Commit graph

135 commits

Author SHA1 Message Date
Peter Simons 1103ba84fd modules/misc/ids.nix: patch tcpcrypt to use our uid
The default uid 666 exceeds SYS_UID_MAX (499), so it might not be available
anyway.
2013-09-11 18:58:37 +02:00
Peter Simons b6501c0097 modules/misc/ids.nix: add a comment explaining why tcpcryptd has uid 666. 2013-09-11 11:09:30 +02:00
Peter Simons 0afcc637d7 Add support for opportunistic TCP encryption.
Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption
based on the user-space tools available from <http://tcpcrypt.org>.

Network attackers come in two varieties: passive and active (man-in-the-middle).
Passive attacks are much simpler to execute because they just require listening
on the network. Active attacks are much harder as they require listening and
modifying network traffic, often requiring very precise timing that can make
some attacks impractical.

Opportunistic encryption cannot protect against active attackers, but it *does*
protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to
stop active attacks, too, if the application using it performs authentication.

A complete description of the protocol extension can be found at
<http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>.
2013-09-10 23:32:55 +02:00
Eelco Dolstra 17457297cb Update all legacy-style modules
I.e., modules that use "require = [options]".  Nowadays that should be
written as

  {
    options = { ... };
    config = { ... };
  };

Also, use "imports" instead of "require" in places where we actually
import another module.
2013-09-04 13:05:09 +02:00
Domen Kožar e45e62e078 merge 2013-08-30 18:05:08 +02:00
Jaka Hudoklin c613ae7b82 Add elasticsearch, a powerful open source search and analytics engine 2013-08-27 20:42:59 +02:00
Rickard Nilsson b0b5e08e86 Add some more missing uids/gids 2013-08-26 15:20:25 +02:00
Rickard Nilsson f420726936 Add several missing uids and gids to modules/misc/ids.nix 2013-08-23 11:37:17 +02:00
Jaka Hudoklin 5894f26c81 Add statsd, simple daemon for easy stats aggregation 2013-08-21 11:52:25 +02:00
Domen Kožar 6004b28af8 merge 2013-08-19 09:06:31 +02:00
Rickard Nilsson d1095e1bd4 Add libvirtd gid 2013-08-16 00:47:21 +02:00
Eelco Dolstra 14315b81b1 Add /media and /run to the filesystems ignored by updatedb 2013-08-14 03:07:36 +02:00
Eelco Dolstra ce866184c6 Update the locate database using a systemd service
This makes it easier to update the database manually ("systemctl start
update-locatedb").

Also, use modern module syntax.
2013-08-14 02:58:55 +02:00
Jaka Hudoklin b244a47185 Add graphite, scalable realtime graphing service 2013-08-11 12:16:19 +02:00
Ivan Kozik 390fdb3e60 Fix typos, especially those that end up in the NixOS manual 2013-08-10 21:07:13 +00:00
Jaka Hudoklin d0cb70cefb Add iodined, ip over dns daemon 2013-08-05 01:20:55 +02:00
Cillian de Róiste 41e04c9aff Merge branch 'supybot'
Conflicts:
	modules/misc/ids.nix
2013-08-04 03:59:18 +02:00
Cillian de Róiste 5b25c5a181 supybot.service: tidy up 2013-08-04 03:56:01 +02:00
Cillian de Róiste 90554a03c7 Supybot/limnoria: add service module 2013-08-01 00:36:15 +02:00
Rickard Nilsson 3ca7d7b291 Add OpenSMTPD service option 2013-07-30 10:20:56 +02:00
Eelco Dolstra c52fd85990 Set permissions on /var/log/journal properly
This makes the system journal readable by users in the
systemd-journal, wheel and adm groups.  It also allows users to read
their own journals.

