From 80377e512e29de50cb8de015c42dedf0daccec37 Mon Sep 17 00:00:00 2001 From: Marc Weber Date: Thu, 20 Nov 2008 23:47:05 +0000 Subject: [PATCH 01/21] added sshd GatwayPorts option svn path=/nixos/trunk/; revision=13363 --- system/options.nix | 7 +++++++ upstart-jobs/default.nix | 4 +--- upstart-jobs/sshd.nix | 3 ++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/system/options.nix b/system/options.nix index 2d670e97200..63bd0d663f7 100644 --- a/system/options.nix +++ b/system/options.nix @@ -842,6 +842,13 @@ in no "; }; + + gatewayPorts = mkOption { + default = "no"; + description = " + Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See man sshd_conf. + "; + }; }; lshd = { diff --git a/upstart-jobs/default.nix b/upstart-jobs/default.nix index 6bc7cff9ceb..87833f09ed9 100644 --- a/upstart-jobs/default.nix +++ b/upstart-jobs/default.nix @@ -191,9 +191,7 @@ let inherit (pkgs) writeText openssh glibc; inherit (pkgs.xorg) xauth; inherit nssModulesPath; - forwardX11 = config.services.sshd.forwardX11; - allowSFTP = config.services.sshd.allowSFTP; - permitRootLogin = config.services.sshd.permitRootLogin; + inherit (config.services.sshd) forwardX11 allowSFTP permitRootLogin gatewayPorts; }) # GNU lshd SSH2 deamon. diff --git a/upstart-jobs/sshd.nix b/upstart-jobs/sshd.nix index c64c4eb49a5..e9b916e81d3 100644 --- a/upstart-jobs/sshd.nix +++ b/upstart-jobs/sshd.nix @@ -1,6 +1,6 @@ { writeText, openssh, glibc, xauth , nssModulesPath -, forwardX11, allowSFTP, permitRootLogin +, forwardX11, allowSFTP, permitRootLogin, gatewayPorts }: assert permitRootLogin == "yes" || @@ -29,6 +29,7 @@ let "} PermitRootLogin ${permitRootLogin} + GatewayPorts ${gatewayPorts} ''; From eea7e6c213e44ff3bc05ead14e8930d9636871c7 Mon Sep 17 00:00:00 2001 
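Review bot: `GatewayPorts ${gatewayPorts}` in upstart-jobs/sshd.nix interpolates a free-form string straight into sshd_config, while `permitRootLogin` just above it is guarded by an `assert` on the permitted values; an unexpected value (say `Yes`) would presumably only be caught when sshd refuses to start. Mirror the existing check: `assert gatewayPorts == "yes" || gatewayPorts == "no" || gatewayPorts == "clientspecified";`. The option description in system/options.nix should also say what the non-default values do for a reader who does not open the man page — `yes` binds `ssh -R` remote forwards on all interfaces instead of loopback, which is the security-relevant consequence — and the page it refers to is `sshd_config(5)`, not `sshd_conf`.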
From: Marc Weber Date: Sat, 22 Nov 2008 17:05:20 +0000 Subject: [PATCH 02/21] adding fcron daemon. I have only tested it with upstart 0.5, maybe you have to fix small things in the job description svn path=/nixos/trunk/; revision=13369 --- system/options.nix | 1 + upstart-jobs/fcron.nix | 137 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 138 insertions(+) create mode 100644 upstart-jobs/fcron.nix diff --git a/system/options.nix b/system/options.nix index 63bd0d663f7..64bee0fa878 100644 --- a/system/options.nix +++ b/system/options.nix @@ -3035,6 +3035,7 @@ root ALL=(ALL) SETENV: ALL # services (import ../upstart-jobs/cron.nix) + (import ../upstart-jobs/fcron.nix) (import ../upstart-jobs/cron/locate.nix) ]; } diff --git a/upstart-jobs/fcron.nix b/upstart-jobs/fcron.nix new file mode 100644 index 00000000000..73fff134693 --- /dev/null +++ b/upstart-jobs/fcron.nix 
@@ -0,0 +1,137 @@ +{pkgs, config}: + +###### interface +let + inherit (pkgs.lib) mkOption concatStringsSep; + inherit (pkgs) writeText; + + options = { + services = { + fcron = { + enable = mkOption { + default = false; + description = ''Whether to enable the `fcron' daemon. + From its docs: "fcron does both the job of Vixie Cron and anacron, but does even more and better". + It can trigger actions even if the event has passed due to shutdown for example. + TODO: add supoprt for fcron.allow and fcron.deny + Of course on cron daemon is enough.. So if fcron works fine there should be a system option systemCron="fcron or cron" + + There are (or have been) some security issues. + I haven't yet checked wether they have been resolved. + For now you should trust the users registering crontab files. + I think gentoo has them listed. + ''; + }; + allow = mkOption { + default = []; + description = '' + Users allowed to use fcrontab and fcrondyn (one name per line, special name "all" acts for everyone) + nix adds username "root" for you. + ''; + }; + deny = mkOption { + default = []; + description = " same as allow but deny "; + }; + maxSerialJobs = mkOption { + default = 1; + description = "maximum number of serial jobs which can run simultaneously (-m)"; + }; + queuelen = mkOption { + default = ""; + description = "number of jobs the serial queue and the lavg queue can contain - empty to net set this number (-q)"; + }; + systab = mkOption { + default = ""; + description = '' + The "system" crontab contents.. + ''; + }; + }; + }; + }; +in + +###### implementation +let + # Put all the system cronjobs together. + # TODO allow using fcron only.. + #systemCronJobs = + # config.services.cron.systemCronJobs; + cfg = config.services.fcron; + queuelen = if cfg.queuelen == "" then "" else "-q ${toString cfg.queuelen}"; + + # shell is set to /sh in config.. 
+ # ${pkgs.lib.concatStrings (map (job: job + "\n") systemCronJobs)} + systemCronJobsFile = pkgs.writeText "fcron-systab" '' + SHELL=${pkgs.bash}/bin/sh + PATH=${pkgs.coreutils}/bin:${pkgs.findutils}/bin:${pkgs.gnused}/bin + ''; + + allowdeny = target: users : { + source = writeText "fcron.${target}" (concatStringsSep "\n" users); + target = "fcron.${target}"; + mode = "600"; # fcron has some security issues.. So I guess this is most safe + }; + +in + +{ + require = [ + # (import ../upstart-jobs/default.nix) # config.services.extraJobs + # (import ?) # config.time.timeZone + # (import ?) # config.environment.etc + # (import ?) # config.environment.extraPackages + # (import ?) # config.environment.cleanStart + options + ]; + + environment = { + etc = [ + (allowdeny "allow" (["root"] ++ cfg.allow)) + (allowdeny "deny" cfg.deny) + # see man 5 fcron.conf + { source = writeText "fcon.conf" '' + fcrontabs = /var/spool/fcron + pidfile = /var/run/fcron.pid + fifofile = /var/run/fcron.fifo + fcronallow = /etc/fcron.allow + fcrondeny = /etc/fcron.deny + shell = /bin/sh + sendmail = /var/setuid-wrappers/sendmail + editor = /var/run/current-system/sw/bin/vi + ''; + target = "fcron.conf"; + mode = "0600"; # max allowed is 644 + } + ]; + + extraPackages = + pkgs.lib.optional + (!config.environment.cleanStart) + pkgs.fcron; + }; + + services = { + extraJobs = [{ + name = "fcron"; + + job = '' + description "fcron daemon" + + start on startup + stop on shutdown + + env PATH=/var/run/current-system/sw/bin + + start script + ${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/spool/fcron + # load system crontab file + ${pkgs.fcron}/bin/fcrontab -u systab ${writeText "systab" cfg.systab} + end script + + respawn ${pkgs.fcron}/sbin/fcron -f -m ${toString cfg.maxSerialJobs} ${queuelen} + ''; + }]; + }; +} From 9fefbf137990bddfb23e2783cc48c2a2d2340a0c Mon Sep 17 00:00:00 2001 
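Review bot: In the start script, `mkdir -m 0700 -p /var/spool/fcron` only applies the mode when it creates the directory; a spool that already exists (from an earlier install or a manual mkdir) keeps whatever mode and owner it had, so the crontab written there by `fcrontab -u systab` could stay readable by other users. Follow it with an explicit `chmod 0700 /var/spool/fcron` (plus a `chown` to whatever account fcron is built to run as — not determinable from this file). The `allowdeny` helper sets `mode = "600"` while the fcron.conf entry uses `"0600"`; pick one spelling so the generated `/etc` entries read consistently. `systemCronJobsFile` is defined but never referenced, and the `enable` description's "There are (or have been) some security issues" gives the user nothing actionable — either cite the specific issues or drop the sentence.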
From: Marc Weber Date: Mon, 24 Nov 2008 09:07:28 +0000 Subject: [PATCH 03/21] add ifEnable to fcron job svn path=/nixos/trunk/; revision=13383 --- upstart-jobs/fcron.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/upstart-jobs/fcron.nix b/upstart-jobs/fcron.nix index 73fff134693..fd7f2f05360 100644 --- a/upstart-jobs/fcron.nix +++ b/upstart-jobs/fcron.nix @@ -59,6 +59,7 @@ let #systemCronJobs = # config.services.cron.systemCronJobs; cfg = config.services.fcron; + ifEnabled = if cfg.enable then pkgs.lib.id else (x : []); queuelen = if cfg.queuelen == "" then "" else "-q ${toString cfg.queuelen}"; # shell is set to /sh in config.. @@ -87,7 +88,7 @@ in ]; environment = { - etc = [ + etc = ifEnabled [ (allowdeny "allow" (["root"] ++ cfg.allow)) (allowdeny "deny" cfg.deny) # see man 5 fcron.conf @@ -113,7 +114,7 @@ in }; services = { - extraJobs = [{ + extraJobs = ifEnabled [{ name = "fcron"; job = '' From e39be7a088a6af5922433a326a2cc560540ff0e4 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 25 Nov 2008 00:05:08 +0000 Subject: [PATCH 04/21] * Commented out the fcron job - for some reason it starts to build fcron even though it should be disabled by default, and the build fails. Strange... svn path=/nixos/trunk/; revision=13394 --- system/options.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/options.nix b/system/options.nix index 64bee0fa878..3574d0fb8eb 100644 --- a/system/options.nix +++ b/system/options.nix @@ -3035,7 +3035,7 @@ root ALL=(ALL) SETENV: ALL # services (import ../upstart-jobs/cron.nix) - (import ../upstart-jobs/fcron.nix) + #(import ../upstart-jobs/fcron.nix) (import ../upstart-jobs/cron/locate.nix) ]; } From 23551d0a4dbf2419a3a4534bc77411c1acdb9e07 Mon Sep 17 00:00:00 2001 
From: Michael Raskin <7c6f434c@mail.ru> Date: Tue, 25 Nov 2008 18:00:25 +0000 Subject: [PATCH 05/21] some modules.. svn path=/nixos/trunk/; revision=13419 --- installer/cd-dvd/closed-install.nix | 1 + installer/cd-dvd/rescue-cd-configurable.nix | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/installer/cd-dvd/closed-install.nix b/installer/cd-dvd/closed-install.nix index d7544ff22b8..e7443719f60 100644 --- a/installer/cd-dvd/closed-install.nix +++ b/installer/cd-dvd/closed-install.nix @@ -70,4 +70,5 @@ in "" ["nix-reduce-build" "nix-http-export.cgi"] ["--with-docbook-xsl=\\\${pkgs.docbook5_xsl}/xml/xsl/docbook/"]; + extraInitrdKernelModules = ["usb_storage" "ehci_hcd" "ohci_hcd" "iso9660" "ext3"]; }).rescueCD diff --git a/installer/cd-dvd/rescue-cd-configurable.nix b/installer/cd-dvd/rescue-cd-configurable.nix index a00164a2088..e727d2d1f2d 100644 --- a/installer/cd-dvd/rescue-cd-configurable.nix +++ b/installer/cd-dvd/rescue-cd-configurable.nix @@ -153,7 +153,6 @@ rec { kernelModules = bootKernelModules; extraModulePackages = ((extraModulePackages pkgs) ++(if aufs then [(kernelPackages pkgs).aufs] else []) - ++(pkgs.lib.optional intel3945FWEnable (kernelPackages pkgs).iwlwifi) ); }; From be02b8a87a2c59b9ef5282f8567f15118f6ddf7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Wed, 26 Nov 2008 13:16:59 +0000 Subject: [PATCH 06/21] Use `iwlwifi4965ucode' from `kernelPackages'. svn path=/nixos/trunk/; revision=13430 --- upstart-jobs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/upstart-jobs/default.nix b/upstart-jobs/default.nix index 87833f09ed9..ff5dc633323 100644 --- a/upstart-jobs/default.nix +++ b/upstart-jobs/default.nix 
@@ -94,7 +94,7 @@ let firmwareDirs = pkgs.lib.optional config.networking.enableIntel2200BGFirmware pkgs.ipw2200fw ++ pkgs.lib.optional config.networking.enableIntel3945ABGFirmware pkgs.iwlwifi3945ucode - ++ pkgs.lib.optional config.networking.enableIntel4965AGNFirmware pkgs.iwlwifi4965ucode + ++ pkgs.lib.optional config.networking.enableIntel4965AGNFirmware kernelPackages.iwlwifi4965ucode ++ pkgs.lib.optional config.networking.enableZydasZD1211Firmware pkgs.zd1211fw ++ pkgs.lib.optional config.hardware.enableGo7007 "${kernelPackages.wis_go7007}/firmware" ++ config.services.udev.addFirmware; From d02e5811920b60ea9ef5c95e882be1ab9f211fd2 Mon Sep 17 00:00:00 2001 From: Marc Weber Date: Wed, 26 Nov 2008 14:38:35 +0000 Subject: [PATCH 07/21] fix: FCRON should no longer be build by default svn path=/nixos/trunk/; revision=13436 --- system/options.nix | 2 +- upstart-jobs/fcron.nix | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/system/options.nix b/system/options.nix index 3574d0fb8eb..64bee0fa878 100644 --- a/system/options.nix +++ b/system/options.nix @@ -3035,7 +3035,7 @@ root ALL=(ALL) SETENV: ALL # services (import ../upstart-jobs/cron.nix) - #(import ../upstart-jobs/fcron.nix) + (import ../upstart-jobs/fcron.nix) (import ../upstart-jobs/cron/locate.nix) ]; } diff --git a/upstart-jobs/fcron.nix b/upstart-jobs/fcron.nix index fd7f2f05360..97d259c65e1 100644 --- a/upstart-jobs/fcron.nix +++ b/upstart-jobs/fcron.nix @@ -107,10 +107,10 @@ in } ]; - extraPackages = + extraPackages = ifEnabled ( pkgs.lib.optional (!config.environment.cleanStart) - pkgs.fcron; + pkgs.fcron); }; services = { From 3919a289719fd493f7f683ea0e5404f9c16c4136 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Thu, 27 Nov 2008 15:30:25 +0000 Subject: [PATCH 08/21] Add `host' to `systemPathList'. svn path=/nixos/trunk/; revision=13462 --- system/system.nix | 1 + 1 file changed, 1 insertion(+) 
diff --git a/system/system.nix b/system/system.nix index eaa26cdea56..9a17ef6fccd 100644 --- a/system/system.nix +++ b/system/system.nix @@ -185,6 +185,7 @@ rec { pkgs.gnutar pkgs.grub pkgs.gzip + pkgs.host pkgs.iputils pkgs.less pkgs.lvm2 From 7ebc1821f932b2d808b373d7254b307a4db7f1aa Mon Sep 17 00:00:00 2001 From: Michael Raskin <7c6f434c@mail.ru> Date: Thu, 27 Nov 2008 20:35:26 +0000 Subject: [PATCH 09/21] Fixing build for new kernels when Intel WiFi firmware is used svn path=/nixos/trunk/; revision=13470 --- system/system.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/system/system.nix b/system/system.nix index 9a17ef6fccd..fa49383e048 100644 --- a/system/system.nix +++ b/system/system.nix @@ -43,7 +43,8 @@ rec { # directory. modulesTree = pkgs.aggregateModules ( [kernel] - ++ pkgs.lib.optional ((config.networking.enableIntel3945ABGFirmware || config.networking.enableIntel4965AGNFirmware) && !kernel.features ? iwlwifi) kernelPackages.iwlwifi + # Merged into mainline kernel + # ++ pkgs.lib.optional ((config.networking.enableIntel3945ABGFirmware || config.networking.enableIntel4965AGNFirmware) && !kernel.features ? iwlwifi) kernelPackages.iwlwifi # !!! this should be declared by the xserver Upstart job. ++ pkgs.lib.optional (config.services.xserver.enable && config.services.xserver.videoDriver == "nvidia") kernelPackages.nvidiaDrivers ++ pkgs.lib.optional config.hardware.enableGo7007 kernelPackages.wis_go7007 From 477ea7015c8e50dc07fcb20af67c22152cf94470 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Fri, 28 Nov 2008 12:03:56 +0000 Subject: [PATCH 10/21] boot-stage-1: Don't run `fsck' when on battery power. svn path=/nixos/trunk/; revision=13484 --- boot/boot-stage-1-init.sh | 55 ++++++++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/boot/boot-stage-1-init.sh b/boot/boot-stage-1-init.sh index 0ddf6bb7eae..c6d7214028c 100644 --- a/boot/boot-stage-1-init.sh 
+++ b/boot/boot-stage-1-init.sh @@ -138,6 +138,26 @@ fi if test -n "$debug1devices"; then fail; fi +# Return true if the machine is on AC power, or if we can't determine +# whether it's on AC power. +onACPower () { + if test -d "/proc/acpi/battery"; then + if ls /proc/acpi/battery/BAT[0-9]* > /dev/null 2>&1; then + if cat /proc/acpi/battery/BAT*/state \ + | grep "^charging state" \ + | grep -q "discharg" ; then + false + else + true + fi + else + true + fi + else + true + fi +} + # Function for mounting a file system. mountFS() { local device="$1" @@ -158,24 +178,29 @@ mountFS() { fi if test -n "$mustCheck"; then - FSTAB_FILE="/etc/mtab" fsck -V -v -C -a "$device" - fsckResult=$? + if onACPower; then + FSTAB_FILE="/etc/mtab" fsck -V -v -C -a "$device" + fsckResult=$? - if test $(($fsckResult | 2)) = $fsckResult; then - echo "fsck finished, rebooting..." - sleep 3 - reboot - fi + if test $(($fsckResult | 2)) = $fsckResult; then + echo "fsck finished, rebooting..." + sleep 3 + reboot + fi - if test $(($fsckResult | 4)) = $fsckResult; then - echo "$device has unrepaired errors, please fix them manually." - fail - fi + if test $(($fsckResult | 4)) = $fsckResult; then + echo "$device has unrepaired errors, please fix them manually." + fail + fi - if test $fsckResult -ge 8; then - echo "fsck on $device failed." - fail - fi + if test $fsckResult -ge 8; then + echo "fsck on $device failed." + fail + fi + else + # Don't run `fsck' if the machine is on battery power. + echo "on battery power, so \`fsck' not run on \`$device'" + fi fi # Mount read-writable. From 730244f13df3055258ca1a2984073f9c0cce6530 Mon Sep 17 00:00:00 2001 
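Review bot: The new `else` branch in mountFS only prints a message and then falls through to the read-write mount, so a filesystem that the earlier logic flagged with `mustCheck` is now mounted unchecked whenever any `/proc/acpi/battery/BAT*/state` reports `discharging`, with no way for the operator to override that from the boot prompt. Consider gating the skip on a kernel command-line flag parsed the same way `debug1devices` presumably is, e.g. `if onACPower || test -n "$forcefsck"; then`, so battery power suppresses only the routine check. `onACPower` treating a missing `/proc/acpi/battery` as "on AC" is the safe default, but it is worth a comment that machines exposing batteries only via `/sys/class/power_supply` will always be treated as on AC and checked. mountFS begins before this hunk.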
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Fri, 28 Nov 2008 15:44:15 +0000 Subject: [PATCH 11/21] lshd: Use `lsh-pam-checkpw' as the password helper program. This finally allows users to log in using password authentication. svn path=/nixos/trunk/; revision=13490 --- etc/default.nix | 1 - etc/pam.d/lsh-pam-checkpw | 4 ---- upstart-jobs/lshd.nix | 1 + 3 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 etc/pam.d/lsh-pam-checkpw diff --git a/etc/default.nix b/etc/default.nix index 6b8bc81503d..448fa993d73 100644 --- a/etc/default.nix +++ b/etc/default.nix @@ -226,7 +226,6 @@ import ../helpers/make-etc.nix { "shadow" "sshd" "lshd" - "lsh-pam-checkpw" "useradd" "chsh" "xlock" diff --git a/etc/pam.d/lsh-pam-checkpw b/etc/pam.d/lsh-pam-checkpw deleted file mode 100644 index 50f3cc5ce60..00000000000 --- a/etc/pam.d/lsh-pam-checkpw +++ /dev/null @@ -1,4 +0,0 @@ -auth include common -account include common -password include common -session include common diff --git a/upstart-jobs/lshd.nix b/upstart-jobs/lshd.nix index e2a61eed387..0a13d9ba7ee 100644 --- a/upstart-jobs/lshd.nix +++ b/upstart-jobs/lshd.nix @@ -31,6 +31,7 @@ start script end script respawn ${lsh}/sbin/lshd --daemonic \ + --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ -p ${toString portNumber} \ ${if interfaces == [] then "" else (concatStrings (map (i: "--interface=\"${i}\"") From 7a6df0a5a89dcf9f348365f9c47d8919312e2f67 Mon Sep 17 00:00:00 2001 From: Michael Raskin <7c6f434c@mail.ru> Date: Sat, 29 Nov 2008 07:10:31 +0000 Subject: [PATCH 12/21] Create a low-priority section in system.nix; host goes there svn path=/nixos/trunk/; revision=13513 --- system/system.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/system/system.nix b/system/system.nix index fa49383e048..08422d5bd2d 100644 --- a/system/system.nix +++ b/system/system.nix @@ -186,7 +186,6 @@ rec { pkgs.gnutar pkgs.grub pkgs.gzip - pkgs.host pkgs.iputils pkgs.less pkgs.lvm2 
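Review bot: `--password-helper="${lsh}/sbin/lsh-pam-checkpw"` enables password authentication for lshd, yet the same commit deletes `etc/pam.d/lsh-pam-checkpw` and drops it from the PAM service list, so the helper's PAM service name presumably no longer has a dedicated stanza and resolves either to the `lshd` entry (if the helper uses that name — not visible here) or to `/etc/pam.d/other`. Which one applies should be verified and recorded next to the respawn line, e.g. `# lsh-pam-checkpw authenticates via PAM service "<name>" (etc/pam.d/<name>)`, because a permissive `other` stanza would accept any password and a deny-all one would silently re-break password login. Hard-wiring the helper also makes password auth unconditional; an option mirroring the sshd job's `permitRootLogin` style would let a key-only deployment turn it off.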
@@ -231,7 +230,15 @@ rec { # chroot gets to seem them, and (ii) applications can benefit from # changes in the list of NSS modules at run-time, without requiring # a reboot. - ++ nssModules; + ++ nssModules + + # These packages are nice fallbacks unless any of the more powerful + # substitutes is present. + ++ [ + # Use ISC BIND version of the host util if you don't mind installing BIND + pkgs.host + ] + ; # We don't want to put all of `startPath' and `path' in $PATH, since From 8373c890a8aa80b1626cf84b7fb812839b70b477 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Sat, 29 Nov 2008 17:36:00 +0000 Subject: [PATCH 13/21] atd: Make `at' and friends actually usable by regular users. This patch makes the `at' commands setuid `atd' (instead of `root') and fixes the ownership of `/etc/at/at.deny'. svn path=/nixos/trunk/; revision=13515 --- system/options.nix | 3 ++- system/system.nix | 10 +++++++++- upstart-jobs/atd.nix | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/system/options.nix b/system/options.nix index 64bee0fa878..05189dbd23b 100644 --- a/system/options.nix +++ b/system/options.nix @@ -639,7 +639,8 @@ in default = false; description = '' Whether to make /var/spool/at{jobs,spool} writeable - by everyone (and sticky). + by everyone (and sticky). This is normally not needed since + the `at' commands are setuid/setgid `atd'. ''; }; }; diff --git a/system/system.nix b/system/system.nix index 08422d5bd2d..d4594a91b9c 100644 --- a/system/system.nix +++ b/system/system.nix 
@@ -302,7 +302,15 @@ rec { chmod u${if entry.setuid then "+" else "-"}s $wrapperDir/${entry.program} chmod g${if entry.setgid then "+" else "-"}s $wrapperDir/${entry.program} '') - config.security.setuidOwners); + (config.security.setuidOwners ++ + + # The `at' commands must be setuid `atd' so they can access the files + # under `/etc/at', etc. + (if config.services.atd.enable + then (map (program: { inherit program; owner = "atd"; group = "atd"; + setuid = true; setgid = true; }) + [ "at" "atq" "atrm" ]) + else []))); }; diff --git a/upstart-jobs/atd.nix b/upstart-jobs/atd.nix index 8a775d0c5d7..310477d1994 100644 --- a/upstart-jobs/atd.nix +++ b/upstart-jobs/atd.nix @@ -48,7 +48,7 @@ start script if [ ! -f "$etcdir"/at.deny ] then touch "$etcdir"/at.deny && \ - chown root:root "$etcdir"/at.deny && \ + chown root:atd "$etcdir"/at.deny && \ chmod 640 "$etcdir"/at.deny fi if [ ! -f "$jobdir"/.SEQ ] From c155a3f46e44a08b1a2cca0ab5e3da9c39c685a1 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 15 Dec 2008 23:54:10 +0000 Subject: [PATCH 14/21] * When doing chroot builds, the `build-chroot-dirs' option should include the closure of /bin/sh. Otherwise all builders that call /bin/sh will fail when using the new chroot implementation, which only bind-mounts the inputs of a build rather than the whole Nix store. svn path=/nixos/trunk/; revision=13640 --- default.nix | 2 +- etc/default.nix | 31 ++++++++++++++++++++++--------- system/activate-configuration.sh | 2 +- system/system.nix | 12 ++++++++---- 4 files changed, 32 insertions(+), 15 deletions(-) diff --git a/default.nix b/default.nix index 3923cb9592b..46f2d265216 100644 --- a/default.nix +++ b/default.nix @@ -1,6 +1,6 @@ let - fromEnv = name : default : + fromEnv = name: default: let env = builtins.getEnv name; in if env == "" then default else env; configuration = import (fromEnv "NIXOS_CONFIG" /etc/nixos/configuration.nix); diff --git a/etc/default.nix b/etc/default.nix index 448fa993d73..c4cb68d9415 100644 
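Review bot: The setuid/setgid-`atd` entries for `at`, `atq` and `atrm` are spliced into the wrapper-generation loop in system/system.nix rather than contributed by the atd job, so a reader of upstart-jobs/atd.nix — where the same commit changes `at.deny` to `root:atd` 640 — will not see that enabling the service also installs three setuid binaries. If `config.security.setuidOwners` can be extended from a job (its merge semantics are not visible here), move the triple there; otherwise at least add a comment in atd.nix, e.g. `# at/atq/atrm run setuid+setgid atd (see system.nix), which is why 640 suffices here`. Switching the wrappers from root to atd is the right direction; a note that the `atd` user and group must already exist for the `chown`/`chmod u+s` pair to be meaningful would help, since their creation is not in this hunk. The enclosing `rec { ... }` starts and ends outside the hunk.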
--- a/etc/default.nix +++ b/etc/default.nix @@ -1,5 +1,5 @@ { config, pkgs, upstartJobs, systemPath, wrapperDir -, defaultShell, extraEtc, nixEnvVars, modulesTree, nssModulesPath +, defaultShell, extraEtc, nixEnvVars, modulesTree, nssModulesPath, binsh }: let @@ -123,14 +123,27 @@ import ../helpers/make-etc.nix { } { # Nix configuration. - source = pkgs.writeText "nix.conf" '' - # WARNING: this file is generated. - build-users-group = nixbld - build-max-jobs = ${toString (config.nix.maxJobs)} - build-use-chroot = ${if config.nix.useChroot then "true" else "false"} - build-chroot-dirs = /dev /dev/pts /proc /bin - ${config.nix.extraOptions} - ''; + source = + let + # Tricky: if we're using a chroot for builds, then we need + # /bin/sh in the chroot (our own compromise to purity). + # However, since /bin/sh is a symlink to some path in the + # Nix store, which furthermore has runtime dependencies on + # other paths in the store, we need the closure of /bin/sh + # in `build-chroot-dirs' - otherwise any builder that uses + # /bin/sh won't work. + refs = pkgs.writeReferencesToFile binsh; + in + pkgs.runCommand "nix.conf" {} '' + cat > $out < Date: Tue, 16 Dec 2008 00:16:35 +0000 Subject: [PATCH 15/21] * Doh. svn path=/nixos/trunk/; revision=13642 --- etc/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default.nix b/etc/default.nix index c4cb68d9415..0270e503326 100644 --- a/etc/default.nix +++ b/etc/default.nix @@ -140,7 +140,7 @@ import ../helpers/make-etc.nix { build-users-group = nixbld build-max-jobs = ${toString (config.nix.maxJobs)} build-use-chroot = ${if config.nix.useChroot then "true" else "false"} - build-chroot-dirs = $(echo $(cat ${refs})) + build-chroot-dirs = /dev /dev/pts /proc /bin $(echo $(cat ${refs})) ${config.nix.extraOptions} END ''; From 43dc3f6baad3ce4a17b11204a892baf7c39ff12a Mon Sep 17 00:00:00 2001 
From: Eelco Dolstra Date: Wed, 17 Dec 2008 13:06:48 +0000 Subject: [PATCH 16/21] * Fix grammar/spelling for some descriptions, and make them produce well-formed XML in the manual again. svn path=/nixos/trunk/; revision=13650 --- system/options.nix | 67 +++++++++++++++++++++++++++------------------- 1 file changed, 39 insertions(+), 28 deletions(-) diff --git a/system/options.nix b/system/options.nix index 05189dbd23b..6f445514857 100644 --- a/system/options.nix +++ b/system/options.nix @@ -1672,9 +1672,11 @@ in default = []; example = [ "proxy_connect" { name = "php5_module"; path = "${pkgs.php}/modules/libphp5.so"; } ]; description = '' - Loads additional modules either beeing distributed with apache. - If the module is contained in a foreign package (such as php5_module) - kse an attrset as given in the example. + Specifies additional Apache modules. These can be specified + as a string in the case of modules distributed with Apache, + or as an attribute set specifying the + name and path of the + module. ''; }; 
@@ -2530,25 +2532,29 @@ in example = [ { type = "svn"; url = "https://svn.nixos.org/repos/nix/nixos/branches/stdenv-updates"; target = "/etc/nixos/nixos-stdenv-updates"; } { type = "git"; initialize = ''git clone git://mawercer.de/nixos $target''; update = "git pull origin"; target = "/etc/nixos/nixos-git"; } ]; - description = "The NixOS repository from which the system will be build. - nixos-checkout will update all working copies of the given repositories, - nixos-rebuild will use the first item which has - the attribute default = true falling back to the - first item. The type defines the repository tool added - to the path. It also defines a \"valid\" repository. - If the target directory already exists and it's not - valid it will be moved to the backup location - \${dir}-date. - For svn the default target and repositories are - /etc/nixos/nixos and - https://svn.nixos.org/repos/nix/nixos/trunk. - For git repositories update is called after - initialization when the repo is initialized. - The initialize code is run from working directory - dirname \$target and should create the directory - \$target. (git clone url nixos/nixpkgs/services should do) - For the executables beeing used see - "; + description = '' + The NixOS repository from which the system will be built. + nixos-checkout will update all working + copies of the given repositories, + nixos-rebuild will use the first item + which has the attribute default = true + falling back to the first item. The type defines the + repository tool added to the path. It also defines a "valid" + repository. If the target directory already exists and it's + not valid it will be moved to the backup location + dir-date. + For svn the default target and repositories are + /etc/nixos/nixos and + https://svn.nixos.org/repos/nix/nixos/trunk. + For git repositories update is called after initialization + when the repo is initialized. 
The initialize code is run + from working directory dirname + target and should create the + directory + dir. (git + clone url nixos/nixpkgs/services should do) For + the executables used see . + ''; }; nixpkgs = mkOption { @@ -2563,12 +2569,17 @@ in }; repoTypes = mkOption { - default = { - svn = { valid = "[ -d .svn ]"; env = [ pkgs.coreutils pkgs.subversion ]; }; - git = { valid = "[ -d .git ]"; env = [ pkgs.coreutils pkgs.git pkgs.gnused /* FIXME: use full path to sed in nix-pull */ ]; }; - }; - description = "defines PATH environment and when directory is considered beeing a valid repository. - If it's not it's moved to a backup directory"; + default = { + svn = { valid = "[ -d .svn ]"; env = [ pkgs.coreutils pkgs.subversion ]; }; + git = { valid = "[ -d .git ]"; env = [ pkgs.coreutils pkgs.git pkgs.gnused /* FIXME: use full path to sed in nix-pull */ ]; }; + }; + description = '' + Defines, for each supported version control system + (e.g. git), the dependencies for the + mechanism, as well as a test used to determine whether a + directory is a checkout created by that version control + system. + ''; }; manifests = mkOption { From 28979119159bd3dadabab64ab436570de109bdcb Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 17 Dec 2008 13:25:23 +0000 Subject: [PATCH 17/21] * Hydra release expression for building NixOS. svn path=/nixos/trunk/; revision=13651 --- doc/manual/default.nix | 2 ++ doc/manual/manual.xml | 1 + release.nix | 59 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 62 insertions(+) create mode 100644 release.nix diff --git a/doc/manual/default.nix b/doc/manual/default.nix index e6f9b84329f..a7f51adf287 100644 --- a/doc/manual/default.nix +++ b/doc/manual/default.nix @@ -38,6 +38,8 @@ let ${pkgs.docbook5_xsl}/xml/xsl/docbook/html/docbook.xsl \ ./manual.xml cp ${./style.css} $out/style.css + ensureDir $out/nix-support + echo "doc manual $out" >> $out/nix-support/hydra-build-products ''; }; 
diff --git a/doc/manual/manual.xml b/doc/manual/manual.xml index 55adf3e647d..9f79b6fdb6e 100644 --- a/doc/manual/manual.xml +++ b/doc/manual/manual.xml @@ -15,6 +15,7 @@ 2007 + 2008 Eelco Dolstra diff --git a/release.nix b/release.nix new file mode 100644 index 00000000000..25d4aa3658c --- /dev/null +++ b/release.nix @@ -0,0 +1,59 @@ +let + + + jobs = rec { + + + tarball = + { nixosSrc ? {path = ./.; rev = 1234;} + , nixpkgs ? {path = ../nixpkgs-wc;} + , officialRelease ? false + }: + + with import nixpkgs.path {}; + + releaseTools.makeSourceTarball { + name = "nixos-tarball"; + src = nixosSrc; + inherit officialRelease; + + distPhase = '' + releaseName=nixos-$(cat $src/VERSION)$VERSION_SUFFIX + ensureDir "$out/tarballs" + mkdir ../$releaseName + cp -prd . ../$releaseName + cd .. + tar cfvj $out/tarballs/$releaseName.tar.bz2 $releaseName + ''; # */ + }; + + + manual = + { nixosSrc ? {path = ./.; rev = 1234;} + , nixpkgs ? {path = ../nixpkgs-wc;} + , officialRelease ? false + }: + + import "${nixosSrc.path}/doc/manual" { + nixpkgsPath = nixpkgs.path; + }; + + + iso = + { nixosSrc ? {path = ./.; rev = 1234;} + , nixpkgs ? {path = ../nixpkgs-wc;} + , officialRelease ? false + , system ? "i686-linux" + }: + + (import "${nixosSrc.path}/installer/cd-dvd/rescue-cd.nix" { + platform = system; + compressImage = true; + nixpkgsPath = nixpkgs.path; + }).rescueCD; + + + }; + + +in jobs \ No newline at end of file From 9c0953b439f238e089b6675c6714b4cede71c043 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 17 Dec 2008 14:30:43 +0000 Subject: [PATCH 18/21] svn path=/nixos/trunk/; revision=13652 --- installer/cd-dvd/rescue-cd.nix | 14 ++++---------- release.nix | 22 +++++++++++++++++----- 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/installer/cd-dvd/rescue-cd.nix b/installer/cd-dvd/rescue-cd.nix index c34fc259340..66c707c77a7 100644 --- a/installer/cd-dvd/rescue-cd.nix +++ b/installer/cd-dvd/rescue-cd.nix 
@@ -220,18 +220,12 @@ rec { "; - # Put the current directory in a tarball (making sure to filter - # out crap like the .svn directories). - nixosTarball = makeTarball "nixos.tar.bz2" (builtins.filterSource svnFilter ./../..); - - svnFilter = name: type: - let base = baseNameOf (toString name); - in base != ".svn" && base != "result"; + # Put the current directory in a tarball. + nixosTarball = makeTarball "nixos.tar.bz2" ../..; - # Put Nixpkgs in a tarball - nixpkgsTarball = makeTarball "nixpkgs.tar.bz2" - (builtins.filterSource svnFilter nixpkgsPath); + # Put Nixpkgs in a tarball. + nixpkgsTarball = makeTarball "nixpkgs.tar.bz2" nixpkgsPath; # The configuration file for Grub. diff --git a/release.nix b/release.nix index 25d4aa3658c..4e79ee27734 100644 --- a/release.nix +++ b/release.nix @@ -46,12 +46,24 @@ let , system ? "i686-linux" }: - (import "${nixosSrc.path}/installer/cd-dvd/rescue-cd.nix" { - platform = system; - compressImage = true; - nixpkgsPath = nixpkgs.path; - }).rescueCD; + with import nixpkgs.path {}; + let + + iso = (import "${nixosSrc.path}/installer/cd-dvd/rescue-cd.nix" { + platform = system; + compressImage = true; + nixpkgsPath = nixpkgs.path; + }).rescueCD; + + in + # Declare the ISO as a build product so that it shows up in Hydra. + runCommand "nixos-iso" {} + '' + ensureDir $out/nix-support + echo "file iso" ${iso}/iso/*.iso* >> $out/nix-support/hydra-build-products + ''; # */ + }; From 8a5bcfb934324f0d3adeb87c2f0e3b343717c611 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 17 Dec 2008 14:43:14 +0000 Subject: [PATCH 19/21] svn path=/nixos/trunk/; revision=13653 --- release.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/release.nix b/release.nix index 4e79ee27734..4612e94ded9 100644 --- a/release.nix +++ b/release.nix @@ -46,7 +46,7 @@ let , system ? "i686-linux" }: - with import nixpkgs.path {}; + with import nixpkgs.path {inherit system;}; let 
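Review bot: Removing `svnFilter` means `makeTarball "nixos.tar.bz2" ../..` and the Nixpkgs tarball now pack the source tree verbatim, so a build from a working copy rather than a clean Hydra checkout ships `.svn` metadata and any `result` symlinks inside the ISO's tarballs; the Hydra case this commit targets is fine, but the local `nix-build` case regresses silently. If the filter gets in Hydra's way, keep it behind a parameter, e.g. `nixosTarball = makeTarball "nixos.tar.bz2" (if filterSource then builtins.filterSource svnFilter ../.. else ../..);`, or state in the comment why it was dropped. The enclosing `rec { ... }` starts and ends outside the hunk.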
@@ -58,7 +58,11 @@ let in # Declare the ISO as a build product so that it shows up in Hydra. - runCommand "nixos-iso" {} + runCommand "nixos-iso" + { meta = { + description = "NixOS installation CD ISO image for ${system}"; + }; + } '' ensureDir $out/nix-support echo "file iso" ${iso}/iso/*.iso* >> $out/nix-support/hydra-build-products From 67451c470b357bbbe670f97c2e921088b569f76e Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 19 Dec 2008 10:22:45 +0000 Subject: [PATCH 20/21] * Make sure that build-chroot-dirs only contains directories. svn path=/nixos/trunk/; revision=13657 --- etc/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/default.nix b/etc/default.nix index 0270e503326..88d4d39e21e 100644 --- a/etc/default.nix +++ b/etc/default.nix @@ -135,12 +135,13 @@ import ../helpers/make-etc.nix { refs = pkgs.writeReferencesToFile binsh; in pkgs.runCommand "nix.conf" {} '' + binshDeps=$(for i in $(cat ${refs}); do if test -d $i; then echo $i; fi; done) cat > $out < Date: Sat, 20 Dec 2008 14:29:52 +0000 Subject: [PATCH 21/21] Synaptics two-finger scrolling option svn path=/nixos/trunk/; revision=13663 --- system/options.nix | 4 ++++ upstart-jobs/xserver.nix | 2 ++ 2 files changed, 6 insertions(+) diff --git a/system/options.nix b/system/options.nix index 6f445514857..92d6288c597 100644 --- a/system/options.nix +++ b/system/options.nix @@ -1376,6 +1376,10 @@ in default = "0.12"; description = "Cursor speed factor for highest-speed finger motion"; }; + twoFingerScroll = mkOption { + default = false; + description = "Whether to enable two-finger drag-scrolling"; + }; }; layout = mkOption { diff --git a/upstart-jobs/xserver.nix b/upstart-jobs/xserver.nix index 157effcb530..58e8e434ddd 100644 --- a/upstart-jobs/xserver.nix +++ b/upstart-jobs/xserver.nix 
@@ -100,6 +100,8 @@ let Option "TapButton1" "1" Option "TapButton2" "2" Option "TapButton3" "3" + Option "VertTwoFingerScroll" "${if cfg.synaptics.twoFingerScroll then "1" else "0"}" + Option "HorizTwoFingerScroll" "${if cfg.synaptics.twoFingerScroll then "1" else "0"}" EndSection '' else "";
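Review bot: The two new `Option` lines each repeat `${if cfg.synaptics.twoFingerScroll then "1" else "0"}`; bind it once in the enclosing `let` (which starts outside the hunk), e.g. `twoFingerScroll = if cfg.synaptics.twoFingerScroll then "1" else "0";`, and interpolate `${twoFingerScroll}` in both places so the two options cannot drift apart. In system/options.nix the new `twoFingerScroll` option has no `example`, unlike neighbouring options on this page; `example = true;` would keep the manual consistent.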