Commit graph

541 commits

Author SHA1 Message Date
Eelco Dolstra
16cf3ee9da Ensure that the home directory exists even if the user already exists 2015-02-24 11:57:38 +01:00
Thomas Tuegel
0fee7a2b21 fontconfig: stringify dpi correctly 2015-02-01 16:18:48 -06:00
Domen Kožar
3d7ff07258 fix manual 2015-01-03 16:32:07 +01:00
Domen Kožar
1f523bb23d clarify things about hashed passwords and mutableUsers 2015-01-02 17:32:56 +01:00
Peter Simons
137ffc9929 Switch default timezone in NixOS from "CET" to "UTC".
Suggested in https://github.com/NixOS/nixpkgs/pull/5332.
2014-12-15 16:31:18 +01:00
Thomas Tuegel
32e41c2280 nixos: fix config.fonts.fontconfig.ultimate.allowBitmaps
The option was incorrectly negated, so that 'allowBitmaps = true'
actually disabled bitmap fonts.
2014-12-15 09:16:40 -06:00
Eelco Dolstra
8bb494c170 Get rid of a warning about dbus in the activation script 2014-12-12 10:45:37 +01:00
Thomas Tuegel
9707ffd973 nixos: let fontconfig default fonts be lists of fonts 2014-12-08 10:55:24 -06:00
Thomas Tuegel
57ba2093bf Replace Bitstream Vera fonts by DejaVu in defaults
The default configuration installed the Bitstream Vera fonts, but DejaVu
is a superior replacement, and the default Fontconfig settings need it
now for the generic faces monospace, sans-serif, and serif.
2014-12-08 10:55:24 -06:00
Thomas Tuegel
c00c563c66 Add NixOS module for fontconfig-ultimate
Details:
* The option `fonts.fontconfig.ultimate.enable` can be used to disable
  the fontconfig-ultimate configuration.
* The user-configurable options provided by fontconfig-ultimate are
  exposed in the NixOS module: `allowBitmaps` (default: true),
  `allowType1` (default: false), `useEmbeddedBitmaps` (default: false),
  `forceAutohint` (default: false), `renderMonoTTFAsBitmap` (default:
  false).
* Upstream provides three substitution modes for substituting TrueType
  fonts for Type 1 fonts (which do not render well). The default,
  "free", substitutes free fonts for Type 1 fonts. The option "ms"
  substitutions Microsoft fonts for Type 1 fonts. The option "combi"
  uses a combination of Microsoft and free fonts. Substitutions can also
  be disabled.
* All 21 of the Infinality rendering modes supported by fontconfig-ultimate
  or by the original Infinality distribution can be selected through
  `fonts.fontconfig.ultimate.rendering`. The default is the medium style
  provided by fontconfig-ultimate. Any of the modes may be customized,
  or Infinality rendering can be disabled entirely.
2014-12-08 10:55:24 -06:00
Thomas Tuegel
1df1305a8a Rewrite Fontconfig NixOS module
Details:
* The option `fonts.enableFontConfig` has (finally) been renamed
  `fonts.fontconfig.enable`.
* Configurations are loaded in this order: first the Fontconfig-upstream
  configuration is loaded, then the NixOS-specific font directories are
  set, the system-wide default configuration is loaded, and finally the
  user configuration is loaded (if enabled).
* The NixOS options `fonts.fontconfig.defaultFonts.monospace`,
  `fonts.fontconfig.defaultFonts.sansSerif` and
  `fonts.fontconfig.defaultFonts.serif` are added to allow setting the
  default system-wide font used for these generic faces. The defaults
  are the appropriate faces from the DejaVu collection because of their
  comprehensive Unicode coverage, clean rendering, and excellent
  legibility.
* The NixOS option `fonts.fontconfig.antialias` can be used to disable
  antialiasing (it is enabled by default).
* The options `fonts.fontconfig.subpixel.rgba` and
  `fonts.fontconfig.subpixel.lcdfilter` control the system-wide default
  settings for subpixel order and LCD filtering algorithm,
  respectively.
* `fonts.fontconfig.hinting.enable` can be used to disable TrueType font
  hinting (it is enabled by default).
  `fonts.fontconfig.hinting.autohint` controls the FreeType autohinter.
  `fonts.fontconfig.hinting.style` controls the hint style; it is "full"
  by default.
* User configurations can be disabled system-wide by setting
  `fonts.fontconfig.includeUserConf = false`. They are enabled by
  default so users can set Fontconfig options in the desktop environment
  of their choice.
2014-12-08 10:55:23 -06:00
Antoine R. Dumont
da47d6bd59 Improve readability - from https://github.com/NixOS/nixpkgs/pull/5058#discussion_r21043552 2014-11-30 15:19:30 +01:00
Antoine R. Dumont
3c7e779602 Introduce a dedicated networking.proxy option
Following the discussion NixOS#5021:
- obsolete the nix.proxy option
- add the networking.proxy option
- open a default no_proxy environment variable
- add a rsync option
- Manual tests ok.
- Automatic tests ok.

