diff --git a/default.nix b/default.nix index fda19c3a149..9d1475b6961 100644 --- a/default.nix +++ b/default.nix @@ -40,7 +40,6 @@ in # The following are used by nixos-rebuild. nixFallback = pkgs.nixUnstable; - manifests = config.installer.manifests; tests = config.tests; } diff --git a/doc/manual/man-nixos-rebuild.xml b/doc/manual/man-nixos-rebuild.xml index ddf4e40be0c..4828215977e 100644 --- a/doc/manual/man-nixos-rebuild.xml +++ b/doc/manual/man-nixos-rebuild.xml @@ -25,12 +25,10 @@ - - @@ -170,17 +168,6 @@ $ ./result/bin/run-*-vm partition, which is mounted read-only in the VM. - - - - - This operation fetches the latest manifest in the Nixpkgs - channel to speed up subsequent nix-env - operations. This is useful if you are not using - nix-channel but still want to use pre-built - binary packages. It doesn’t reconfigure the system - - diff --git a/modules/installer/cd-dvd/installation-cd-base.nix b/modules/installer/cd-dvd/installation-cd-base.nix index 375941d2447..1edb2a45236 100644 --- a/modules/installer/cd-dvd/installation-cd-base.nix +++ b/modules/installer/cd-dvd/installation-cd-base.nix @@ -42,8 +42,6 @@ in isoImage.volumeID = "NIXOS_${config.system.nixosVersion}"; - installer.nixosURL = "http://nixos.org/releases/nixos/nixos-${config.system.nixosVersion}"; - boot.postBootCommands = '' # Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required diff --git a/modules/installer/tools/nixos-install.sh b/modules/installer/tools/nixos-install.sh index d1fdc5820b1..0739c33e857 100644 --- a/modules/installer/tools/nixos-install.sh +++ b/modules/installer/tools/nixos-install.sh @@ -5,7 +5,6 @@ # - copy closure of Nix to target device # - register validity # - with a chroot to the target device: -# * do a nix-pull # * nix-env -p /nix/var/nix/profiles/system -i # * run the activation script of the configuration (also installs Grub) 
@@ -36,13 +35,6 @@ if ! test -e "$mountPoint/$NIXOS_CONFIG"; then fi -# Do a nix-pull to speed up building. -if test -n "@nixosURL@" -a ${NIXOS_PULL:-1} != 0; then - mkdir -p /nix/var/nix/channel-cache -m 0755 - NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache \ - @nix@/bin/nix-pull @nixosURL@/MANIFEST || true -fi - # Mount some stuff in the target root directory. We bind-mount /etc # into the chroot because we need networking and the nixbld user @@ -116,6 +108,7 @@ export LC_TIME= # Create a temporary Nix config file that causes the nixbld users to # be used. echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf +grep binary-caches /etc/nix/nix.conf >> $mountPoint/tmp/nix.conf export NIX_CONF_DIR=/tmp diff --git a/modules/installer/tools/nixos-rebuild.sh b/modules/installer/tools/nixos-rebuild.sh index f7c22b98dd7..01665e277b6 100644 --- a/modules/installer/tools/nixos-rebuild.sh +++ b/modules/installer/tools/nixos-rebuild.sh @@ -18,14 +18,11 @@ The operation is one of the following: build-vm-with-bootloader: like build-vm, but include a boot loader in the VM dry-run: just show what store paths would be built/downloaded - pull: just pull the NixOS channel manifest and exit Options: --upgrade fetch the latest version of NixOS before rebuilding --install-grub (re-)install the Grub bootloader - --pull do a nix-pull to get the latest NixOS channel - manifest --no-build-nix don't build the latest Nix from Nixpkgs before building NixOS --rollback restore the previous NixOS configuration (only @@ -49,7 +46,6 @@ EOF # Parse the command line. extraBuildFlags=() action= -pullManifest= buildNix=1 rollback= upgrade= @@ -60,15 +56,12 @@ while test "$#" -gt 0; do --help) showSyntax ;; - switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader|pull) + switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader) action="$i" ;; --install-grub) export NIXOS_INSTALL_GRUB=1 ;; - --pull) - pullManifest=1 - ;; --no-build-nix) buildNix= ;; 
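Review bot: The new `grep binary-caches /etc/nix/nix.conf >> $mountPoint/tmp/nix.conf` line is unanchored, so it also copies any `trusted-binary-caches` line (nix-daemon.nix elsewhere in this diff emits both keys), and grep exits non-zero when /etc/nix/nix.conf is absent or has no such line, which would abort the installer if the script runs under `set -e` (not visible in the hunk). Anchor the pattern and make the copy best-effort, `grep -E '^binary-caches' /etc/nix/nix.conf >> "$mountPoint/tmp/nix.conf" || true`, or use `'^(trusted-)?binary-caches'` if the trusted list is meant to be carried over as well. A comment stating the intent would help the next reader, e.g. `# Reuse the host's binary caches (presumably replacing the old nix-pull) so the chroot install can fetch pre-built paths.`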
@@ -127,24 +120,6 @@ if initctl status nix-daemon 2>&1 | grep -q 'running'; then fi -# Pull the manifests defined in the configuration (the "manifests" -# attribute). Wonderfully hacky. -if [ -n "$pullManifest" -o "$action" = pull ]; then - set -o pipefail - manifests=$(nix-instantiate --eval-only --xml --strict '' -A manifests \ - | grep 'nixos-rebuild to speed up builds. - ''; - }; - installer.enableGraphicalTools = pkgs.lib.mkOption { default = false; type = with pkgs.lib.types; bool; diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 92e9bb90893..218bd0ed47a 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -131,6 +131,7 @@ in spamd = 56; networkmanager = 57; nslcd = 58; + scanner = 59; # When adding a gid, make sure it doesn't match an existing uid. diff --git a/modules/services/hardware/sane.nix b/modules/services/hardware/sane.nix index 6849b3a7bc8..905445f22c1 100644 --- a/modules/services/hardware/sane.nix +++ b/modules/services/hardware/sane.nix @@ -29,6 +29,12 @@ with pkgs.lib; in mkIf config.hardware.sane.enable { environment.systemPackages = [ pkg ]; services.udev.packages = [ pkg ]; + + users.extraGroups = singleton { + name = "scanner"; + gid = config.ids.gids.scanner; + }; + }; } diff --git a/modules/services/misc/nix-daemon.nix b/modules/services/misc/nix-daemon.nix index 5af2d19a839..49aa8e7931f 100644 --- a/modules/services/misc/nix-daemon.nix +++ b/modules/services/misc/nix-daemon.nix @@ -247,8 +247,8 @@ in build-max-jobs = ${toString (cfg.maxJobs)} build-use-chroot = ${if cfg.useChroot then "true" else "false"} build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths) - binary-caches = ${toString config.nix.binaryCaches} - trusted-binary-caches = ${toString config.nix.trustedBinaryCaches} + binary-caches = ${toString cfg.binaryCaches} + trusted-binary-caches = ${toString cfg.trustedBinaryCaches} $extraOptions END ''; 
diff --git a/modules/services/networking/dhcpcd.nix b/modules/services/networking/dhcpcd.nix index 6c8194f0971..2a0d73f6004 100644 --- a/modules/services/networking/dhcpcd.nix +++ b/modules/services/networking/dhcpcd.nix @@ -24,7 +24,8 @@ let option classless_static_routes, ntp_servers, interface_mtu # A ServerID is required by RFC2131. - require dhcp_server_identifier + # Commented out because of many non-compliant DHCP servers in the wild :( + #require dhcp_server_identifier # A hook script is provided to lookup the hostname if not set by # the DHCP server, but it should not be run by default. diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix index 858261bd33e..21f81152fa5 100644 --- a/modules/services/networking/ssh/sshd.nix +++ b/modules/services/networking/ssh/sshd.nix 
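Review bot: Commenting out `require dhcp_server_identifier` drops the RFC 2131 server-identifier check on every network, not only the non-compliant ones the new comment mentions, so dhcpcd now accepts DHCP messages that carry no server identifier everywhere. Rather than hard-coding the relaxed behaviour in the generated dhcpcd.conf, consider gating the line on a boolean module option (default matching this commit) so a deployment on a compliant network can re-enable the check; the `let` binding that builds the config starts before the hunk. At minimum the comment should record what is given up, e.g. `# Disabled: many DHCP servers in the wild omit the server identifier, so messages without one are accepted.`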
@@ -41,102 +41,45 @@ let userOptions = { openssh.authorizedKeys = { - - preserveExistingKeys = mkOption { - type = types.bool; - default = true; - description = '' - If this option is enabled, the keys specified in - keys and/or keyFiles will be - placed in a special section of the user's authorized_keys file - and any existing keys will be preserved. That section will be - regenerated each time NixOS is activated. However, if - preserveExisting isn't enabled, the complete file - will be generated, and any user modifications will be wiped out. - ''; - }; - keys = mkOption { type = types.listOf types.string; default = []; description = '' - A list of verbatim OpenSSH public keys that should be inserted into the - user's authorized_keys file. You can combine the keys and + A list of verbatim OpenSSH public keys that should be added to the + user's authorized keys. The keys are added to a file that the SSH + daemon reads in addition to the the user's authorized_keys file. + You can combine the keys and keyFiles options. ''; }; keyFiles = mkOption { - #type = types.listOf types.string; default = []; description = '' - A list of files each containing one OpenSSH public keys that should be - inserted into the user's authorized_keys file. You can combine - the keyFiles and - keys options. + A list of files each containing one OpenSSH public key that should be + added to the user's authorized keys. The contents of the files are + read at build time and added to a file that the SSH daemon reads in + addition to the the user's authorized_keys file. You can combine the + keyFiles and keys options. ''; }; - }; }; - mkAuthkeyScript = - let - marker1 = "### NixOS auto-added key. Do not edit!"; - marker2 = "### NixOS will regenerate this file. 
Do not edit!"; - users = map (userName: getAttr userName config.users.extraUsers) (attrNames config.users.extraUsers); - usersWithKeys = flip filter users (u: - length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0 - ); - userLoop = flip concatMapStrings usersWithKeys (u: - let - authKeys = concatStringsSep "," u.openssh.authorizedKeys.keys; - authKeyFiles = concatStrings (map (x: " ${x}") u.openssh.authorizedKeys.keyFiles); - preserveExisting = if u.openssh.authorizedKeys.preserveExistingKeys then "true" else "false"; - in '' - mkAuthKeysFile "${u.name}" "${authKeys}" "${authKeyFiles}" "${preserveExisting}" - '' - ); - in '' - mkAuthKeysFile() { - local userName="$1" - local authKeys="$2" - local authKeyFiles="$3" - local preserveExisting="$4" - - eval homeDir=~$userName - if ! [ -d "$homeDir" ]; then - echo "User $userName does not exist" - return - fi - if ! [ -d "$homeDir/.ssh" ]; then - mkdir -v -m 700 "$homeDir/.ssh" - chown "$userName":users "$homeDir/.ssh" - fi - local authKeysFile="$homeDir/.ssh/authorized_keys" - touch "$authKeysFile" - if [ "$preserveExisting" == false ]; then - rm -f "$authKeysFile" - echo "${marker2}" > "$authKeysFile" - else - sed -i '/${marker1}/ d' "$authKeysFile" - fi - IFS=, - for f in $authKeys; do - echo "$f ${marker1}" >> "$authKeysFile" - done - unset IFS - for f in $authKeyFiles; do - if [ -f "$f" ]; then - echo "$(cat "$f") ${marker1}" >> "$authKeysFile" - fi - done - chown "$userName" "$authKeysFile" - } - - ${userLoop} - ''; + authKeysFiles = let + mkAuthKeyFile = u: { + target = "ssh/authorized_keys.d/${u.name}"; + mode = "0444"; + source = pkgs.writeText "${u.name}-authorized_keys" '' + ${concatStringsSep "\n" u.openssh.authorizedKeys.keys} + ${concatMapStrings (f: builtins.readFile f + "\n") u.openssh.authorizedKeys.keyFiles} + ''; + }; + usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u: + length u.openssh.authorizedKeys.keys != 0 || length 
u.openssh.authorizedKeys.keyFiles != 0 + )); + in map mkAuthKeyFile usersWithKeys; in @@ -244,6 +187,11 @@ in ''; }; + authorizedKeysFiles = mkOption { + default = []; + description = "Files from with authorized keys are read."; + }; + extraConfig = mkOption { default = ""; description = "Verbatim contents of sshd_config."; @@ -305,7 +253,7 @@ in home = "/var/empty"; }; - environment.etc = [ + environment.etc = authKeysFiles ++ [ { source = "${pkgs.openssh}/etc/ssh/moduli"; target = "ssh/moduli"; } @@ -314,22 +262,10 @@ in } ]; - boot.systemd.services."set-ssh-keys" = - { description = "Update authorized SSH keys"; - - wantedBy = [ "multi-user.target" ]; - - script = mkAuthkeyScript; - - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - }; - boot.systemd.services.sshd = { description = "SSH Daemon"; wantedBy = [ "multi-user.target" ]; - after = [ "set-ssh-keys.service" ]; path = [ pkgs.openssh ]; @@ -360,6 +296,9 @@ in security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; }; + services.openssh.authorizedKeysFiles = + [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; + services.openssh.extraConfig = '' PidFile /run/sshd.pid @@ -393,6 +332,8 @@ in ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"} PrintMotd no # handled by pam_motd + + AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} ''; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; diff --git a/tests/installer.nix b/tests/installer.nix index 9f89ad10021..477e5c660af 100644 --- a/tests/installer.nix +++ b/tests/installer.nix @@ -75,7 +75,7 @@ let { services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; services.httpd.servedDirs = singleton - { urlPath = "/channels/nixos-unstable"; + { urlPath = "/binary-cache"; dir = "/tmp/channel"; }; 
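Review bot: `keyFiles` loses even its commented-out `type` in this hunk and is left untyped, while the new `authKeysFiles` binding feeds every entry straight to `builtins.readFile`, so a non-path value fails only at build time with a readFile error instead of an option type error; add `type = types.listOf types.path;` (the sibling `keys` option already carries a type). The description should also say where the contents end up: the generated file is written with `pkgs.writeText` and installed under /etc with `mode = "0444"`, so it is readable by every local user and only public keys belong in these files, e.g. append `The file contents end up in a world-readable file under /etc/ssh/authorized_keys.d.`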
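Review bot: The description of the new `authorizedKeysFiles` option reads `Files from with authorized keys are read.` and should read `Files from which authorized keys are read.`; the option also lacks a `type`, e.g. `type = types.listOf types.string;`, matching `keys`. The description should state what the values mean, since the list is passed verbatim to `AuthorizedKeysFile` in the extraConfig hunk further down: relative paths are resolved against the user's home directory and sshd tokens such as `%u` are allowed. It should also note that list definitions from several modules are merged, so the `.ssh/authorized_keys2` and `/etc/ssh/authorized_keys.d/%u` entries this module adds itself can only be removed with `mkForce`.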
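Review bot: Removing `set-ssh-keys.service` leaves behind what it previously wrote: the lines tagged `### NixOS auto-added key. Do not edit!` in each user's ~/.ssh/authorized_keys stay in place, and because the default `authorizedKeysFiles` list in the later hunk still names `.ssh/authorized_keys`, a key deleted from `openssh.authorizedKeys.keys` remains accepted on upgraded systems until someone edits that file by hand. A one-off activation step that strips lines carrying the old marker (the `sed -i '/marker/ d'` the removed script used) would make key revocation through the configuration effective again. Users who had set `preserveExistingKeys = false` also lose the guarantee that NixOS owns the whole file, which deserves a release note; the `boot.systemd.services.sshd` definition continues past the hunk.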
@@ -125,7 +125,6 @@ let "rm /etc/hosts", "echo 192.168.1.1 nixos.org > /etc/hosts", "ifconfig eth1 up 192.168.1.2", - "nixos-rebuild pull", ); # Test nix-env.