public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge master.

Browse Source
This commit is contained in:
James Cook 2012-11-18 10:49:55 -08:00
commit 63dc873b85
17 changed files with 448 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/eval-config.nix
View File

@ -31,6 +31,7 @@ rec {
inherit pkgs modules baseModules; inherit pkgs modules baseModules;
modulesPath = ../modules; modulesPath = ../modules;
pkgs_i686 = import <nixpkgs> { system = "i686-linux"; }; pkgs_i686 = import <nixpkgs> { system = "i686-linux"; };
utils = {}; # forward compatibility
}; };
# Import Nixpkgs, allowing the NixOS option nixpkgs.config to # Import Nixpkgs, allowing the NixOS option nixpkgs.config to

15
modules/config/networking.nix
View File

@ -16,6 +16,18 @@ let
''; '';
}; };
networking.dnsSingleRequest = pkgs.lib.mkOption {
default = false;
description = ''
Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA)
address queries at the same time, from the same port. Sometimes upstream
routers will systemically drop the ipv4 queries. The symptom of this problem is
that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The
workaround for this is to specify the option 'single-request' in
/etc/resolve.conf. This option enables that.
'';
};
}; };
in in
@ -60,6 +72,9 @@ in
# Invalidate the nscd cache whenever resolv.conf is # Invalidate the nscd cache whenever resolv.conf is
# regenerated. # regenerated.
libc_restart='${pkgs.upstart}/sbin/start invalidate-nscd' libc_restart='${pkgs.upstart}/sbin/start invalidate-nscd'
'' + optionalString cfg.dnsSingleRequest ''
# only send one DNS request at a time
resolv_conf_options='single-request'
'' + optionalString config.services.bind.enable '' '' + optionalString config.services.bind.enable ''
# This hosts runs a full-blown DNS resolver. # This hosts runs a full-blown DNS resolver.
name_servers='127.0.0.1' name_servers='127.0.0.1'

89
modules/installer/cd-dvd/system-tarball-pc-readme.txt Normal file
View File

@ -0,0 +1,89 @@
Let all the files in the system tarball sit in a directory served by NFS (the
NFS root) like this in exportfs:
/home/pcroot 192.168.1.0/24(rw,no_root_squash,no_all_squash)
Run "exportfs -a" after editing /etc/exportfs, for the nfs server to be aware
of the changes.
Use a tftp server serving the root of boot/ (from the system tarball).
In order to have PXE boot, use the boot/dhcpd.conf-example file for your dhcpd
server, as it will point your PXE clients to pxelinux.0 from the tftp server.
Adapt the configuration to your network.
Adapt the pxelinux configuration (boot/pxelinux.cfg/default) to set the path to
your nfrroot. If you use ip=dhcp in the kernel, the nfs server ip will be taken
from dhcp and so you don't have to specify it.
The linux in bzImage includes network drivers for some usual cards.
QEMU Testing
---------------
You can test qemu pxe boot without having a DHCP server adapted, but having
nfsroot, like this:
qemu-system-x86_64 -tftp /home/pcroot/boot -net nic -net user,bootfile=pxelinux.0 -boot n
I don't know how to use NFS through the qemu '-net user' though.
QEMU Testing with NFS root and bridged network
-------------------------------------------------
This allows testing with qemu as any other host in your LAN.
Testing with the real dhcpd server requires setting up a bridge and having a
tap device.
tunctl -t tap0
brctl addbr br0
brctl addif br0 eth0
brctl addif tap0 eth0
ifconfig eth0 0.0.0.0 up
ifconfig tap0 0.0.0.0 up
ifconfig br0 up # With your ip configuration
Then you can run qemu:
qemu-system-x86_64 -boot n -net tap,ifname=tap0,script=no -net nic,model=e1000
Using the system-tarball-pc in a chroot
--------------------------------------------------
Installation:
mkdir nixos-chroot && cd nixos-chroot
tar xf your-system-tarball.tar.xz
mkdir sys dev proc tmp root var run
mount --bind /sys sys
mount --bind /dev dev
mount --bind /proc proc
Activate the system: look for a directory in nix/store similar to:
"/nix/store/y0d1lcj9fppli0hl3x0m0ba5g1ndjv2j-nixos-feb97bx-53f008"
Having found it, activate that nixos system *twice*:
chroot . /nix/store/SOMETHING-nixos-SOMETHING/activate
chroot . /nix/store/SOMETHING-nixos-SOMETHING/activate
This runs a 'hostname' command. Restore your old hostname with:
hostname OLDHOSTNAME
Copy your system resolv.conf to the /etc/resolv.conf inside the chroot:
cp /etc/resolv.conf etc
Then you can get an interactive shell in the nixos chroot. '*' means
to run inside the chroot interactive shell
chroot . /bin/sh
* source /etc/profile
Populate the nix database: that should be done in the init script if you
had booted this nixos. Run:
* `grep local-cmds run/current-system/init`
Then you can proceed normally subscribing to a nixos channel:
nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable
nix-channel --update
Testing:
nix-env -i hello
which hello
hello

