2009-01-02 17:06:46 +01:00
|
|
|
# this file contains all extendable options originally defined in system.nix
|
2009-01-02 17:07:24 +01:00
|
|
|
# TODO: split it to make it readable.
|
2009-01-02 17:06:46 +01:00
|
|
|
{pkgs, config, ...}:
|
|
|
|
|
2009-01-02 17:06:52 +01:00
|
|
|
###### interface
|
|
|
|
let
|
|
|
|
inherit (pkgs.lib) mkOption;
|
|
|
|
|
|
|
|
option = {
|
|
|
|
system = {
|
|
|
|
build = mkOption {
|
|
|
|
default = {};
|
|
|
|
description = ''
|
|
|
|
Attribute set of derivation used to setup the system. The system
|
|
|
|
is built by aggregating all derivations.
|
|
|
|
'';
|
|
|
|
apply = components: components // {
|
|
|
|
# all components have to build directories
|
|
|
|
result = pkgs.buildEnv {
|
|
|
|
name = "system";
|
|
|
|
paths = pkgs.lib.mapRecordFlatten (n: v: v) components;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
shell = mkOption {
|
|
|
|
default = "/var/run/current-system/sw/bin/bash";
|
|
|
|
description = ''
|
|
|
|
You should not redefine this option unless you want to change the
|
|
|
|
bash version for security issues.
|
|
|
|
'';
|
|
|
|
merge = list:
|
|
|
|
assert list != [] && builtins.tail list == [];
|
|
|
|
builtins.head list;
|
|
|
|
};
|
|
|
|
|
|
|
|
wrapperDir = mkOption {
|
|
|
|
default = "/var/setuid-wrappers";
|
|
|
|
description = ''
|
|
|
|
You should not redefine this option unless you want to change the
|
|
|
|
path for security issues.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
overridePath = mkOption {
|
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
You should not redefine this option unless you have trouble with a
|
|
|
|
package define in <varname>path</varname>.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
path = mkOption {
|
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
The packages you want in the boot environment.
|
|
|
|
'';
|
|
|
|
apply = list: pkgs.buildEnv {
|
|
|
|
name = "system-path";
|
|
|
|
paths = config.system.overridePath ++ list;
|
|
|
|
|
|
|
|
# Note: We need `/lib' to be among `pathsToLink' for NSS modules
|
|
|
|
# to work.
|
|
|
|
inherit (config.environment) pathsToLink;
|
|
|
|
|
|
|
|
ignoreCollisions = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
in
|
|
|
|
|
|
|
|
###### implementation
|
2009-01-02 17:06:46 +01:00
|
|
|
let
|
|
|
|
inherit (pkgs.stringsWithDeps) noDepEntry FullDepEntry PackEntry;
|
2009-01-02 17:07:24 +01:00
|
|
|
inherit (pkgs.lib) mapRecordFlatten;
|
2009-01-02 17:06:46 +01:00
|
|
|
|
|
|
|
activateLib = config.system.activationScripts.lib;
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
require = [
|
2009-01-02 17:06:52 +01:00
|
|
|
option
|
|
|
|
|
2009-01-02 17:06:46 +01:00
|
|
|
# config.system.activationScripts
|
|
|
|
(import ../system/activate-configuration.nix)
|
|
|
|
];
|
|
|
|
|
|
|
|
system = {
|
2009-01-02 20:41:39 +01:00
|
|
|
build = {
|
|
|
|
binsh = pkgs.bashInteractive;
|
|
|
|
};
|
|
|
|
|
2009-01-02 17:06:46 +01:00
|
|
|
activationScripts = {
|
|
|
|
systemConfig = noDepEntry ''
|
|
|
|
systemConfig="$1"
|
|
|
|
if test -z "$systemConfig"; then
|
|
|
|
systemConfig="/system" # for the installation CD
|
|
|
|
fi
|
|
|
|
'';
|
|
|
|
|
|
|
|
defaultPath =
|
|
|
|
let path = [
|
|
|
|
pkgs.coreutils pkgs.gnugrep pkgs.findutils
|
|
|
|
pkgs.glibc # needed for getent
|
2009-04-28 15:42:43 +02:00
|
|
|
pkgs.glibcLocals # needed for getent
|
2009-01-02 17:06:46 +01:00
|
|
|
pkgs.pwdutils
|
|
|
|
]; in noDepEntry ''
|
|
|
|
export PATH=/empty
|
|
|
|
for i in ${toString path}; do
|
|
|
|
PATH=$PATH:$i/bin:$i/sbin;
|
|
|
|
done
|
|
|
|
'';
|
|
|
|
|
|
|
|
stdio = FullDepEntry ''
