Commit graph

437 commits

Author SHA1 Message Date
Domen Kožar 4b201b27bf gnome3: correctly place GIO_EXTRA_MODULES 2014-02-17 00:24:13 +01:00
Domen Kožar e24b01f615 desktop-manager.gnome3: add dconf support 2014-02-16 21:37:18 +01:00
Domen Kožar 0b5d523b84 redshift: default to string type for option brightness 2014-02-16 14:22:49 +01:00
Shea Levy abf901484c Allow directly setting hashedPassword for root 2014-02-16 07:33:07 -05:00
Petr Rockai 01d7e79eaf nixos: Make serial agetty's bitrates configurable. 2014-02-15 12:57:27 +01:00
Petr Rockai 42ce480a52 nixos: Try harder to get LVM-hosted filesystems up in stage1. 2014-02-15 12:57:17 +01:00
Domen Kožar 77750efc7e Merge pull request #1739 from ttonelli/master
Improvements to RedShift service
2014-02-15 10:33:45 +01:00
Thiago Tonelli Bartolomei 2dcf933817 adding wantedBy graphical.target 2014-02-14 09:48:19 -05:00
Shea Levy 48b8118f2c virtualbox-image.nix: initialRootPassword setting should be easily overrideable 2014-02-14 09:06:26 -05:00
Shea Levy c8f1a6ac1e Revert "Add nixosSubmodule option type"
Moving recent types work to a separate branch for now

This reverts commit ca1c5cfa8f.
2014-02-13 12:10:50 -05:00
Shea Levy 220654e205 Revert "Add heterogeneousAttrsOf option type"
Moving recent types work to a separate branch for now

This reverts commit 3f70dabad3.
2014-02-13 12:10:50 -05:00
Rickard Nilsson fc90a739ba networkmanager module: No need to start ModemManager explicitly, done by NM 2014-02-13 18:05:04 +01:00
Thiago Tonelli Bartolomei b5d17fe873 - adding brightness options
- setting options to be uniq
- using proper systemd exec service
2014-02-13 11:11:14 -05:00
Domen Kožar 85d38d1436 nginx: add appendConfig option with types.lines 2014-02-12 19:13:36 +01:00
Domen Kožar a49fbca134 Merge pull request #1730 from pSub/logcheck-uid
nixos: add uid for logcheck and only create a user for the default user
2014-02-12 16:10:35 +01:00
Shea Levy 8e97e38677 Reenable efi tests 2014-02-12 07:13:37 -05:00
Oliver Charles 625b42838a NetworkManager: Fix aliases and dependencies
There are two fixes in this commit.

Firstly, I am creating proper symlinks for the Alias= definitions in the
.service files. This achieves the same result as `systemctl enable`, and
I think is preferred over `mv`.

