diff --git a/lib/eval-config.nix b/lib/eval-config.nix index ffc0db1c7ea..f99f3fbedbb 100644 --- a/lib/eval-config.nix +++ b/lib/eval-config.nix @@ -31,6 +31,7 @@ rec { inherit pkgs modules baseModules; modulesPath = ../modules; pkgs_i686 = import { system = "i686-linux"; }; + utils = {}; # forward compatibility }; # Import Nixpkgs, allowing the NixOS option nixpkgs.config to diff --git a/modules/config/networking.nix b/modules/config/networking.nix index c6ea171bf3d..3905f28b610 100644 --- a/modules/config/networking.nix +++ b/modules/config/networking.nix @@ -16,6 +16,18 @@ let ''; }; + networking.dnsSingleRequest = pkgs.lib.mkOption { + default = false; + description = '' + Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA) + address queries at the same time, from the same port. Sometimes upstream + routers will systemically drop the ipv4 queries. The symptom of this problem is + that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The + workaround for this is to specify the option 'single-request' in + /etc/resolve.conf. This option enables that. + ''; + }; + }; in @@ -60,6 +72,9 @@ in # Invalidate the nscd cache whenever resolv.conf is # regenerated. libc_restart='${pkgs.upstart}/sbin/start invalidate-nscd' + '' + optionalString cfg.dnsSingleRequest '' + # only send one DNS request at a time + resolv_conf_options='single-request' '' + optionalString config.services.bind.enable '' # This hosts runs a full-blown DNS resolver. name_servers='127.0.0.1' diff --git a/modules/installer/cd-dvd/system-tarball-pc-readme.txt b/modules/installer/cd-dvd/system-tarball-pc-readme.txt new file mode 100644 index 00000000000..c4a0a111cd3 --- /dev/null +++ b/modules/installer/cd-dvd/system-tarball-pc-readme.txt @@ -0,0 +1,89 @@ +Let all the files in the system tarball sit in a directory served by NFS (the +NFS root) like this in exportfs: + /home/pcroot 192.168.1.0/24(rw,no_root_squash,no_all_squash) + +Run "exportfs -a" after editing /etc/exportfs, for the nfs server to be aware +of the changes. + +Use a tftp server serving the root of boot/ (from the system tarball). + +In order to have PXE boot, use the boot/dhcpd.conf-example file for your dhcpd +server, as it will point your PXE clients to pxelinux.0 from the tftp server. +Adapt the configuration to your network. + +Adapt the pxelinux configuration (boot/pxelinux.cfg/default) to set the path to +your nfrroot. If you use ip=dhcp in the kernel, the nfs server ip will be taken +from dhcp and so you don't have to specify it. + +The linux in bzImage includes network drivers for some usual cards. + + +QEMU Testing +--------------- + +You can test qemu pxe boot without having a DHCP server adapted, but having +nfsroot, like this: + qemu-system-x86_64 -tftp /home/pcroot/boot -net nic -net user,bootfile=pxelinux.0 -boot n + +I don't know how to use NFS through the qemu '-net user' though. + + +QEMU Testing with NFS root and bridged network +------------------------------------------------- + +This allows testing with qemu as any other host in your LAN. + +Testing with the real dhcpd server requires setting up a bridge and having a +tap device. + tunctl -t tap0 + brctl addbr br0 + brctl addif br0 eth0 + brctl addif tap0 eth0 + ifconfig eth0 0.0.0.0 up + ifconfig tap0 0.0.0.0 up + ifconfig br0 up # With your ip configuration + +Then you can run qemu: + qemu-system-x86_64 -boot n -net tap,ifname=tap0,script=no -net nic,model=e1000 + + +Using the system-tarball-pc in a chroot +-------------------------------------------------- + +Installation: + mkdir nixos-chroot && cd nixos-chroot + tar xf your-system-tarball.tar.xz + mkdir sys dev proc tmp root var run + mount --bind /sys sys + mount --bind /dev dev + mount --bind /proc proc + +Activate the system: look for a directory in nix/store similar to: + "/nix/store/y0d1lcj9fppli0hl3x0m0ba5g1ndjv2j-nixos-feb97bx-53f008" +Having found it, activate that nixos system *twice*: + chroot . /nix/store/SOMETHING-nixos-SOMETHING/activate + chroot . /nix/store/SOMETHING-nixos-SOMETHING/activate + +This runs a 'hostname' command. Restore your old hostname with: + hostname OLDHOSTNAME + +Copy your system