public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/misc/ids.nix

256 lines
5.1 KiB
Nix
Raw Normal View History

* Move the uid/gid mappings into a module. This allows other modules to use it through config.ids.{uids,gids} rather than `import relative-path/ids.nix'. svn path=/nixos/branches/modular-nixos/; revision=15796
2009-05-29 14:25:56 +00:00
# This module defines the global list of uids and gids. We keep a
Fix typos, especially those that end up in the NixOS manual
2013-08-10 21:07:13 +00:00
# central list to prevent id collisions.
* Move the uid/gid mappings into a module. This allows other modules to use it through config.ids.{uids,gids} rather than `import relative-path/ids.nix'. svn path=/nixos/branches/modular-nixos/; revision=15796
2009-05-29 14:25:56 +00:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
{ config, pkgs, ... }:
* Move the uid/gid mappings into a module. This allows other modules to use it through config.ids.{uids,gids} rather than `import relative-path/ids.nix'. svn path=/nixos/branches/modular-nixos/; revision=15796
2009-05-29 14:25:56 +00:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
{
* Move the uid/gid mappings into a module. This allows other modules to use it through config.ids.{uids,gids} rather than `import relative-path/ids.nix'. svn path=/nixos/branches/modular-nixos/; revision=15796
2009-05-29 14:25:56 +00:00
options = {
ids.uids = pkgs.lib.mkOption {
Add lots of missing option types
2013-10-30 17:37:45 +01:00
internal = true;
* Move the uid/gid mappings into a module. This allows other modules to use it through config.ids.{uids,gids} rather than `import relative-path/ids.nix'. svn path=/nixos/branches/modular-nixos/; revision=15796
2009-05-29 14:25:56 +00:00
description = ''
The user IDs used in NixOS.
'';
};
ids.gids = pkgs.lib.mkOption {
Add lots of missing option types
2013-10-30 17:37:45 +01:00
internal = true;
* Move the uid/gid mappings into a module. This allows other modules to use it through config.ids.{uids,gids} rather than `import relative-path/ids.nix'. svn path=/nixos/branches/modular-nixos/; revision=15796
2009-05-29 14:25:56 +00:00
description = ''
The group IDs used in NixOS.
'';
};
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
config = {
* Declarative specification of user accounts. Jobs can now specify a list of user accounts that the job needs to run. For instance, the SSH daemon job says: { name = "sshd"; uid = (import ../system/ids.nix).uids.sshd; description = "SSH privilege separation user"; home = "/var/empty"; } The activation script creates the system users/groups and updates them as well. So a change in the Nix expression can be realised in /etc/{group,passwd} by running nixos-rebuild. svn path=/nixos/trunk/; revision=8846
2007-06-08 15:41:12 +00:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
ids.uids = {
root = 0;
nscd = 1;
sshd = 2;
ntp = 3;
messagebus = 4; # D-Bus
haldaemon = 5;
nagios = 6;
vsftpd = 7;
ftp = 8;
bitlbee = 9;
avahi = 10;
atd = 12;
zabbix = 13;
postfix = 14;
dovecot = 15;
tomcat = 16;
pulseaudio = 22; # must match `pulseaudio' GID
gpsd = 23;
polkituser = 28;
uptimed = 29;
ddclient = 30;
davfs2 = 31;
privoxy = 32;
osgi = 34;
tor = 35;
cups = 36;
Fix some uid/gid attributes to match the actual user/group name
2014-04-29 10:51:42 +02:00
foldingathome = 37;
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
sabnzbd = 38;
kdm = 39;
Fix some uid/gid attributes to match the actual user/group name
2014-04-29 10:51:42 +02:00
ghostone = 40;
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
git = 41;
Fix some uid/gid attributes to match the actual user/group name
2014-04-29 10:51:42 +02:00
fourstore = 42;
fourstorehttp = 43;
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
virtuoso = 44;
rtkit = 45;
dovecot2 = 46;
dovenull2 = 47;
unbound = 48;
prayer = 49;
mpd = 50;
clamav = 51;
fprot = 52;
bind = 53;
wwwrun = 54;
spamd = 56;
nslcd = 58;
nginx = 60;
chrony = 61;
smtpd = 63;
smtpq = 64;
supybot = 65;
iodined = 66;
graphite = 68;
statsd = 69;
transmission = 70;
postgres = 71;
smbguest = 74;
varnish = 75;
nixos: overhaul datadog module This overhauls the Datadog module a bit to be much more useful. In particular, it adds support for nginx and postgresql monitoring integrations to dd-agent. These have to exist in separate files under /etc/dd-agent, so the module just exposes then as separate options. In the future, more integrations could be added this way. In the process of doing this, I also had to rename the dd-agent user to datadog. Note the UIDs did not change, so this is strictly backwards compatible. The reason for this is to make it easier to create a 'datadog' postgres user with access to pg_stats, as 'dd-agent' typically isn't a valid username. This allows the out of the box configurations to be used. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-02 00:43:27 -05:00
