Commit graph

389 commits

Author SHA1 Message Date
Rickard Nilsson 72ba2bf126 Add description to group.members option 2014-02-05 15:56:51 +01:00
Rickard Nilsson 0b92ad02c8 Re-introduce security.initialRootPassword, and add a new option users.extraUsers.<user>.hashedPassword 2014-02-05 15:56:51 +01:00
Rickard Nilsson 03ee174032 Only add shadow to system packages if users.mutableUsers is true 2014-02-05 15:56:51 +01:00
Rickard Nilsson eb2f44c18c Generate /etc/passwd and /etc/group at build time
This is a rather large commit that switches user/group creation from using
useradd/groupadd on activation to just generating the contents of /etc/passwd
and /etc/group, and then on activation merging the generated files with the
files that exist in the system. This makes the user activation process much
cleaner, in my opinion.

The users.extraUsers.<user>.uid and users.extraGroups.<group>.gid must all be
properly defined (if <user>.createUser is true, which it is by default). My
pull request adds a lot of uids/gids to config.ids to solve this problem for
existing nixos services, but there might be configurations that break because
this change. However, this will be discovered during the build.

Option changes introduced by this commit:

* Remove the options <user>.isSystemUser and <user>.isAlias since
they don't make sense when generating /etc/passwd statically.

* Add <group>.members as a complement to <user>.extraGroups.

* Add <user>.passwordFile for setting a user's password from an encrypted
(shadow-style) file.

* Add users.mutableUsers which is true by default. This means you can keep
managing your users as previously, by using useradd/groupadd manually. This is
accomplished by merging the generated passwd/group file with the existing files
in /etc on system activation. The merging of the files is simplistic. It just
looks at the user/group names. If a user/group exists both on the system and
in the generated files, the system entry will be kept un-changed and the
generated entries will be ignored. The merging itself is performed with the
help of vipw/vigr to properly lock the account files during edit.
If mutableUsers is set to false, the generated passwd and group files will not
be merged with the system files on activation. Instead they will simply replace
the system files, and overwrite any changes done on the running system. The
same logic holds for user password, if the <user>.password or
<user>.passwordFile options are used. If mutableUsers is false, password will
simply be replaced on activation. If true, the initial user passwords will be
set according to the configuration, but existing passwords will not be touched.

I have tested this on a couple of different systems and it seems to work fine
so far. If you think this is a good idea, please test it. This way of adding
local users has been discussed in issue #103 (and this commit solves that
issue).
2014-02-05 15:56:51 +01:00
Shea Levy bfc682ea37 Mount a ramfs on /run/keys for safe key storage for nixops
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-05 08:00:19 -05:00
Shea Levy 1e0352f801 Fix gummiboot builder
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-05 07:54:11 -05:00
Domen Kožar e1b206b4a9 clarify rename error messages 2014-02-04 16:33:01 +01:00
Shea Levy 741cc62f75 Force a rebuild.
Sigh.

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-04 08:43:45 -05:00
Eelco Dolstra 9e7fe29e41 ntpd: Don't answer status queries
Workaround for CVE-2013-5211:

http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
2014-02-03 23:44:11 +01:00
Shea Levy 5e72e36f95 gummiboot-builder.py: Remove old entries before adding new ones
Fixes #1483

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-03 17:41:31 -05:00
Shea Levy 448dc031ed Document EFI installation
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-03 17:05:23 -05:00
Shea Levy d6ef65cb6a Limit livecd label to 11 characters
vfat partition labels can only be 11 characters long

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-03 17:05:04 -05:00
Oliver Charles 0d18d39e98 switch-to-configuration.pl: Handle successful auto-restarts
switch-to-configuration.pl is currently hard-coded to assume that if a
unit is in the "auto-restart" state that something has gone wrong, but
this is not strictly true. For example, I run offlineimap as a oneshot
service restarting itself every minute (on success). NixOS currently
thinks that offlineimap has failed to start as it enters the
auto-restart state, because it doesn't consider why the unit failed.

