The new configuration.nix option 'environment.enableBashCompletion'
determines whether bash completion is automatically enabled system-wide
for all interactive shells or not. The default setting is 'off'.
The new configuration.nix option 'environment.enableBashCompletion'
determines whether bash completion is automatically enabled system-wide
for all interactive shells or not. The default setting is 'off'.
My main reason for adding this is the ability to turn off helpers
altogether. If you are not using any of the special protocols, keeping
them turned off is safest, and in case you do want to use them, it's
best to configure them through the new CT target for your network
topology. Perhaps some sane defaults for nixos can be examined in the
future.
This change has no impact if you don't touch the added options, so no
need to adapt.
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.
There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative nixos users that just stick
to the default kernel will not need to act now just yet.
The triggers are just arbitrary strings that are included in the unit
under X-Restart-Triggers. The idea is that if they change between
reconfigurations, switch-to-configuration will restart the unit
because its store path changed. This is mostly useful for services
that implicitly depend on generated files in /etc. Thus you can say
restartTriggers = [ confFile ];
where ‘confFile’ is the derivation that generated the /etc file in
question.
Flushing is bad if the Nix store is on a remote filesystem accessed
over that interface.
http://hydra.nixos.org/build/3184162
Also added a interface option ‘prefixLength’ as a better alternative
to ‘subnetMask’.
Instead it's enough to depend on
sys-subsystem-net-devices-<interface>.device, which in turn has a
"wants" dependency on the service (if any) that creates the interface.
For each statically configured interface, we now create a unit
‘<interface>-cfg.service’ which gets started as soon as the network
device comes up. Similarly, each bridge defined in
‘networking.bridges’ and virtual interface in ‘networking.interfaces’
is created by a service ‘<interface>.service’.
So if we have
networking.bridges.br0.interfaces = [ "eth0" "eth1" ];
networking.interfaces =
[ { name = "br0";
ipAddress = "192.168.1.1";
}
];
then there will be a unit ‘br0.service’ that depends on
‘sys-subsystem-net-devices-eth0.device’ and
‘sys-subsystem-net-devices-eth1.device’, and a unit ‘br0-cfg.service’
that depends on ‘sys-subsystem-net-devices-br0.device’.
The special handling for cronjobs should probably move to the cron
module (logcheckIgnore = bool option) in the future, as it's more
natural to just declare a cronjob, and mark it as "log-ignored",
instead of adding cronjobs through logcheck.
But as systemCronjobs is not an attrset yet (just simple strings),
this would require adding an attrset for cronjobs or parsing strings
in the nix language to get hold of the cron-user and command.
So for now, I keep the interface within logcheck's module.
However SLIM is still broken and you have to create a
/usr/lib/dri/fglrx_dri.so symlink pointing to
/run/opengl-driver/lib/fglrx_dri.so
At least fgl_glxgears shows 10 times more frames per second now
This is broken because it requires restarting applications to see new
NSS modules. The proper way to handle NSS modules is through nscd.
See commit 554ae9908b.
The upower daemon needs the gdbus command (which is weird given that
upower links against dbus_glib, but ah well...). This fixes suspend
in KDE with systemd.
Alsa-utils provides a udev rule to restore volume settings, so use
that instead of restoring them from a systemd service. The
"alsa-store" service saves the settings on shutdown.
It's not enough to say "after udev-settle.service" since
udev-settle.service is not wanted/required anywhere - we need to say
"wants udev-settle.service" as well.
This should fix problems with ALSA and X11 initialisation that people
have been seeing.
So instead of:
boot.systemd.services."foo".serviceConfig =
''
StartLimitInterval=10
CPUShare=500
'';
you can say:
boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10;
boot.systemd.services."foo".serviceConfig.CPUShare = 500;
This way all unit options are available and users can set/override
options in configuration.nix.
