Merge remote-tracking branch 'origin/master' into systemd

Eelco Dolstra 2012-12-11 17:40:39 +01:00
commit 97ae408e83
12 changed files with 48 additions and 172 deletions


@ -40,7 +40,6 @@ in
# The following are used by nixos-rebuild. # The following are used by nixos-rebuild.
nixFallback = pkgs.nixUnstable; nixFallback = pkgs.nixUnstable;
manifests = config.installer.manifests;
tests = config.tests; tests = config.tests;
} }


@ -25,12 +25,10 @@
<arg choice='plain'><option>dry-run</option></arg> <arg choice='plain'><option>dry-run</option></arg>
<arg choice='plain'><option>build-vm</option></arg> <arg choice='plain'><option>build-vm</option></arg>
<arg choice='plain'><option>build-vm-with-bootloader</option></arg> <arg choice='plain'><option>build-vm-with-bootloader</option></arg>
<arg choice='plain'><option>pull</option></arg>
</group> </group>
<sbr /> <sbr />
<arg><option>--upgrade</option></arg> <arg><option>--upgrade</option></arg>
<arg><option>--install-grub</option></arg> <arg><option>--install-grub</option></arg>
<arg><option>--no-pull</option></arg>
<arg><option>--no-build-nix</option></arg> <arg><option>--no-build-nix</option></arg>
<arg><option>--fast</option></arg> <arg><option>--fast</option></arg>
<arg><option>--rollback</option></arg> <arg><option>--rollback</option></arg>
@ -170,17 +168,6 @@ $ ./result/bin/run-*-vm
partition, which is mounted read-only in the VM.</para> partition, which is mounted read-only in the VM.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>pull</option></term>
<listitem>
<para>This operation fetches the latest manifest in the Nixpkgs
channel to speed up subsequent <command>nix-env</command>
operations. This is useful if you are not using
<command>nix-channel</command> but still want to use pre-built
binary packages. It doesnt reconfigure the system</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>


@ -42,8 +42,6 @@ in
isoImage.volumeID = "NIXOS_${config.system.nixosVersion}"; isoImage.volumeID = "NIXOS_${config.system.nixosVersion}";
installer.nixosURL = "http://nixos.org/releases/nixos/nixos-${config.system.nixosVersion}";
boot.postBootCommands = boot.postBootCommands =
'' ''
# Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required # Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required


@ -5,7 +5,6 @@
# - copy closure of Nix to target device # - copy closure of Nix to target device
# - register validity # - register validity
# - with a chroot to the target device: # - with a chroot to the target device:
# * do a nix-pull
# * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration> # * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration>
# * run the activation script of the configuration (also installs Grub) # * run the activation script of the configuration (also installs Grub)
@ -36,13 +35,6 @@ if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
fi fi
# Do a nix-pull to speed up building.
if test -n "@nixosURL@" -a ${NIXOS_PULL:-1} != 0; then
mkdir -p /nix/var/nix/channel-cache -m 0755
NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache \
@nix@/bin/nix-pull @nixosURL@/MANIFEST || true
fi
# Mount some stuff in the target root directory. We bind-mount /etc # Mount some stuff in the target root directory. We bind-mount /etc
# into the chroot because we need networking and the nixbld user # into the chroot because we need networking and the nixbld user
@ -116,6 +108,7 @@ export LC_TIME=
# Create a temporary Nix config file that causes the nixbld users to # Create a temporary Nix config file that causes the nixbld users to
# be used. # be used.
echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf
grep binary-caches /etc/nix/nix.conf >> $mountPoint/tmp/nix.conf
export NIX_CONF_DIR=/tmp export NIX_CONF_DIR=/tmp
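Review bot: The `grep binary-caches /etc/nix/nix.conf` added just before `export NIX_CONF_DIR=/tmp` is an unanchored substring match, so it also copies any `trusted-binary-caches` line (the option the nix module in this same commit emits directly below `binary-caches`) into the chroot's temporary config; if only the cache list is meant to carry over, anchor it: `grep '^binary-caches' /etc/nix/nix.conf >> $mountPoint/tmp/nix.conf`. grep also exits 1 when the installer's nix.conf has no such line, which would abort the installation if the script runs under `set -e` (not visible in this hunk); the nix-pull block removed above tolerated failure with `|| true`, so appending `|| true` or wrapping the copy in an explicit `if` keeps that best-effort behaviour. Because the copied URLs decide where the new system's closure is fetched from during installation, a one-line comment stating that the target inherits the live medium's binary-cache list would help the next reader.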


@ -18,14 +18,11 @@ The operation is one of the following:
build-vm-with-bootloader: build-vm-with-bootloader:
like build-vm, but include a boot loader in the VM like build-vm, but include a boot loader in the VM
dry-run: just show what store paths would be built/downloaded dry-run: just show what store paths would be built/downloaded
pull: just pull the NixOS channel manifest and exit
Options: Options:
--upgrade fetch the latest version of NixOS before rebuilding --upgrade fetch the latest version of NixOS before rebuilding
--install-grub (re-)install the Grub bootloader --install-grub (re-)install the Grub bootloader
--pull do a nix-pull to get the latest NixOS channel
manifest
--no-build-nix don't build the latest Nix from Nixpkgs before --no-build-nix don't build the latest Nix from Nixpkgs before
building NixOS building NixOS
--rollback restore the previous NixOS configuration (only --rollback restore the previous NixOS configuration (only
@ -49,7 +46,6 @@ EOF
# Parse the command line. # Parse the command line.
extraBuildFlags=() extraBuildFlags=()
action= action=
pullManifest=
buildNix=1 buildNix=1
rollback= rollback=
upgrade= upgrade=
@ -60,15 +56,12 @@ while test "$#" -gt 0; do
--help) --help)
showSyntax showSyntax
;; ;;
switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader|pull) switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader)
action="$i" action="$i"
;; ;;
--install-grub) --install-grub)
export NIXOS_INSTALL_GRUB=1 export NIXOS_INSTALL_GRUB=1
;; ;;
--pull)
pullManifest=1
;;
--no-build-nix) --no-build-nix)
buildNix= buildNix=
;; ;;
@ -127,24 +120,6 @@ if initctl status nix-daemon 2>&1 | grep -q 'running'; then
fi fi
# Pull the manifests defined in the configuration (the "manifests"
# attribute). Wonderfully hacky.
if [ -n "$pullManifest" -o "$action" = pull ]; then
set -o pipefail
manifests=$(nix-instantiate --eval-only --xml --strict '<nixos>' -A manifests \
| grep '<string' | sed 's^.*"\(.*\)".*^\1^g')
set +o pipefail
if [ $? -ne 0 ]; then exit 1; fi
mkdir -p /nix/var/nix/channel-cache
for i in $manifests; do
NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache nix-pull $i || true
done
fi
if [ "$action" = pull ]; then exit 0; fi
# If --upgrade is given, run nix-channel --update nixos. # If --upgrade is given, run nix-channel --update nixos.
if [ -n "$upgrade" ]; then if [ -n "$upgrade" ]; then
nix-channel --update nixos nix-channel --update nixos


@ -1,7 +1,7 @@
# This module generates nixos-install, nixos-rebuild, # This module generates nixos-install, nixos-rebuild,
# nixos-hardware-scan, etc. # nixos-hardware-scan, etc.
{config, pkgs, modulesPath, ...}: { config, pkgs, modulesPath, ... }:
let let
### implementation ### implementation
@ -23,7 +23,6 @@ let
inherit (pkgs) perl pathsFromGraph; inherit (pkgs) perl pathsFromGraph;
nix = config.environment.nix; nix = config.environment.nix;
nixosURL = cfg.nixosURL;
nixClosure = pkgs.runCommand "closure" nixClosure = pkgs.runCommand "closure"
{ exportReferencesGraph = ["refs" config.environment.nix]; } { exportReferencesGraph = ["refs" config.environment.nix]; }
@ -84,29 +83,6 @@ in
{ {
options = { options = {
# FIXME: remove this option once we're using Nix 1.2.
installer.nixosURL = pkgs.lib.mkOption {
default = http://nixos.org/channels/nixos-unstable;
example = http://nixos.org/releases/nixos/nixos-0.1pre1234;
description = ''
URL of the Nixpkgs distribution to use when building the
installation CD.
'';
};
# FIXME: idem.
installer.manifests = pkgs.lib.mkOption {
default = [ http://nixos.org/channels/nixos-unstable/MANIFEST ];
example =
[ http://nixos.org/channels/nixpkgs-unstable/MANIFEST
http://nixos.org/channels/nixos-stable/MANIFEST
];
description = ''
URLs of manifests to be downloaded when you run
<command>nixos-rebuild</command> to speed up builds.
'';
};
installer.enableGraphicalTools = pkgs.lib.mkOption { installer.enableGraphicalTools = pkgs.lib.mkOption {
default = false; default = false;
type = with pkgs.lib.types; bool; type = with pkgs.lib.types; bool;


@ -131,6 +131,7 @@ in
spamd = 56; spamd = 56;
networkmanager = 57; networkmanager = 57;
nslcd = 58; nslcd = 58;
scanner = 59;
# When adding a gid, make sure it doesn't match an existing uid. # When adding a gid, make sure it doesn't match an existing uid.


@ -29,6 +29,12 @@ with pkgs.lib;
in mkIf config.hardware.sane.enable { in mkIf config.hardware.sane.enable {
environment.systemPackages = [ pkg ]; environment.systemPackages = [ pkg ];
services.udev.packages = [ pkg ]; services.udev.packages = [ pkg ];
users.extraGroups = singleton {
name = "scanner";
gid = config.ids.gids.scanner;
};
}; };
} }


@ -247,8 +247,8 @@ in
build-max-jobs = ${toString (cfg.maxJobs)} build-max-jobs = ${toString (cfg.maxJobs)}
build-use-chroot = ${if cfg.useChroot then "true" else "false"} build-use-chroot = ${if cfg.useChroot then "true" else "false"}
build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths) build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths)
binary-caches = ${toString config.nix.binaryCaches} binary-caches = ${toString cfg.binaryCaches}
trusted-binary-caches = ${toString config.nix.trustedBinaryCaches} trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
$extraOptions $extraOptions
END END
''; '';


@ -24,7 +24,8 @@ let
option classless_static_routes, ntp_servers, interface_mtu option classless_static_routes, ntp_servers, interface_mtu
# A ServerID is required by RFC2131. # A ServerID is required by RFC2131.
require dhcp_server_identifier # Commented out because of many non-compliant DHCP servers in the wild :(
#require dhcp_server_identifier
# A hook script is provided to lookup the hostname if not set by # A hook script is provided to lookup the hostname if not set by
# the DHCP server, but it should not be run by default. # the DHCP server, but it should not be run by default.
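Review bot: Commenting out `require dhcp_server_identifier` loosens the filter for every NixOS host, with apparently no way to re-enable it from configuration (none is visible in this hunk), and the replacement comment records only the motivation, not the consequence: dhcpcd will now accept replies that carry no server identifier. Suggest extending the comment to `# Commented out because of many non-compliant DHCP servers in the wild :( — replies without a ServerID are therefore accepted.` so the trade-off is explicit in the generated file. If the stricter behaviour is still wanted on managed networks, exposing this `require` line through a module option would be preferable to hard-disabling it for all hosts.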


@ -41,102 +41,45 @@ let
userOptions = { userOptions = {
openssh.authorizedKeys = { openssh.authorizedKeys = {
preserveExistingKeys = mkOption {
type = types.bool;
default = true;
description = ''
If this option is enabled, the keys specified in
<literal>keys</literal> and/or <literal>keyFiles</literal> will be
placed in a special section of the user's authorized_keys file
and any existing keys will be preserved. That section will be
regenerated each time NixOS is activated. However, if
<literal>preserveExisting</literal> isn't enabled, the complete file
will be generated, and any user modifications will be wiped out.
'';
};
keys = mkOption { keys = mkOption {
type = types.listOf types.string; type = types.listOf types.string;
default = []; default = [];
description = '' description = ''
A list of verbatim OpenSSH public keys that should be inserted into the A list of verbatim OpenSSH public keys that should be added to the
user's authorized_keys file. You can combine the <literal>keys</literal> and user's authorized keys. The keys are added to a file that the SSH
daemon reads in addition to the the user's authorized_keys file.
You can combine the <literal>keys</literal> and
<literal>keyFiles</literal> options. <literal>keyFiles</literal> options.
''; '';
}; };
keyFiles = mkOption { keyFiles = mkOption {
#type = types.listOf types.string;
default = []; default = [];
description = '' description = ''
A list of files each containing one OpenSSH public keys that should be A list of files each containing one OpenSSH public key that should be
inserted into the user's authorized_keys file. You can combine added to the user's authorized keys. The contents of the files are
the <literal>keyFiles</literal> and read at build time and added to a file that the SSH daemon reads in
<literal>keys</literal> options. addition to the the user's authorized_keys file. You can combine the
<literal>keyFiles</literal> and <literal>keys</literal> options.
''; '';
}; };
}; };
}; };
mkAuthkeyScript = authKeysFiles = let
let mkAuthKeyFile = u: {
marker1 = "### NixOS auto-added key. Do not edit!"; target = "ssh/authorized_keys.d/${u.name}";
marker2 = "### NixOS will regenerate this file. Do not edit!"; mode = "0444";
users = map (userName: getAttr userName config.users.extraUsers) (attrNames config.users.extraUsers); source = pkgs.writeText "${u.name}-authorized_keys" ''
usersWithKeys = flip filter users (u: ${concatStringsSep "\n" u.openssh.authorizedKeys.keys}
length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0 ${concatMapStrings (f: builtins.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
); '';
userLoop = flip concatMapStrings usersWithKeys (u: };
let usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u:
authKeys = concatStringsSep "," u.openssh.authorizedKeys.keys; length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
authKeyFiles = concatStrings (map (x: " ${x}") u.openssh.authorizedKeys.keyFiles); ));
preserveExisting = if u.openssh.authorizedKeys.preserveExistingKeys then "true" else "false"; in map mkAuthKeyFile usersWithKeys;
in ''
mkAuthKeysFile "${u.name}" "${authKeys}" "${authKeyFiles}" "${preserveExisting}"
''
);
in ''
mkAuthKeysFile() {
local userName="$1"
local authKeys="$2"
local authKeyFiles="$3"
local preserveExisting="$4"
eval homeDir=~$userName
if ! [ -d "$homeDir" ]; then
echo "User $userName does not exist"
return
fi
if ! [ -d "$homeDir/.ssh" ]; then
mkdir -v -m 700 "$homeDir/.ssh"
chown "$userName":users "$homeDir/.ssh"
fi
local authKeysFile="$homeDir/.ssh/authorized_keys"
touch "$authKeysFile"
if [ "$preserveExisting" == false ]; then
rm -f "$authKeysFile"
echo "${marker2}" > "$authKeysFile"
else
sed -i '/${marker1}/ d' "$authKeysFile"
fi
IFS=,
for f in $authKeys; do
echo "$f ${marker1}" >> "$authKeysFile"
done
unset IFS
for f in $authKeyFiles; do
if [ -f "$f" ]; then
echo "$(cat "$f") ${marker1}" >> "$authKeysFile"
fi
done
chown "$userName" "$authKeysFile"
}
${userLoop}
'';
in in
@ -244,6 +187,11 @@ in
''; '';
}; };
authorizedKeysFiles = mkOption {
default = [];
description = "Files from with authorized keys are read.";
};
extraConfig = mkOption { extraConfig = mkOption {
default = ""; default = "";
description = "Verbatim contents of <filename>sshd_config</filename>."; description = "Verbatim contents of <filename>sshd_config</filename>.";
@ -305,7 +253,7 @@ in
home = "/var/empty"; home = "/var/empty";
}; };
environment.etc = [ environment.etc = authKeysFiles ++ [
{ source = "${pkgs.openssh}/etc/ssh/moduli"; { source = "${pkgs.openssh}/etc/ssh/moduli";
target = "ssh/moduli"; target = "ssh/moduli";
} }
@ -314,22 +262,10 @@ in
} }
]; ];
boot.systemd.services."set-ssh-keys" =
{ description = "Update authorized SSH keys";
wantedBy = [ "multi-user.target" ];
script = mkAuthkeyScript;
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
};
boot.systemd.services.sshd = boot.systemd.services.sshd =
{ description = "SSH Daemon"; { description = "SSH Daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "set-ssh-keys.service" ];
path = [ pkgs.openssh ]; path = [ pkgs.openssh ];
@ -360,6 +296,9 @@ in
security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; }; security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
services.openssh.authorizedKeysFiles =
[ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
services.openssh.extraConfig = services.openssh.extraConfig =
'' ''
PidFile /run/sshd.pid PidFile /run/sshd.pid
@ -393,6 +332,8 @@ in
ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"} ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
PrintMotd no # handled by pam_motd PrintMotd no # handled by pam_motd
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
''; '';
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
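Review bot: The new `authorizedKeysFiles` option declared just above `extraConfig` has no `type` and its description reads "Files from with authorized keys are read."; declare it as `type = types.listOf types.string;` (the form already used for `keys` in this file) and fix the wording to "Files from which authorized keys are read." Its description should also say that the list is joined with `toString` into the single `AuthorizedKeysFile` line emitted at the end of `extraConfig`, so entries must not contain whitespace, and that sshd expands `%u` to the user name, which is what the `/etc/ssh/authorized_keys.d/%u` default relies on. One caveat worth a comment near `mkAuthKeyFile`: the generated files are installed under `/etc` via environment.etc as mode 0444, and sshd with StrictModes (as far as I recall it checks absolute key-file paths and their parent directories too) will refuse them if `/etc/ssh/authorized_keys.d` ever becomes group- or world-writable. The `keyFiles` contents are read with `builtins.readFile` at evaluation time, so a key file rotated on disk has no effect until the next rebuild; the option description says so, but a `# NOTE: read at build time, not by sshd at login` beside the `readFile` call would save a future reader from expecting runtime behaviour.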


@ -75,7 +75,7 @@ let
{ services.httpd.enable = true; { services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org"; services.httpd.adminAddr = "foo@example.org";
services.httpd.servedDirs = singleton services.httpd.servedDirs = singleton
{ urlPath = "/channels/nixos-unstable"; { urlPath = "/binary-cache";
dir = "/tmp/channel"; dir = "/tmp/channel";
}; };
@ -125,7 +125,6 @@ let
"rm /etc/hosts", "rm /etc/hosts",
"echo 192.168.1.1 nixos.org > /etc/hosts", "echo 192.168.1.1 nixos.org > /etc/hosts",
"ifconfig eth1 up 192.168.1.2", "ifconfig eth1 up 192.168.1.2",
"nixos-rebuild pull",
); );
# Test nix-env. # Test nix-env.