Amended by lethalman to simplify the option descriptions.
2014-11-30 15:19:25 +01:00
William A. Kennington III
1860ee27b0 nixos/networking: Fixes 2014-11-26 16:29:24 -08:00
William A. Kennington III
c234e7b115 nixos/networking: Rebuild resolvconf during activation
This is needed when /etc/resolv.conf is being overriden by networkd
and other configurations. If the file is destroyed by an environment
activation then it must be rebuilt so that applications which interface
with /etc/resolv.conf directly don't break.
2014-11-26 11:22:02 -08:00
William A. Kennington III
8cffa37787 networkd: Support Host Resolvconf 2014-11-26 11:22:02 -08:00
William A. Kennington III
a332c4eac5 systemd: Enable more network services 2014-11-26 11:22:02 -08:00
Luca Bruno
6af0d6974f Merge branch 'master' into staging 2014-11-10 10:03:52 +01:00
Rüdiger Sonderfeld
fa1cec1037 update-users-groups.pl: Use UTF-8 instead of latin1.
Perl seems to write the file in latin1 independent of the actual input
encoding.  This can corrupt the "description" field of /etc/passwd.  By
setting "binmode" to ":utf8" Perl can be forced to write UTF-8.  Ideally
the program would simply read/write the fields by value without any
changes in encoding.  However, assuming/enforcing UTF-8 is a lot better
than using an obsolete coding like latin1.
2014-11-08 19:25:17 +01:00
Vladimír Čunát
52404a868d Merge recent master into staging
Nixpkgs Hydra: ?compare=1157272

TODO: port e22889064f

Conflicts:
	nixos/tests/gnome3_10.nix (auto-solved)
	pkgs/applications/video/aegisub/default.nix
	pkgs/development/libraries/boost/1.55.nix
2014-11-05 15:00:44 +01:00
Vladimír Čunát
c0e2aceef4 fontconfig: patch and document 2014-11-05 12:12:30 +01:00
Eelco Dolstra
f496c3cbe4 Obsolete security.initialPassword
You can now set users.extraUsers.root.initialHashedPassword instead.
2014-11-03 12:36:56 +01:00
Eelco Dolstra
f8f787b800 Handle initialPassword and initialHashedPassword for !mutableUsers
In this case, they're equivalent to setting ‘password’ and
‘hashedPassword’ (since there is no distinction between an initial and
non-initial user account state).
2014-11-03 12:32:32 +01:00
Eelco Dolstra
3696536115 Handle removing a password if mutableUsers = false 2014-11-03 12:32:27 +01:00
Eelco Dolstra
1b53a3fcb7 Add initialPassword and initialHashedPassword options
These are like password and hashedPassword, except that they only
apply when the user is initially created.
2014-11-03 12:32:19 +01:00
Peter Simons
a9c53037fa Merge remote-tracking branch 'origin/master' into staging. 2014-11-02 16:15:53 +01:00
Eelco Dolstra
a9f5e77e2f update-users-groups.pl: Generate hashed passwords internally
I.e. don't call "passwd" to update /etc/shadow from the "password"
option. This has the side-effect of not updating the password if
mutableUsers = true (since the code path for "hashedPassword" has a
check for mutableUsers).

