From b79c5dc8781611648c728e3650c4b68bfdce231f Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Tue, 8 Jan 2013 00:35:27 +0100
Subject: [PATCH] Add section on network configuration topics

---
 doc/manual/configuration.xml | 169 +++++++++++++++++++++++++++++++++++
 doc/manual/installation.xml  |  20 ++---
 doc/manual/manual.xml        |  11 +--
 3 files changed, 185 insertions(+), 15 deletions(-)
 create mode 100644 doc/manual/configuration.xml

diff --git a/doc/manual/configuration.xml b/doc/manual/configuration.xml
new file mode 100644
index 00000000000..f73018279a5
--- /dev/null
+++ b/doc/manual/configuration.xml
@@ -0,0 +1,169 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xml:id="ch-configuration">
+
+<title>Configuration</title>
+
+<para>This chapter describes how to configure various aspects of a
+NixOS machine through the configuration file
+<filename>/etc/nixos/configuration.nix</filename>.  As described in
+<xref linkend="sec-changing-config" />, changes to that file only take
+effect after you run <command>nixos-rebuild</command>.</para>
+
+
+<!--===============================================================-->
+
+<section><title>Networking</title>
+
+<section><title>Secure shell access</title>
+
+<para>Secure shell (SSH) access to your machine can be enabled by
+setting:
+
+<programlisting>
+services.openssh.enable = true;
+</programlisting>
+
+By default, root logins using a password are disallowed.  They can be
+disabled entirely by setting
+<literal>services.openssh.permitRootLogin</literal> to
+<literal>"no"</literal>.</para>
+
+<para>You can declaratively specify authorised RSA/DSA public keys for
+a user as follows:
+
+<!-- FIXME: this might not work if the user is unmanaged. -->
+<programlisting>
+users.extraUsers.alice.openssh.authorizedKeys.keys =
+  [ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ];
+</programlisting>
+
+</para>
+
+</section>
+
+
+<section><title>IPv4 configuration</title>
+
+<para>By default, NixOS uses DHCP (specifically,
+(<command>dhcpcd</command>)) to automatically configure network
+interfaces.  However, you can configure an interface manually as
+follows:
+
+<programlisting>
+networking.interfaces.eth0 = { ipAddress = "192.168.1.2"; prefixLength = 24; };
+</programlisting>
+
+(The network prefix can also be specified using the option
+<literal>subnetMask</literal>,
+e.g. <literal>"255.255.255.0"</literal>, but this is deprecated.)
+Typically you’ll also want to set a default gateway and set of name
+servers:
+
+<programlisting>
+networking.defaultGateway = "192.168.1.1";
+networking.nameservers = [ "8.8.8.8" ];
+</programlisting>
+
+</para>
+
+<note><para>Statically configured interfaces are set up by the systemd
+service
+<replaceable>interface-name</replaceable><literal>-cfg.service</literal>.
+The default gateway and name server configuration is performed by
+<literal>network-setup.service</literal>.</para></note>
+
+<para>The host name is set using <option>networking.hostName</option>:
+
+<programlisting>
+networking.hostName = "cartman";
+</programlisting>
+
+The default host name is <literal>nixos</literal>.  Set it to the
+empty string (<literal>""</literal>) to allow the DHCP server to
+provide the host name.</para>
+
+</section>
+
+
+<section><title>IPv6 configuration</title>
+
+<para>IPv6 is enabled by default.  Stateless address autoconfiguration
+is used to automatically assign IPv6 addresses to all interfaces.  You
+can disable IPv6 support globally by setting:
+
+<programlisting>
+networking.enableIPv6 = false;
+</programlisting>
+
+</para>
+
+</section>
+
+
+<section><title>Firewall</title>
+
+<para>NixOS has a simple stateful firewall that blocks incoming
+connections and other unexpected packets.  The firewall applies to
+both IPv4 and IPv6 traffic.  It can be enabled as follows:
+
+<programlisting>
+networking.firewall.enable = true;
+</programlisting>
+
+You can open specific TCP ports to the outside world:
+
+<programlisting>
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+</programlisting>
+
+Note that TCP port 22 (ssh) is opened automatically if the SSH daemon
+is enabled (<option>services.openssh.enable = true</option>).  UDP
+ports can be opened through
+<option>networking.firewall.allowedUDPPorts</option>.  Also of
+interest is
+
+<programlisting>
+networking.firewall.allowPing = true;
+</programlisting>
+
+to allow the machine to respond to ping requests.  (ICMPv6 pings are
+always allowed.)</para>
+
+</section>
+
+
+<section><title>Wireless networks</title>
+
+<para>TODO</para>
+
+</section>
+
+
+<section><title>Ad-hoc configuration</title>
+
+<para>You can use <option>networking.localCommands</option> to specify
+shell commands to be run at the end of
+<literal>network-setup.service</literal>.  This is useful for doing
+network configuration not covered by the existing NixOS modules.  For
+instance, to statically configure an IPv6 address:
+
+<programlisting>
+networking.localCommands =
+  ''
+    ip -6 addr add 2001:610:685:1::1/64 dev eth0
+  '';
+</programlisting>
+
+</para>
+
+</section>
+
+
+<!-- TODO: OpenVPN, NAT -->
+
+
+</section>
+
+
+</chapter>
diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml
index 8bde2f6e053..55e23691ccb 100644
--- a/doc/manual/installation.xml
+++ b/doc/manual/installation.xml
@@ -58,7 +58,7 @@ Wiki</link>.</para>
 