49
modules/installer/cd-dvd/system-tarball-pc.nix
View File

@ -60,54 +60,7 @@ let
} }
''; '';
readme = pkgs.writeText "readme.txt" '' readme = builtins.readFile ./system-tarball-pc-readme.txt;
Let all the files in the system tarball sit in a directory served by NFS (the NFS root)
like this in exportfs:
/home/pcroot 192.168.1.0/24(rw,no_root_squash,no_all_squash)
Run "exportfs -a" after editing /etc/exportfs, for the nfs server to be aware of the
changes.
Use a tftp server serving the root of boot/ (from the system tarball).
In order to have PXE boot, use the boot/dhcpd.conf-example file for your dhcpd server,
as it will point your PXE clients to pxelinux.0 from the tftp server. Adapt the
configuration to your network.
Adapt the pxelinux configuration (boot/pxelinux.cfg/default) to set the path to your
nfrroot. If you use ip=dhcp in the kernel, the nfs server ip will be taken from
dhcp and so you don't have to specify it.
The linux in bzImage includes network drivers for some usual cards.
QEMU Testing
---------------
You can test qemu pxe boot without having a DHCP server adapted, but having nfsroot,
like this:
qemu-system-x86_64 -tftp /home/pcroot/boot -net nic -net user,bootfile=pxelinux.0 -boot n
I don't know how to use NFS through the qemu '-net user' though.
QEMU Testing with NFS root and bridged network
-------------------------------------------------
This allows testing with qemu as any other host in your LAN.
Testing with the real dhcpd server requires setting up a bridge and having a tap device.
tunctl -t tap0
brctl addbr br0
brctl addif br0 eth0
brctl addif tap0 eth0
ifconfig eth0 0.0.0.0 up
ifconfig tap0 0.0.0.0 up
ifconfig br0 up # With your ip configuration
Then you can run qemu:
qemu-system-x86_64 -boot n -net tap,ifname=tap0,script=no -net nic,model=e1000
'';
in in

1
modules/module-list.nix
View File

@ -129,6 +129,7 @@
./services/networking/gnunet.nix ./services/networking/gnunet.nix
./services/networking/gogoclient.nix ./services/networking/gogoclient.nix
./services/networking/gvpe.nix ./services/networking/gvpe.nix
./services/networking/hostapd.nix
./services/networking/ifplugd.nix ./services/networking/ifplugd.nix
./services/networking/ircd-hybrid/default.nix ./services/networking/ircd-hybrid/default.nix
./services/networking/nat.nix ./services/networking/nat.nix