Fixes #4747.
2014-10-31 17:42:09 +01:00
Eelco Dolstra
f4be4f5e54 Merge remote-tracking branch 'origin/master' into staging 2014-10-24 12:24:13 +02:00
Luca Bruno
0927405a37 fontconfig: update 2.10.2 -> 2.11.1. Close #4410, #2050 2014-10-23 10:40:26 +02:00
Longrin Wischnewski
a2c65d447f passwordFile: update description 2014-10-23 04:52:50 +02:00
Eelco Dolstra
09dc132e04 Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/development/libraries/poppler/default.nix
2014-10-16 15:16:50 +02:00
Domen Kožar
4941b96f0c eval fix 2014-10-07 21:46:15 +02:00
Eelco Dolstra
a85dcf4a00 Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/development/libraries/libav/default.nix
	pkgs/shells/bash/bash-4.2-patches.nix
	pkgs/stdenv/generic/default.nix
2014-10-07 00:09:37 +02:00
Vladimír Čunát
e4436ad841 FONTCONFIG_FILE: remove setters to /etc/fonts/fonts.conf
Any reasonably new version of fontconfig does search that path by default,
and setting this globally causes problems, as 2.10 and 2.11 need
incompatible configs.

Tested: slim+xfce desktop, chrootenv-ed steam.
I have no idea why we were setting the global variable;
e.g., neither Fedora nor Ubuntu does that.
2014-10-05 17:05:27 +02:00
Nathaniel Baxter
0c8ad65560 pulseaudio: Add support for 32bit alsa apps on 64bit systems. 2014-10-04 14:48:58 +02:00
Rickard Nilsson
a59df1e567 nixos: Add also group.members to group 2014-09-22 19:18:08 +02:00
Eelco Dolstra
91ec6e0d90 Merge remote-tracking branch 'origin/master' into staging 2014-09-18 22:28:35 +02:00
Eelco Dolstra
ec4f38c56f Manual: Remove some option defaults that refer to store paths
Option defaults should not refer to store paths, because they cause
the manual to be rebuilt gratuitously. It's especially bad to refer to
a highly variable path like a computed configuration file.
2014-09-18 16:21:26 +02:00
Vladimír Čunát
d957b4bd78 Merge recent master into staging
Hydra nixpkgs: ?compare=1151601
2014-09-13 21:48:29 +02:00
Eelco Dolstra
624efa4224 Support users-groups.json referring to store paths
Fixes #4016.
2014-09-10 11:50:45 +02:00
Eelco Dolstra
152ae27aac Merge remote-tracking branch 'origin/systemd-216' into staging 2014-09-08 13:53:33 +02:00
Eelco Dolstra
585983bc95 Merge remote-tracking branch 'origin/staging'
Conflicts:
	pkgs/applications/version-management/subversion/default.nix
2014-09-08 11:42:09 +02:00
Nicolas Pierron
becde6132b Replace environment.profileVariables by environment.profileRelativeEnvVars 2014-09-07 19:41:00 +02:00
Vladimír Čunát
06fea81c6e Merge recent master into staging
Hydra: ?compare=1150594
2014-09-06 16:52:45 +02:00
Eelco Dolstra
20be024d1b Fix subuid/subgid generation
I don't think we need to filter users with an unset uid, because
mkSubuidEntry/mkSubgidEntry don't references the uid.
2014-09-05 17:40:09 +02:00
Rickard Nilsson
66ee6e03e7 pulseaudio: Use group audio instead of pulse-access 2014-09-03 13:24:47 +02:00
Rickard Nilsson
56102642fa pulseaudio: Add pulse-access group, controlling access to the system-wide PA daemon 2014-09-03 10:25:36 +02:00
Eelco Dolstra
3d821c068a Merge remote-tracking branch 'origin/master' into systemd-216 2014-09-02 14:43:27 +02:00
Peter Simons
1c0d15b90e Merge branch 'origin/master' into staging.
Conflicts:
	pkgs/development/libraries/ffmpeg/2.x.nix
	pkgs/development/libraries/serf/default.nix
2014-09-02 12:31:03 +02:00
Vladimir Still
5588ad472b vpnc: Fix building of system config. 2014-08-31 21:39:03 +02:00
Sam Griffin
ec8e4d23f1 cleanup per Lethalman's suggestions 2014-08-31 13:01:20 -04:00
Sam Griffin
0667d67c95 Adding vpnc configuration module 2014-08-31 12:44:13 -04:00
Vladimír Čunát
e51f73652d Merge recent master into staging
Hydra: ?compare=1149952

Conflicts:
	nixos/doc/manual/configuration.xml (changed split file)
	nixos/modules/config/users-groups.nix (choosing filterNull instead of inline definition)
	pkgs/development/libraries/readline/readline6.3.nix (auto-solved)
2014-08-30 10:04:02 +02:00
aszlig
e0e65cbf8e
nixos/users-groups: Fix eval on missing uid/gid.
This hopefully fixes a regression introduced by 08b214a.