|
|
|
|
# Needed by some programs.
|
|
|
|
ln -sfn /proc/self/fd /dev/fd
|
|
|
|
ln -sfn /proc/self/fd/0 /dev/stdin
|
|
|
|
ln -sfn /proc/self/fd/1 /dev/stdout
|
|
|
|
ln -sfn /proc/self/fd/2 /dev/stderr
|
|
|
|
'' [
|
|
|
|
activateLib.defaultPath # path to ln
|
|
|
|
];
|
2009-01-02 17:06:56 +01:00
|
|
|
|
|
|
|
binsh = FullDepEntry ''
|
|
|
|
# Create the required /bin/sh symlink; otherwise lots of things
|
|
|
|
# (notably the system() function) won't work.
|
|
|
|
mkdir -m 0755 -p $mountPoint/bin
|
2009-01-02 20:41:39 +01:00
|
|
|
ln -sfn ${config.system.build.binsh}/bin/sh $mountPoint/bin/sh
|
2009-01-02 17:06:56 +01:00
|
|
|
'' [
|
|
|
|
activateLib.defaultPath # path to ln & mkdir
|
|
|
|
activateLib.stdio # ?
|
|
|
|
];
|
|
|
|
|
|
|
|
modprobe = FullDepEntry ''
|
|
|
|
# Allow the kernel to find our wrapped modprobe (which searches in the
|
|
|
|
# right location in the Nix store for kernel modules). We need this
|
|
|
|
# when the kernel (or some module) auto-loads a module.
|
|
|
|
# !!! maybe this should only happen at boot time, since we shouldn't
|
|
|
|
# use modules that don't match the running kernel.
|
2009-01-02 17:07:24 +01:00
|
|
|
echo ${config.system.sbin.modprobe}/sbin/modprobe > /proc/sys/kernel/modprobe
|
2009-01-02 17:06:56 +01:00
|
|
|
'' [
|
|
|
|
# ?
|
|
|
|
];
|
|
|
|
|
|
|
|
var = FullDepEntry ''