This makes it easier for systemd to track it and avoids race conditions such as
this one:
systemd[1]: PID file /run/sshd.pid not readable (yet?) after start.
systemd[1]: Failed to start SSH Daemon.
systemd[1]: Unit sshd.service entered failed state.
systemd[1]: sshd.service holdoff time over, scheduling restart.
systemd[1]: Stopping SSH Daemon...
systemd[1]: Starting SSH Daemon...
sshd[2315]: Server listening on 0.0.0.0 port 22.
sshd[2315]: Server listening on :: port 22.
sshd[2335]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
sshd[2335]: error: Bind to port 22 on :: failed: Address already in use.
sshd[2335]: fatal: Cannot bind any address.
systemd[1]: Started SSH Daemon.
When spamd isn't running as 'root', it cannot access the usual ~/.spamassassin
path where user-specific files normally reside. Instead, we use the path
/var/lib/spamassassin-<user> to store those home directories.
* Add group 'networkmanager' and implement polkit configuration
that allows users in this group to make persistent, system-wide
changes to NetworkManager settings.
* Add support for ModemManager. 3G modems should work out of the
box now (it does for me...). This introduces a dependency on
pkgs.modemmanager.
* Write NetworkManger config file to Nix store, and let the
daemon use it from there.
It specifies what mingetty will be stopped, if a bad filesystem
triggers an emergency shell.
That should be ttyS0 on headless systems, and in that case,
nixos should stop the ttyS0 mingetty from getting in.
I had some problems with LDAP user lookups not working properly
at boot. I found that invalidating passwd and group on the
ip-up event (when nscd-invalidate starts) helped a bit.
Systemd sets locale variables like $LANG when running services, so
$LOCALE_ARCHIVE should also be set to prevent warnings like "perl:
warning: Setting locale failed.".
If passno is set, then systemd will instantiate a systemd-fsck unit,
which in turn will instantiate a <device>.device unit
(e.g. "none.device"). Since no such device exists, mounting will
fail. So don't set passno.
kernel 3.4+ needs cifs-utils to mount CIFS filesystems.
the kernel itself (and busybox's cifs mount code) are no longer able
to do this in some/most cases and will error out saying:
"CIFS VFS: connecting to DFS root not implemented yet"
Nixos' qemu-vm target is hurt by this, as it wants to mount /nix/store
via cifs very early in the boot process.
This commit makes sure the initrd for affected kernels is built with
cifs-utils if needed.
proxy_arp (and proxy_ndp for ipv6) can be turned on on a few
interfaces (at least 2).
This is mainly useful for creating pseudo-bridges between a real
interface and a virtual network such as VPN or a virtual machine for
interfaces that don't support real bridging (most wlan interfaces).
As ARP proxying acts slightly above the link-layer, below-ip traffic
isn't bridged, so things like DHCP won't work. The advantage above
using NAT lies in the fact that no IP addresses are shared, so all
hosts are reachable/routeable.
If a service has a corresponding socket unit, then stop the socket
before stopping the service. This prevents it from being restarted
behind our backs. Also, don't restart the service; it will be
restarted on demand via the socket.
Logind sessions are more generally useful than for device ownership.
For instances, ssh logins can be put in their own session (and thus
their own cgroup).
Subtle: dhcpcd.service would call resolvconf during shutdown, which in
turn would start invalidate-nscd.service, causing the shutdown to be
cancelled. Instead, give nscd.service a proper reload action, and do
"systemctl reload --no-block nscd.service". The --no-block is
necessary to prevent that command from waiting until a timeout occurs
(bug in systemd?).
This especially annoyed me whenver I was doing nixos-rebuild switch and getting
logged out on all consoles. With this there now is services.mingetty.dontRestart
for heavy VT users to deactivate this behaviour.
As non-QWERTY keyboards don't feel so warm and cozy if they hug QWERTY LUKS
password prompts, it was on honor for me to serve King Dvorak XV to fight the
glorious keyboard war against... what?! Yes, I'm awake!
We're fighting with loadkeys to spit out busybox binary keymaps against loadkmap
(loadkeys does have a special target -b for that).
And yep, I'm somewhat abusing preLVMCommands, if someone got issues with that,
feel free to introduce a new substitute in stage-i-init.sh.
Sent from my iPhone
We had a "mount -o remount,rw none /" that was setting back 'relatime',
although we had set 'noatime' at initrd mount. Removing the word 'none' fixed
it.
