Merge 'master' into x-updates

This commit is contained in:
Vladimír Čunát 2014-04-19 13:16:57 +02:00
commit 4d39c5427d
1132 changed files with 24211 additions and 10569 deletions


@ -164,7 +164,7 @@ meta.hydraPlatforms = [];
<listitem><para>If set to <literal>true</literal>, the package is
marked as “broken”, meaning that it wont show up in
<literal>nix-env -qa</literal>, and cannot be built or installed.
Sush packages should be removed from Nixpkgs eventually unless
Such packages should be removed from Nixpkgs eventually unless
they are fixed.</para></listitem>
</varlistentry>


@ -71,7 +71,7 @@ $ git add pkgs/development/libraries/libfoo/default.nix</screen>
<listitem>
<para>GNU Multiple Precision arithmetic library (GMP): <link
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/gmp/5.1.1.nix"><filename>pkgs/development/libraries/gmp/5.1.1.nix</filename></link>.
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/gmp/5.1.x.nix"><filename>pkgs/development/libraries/gmp/5.1.x.nix</filename></link>.
Also done by the generic builder, but has a dependency on
<varname>m4</varname>.</para>
</listitem>


@ -298,6 +298,13 @@ executed and in what order:
</listitem>
</varlistentry>
<varlistentry>
<term><varname>preFixupPhases</varname></term>
<listitem>
<para>Additional phases executed just before the fixup phase.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>preDistPhases</varname></term>
<listitem>


@ -64,6 +64,12 @@
url = https://fedoraproject.org/wiki/Licensing/BSD;
};
cc-by-30 = {
shortName = "CC BY 3.0";
fullName = "Creative Commons Attribution 3.0";
url = http://creativecommons.org/licenses/by/3.0;
};
cddl = {
shortName = "CDDL";
fullName = "Common Development Distribution License ";


@ -226,4 +226,5 @@ in rec {
deepSeqList = xs: y: if any (x: deepSeq x false) xs then y else y;
crossLists = f: foldl (fs: args: concatMap (f: map f args) fs) [f];
}
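Review bot: The inner lambda parameter `f` in `concatMap (f: map f args) fs` shadows the outer `f` argument of `crossLists`; the result is still correct because the outer `f` is only used as the fold seed `[f]`, but the reuse makes the fold hard to read and easy to break on a later edit. Renaming the inner binder, `crossLists = f: foldl (fs: args: concatMap (g: map g args) fs) [f];`, removes the shadowing without changing behaviour. The header's single added line suggests `crossLists` is the new definition here, so a one-line contract comment would also help, e.g. `# crossLists f [xs ys …]: apply f to every combination of one element per list, the first list varying slowest`. The enclosing `in rec { … }` set starts outside the hunk.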


@ -28,7 +28,8 @@
coroa = "Jonas Hörsch <jonas@chaoflow.net>";
edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
ertes = "Ertugrul Söylemez <es@ertes.de>";
emery = "Emery Hemingawy <emery@vfemail.net>";
ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
falsifian = "James Cook <james.cook@utoronto.ca>";
garbas = "Rok Garbas <rok@garbas.si>";
goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
@ -38,6 +39,7 @@
iElectric = "Domen Kozar <domen@dev.si>";
iyzsong = "Song Wenwu <iyzsong@gmail.com>";
jcumming = "Jack Cummings <jack@mudshark.org>";
jwiegley = "John Wiegley <johnw@newartisans.com>";
kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
lethalman = "Luca Bruno <lucabru@src.gnome.org>";


@ -31,8 +31,7 @@ GetOptions("package|p=s" => \$filter,
"maintainer|m=s" => \$maintainer,
"file|f=s" => \$path,
"help" => sub { showHelp() }
)
or die("syntax: $0 ...\n");
) or exit 1;
# Evaluate Nixpkgs into an XML representation.
my $xml = `nix-env -f '$path' -qa '$filter' --xml --meta --drv-path`;
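Review bot: The new `) or exit 1;` accepts whatever `$path` and `$filter` hold, and the very next line interpolates both into a backtick shell command where single quotes are the only protection; a value containing `'` ends the quoting and the rest is executed by the shell. This is a maintainer script run locally, so the exposure is largely self-inflicted, but the list-form pipe open below removes the shell entirely and also surfaces a non-zero `nix-env` exit status, which the backtick form silently ignores. If `$filter` can still be undef at this point (its default is outside the hunk), keep its default assignment before the call.
```perl
) or exit 1;

# Evaluate Nixpkgs into an XML representation.  List-form open keeps
# $path/$filter out of the shell, so a quote in either cannot inject a command.
open my $nix_env, '-|', 'nix-env', '-f', $path, '-qa', $filter,
    '--xml', '--meta', '--drv-path'
    or die "nix-env failed to start: $!\n";
my $xml = do { local $/; <$nix_env> };
close $nix_env or die "nix-env exited with status " . ($? >> 8) . "\n";
```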


@ -237,7 +237,7 @@ postgresql.package = pkgs.postgresql90;
</section>
<section><title>Abstractions</title>
<section xml:id="sec-module-abstractions"><title>Abstractions</title>
<para>If you find yourself repeating yourself over and over, its time
to abstract. Take, for instance, this Apache HTTP Server configuration:
@ -399,7 +399,7 @@ of an expression to be spliced into a string.</para>
</section>
<section><title>Modularity</title>
<section xml:id="sec-modularity"><title>Modularity</title>
<para>The NixOS configuration mechanism is modular. If your
<filename>configuration.nix</filename> becomes too big, you can split
@ -538,7 +538,7 @@ nix-repl> map (x: x.hostName) config.services.httpd.virtualHosts
</section>
<section><title>Syntax summary</title>
<section xml:id="sec-nix-syntax-summary"><title>Syntax summary</title>
<para>Below is a summary of the most important syntactic constructs in
the Nix expression language. Its not complete. In particular, there
@ -730,7 +730,7 @@ manual</link> for the rest.</para>
<!--===============================================================-->
<section><title>Package management</title>
<section xml:id="sec-package-management"><title>Package management</title>
<para>This section describes how to add additional packages to your
system. NixOS has two distinct styles of package management:
@ -1183,7 +1183,7 @@ fileSystems."/".device = "/dev/mapper/crypted";
<!--===============================================================-->
<section><title>X Window System</title>
<section xml:id="sec-x11"><title>X Window System</title>
<para>The X Window System (X11) provides the basis of NixOS graphical
user interface. It can be enabled as follows:
@ -1275,9 +1275,9 @@ services.xserver.synaptics.twoFingerScroll = true;
<!--===============================================================-->
<section><title>Networking</title>
<section xml:id="sec-networking"><title>Networking</title>
<section><title>Secure shell access</title>
<section xml:id="sec-ssh"><title>Secure shell access</title>
<para>Secure shell (SSH) access to your machine can be enabled by
setting:
@ -1305,7 +1305,7 @@ users.extraUsers.alice.openssh.authorizedKeys.keys =
</section>
<section><title>IPv4 configuration</title>
<section xml:id="sec-ipv4"><title>IPv4 configuration</title>
<para>By default, NixOS uses DHCP (specifically,
<command>dhcpcd</command>) to automatically configure network
@ -1348,7 +1348,7 @@ provide the host name.</para>
</section>
<section><title>IPv6 configuration</title>
<section xml:id="sec-ipv6"><title>IPv6 configuration</title>
<para>IPv6 is enabled by default. Stateless address autoconfiguration
is used to automatically assign IPv6 addresses to all interfaces. You
@ -1363,17 +1363,19 @@ networking.enableIPv6 = false;
</section>
<section><title>Firewall</title>
<section xml:id="sec-firewall"><title>Firewall</title>
<para>NixOS has a simple stateful firewall that blocks incoming
connections and other unexpected packets. The firewall applies to
both IPv4 and IPv6 traffic. It can be enabled as follows:
both IPv4 and IPv6 traffic. It is enabled by default. It can be
disabled as follows:
<programlisting>
networking.firewall.enable = true;
networking.firewall.enable = false;
</programlisting>
You can open specific TCP ports to the outside world:
If the firewall is enabled, you can open specific TCP ports to the
outside world:
<programlisting>
networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -1395,7 +1397,7 @@ always allowed.)</para>
</section>
<section><title>Wireless networks</title>
<section xml:id="sec-wireless"><title>Wireless networks</title>
<para>
NixOS will start wpa_supplicant for you if you enable this setting:
@ -1456,7 +1458,7 @@ networking.localCommands =
<!--===============================================================-->
<section><title>Linux kernel</title>
<section xml:id="sec-kernel-config"><title>Linux kernel</title>
<para>You can override the Linux kernel and associated packages using
the option <option>boot.kernelPackages</option>. For instance, this


@ -0,0 +1,242 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="ch-containers">
<title>Containers</title>
<para>NixOS allows you to easily run other NixOS instances as
<emphasis>containers</emphasis>. Containers are a light-weight
approach to virtualisation that runs software in the container at the
same speed as in the host system. NixOS containers share the Nix store
of the host, making container creation very efficient.</para>
<warning><para>Currently, NixOS containers are not perfectly isolated
from the host system. This means that a user with root access to the
container can do things that affect the host. So you should not give
container root access to untrusted users.</para></warning>
<para>NixOS containers can be created in two ways: imperatively, using
the command <command>nixos-container</command>, and declaratively, by
specifying them in your <filename>configuration.nix</filename>. The
declarative approach implies that containers get upgraded along with
your host system when you run <command>nixos-rebuild</command>, which
is often not what you want. By contrast, in the imperative approach,
containers are configured and updated independently from the host
system.</para>
<section><title>Imperative container management</title>
<para>Well cover imperative container management using
<command>nixos-container</command> first. You create a container with
identifier <literal>foo</literal> as follows:
<screen>
$ nixos-container create foo
</screen>
This creates the containers root directory in
<filename>/var/lib/containers/foo</filename> and a small configuration
file in <filename>/etc/containers/foo.conf</filename>. It also builds
the containers initial system configuration and stores it in
<filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You
can modify the initial configuration of the container on the command
line. For instance, to create a container that has
<command>sshd</command> running, with the given public key for
<literal>root</literal>:
<screen>
$ nixos-container create foo --config 'services.openssh.enable = true; \
users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
</screen>
</para>
<para>Creating a container does not start it. To start the container,
run:
<screen>
$ nixos-container start foo
</screen>
This command will return as soon as the container has booted and has
reached <literal>multi-user.target</literal>. On the host, the
container runs within a systemd unit called
<literal>container@<replaceable>container-name</replaceable>.service</literal>.
Thus, if something went wrong, you can get status info using
<command>systemctl</command>:
<screen>
$ systemctl status container@foo
</screen>
</para>
<para>If the container has started succesfully, you can log in as
root using the <command>root-login</command> operation:
<screen>
$ nixos-container root-login foo
[root@foo:~]#
</screen>
Note that only root on the host can do this (since there is no
authentication). You can also get a regular login prompt using the
<command>login</command> operation, which is available to all users on
the host:
<screen>
$ nixos-container login foo
foo login: alice
Password: ***
</screen>
With <command>nixos-container run</command>, you can execute arbitrary
commands in the container:
<screen>
$ nixos-container run foo -- uname -a
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
</screen>
</para>
<para>There are several ways to change the configuration of the
container. First, on the host, you can edit
<literal>/var/lib/container/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>,
and run
<screen>
$ nixos-container update foo
</screen>
This will build and activate the new configuration. You can also
specify a new configuration on the command line:
<screen>
$ nixos-container update foo --config 'services.httpd.enable = true; \
services.httpd.adminAddr = "foo@example.org";'
$ curl http://$(nixos-container show-ip foo)/
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
</screen>
However, note that this will overwrite the containers
<filename>/etc/nixos/configuration.nix</filename>.</para>
<para>Alternatively, you can change the configuration from within the
container itself by running <command>nixos-rebuild switch</command>
inside the container. Note that the container by default does not have
a copy of the NixOS channel, so you should run <command>nix-channel
--update</command> first.</para>
<para>Containers can be stopped and started using
<literal>nixos-container stop</literal> and <literal>nixos-container
start</literal>, respectively, or by using
<command>systemctl</command> on the containers service unit. To
destroy a container, including its file system, do
<screen>
$ nixos-container destroy foo
</screen>
</para>
</section>
<section><title>Declarative container specification</title>
<para>You can also specify containers and their configuration in the
hosts <filename>configuration.nix</filename>. For example, the
following specifies that there shall be a container named
<literal>database</literal> running PostgreSQL:
<programlisting>
containers.database =
{ config =
{ config, pkgs, ... }:
{ services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql92;
};
};
</programlisting>
If you run <literal>nixos-rebuild switch</literal>, the container will
be built and started. If the container was already running, it will be
updated in place, without rebooting.</para>
<para>By default, declarative containers share the network namespace
of the host, meaning that they can listen on (privileged)
ports. However, they cannot change the network configuration. You can
give a container its own network as follows:
<programlisting>
containers.database =
{ privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
};
</programlisting>
This gives the container a private virtual Ethernet interface with IP
address <literal>192.168.100.11</literal>, which is hooked up to a
virtual Ethernet interface on the host with IP address
<literal>192.168.100.10</literal>. (See the next section for details
on container networking.)</para>
<para>To disable the container, just remove it from
<filename>configuration.nix</filename> and run <literal>nixos-rebuild
switch</literal>. Note that this will not delete the root directory of
the container in <literal>/var/lib/containers</literal>.</para>
</section>
<section><title>Networking</title>
<para>When you create a container using <literal>nixos-container
create</literal>, it gets it own private IPv4 address in the range
<literal>10.233.0.0/16</literal>. You can get the containers IPv4
address as follows:
<screen>
$ nixos-container show-ip foo
10.233.4.2
$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
</screen>
</para>
<para>Networking is implemented using a pair of virtual Ethernet
devices. The network interface in the container is called
<literal>eth0</literal>, while the matching interface in the host is
called <literal>c-<replaceable>container-name</replaceable></literal>
(e.g., <literal>c-foo</literal>). The container has its own network
namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it
can perform arbitrary network configuration such as setting up
firewall rules, without affecting or having access to the hosts
network.</para>
<para>By default, containers cannot talk to the outside network. If
you want that, you should set up Network Address Translation (NAT)
rules on the host to rewrite container traffic to use your external
IP address. This can be accomplished using the following configuration
on the host:
<programlisting>
networking.nat.enable = true;
networking.nat.internalInterfaces = ["c-+"];
networking.nat.externalInterface = "eth0";
</programlisting>
where <literal>eth0</literal> should be replaced with the desired
external interface. Note that <literal>c-+</literal> is a wildcard
that matches all container interfaces.</para>
</section>
</chapter>


@ -1,5 +1,6 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="ch-development">
<title>Development</title>
@ -9,7 +10,7 @@ NixOS.</para>
<!--===============================================================-->
<section>
<section xml:id="sec-getting-sources">
<title>Getting the sources</title>
@ -74,7 +75,7 @@ in <filename>nixos/</filename> as packages.</para>
<!--===============================================================-->
<section>
<section xml:id="sec-writing-modules">
<title>Writing NixOS modules</title>
@ -188,9 +189,9 @@ commands to be executed periodically by <command>cron</command>).</para>
<example xml:id='locate-example'><title>NixOS module for the “locate” service</title>
<programlisting>
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let locatedb = "/var/cache/locatedb"; in
@ -579,7 +580,7 @@ systemd.services.dhcpcd =
<!--===============================================================-->
<section>
<section xml:id="sec-building-parts">
<title>Building specific parts of NixOS</title>
@ -692,7 +693,7 @@ $ systemctl start tmp-httpd.service
<!--===============================================================-->
<section>
<section xml:id="sec-building-cd">
<title>Building your own NixOS CD</title>
@ -748,57 +749,310 @@ $ ./result/bin/nixos-install</screen>
<!--===============================================================-->
<section><title>Whole-system testing using virtual machines</title>
<section xml:id="sec-nixos-tests">
<para>Complete NixOS GNU/Linux systems can be tested in virtual
machines (VMs). This makes it possible to test a system upgrade or
configuration change before rebooting into it, using the
<command>nixos-rebuild build-vm</command> or <command>nixos-rebuild
build-vm-with-bootloader</command> command.</para>
<title>NixOS tests</title>
<!-- The following is adapted from
http://wiki.nixos.org/wiki/NixOS_VM_tests, by Eelco Dolstra. -->
<para>The <filename>tests/</filename> directory in the NixOS source
tree contains several <emphasis>whole-system unit tests</emphasis>.
These tests can be run<footnote><para>NixOS tests can be run both from
NixOS and from a non-NixOS GNU/Linux distribution, provided the Nix
package manager is installed.</para></footnote> from the NixOS source
tree as follows:
<para>When you add some feature to NixOS, you should write a test for
it. NixOS tests are kept in the directory <filename
xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/tests">nixos/tests</filename>,
and are executed (using Nix) by a testing framework that automatically
starts one or more virtual machines containing the NixOS system(s)
required for the test.</para>
<simplesect><title>Writing tests</title>
<para>A NixOS test is a Nix expression that has the following structure:
<programlisting>
import ./make-test.nix {
# Either the configuration of a single machine:
machine =
{ config, pkgs, ... }:
{ <replaceable>configuration…</replaceable>
};
# Or a set of machines:
nodes =
{ <replaceable>machine1</replaceable> =
{ config, pkgs, ... }: { <replaceable></replaceable> };
<replaceable>machine2</replaceable> =
{ config, pkgs, ... }: { <replaceable></replaceable> };
};
testScript =
''
<replaceable>Perl code…</replaceable>
'';
}
</programlisting>
The attribute <literal>testScript</literal> is a bit of Perl code that
executes the test (described below). During the test, it will start
one or more virtual machines, the configuration of which is described
by the attribute <literal>machine</literal> (if you need only one
machine in your test) or by the attribute <literal>nodes</literal> (if
you need multiple machines). For instance, <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename>
only needs a single machine to test whether users can log in on the
virtual console, whether device ownership is correctly maintained when
switching between consoles, and so on. On the other hand, <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nfs.nix">nfs.nix</filename>,
which tests NFS client and server functionality in the Linux kernel
(including whether locks are maintained across server crashes),
requires three machines: a server and two clients.</para>
<para>There are a few special NixOS configuration options for test
VMs:
<!-- FIXME: would be nice to generate this automatically. -->
<variablelist>
<varlistentry>
<term><option>virtualisation.memorySize</option></term>
<listitem><para>The memory of the VM in
megabytes.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>virtualisation.vlans</option></term>
<listitem><para>The virtual networks to which the VM is
connected. See <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nat.nix">nat.nix</filename>
for an example.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>virtualisation.writableStore</option></term>
<listitem><para>By default, the Nix store in the VM is not
writable. If you enable this option, a writable union file system
is mounted on top of the Nix store to make it appear
writable. This is necessary for tests that run Nix operations that
modify the store.</para></listitem>
</varlistentry>
</variablelist>
For more options, see the module <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix">qemu-vm.nix</filename>.</para>
<para>The test script is a sequence of Perl statements that perform
various actions, such as starting VMs, executing commands in the VMs,
and so on. Each virtual machine is represented as an object stored in
the variable <literal>$<replaceable>name</replaceable></literal>,
where <replaceable>name</replaceable> is the identifier of the machine
(which is just <literal>machine</literal> if you didnt specify
multiple machines using the <literal>nodes</literal> attribute). For
instance, the following starts the machine, waits until it has
finished booting, then executes a command and checks that the output
is more-or-less correct:
<programlisting>
$machine->start;
$machine->waitForUnit("default.target");
$machine->succeed("uname") =~ /Linux/;
</programlisting>
The first line is actually unnecessary; machines are implicitly
started when you first execute an action on them (such as
<literal>waitForUnit</literal> or <literal>succeed</literal>). If you
have multiple machines, you can speed up the test by starting them in
parallel:
<programlisting>
startAll;
</programlisting>
</para>
<para>The following methods are available on machine objects:
<variablelist>
<varlistentry>
<term><methodname>start</methodname></term>
<listitem><para>Start the virtual machine. This method is
asynchronous — it does not wait for the machine to finish
booting.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>shutdown</methodname></term>
<listitem><para>Shut down the machine, waiting for the VM to
exit.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>crash</methodname></term>
<listitem><para>Simulate a sudden power failure, by telling the VM
to exit immediately.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>block</methodname></term>
<listitem><para>Simulate unplugging the Ethernet cable that
connects the machine to the other machines.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>unblock</methodname></term>
<listitem><para>Undo the effect of
<methodname>block</methodname>.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>screenshot</methodname></term>
<listitem><para>Take a picture of the display of the virtual
machine, in PNG format. The screenshot is linked from the HTML
log.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>sendMonitorCommand</methodname></term>
<listitem><para>Send a command to the QEMU monitor. This is rarely
used, but allows doing stuff such as attaching virtual USB disks
to a running machine.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>sendKeys</methodname></term>
<listitem><para>Simulate pressing keys on the virtual keyboard,
e.g., <literal>sendKeys("ctrl-alt-delete")</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>sendChars</methodname></term>
<listitem><para>Simulate typing a sequence of characters on the
virtual keyboard, e.g., <literal>sendKeys("foobar\n")</literal>
will type the string <literal>foobar</literal> followed by the
Enter key.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>execute</methodname></term>
<listitem><para>Execute a shell command, returning a list
<literal>(<replaceable>status</replaceable>,
<replaceable>stdout</replaceable>)</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>succeed</methodname></term>
<listitem><para>Execute a shell command, raising an exception if
the exit status is not zero, otherwise returning the standard
output.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>fail</methodname></term>
<listitem><para>Like <methodname>succeed</methodname>, but raising
an exception if the command returns a zero status.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitUntilSucceeds</methodname></term>
<listitem><para>Repeat a shell command with 1-second intervals
until it succeeds.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitUntilFails</methodname></term>
<listitem><para>Repeat a shell command with 1-second intervals
until it fails.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForUnit</methodname></term>
<listitem><para>Wait until the specified systemd unit has reached
the “active” state.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForFile</methodname></term>
<listitem><para>Wait until the specified file
exists.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForOpenPort</methodname></term>
<listitem><para>Wait until a process is listening on the given TCP
port (on <literal>localhost</literal>, at least).</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForClosedPort</methodname></term>
<listitem><para>Wait until nobody is listening on the given TCP
port.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForX</methodname></term>
<listitem><para>Wait until the X11 server is accepting
connections.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForWindow</methodname></term>
<listitem><para>Wait until an X11 window has appeared whose name
matches the given regular expression, e.g.,
<literal>waitForWindow(qr/Terminal/)</literal>.</para></listitem>
</varlistentry>
</variablelist>
</para>
</simplesect>
<simplesect><title>Running tests</title>
<para>You can run tests using <command>nix-build</command>. For
example, to run the test <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename>,
you just do:
<screen>
$ nix-build tests/ -A nfs.test
$ nix-build '&lt;nixpkgs/nixos/tests/login.nix>'
</screen>
This performs an automated test of the NFS client and server
functionality in the Linux kernel, including file locking semantics
(e.g., whether locks are maintained across server crashes). It will
first build or download all the dependencies of the test (e.g., all
packages needed to run a NixOS VM). The test is defined in <link
xlink:href="https://nixos.org/repos/nix/nixos/trunk/tests/nfs.nix">
<filename>tests/nfs.nix</filename></link>. If the test succeeds,
<command>nix-build</command> will place a symlink
<filename>./result</filename> in the current directory pointing at the
location in the Nix store of the test results (e.g., screenshots, test
reports, and so on). In particular, a pretty-printed log of the test
is written to <filename>log.html</filename>, which can be viewed using
a web browser like this:
or, if you dont want to rely on <envar>NIX_PATH</envar>:
<screen>
$ cd /my/nixpkgs/nixos/tests
$ nix-build login.nix
running the VM test script
machine: QEMU running (pid 8841)
6 out of 6 tests succeeded
</screen>
After building/downloading all required dependencies, this will
perform a build that starts a QEMU/KVM virtual machine containing a
NixOS system. The virtual machine mounts the Nix store of the host;
this makes VM creation very fast, as no disk image needs to be
created. Afterwards, you can view a pretty-printed log of the test:
<screen>
$ firefox result/log.html
</screen>
</para>
<para>It is also possible to run the test environment interactively,
allowing you to experiment with the VMs. For example:
<screen>
$ nix-build tests/ -A nfs.driver
$ nix-build login.nix -A driver
$ ./result/bin/nixos-run-vms
</screen>
The script <command>nixos-run-vms</command> starts the three virtual
machines defined in the NFS test using QEMU/KVM. The root file system
of the VMs is created on the fly and kept across VM restarts in
The script <command>nixos-run-vms</command> starts the virtual
machines defined by test. The root file system of the VMs is created
on the fly and kept across VM restarts in
<filename>./</filename><varname>hostname</varname><filename>.qcow2</filename>.</para>
<para>Finally, the test itself can be run interactively. This is
@ -811,17 +1065,11 @@ starting VDE switch for network 1
&gt;
</screen>
Perl statements can now be typed in to start or manipulate the VMs:
You can then take any Perl statement, e.g.
<screen>
&gt; startAll;
(the VMs start booting)
&gt; $server-&gt;waitForJob("nfs-kernel-nfsd");
&gt; $client1-&gt;succeed("flock -x /data/lock -c 'sleep 100000' &amp;");
&gt; $client2-&gt;fail("flock -n -s /data/lock true");
&gt; $client1-&gt;shutdown;
(this releases client1's lock)
&gt; $client2-&gt;succeed("flock -n -s /data/lock true");
&gt; startAll
&gt; $machine->succeed("touch /tmp/foo")
</screen>
The function <command>testScript</command> executes the entire test
@ -829,54 +1077,7 @@ script and drops you back into the test driver command line upon its
completion. This allows you to inspect the state of the VMs after the
test (e.g. to debug the test script).</para>
<para>This and other tests are continuously run on <link
xlink:href="http://hydra.nixos.org/jobset/nixos/trunk">the Hydra
instance at <literal>nixos.org</literal></link>, which allows
developers to be notified of any regressions introduced by a NixOS or
Nixpkgs change.</para>
<para>The actual Nix programming interface to VM testing is in NixOS,
under <link
xlink:href="https://nixos.org/repos/nix/nixos/trunk/lib/testing.nix">
<filename>lib/testing.nix</filename></link>. This file defines a
function which takes an attribute set containing a
<literal>nixpkgs</literal> attribute (the path to a Nixpkgs checkout),
and a <literal>system</literal> attribute (the system type). It
returns an attribute set containing several utility functions, among
which the main entry point is <literal>makeTest</literal>.
</para>
<para>The <literal>makeTest</literal> function takes a function
similar to that found in <link
xlink:href="https://nixos.org/repos/nix/nixos/trunk/tests/nfs.nix">
<filename>tests/nfs.nix</filename></link> (discussed above). It
returns an attribute set containing (among others):
<variablelist>
<varlistentry>
<term><varname>test</varname></term>
<listitem><para>A derivation containing the test log as an HTML
file, as seen above, suitable for presentation in the Hydra
continuous build system.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>report</varname></term>
<listitem><para>A derivation containing a code coverage report, with
meta-data suitable for Hydra.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>driver</varname></term>
<listitem><para>A derivation containing scripts to run the VM test or
interact with the VM network interactively, as seen above.</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</simplesect>
</section>


@ -1,13 +1,13 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="installing-nixos">
xml:id="ch-installation">
<title>Installing NixOS</title>
<!--===============================================================-->
<section>
<section xml:id="sec-obtaining">
<title>Obtaining NixOS</title>
@ -51,7 +51,7 @@ running NixOS system through several other means:
<!--===============================================================-->
<section>
<section xml:id="sec-installation">
<title>Installation</title>
@ -339,7 +339,7 @@ changes:
<section>
<title>Booting from a USB stick</title>
<title xml:id="sec-booting-from-usb">Booting from a USB stick</title>
<para>For systems withoua CD drive, the NixOS livecd can be booted from
a usb stick. For non-UEFI installations,


@ -54,12 +54,13 @@
<xi:include href="running.xml" />
<!-- <xi:include href="userconfiguration.xml" /> -->
<xi:include href="troubleshooting.xml" />
<xi:include href="containers.xml" />
<xi:include href="development.xml" />
<xi:include href="release-notes.xml" />
<appendix xml:id="ch-options">
<title>List of options</title>
<title>Configuration options</title>
<xi:include href="options-db.xml" />
</appendix>


@ -18,13 +18,12 @@
<variablelist>
<xsl:for-each select="attrs">
<xsl:variable name="id" select="concat('opt-', str:replace(str:replace(str:replace(str:replace(attr[@name = 'name']/string/@value, '*', '_'), '&lt;', '_'), '>', '_'), '?', '_'))" />
<varlistentry>
<term xml:id="{generate-id(attr[@name = 'name']/string/@value)}" xlink:href="#{generate-id(attr[@name = 'name']/string/@value)}">
<term xlink:href="#{$id}">
<xsl:attribute name="xml:id"><xsl:value-of select="$id"/></xsl:attribute>
<option>
<xsl:for-each select="attr[@name = 'name']/string">
<xsl:value-of select="@value" />
<xsl:if test="position() != last()">.</xsl:if>
</xsl:for-each>
<xsl:value-of select="attr[@name = 'name']/string/@value" />
</option>
</term>
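Review bot: The id built at L1793 maps only `*`, `<`, `>` and `?` to `_`, so any other character that is not legal in an `xml:id` NCName (space, quotes, `/`) would still yield an invalid id, and two option names that differ only in one of those four characters produce the same id. I cannot tell from this hunk which characters option names are allowed to contain; if they are restricted to those four plus NCName characters, say so on the `xsl:variable`, e.g. `<!-- option names only ever contain NCName chars plus * < > ?, each mapped to _ -->`. If they are not, the replacement list needs to grow or the old `generate-id` fallback should be kept for the unhandled cases.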


@ -5,9 +5,9 @@
<!--==================================================================-->
<section xml:id="sec-release-14.02">
<section xml:id="sec-release-14.04">
<title>Release 14.02 (“Baboon”, 2014/02/??)</title>
<title>Release 14.04 (“Baboon”, 2014/04/??)</title>
<para>This is the second stable release branch of NixOS. The main
enhancements are the following:
@ -18,13 +18,9 @@ enhancements are the following:
<xref linkend="sec-uefi-installation"/> for
details.</para></listitem>
<listitem><para>NixOS is now based on Glibc 2.18 and GCC
<listitem><para>NixOS is now based on Glibc 2.19 and GCC
4.8.</para></listitem>
<listitem><para>The mysql55 service has been merged into the
mysql service, which no longer sets a default for the 'package
option.</para></listitem>
</itemizedlist>
</para>
@ -34,10 +30,41 @@ following incompatible changes:
<itemizedlist>
<listitem><para>Nixpkgs no longer exposes unfree packages by
default. If your NixOS configuration requires unfree packages from
Nixpkgs, you need to enable support for them explicitly by setting:
<programlisting>
nixpkgs.config.allowUnfree = true;
</programlisting>
Otherwise, you get an error message such as:
<screen>
error: package nvidia-x11-331.49-3.12.17 in ‘…/nvidia-x11/default.nix:56
has an unfree license, refusing to evaluate
</screen>
</para></listitem>
<listitem><para>The firewall is now enabled by default. If you dont
want this, you need to disable it explicitly:
<programlisting>
networking.firewall.enable = false;
</programlisting>
</para></listitem>
<listitem><para>The option
<option>boot.loader.grub.memtest86</option> has been renamed to
<option>boot.loader.grub.memtest86.enable</option>.</para></listitem>
<listitem><para>The <literal>mysql55</literal> service has been
merged into the <literal>mysql</literal> service, which no longer
sets a default for the option
<option>services.mysql.package</option>.</para></listitem>
</itemizedlist>
</para>


@ -11,7 +11,7 @@ service manager.</para>
<!--===============================================================-->
<section><title>Service management</title>
<section xml:id="sec-systemctl"><title>Service management</title>
<para>In NixOS, all system services are started and monitored using
the systemd program. Systemd is the “init” process of the system
@ -92,7 +92,7 @@ necessary).</para>
<!--===============================================================-->
<section><title>Rebooting and shutting down</title>
<section xml:id="sec-rebooting"><title>Rebooting and shutting down</title>
<para>The system can be shut down (and automatically powered off) by
doing:
@ -134,7 +134,7 @@ authentication.</para>
<!--===============================================================-->
<section><title>User sessions</title>
<section xml:id="sec-user-sessions"><title>User sessions</title>
<para>Systemd keeps track of all users who are logged into the system
(e.g. on a virtual console or remotely via SSH). The command
@ -185,7 +185,7 @@ $ loginctl terminate-session c3
<!--===============================================================-->
<section><title>Control groups</title>
<section xml:id="sec-cgroups"><title>Control groups</title>
<para>To keep track of the processes in a running system, systemd uses
<emphasis>control groups</emphasis> (cgroups). A control group is a
@ -258,7 +258,7 @@ usage.</para>
<!--===============================================================-->
<section><title>Logging</title>
<section xml:id="sec-logging"><title>Logging</title>
<para>System-wide logging is provided by systemds
<emphasis>journal</emphasis>, which subsumes traditional logging
@ -308,7 +308,7 @@ groups. All users have a private journal that can be read using
<!--===============================================================-->
<section><title>Cleaning up the Nix store</title>
<section xml:id="sec-nix-gc"><title>Cleaning up the Nix store</title>
<para>Nix has a purely functional model, meaning that packages are
never upgraded in place. Instead new versions of packages end up in a


@ -1,12 +1,13 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="ch-troubleshooting">
<title>Troubleshooting</title>
<!--===============================================================-->
<section><title>Boot problems</title>
<section xml:id="sec-boot-problems"><title>Boot problems</title>
<para>If NixOS fails to boot, there are a number of kernel command
line parameters that may help you to identify or fix the issue. You
@ -69,7 +70,7 @@ unless something is very wrong.)</para>
<!--===============================================================-->
<section><title>Maintenance mode</title>
<section xml:id="sec-maintenance-mode"><title>Maintenance mode</title>
<para>You can enter rescue mode by running:
@ -85,7 +86,7 @@ just exit from the rescue shell.</para>
<!--===============================================================-->
<section><title>Rolling back configuration changes</title>
<section xml:id="sec-rollback"><title>Rolling back configuration changes</title>
<para>After running <command>nixos-rebuild</command> to switch to a
new configuration, you may find that the new configuration doesnt
@ -131,7 +132,7 @@ lrwxrwxrwx 1 root root 78 Aug 12 13:54 /nix/var/nix/profiles/system-268-link ->
<!--===============================================================-->
<section><title>Nix store corruption</title>
<section xml:id="sec-nix-store-corruption"><title>Nix store corruption</title>
<para>After a system crash, its possible for files in the Nix store
to become corrupted. (For instance, the Ext4 file system has the
@ -166,7 +167,7 @@ binary cache; otherwise, they cannot be repaired.</para>
<!--===============================================================-->
<section><title>Nix network issues</title>
<section xml:id="sec-nix-network-issues"><title>Nix network issues</title>
<para>Nix uses a so-called <emphasis>binary cache</emphasis> to
optimise building a package from source into downloading it as a


@ -26,10 +26,15 @@ rec {
# These are the extra arguments passed to every module. In
# particular, Nixpkgs is passed through the "pkgs" argument.
# FIXME: we enable config.allowUnfree to make packages like
# nvidia-x11 available. This isn't a problem because if the user has
# nixpkgs.config.allowUnfree = false, then evaluation will fail on
# the 64-bit package anyway. However, it would be cleaner to respect
# nixpkgs.config here.
extraArgs = extraArgs_ // {
inherit pkgs modules baseModules;
modulesPath = ../modules;
pkgs_i686 = import ./nixpkgs.nix { system = "i686-linux"; };
pkgs_i686 = import ./nixpkgs.nix { system = "i686-linux"; config.allowUnfree = true; };
utils = import ./utils.nix pkgs;
};


@ -147,7 +147,7 @@ sub runTests {
$log->nest("syncing", sub {
foreach my $vm (values %vms) {
next unless $vm->isUp();
$vm->execute("sync /tmp/xchg");
$vm->execute("sync");
}
});


@ -67,57 +67,55 @@ rec {
};
makeTest = testFun: complete (call testFun);
makeTests = testsFun: lib.mapAttrs (name: complete) (call testsFun);
makeTest =
{ testScript, makeCoverageReport ? false, ... } @ t:
apply = makeTest; # compatibility
call = f: f { inherit pkgs system; };
let
complete = { testScript, ... } @ t: t // rec {
nodes = buildVirtualNetwork (
t.nodes or (if t ? machine then { machine = t.machine; } else { }));
nodes = buildVirtualNetwork (
t.nodes or (if t ? machine then { machine = t.machine; } else { }));
testScript' =
# Call the test script with the computed nodes.
if builtins.isFunction testScript
then testScript { inherit nodes; }
else testScript;
testScript =
# Call the test script with the computed nodes.
if builtins.isFunction t.testScript
then t.testScript { inherit nodes; }
else t.testScript;
vlans = map (m: m.config.virtualisation.vlans) (lib.attrValues nodes);
vlans = map (m: m.config.virtualisation.vlans) (lib.attrValues nodes);
vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
# Generate onvenience wrappers for running the test driver
# interactively with the specified network, and for starting the
# VMs from the command line.
driver = runCommand "nixos-test-driver"
{ buildInputs = [ makeWrapper];
testScript = testScript';
preferLocalBuild = true;
}
''
mkdir -p $out/bin
echo "$testScript" > $out/test-script
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
wrapProgram $out/bin/nixos-test-driver \
--add-flags "$vms" \
--run "testScript=\"\$(cat $out/test-script)\"" \
--set testScript '"$testScript"' \
--set VLANS '"${toString vlans}"'
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
wrapProgram $out/bin/nixos-run-vms \
--add-flags "$vms" \
--set tests '"startAll; joinAll;"' \
--set VLANS '"${toString vlans}"' \
${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
''; # "
# Generate onvenience wrappers for running the test driver
# interactively with the specified network, and for starting the
# VMs from the command line.
driver = runCommand "nixos-test-driver"
{ buildInputs = [ makeWrapper];
inherit testScript;
preferLocalBuild = true;
}
''
mkdir -p $out/bin
echo "$testScript" > $out/test-script
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
wrapProgram $out/bin/nixos-test-driver \
--add-flags "$vms" \
--run "testScript=\"\$(cat $out/test-script)\"" \
--set testScript '"$testScript"' \
--set VLANS '"${toString vlans}"'
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
wrapProgram $out/bin/nixos-run-vms \
--add-flags "$vms" \
--set tests '"startAll; joinAll;"' \
--set VLANS '"${toString vlans}"' \
${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
''; # "
test = runTests driver;
test = runTests driver;
report = releaseTools.gcovReport { coverageRuns = [ test ]; };
report = releaseTools.gcovReport { coverageRuns = [ test ]; };
};
in (if makeCoverageReport then report else test) // { inherit driver test; };
runInMachine =
@ -147,7 +145,7 @@ rec {
exit $?
'';
testscript = ''
testScript = ''
startAll;
$client->waitForUnit("multi-user.target");
${preBuild}
@ -160,7 +158,7 @@ rec {
${coreutils}/bin/mkdir $out
${coreutils}/bin/mkdir -p vm-state-client/xchg
export > vm-state-client/xchg/saved-env
export tests='${testscript}'
export tests='${testScript}'
${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm
''; # */
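Review bot: The rewritten `makeTest` (L969–L1048) returns `(if makeCoverageReport then report else test) // { inherit driver test; }`, so the result exposes `driver` and `test` but no `report` attribute and no `nodes`, while the manual text at the top of this page still lists `report` among the attributes `makeTest` returns. `makeTests` and the `apply` alias (old L968, L971) are dropped as well, so any caller still using them fails to evaluate; I cannot see the callers from here. Either keep the report reachable (`// { inherit driver test report; }`) or update the manual to say it is obtained by passing `makeCoverageReport = true`, and add a comment above the `in` stating what the returned set is, e.g. `# Result: the test derivation (or the gcov report), with driver/test exposed for Hydra.` The comment at L1018 reads `onvenience`.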


@ -0,0 +1,14 @@
#! /bin/sh -e
export NIX_PATH=nixpkgs=../../../..
export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix
export TIMESTAMP=$(date +%Y%m%d%H%M)
nix-build '<nixpkgs/nixos>' \
-A config.system.build.googleComputeImage --argstr system x86_64-linux -o gce --option extra-binary-caches http://hydra.nixos.org -j 10
img=$(echo gce/*.tar.gz)
if ! gsutil ls gs://nixos/$(basename $img); then
gsutil cp $img gs://nixos/$(basename $img)
fi
gcutil addimage $(basename $img .raw.tar.gz | sed 's|\.|-|' | sed 's|_|-|') gs://nixos/$(basename $img)
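Review bot: The `-e` in the shebang `#! /bin/sh -e` (L1070) is silently lost when someone runs `sh create-gce.sh`, which is exactly the problem the nixos-rebuild change in this commit fixes by switching to a plain shebang plus `set -e`; do the same here. The image name at L1080 is derived with `sed 's|\.|-|'` and `sed 's|_|-|'`, which rewrite only the first `.` and first `_`, so a version with several dots keeps the rest; if every such character must go, use `sed 's|\.|-|g; s|_|-|g'`. `extra-binary-caches http://hydra.nixos.org` (L1075) pulls substitutes over plain HTTP; unless this Nix version verifies signatures on the fetched NARs, anything on the network path can place arbitrary store contents into the published image, so at least a comment should record that assumption.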


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
options = {


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
with pkgs;
let


@ -1,8 +1,8 @@
# /etc files related to networking, such as /etc/services.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
options = {


@ -1,8 +1,8 @@
# Configuration for the Name Service Switch (/etc/nsswitch.conf).
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
with pkgs;
let


@ -1,9 +1,9 @@
# This module defines a global environment configuration and
# a common configuration for all shells.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, utils, ... }:
{ config, lib, pkgs, utils, ... }:
with pkgs.lib;
with lib;
with utils;
{


@ -1,12 +1,12 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
sysctlOption = mkOptionType {
name = "sysctl option value";
check = x: isBool x || isString x || isInt x;
check = x: isBool x || isString x || isInt x || isNull x;
merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix.
};
@ -29,8 +29,9 @@ in
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
parameters names must be enclosed in quotes
(e.g. <literal>"vm.swappiness"</literal> instead of
<literal>vm.swappiness</literal>). The value of each parameter
may be a string, integer or Boolean.
<literal>vm.swappiness</literal>). The value of each
parameter may be a string, integer, boolean, or null
(signifying the option will not appear at all).
'';
};
@ -39,7 +40,9 @@ in
config = {
environment.etc."sysctl.d/nixos.conf".text =
concatStrings (mapAttrsToList (n: v: "${n}=${if v == false then "0" else toString v}\n") config.boot.kernel.sysctl);
concatStrings (mapAttrsToList (n: v:
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl =
{ description = "Apply Kernel Variables";
@ -65,8 +68,9 @@ in
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
boot.kernel.sysctl."kernel.kptr_restrict" = 1;
#
# Removed under grsecurity.
boot.kernel.sysctl."kernel.kptr_restrict" =
if config.security.grsecurity.enable then null else 1;
};
}
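Review bot: The comment `# Removed under grsecurity.` (L1274) does not say what goes wrong if `kernel.kptr_restrict` is written anyway, which is the whole reason for picking `null` (the new "omit the line" value) over `1` here. Make it self-contained, e.g. `# grsecurity kernels do not expose kernel.kptr_restrict; null drops the line so systemd-sysctl does not fail on it.` I am inferring the failure mode from the change rather than from the hunk, so confirm it against the grsecurity kernel before wording it as fact.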


@ -1,9 +1,9 @@
# This module defines the packages that appear in
# /run/current-system/sw.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
@ -46,6 +46,7 @@ let
pkgs.rsync
pkgs.strace
pkgs.sysvtools
pkgs.su
pkgs.time
pkgs.usbutils
pkgs.utillinux
@ -134,6 +135,10 @@ in
if [ -x $out/bin/glib-compile-schemas -a -w $out/share/glib-2.0/schemas ]; then
$out/bin/glib-compile-schemas $out/share/glib-2.0/schemas
fi
if [ -x $out/bin/update-desktop-database -a -w $out/share/applications ]; then
$out/bin/update-desktop-database $out/share/applications
fi
'';
};
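Review bot: `pkgs.su` is added to the system path (L1294), but a file in the Nix store cannot be setuid, so the `su` reached through `/run/current-system/sw/bin` only works if the setuid-wrapper directory comes earlier in PATH for every user; that ordering is not visible in this hunk, so confirm it. A user who reorders PATH gets a non-setuid `su` that fails in a confusing way, so a comment next to the entry would help: `# non-setuid copy; the setuid wrapper must precede this directory in PATH`.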


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
options = {


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
# unixODBC drivers (this solution is not perfect.. Because the user has to
# ask the admin to add a driver.. but it's simple and works


@ -1,12 +1,15 @@
{pkgs, config, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
ids = config.ids;
cfg = config.users;
nonUidUsers = filterAttrs (n: u: u.createUser && u.uid == null) cfg.extraUsers;
nonGidGroups = filterAttrs (n: g: g.gid == null) cfg.extraGroups;
passwordDescription = ''
The options <literal>hashedPassword</literal>,
<literal>password</literal> and <literal>passwordFile</literal>
@ -31,7 +34,10 @@ let
name = mkOption {
type = types.str;
description = "The name of the user account. If undefined, the name of the attribute set will be used.";
description = ''
The name of the user account. If undefined, the name of the
attribute set will be used.
'';
};
description = mkOption {
@ -46,8 +52,14 @@ let
};
uid = mkOption {
type = with types; uniq int;
description = "The account UID.";
type = with types; nullOr int;
default = null;
description = ''
The account UID. If the <literal>mutableUsers</literal> option
is false, the UID cannot be null. Otherwise, the UID might be
null, in which case a free UID is picked on activation (by the
useradd command).
'';
};
group = mkOption {
@ -151,12 +163,21 @@ let
name = mkOption {
type = types.str;
description = "The name of the group. If undefined, the name of the attribute set will be used.";
description = ''
The name of the group. If undefined, the name of the attribute set
will be used.
'';
};
gid = mkOption {
type = with types; uniq int;
description = "The GID of the group.";
type = with types; nullOr int;
default = null;
description = ''
The group GID. If the <literal>mutableUsers</literal> option
is false, the GID cannot be null. Otherwise, the GID might be
null, in which case a free GID is picked on activation (by the
groupadd command).
'';
};
members = mkOption {
@ -218,13 +239,15 @@ let
groupFile = pkgs.writeText "group" (
concatStringsSep "\n" (map (g: mkGroupEntry g.name) (
sortOn "gid" (attrValues cfg.extraGroups)
let f = g: g.gid != null; in
sortOn "gid" (filter f (attrValues cfg.extraGroups))
))
);
passwdFile = pkgs.writeText "passwd" (
concatStringsSep "\n" (map (u: mkPasswdEntry u.name) (
sortOn "uid" (filter (u: u.createUser) (attrValues cfg.extraUsers))
let f = u: u.createUser && (u.uid != null); in
sortOn "uid" (filter f (attrValues cfg.extraUsers))
))
);
@ -261,11 +284,11 @@ let
then builtins.trace "Duplicate ${idAttr} ${id}" { dup = true; acc = null; }
else { dup = false; acc = newAcc; }
) { dup = false; acc = {}; } (builtins.attrNames set)).dup;
uidsAreUnique = idsAreUnique cfg.extraUsers "uid";
gidsAreUnique = idsAreUnique cfg.extraGroups "gid";
in
{
uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.extraUsers) "uid";
gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.extraGroups) "gid";
in {
###### interface
@ -369,6 +392,7 @@ in
home = "/root";
shell = cfg.defaultUserShell;
group = "root";
extraGroups = [ "grsecurity" ];
hashedPassword = mkDefault config.security.initialRootPassword;
};
nobody = {
@ -397,6 +421,7 @@ in
nixbld.gid = ids.gids.nixbld;
utmp.gid = ids.gids.utmp;
adm.gid = ids.gids.adm;
grsecurity.gid = ids.gids.grsecurity;
};
system.activationScripts.users =
@ -424,16 +449,31 @@ in
}
fi
'';
mkhome = n: u:
let
uid = toString u.uid;
gid = toString ((getGroup u.group).gid);
h = u.home;
in ''
test -a "${h}" || mkdir -p "${h}" || true
test "$(stat -c %u "${h}")" = ${uid} || chown ${uid} "${h}" || true
test "$(stat -c %g "${h}")" = ${gid} || chgrp ${gid} "${h}" || true
'';
mkhome = n: u: ''
uid="$(id -u ${u.name})"
gid="$(id -g ${u.name})"
h="${u.home}"
test -a "$h" || mkdir -p "$h" || true
test "$(stat -c %u "$h")" = $uid || chown $uid "$h" || true
test "$(stat -c %g "$h")" = $gid || chgrp $gid "$h" || true
'';
groupadd = n: g: ''
if [ -z "$(getent group "${g.name}")" ]; then
echo "Adding group ${g.name}"
${pkgs.shadow}/sbin/groupadd "${g.name}"
fi
'';
useradd = n: u: ''
if ! id "${u.name}" &>/dev/null; then
echo "Adding user ${u.name}"
${pkgs.shadow}/sbin/useradd \
-g "${u.group}" \
-s "${u.shell}" \
-d "${u.home}" \
"${u.name}"
echo "${u.name}:x" | ${pkgs.shadow}/sbin/chpasswd -e
fi
'';
in stringAfter [ "etc" ] ''
touch /etc/group
touch /etc/passwd
@ -441,6 +481,8 @@ in
VISUAL=${merger passwdFile} ${pkgs.shadow}/sbin/vipw &>/dev/null
${pkgs.shadow}/sbin/grpconv
${pkgs.shadow}/sbin/pwconv
${concatStrings (mapAttrsToList groupadd nonGidGroups)}
${concatStrings (mapAttrsToList useradd nonUidUsers)}
${concatStrings (mapAttrsToList mkhome mkhomeUsers)}
${concatStrings (mapAttrsToList setpw setpwUsers)}
'';
@ -448,7 +490,17 @@ in
# for backwards compatibility
system.activationScripts.groups = stringAfter [ "users" ] "";
assertions = [ { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique); message = "uids and gids must be unique!"; } ];
assertions = [
{ assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
message = "uids and gids must be unique!";
}
{ assertion = cfg.mutableUsers || (nonUidUsers == {});
message = "When mutableUsers is false, no uid can be null";
}
{ assertion = cfg.mutableUsers || (nonGidGroups == {});
message = "When mutableUsers is false, no gid can be null";
}
];
};
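Review bot: In the new `useradd` helper, `echo "${u.name}:x" | ${pkgs.shadow}/sbin/chpasswd -e` (L1468) stores the literal string `x` as the encrypted password, which is not a valid hash and so locks the account until the `setpw` step later in the same script (L1481) sets the real one; nothing says so, and a reader may take it for a bug — add `# "x" is not a valid hash: the account stays locked until setpw below sets one.` In `mkhome`, `$uid` and `$gid` (L1447–L1452) are expanded unquoted in the `test` comparisons; if `id -u` fails for a user that `useradd` did not manage to create, `$uid` is empty, the comparison degenerates to `test 1000 =`, and the `chown $uid "$h"` fallback runs with no owner argument before `|| true` hides it. Quote them (`test "$(stat -c %u "$h")" = "$uid" || chown "$uid" "$h" || true`) and skip the user when `id` fails. `mkdir -p "$h"` also creates new home directories with whatever umask the activation script inherits, so their mode is unspecified; consider `mkdir -p -m 700` or a comment stating the intended mode. The `let` holding these helpers starts outside the hunk.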


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let kernelVersion = config.boot.kernelPackages.kernel.version; in


@ -39,8 +39,7 @@ in {
default = false;
description = ''
Make S3TC(S3 Texture Compression) via libtxc_dxtn available
to OpenGL drivers. It is essential for many games to work
with FOSS GPU drivers.
to OpenGL drivers instead of the patent-free S2TC replacement.
Using this library may require a patent license depending on your location.
'';
@ -89,17 +88,25 @@ in {
else if elem "ati_unfree" cfg.videoDrivers then
"ln -sf ${kernelPackages.ati_drivers_x11} /run/opengl-driver"
else
let
lib_fun = p: p.buildEnv {
name = "mesa-drivers+txc-${p.mesa_drivers.version}";
paths = [
p.mesa_drivers
p.mesa_noglu # mainly for libGL
(if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
];
};
in
''
${optionalString cfg.driSupport "ln -sf ${pkgs.mesa_drivers} /run/opengl-driver"}
${optionalString cfg.driSupport "ln -sf ${lib_fun pkgs} /run/opengl-driver"}
${optionalString cfg.driSupport32Bit
"ln -sf ${pkgs_i686.mesa_drivers} /run/opengl-driver-32"}
"ln -sf ${lib_fun pkgs_i686} /run/opengl-driver-32"}
''
);
environment.variables.LD_LIBRARY_PATH =
[ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ]
++ optional cfg.s3tcSupport "${pkgs.libtxc_dxtn}/lib"
++ optional (cfg.s3tcSupport && cfg.driSupport32Bit) "${pkgs_i686.libtxc_dxtn}/lib";
[ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ];
boot.extraModulePackages =
optional (elem "nvidia" cfg.videoDrivers) kernelPackages.nvidia_x11 ++
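Review bot: `lib_fun` (L1552) names the env `mesa-drivers+txc-${p.mesa_drivers.version}` whether `libtxc_dxtn` or `libtxc_dxtn_s2tc` went into it, so the two variants are indistinguishable by name in the store and in `nix-store -q` output; encode the choice, e.g. `name = "mesa-drivers+${if cfg.s3tcSupport then "s3tc" else "s2tc"}-${p.mesa_drivers.version}";`. Style: the other let-bindings on this page (`kernelPackages`, `passwdFile`, `nonUidUsers`) are camelCase, so `mesaDriversEnv` would fit better than `lib_fun`, and a one-line comment saying why `mesa_noglu` is in the env beyond what `# mainly for libGL` conveys would help the next reader.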


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
let kernel = config.boot.kernelPackages; in
with pkgs.lib;
with lib;
{


@ -1,9 +1,9 @@
# Provide an initial copy of the NixOS channel so that the user
# doesn't need to run "nix-channel --update" first.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
@ -28,7 +28,7 @@ in
{
# Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required
# for nixos-install.
boot.postBootCommands =
boot.postBootCommands = mkAfter
''
if ! [ -e /var/lib/nixos/did-channel-init ]; then
echo "unpacking the NixOS/Nixpkgs sources..."


@ -1,9 +1,9 @@
# This module contains the basic configuration for building a NixOS
# installation CD.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
imports =
@ -29,8 +29,9 @@ with pkgs.lib;
boot.kernel.sysctl."vm.overcommit_memory" = "1";
# To speed up installation a little bit, include the complete stdenv
# in the Nix store on the CD.
isoImage.storeContents = [ pkgs.stdenv pkgs.busybox ];
# in the Nix store on the CD. Archive::Cpio is needed for the
# initrd builder.
isoImage.storeContents = [ pkgs.stdenv pkgs.busybox pkgs.perlPackages.ArchiveCpio ];
# EFI booting
isoImage.makeEfiBootable = true;


@ -1,9 +1,9 @@
# This module defines a NixOS installation CD that contains X11 and
# KDE 4.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
imports = [ ./installation-cd-base.nix ../../profiles/graphical.nix ];


@ -2,9 +2,9 @@
# configuration. The derivation for the ISO image will be placed in
# config.system.build.isoImage.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,9 +1,9 @@
# This module contains the basic configuration for building a NixOS
# tarball, that can directly boot, maybe using PXE or unpacking on a fs.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,9 +1,9 @@
# This module contains the basic configuration for building a NixOS
# tarball for the sheevaplug.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -2,9 +2,9 @@
# configuration. The derivation for the ISO image will be placed in
# config.system.build.tarball.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,8 +1,8 @@
# List all devices which are detected by nixos-hardware-scan.
# Common devices are enabled by default.
{config, pkgs, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
config = mkDefault {


@ -1,8 +1,8 @@
# List all devices which are _not_ detected by nixos-hardware-scan.
# Common devices are enabled by default.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
hardware.enableAllFirmware = true;


@ -1,9 +1,9 @@
# This module generates the nixos-checkout script, which replaces the
# Nixpkgs source trees in /etc/nixos/nixpkgs with a Git checkout.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -96,9 +96,9 @@ my $videoDriver;
sub pciCheck {
my $path = shift;
my $vendor = read_file "$path/vendor";
my $device = read_file "$path/device";
my $class = read_file "$path/class";
my $vendor = read_file "$path/vendor"; chomp $vendor;
my $device = read_file "$path/device"; chomp $device;
my $class = read_file "$path/class"; chomp $class;
my $module;
if (-e "$path/driver/module") {
@ -130,6 +130,7 @@ sub pciCheck {
# broadcom STA driver (wl.ko)
# list taken from http://www.broadcom.com/docs/linux_sta/README.txt
# FIXME: still needed?
if ($vendor eq "0x14e4" &&
($device eq "0x4311" || $device eq "0x4312" || $device eq "0x4313" ||
$device eq "0x4315" || $device eq "0x4327" || $device eq "0x4328" ||
@ -156,6 +157,7 @@ sub pciCheck {
# Assume that all NVIDIA cards are supported by the NVIDIA driver.
# There may be exceptions (e.g. old cards).
# FIXME: do we want to enable an unfree driver here?
$videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/;
}
@ -170,9 +172,9 @@ push @attrs, "hardware.opengl.videoDrivers = [ \"$videoDriver\" ];" if $videoDri
sub usbCheck {
my $path = shift;
my $class = read_file "$path/bInterfaceClass";
my $subclass = read_file "$path/bInterfaceSubClass";
my $protocol = read_file "$path/bInterfaceProtocol";
my $class = read_file "$path/bInterfaceClass"; chomp $class;
my $subclass = read_file "$path/bInterfaceSubClass"; chomp $subclass;
my $protocol = read_file "$path/bInterfaceProtocol"; chomp $protocol;
my $module;
if (-e "$path/driver/module") {
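Review bot: Each of the new lines (L1746–L1748, L1770–L1772) packs two statements on one line, `my $vendor = read_file "$path/vendor"; chomp $vendor;`; if `read_file` is File::Slurp's it accepts a `chomp => 1` option and each pair collapses to `my $vendor = read_file("$path/vendor", chomp => 1);`, otherwise put the `chomp` on its own line. Separately, none of these reads is guarded: a sysfs node missing one of the attributes makes `read_file` die (or return undef with a warning, depending on the implementation) and aborts the whole scan instead of skipping that device, so consider `err_mode => 'quiet'` plus `return unless defined $vendor;`. The `pciCheck` and `usbCheck` bodies continue outside the hunk.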


@ -1,4 +1,6 @@
#! @shell@ -e
#! @shell@
set -e
showSyntax() {
exec man nixos-rebuild
@ -7,6 +9,7 @@ showSyntax() {
# Parse the command line.
origArgs=("$@")
extraBuildFlags=()
action=
buildNix=1
@ -76,8 +79,30 @@ done
if [ -z "$action" ]; then showSyntax; fi
if [ -n "$rollback" ]; then
buildNix=
# Only run shell scripts from the Nixpkgs tree if the action is
# "switch", "boot", or "test". With other actions (such as "build"),
# the user may reasonably expect that no code from the Nixpkgs tree is
# executed, so it's safe to run nixos-rebuild against a potentially
# untrusted tree.
canRun=
if [ "$action" = switch -o "$action" = boot -o "$action" = test ]; then
canRun=1
fi
# If --upgrade is given, run nix-channel --update nixos.
if [ -n "$upgrade" -a -z "$_NIXOS_REBUILD_REEXEC" ]; then
nix-channel --update nixos
fi
# Re-execute nixos-rebuild from the Nixpkgs tree.
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
if p=$(nix-instantiate --find-file nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh "${extraBuildFlags[@]}"); then
export _NIXOS_REBUILD_REEXEC=1
exec $SHELL -e $p "${origArgs[@]}"
exit 1
fi
fi
@ -98,20 +123,33 @@ if [ -z "$repair" ] && systemctl show nix-daemon.socket nix-daemon.service | gre
fi
# If --upgrade is given, run nix-channel --update nixos.
if [ -n "$upgrade" ]; then
nix-channel --update nixos
# First build Nix, since NixOS may require a newer version than the
# current one.
if [ -n "$rollback" -o "$action" = dry-run ]; then
buildNix=
fi
# First build Nix, since NixOS may require a newer version than the
# current one. Of course, the same goes for Nixpkgs, but Nixpkgs is
# more conservative.
if [ "$action" != dry-run -a -n "$buildNix" ]; then
if [ -n "$buildNix" ]; then
echo "building Nix..." >&2
if ! nix-build '<nixpkgs/nixos>' -A config.nix.package -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
if ! nix-build '<nixpkgs/nixos>' -A nixFallback -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
nix-build '<nixpkgs>' -A nixUnstable -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null
if ! nix-build '<nixpkgs>' -A nix -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
machine="$(uname -m)"
if [ "$machine" = x86_64 ]; then
nixStorePath=/nix/store/d34q3q2zj9nriq4ifhn3dnnngqvinjb3-nix-1.7
elif [[ "$machine" =~ i.86 ]]; then
nixStorePath=/nix/store/qlah0darpcn6sf3lr2226rl04l1gn4xz-nix-1.7
else
echo "$0: unsupported platform"
exit 1
fi
if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
--option extra-binary-caches http://cache.nixos.org/; then
echo "warning: don't know how to get latest Nix" >&2
fi
# Older version of nix-store -r don't support --add-root.
[ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
fi
fi
fi
PATH=$tmpDir/nix/bin:$PATH
@ -120,10 +158,12 @@ fi
# Update the version suffix if we're building from Git (so that
# nixos-version shows something useful).
if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
suffix=$(@shell@ $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}" || true)
if [ -n "$suffix" ]; then
echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
if [ -n "$canRun" ]; then
if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
suffix=$($SHELL $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}" || true)
if [ -n "$suffix" ]; then
echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
fi
fi
fi


@ -80,9 +80,9 @@ in
/*
options = {
installer.enableGraphicalTools = pkgs.lib.mkOption {
installer.enableGraphicalTools = mkOption {
default = false;
type = with pkgs.lib.types; bool;
type = types.bool;
example = true;
description = ''
Enable the installation of graphical tools.


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
imports =


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ pkgs, ... }:
{ lib, ... }:
with pkgs.lib;
with lib;
{
options = {


@ -1,6 +1,6 @@
{pkgs, config, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
crashdump = config.boot.crashDump;


@ -123,6 +123,14 @@
ngircd = 112;
btsync = 113;
minecraft = 114;
monetdb = 115;
rippled = 116;
murmur = 117;
foundationdb = 118;
newrelic = 119;
starbound = 120;
hydra = 122;
spiped = 123;
# When adding a uid, make sure it doesn't match an existing gid.
@ -221,6 +229,13 @@
jenkins = 109;
systemd-journal-gateway = 110;
notbit = 111;
monetdb = 115;
foundationdb = 118;
newrelic = 119;
starbound = 120;
grsecurity = 121;
hydra = 122;
spiped = 123;
# When adding a gid, make sure it doesn't match an existing uid.


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
isConfig = x:


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -62,6 +62,7 @@
./security/apparmor-suid.nix
./security/ca.nix
./security/duosec.nix
./security/grsecurity.nix
./security/pam.nix
./security/pam_usb.nix
./security/polkit.nix
@ -95,6 +96,16 @@
./services/databases/openldap.nix
./services/databases/postgresql.nix
./services/databases/virtuoso.nix
./services/databases/monetdb.nix
./services/desktops/accountservice.nix
./services/desktops/gnome3/at-spi2-core.nix
./services/desktops/gnome3/evolution-data-server.nix
./services/desktops/gnome3/gnome-keyring.nix
./services/desktops/gnome3/gnome-online-accounts.nix
./services/desktops/gnome3/gnome-user-share.nix
./services/desktops/gnome3/sushi.nix
./services/desktops/gnome3/tracker.nix
./services/desktops/telepathy.nix
./services/games/ghost-one.nix
./services/games/minecraft-server.nix
./services/hardware/acpid.nix
@ -132,6 +143,7 @@
./services/misc/nix-gc.nix
./services/misc/nix-ssh-serve.nix
./services/misc/nixos-manual.nix
./services/misc/rippled.nix
./services/misc/rogue.nix
./services/misc/svnserve.nix
./services/misc/synergy.nix
@ -151,12 +163,14 @@
./services/network-filesystems/drbd.nix
./services/network-filesystems/nfsd.nix
./services/network-filesystems/openafs-client/default.nix
./services/network-filesystems/rsyncd.nix
./services/network-filesystems/samba.nix
./services/networking/amuled.nix
./services/networking/avahi-daemon.nix
./services/networking/bind.nix
./services/networking/bitlbee.nix
./services/networking/btsync.nix
./services/networking/cjdns.nix
./services/networking/connman.nix
./services/networking/cntlm.nix
./services/networking/chrony.nix
@ -180,6 +194,7 @@
./services/networking/ircd-hybrid/default.nix
./services/networking/kippo.nix
./services/networking/minidlna.nix
./services/networking/murmur.nix
./services/networking/nat.nix
./services/networking/networkmanager.nix
./services/networking/ngircd.nix
@ -197,7 +212,9 @@
./services/networking/rpcbind.nix
./services/networking/sabnzbd.nix
./services/networking/searx.nix
./services/networking/spiped.nix
./services/networking/supybot.nix
./services/networking/syncthing.nix
./services/networking/ssh/lshd.nix
./services/networking/ssh/sshd.nix
./services/networking/tftpd.nix
@ -297,6 +314,7 @@
./tasks/scsi-link-power-management.nix
./tasks/swraid.nix
./testing/service-runner.nix
./virtualisation/container-config.nix
./virtualisation/containers.nix
./virtualisation/libvirtd.nix
#./virtualisation/nova.nix
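Review bot: `./services/databases/monetdb.nix` is inserted after `./services/databases/virtuoso.nix`, which breaks the alphabetical order the rest of the databases group keeps (openldap, postgresql, virtuoso); it belongs before `./services/databases/openldap.nix`. The other additions in this section (grsecurity, the gnome3 desktop services, rippled, rsyncd, cjdns, murmur, spiped, syncthing, container-config) land in order, so this is the only entry that a reader scanning the list will miss. The module list continues outside the hunks shown.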


@ -1,6 +1,6 @@
{ config, pkgs, modules, ... }:
{ config, lib, pkgs, modules, ... }:
with pkgs.lib;
with lib;
let


@ -1,9 +1,9 @@
# Common configuration for headless machines (e.g., Amazon EC2
# instances).
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
sound.enable = false;


@ -1,7 +1,7 @@
# Provide a basic configuration for installation devices like CDs.
{ config, pkgs, modules, ... }:
{ config, lib, ... }:
with pkgs.lib;
with lib;
{
imports =
@ -45,7 +45,7 @@ with pkgs.lib;
# Enable wpa_supplicant, but don't start it by default.
networking.wireless.enable = true;
jobs.wpa_supplicant.startOn = pkgs.lib.mkOverride 50 "";
jobs.wpa_supplicant.startOn = mkOverride 50 "";
# Tell the Nix evaluator to garbage collect more aggressively.
# This is desirable in memory-constrained environments that don't


@ -1,8 +1,8 @@
# Global configuration for atop.
{config, pkgs, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let cfg = config.programs.atop;


@ -1,9 +1,9 @@
# This module defines global configuration for the Bash shell, in
# particular /etc/bashrc and /etc/profile.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -3,9 +3,9 @@
# SQLite database that maps program names to Nix package names (e.g.,
# "pdflatex" is mapped to "tetex").
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -2,9 +2,9 @@
# Most of the stuff here should probably be moved elsewhere sometime.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,8 +1,8 @@
# Configuration for the pwdutils suite of tools: passwd, useradd, etc.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,8 +1,8 @@
# This module defines a standard configuration for NixOS shells.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,8 +1,8 @@
# Global configuration for the SSH client.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let cfg = config.programs.ssh;
cfgd = config.services.openssh;
@ -31,7 +31,7 @@ in
setXAuthLocation = mkOption {
type = types.bool;
default = true;
default = config.services.xserver.enable;
description = ''
Whether to set the path to <command>xauth</command> for X11-forwarded connections.
This causes a dependency on X11 packages.
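Review bot: The new default `config.services.xserver.enable` for `setXAuthLocation` is not reflected in the option's description, which still reads as if the xauth path is always set, so a user on a headless system will not learn from the docs why X11 forwarding behaves differently than before. Append a sentence to the description such as `By default this is only enabled when <literal>services.xserver.enable</literal> is set, so headless systems do not pull in X11 packages.` The rest of the option block and the surrounding `let` scope continue outside the hunk.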


@ -3,9 +3,9 @@
# directly to an SMTP server defined in its configuration file, wihout
# queueing mail locally.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{config, pkgs, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
cfg = config.services.venus;


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let virtualbox = config.boot.kernelPackages.virtualbox; in


@ -1,8 +1,8 @@
# Global configuration for wvdial.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,8 +1,8 @@
# This module defines global configuration for the zshell.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, options, ... }:
{ config, lib, options, ... }:
with pkgs.lib;
with lib;
let


@ -1,8 +1,8 @@
{pkgs, config, ...}:
{ config, lib, pkgs, ... }:
let
cfg = config.security.apparmor;
in
with pkgs.lib;
with lib;
{
options.security.apparmor.confineSUIDApplications = mkOption {


@ -1,55 +1,39 @@
{pkgs, config, ...}:
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.apparmor;
in
with pkgs.lib;
{
###### interface
options = {
security.apparmor = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable AppArmor application security system. Enable only if
you want to further improve AppArmor.
'';
description = "Enable the AppArmor Mandatory Access Control system.";
};
profiles = mkOption {
type = types.listOf types.path;
default = [];
description = ''
List of file names of AppArmor profiles.
'';
description = "List of files containing AppArmor profiles.";
};
};
};
###### implementation
config = mkIf (cfg.enable) {
assertions = [ { assertion = config.boot.kernelPackages.kernel.features ? apparmor
&& config.boot.kernelPackages.kernel.features.apparmor;
message = "AppArmor is enabled, but the kernel doesn't have AppArmor support"; }
];
config = mkIf cfg.enable {
assertions =
[ { assertion = config.boot.kernelPackages.kernel.features ? apparmor
&& config.boot.kernelPackages.kernel.features.apparmor;
message = "Your selected kernel does not have AppArmor support";
}
];
environment.systemPackages = [ pkgs.apparmor ];
systemd.services.apparmor = {
#wantedBy = [ "basic.target" ];
wantedBy = [ "local-fs.target" ];
path = [ pkgs.apparmor ];
path = [ pkgs.apparmor ];
serviceConfig = {
Type = "oneshot";
@ -61,9 +45,6 @@ with pkgs.lib;
''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
) cfg.profiles;
};
};
};
}
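Review bot: The rewritten `systemd.services.apparmor` unit is `Type = "oneshot"` and wanted by `local-fs.target`, but no `RemainAfterExit` is visible in its serviceConfig, so once the profiles are loaded the unit reports inactive and nothing ties the enforced state to the unit's lifetime; adding `RemainAfterExit = "yes";` beside `Type = "oneshot";` would make `systemctl status apparmor` reflect that profiles are loaded. The second hunk only shows the per-profile `apparmor_parser -Rv` loop and no stop action that unloads profiles, which is worth recording in a comment on the service if it is intentional. The serviceConfig attribute set spans the gap between the two hunks, outside what is shown.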


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
cfg = config.security.duosec;


@ -0,0 +1,443 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.grsecurity;
mkKernel = kernel: patch:
assert patch.kversion == kernel.version;
{ inherit kernel patch;
inherit (patch) grversion revision;
};
stable-patch = with pkgs.kernelPatches;
if cfg.vserver then grsecurity_vserver else grsecurity_stable;
stableKernel = mkKernel pkgs.linux_3_2 stable-patch;
testKernel = mkKernel pkgs.linux_3_13 pkgs.kernelPatches.grsecurity_unstable;
## -- grsecurity configuration -----------------------------------------------
grsecPrioCfg =
if cfg.config.priority == "security" then
"GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
else
"GRKERNSEC_CONFIG_PRIORITY_PERF y";
grsecSystemCfg =
if cfg.config.system == "desktop" then
"GRKERNSEC_CONFIG_DESKTOP y"
else
"GRKERNSEC_CONFIG_SERVER y";
grsecVirtCfg =
if cfg.config.virtualisationConfig == "none" then
"GRKERNSEC_CONFIG_VIRT_NONE y"
else if cfg.config.virtualisationConfig == "host" then
"GRKERNSEC_CONFIG_VIRT_HOST y"
else
"GRKERNSEC_CONFIG_VIRT_GUEST y";
grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
if cfg.config.hardwareVirtualisation == true then
"GRKERNSEC_CONFIG_VIRT_EPT y"
else
"GRKERNSEC_CONFIG_VIRT_SOFT y";
grsecVirtswCfg =
let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
in
if cfg.config.virtualisationConfig == "none" then ""
else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
else virtCfg "VIRTUALBOX";
grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
GRKERNSEC_CONFIG_AUTO y
${grsecPrioCfg}
${grsecSystemCfg}
${grsecVirtCfg}
${grsecHwvirtCfg}
${grsecVirtswCfg}
'';
grsecConfig =
let boolToKernOpt = b: if b then "y" else "n";
# Disable RANDSTRUCT under virtualbox, as it has some kind of
# breakage with the vbox guest drivers
randstruct = optionalString config.services.virtualbox.enable
"GRKERNSEC_RANDSTRUCT n";
# Disable restricting links under the testing kernel, as something
# has changed causing it to fail miserably during boot.
restrictLinks = optionalString cfg.testing
"GRKERNSEC_LINK n";
in ''
SECURITY_APPARMOR y
DEFAULT_SECURITY_APPARMOR y
GRKERNSEC y
${grsecMainConfig}
${if cfg.config.restrictProc then
"GRKERNSEC_PROC_USER y"
else
optionalString cfg.config.restrictProcWithGroup ''
GRKERNSEC_PROC_USERGROUP y
GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
''
}
GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
${randstruct}
${restrictLinks}
${cfg.config.kernelExtraConfig}
'';
## -- grsecurity kernel packages ---------------------------------------------
localver = grkern:
"-grsec" + optionalString cfg.config.verboseVersion
"-${grkern.grversion}-${grkern.revision}";
grsecurityOverrider = args: grkern: {
# Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
# include libgmp headers, so we need these extra tweaks
buildInputs = args.buildInputs ++ [ pkgs.gmp ];
preConfigure = ''
${args.preConfigure or ""}
sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
rm localversion-grsec
echo ${localver grkern} > localversion-grsec
'';
};
mkGrsecPkg = grkern:
let kernelPkg = lowPrio (overrideDerivation (grkern.kernel.override (args: {
kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
argsOverride = {
modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
};
extraConfig = grsecConfig;
})) (args: grsecurityOverrider args grkern));
in pkgs.linuxPackagesFor kernelPkg (mkGrsecPkg grkern);
grsecPackage = mkGrsecPkg (if cfg.stable then stableKernel else testKernel);
in
{
options = {
security.grsecurity = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable grsecurity support. This enables advanced exploit
hardening for the Linux kernel, and adds support for
administrative Role-Based Acess Control (RBAC) via
<literal>gradm</literal>. It also includes traditional
utilities for PaX.
'';
};
stable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the stable grsecurity patch, based on Linux 3.2.
'';
};
vserver = mkOption {
type = types.bool;
default = false;
description = ''
Enable the stable grsecurity/vserver patches, based on Linux 3.2.
'';
};
testing = mkOption {
type = types.bool;
default = false;
description = ''
Enable the testing grsecurity patch, based on Linux 3.13.
'';
};
config = {
mode = mkOption {
type = types.str;
default = "auto";
example = "custom";
description = ''
grsecurity configuration mode. This specifies whether
grsecurity is auto-configured or otherwise completely
manually configured. Can either by
<literal>custom</literal> or <literal>auto</literal>.
<literal>auto</literal> is recommended.
'';
};
priority = mkOption {
type = types.str;
default = "security";
example = "performance";
description = ''
grsecurity configuration priority. This specifies whether
the kernel configuration should emphasize speed or
security. Can either by <literal>security</literal> or
<literal>performance</literal>.
'';
};
system = mkOption {
type = types.str;
default = "";
example = "desktop";
description = ''
grsecurity system configuration. This specifies whether
the kernel configuration should be suitable for a Desktop
or a Server. Can either by <literal>server</literal> or
<literal>desktop</literal>.
'';
};
virtualisationConfig = mkOption {
type = types.str;
default = "none";
example = "host";
description = ''
grsecurity virtualisation configuration. This specifies
the virtualisation role of the machine - that is, whether
it will be a virtual machine guest, a virtual machine
host, or neither. Can be one of <literal>none</literal>,
<literal>host</literal>, or <literal>guest</literal>.
'';
};
hardwareVirtualisation = mkOption {
type = types.nullOr types.bool;
default = null;
example = true;
description = ''
grsecurity hardware virtualisation configuration. Set to
<literal>true</literal> if your machine supports hardware
accelerated virtualisation.
'';
};
virtualisationSoftware = mkOption {
type = types.str;
default = "";
example = "kvm";
description = ''
grsecurity virtualisation software. Set this to the
specified virtual machine technology if the machine is
running as a guest, or a host.
Can be one of <literal>kvm</literal>,
<literal>xen</literal>, <literal>vmware</literal> or
<literal>virtualbox</literal>.
'';
};
sysctl = mkOption {
type = types.bool;
default = false;
description = ''
If true, then set <literal>GRKERN_SYSCTL y</literal>. If
enabled then grsecurity can be controlled using sysctl
(and turned off). You are advised to *never* enable this,
but if you do, make sure to always set the sysctl
<literal>kernel.grsecurity.grsec_lock</literal> to
non-zero as soon as all sysctl options are set. *THIS IS
EXTREMELY IMPORTANT*!
If disabled, this also turns off the
<literal>systemd-sysctl</literal> service.
'';
};
denyChrootChmod = mkOption {
type = types.bool;
default = false;
description = ''
If true, then set <literal>GRKERN_CHROOT_CHMOD
y</literal>. If enabled, this denies processes inside a
chroot from setting the suid or sgid bits using
<literal>chmod</literal> or <literal>fchmod</literal>.
By default this protection is disabled - it makes it
impossible to use Nix to build software on your system,
which is what most users want.
If you are using NixOps to deploy your software to a
remote machine, you're encouraged to enable this as you
won't need to compile code.
'';
};
restrictProc = mkOption {
type = types.bool;
default = false;
description = ''
If true, then set <literal>GRKERN_PROC_USER
y</literal>. This restricts non-root users to only viewing
their own processes and restricts network-related
information, kernel symbols, and module information.
'';
};
restrictProcWithGroup = mkOption {
type = types.bool;
default = true;
description = ''
If true, then set <literal>GRKERN_PROC_USERGROUP
y</literal>. This is similar to
<literal>restrictProc</literal> except it allows a special
group (specified by <literal>unrestrictProcGid</literal>)
to still access otherwise classified information in
<literal>/proc</literal>.
'';
};
unrestrictProcGid = mkOption {
type = types.int;
default = config.ids.gids.grsecurity;
description = ''
If set, specifies a GID which is exempt from
<literal>/proc</literal> restrictions (set by
<literal>GRKERN_PROC_USERGROUP</literal>). By default,
this is set to the GID for <literal>grsecurity</literal>,
a predefined NixOS group, which the
<literal>root</literal> account is a member of. You may
conveniently add other users to this group if you need
access to <literal>/proc</literal>
'';
};
disableRBAC = mkOption {
type = types.bool;
default = false;
description = ''
If true, then set <literal>GRKERN_NO_RBAC
y</literal>. This disables the
<literal>/dev/grsec</literal> device, which in turn
disables the RBAC system (and <literal>gradm</literal>).
'';
};
verboseVersion = mkOption {
type = types.bool;
default = false;
description = "Use verbose version in kernel localversion.";
};
kernelExtraConfig = mkOption {
type = types.str;
default = "";
description = "Extra kernel configuration parameters.";
};
};
};
};
config = mkIf cfg.enable {
assertions =
[ { assertion = cfg.stable || cfg.testing;
message = ''
If grsecurity is enabled, you must select either the
stable patch (with kernel 3.2), or the testing patch (with
kernel 3.13) to continue.
'';
}
{ assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable);
message = ''
You must select either the stable or testing patch, not
both.
'';
}
{ assertion = (cfg.testing -> !cfg.vserver);
message = "The vserver patches are only supported in the stable kernel.";
}
{ assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
(cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
message = "You cannot enable both restrictProc and restrictProcWithGroup";
}
{ assertion = config.boot.kernelPackages.kernel.features ? grsecurity
&& config.boot.kernelPackages.kernel.features.grsecurity;
message = "grsecurity enabled, but kernel doesn't have grsec support";
}
{ assertion = elem cfg.config.mode [ "auto" "custom" ];
message = "grsecurity mode must either be 'auto' or 'custom'.";
}
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ];
message = "when using auto grsec mode, system must be either 'desktop' or 'server'";
}
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.priority [ "performance" "security" ];
message = "when using auto grsec mode, priority must be 'performance' or 'security'.";
}
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.virtualisationConfig [ "host" "guest" "none" ];
message = "when using auto grsec mode, 'virt' must be 'host', 'guest' or 'none'.";
}
{ assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
cfg.config.hardwareVirtualisation != null;
message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
}
{ assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
elem cfg.config.virtualisationSoftware [ "kvm" "xen" "virtualbox" "vmware" ];
message = "virtualisation software must be 'kvm', 'xen', 'vmware' or 'virtualbox'";
}
];
systemd.services.grsec-lock = mkIf cfg.config.sysctl {
description = "grsecurity sysctl-lock Service";
requires = [ "sysctl.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = "yes";
script = ''
locked=`cat /proc/sys/kernel/grsecurity/grsec_lock`
if [ "$locked" == "0" ]; then
echo 1 > /proc/sys/kernel/grsecurity/grsec_lock
echo grsecurity sysctl lock - enabled
else
echo grsecurity sysctl lock already enabled - doing nothing
fi
'';
};
# systemd.services.grsec-learn = {
# description = "grsecurity learning Service";
# wantedBy = [ "local-fs.target" ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = "yes";
# ExecStart = "${pkgs.gradm}/sbin/gradm -VFL /etc/grsec/learning.logs";
# ExecStop = "${pkgs.gradm}/sbin/gradm -D";
# };
# };
system.activationScripts.grsec =
''
mkdir -p /etc/grsec
if [ ! -f /etc/grsec/learn_config ]; then
cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
fi
if [ ! -f /etc/grsec/policy ]; then
cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
fi
chmod -R 0600 /etc/grsec
'';
# Enable apparmor support, gradm udev rules, and utilities
security.apparmor.enable = true;
boot.kernelPackages = grsecPackage;
services.udev.packages = [ pkgs.gradm ];
environment.systemPackages = [ pkgs.gradm pkgs.paxctl pkgs.pax-utils ];
};
}
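Review bot: `systemd.services.grsec-lock` declares `requires = [ "sysctl.service" ]` but no `after`, and `requires` alone does not order the two units, so the lock script can set `grsec_lock` before the sysctl settings have been applied, which the `sysctl` option's own description warns against (the lock must come only after all sysctl options are set); add `after = [ "sysctl.service" ];` next to the `requires` line. That same description refers to the `systemd-sysctl` service while the unit here names `sysctl.service` — confirm which unit applies `boot.kernel.sysctl` on this NixOS version and use the same name in both places. The assertions `(cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable)` and the matching restrictProc pair OR two identical implications; `!(cfg.stable && cfg.testing)` states the same condition more plainly. The activation script's `chmod -R 0600 /etc/grsec` also clears the search bit on the directory itself; `chmod 0700 /etc/grsec` followed by `chmod 0600 /etc/grsec/*` keeps the directory traversable while still restricting the policy and learn_config files to root.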


@ -1,9 +1,9 @@
# This module provides configuration for the PAM (Pluggable
# Authentication Modules) system.
{config, pkgs, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{config, pkgs, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let


@ -1,6 +1,6 @@
{config, pkgs, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
cfg = config.services.prey;


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{
options = {


@ -1,9 +1,9 @@
# A module for rtkit, a DBus system service that hands out realtime
# scheduling priority to processes that ask for it.
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
{


@ -1,6 +1,6 @@
{pkgs, config, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
@ -46,6 +46,7 @@ in
group = "postdrop";
setuid = false;
setgid = true;
permissions = "u+rx,g+x,o+x";
}
];
description = ''
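Review bot: The added `permissions = "u+rx,g+x,o+x"` for the setgid `postdrop` wrapper is a symbolic mode that only adds bits, so the resulting mode depends on what the wrapper starts from, and the choice of no group/world read on a setgid binary is presumably deliberate but unexplained. A comment on the entry such as `# Executable only for group/others; the setgid wrapper is deliberately not readable.` would keep a later edit from widening it. The wrapper list and the option default it belongs to continue outside the hunk.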


@ -1,6 +1,6 @@
{pkgs, config, ...}:
{ config, lib, pkgs, ... }:
with pkgs.lib;
with lib;
let
