Add section on network configuration topics
This commit is contained in:
parent
1541311f06
commit
b79c5dc878
|
@ -0,0 +1,169 @@
|
|||
<chapter xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
xml:id="ch-configuration">
|
||||
|
||||
<title>Configuration</title>
|
||||
|
||||
<para>This chapter describes how to configure various aspects of a
|
||||
NixOS machine through the configuration file
|
||||
<filename>/etc/nixos/configuration.nix</filename>. As described in
|
||||
<xref linkend="sec-changing-config" />, changes to that file only take
|
||||
effect after you run <command>nixos-rebuild</command>.</para>
|
||||
|
||||
|
||||
<!--===============================================================-->
|
||||
|
||||
<section><title>Networking</title>
|
||||
|
||||
<section><title>Secure shell access</title>
|
||||
|
||||
<para>Secure shell (SSH) access to your machine can be enabled by
|
||||
setting:
|
||||
|
||||
<programlisting>
|
||||
services.openssh.enable = true;
|
||||
</programlisting>
|
||||
|
||||
By default, root logins using a password are disallowed. They can be
|
||||
disabled entirely by setting
|
||||
<literal>services.openssh.permitRootLogin</literal> to
|
||||
<literal>"no"</literal>.</para>
|
||||
|
||||
<para>You can declaratively specify authorised RSA/DSA public keys for
|
||||
a user as follows:
|
||||
|
||||
<!-- FIXME: this might not work if the user is unmanaged. -->
|
||||
<programlisting>
|
||||
users.extraUsers.alice.openssh.authorizedKeys.keys =
|
||||
[ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ];
|
||||
</programlisting>
|
||||
|
||||
</para>
|
||||
|
||||
</section>
|
||||
|
||||
|
||||
<section><title>IPv4 configuration</title>
|
||||
|
||||
<para>By default, NixOS uses DHCP (specifically,
|
||||
(<command>dhcpcd</command>)) to automatically configure network
|
||||
interfaces. However, you can configure an interface manually as
|
||||
follows:
|
||||
|
||||
<programlisting>
|
||||
networking.interfaces.eth0 = { ipAddress = "192.168.1.2"; prefixLength = 24; };
|
||||
</programlisting>
|
||||
|
||||
(The network prefix can also be specified using the option
|
||||
<literal>subnetMask</literal>,
|
||||
e.g. <literal>"255.255.255.0"</literal>, but this is deprecated.)
|
||||
Typically you’ll also want to set a default gateway and set of name
|
||||
servers:
|
||||
|
||||
<programlisting>
|
||||
networking.defaultGateway = "192.168.1.1";
|
||||
networking.nameservers = [ "8.8.8.8" ];
|
||||
</programlisting>
|
||||
|
||||
</para>
|
||||
|
||||
<note><para>Statically configured interfaces are set up by the systemd
|
||||
service
|
||||
<replaceable>interface-name</replaceable><literal>-cfg.service</literal>.
|
||||
The default gateway and name server configuration is performed by
|
||||
<literal>network-setup.service</literal>.</para></note>
|
||||
|
||||
<para>The host name is set using <option>networking.hostName</option>:
|
||||
|
||||
<programlisting>
|
||||
networking.hostName = "cartman";
|
||||
</programlisting>
|
||||
|
||||
The default host name is <literal>nixos</literal>. Set it to the
|
||||
empty string (<literal>""</literal>) to allow the DHCP server to
|
||||
provide the host name.</para>
|
||||
|
||||
</section>
|
||||
|
||||
|
||||
<section><title>IPv6 configuration</title>
|
||||
|
||||
<para>IPv6 is enabled by default. Stateless address autoconfiguration
|
||||
is used to automatically assign IPv6 addresses to all interfaces. You
|
||||
can disable IPv6 support globally by setting:
|
||||
|
||||
<programlisting>
|
||||
networking.enableIPv6 = false;
|
||||
</programlisting>
|
||||
|
||||
</para>
|
||||
|
||||
</section>
|
||||
|
||||
|
||||
<section><title>Firewall</title>
|
||||
|
||||
<para>NixOS has a simple stateful firewall that blocks incoming
|
||||
connections and other unexpected packets. The firewall applies to
|
||||
both IPv4 and IPv6 traffic. It can be enabled as follows:
|
||||
|
||||
<programlisting>
|
||||
networking.firewall.enable = true;
|
||||
</programlisting>
|
||||
|
||||
You can open specific TCP ports to the outside world:
|
||||
|
||||
<programlisting>
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
</programlisting>
|
||||
|
||||
Note that TCP port 22 (ssh) is opened automatically if the SSH daemon
|
||||
is enabled (<option>services.openssh.enable = true</option>). UDP
|
||||
ports can be opened through
|
||||
<option>networking.firewall.allowedUDPPorts</option>. Also of
|
||||
interest is
|
||||
|
||||
<programlisting>
|
||||
networking.firewall.allowPing = true;
|
||||
</programlisting>
|
||||
|
||||
to allow the machine to respond to ping requests. (ICMPv6 pings are
|
||||
always allowed.)</para>
|
||||
|
||||
</section>
|
||||
|
||||
|
||||
<section><title>Wireless networks</title>
|
||||
|
||||
<para>TODO</para>
|
||||
|
||||
</section>
|
||||
|
||||
|
||||
<section><title>Ad-hoc configuration</title>
|
||||
|
||||