31
modules/programs/bash/bash.nix
View File

@ -7,6 +7,25 @@ with pkgs.lib;
let let
initBashCompletion = optionalString config.environment.enableBashCompletion ''
# Check whether we're running a version of Bash that has support for
# programmable completion. If we do, enable all modules installed in
# the system (and user profile).
if shopt -q progcomp &>/dev/null; then
. "${pkgs.bashCompletion}/etc/profile.d/bash_completion.sh"
nullglobStatus=$(shopt -p nullglob)
shopt -s nullglob
for p in $NIX_PROFILES; do
for m in "$p/etc/bash_completion.d/"*; do
. $m
done
done
eval "$nullglobStatus"
unset nullglobStatus p m
fi
'';
options = { options = {
environment.shellInit = mkOption { environment.shellInit = mkOption {
@ -18,6 +37,12 @@ let
type = with pkgs.lib.types; string; type = with pkgs.lib.types; string;
}; };
environment.enableBashCompletion = mkOption {
default = false;
description = "Enable bash-completion for all interactive shells.";
type = with pkgs.lib.types; bool;
};
}; };
in in
@ -38,7 +63,10 @@ in
{ # /etc/bashrc: executed every time a bash starts. Sources { # /etc/bashrc: executed every time a bash starts. Sources
# /etc/profile to ensure that the system environment is # /etc/profile to ensure that the system environment is
# configured properly. # configured properly.
source = ./bashrc.sh; source = pkgs.substituteAll {
src = ./bashrc.sh;
inherit initBashCompletion;
};
target = "bashrc"; target = "bashrc";
} }
@ -59,4 +87,5 @@ in
mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh
''; '';
environment.pathsToLink = optional config.environment.enableBashCompletion "/etc/bash_completion.d";
} }

10
modules/programs/bash/bashrc.sh
View File

@ -27,15 +27,7 @@ if test "$TERM" = "xterm"; then
PS1="\[\033]2;\h:\u:\w\007\]$PS1" PS1="\[\033]2;\h:\u:\w\007\]$PS1"
fi fi
# Check whether we're running a version of Bash that has support for @initBashCompletion@
# programmable completion. If we do, and if the current user has
# installed the package 'bash-completion' in her $HOME/.nix-profile,
# then completion is enabled automatically.
if [ -f "$HOME/.nix-profile/etc/profile.d/bash_completion.sh" ]; then
if shopt -q progcomp &>/dev/null; then
. "$HOME/.nix-profile/etc/profile.d/bash_completion.sh"
fi
fi
# Some aliases. # Some aliases.
alias ls="ls --color=tty" alias ls="ls --color=tty"

1
modules/security/pam.nix
View File

@ -235,6 +235,7 @@ in
{ name = "i3lock"; } { name = "i3lock"; }
{ name = "lshd"; } { name = "lshd"; }
{ name = "samba"; } { name = "samba"; }
{ name = "screen"; }
{ name = "sshd"; } { name = "sshd"; }
{ name = "vlock"; } { name = "vlock"; }
{ name = "xlock"; } { name = "xlock"; }

2
modules/services/hardware/pommed.nix
View File

@ -13,7 +13,7 @@ with pkgs.lib;
}; };
configFile = mkOption { configFile = mkOption {
default = builtins.toPath "${pkgs.pommed}/etc/pommed.conf"; default = "${pkgs.pommed}/etc/pommed.conf";
description = '' description = ''
The contents of the pommed.conf file. The contents of the pommed.conf file.
''; '';

15
modules/services/networking/dnsmasq.nix
View File

@ -8,6 +8,10 @@ let
serversParam = concatMapStrings (s: "-S ${s} ") cfg.servers; serversParam = concatMapStrings (s: "-S ${s} ") cfg.servers;
dnsmasqConf = pkgs.writeText "dnsmasq.conf" ''
${cfg.extraConfig}
'';
in in
{ {
@ -33,6 +37,15 @@ in
''; '';
}; };
extraConfig = mkOption {
type = types.string;
default = "";
description = ''
Extra configuration directives that should be added to
<literal>dnsmasq.conf</literal>
'';
};
}; };
}; };
@ -49,7 +62,7 @@ in
daemonType = "daemon"; daemonType = "daemon";
exec = "${dnsmasq}/bin/dnsmasq -R ${serversParam}"; exec = "${dnsmasq}/bin/dnsmasq -R ${serversParam} -o -C ${dnsmasqConf}";
}; };
}; };