Secondly, `networkmanager-init` now wants `NetworkManager.service`,
along with `ModemManager.service`. ModemManager does not depend on
NetworkManager (according to `systemctl list-dependencies ModemManager`),
thus NetworkManager never got started on boot.
2014-02-12 11:32:49 +00:00
Shea Levy 3f70dabad3 Add heterogeneousAttrsOf option type
It is parameterized by a function that takes a name and evaluates to the
option type for the attribute of that name. Together with
submoduleWithExtraArgs, this subsumes nixosSubmodule.
2014-02-11 14:59:24 -05:00
Shea Levy ca1c5cfa8f Add nixosSubmodule option type
Since NixOS modules expect special arguments, use a hack to provide them
2014-02-11 14:21:34 -05:00
Eelco Dolstra 9c616e3bf4 Remove /etc/ca-bundle.crt
Applications should use /etc/ssl/certs/ca-bundle.crt instead.
2014-02-11 17:13:36 +01:00
Pascal Wittmann 884190a238 nixos: add uid for logcheck and only create a user for the default user 2014-02-11 14:19:06 +01:00
Rob Vermaas 61eae53709 Add all AWS regions to EBS AMI creation script. 2014-02-11 13:26:46 +01:00
Shea Levy 4ab5646417 Add a keys group with read access to /run/keys
This allows processes running as unprivileged users access to keys they might need
2014-02-11 07:00:10 -05:00
Michael Raskin 91b5aa7e10 Add some packages needed by some generic HP PCL drivers 2014-02-11 01:34:19 +04:00
Michael Raskin 4c9c7f6ba4 Add an option to change vsftpd anonymos write umask. 2014-02-11 01:34:19 +04:00
Shea Levy 80cc2697b1 user-groups: Sidestep all password escaping issues
Now passwords are written to a file first
2014-02-10 10:12:34 -05:00
Thomas Tuegel 3dc6168b31 Properly escape passwords sent to chpasswd
The mutableUsers feature uses `chpasswd` to set users passwords.
Passwords and their hashes were being piped into the program using
double quotes ("") to escape. This causes any `$` characters to be
expanded as shell variables. This is a serious problem because all the
password hash methods besides DES use multiple `$` in the hashes. Single
quotes ('') should be used instead to prevent shell variable expansion.
2014-02-10 08:16:22 -06:00
Shea Levy 6a8cc9ab11 mediawiki: Fix some references to /bin/bash 2014-02-10 09:14:30 -05:00
Shea Levy 42df6fcee9 mediawiki: Run update script after initializing the database 2014-02-10 08:56:16 -05:00
Shea Levy 258c7536be Force a rebuild 2014-02-09 11:59:02 -05:00
Tomasz Kontusz fe38031168 Upgrade bumblebee and add nixos module
* Bump bumblebee to 3.2.1
 * Remove config.patch - options it added can be passed to ./configure now
 * Remove the provided xorg.conf
   Provided xorg.conf was causing problems for some users,
   and Bumblebee provides its own default configuration anyway.
 * Make secondary X11 log to /var/log/X.bumblebee.log
 * Add a module for bumblebee
2014-02-09 15:09:41 +01:00
Bjørn Forsman 48851fa749 nixos/memtest: use docbook formatting
Without this the HTML manual and manpage is quite unreadable (newlines
are squashed so it doesn't look like a list anymore).

(Unfortunately, this makes the source unreadable.)
2014-02-09 13:56:09 +01:00
Ricardo M. Correia cba2444d11 nixos/memtest: Allow user to specify memtest86 boot parameters 2014-02-09 13:55:37 +01:00
Domen Kožar 028379be28 nixos: add most basic gnome3 test and take a screenshot 2014-02-08 21:47:39 +01:00
Domen Kožar ee14f8da9a remove references to isSystemUser and fix eval of tested job 2014-02-08 21:10:00 +01:00
Shea Levy dea562b6b9 services.mesa -> hardware.opengl
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-08 14:45:37 -05:00
Domen Kožar b17edbac57 ModemManager: 0.5.4.0 -> 0.7.991 2014-02-08 20:17:00 +01:00
Petr Rockai 12315a278c Merge branch 'yubikey' of git://github.com/Calrama/nixpkgs 2014-02-08 16:01:22 +01:00
Moritz Maxeiner 09f9af17b4 Update to the Yubikey PBA
Security-relevant changes:
 * No (salted) passphrase hash send to the yubikey, only hash of the salt (as it was in the original implementation).
 * Derive $k_luks with PBKDF2 from the yubikey $response (as the PBKDF2 salt) and the passphrase $k_user
   (as the PBKDF2 password), so that if two-factor authentication is enabled
   (a) a USB-MITM attack on the yubikey itself is not enough to break the system
   (b) the potentially low-entropy $k_user is better protected against brute-force attacks
 * Instead of using uuidgen, gather the salt (previously random uuid / uuid_r) directly from /dev/random.
 * Length of the new salt in byte added as the parameter "saltLength", defaults to 16 byte.
   Note: Length of the challenge is 64 byte, so saltLength > 64 may have no benefit over saltLengh = 64.
 * Length of $k_luks derived with PBKDF2 in byte added as the parameter "keyLength", defaults to 64 byte.
   Example: For a luks device with a 512-bit key, keyLength should be 64.
 * Increase of the PBKDF2 iteration count per successful authentication added as the
   parameter "iterationStep", defaults to 0.

Other changes:
 * Add optional grace period before trying to find the yubikey, defaults to 2 seconds.