In bf129a2, it was already fixed for normal uid/gid values and it got
reintroduced by sub-uid/gid-handling again, so I've refactored it a bit
into a filterNull function which takes care of also the filtering
introduced by bf129a2.

I have not tested this extensively, but master is already broken for
systems with `mutableUsers = true` and no uid values set.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-29 07:17:19 +02:00
Michael Raskin
844fd2553e Merge pull request #3745 from wkennington/master.dnsmasq
dnsmasq: Update and enable dbus support
2014-08-29 01:43:41 +04:00
Michael Raskin
e8badf3c3b Merge pull request #3275 from taku0/gtk-env
uim, gtk-exe-env, qt-plugin-env: Add input method modules for GTK+ and Qt
2014-08-29 01:35:38 +04:00
Michael Raskin
1fd14fa415 Merge pull request #3100 from tailhook/new-shadow
Upgrade "shadow" to 4.2.1
2014-08-29 00:42:57 +04:00
Paul Colomiets
adbb9ff796 dnsmasq: upgrade to 2.71, fixed dnsmasq module
* The module now has systemd config

* Add resolveLocalQueries option which sets up it as a dns server for
  local host (including reasonable setup of resolvconf)

* Add "dnsmasq" user for running daemon

* Enabled dbus and dnssec support for the package

Conflicts:
	nixos/modules/misc/ids.nix
2014-08-28 11:39:03 -07:00
aszlig
8a56a55bb4
nixos/manual: Use literalExample when feasible.
Should bring most of the examples into a better consistency regarding
syntactic representation in the manual.

Thanks to @devhell for reporting.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-27 23:41:15 +02:00
aszlig
9667a4067c
nixos: Use literalExample for systemPackages.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-27 22:44:56 +02:00
Eelco Dolstra
d2539605e1 Remove reference to icecat 2014-08-25 14:35:08 +02:00
Eelco Dolstra
d73025a5fe Enable systemd's mymachines NSS module
It makes every local container registered with machined resolvable.
2014-08-24 17:10:19 +02:00
Vladimír Čunát
d4e9fd2a90 Merge recent master into staging
Hydra: ?compare=1148749

Conflicts (easy):
	nixos/modules/virtualisation/containers.nix
2014-08-21 15:09:31 +02:00
Matej Cotman
f4b5cd9f3f use mkDefault on root's shell 2014-08-20 21:17:48 +02:00
Eelco Dolstra
6dc5db3850 Fix setting an empty password 2014-08-18 17:12:56 +02:00
Eelco Dolstra
a323d146b7 Add user attribute isNormalUser
This is shorthand for setting group, createHome, home, useDefaultShell
and isSystemUser.
2014-08-15 02:16:04 +02:00
Eelco Dolstra
1a75958be5 Unify mutableUsers = { true, false }
With mutableUsers = true, we now ensure that all users and groups that
were created declaratively, are updated or removed
appropriately. Thus, adding a user to users.extraUsers and then
removing it now causes the acoount to be removed from
/etc/passwd. Thus user/group management is fully congruent except that
users and groups that were created imperatively (via useradd/groupadd)
are not touched. We distinguish between declarative and imperative
users/groups by tracking the former in
/var/lib/nixos/declarative-{groups,users}.

With mutableUsers = false, you are now no longer required to specify
UIDs/GIDs for all users. The handling of mutableUsers = true/false is
the same code path; the only difference is that the "false" mode
ignores the existing contents of /etc/{passwd,group}.