Note that this doesn't change the permissions of existing journals.
2013-07-19 21:18:44 +02:00
Eelco Dolstra a6aba08d35 Bump the NixOS version number to 13.07
This is in preparation of making a stable release/branch.  The version
number is <YY>.<MM>, Ubuntu style, denoting the intended release
year/month.  It also has a release codename ("Aardvark").
2013-07-17 13:34:40 +02:00
Ricardo M. Correia 02d9a8066a Add chrony service
Also, do not build and add ntp to the system unless it is enabled.
2013-05-23 02:07:49 +00:00
Russell O'Connor 76b7dea805 Make nginx uid and gid optional. 2013-05-06 10:49:23 -04:00
Lluís Batlle i Rossell f50014339a Putting the gnunet module up to date. It still doesn't start gnunet though.
No idea why.
2013-04-24 19:03:29 +04:00
Eelco Dolstra f290808509 Set some missing types 2013-01-16 15:03:54 +01:00
Eelco Dolstra b35fe01f02 Set the NixOS version to something useful when building from Git 2013-01-16 14:40:41 +01:00
Eelco Dolstra 5437424297 Hackery to build against both the nixpkgs master and systemd branch 2012-12-13 15:04:09 +01:00
Eelco Dolstra 97ae408e83 Merge remote-tracking branch 'origin/master' into systemd 2012-12-11 17:40:39 +01:00
Eelco Dolstra 3224ea8a1e Don't require nixUnstable 2012-12-11 13:14:33 +01:00
Evgeny Egorochkin 860cbf7890 scanner support: create scanner group. Users need to be in this group to access scanners. 2012-12-06 02:59:34 +02:00
Eelco Dolstra b1da38f564 Merge remote-tracking branch 'origin/master' into systemd 2012-11-30 16:12:04 +01:00
Lluís Batlle i Rossell a9e5d1ab50 Changing the kernel parameters for crashump
I think that these enable more checks, and make more NMIs happen.
2012-11-29 11:27:33 +01:00
Rickard Nilsson 611ebeb1d0 Add nslcd (nss-pam-ldapd) uid and gid 2012-11-20 16:39:45 +01:00
Eelco Dolstra 35922e61d9 Systemd requires the latest Nix 2012-11-15 22:55:36 +01:00
Eelco Dolstra 3ad370ae0a Merge remote-tracking branch 'origin/master' into systemd
Conflicts:
	modules/misc/ids.nix
	modules/services/mail/postfix.nix
	modules/services/system/nscd.nix
	modules/services/x11/desktop-managers/xfce.nix
	modules/system/boot/stage-1.nix
2012-09-28 11:35:27 -04:00
Eelco Dolstra 1084a8e0de Add "adm" group from the systemd branch to prevent constant collisions 2012-09-28 11:14:33 -04:00
Peter Simons 6f052ee62e spamassassin: use virtual user home directories under /var/lib/spamassassin to avoid permission problems
When spamd isn't running as 'root', it cannot access the usual ~/.spamassassin
path where user-specific files normally reside. Instead, we use the path
/var/lib/spamassassin-<user> to store those home directories.
2012-09-28 00:06:52 +02:00
Rickard Nilsson 65c1c6525b network-manager: Big overhaul
* Add group 'networkmanager' and implement polkit configuration
    that allows users in this group to make persistent, system-wide
    changes to NetworkManager settings.

  * Add support for ModemManager. 3G modems should work out of the
    box now (it does for me...). This introduces a dependency on
    pkgs.modemmanager.

  * Write NetworkManger config file to Nix store, and let the
    daemon use it from there.
2012-09-27 09:26:07 +02:00
Eelco Dolstra aac6fe44b6 Merge branch 'master' of github.com:NixOS/nixos into systemd 2012-09-11 10:58:57 -04:00
Peter Simons 51e58dafca spamassassin: use a dedicated user for running spamd 2012-08-28 16:27:28 +02:00
Eelco Dolstra cce6e48edf Don't use consolekit anywhere 2012-08-23 10:25:15 -04:00
Eelco Dolstra c2da812bd0 Enable upower's systemd unit 2012-08-21 11:29:59 -04:00
Eelco Dolstra 08f14b33c1 Merge branch 'master' of github.com:NixOS/nixos into systemd 2012-08-20 11:27:38 -04:00
Eelco Dolstra 5408f1ebcd Build slim without consolekit 2012-08-20 11:11:25 -04:00
Eelco Dolstra 36f5c97b49 Use systemd-udevd instead of udevd 2012-08-16 16:34:49 -04:00
Eelco Dolstra be5486813b Add an "adm" group
Journald will chown all journal files to the adm group so that users
in that group can run "journalctl".
2012-08-10 15:25:04 -04:00
Eelco Dolstra d5d8acfacd Assign uid/gid 54 to wwwrun 2012-08-03 11:05:25 -04:00
Eelco Dolstra 0a0c28f812 Revert "Add services.httpd.fixUidAndGid option to assign reliable numeric UID and GID for the Apache user."
This reverts commit 0ef085d58a.
2012-08-03 10:52:53 -04:00
Peter Simons 0ef085d58a Add services.httpd.fixUidAndGid option to assign reliable numeric UID and GID for the Apache user.
The option is disabled by default so that previously existing installations
aren't affected.

If you'd like to migrate to the fixed numeric id for Apache, set "fixUidAndGid
= true", edit the file "/etc/groups" and replace the old GID value with 54.
(NixOS can't do that for you because it refuses to change a GID that identifies
the primary group of a user.) Then run

  find / -xdev -uid $oldUID -exec chown 54 {} +
  find / -xdev -gid $oldGID -exec chgrp 54 {} +

to update ownership of all files that are supposed to be owned by Apache.
2012-08-03 16:39:55 +02:00