Full overview of the yubikey authentication process:

  (1) Read $salt and $iterations from unencrypted device (UD).
  (2) Calculate the $challenge from the $salt with a hash function.
      Chosen instantiation: SHA-512($salt).
  (3) Challenge the yubikey with the $challenge and receive the $response.
  (4) Repeat three times:
    (a) Prompt for the passphrase $k_user.
    (b) Derive the key $k_luks for the luks device with a key derivation function from $k_user and $response.
        Chosen instantiation: PBKDF2(HMAC-SHA-512, $k_user, $response, $iterations, keyLength).
    (c) Try to open the luks device with $k_luks and escape loop (4) only on success.
  (5) Proceed only if luks device was opened successfully, fail otherwise.

  (6) Gather $new_salt from a cryptographically secure pseudorandom number generator
      Chosen instantiation: /dev/random
  (7) Calculate the $new_challenge from the $new_salt with the same hash function as (2).
  (8) Challenge the yubikey with the $new_challenge and receive the $new_response.
  (9) Derive the new key $new_k_luks for the luks device in the same manner as in (4) (b),
      but with more iterations as given by iterationStep.
 (10) Try to change the luks device's key $k_luks to $new_k_luks.
 (11) If (10) was successful, write the $new_salt and the $new_iterations to the UD.
      Note: $new_iterations = $iterations + iterationStep

Known (software) attack vectors:

 * A MITM attack on the keyboard can recover $k_user. This, combined with a USB-MITM
   attack on the yubikey for the $response (1) or the $new_response (2) will result in
   (1) $k_luks being recovered,
   (2) $new_k_luks being recovered.
 * Any attacker with access to the RAM state of stage-1 at mid- or post-authentication
   can recover $k_user, $k_luks, and  $new_k_luks
 * If an attacker has recovered $response or $new_response, he can perform a brute-force
   attack on $k_user with it without the Yubikey needing to be present (using cryptsetup's
   "luksOpen --verify-passphrase" oracle. He could even make a copy of the luks device's
   luks header and run the brute-force attack without further access to the system.
 * A USB-MITM attack on the yubikey will allow an attacker to attempt to brute-force
   the yubikey's internal key ("shared secret") without it needing to be present anymore.

Credits:

 * Florian Klien,
   for the original concept and the reference implementation over at
   https://github.com/flowolf/initramfs_ykfde
 * Anthony Thysse,
   for the reference implementation of accessing OpenSSL's PBKDF2 over at
   http://www.ict.griffith.edu.au/anthony/software/pbkdf2.c
2014-02-08 14:59:52 +01:00
Domen Kožar 5ffab7710d gnome3.gnome_control_center: build and fix runtime deps 2014-02-08 12:30:23 +01:00
Bjørn Forsman db12d783ff nixos: add uid/gid for munin
To be compatible with eb2f44c18c (Generate
/etc/passwd and /etc/group at build time). Without this you'll get this:

  $ nixos-rebuild build
  [...]
  user-thrown exception: The option `users.extraGroups.unnamed-9.1.gid' is used but not defined.
2014-02-07 23:08:15 +01:00
Shea Levy e058de1642 Add option to enforce uniqueness of uids/gids (on by default)
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-07 09:57:28 -05:00
Domen Kožar 506a030b91 gnome3: add missing files 2014-02-07 00:37:17 +01:00
Domen Kožar 65a28e8b73 Add gnome3 desktop manager. Very experimental.
Currently very basic gnome-shell launches on my laptop. Quite some
services won't start yet, most notable is gnome-control-center.

GTK3 apps still don't have theming applied and for example launching
chromium results in horrible red windows.
2014-02-07 00:31:29 +01:00
Domen Kožar 15fb296b43 xfce: partially add gtk3 support 2014-02-07 00:30:21 +01:00
Mathijs Kwik 951f37f3da services.xserver.videoDrivers -> services.mesa.videoDrivers 2014-02-06 10:01:08 +01:00
Vladimír Čunát 4284694439 nixos/mesa: don't create /run/opengl-driver-32 ...
... if on 64-bit and without 32-bit drivers.
Also assert against requesting 32-bit drivers on 32-bit machine.
2014-02-05 19:20:42 +01:00
Rickard Nilsson 72ba2bf126 Add description to group.members option 2014-02-05 15:56:51 +01:00
Rickard Nilsson 0b92ad02c8 Re-introduce security.initialRootPassword, and add a new option users.extraUsers.<user>.hashedPassword 2014-02-05 15:56:51 +01:00
Rickard Nilsson 03ee174032 Only add shadow to system packages if users.mutableUsers is true 2014-02-05 15:56:51 +01:00