Charon needs this to include the dynamically generated
/root/.vbox-charon-client-key. (We used
users.extraUsers.root.openssh.authorizedKeys.keyFiles for this, but
that no longer works.)
Instead of the somewhat hacky script that inserted public keys
into the users' .ssh/authorized_keys files, use the AuthorizedKeysFile
configuration directive in sshd_config and generate extra key
files for each user (placed in /etc/authorized_keys.d/).
The xsession script runs services that depend on a sane environment. Gpg-agent, for
example, runs the program "pinentry-gtk-2" to obtain the password to unlock GnuPG
and SSH keys. That program will display only gibberish unless $FONTCONFIG_FILE is
configured properly. Instead of configuring these variables explicitly one by one,
we just source /etc/profile, which contains the appropriate @shellInit@ code.
Thus
networking.interfaces = [ { name = "eth0"; ipAddress = "192.168.15.1"; } ];
can now be written as
networking.interfaces.eth0.ipAddress = "192.168.15.1";
The old notation still works though.
Cgroups are handled by systemd now. Systemd's cgroup support does not
do all the things that cgrulesengd does, but they're likely to
interact poorly with each other.
We now just have a simple attribute called "version24" which replaces all those
pesky versionOlder that were spreading throughout the file and makes things way
more readable.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
By default the path is determined related to ServerRoot. Unfortunately
ServerRoot is pointing to the Nix store and the web server can't write to it.
We now create a directory called "runtime" withen the stateDir and point
DefaultRuntimeDir to it.
For more information on the DefaultRuntimeDir directive, please see:
http://httpd.apache.org/docs/2.4/mod/core.html#defaultruntimedir
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
NameVirtualHost no longer has any effect on version 2.4 and just emits ugly
warnings, so let's not use it if we use 2.4.
More information: http://httpd.apache.org/docs/2.4/upgrading.html#misc
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The Order/Deny directives are deprecated in version 2.4, so we're going to
define two wrappers for allDenied and allGranted in order to properly generate
configurations for both version 2.2 and 2.4.
For more information an access control changes, see:
http://httpd.apache.org/docs/2.4/upgrading.html#access
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Now, MPMs can be loaded at runtime and it's no longer required to compile in one
of the MPM modules statically. So, if version is >= 2.4, load the MPM module
corresponding to the multiProcessingModule value of the service module.
For details, please see: http://httpd.apache.org/docs/2.4/mpm.html
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Beginning with version 2.3, the authn were refactored. As a result, authn_alias
is now part of the new module authn_core, so let's use authn_core instead of
authn_alias.
For details please see: http://httpd.apache.org/docs/2.4/upgrading.html#misc
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
My main reason for adding this is the ability to turn off helpers
altogether. If you are not using any of the special protocols, keeping
them turned off is safest, and in case you do want to use them, it's
best to configure them through the new CT target for your network
topology. Perhaps some sane defaults for nixos can be examined in the
future.
This change has no impact if you don't touch the added options, so no
need to adapt.
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.
There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative nixos users that just stick
to the default kernel will not need to act now just yet.
For each statically configured interface, we now create a unit
‘<interface>-cfg.service’ which gets started as soon as the network
device comes up. Similarly, each bridge defined in
‘networking.bridges’ and virtual interface in ‘networking.interfaces’
is created by a service ‘<interface>.service’.
So if we have
networking.bridges.br0.interfaces = [ "eth0" "eth1" ];
networking.interfaces =
[ { name = "br0";
ipAddress = "192.168.1.1";
}
];
then there will be a unit ‘br0.service’ that depends on
‘sys-subsystem-net-devices-eth0.device’ and
‘sys-subsystem-net-devices-eth1.device’, and a unit ‘br0-cfg.service’
that depends on ‘sys-subsystem-net-devices-br0.device’.
The special handling for cronjobs should probably move to the cron
module (logcheckIgnore = bool option) in the future, as it's more
natural to just declare a cronjob, and mark it as "log-ignored",
instead of adding cronjobs through logcheck.
But as systemCronjobs is not an attrset yet (just simple strings),
this would require adding an attrset for cronjobs or parsing strings
in the nix language to get hold of the cron-user and command.
So for now, I keep the interface within logcheck's module.