<para>You can use <option>networking.localCommands</option> to specify
|
||||
shell commands to be run at the end of
|
||||
<literal>network-setup.service</literal>. This is useful for doing
|
||||
network configuration not covered by the existing NixOS modules. For
|
||||
instance, to statically configure an IPv6 address:
|
||||
|
||||
<programlisting>
|
||||
networking.localCommands =
|
||||
''
|
||||
ip -6 addr add 2001:610:685:1::1/64 dev eth0
|
||||
'';
|
||||
</programlisting>
|
||||
|
||||
</para>
|
||||
|
||||
</section>
|
||||
|
||||
|
||||
<!-- TODO: OpenVPN, NAT -->
|
||||
|
||||
|
||||
</section>
|
||||
|
||||
|
||||
</chapter>
|
|
@ -58,7 +58,7 @@ Wiki</link>.</para>
|
|||
|
||||
<listitem><para>For partitioning:
|
||||
<command>fdisk</command>.</para></listitem>
|
||||
|
||||
|
||||
<listitem><para>For initialising Ext4 partitions:
|
||||
<command>mkfs.ext4</command>. It is recommended that you assign a
|
||||
unique symbolic label to the file system using the option
|
||||
|
@ -70,13 +70,13 @@ Wiki</link>.</para>
|
|||
<command>mkswap</command>. Again it’s recommended to assign a
|
||||
label to the swap partition: <option>-L
|
||||
<replaceable>label</replaceable></option>.</para></listitem>
|
||||
|
||||
|
||||
<listitem><para>For creating LVM volumes, the LVM commands, e.g.,
|
||||
|
||||
<screen>
|
||||
$ pvcreate /dev/sda1 /dev/sdb1
|
||||
$ vgcreate MyVolGroup /dev/sda1 /dev/sdb1
|
||||
$ lvcreate --size 2G --name bigdisk MyVolGroup
|
||||
$ lvcreate --size 2G --name bigdisk MyVolGroup
|
||||
$ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
|
||||
|
||||
</para></listitem>
|
||||
|
@ -87,7 +87,7 @@ $ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
|
|||
</itemizedlist>
|
||||
|
||||
</para></listitem>
|
||||
|
||||
|
||||
<listitem><para>Mount the target file system on which NixOS should
|
||||
be installed on <filename>/mnt</filename>.</para></listitem>
|
||||
|
||||
|
@ -138,7 +138,7 @@ $ nixos-option --install</screen>
|
|||
xlink:href="https://nixos.org/repos/nix/configurations/trunk/"/>.</para>
|
||||
|
||||
</listitem>
|
||||
|
||||
|
||||
<listitem><para>If your machine has a limited amount of memory, you
|
||||
may want to activate swap devices now (<command>swapon
|
||||
<replaceable>device</replaceable></command>). The installer (or
|
||||
|
@ -234,7 +234,7 @@ $ reboot</screen>
|
|||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-label/swap"; } ];
|
||||
|
||||
|
||||
services.sshd.enable = true;
|
||||
}</screen>
|
||||
</example>
|
||||
|
@ -260,7 +260,7 @@ to build the new configuration, make it the default configuration for
|
|||
booting, and try to realise the configuration in the running system
|
||||
(e.g., by restarting system services).</para>
|
||||
|
||||
<para>You can also do
|
||||
<para>You can also do
|
||||
|
||||
<screen>
|
||||
$ nixos-rebuild test</screen>
|
||||
|
@ -270,7 +270,7 @@ without making it the boot default. So if (say) the configuration
|
|||
locks up your machine, you can just reboot to get back to a working
|
||||
configuration.</para>
|
||||
|
||||
<para>There is also
|
||||
<para>There is also
|
||||
|
||||
<screen>
|
||||
$ nixos-rebuild boot</screen>
|
||||
|
@ -279,7 +279,7 @@ to build the configuration and make it the boot default, but not
|
|||
switch to it now (so it will only take effect after the next
|
||||
reboot).</para>
|
||||
|
||||
<para>Finally, you can do
|
||||
<para>Finally, you can do
|
||||
|
||||
<screen>
|
||||
$ nixos-rebuild build</screen>
|
||||
|
@ -329,7 +329,7 @@ You can then upgrade NixOS to the latest version in the channel by
|
|||
running
|
||||
|
||||
<screen>
|
||||
$ nix-channel --update
|
||||
$ nix-channel --update nixos
|
||||
</screen>
|
||||
|
||||
and running the <command>nixos-rebuild</command> command as described
|
||||
|
|
|
@ -24,16 +24,16 @@
|
|||
<year>2007-2012</year>
|
||||
<holder>Eelco Dolstra</holder>
|
||||
</copyright>
|
||||
|
||||
|
||||
</info>
|
||||
|
||||
|
||||
|
||||
<preface>
|
||||
<title>Preface</title>
|
||||
|
||||
<para>This manual describes NixOS, a Linux distribution based on
|
||||
the purely functional package management system Nix.</para>
|
||||
|
||||
|
||||
<para>NixOS is rather bleeding edge, and this manual is
|
||||
correspondingly sketchy and quite possibly out of date. It gives
|
||||
basic information on how to get NixOS up and running, but since
|
||||
|
@ -45,11 +45,12 @@
|
|||
mailing list or on <link
|
||||
xlink:href="irc://irc.freenode.net/#nixos">the
|
||||
<literal>#nixos</literal> channel on Freenode.</link>.</para>
|
||||
|
||||
|
||||
</preface>
|
||||
|
||||
|
||||
|
||||
<xi:include href="installation.xml" />
|
||||
<xi:include href="configuration.xml" />
|
||||
<!-- <xi:include href="userconfiguration.xml" /> -->
|
||||
<xi:include href="troubleshooting.xml" />
|
||||
<xi:include href="development.xml" />
|
||||
|
|
Loading…
Reference in New Issue