resolv.conf to the /etc/resolv.conf inside the chroot: + cp /etc/resolv.conf etc + +Then you can get an interactive shell in the nixos chroot. '*' means +to run inside the chroot interactive shell + chroot . /bin/sh +* source /etc/profile + +Populate the nix database: that should be done in the init script if you +had booted this nixos. Run: +* `grep local-cmds run/current-system/init` + +Then you can proceed normally subscribing to a nixos channel: + nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable + nix-channel --update + +Testing: + nix-env -i hello + which hello + hello diff --git a/modules/installer/cd-dvd/system-tarball-pc.nix b/modules/installer/cd-dvd/system-tarball-pc.nix index 2bc6ce78d94..e98a8c215f9 100644 --- a/modules/installer/cd-dvd/system-tarball-pc.nix +++ b/modules/installer/cd-dvd/system-tarball-pc.nix @@ -60,54 +60,7 @@ let } ''; - readme = pkgs.writeText "readme.txt" '' - Let all the files in the system tarball sit in a directory served by NFS (the NFS root) - like this in exportfs: - /home/pcroot 192.168.1.0/24(rw,no_root_squash,no_all_squash) - - Run "exportfs -a" after editing /etc/exportfs, for the nfs server to be aware of the - changes. - - Use a tftp server serving the root of boot/ (from the system tarball). - - In order to have PXE boot, use the boot/dhcpd.conf-example file for your dhcpd server, - as it will point your PXE clients to pxelinux.0 from the tftp server. Adapt the - configuration to your network. - - Adapt the pxelinux configuration (boot/pxelinux.cfg/default) to set the path to your - nfrroot. If you use ip=dhcp in the kernel, the nfs server ip will be taken from - dhcp and so you don't have to specify it. - - The linux in bzImage includes network drivers for some usual cards. - - - QEMU Testing - --------------- - - You can test qemu pxe boot without having a DHCP server adapted, but having nfsroot, - like this: - qemu-system-x86_64 -tftp /home/pcroot/boot -net nic -net user,bootfile=pxelinux.0 -boot n - - I don't know how to use NFS through the qemu '-net user' though. - - - QEMU Testing with NFS root and bridged network - ------------------------------------------------- - - This allows testing with qemu as any other host in your LAN. - - Testing with the real dhcpd server requires setting up a bridge and having a tap device. - tunctl -t tap0 - brctl addbr br0 - brctl addif br0 eth0 - brctl addif tap0 eth0 - ifconfig eth0 0.0.0.0 up - ifconfig tap0 0.0.0.0 up - ifconfig br0 up # With your ip configuration - - Then you can run qemu: - qemu-system-x86_64 -boot n -net tap,ifname=tap0,script=no -net nic,model=e1000 - ''; + readme = builtins.readFile ./system-tarball-pc-readme.txt; in diff --git a/modules/module-list.nix b/modules/module-list.nix index e480ee9767e..0cca6a95544 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -129,6 +129,7 @@ ./services/networking/gnunet.nix ./services/networking/gogoclient.nix ./services/networking/gvpe.nix + ./services/networking/hostapd.nix ./services/networking/ifplugd.nix ./services/networking/ircd-hybrid/default.nix ./services/networking/nat.nix diff --git a/modules/programs/bash/bash.nix b/modules/programs/bash/bash.nix index 51654b164a0..441d30f1e9f 100644 --- a/modules/programs/bash/bash.nix +++ b/modules/programs/bash/bash.nix @@ -7,6 +7,25 @@ with pkgs.lib; let + initBashCompletion = optionalString config.environment.enableBashCompletion '' + # Check whether we're running a version of Bash that has support for + # programmable completion. If we do, enable all modules installed in + # the system (and user profile). + if shopt -q progcomp &>/dev/null; then + . "${pkgs.bashCompletion}/etc/profile.d/bash_completion.sh" + nullglobStatus=$(shopt -p nullglob) + shopt -s nullglob + for p in $NIX_PROFILES; do + for m in "$p/etc/bash_completion.d/"*; do + . $m + done + done + eval "$nullglobStatus" + unset nullglobStatus p m + fi + ''; + + options = { environment.shellInit = mkOption { @@ -18,6 +37,12 @@ let type = with pkgs.lib.types; string; }; + environment.enableBashCompletion = mkOption { + default = false; + description = "Enable bash-completion for all interactive