     <listitem><para>For partitioning:
     <command>fdisk</command>.</para></listitem>
-    
+
     <listitem><para>For initialising Ext4 partitions:
     <command>mkfs.ext4</command>.  It is recommended that you assign a
     unique symbolic label to the file system using the option
@@ -70,13 +70,13 @@ Wiki</link>.</para>
     <command>mkswap</command>.  Again it’s recommended to assign a
     label to the swap partition: <option>-L
     <replaceable>label</replaceable></option>.</para></listitem>
-    
+
     <listitem><para>For creating LVM volumes, the LVM commands, e.g.,
 
 <screen>
 $ pvcreate /dev/sda1 /dev/sdb1
 $ vgcreate MyVolGroup /dev/sda1 /dev/sdb1
-$ lvcreate --size 2G --name bigdisk MyVolGroup 
+$ lvcreate --size 2G --name bigdisk MyVolGroup
 $ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
 
     </para></listitem>
@@ -87,7 +87,7 @@ $ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
   </itemizedlist>
 
   </para></listitem>
-    
+
   <listitem><para>Mount the target file system on which NixOS should
   be installed on <filename>/mnt</filename>.</para></listitem>
 
@@ -138,7 +138,7 @@ $ nixos-option --install</screen>
     xlink:href="https://nixos.org/repos/nix/configurations/trunk/"/>.</para>
 
   </listitem>
-  
+
   <listitem><para>If your machine has a limited amount of memory, you
   may want to activate swap devices now (<command>swapon
   <replaceable>device</replaceable></command>).  The installer (or
@@ -234,7 +234,7 @@ $ reboot</screen>
 
   swapDevices =
     [ { device = "/dev/disk/by-label/swap"; } ];
-  
+
   services.sshd.enable = true;
 }</screen>
 </example>
@@ -260,7 +260,7 @@ to build the new configuration, make it the default configuration for
 booting, and try to realise the configuration in the running system
 (e.g., by restarting system services).</para>
 
-<para>You can also do 
+<para>You can also do
 
 <screen>
 $ nixos-rebuild test</screen>
@@ -270,7 +270,7 @@ without making it the boot default.  So if (say) the configuration
 locks up your machine, you can just reboot to get back to a working
 configuration.</para>
 
-<para>There is also 
+<para>There is also
 
 <screen>
 $ nixos-rebuild boot</screen>
@@ -279,7 +279,7 @@ to build the configuration and make it the boot default, but not
 switch to it now (so it will only take effect after the next
 reboot).</para>
 
-<para>Finally, you can do 
+<para>Finally, you can do
 
 <screen>
 $ nixos-rebuild build</screen>
@@ -329,7 +329,7 @@ You can then upgrade NixOS to the latest version in the channel by
 running
 
 <screen>
-$ nix-channel --update
+$ nix-channel --update nixos
 </screen>
 
 and running the <command>nixos-rebuild</command> command as described
diff --git a/doc/manual/manual.xml b/doc/manual/manual.xml
index b7e4c6315f9..9179911f248 100644
--- a/doc/manual/manual.xml
+++ b/doc/manual/manual.xml
@@ -24,16 +24,16 @@
       <year>2007-2012</year>
       <holder>Eelco Dolstra</holder>
     </copyright>
-    
+
   </info>
 
-  
+
   <preface>
     <title>Preface</title>
 
     <para>This manual describes NixOS, a Linux distribution based on
     the purely functional package management system Nix.</para>
-    
+
     <para>NixOS is rather bleeding edge, and this manual is
     correspondingly sketchy and quite possibly out of date.  It gives
     basic information on how to get NixOS up and running, but since
@@ -45,11 +45,12 @@
     mailing list or on <link
     xlink:href="irc://irc.freenode.net/#nixos">the
     <literal>#nixos</literal> channel on Freenode.</link>.</para>
-    
+
   </preface>
-  
+
 
   <xi:include href="installation.xml" />
+  <xi:include href="configuration.xml" />
   <!-- <xi:include href="userconfiguration.xml" /> -->
   <xi:include href="troubleshooting.xml" />
   <xi:include href="development.xml" />