This commit changes switch-to-configuration.pl to inspect the full
status of a unit in auto-restart state, and now only considers it failed
if the ExecMainStatus is non-zero.
2014-02-02 15:56:22 +01:00
Vladimír Čunát 4a55391f1f Merge #1645 and #1646: lightdm and -gtk-greeter update 2014-02-02 15:51:35 +01:00
Vladimír Čunát b5a32b3944 Merge #1618: use ubuntu module blacklists by default 2014-02-02 15:51:07 +01:00
Jaka Hudoklin b6e3cd7170 nixos/nscd: add option to change nscd config
[Bjørn Forsman <bjorn.forsman@gmail.com>:
 - use types.lines instead of types.string. The former joins strings
   with "\n" and the latter with "" (and is deprecated).
]
2014-02-02 15:31:55 +01:00
Eelco Dolstra 559f5be07d dhcpcd: Update to 6.2.1
Dhcpcd now has integration with udev, so it should no longer be a
problem if udev renames an interface while dhcpcd is running.
2014-02-02 11:28:45 +01:00
Arvin Moezzi 0602ef22de git-daemon service: fix typo in option (close #1659) 2014-02-01 11:56:56 +01:00
Rob Vermaas 9b1bd84940 httpd: Respect original order of environment eval. 2014-01-31 21:18:24 +01:00
Rob Vermaas bfa56d7657 httpd: Only add PHPRC to environment of httpd when enablePHP is true. 2014-01-31 21:14:05 +01:00
Oliver Charles 32a08d0846 lightdm: Update to 1.8.6 2014-01-31 12:42:03 +00:00
Petr Rockai 2062abfd4f Merge branch 'yubikey' of git://github.com/Calrama/nixpkgs 2014-01-29 18:54:07 +01:00
Moritz Maxeiner 7bf94cadad Add library dependencies explicitly 2014-01-29 18:49:26 +01:00
Moritz Maxeiner e96f58ef5c Implement muli-user authentication for yubikey pba, i.e. multiple users can now share a single luks keyslot.
This is achieved by having multiple lines per storage file, one for each user (if the feature is enabled); each of these
lines has the same format as would be the case for the userless authentication, except that they are prepended with a
SHA-512 of the user's id.
2014-01-29 17:20:05 +01:00
Moritz Maxeiner 20cfaf0faa Change the crypt-storage file to be hex encoded instead of raw binary. To update from the previous configuration, convert your crypt-storage file from raw binary to hex. 2014-01-29 13:58:35 +01:00
aszlig 795941261a
nixos-generate-config: Fix reference to <nixos>.
IIUC, <nixos> is going to be deprecated someday in the future, and as
most of those references are already replaced I guess it's safe to
replace it here as well, as it is only relevant on new/updated
installations.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-01-29 13:23:30 +01:00
Moritz Maxeiner cce9712331 Enable two-factor authentication by default. Add proper descriptions to attributes. 2014-01-29 12:55:32 +01:00
Moritz Maxeiner 45b1ffb8db Cosmetic change to yubikey detection 2014-01-28 20:39:46 +01:00
Vladimír Čunát 5acaa980a5 pull module blacklist from Ubuntu and use it by default
People often have serious problems due to bogus modules like *fb.
2014-01-28 12:52:36 +01:00
Moritz Maxeiner 407a770161 Rewrite as a pre-boot authentication module (mostly) comforming to the design specification of
'YubiKey Integration for Full Disk Encryption Pre-Boot Authentication (Copyright) Yubico, 2011 Version: 1.1'.