|
|
|
|
# Various log/runtime directories.
|
|
|
|
mkdir -m 0755 -p /var/run
|
|
|
|
mkdir -m 0755 -p /var/run/console # for pam_console
|
|
|
|
|
|
|
|
touch /var/run/utmp # must exist
|
|
|
|
chmod 644 /var/run/utmp
|
|
|
|
|
|
|
|
mkdir -m 0755 -p /var/run/nix/current-load # for distributed builds
|
|
|
|
mkdir -m 0700 -p /var/run/nix/remote-stores
|
|
|
|
|
|
|
|
mkdir -m 0755 -p /var/log
|
|
|
|
|
|
|
|
touch /var/log/wtmp # must exist
|
|
|
|
chmod 644 /var/log/wtmp
|
|
|
|
|
|
|
|
touch /var/log/lastlog
|
|
|
|
chmod 644 /var/log/lastlog
|
|
|
|
|
|
|
|
mkdir -m 1777 -p /var/tmp
|
|
|
|
|
|
|
|
|
|
|
|
# Empty, read-only home directory of many system accounts.
|
|
|
|
mkdir -m 0555 -p /var/empty
|
|
|
|
'' [
|
|
|
|
activateLib.defaultPath # path to mkdir & touch & chmod
|
|
|
|
];
|
|
|
|
|
|
|
|
rootPasswd = FullDepEntry ''
|
|
|
|
# If there is no password file yet, create a root account with an
|
|
|
|
# empty password.
|
|
|
|
if ! test -e /etc/passwd; then
|
|
|
|
rootHome=/root
|
|
|
|
touch /etc/passwd; chmod 0644 /etc/passwd
|
|
|
|
touch /etc/group; chmod 0644 /etc/group
|
|
|
|
touch /etc/shadow; chmod 0600 /etc/shadow
|
|
|
|
# Can't use useradd, since it complains that it doesn't know us
|
|
|
|
# (bootstrap problem!).
|
2009-01-02 17:07:24 +01:00
|
|
|
echo "root:x:0:0:System administrator:$rootHome:${config.system.shell}" >> /etc/passwd
|
2009-01-02 17:06:56 +01:00
|
|
|
echo "root::::::::" >> /etc/shadow
|
|
|
|
echo | passwd --stdin root
|
|
|
|
fi
|
|
|
|
'' [
|
|
|
|
activateLib.defaultPath # path to touch & passwd
|
|
|
|
activateLib.etc # for /etc
|
|
|
|
# ?
|
|
|
|
];
|
2009-01-02 17:07:05 +01:00
|
|
|
|
|
|
|
nix = FullDepEntry ''
|
|
|
|
# Set up Nix.
|
|
|
|
mkdir -p /nix/etc/nix
|
|
|
|
ln -sfn /etc/nix.conf /nix/etc/nix/nix.conf
|
|
|
|
chown root.nixbld /nix/store
|
|
|
|
chmod 1775 /nix/store
|
|
|
|
|
|
|
|
# Nix initialisation.
|
|
|
|
mkdir -m 0755 -p \
|
|
|
|
/nix/var/nix/gcroots \
|
|
|
|
/nix/var/nix/temproots \
|
|
|
|
/nix/var/nix/manifests \
|
|
|
|
/nix/var/nix/userpool \
|
|
|
|
/nix/var/nix/profiles \
|
|
|
|
/nix/var/nix/db \
|
|
|
|
/nix/var/log/nix/drvs \
|
|
|
|
/nix/var/nix/channel-cache \
|
|
|
|
/nix/var/nix/chroots
|
|
|
|
mkdir -m 1777 -p /nix/var/nix/gcroots/per-user
|
|
|
|
mkdir -m 1777 -p /nix/var/nix/profiles/per-user
|
|
|
|
|
|
|
|
ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
|
|
|
|
ln -sf /nix/var/nix/manifests /nix/var/nix/gcroots/
|
|
|
|
'' [
|
|
|
|
activateLib.defaultPath
|
|
|
|
activateLib.etc # /etc/nix.conf
|
|
|
|
activateLib.users # nixbld group
|
|
|
|
];
|
2009-01-02 17:07:24 +01:00
|
|
|
|
|
|
|
path = FullDepEntry ''
|
|
|
|
PATH=${config.system.path}/bin:${config.system.path}/sbin:$PATH
|
|
|
|
'' [
|
|
|
|
activateLib.defaultPath
|
|
|
|
];
|
|
|
|
|
|
|
|
setuid =
|
|
|
|
let
|
|
|
|
setuidPrograms = builtins.toString (
|
|
|
|
config.security.setuidPrograms ++
|
|
|
|
config.security.extraSetuidPrograms ++
|
|
|
|
map (x: x.program) config.security.setuidOwners
|
|
|
|
);
|
|
|
|
|
|
|
|
adjustSetuidOwner = pkgs.lib.concatStrings (map
|
|
|
|
(_entry: let entry = {
|
|
|
|
owner = "nobody";
|
|
|
|
group = "nogroup";
|
|
|
|
setuid = false;
|
|
|
|
setgid = false;
|
|
|
|
} //_entry; in
|
|
|
|
''
|
|
|
|
chown ${entry.owner}.${entry.group} $wrapperDir/${entry.program}
|
|
|
|
chmod u${if entry.setuid then "+" else "-"}s $wrapperDir/${entry.program}
|
|
|
|
chmod g${if entry.setgid then "+" else "-"}s $wrapperDir/${entry.program}
|
|
|
|
'')
|
|
|
|
config.security.setuidOwners);
|
|
|
|
|
|
|
|
in FullDepEntry ''