shells."; + type = with pkgs.lib.types; bool; + }; + }; in @@ -38,7 +63,10 @@ in { # /etc/bashrc: executed every time a bash starts. Sources # /etc/profile to ensure that the system environment is # configured properly. - source = ./bashrc.sh; + source = pkgs.substituteAll { + src = ./bashrc.sh; + inherit initBashCompletion; + }; target = "bashrc"; } @@ -59,4 +87,5 @@ in mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh ''; + environment.pathsToLink = optional config.environment.enableBashCompletion "/etc/bash_completion.d"; } diff --git a/modules/programs/bash/bashrc.sh b/modules/programs/bash/bashrc.sh index 74550656151..4382e7ee9d8 100644 --- a/modules/programs/bash/bashrc.sh +++ b/modules/programs/bash/bashrc.sh @@ -27,15 +27,7 @@ if test "$TERM" = "xterm"; then PS1="\[\033]2;\h:\u:\w\007\]$PS1" fi -# Check whether we're running a version of Bash that has support for -# programmable completion. If we do, and if the current user has -# installed the package 'bash-completion' in her $HOME/.nix-profile, -# then completion is enabled automatically. -if [ -f "$HOME/.nix-profile/etc/profile.d/bash_completion.sh" ]; then - if shopt -q progcomp &>/dev/null; then - . "$HOME/.nix-profile/etc/profile.d/bash_completion.sh" - fi -fi +@initBashCompletion@ # Some aliases. alias ls="ls --color=tty" diff --git a/modules/security/pam.nix b/modules/security/pam.nix index dc18ffd7d02..a77b7697379 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -235,6 +235,7 @@ in { name = "i3lock"; } { name = "lshd"; } { name = "samba"; } + { name = "screen"; } { name = "sshd"; } { name = "vlock"; } { name = "xlock"; } diff --git a/modules/services/hardware/pommed.nix b/modules/services/hardware/pommed.nix index 63c783f5c6d..32599554fc1 100644 --- a/modules/services/hardware/pommed.nix +++ b/modules/services/hardware/pommed.nix @@ -13,7 +13,7 @@ with pkgs.lib; }; configFile = mkOption { - default = builtins.toPath "${pkgs.pommed}/etc/pommed.conf"; + default = "${pkgs.pommed}/etc/pommed.conf"; description = '' The contents of the pommed.conf file. ''; diff --git a/modules/services/networking/dnsmasq.nix b/modules/services/networking/dnsmasq.nix index 389d5c22e82..b726493d421 100644 --- a/modules/services/networking/dnsmasq.nix +++ b/modules/services/networking/dnsmasq.nix @@ -8,6 +8,10 @@ let serversParam = concatMapStrings (s: "-S ${s} ") cfg.servers; + dnsmasqConf = pkgs.writeText "dnsmasq.conf" '' + ${cfg.extraConfig} + ''; + in { @@ -33,6 +37,15 @@ in ''; }; + extraConfig = mkOption { + type = types.string; + default = ""; + description = '' + Extra configuration directives that should be added to + dnsmasq.conf + ''; + }; + }; }; @@ -49,7 +62,7 @@ in daemonType = "daemon"; - exec = "${dnsmasq}/bin/dnsmasq -R ${serversParam}"; + exec = "${dnsmasq}/bin/dnsmasq -R ${serversParam} -o -C ${dnsmasqConf}"; }; }; diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix index e6ae725f85f..9f7db27c738 100644 --- a/modules/services/networking/firewall.nix +++ b/modules/services/networking/firewall.nix @@ -39,6 +39,15 @@ let } ''; + kernelPackages = config.boot.kernelPackages; + kernelHasRPFilter = kernelPackages.kernel ? features + && kernelPackages.kernel.features ? netfilterRPFilter + && kernelPackages.kernel.features.netfilterRPFilter; + + kernelCanDisableHelpers = kernelPackages.kernel ? features + && kernelPackages.kernel.features ? canDisableNetfilterConntrackHelpers + && kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers; + in { @@ -140,6 +149,53 @@ in ''; }; + networking.firewall.checkReversePath = mkOption { + default = kernelHasRPFilter; + type = types.bool; + description = + '' + Performs a reverse path filter test on a packet. + If a reply to the packet would not be sent via the same interface + that the packet arrived on, it is refused. + + If using asymmetric routing or other complicated routing, + disable this setting and setup your own counter-measures. + + (needs kernel 3.3+) + ''; + }; + + networking.firewall.connectionTrackingModules = mkOption { + default = [ "ftp" ]; + example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; + type = types.list types.string; + description = + '' + List of connection-tracking helpers that are auto-loaded. + The complete list of possible values is given in the example. + + As helpers can pose as a security risk, it is adviced to + set this to an empty list and disable the setting + networking.firewall.autoLoadConntrackHelpers + + Loading of helpers is recommended to be done through the new + CT target. More info: + https://home.regit.org/netfilter-en/secure-use-of-helpers/ + ''; + }; + + networking.firewall.autoLoadConntrackHelpers = mkOption { + default = true; + type = types.bool; + description = + '' + Whether to auto-load connection-tracking helpers. + See the description at networking.firewall.connectionTrackingModules + + (needs kernel 3.5+) + ''; + }; + networking.firewall.extraCommands = mkOption { default = ""; example = "iptables -A INPUT -p icmp -j ACCEPT"; @@ -168,7 +224,16 @@ in environment.systemPackages = [ pkgs.iptables ]; - boot.kernelModules = [ "nf_conntrack_ftp" ]; + boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; + boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' + options nf_conntrack nf_conntrack_helper=0 + ''; + + assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter; + message = "This kernel does not support rpfilter"; } + { assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers; + message = "This kernel does not support disabling conntrack helpers"; } + ]; jobs.firewall = { startOn = "started network-interfaces"; @@ -233,6 +298,12 @@ in # The "nixos-fw" chain does the actual work. ip46tables -N nixos-fw + # Perform a reverse-path test to refuse spoofers + # For now, we just drop, as the raw table doesn't have a log-refuse yet + ${optionalString (kernelHasRPFilter && cfg.checkReversePath) '' + ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP + ''} + # Accept all traffic on the trusted interfaces. ${flip concatMapStrings cfg.trustedInterfaces (iface: '' ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept @@ -269,9 +340,11 @@ in # Accept all ICMPv6 messages except redirects and node # information queries (type 139). See RFC 4890, section # 4.4. - ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP - ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP - ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept + ${optionalString config.networking.enableIPv6 '' + ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP + ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP + ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept + ''} ${cfg.extraCommands} diff --git a/modules/services/networking/hostapd.nix b/modules/services/networking/hostapd.nix new file mode 100644 index 00000000000..42779494b4b --- /dev/null +++ b/modules/services/networking/hostapd.nix @@ -0,0 +1,155 @@ +{ config, pkgs, ... }: + +# TODO: +# +# asserts +# ensure that the nl80211 module is loaded/compiled in the kernel +# hwMode must be a/b/g +# channel must be between 1 and 13 (maybe) +# wpa_supplicant and hostapd on the same wireless interface doesn't make any sense +# perhaps an assertion that there is a dhcp server and a dns server on the IP address serviced by the hostapd? + +with pkgs.lib; + +let + + cfg = config.services.hostapd; + + configFile = pkgs.writeText "hostapd.conf" + '' + interface=${cfg.interface} + driver=${cfg.driver} + ssid=${cfg.ssid} + hw_mode=${cfg.hwMode} + channel=${toString cfg.channel} + + # logging (debug level) + logger_syslog=-1 + logger_syslog_level=2 + logger_stdout=-1 + logger_stdout_level=2 + + ctrl_interface=/var/run/hostapd + ctrl_interface_group=${cfg.group} + + ${if cfg.wpa then '' + wpa=1 + wpa_passphrase=${cfg.wpaPassphrase} + '' else ""} + + ${cfg.extraCfg} + '' ; + +in + +{ + ###### interface + + options = { + + services.hostapd = { + + enable = mkOption { + default = false; + description = '' + Enable putting a wireless interface into infrastructure mode, + allowing other wireless devices to associate with the wireless interface and do + wireless networking. A simple access point will enable hostapd.wpa, and + hostapd.wpa_passphrase, hostapd.ssid, dhcpd on the wireless interface to + provide IP addresses to the associated