Used binaries:
  * uuidgen - for generation of random sequence numbers
  * ykchalresp - for challenging a Yubikey
  * ykinfo - to check if a Yubikey is plugged in at boot (fallback to passphrase authentication otherwise)
  * openssl - for calculation of SHA-1, HMAC-SHA-1, as well as AES-256-CTR (de/en)cryption

Main differences to the specification mentioned above:
  * No user management (yet), only one password+yubikey per LUKS device
  * SHA-512 instead of CRC-16 for checksum

Main differences to the previous implementation:
  * Instead of changing the key slot of the LUKS device each boot,
    the actual key for the LUKS device will be encrypted itself
  * Since the response for the new challenge is now calculated
    locally with openssl, the MITM-USB-attack with which previously
    an attacker could obtain the new response (that was used as the new
    encryption key for the LUKS device) by listening to the
    Yubikey has ideally become useless (as long as uuidgen can
    successfuly generate new random sequence numbers).

Remarks:
  * This is not downwards compatible to the previous implementation
2014-01-28 04:02:51 +01:00
Rob Vermaas 4ccd60af00 Merge pull request #1178 from chexxor/fix-httpd-ssh
HTTPD: Check for SSL Cert value before building with SSL support.
2014-01-27 12:34:42 -08:00
Petr Rockai 66db1b3a64 nixos: Add a dictd service. 2014-01-25 16:35:02 +01:00
Aristid Breitkreuz 5d3d6b3799 support -Q in nixos-rebuild 2014-01-25 11:20:25 +01:00
Moritz Maxeiner 333f5caaf9 Implement authentication for a LUKS device with a yubikey (HMAC-SHA1); supports simple challenge-response and two-factor authentication 2014-01-25 03:33:09 +01:00
Thomas Tuegel 7b743fcaab networkmanager: load modules required for PPTP 2014-01-24 09:22:59 -06:00
Vladimír Čunát 12235ed36e remove .topmsg (close #1578) 2014-01-23 22:30:07 +01:00
Shea Levy 51de280c0a nixos X tests: wait for logind to link a session to the server
There seems to be some race causing failures if an X command gets in before slim starts the session

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-22 14:23:56 -05:00
Shea Levy d18bc25b95 Rename linuxManualConfig to buildLinux
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-21 20:05:55 -05:00
Shea Levy 30f7947031 Whitespace to force a build
Ugh

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-19 15:07:35 -05:00
Domen Kožar e5b6de80bb Merge pull request #1536 from Shados/service-haveged
Adds a service for haveged, the entropy daemon
2014-01-18 09:38:51 -08:00
Shea Levy d454e094ef kmscon: Don't re-run systemd-vconsole-setup after boot, and let tty1 wait for vconsole setup
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-18 11:17:49 -05:00
Shea Levy ca7805be94 systemd: Enable specifying extra config files for a unit
This will allow overriding package-provided units, or overriding only a
specific instance of a unit template.

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-18 11:10:39 -05:00
Shea Levy 9c1d3bfa9f Whitespace to force a rebuild
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-17 12:15:49 -05:00
Shea Levy 7f15b0c132 Merge branch 'xprofile' of git://github.com/pSub/nixpkgs into master
Allow the user to execute commands at the beginning of the X session.

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-17 09:28:19 -05:00
Alexei Robyn 6d80803e66 Adds a service for haveged, the entropy daemon
Includes configuration option for the threshold beneath which to refill
the entropy pool - defaults to 1024 bits as this is the number used in
other distro's existing service files I looked at.
2014-01-17 22:10:52 +11:00
Shea Levy babd66e8e6 Fix environment.etc setting
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-15 15:15:46 -05:00
Shea Levy 22c5c57043 Fix typo
Thanks to @bennofs for pointing it out

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-15 11:14:46 -05:00
Shea Levy fd97be3501 Don't restart kmscon VTs if the unit changes
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-15 08:52:08 -05:00
Shea Levy 646af581f5 Option description formatting
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-15 08:17:19 -05:00
Shea Levy 852c270035 nixos: Split mesa setup from xserver.nix
With kmscon, it is now possible to have a system without X that still
needs the mesa setup in /run/opengl-driver

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-15 08:17:19 -05:00