Specifying a device (in this case 'none'), makes mount to forget previous
device options. According to manpage, it says not to read fstab or mtab. But the
effect is that of setting 'relatime', if it was mounted 'noatime.
Unless we search the entire filesystem to do a chown *and* restart
existing processes owned by that user, there is no sensible way that
we can change uids/gids. So don't try.
The option is disabled by default so that previously existing installations
aren't affected.
If you'd like to migrate to the fixed numeric id for Apache, set "fixUidAndGid
= true", edit the file "/etc/groups" and replace the old GID value with 54.
(NixOS can't do that for you because it refuses to change a GID that identifies
the primary group of a user.) Then run
find / -xdev -uid $oldUID -exec chown 54 {} +
find / -xdev -gid $oldGID -exec chgrp 54 {} +
to update ownership of all files that are supposed to be owned by Apache.
- Renamed system.build.menuBuilder to system.build.installBootLoader.
- ‘install-grub.pl’ (formerly grub-menu-builder.pl) now generates the
GRUB menu *and* installs GRUB (if necessary).
- ‘switch-to-configuration.sh’ has no boot loader specific knowledge
anymore. It just calls installBootLoader.
The old GRUB menu builder script is quite slow, typically taking
several seconds. This is a real annoyance since it's run every time
you switch to a new configuration. Therefore this patch replaces the
Bash script with a much faster Perl script. In a VirtualBox test, the
execution time went from 2.7s to 0.1s. The Perl version is also more
correct because it uses XML to get the GRUB configuration (through
builtins.toXML), so there are no shell escaping issues.
The new script currently lacks support for subconfigurations defined
through "nesting.children".
Systemd's systemd-vconsole-setup.service reads locale and console
font/keymap settings from these files. In particular, it sets the
virtual console to UTF-8 mode depending on the LANG setting.
This removed the need for the kbd job.
- The new option 'apacheHttpd' determines the version of the Apache
HTTP Server that's being used by this module. The default version
is Apache 2.2.x, as before.
- The new option 'configFile' allows users specify their own custom
config file for the web server instead of being limited to the one
that this module generates.
The environment variable "NIXOS_EXTRA_MODULES" is now checked to
contain a path to a file similar to modules/module-list.nix.
This gives the ability to include nixos modules that are not in the
nixos source tree.
This can be useful for modules that are still experimental, or which
aren't useful for other nixos users. Of course, this was already
possible to do this using a forked nixos tree, but with this
functionality, you can just rely on the nixos channel, easing things a
lot.
Ugly hack to get around the error "a string that refers to a store
path cannot be appended to a path". The underlying problem is that
you cannot do
"${./file1} ${./file2}"
but you can do
" ${./file1} ${./file2}"
Obviously we should allow the first case as well.
This allows hiding the implementation details for how to represent logstash
config types that don't directly map to nix expressions, particularly floats,
hashes, and name-value pair sets with repeated names. Instead of setting
__type and value directly, the user now uses these convenience functions to
generate their logstash config.
Since the logstash config file seemed very similar to a nixexpr, I decided
to map directly from nixexprs to logstash configs. I didn't realize until
too far in that this solution was probably way over-engineered, but it
works.
The new option ‘skins’ allows specifying a list of directories
providing skins to be added to the MediaWiki installation. The
‘defaultSkin’ option just sets the default.
resolvconf prefers a locally running BIND resolver over the forwarders; we just
have to tell it whether we have one or not. We use 'config.services.bind.enable'
to make that decision, assuming that people are not going to configure a local
BIND that won't respond to queries on 127.0.0.1. If we run into such a (weird)
case, then we'll need to introduce another variable for that purpose which can
be set independently from 'config.services.bind.enable'.
BusyBox doesn't handle the "auto" filesystem type very well: fsck will
just ignore such filesystems, and mount will only work properly if the
required kernel module is already loaded. Therefore, use blkid to
determine the filesystem type.
Also generate an /etc/fstab in the initrd rootfs on the fly. This is
useful if you're dropped into an emergency shell since it allows you
to say "fsck /dev/sda1" or "mount /dev/sda" and have the right thing
happen.