datadog = 76;
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
lighttpd = 77;
lightdm = 78;
freenet = 79;
ircd = 80;
bacula = 81;
almir = 82;
deluge = 83;
mysql = 84;
rabbitmq = 85;
activemq = 86;
gnunet = 87;
oidentd = 88;
quassel = 89;
amule = 90;
minidlna = 91;
elasticsearch = 92;
modules/misc/ids.nix: document the fact that the uid for tcpcryptd is hard-coded in the daemon
2013-09-17 11:22:31 +02:00
tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
zope2 service (plone)
2013-10-02 15:14:35 +02:00
zope2 = 94;
firebird service many suggestions contributed by bjornfor and edolstra
2013-10-05 23:07:22 +02:00
firebird = 95;
nixos/redis: user set uid, make it compatible #1076
2013-10-28 18:14:01 +01:00
redis = 96;
nixos: haproxy module
2013-10-29 15:55:25 +01:00
haproxy = 97;
nixos/mongodb: set static uid to work with #1076
2013-11-07 11:25:14 +01:00
mongodb = 98;
Added openldap user, group and configure service so its not running as root.
2013-11-28 22:21:50 +01:00
openldap = 99;
memcached: set uid to make it work with #1076
2013-12-13 10:05:36 +01:00
memcached = 100;
nixos/cgminer: fix restarts, set uid
2014-01-13 00:18:05 +01:00
cgminer = 101;
nixos: add uid/gid for munin To be compatible with eb2f44c18cb6d300e965308547d8a4dea110f519 (Generate /etc/passwd and /etc/group at build time). Without this you'll get this: $ nixos-rebuild build [...] user-thrown exception: The option `users.extraGroups.unnamed-9.1.gid' is used but not defined.
2014-02-07 23:08:15 +01:00
munin = 102;
nixos: add uid for logcheck and only create a user for the default user
2014-02-11 14:19:06 +01:00
logcheck = 103;
Add module to enable the server for the ssh substituter
2014-02-20 12:34:54 -05:00
nix-ssh = 104;
nixos: Assign uid/gid to dictd's service user.
2014-02-21 12:40:05 +01:00
dictd = 105;
couchdb: add ids
2014-02-27 14:33:30 +01:00
couchdb = 106;
searx: add module
2014-03-07 20:09:59 +01:00
searx = 107;
UID/GID fix for kippo
2014-03-12 03:32:56 -04:00
kippo = 108;
Add jenkins continuous integration server and user. By default the jenkins server is executed under the user "jenkins". Which can be configured using users.jenkins.* options. If a different user is requested by changing services.jenkins.user then none of the users.jenkins options apply. This patch does not include jenkins slave configuration. Some config options will probably change when this is implemented. Aspects like the user and environment are typically identical between slave and master. The service configs are different. The design is for users.jenkins to cover the shared aspects while services.jenkins and services.jenkins-slave cover the master and slave specific aspects, respectively. Another option would be to place everything under services.jenkins and have a config that selects master vs slave.
2014-02-10 12:07:12 -08:00
jenkins = 109;
Merge branch 'pkgs/systemd/journald_http_gateway' of git://github.com/offlinehacker/nixpkgs systemd: python support & journal http gateway Conflicts: nixos/modules/misc/ids.nix
2014-03-14 19:16:59 -04:00
systemd-journal-gateway = 110;
notbit: Add systemd service for a system daemon
2014-03-13 03:45:57 -05:00
notbit = 111;
Add ngircd module
2014-03-19 22:04:35 -04:00
ngircd = 112;
nixos: add BitTorrent Sync service module Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-21 13:05:12 -06:00
btsync = 113;
nixos: add minecraft-server service Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-29 04:48:33 -05:00
minecraft = 114;
Added MonetDB NixOS module.
2014-04-01 20:20:33 +03:00
monetdb = 115;
Merge branch 'rippled' of git://github.com/ehmry/nixpkgs rippled: initial pkg and module expressions Had to change the rippled uid. Conflicts: nixos/modules/misc/ids.nix
2014-04-05 14:23:29 -04:00
rippled = 116;
Merge branch 'murmur' of git://github.com/thoughtpolice/nixpkgs nixos: add Murmur module (Mumble chat) Conflicts: nixos/modules/misc/ids.nix
2014-04-05 15:18:14 -04:00
murmur = 117;
nixos: reserve some uids/gids I have some NixOS modules that I keep out of tree, and having UIDs/GIDs reserved is quite helpful. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-02 11:01:25 -05:00
foundationdb = 118;
newrelic = 119;
starbound = 120;
Allocate system uids/gids between 400 and 500 Previously it was between 100 and 500, but this can already collide with the static uids/guid in misc/ids.nix.