81
modules/services/networking/firewall.nix
View File

@ -39,6 +39,15 @@ let
} }
''; '';
kernelPackages = config.boot.kernelPackages;
kernelHasRPFilter = kernelPackages.kernel ? features
&& kernelPackages.kernel.features ? netfilterRPFilter
&& kernelPackages.kernel.features.netfilterRPFilter;
kernelCanDisableHelpers = kernelPackages.kernel ? features
&& kernelPackages.kernel.features ? canDisableNetfilterConntrackHelpers
&& kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers;
in in
{ {
@ -140,6 +149,53 @@ in
''; '';
}; };
networking.firewall.checkReversePath = mkOption {
default = kernelHasRPFilter;
type = types.bool;
description =
''
Performs a reverse path filter test on a packet.
If a reply to the packet would not be sent via the same interface
that the packet arrived on, it is refused.
If using asymmetric routing or other complicated routing,
disable this setting and setup your own counter-measures.
(needs kernel 3.3+)
'';
};
networking.firewall.connectionTrackingModules = mkOption {
default = [ "ftp" ];
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
type = types.list types.string;
description =
''
List of connection-tracking helpers that are auto-loaded.
The complete list of possible values is given in the example.
As helpers can pose as a security risk, it is adviced to
set this to an empty list and disable the setting
networking.firewall.autoLoadConntrackHelpers
Loading of helpers is recommended to be done through the new
CT target. More info:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
'';
};
networking.firewall.autoLoadConntrackHelpers = mkOption {
default = true;
type = types.bool;
description =
''
Whether to auto-load connection-tracking helpers.
See the description at networking.firewall.connectionTrackingModules
(needs kernel 3.5+)
'';
};
networking.firewall.extraCommands = mkOption { networking.firewall.extraCommands = mkOption {
default = ""; default = "";
example = "iptables -A INPUT -p icmp -j ACCEPT"; example = "iptables -A INPUT -p icmp -j ACCEPT";
@ -168,7 +224,16 @@ in
environment.systemPackages = [ pkgs.iptables ]; environment.systemPackages = [ pkgs.iptables ];
boot.kernelModules = [ "nf_conntrack_ftp" ]; boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
options nf_conntrack nf_conntrack_helper=0
'';
assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter;
message = "This kernel does not support rpfilter"; }
{ assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers;
message = "This kernel does not support disabling conntrack helpers"; }
];
jobs.firewall = jobs.firewall =
{ startOn = "started network-interfaces"; { startOn = "started network-interfaces";
@ -233,6 +298,12 @@ in
# The "nixos-fw" chain does the actual work. # The "nixos-fw" chain does the actual work.
ip46tables -N nixos-fw ip46tables -N nixos-fw
# Perform a reverse-path test to refuse spoofers
# For now, we just drop, as the raw table doesn't have a log-refuse yet
${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
''}
# Accept all traffic on the trusted interfaces. # Accept all traffic on the trusted interfaces.
${flip concatMapStrings cfg.trustedInterfaces (iface: '' ${flip concatMapStrings cfg.trustedInterfaces (iface: ''
ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept
@ -269,9 +340,11 @@ in
# Accept all ICMPv6 messages except redirects and node # Accept all ICMPv6 messages except redirects and node
# information queries (type 139). See RFC 4890, section # information queries (type 139). See RFC 4890, section
# 4.4. # 4.4.
ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP ${optionalString config.networking.enableIPv6 ''
ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP
ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP
ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept
''}
${cfg.extraCommands} ${cfg.extraCommands}

