26 -04:00
Eelco Dolstra
757ab7f6d3 Generate nsswitch.conf properly 2012-10-06 20:58:46 -04:00
Jack Cummings
33754edb3e - add a hostapd module 2012-10-05 21:39:56 -07:00
Eelco Dolstra
dd1770bf0b Enable klogd on Linux < 3.5
On Linux >= 3.5, systemd takes care of logging kernel messages.
2012-10-05 13:44:15 -04:00
Eelco Dolstra
a5969634f4 sshd: Do detach into the background
This is necessary to ensure that jobs that need to start after sshd
work properly.

This reverts 03f13a4939.
2012-10-04 23:38:27 -04:00
Eelco Dolstra
98c6c5b730 fetch-ec2-data: Update for systemd 2012-10-04 23:26:19 -04:00
Eelco Dolstra
892b3f6ad6 acpid: Skip (rather than fail) if /proc/acpi doesn't exist
E.g. EC2 instances don't have ACPI.
2012-10-04 23:26:01 -04:00
Eelco Dolstra
0ddd147cfc headless.nix: Mountall is gone 2012-10-04 23:25:33 -04:00
Eelco Dolstra
5d9b3ed12b scsi-link-pm: Don't fail if there are no matching SCSI hosts 2012-10-04 23:25:11 -04:00
Eelco Dolstra
8f4d8cf620 Enable the power management module by default
After all, we don't want NixOS machines to contribute to global
warming more than necessary!
2012-10-04 22:10:35 -04:00
Eelco Dolstra
9b431cb24e upower: Work around the daemon getting stuck after a suspend 2012-10-04 21:58:40 -04:00
Eelco Dolstra
7d26dde69a Oops, systemd-inhibit should be exec'ed 2012-10-04 21:58:20 -04:00
Eelco Dolstra
52483c36bb Lowercase debug output 2012-10-04 21:44:45 -04:00
Eelco Dolstra
db2a4d144e xsession: Set a inhibitor to prevent systemd from handling the power button and lid 2012-10-04 21:44:24 -04:00
Eelco Dolstra
c6d12257f1 systemd: Run the powerManagement.* hooks on suspend/resume
Also, drop pm-utils. Systemd now takes care of suspend/resume.
2012-10-04 17:57:10 -04:00
Eelco Dolstra
38229da940 upower: Add glib to $PATH
The upower daemon needs the gdbus command (which is weird given that
upower links against dbus_glib, but ah well...).  This fixes suspend
in KDE with systemd.
2012-10-04 16:38:31 -04:00
Eelco Dolstra
fdea3ac3d2 stage-2-init: Don't rely on groups being initialised 2012-10-04 16:15:30 -04:00
Eelco Dolstra
6c6134c2d2 Fix the manual service on the installation CD 2012-10-04 16:15:10 -04:00
Eelco Dolstra
74be2d9707 ISO image: Fix graphical GRUB menu 2012-10-04 16:14:44 -04:00
Eelco Dolstra
8dc4f2c3be Fix the rogue service for systemd 2012-10-04 15:27:31 -04:00
Eelco Dolstra
02624758b1 Use udev to restore ALSA volume settings
Alsa-utils provides a udev rule to restore volume settings, so use
that instead of restoring them from a systemd service.  The
"alsa-store" service saves the settings on shutdown.
2012-10-02 11:09:54 -04:00
Eelco Dolstra
666620cdd5 Use ‘mountpoint -q’ 2012-10-02 10:32:56 -04:00
Eelco Dolstra
2044ae785d Use "wants" instead of "requires" 2012-10-02 10:32:29 -04:00
Eelco Dolstra
7932978617 Fix Upstart compatibility jobs that depend on "stopped udevtrigger"
It's not enough to say "after udev-settle.service" since
udev-settle.service is not wanted/required anywhere - we need to say
"wants udev-settle.service" as well.

This should fix problems with ALSA and X11 initialisation that people
have been seeing.
2012-10-02 10:31:02 -04:00
Eelco Dolstra
2cf5e3cb66 Add options ‘boot.systemd.targets’ and ‘boot.systemd.sockets’ 2012-10-01 18:58:11 -04:00
Eelco Dolstra
ca13a913d9 Oops, lost some code 2012-10-01 18:20:22 -04:00
Eelco Dolstra
990ec8cc4e Decrease PostgreSQL start check interval 2012-10-01 17:32:03 -04:00
Eelco Dolstra
2326c6da2b postgresql.nix: Depend on the filesystem containing the database 2012-10-01 16:53:13 -04:00
Eelco Dolstra
5cf702e1c1 postgresql.nix: Use User/Group instead of su 2012-10-01 16:49:02 -04:00
Eelco Dolstra
13d747c11a Support postStart scripts in service units 2012-10-01 16:45:49 -04:00
Eelco Dolstra
891be375b5 Make unitConfig/serviceConfig attribute sets
So instead of:

  boot.systemd.services."foo".serviceConfig =
    ''
      StartLimitInterval=10
      CPUShare=500
    '';

you can say:

  boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10;
  boot.systemd.services."foo".serviceConfig.CPUShare = 500;

This way all unit options are available and users can set/override
options in configuration.nix.
2012-10-01 16:27:42 -04:00
Eelco Dolstra
440b793a5b Remove ‘autocreate’ FS option
Systemd creates missing mountpoints unconditionally.
2012-10-01 14:34:39 -04:00
Eelco Dolstra
353522ef79 Remove JoinControllers line because upstream reverted joining cpuset 2012-10-01 14:33:01 -04:00
Peter Simons
4b78161e3e dovecot: add options to selectively enable/disable the IMAP and/or POP3 listener 2012-09-30 00:54:03 +02:00
Mathijs Kwik
1b47614c46 invalidate-nscd: use script instead of exec for multiple commands
otherwise, only the first one line executes
2012-09-29 10:51:28 +02:00
Eelco Dolstra
0c4c3fc8aa Merge branch 'systemd' of github.com:NixOS/nixos into systemd 2012-09-28 11:41:59 -04:00
Peter Simons
03f13a4939 Tell sshd not to detach into the background.
This makes it easier for systemd to track it and avoids race conditions such as
this one:

  systemd[1]: PID file /run/sshd.pid not readable (yet?) after start.
  systemd[1]: Failed to start SSH Daemon.
  systemd[1]: Unit sshd.service entered failed state.
  systemd[1]: sshd.service holdoff time over, scheduling restart.
  systemd[1]: Stopping SSH Daemon...
  systemd[1]: Starting SSH Daemon...
  sshd[2315]: Server listening on 0.0.0.0 port 22.
  sshd[2315]: Server listening on :: port 22.
  sshd[2335]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
  sshd[2335]: error: Bind to port 22 on :: failed: Address already in use.
  sshd[2335]: fatal: Cannot bind any address.
  systemd[1]: Started SSH Daemon.
2012-09-28 17:38:24 +02:00
Peter Simons
fabe06337e alsa.nix: initialize the sound card before restoring previously stored settings
The sound card in my ThinkPad won't work unless "init" is run explicitly.
2012-09-28 17:38:24 +02:00