The attribute ‘createUser’ is gone. It doesn't really make sense to
specify users that shouldn't be created.
2014-08-15 02:15:29 +02:00
Domen Kožar
cc8e4f6814 provide pulseaudioFull and set it as default to hardware.pulseaudio.package 2014-08-12 12:51:25 +02:00
Rickard Nilsson
a01862a4b6 nslcd nixos service: Should be wantedBy multi-user, otherwise not started if activated on running server (only starts on bootup) 2014-08-08 17:40:14 +02:00
Paul Colomiets
08b214a8f2 First implementation of subuid/subgid manipulation module 2014-08-01 21:27:20 +03:00
Paul Colomiets
496d12958e Add automatic plugin activation for vim 2014-07-15 14:59:15 +02:00
taku0
a0c91d66f1 uim, gtk-exe-env, qt-plugin-env: Add input method modules for GTK+ and Qt 2014-07-14 21:33:05 +09:00
Shea Levy
b3cfb9084b Get all lib functions from lib, not pkgs.lib, in modules 2014-07-02 12:28:18 -04:00
Michael Raskin
f2e9ebbd46 Merge pull request #2283 from wizeman/u/sysctl-merge
nixos: Fix sysctl option merging
2014-06-30 09:03:33 +04:00
Bjørn Forsman
4def9a762f nixos: add some missing '.' in option descriptions 2014-06-24 21:25:11 +02:00
Eelco Dolstra
13befa3979 Set session variables in the shell as well 2014-06-13 18:34:56 +02:00
Eelco Dolstra
f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables
This makes it clearer that they're part of PAM sessions.
2014-06-13 17:57:04 +02:00
Michael Raskin
dceda93bd0 Merge pull request #2543 from wizeman/u/zramswap
nixos: Add zram swap module
2014-06-12 13:01:29 +04:00
Eelco Dolstra
8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env""
This reverts commit 491c088731.
2014-06-10 13:07:10 +02:00
Eelco Dolstra
491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env"
This reverts commit 18a0cdd864.
2014-06-10 13:03:44 +02:00
Vladimír Čunát
18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Sönke Hahn
089b293019 better error message in case of missing uids 2014-05-28 20:12:53 +08:00
Eelco Dolstra
58226a7b06 Add type for fonts.fonts option 2014-05-22 14:20:23 +02:00
Eelco Dolstra
7fd13ddc66 Set TZDIR for all systemd services
This only matters if a service also overrides the $TZ variable.

Issue #2447.
2014-05-21 18:31:40 +02:00
Charles Strahan
5445132f73 fix -G delimiter in call to useradd 2014-05-17 00:45:16 -04:00
Eelco Dolstra
4fc151b5a3 nixos-install: Ask the user to set a root password
This removes the need to have an initially empty root password.
2014-05-09 00:52:02 +02:00
Ricardo M. Correia
cd1b48bc35 nixos: Add zram swap module
This allows you to use the Linux kernel's built-in compressed memory as
swap space functionality.

It is recommended to enable only for kernel 3.14 (which is when zram came out of
the staging drivers area) or higher.
2014-05-06 20:04:22 +02:00
Rob Vermaas
d056d1d37b Fix users.*.extraGroups for users.mutableUsers = true.
(cherry picked from commit eb222923054fdc895ab73ff5d0260c1e1fc689c7)
2014-05-05 15:35:16 +02:00
Eelco Dolstra
e6b5c0121f Obsolete fonts.extraFonts
You can now just set fonts.fonts, which will be merged with the
default value unless you use mkOverride.
2014-04-29 12:34:57 +02:00
Eelco Dolstra
d6c2dcd98c Remove redundant ~/.fonts element from the font search path 2014-04-29 12:27:03 +02:00
Eelco Dolstra
05468f9b78 Bring back the isSystemUser option 2014-04-29 10:43:38 +02:00
Eelco Dolstra
d4986b5fd3 Don't create world-readable swapfiles 2014-04-24 15:19:10 +02:00
Rickard Nilsson
cfa5b5778c pulseaudio module: Use pid-file for system-wide daemon, add loglevel option 2014-04-21 23:22:11 +02:00
Eelco Dolstra
4e8c2f0ff9 Merge branch 'systemd-update' 2014-04-20 19:31:01 +02:00
Eelco Dolstra
465d6ff572 Set $LOCALE_ARCHIVE in all systemd units
This variable used to be inherited implicitly from the stage-2 script,
but systemd now clears the environment. So we need to set it
explicitly.
2014-04-18 19:04:45 +02:00
Eelco Dolstra
ffedee6ed5 Start ssh-agent as a user unit
This has some advantages:

* You get ssh-agent regardless of how you logged in. Previously it was
  only started for X11 sessions.