stations, and nat (from the wireless + interface to an upstream interface). + ''; + }; + + interface = mkOption { + default = ""; + example = "wlan0"; + description = '' + The interfaces hostapd will use. + ''; + }; + + driver = mkOption { + default = "nl80211"; + example = "hostapd"; + type = types.string; + description = "Which driver hostapd will use. Most things will probably use the default."; + }; + + ssid = mkOption { + default = "nixos"; + example = "mySpecialSSID"; + type = types.string; + description = "SSID to be used in IEEE 802.11 management frames."; + }; + + hwMode = mkOption { + default = "b"; + example = "g"; + type = types.string; + description = "Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g"; + }; + + channel = mkOption { + default = 7; + example = 11; + type = types.int; + description = + '' + Channel number (IEEE 802.11) + Please note that some drivers do not use this value from hostapd and the + channel will need to be configured separately with iwconfig. + ''; + }; + + group = mkOption { + default = "wheel"; + example = "network"; + type = types.string; + description = "members of this group can control hostapd"; + }; + + wpa = mkOption { + default = true; + description = "enable WPA (IEEE 802.11i/D3.0) to authenticate to the access point"; + }; + + wpaPassphrase = mkOption { + default = "my_sekret"; + example = "any_64_char_string"; + type = types.string; + description = + '' + WPA-PSK (pre-shared-key) passphrase. Clients will need this + passphrase to associate with this access point. Warning: This passphrase will + get put into a world-readable file in the nix store. + ''; + }; + + extraCfg = mkOption { + default = ""; + example = '' + auth_algo=0 + ieee80211n=1 + ht_capab=[HT40-][SHORT-GI-40][DSSS_CCK-40] + ''; + type = types.string; + description = "Extra configuration options to put in the hostapd.conf"; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.hostapd ]; + + jobs.hostapd = + { startOn = "started network-interfaces"; + stopOn = "stopping network-interfaces"; + exec = "${pkgs.hostapd}/bin/hostapd ${configFile}"; + }; + }; +} diff --git a/modules/services/networking/nat.nix b/modules/services/networking/nat.nix index ff6ff02f7e9..9d62a764f06 100644 --- a/modules/services/networking/nat.nix +++ b/modules/services/networking/nat.nix @@ -34,6 +34,9 @@ in coming from these networks and destined for the external interface will be rewritten. ''; + # Backward compatibility: this used to be a single range instead + # of a list. + apply = x: if isList x then x else [x]; }; networking.nat.externalInterface = mkOption { @@ -78,8 +81,8 @@ in '' iptables -t nat -F POSTROUTING iptables -t nat -X - '' - + (concatMapStrings (network: + '' + + (concatMapStrings (network: '' iptables -t nat -A POSTROUTING \ -s ${network} -o ${cfg.externalInterface} \ diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix index ea60e591c14..830559f3e9d 100644 --- a/modules/services/networking/ssh/sshd.nix +++ b/modules/services/networking/ssh/sshd.nix @@ -356,6 +356,7 @@ in UsePAM ${if cfg.usePAM then "yes" else "no"} + AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} ${concatMapStrings (port: '' Port ${toString port} '') cfg.ports} diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 9ceb66a85a0..1729850421a 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -8,6 +8,8 @@ let httpd = mainCfg.package; + version24 = !versionOlder httpd.version "2.4"; + httpdConf = mainCfg.configFile; php = pkgs.php.override { apacheHttpd = httpd; }; @@ -101,7 +103,8 @@ let "auth_basic" "auth_digest" # Authentication: is the user who he claims to be? - "authn_file" "authn_dbm" "authn_anon" "authn_alias" + "authn_file" "authn_dbm" "authn_anon" + (if version24 then "authn_core" else "authn_alias") # Authorization: is the user allowed access? "authz_user" "authz_groupfile" "authz_host" @@ -113,11 +116,31 @@ let "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" "userdir" "alias" "rewrite" "proxy" "proxy_http" ] + ++ optionals version24 [ + "mpm_${mainCfg.multiProcessingModule}" + "authz_core" + "unixd" + ] ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) ++ optional enableSSL "ssl" ++ extraApacheModules; + allDenied = if version24 then '' + Require all denied + '' else '' + Order deny,allow + Deny from all + ''; + + allGranted = if version24 then '' + Require all granted + '' else '' + Order allow,deny + Allow from all + ''; + + loggingConf = '' ErrorLog ${mainCfg.logDir}/error_log @@ -186,8 +209,7 @@ let Options Indexes FollowSymLinks AllowOverride None - Order allow,deny - Allow from all + ${allGranted} ''; @@ -241,12 +263,10 @@ let AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - Order allow,deny - Allow from all + ${allGranted} - Order deny,allow - Deny from all + ${allDenied} @@ -268,8 +288,7 @@ let Alias ${elem.urlPath} ${elem.dir}/ Options +Indexes - Order allow,deny - Allow from all + ${allGranted} AllowOverride All ''; @@ -286,6 +305,10 @@ let ServerRoot ${httpd} + ${optionalString version24 '' + DefaultRuntimeDir ${mainCfg.stateDir}/runtime + ''} + PidFile ${mainCfg.stateDir}/httpd.pid ${optionalString (mainCfg.multiProcessingModule != "prefork") '' @@ -321,8 +344,7 @@ let AddHandler type-map var - Order allow,deny - Deny from all + ${allDenied} ${mimeConf} @@ -340,16 +362,14 @@ let Options FollowSymLinks AllowOverride None - Order deny,allow - Deny from all + ${allDenied} # But do allow access to files in the store so that we don't have # to generate clauses for every generated file that we # want to serve. - Order allow,deny - Allow from all + ${allGranted} # Generate directives for the main server. @@ -359,7 +379,8 @@ let ${let ports = map getPort allHosts; uniquePorts = uniqList {inputList = ports;}; - in concatMapStrings (port: "NameVirtualHost *:${toString port}\n") uniquePorts + directives = concatMapStrings (port: "NameVirtualHost *:${toString port}\n") uniquePorts; + in optionalString (!version24) directives } ${let @@ -620,6 +641,10 @@ in '' mkdir -m 0750 -p ${mainCfg.stateDir} chown root.${mainCfg.group} ${mainCfg.stateDir} + ${optionalString version24 '' + mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" + chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" + ''} mkdir -m 0700 -p ${mainCfg.logDir} ${optionalString (mainCfg.documentRoot != null) diff --git a/modules/services/x11/xserver.nix b/modules/services/x11/xserver.nix index 97424308c27..1aa432afdfc 100644 --- a/modules/services/x11/xserver.nix +++ b/modules/services/x11/xserver.nix @@ -343,7 +343,8 @@ in optional (elem "virtualbox" driverNames) kernelPackages.virtualboxGuestAdditions ++ optional (elem "ati_unfree" driverNames) kernelPackages.ati_drivers_x11; - environment.etc = optionals cfg.exportConfiguration + environment.etc = + (optionals cfg.exportConfiguration [ { source = "${configFile}"; target = "X11/xorg.conf"; } @@ -351,7 +352,15 @@ in { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; target = "X11/xkb"; } - ]; + ]) + ++ (optionals (elem "ati_unfree" driverNames) [ + + # according toiive on #ati you don't need the pcs, it is like registry... keeps old stuff to make your + # life harder ;) Still it seems to be required + { source = "${kernelPackages.ati_drivers_x11}/etc/ati"; + target = "ati"; + } + ]); environment.x11Packages = [ xorg.xorgserver @@ -420,6 +429,8 @@ in "ln -sf ${kernelPackages.nvidia_x11_legacy96} /run/opengl-driver" else if elem "nvidiaLegacy173" driverNames then "ln -sf ${kernelPackages.nvidia_x11_legacy173} /run/opengl-driver" + else if elem "ati_unfree" driverNames then + "ln -sf ${kernelPackages.ati_drivers_x11} /run/opengl-driver" else if cfg.driSupport then "ln -sf ${pkgs.mesa} /run/opengl-driver" else "" diff --git a/modules/system/boot/stage-1-init.sh b/modules/system/boot/stage-1-init.sh index 53d528fcd56..c6fc87bf32a 100644 --- a/modules/system/boot/stage-1-init.sh +++ b/modules/system/boot/stage-1-init.sh @@ -40,10 +40,10 @@ EOF case $reply in f) - exec setsid @shell@ < /dev/$console >/dev/$console 2>/dev/$console ;; + exec setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" ;; i) echo "Starting interactive shell..." - setsid @shell@ < /dev/$console >/dev/$console 2>/dev/$console || fail + setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail ;; *) echo "Continuing...";;