155
modules/services/networking/hostapd.nix Normal file
View File

@ -0,0 +1,155 @@
{ config, pkgs, ... }:
# TODO:
#
# asserts
# ensure that the nl80211 module is loaded/compiled in the kernel
# hwMode must be a/b/g
# channel must be between 1 and 13 (maybe)
# wpa_supplicant and hostapd on the same wireless interface doesn't make any sense
# perhaps an assertion that there is a dhcp server and a dns server on the IP address serviced by the hostapd?
with pkgs.lib;
let
cfg = config.services.hostapd;
configFile = pkgs.writeText "hostapd.conf"
''
interface=${cfg.interface}
driver=${cfg.driver}
ssid=${cfg.ssid}
hw_mode=${cfg.hwMode}
channel=${toString cfg.channel}
# logging (debug level)
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=${cfg.group}
${if cfg.wpa then ''
wpa=1
wpa_passphrase=${cfg.wpaPassphrase}
'' else ""}
${cfg.extraCfg}
'' ;
in
{
###### interface
options = {
services.hostapd = {
enable = mkOption {
default = false;
description = ''
Enable putting a wireless interface into infrastructure mode,
allowing other wireless devices to associate with the wireless interface and do
wireless networking. A simple access point will enable hostapd.wpa, and
hostapd.wpa_passphrase, hostapd.ssid, dhcpd on the wireless interface to
provide IP addresses to the associated stations, and nat (from the wireless
interface to an upstream interface).
'';
};
interface = mkOption {
default = "";
example = "wlan0";
description = ''
The interfaces <command>hostapd</command> will use.
'';
};
driver = mkOption {
default = "nl80211";
example = "hostapd";
type = types.string;
description = "Which driver hostapd will use. Most things will probably use the default.";
};
ssid = mkOption {
default = "nixos";
example = "mySpecialSSID";
type = types.string;
description = "SSID to be used in IEEE 802.11 management frames.";
};
hwMode = mkOption {
default = "b";
example = "g";
type = types.string;
description = "Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g";
};
channel = mkOption {
default = 7;
example = 11;
type = types.int;
description =
''
Channel number (IEEE 802.11)
Please note that some drivers do not use this value from hostapd and the
channel will need to be configured separately with iwconfig.
'';
};
group = mkOption {
default = "wheel";
example = "network";
type = types.string;
description = "members of this group can control hostapd";
};
wpa = mkOption {
default = true;
description = "enable WPA (IEEE 802.11i/D3.0) to authenticate to the access point";
};
wpaPassphrase = mkOption {
default = "my_sekret";
example = "any_64_char_string";
type = types.string;
description =
''
WPA-PSK (pre-shared-key) passphrase. Clients will need this
passphrase to associate with this access point. Warning: This passphrase will
get put into a world-readable file in the nix store.
'';
};
extraCfg = mkOption {
default = "";
example = ''
auth_algo=0
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-40][DSSS_CCK-40]
'';
type = types.string;
description = "Extra configuration options to put in the hostapd.conf";
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.hostapd ];
jobs.hostapd =
{ startOn = "started network-interfaces";
stopOn = "stopping network-interfaces";
exec = "${pkgs.hostapd}/bin/hostapd ${configFile}";
};
};
}

7
modules/services/networking/nat.nix
View File

@ -34,6 +34,9 @@ in
coming from these networks and destined for the external coming from these networks and destined for the external
interface will be rewritten. interface will be rewritten.
''; '';
# Backward compatibility: this used to be a single range instead
# of a list.
apply = x: if isList x then x else [x];
}; };
networking.nat.externalInterface = mkOption { networking.nat.externalInterface = mkOption {
@ -78,8 +81,8 @@ in
'' ''
iptables -t nat -F POSTROUTING iptables -t nat -F POSTROUTING
iptables -t nat -X iptables -t nat -X
'' ''
+ (concatMapStrings (network: + (concatMapStrings (network:
'' ''
iptables -t nat -A POSTROUTING \ iptables -t nat -A POSTROUTING \
-s ${network} -o ${cfg.externalInterface} \ -s ${network} -o ${cfg.externalInterface} \

1
modules/services/networking/ssh/sshd.nix
View File

@ -356,6 +356,7 @@ in
UsePAM ${if cfg.usePAM then "yes" else "no"} UsePAM ${if cfg.usePAM then "yes" else "no"}
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
${concatMapStrings (port: '' ${concatMapStrings (port: ''
Port ${toString port} Port ${toString port}
'') cfg.ports} '') cfg.ports}