2014-04-29 10:45:06 +02:00
hydra = 122;
spiped = 123;
Add TeamSpeak 3 server & service module (close #2056) Conflicts (trivial): lib/maintainers.nix nixos/modules/misc/ids.nix
2014-03-29 11:40:30 +11:00
teamspeak = 124;
nixos: add influxdb module
2014-05-27 22:54:43 +02:00
influxdb = 125;
nsd-service: add service module for nsd
2014-06-12 11:20:43 +02:00
nsd = 126;
4Store SPARQL endpoint: packaged svn path=/nixos/trunk/; revision=26853
2011-04-15 16:10:17 +00:00
Allocate system uids/gids between 400 and 500 Previously it was between 100 and 500, but this can already collide with the static uids/guid in misc/ids.nix.
2014-04-29 10:45:06 +02:00
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
Add support for the Avahi daemon. The daemon starts correctly but, for some reason, clients fail to connect to it. svn path=/nixos/trunk/; revision=10999
2008-03-06 17:11:22 +00:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
nixbld = 30000; # start of range of uids
nobody = 65534;
};
ids.gids = {
root = 0;
wheel = 1;
kmem = 2;
tty = 3;
messagebus = 4; # D-Bus
haldaemon = 5;
disk = 6;
vsftpd = 7;
ftp = 8;
bitlbee = 9;
avahi = 10;
atd = 12;
postfix = 13;
postdrop = 14;
dovecot = 15;
audio = 17;
floppy = 18;
uucp = 19;
lp = 20;
tomcat = 21;
pulseaudio = 22; # must match `pulseaudio' UID
gpsd = 23;
cdrom = 24;
tape = 25;
video = 26;
dialout = 27;
polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion.
2013-11-09 16:29:18 +01:00
#polkituser = 28; # currently unused, polkitd doesn't need a group
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
utmp = 29;
davfs2 = 31;
privoxy = 32;
disnix = 33;
osgi = 34;
ghostOne = 40;
git = 41;
Fix some uid/gid attributes to match the actual user/group name
2014-04-29 10:51:42 +02:00
fourstore = 42;
fourstorehttpd = 43;
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
virtuoso = 44;
dovecot2 = 46;
prayer = 49;
mpd = 50;
clamav = 51;
fprot = 52;
wwwrun = 54;
adm = 55;
spamd = 56;
networkmanager = 57;
nslcd = 58;
scanner = 59;
nginx = 60;
systemd-journal = 62;
smtpd = 63;
smtpq = 64;
supybot = 65;
iodined = 66;
libvirtd = 67;
graphite = 68;
transmission = 70;
postgres = 71;
vboxusers = 72;
vboxsf = 73;
smbguest = 74;
varnish = 75;
nixos: overhaul datadog module This overhauls the Datadog module a bit to be much more useful. In particular, it adds support for nginx and postgresql monitoring integrations to dd-agent. These have to exist in separate files under /etc/dd-agent, so the module just exposes then as separate options. In the future, more integrations could be added this way. In the process of doing this, I also had to rename the dd-agent user to datadog. Note the UIDs did not change, so this is strictly backwards compatible. The reason for this is to make it easier to create a 'datadog' postgres user with access to pg_stats, as 'dd-agent' typically isn't a valid username. This allows the out of the box configurations to be used. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-02 00:43:27 -05:00
datadog = 76;
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
lighttpd = 77;
lightdm = 78;
freenet = 79;
ircd = 80;
bacula = 81;
almir = 82;
deluge = 83;
mysql = 84;
rabbitmq = 85;
activemq = 86;
gnunet = 87;
oidentd = 88;
quassel = 89;
amule = 90;
minidlna = 91;
nixos: haproxy module
2013-10-29 15:55:25 +01:00
haproxy = 92;
Added openldap user, group and configure service so its not running as root.
2013-11-28 22:21:50 +01:00
openldap = 93;
connman: new packages ConnMan v1.20 and connman-ui
2014-01-04 01:13:26 +01:00
connman = 94;
nixos: add uid/gid for munin To be compatible with eb2f44c18cb6d300e965308547d8a4dea110f519 (Generate /etc/passwd and /etc/group at build time). Without this you'll get this: $ nixos-rebuild build [...] user-thrown exception: The option `users.extraGroups.unnamed-9.1.gid' is used but not defined.