However SLIM is still broken and you have to create a
/usr/lib/dri/fglrx_dri.so symlink pointing to
/run/opengl-driver/lib/fglrx_dri.so
At least fgl_glxgears shows 10 times more frames per second now
The upower daemon needs the gdbus command (which is weird given that
upower links against dbus_glib, but ah well...). This fixes suspend
in KDE with systemd.
Alsa-utils provides a udev rule to restore volume settings, so use
that instead of restoring them from a systemd service. The
"alsa-store" service saves the settings on shutdown.
So instead of:
boot.systemd.services."foo".serviceConfig =
''
StartLimitInterval=10
CPUShare=500
'';
you can say:
boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10;
boot.systemd.services."foo".serviceConfig.CPUShare = 500;
This way all unit options are available and users can set/override
options in configuration.nix.
This makes it easier for systemd to track it and avoids race conditions such as
this one:
systemd[1]: PID file /run/sshd.pid not readable (yet?) after start.
systemd[1]: Failed to start SSH Daemon.
systemd[1]: Unit sshd.service entered failed state.
systemd[1]: sshd.service holdoff time over, scheduling restart.
systemd[1]: Stopping SSH Daemon...
systemd[1]: Starting SSH Daemon...
sshd[2315]: Server listening on 0.0.0.0 port 22.
sshd[2315]: Server listening on :: port 22.
sshd[2335]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
sshd[2335]: error: Bind to port 22 on :: failed: Address already in use.
sshd[2335]: fatal: Cannot bind any address.
systemd[1]: Started SSH Daemon.
When spamd isn't running as 'root', it cannot access the usual ~/.spamassassin
path where user-specific files normally reside. Instead, we use the path
/var/lib/spamassassin-<user> to store those home directories.
* Add group 'networkmanager' and implement polkit configuration
that allows users in this group to make persistent, system-wide
changes to NetworkManager settings.
* Add support for ModemManager. 3G modems should work out of the
box now (it does for me...). This introduces a dependency on
pkgs.modemmanager.
* Write NetworkManger config file to Nix store, and let the
daemon use it from there.
I had some problems with LDAP user lookups not working properly
at boot. I found that invalidating passwd and group on the
ip-up event (when nscd-invalidate starts) helped a bit.
Logind sessions are more generally useful than for device ownership.
For instances, ssh logins can be put in their own session (and thus
their own cgroup).
Subtle: dhcpcd.service would call resolvconf during shutdown, which in
turn would start invalidate-nscd.service, causing the shutdown to be
cancelled. Instead, give nscd.service a proper reload action, and do
"systemctl reload --no-block nscd.service". The --no-block is
necessary to prevent that command from waiting until a timeout occurs
(bug in systemd?).
This especially annoyed me whenver I was doing nixos-rebuild switch and getting
logged out on all consoles. With this there now is services.mingetty.dontRestart
for heavy VT users to deactivate this behaviour.
The option is disabled by default so that previously existing installations
aren't affected.
If you'd like to migrate to the fixed numeric id for Apache, set "fixUidAndGid
= true", edit the file "/etc/groups" and replace the old GID value with 54.
(NixOS can't do that for you because it refuses to change a GID that identifies
the primary group of a user.) Then run
find / -xdev -uid $oldUID -exec chown 54 {} +
find / -xdev -gid $oldGID -exec chgrp 54 {} +
to update ownership of all files that are supposed to be owned by Apache.
- The new option 'apacheHttpd' determines the version of the Apache
HTTP Server that's being used by this module. The default version
is Apache 2.2.x, as before.
- The new option 'configFile' allows users specify their own custom
config file for the web server instead of being limited to the one
that this module generates.
Ugly hack to get around the error "a string that refers to a store
path cannot be appended to a path". The underlying problem is that
you cannot do
"${./file1} ${./file2}"
but you can do
" ${./file1} ${./file2}"
Obviously we should allow the first case as well.
This allows hiding the implementation details for how to represent logstash
config types that don't directly map to nix expressions, particularly floats,
hashes, and name-value pair sets with repeated names. Instead of setting
__type and value directly, the user now uses these convenience functions to
generate their logstash config.
Since the logstash config file seemed very similar to a nixexpr, I decided
to map directly from nixexprs to logstash configs. I didn't realize until
too far in that this solution was probably way over-engineered, but it
works.