* All sessions of a user share the same agent. So if you added a key
  on tty1, it will also be available on tty2.

* Systemd will restart ssh-agent if it dies.

* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
  more secure than /tmp.

For bonus points, we should patch ssh-agent to support socket-based
activation...
2014-04-18 00:45:26 +02:00
Eelco Dolstra
179acfb664 Allow upstream systemd units to be extended
If you define a unit, and either systemd or a package in
systemd.packages already provides that unit, then we now generate a
file /etc/systemd/system/<unit>.d/overrides.conf. This makes it
possible to use upstream units, while allowing them to be customised
from the NixOS configuration. For instance, the module nix-daemon.nix
now uses the units provided by the Nix package. And all unit
definitions that duplicated upstream systemd units are finally gone.

This makes the baseUnit option unnecessary, so I've removed it.
2014-04-17 18:52:31 +02:00
Domen Kožar
3a9f28ee08 Merge pull request #2185 from lethalman/gnome3
tracker, licenses.cc-by-30, gnome-user-docs, upgrade sushi, gnome-keyring service, gnome-user-share, gnome-tweak-tool, gnome-shell-extensions, xdg-user-dirs
2014-04-16 18:08:00 +02:00
Eelco Dolstra
150d3b0095 no-x-libs.nix: Disable su xauth forwarding, and X11 dependency in dbus 2014-04-16 16:58:06 +02:00
William A. Kennington III
dd209e901c cpu-freq: Use cpupower instead of cpufrequtils
Additionally, put the powersave utility in charge of loading the
cpufrequency modules based on the governor specified in the
configuration.
2014-04-16 01:10:26 +02:00
Ricardo M. Correia
d8b21c2224 nixos: Fix sysctl option merging
Using pkgs.lib.mkOverride in a sysctl option would throw a bogus error.

Also, if you defined a sysctl multiple times in the same configuration,
only one of the values would be picked up, while the others were silently
discarded.

This patch should fix both issues. If you define a sysctl multiple
times at your highest defined priority level, you will get a proper
error with detailed location information.
2014-04-15 21:52:04 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Luca Bruno
add4977a91 system-path, gnome3: run update-desktop-database to create the mime cache
This allows programs such as yelp to handle help:// protocol schemas
2014-04-14 09:58:03 +02:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Rickard Nilsson
604306c34a Don't add users if createUser is false 2014-04-08 12:36:03 +02:00
Rickard Nilsson
bf129a2c23 Allow undefined uids and gids when mutableUsers = true
Groups and users without gid/uid are created with
useradd/groupadd after the passwd/group merge phase
if mutableUsers = true.

This should fix #2114.
2014-04-06 12:42:55 +02:00
William A. Kennington III
28ab3acb58 su: Make the su package a provider of only the su binary
Additionally, provide su with the base system and remove su from the
util-linux package as it is now provided by shadow.
2014-04-05 16:01:52 -05:00
ambrop7@gmail.com
49768ca8ff power-management: Don't enable acpid.
Running acpid along with systemd will cause double handling of acpi events.
2014-03-15 12:17:00 +01:00
Domen Kožar
bb7fe59b80 Merge pull request #1767 from the-kenny/fix-consoleKeyMap-type
i18n.consoleKeyMap: Accept string or path.
2014-03-08 18:04:55 +01:00
Domen Kožar
97a0dd9eb9 nixos: set all package options to have type package 2014-02-27 13:22:29 +01:00
Moritz Ulrich
958df8b9d1 i18n.consoleKeyMap: Accept string or path.
i18n.consoleKeyMap maps to KEYMAP=... in vconsole.conf and `loadkeymap'
in stage1. Both of these accept paths to a keymap file in addition to
a string containing the name of the keymap.