2014-02-07 23:08:15 +01:00
munin = 95;
Add a keys group with read access to /run/keys This allows processes running as unprivileged users access to keys they might need
2014-02-11 07:00:10 -05:00
keys = 96;
nixos: Assign uid/gid to dictd's service user.
2014-02-21 12:40:05 +01:00
dictd = 105;
couchdb: add ids
2014-02-27 14:33:30 +01:00
couchdb = 106;
searx: add module
2014-03-07 20:09:59 +01:00
searx = 107;
UID/GID fix for kippo
2014-03-12 03:32:56 -04:00
kippo = 108;
Add jenkins continuous integration server and user. By default the jenkins server is executed under the user "jenkins". Which can be configured using users.jenkins.* options. If a different user is requested by changing services.jenkins.user then none of the users.jenkins options apply. This patch does not include jenkins slave configuration. Some config options will probably change when this is implemented. Aspects like the user and environment are typically identical between slave and master. The service configs are different. The design is for users.jenkins to cover the shared aspects while services.jenkins and services.jenkins-slave cover the master and slave specific aspects, respectively. Another option would be to place everything under services.jenkins and have a config that selects master vs slave.
2014-02-10 12:07:12 -08:00
jenkins = 109;
Merge branch 'pkgs/systemd/journald_http_gateway' of git://github.com/offlinehacker/nixpkgs systemd: python support & journal http gateway Conflicts: nixos/modules/misc/ids.nix
2014-03-14 19:16:59 -04:00
systemd-journal-gateway = 110;
notbit: Add systemd service for a system daemon
2014-03-13 03:45:57 -05:00
notbit = 111;
fixed monetdb's gid to be the same with its id.
2014-04-01 20:41:37 +03:00
monetdb = 115;
nixos: reserve some uids/gids I have some NixOS modules that I keep out of tree, and having UIDs/GIDs reserved is quite helpful. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-02 11:01:25 -05:00
foundationdb = 118;
newrelic = 119;
starbound = 120;
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
grsecurity = 121;
Fix hydra UID The style for IDs dictates that groups/users should have the same ID - so if a user doesn't have a group or vice versa, then we should skip that ID. In this case, we had already assigned grsecurity GID 121, but I accidentally also assigned Hydra UID 121. Instead, let's assign Hydra UID 122. And also assign a GID (122) as well. Luckily nobody was depending on this yet (except me). Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 02:28:01 -05:00
hydra = 122;
nixos: add spiped service module Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 03:21:53 -05:00
spiped = 123;
Add TeamSpeak 3 server & service module (close #2056) Conflicts (trivial): lib/maintainers.nix nixos/modules/misc/ids.nix
2014-03-29 11:40:30 +11:00
teamspeak = 124;
nixos: add influxdb module
2014-05-27 22:54:43 +02:00
influxdb = 125;
nsd-service: add service module for nsd
2014-06-12 11:20:43 +02:00
nsd = 126;
* Declarative specification of user accounts. Jobs can now specify a list of user accounts that the job needs to run. For instance, the SSH daemon job says: { name = "sshd"; uid = (import ../system/ids.nix).uids.sshd; description = "SSH privilege separation user"; home = "/var/empty"; } The activation script creates the system users/groups and updates them as well. So a change in the Nix expression can be realised in /etc/{group,passwd} by running nixos-rebuild. svn path=/nixos/trunk/; revision=8846
2007-06-08 15:41:12 +00:00
Allocate system uids/gids between 400 and 500 Previously it was between 100 and 500, but this can already collide with the static uids/guid in misc/ids.nix.
2014-04-29 10:45:06 +02:00
# When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
4Store SPARQL endpoint: packaged svn path=/nixos/trunk/; revision=26853
2011-04-15 16:10:17 +00:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module.
2013-09-04 13:05:09 +02:00
users = 100;
nixbld = 30000;
nogroup = 65534;
};
* Add some groups required by the latest udev. svn path=/nixos/trunk/; revision=16667
2009-08-11 09:17:30 +00:00
* Declarative specification of user accounts. Jobs can now specify a list of user accounts that the job needs to run. For instance, the SSH daemon job says: { name = "sshd"; uid = (import ../system/ids.nix).uids.sshd; description = "SSH privilege separation user"; home = "/var/empty"; } The activation script creates the system users/groups and updates them as well. So a change in the Nix expression can be realised in /etc/{group,passwd} by running nixos-rebuild. svn path=/nixos/trunk/; revision=8846
2007-06-08 15:41:12 +00:00
};
}
Reference in New Issue Copy Permalink