57
modules/services/web-servers/apache-httpd/default.nix
View File

@ -8,6 +8,8 @@ let
httpd = mainCfg.package; httpd = mainCfg.package;
version24 = !versionOlder httpd.version "2.4";
httpdConf = mainCfg.configFile; httpdConf = mainCfg.configFile;
php = pkgs.php.override { apacheHttpd = httpd; }; php = pkgs.php.override { apacheHttpd = httpd; };
@ -101,7 +103,8 @@ let
"auth_basic" "auth_digest" "auth_basic" "auth_digest"
# Authentication: is the user who he claims to be? # Authentication: is the user who he claims to be?
"authn_file" "authn_dbm" "authn_anon" "authn_alias" "authn_file" "authn_dbm" "authn_anon"
(if version24 then "authn_core" else "authn_alias")
# Authorization: is the user allowed access? # Authorization: is the user allowed access?
"authz_user" "authz_groupfile" "authz_host" "authz_user" "authz_groupfile" "authz_host"
@ -113,11 +116,31 @@ let
"vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
"userdir" "alias" "rewrite" "proxy" "proxy_http" "userdir" "alias" "rewrite" "proxy" "proxy_http"
] ]
++ optionals version24 [
"mpm_${mainCfg.multiProcessingModule}"
"authz_core"
"unixd"
]
++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
++ optional enableSSL "ssl" ++ optional enableSSL "ssl"
++ extraApacheModules; ++ extraApacheModules;
allDenied = if version24 then ''
Require all denied
'' else ''
Order deny,allow
Deny from all
'';
allGranted = if version24 then ''
Require all granted
'' else ''
Order allow,deny
Allow from all
'';
loggingConf = '' loggingConf = ''
ErrorLog ${mainCfg.logDir}/error_log ErrorLog ${mainCfg.logDir}/error_log
@ -186,8 +209,7 @@ let
<Directory "${documentRoot}"> <Directory "${documentRoot}">
Options Indexes FollowSymLinks Options Indexes FollowSymLinks
AllowOverride None AllowOverride None
Order allow,deny ${allGranted}
Allow from all
</Directory> </Directory>
''; '';
@ -241,12 +263,10 @@ let
AllowOverride FileInfo AuthConfig Limit Indexes AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS> <Limit GET POST OPTIONS>
Order allow,deny ${allGranted}
Allow from all
</Limit> </Limit>
<LimitExcept GET POST OPTIONS> <LimitExcept GET POST OPTIONS>
Order deny,allow ${allDenied}
Deny from all
</LimitExcept> </LimitExcept>
</Directory> </Directory>
@ -268,8 +288,7 @@ let
Alias ${elem.urlPath} ${elem.dir}/ Alias ${elem.urlPath} ${elem.dir}/
<Directory ${elem.dir}> <Directory ${elem.dir}>
Options +Indexes Options +Indexes
Order allow,deny ${allGranted}
Allow from all
AllowOverride All AllowOverride All
</Directory> </Directory>
''; '';
@ -286,6 +305,10 @@ let
ServerRoot ${httpd} ServerRoot ${httpd}
${optionalString version24 ''
DefaultRuntimeDir ${mainCfg.stateDir}/runtime
''}
PidFile ${mainCfg.stateDir}/httpd.pid PidFile ${mainCfg.stateDir}/httpd.pid
${optionalString (mainCfg.multiProcessingModule != "prefork") '' ${optionalString (mainCfg.multiProcessingModule != "prefork") ''
@ -321,8 +344,7 @@ let
AddHandler type-map var AddHandler type-map var
<Files ~ "^\.ht"> <Files ~ "^\.ht">
Order allow,deny ${allDenied}
Deny from all
</Files> </Files>
${mimeConf} ${mimeConf}
@ -340,16 +362,14 @@ let
<Directory /> <Directory />
Options FollowSymLinks Options FollowSymLinks
AllowOverride None AllowOverride None
Order deny,allow ${allDenied}
Deny from all
</Directory> </Directory>
# But do allow access to files in the store so that we don't have # But do allow access to files in the store so that we don't have
# to generate <Directory> clauses for every generated file that we # to generate <Directory> clauses for every generated file that we
# want to serve. # want to serve.
<Directory /nix/store> <Directory /nix/store>
Order allow,deny ${allGranted}
Allow from all
</Directory> </Directory>
# Generate directives for the main server. # Generate directives for the main server.
@ -359,7 +379,8 @@ let
${let ${let
ports = map getPort allHosts; ports = map getPort allHosts;
uniquePorts = uniqList {inputList = ports;}; uniquePorts = uniqList {inputList = ports;};
in concatMapStrings (port: "NameVirtualHost *:${toString port}\n") uniquePorts directives = concatMapStrings (port: "NameVirtualHost *:${toString port}\n") uniquePorts;
in optionalString (!version24) directives
} }
${let ${let
@ -620,6 +641,10 @@ in
'' ''
mkdir -m 0750 -p ${mainCfg.stateDir} mkdir -m 0750 -p ${mainCfg.stateDir}
chown root.${mainCfg.group} ${mainCfg.stateDir} chown root.${mainCfg.group} ${mainCfg.stateDir}
${optionalString version24 ''
mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
''}
mkdir -m 0700 -p ${mainCfg.logDir} mkdir -m 0700 -p ${mainCfg.logDir}
${optionalString (mainCfg.documentRoot != null) ${optionalString (mainCfg.documentRoot != null)