With this commit, it's possible to use your own keymap via:

i18n.consoleKeyMap = ./path/to/something.kmap
2014-02-17 20:46:33 +01:00
Shea Levy
abf901484c Allow directly setting hashedPassword for root 2014-02-16 07:33:07 -05:00
Shea Levy
80cc2697b1 user-groups: Sidestep all password escaping issues
Now passwords are written to a file first
2014-02-10 10:12:34 -05:00
Thomas Tuegel
3dc6168b31 Properly escape passwords sent to chpasswd
The mutableUsers feature uses `chpasswd` to set users passwords.
Passwords and their hashes were being piped into the program using
double quotes ("") to escape. This causes any `$` characters to be
expanded as shell variables. This is a serious problem because all the
password hash methods besides DES use multiple `$` in the hashes. Single
quotes ('') should be used instead to prevent shell variable expansion.
2014-02-10 08:16:22 -06:00
Shea Levy
e058de1642 Add option to enforce uniqueness of uids/gids (on by default)
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-07 09:57:28 -05:00
Rickard Nilsson
72ba2bf126 Add description to group.members option 2014-02-05 15:56:51 +01:00
Rickard Nilsson
0b92ad02c8 Re-introduce security.initialRootPassword, and add a new option users.extraUsers.<user>.hashedPassword 2014-02-05 15:56:51 +01:00
Rickard Nilsson
eb2f44c18c Generate /etc/passwd and /etc/group at build time
This is a rather large commit that switches user/group creation from using
useradd/groupadd on activation to just generating the contents of /etc/passwd
and /etc/group, and then on activation merging the generated files with the
files that exist in the system. This makes the user activation process much
cleaner, in my opinion.

The users.extraUsers.<user>.uid and users.extraGroups.<group>.gid must all be
properly defined (if <user>.createUser is true, which it is by default). My
pull request adds a lot of uids/gids to config.ids to solve this problem for
existing nixos services, but there might be configurations that break because
this change. However, this will be discovered during the build.

Option changes introduced by this commit:

* Remove the options <user>.isSystemUser and <user>.isAlias since
they don't make sense when generating /etc/passwd statically.

* Add <group>.members as a complement to <user>.extraGroups.

* Add <user>.passwordFile for setting a user's password from an encrypted
(shadow-style) file.

* Add users.mutableUsers which is true by default. This means you can keep
managing your users as previously, by using useradd/groupadd manually. This is
accomplished by merging the generated passwd/group file with the existing files
in /etc on system activation. The merging of the files is simplistic. It just
looks at the user/group names. If a user/group exists both on the system and
in the generated files, the system entry will be kept un-changed and the
generated entries will be ignored. The merging itself is performed with the
help of vipw/vigr to properly lock the account files during edit.
If mutableUsers is set to false, the generated passwd and group files will not
be merged with the system files on activation. Instead they will simply replace
the system files, and overwrite any changes done on the running system. The
same logic holds for user password, if the <user>.password or
<user>.passwordFile options are used. If mutableUsers is false, password will
simply be replaced on activation. If true, the initial user passwords will be
set according to the configuration, but existing passwords will not be touched.

I have tested this on a couple of different systems and it seems to work fine
so far. If you think this is a good idea, please test it. This way of adding
local users has been discussed in issue #103 (and this commit solves that
issue).
2014-02-05 15:56:51 +01:00
Eelco Dolstra
c32d0180e4 Don't set $TZ
Now that Java is happy with our /etc/localtime, there is no reason to
set $TZ anymore.  (See 945849b86f, 279248f6c5, 1b5e860f65607b4cc7de4b6b5db95460cf144526.)

Fixes #1463.
2014-01-06 18:27:07 +01:00
Eelco Dolstra
1b5e860f65 Make /etc/localtime a direct symlink to the zoneinfo file
Some programs (notably the Java Runtime Environment) expect to be able
to extract the name of the time zone from the target of the
/etc/localtime symlink.  That doesn't work if /etc/localtime is a
symlink to /etc/static/localtime.  So make it a direct symlink.
2014-01-06 18:23:41 +01:00
Eelco Dolstra
2b1f212494 Disable various services when running inside a container 2013-11-26 18:19:45 +01:00
Eelco Dolstra
785eaf2cea Add some primops to lib 2013-11-12 13:48:30 +01:00
Bjørn Forsman
dc352536a8 nixos: capitalize a bunch of service descriptions
(systemd service descriptions that is, not service descriptions in "man
configuration.nix".)

Capitalizing each word in the description seems to be the accepted
standard.