|
|
|
|
# Make a few setuid programs work.
|
|
|
|
save_PATH="$PATH"
|
|
|
|
|
|
|
|
# Add the default profile to the search path for setuid executables.
|
|
|
|
PATH="/nix/var/nix/profiles/default/sbin:$PATH"
|
|
|
|
PATH="/nix/var/nix/profiles/default/bin:$PATH"
|
|
|
|
|
|
|
|
wrapperDir=${config.system.wrapperDir}
|
|
|
|
if test -d $wrapperDir; then rm -f $wrapperDir/*; fi # */
|
|
|
|
mkdir -p $wrapperDir
|
|
|
|
for i in ${setuidPrograms}; do
|
|
|
|
program=$(type -tp $i)
|
|
|
|
if test -z "$program"; then
|
|
|
|
# XXX: It would be preferable to detect this problem before
|
|
|
|
# `activate-configuration' is invoked.
|
|
|
|
#echo "WARNING: No executable named \`$i' was found" >&2
|
|
|
|
#echo "WARNING: but \`$i' was specified as a setuid program." >&2
|
|
|
|
true
|
|
|
|
else
|
|
|
|
cp "$(type -tp setuid-wrapper)" $wrapperDir/$i
|
|
|
|
echo -n "$program" > $wrapperDir/$i.real
|
|
|
|
chown root.root $wrapperDir/$i
|
|
|
|
chmod 4755 $wrapperDir/$i
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
|
|
|
${adjustSetuidOwner}
|
|
|
|
|
|
|
|
PATH="$save_PATH"
|
|
|
|
'' [
|
|
|
|
activateLib.path
|
|
|
|
activateLib.users
|
|
|
|
];
|
|
|
|
|
|
|
|
hostname = FullDepEntry ''
|
|
|
|
# Set the host name. Don't clear it if it's not configured in the
|
|
|
|
# NixOS configuration, since it may have been set by dhclient in the
|
|
|
|
# meantime.
|
2009-01-25 16:48:35 +01:00
|
|
|
${if config.networking.hostName != "" then
|
2009-01-02 17:07:24 +01:00
|
|
|
''hostname "${config.networking.hostName}"''
|
|
|
|
else ''
|
|
|
|
# dhclient won't do anything if the hostname isn't empty.
|
|
|
|
if test "$(hostname)" = "(none)"; then
|
|
|
|
hostname ""
|
|
|
|
fi
|
|
|
|
''}
|
|
|
|
'' [
|
|
|
|
activateLib.path
|
|
|
|
];
|
|
|
|
|
|
|
|
# The activation have to be done at the end. Therefore, this entry
|
|
|
|
# depends on all scripts declared in the activation library.
|
|
|
|
activate = FullDepEntry ''
|
|
|
|
# Make this configuration the current configuration.
|
|
|
|
# The readlink is there to ensure that when $systemConfig = /system
|
|
|
|
# (which is a symlink to the store), /var/run/current-system is still
|
|
|
|
# used as a garbage collection root.
|
|
|
|
ln -sfn "$(readlink -f "$systemConfig")" /var/run/current-system
|
|
|
|
|
|
|
|
# Prevent the current configuration from being garbage-collected.
|
|
|
|
ln -sfn /var/run/current-system /nix/var/nix/gcroots/current-system
|
|
|
|
'' (mapRecordFlatten (a: v: v)
|
|
|
|
# should be removed if this does not cause an infinite recursion.
|
|
|
|
(activateLib // { activate = { text = ""; deps = []; }; })
|
|
|
|
);
|
2009-01-02 17:06:46 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|