15
modules/services/x11/xserver.nix
View File

@ -343,7 +343,8 @@ in
optional (elem "virtualbox" driverNames) kernelPackages.virtualboxGuestAdditions ++ optional (elem "virtualbox" driverNames) kernelPackages.virtualboxGuestAdditions ++
optional (elem "ati_unfree" driverNames) kernelPackages.ati_drivers_x11; optional (elem "ati_unfree" driverNames) kernelPackages.ati_drivers_x11;
environment.etc = optionals cfg.exportConfiguration environment.etc =
(optionals cfg.exportConfiguration
[ { source = "${configFile}"; [ { source = "${configFile}";
target = "X11/xorg.conf"; target = "X11/xorg.conf";
} }
@ -351,7 +352,15 @@ in
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
target = "X11/xkb"; target = "X11/xkb";
} }
]; ])
++ (optionals (elem "ati_unfree" driverNames) [
# according toiive on #ati you don't need the pcs, it is like registry... keeps old stuff to make your
# life harder ;) Still it seems to be required
{ source = "${kernelPackages.ati_drivers_x11}/etc/ati";
target = "ati";
}
]);
environment.x11Packages = environment.x11Packages =
[ xorg.xorgserver [ xorg.xorgserver
@ -420,6 +429,8 @@ in
"ln -sf ${kernelPackages.nvidia_x11_legacy96} /run/opengl-driver" "ln -sf ${kernelPackages.nvidia_x11_legacy96} /run/opengl-driver"
else if elem "nvidiaLegacy173" driverNames then else if elem "nvidiaLegacy173" driverNames then
"ln -sf ${kernelPackages.nvidia_x11_legacy173} /run/opengl-driver" "ln -sf ${kernelPackages.nvidia_x11_legacy173} /run/opengl-driver"
else if elem "ati_unfree" driverNames then
"ln -sf ${kernelPackages.ati_drivers_x11} /run/opengl-driver"
else if cfg.driSupport then else if cfg.driSupport then
"ln -sf ${pkgs.mesa} /run/opengl-driver" "ln -sf ${pkgs.mesa} /run/opengl-driver"
else "" else ""

4
modules/system/boot/stage-1-init.sh
View File

@ -40,10 +40,10 @@ EOF
case $reply in case $reply in
f) f)
exec setsid @shell@ < /dev/$console >/dev/$console 2>/dev/$console ;; exec setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" ;;
i) i)
echo "Starting interactive shell..." echo "Starting interactive shell..."
setsid @shell@ < /dev/$console >/dev/$console 2>/dev/$console || fail setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
;; ;;
*) *)
echo "Continuing...";; echo "Continuing...";;