Also shorten these descriptions:
 * "Munin node, the agent process" => "Munin Node"
 * "Planet Venus, an awesome ‘river of news’ feed reader" => "Planet Venus Feed Reader"
2013-11-09 20:45:50 +01:00
Eelco Dolstra
20093751ec Print a reminder to users to set or disable the root password 2013-11-01 15:04:21 +01:00
Eelco Dolstra
4ba7dfde5b Don't set an initial null root password for Amazon / VirtualBox images
A null password allows logging into local PAM services such as "login"
(agetty) and KDM.  That's not actually a security problem for EC2
machines, since they do not have "local" logins; for VirtualBox
machines, if you local access, you can do anything anyway.  But it's
better to be on the safe side and disable password-based logins for
root.
2013-11-01 15:04:21 +01:00
Eelco Dolstra
a840dae935 Improve description of the users.extraUsers.*.description option
Fixes NixOS/nixos#278.
2013-10-31 08:43:10 +01:00
Eelco Dolstra
f3cdf9b477 Make update-mime-database less verbose 2013-10-30 18:47:44 +01:00
Eelco Dolstra
408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra
70a2c54527 Strictly check the arguments to mkOption
And fix various instances of bad arguments.
2013-10-30 15:35:09 +01:00
Eelco Dolstra
800f9c2037 Show correct position info for errors in submodules
E.g.

  The unique option `fileSystems./.device' is defined multiple times, in `/etc/nixos/configuration.nix' and `/etc/nixos/foo.nix'.

This requires passing file/value tuples to the merge functions.
2013-10-30 14:57:43 +01:00
Eelco Dolstra
4680af6a93 Add some option types 2013-10-30 14:57:42 +01:00
Eelco Dolstra
862e3dd977 Substitute "types.uniq types.string" -> "types.str" 2013-10-30 14:57:42 +01:00
Eelco Dolstra
73f32d0375 Show precise error messages in option merge failures
For instance, if time.timeZone is defined multiple times, you now get
the error message:

  error: user-thrown exception: The unique option `time.timeZone' is defined multiple times, in `/etc/nixos/configurations/misc/eelco/x11vnc.nix' and `/etc/nixos/configuration.nix'.

while previously you got:

  error: user-thrown exception: Multiple definitions of string. Only one is allowed for this option.

and only an inspection of the stack trace gave a clue as to what
option caused the problem.
2013-10-28 22:45:57 +01:00
Eelco Dolstra
e28ea1239f Fix evaluation of environment.variables 2013-10-28 22:45:57 +01:00
Eelco Dolstra
259f7a93b1 Rename environment.nix -> nix.package 2013-10-28 22:45:57 +01:00
Eelco Dolstra
d5047faede Remove uses of the "merge" option attribute
It's redundant because you can (and should) specify an option type, or
an apply function.
2013-10-28 22:45:56 +01:00
Eelco Dolstra
0e333688ce Big cleanup of the NixOS module system
The major changes are:

* The evaluation is now driven by the declared options.  In
  particular, this fixes the long-standing problem with lack of
  laziness of disabled option definitions.  Thus, a configuration like

    config = mkIf false {
      environment.systemPackages = throw "bla";
    };

  will now evaluate without throwing an error.  This also improves
  performance since we're not evaluating unused option definitions.

* The implementation of properties is greatly simplified.

* There is a new type constructor "submodule" that replaces
  "optionSet".  Unlike "optionSet", "submodule" gets its option
  declarations as an argument, making it more like "listOf" and other
  type constructors.  A typical use is:

    foo = mkOption {
      type = type.attrsOf (type.submodule (
        { config, ... }:
        { bar = mkOption { ... };
          xyzzy = mkOption { ... };
        }));
    };

  Existing uses of "optionSet" are automatically mapped to
  "submodule".

* Modules are now checked for unsupported attributes: you get an error
  if a module contains an attribute other than "config", "options" or
  "imports".

* The new implementation is faster and uses much less memory.
2013-10-28 22:45:55 +01:00
Eelco Dolstra
5b8c4d2a7d Get rid of the only use of mkNotdef 2013-10-28 22:45:54 +01:00
Eelco Dolstra
29014a47fb Allow options to be marked as "internal"
This means they're not for end users.  Currently they're filtered from
the manual, but we could include them in a separate section.
2013-10-23 20:08:21 +02:00
Eelco Dolstra
441dcd68d8 Get rid of special-casing of system.path in the manual generation 2013-10-23 20:08:21 +02:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00