lustrate /ˈlʌstreɪt/ verb.
purify by expiatory sacrifice, ceremonial washing, or some other
ritual action.
- sudo touch /etc/NIXOS_LUSTRATE
⇒ on next reboot, during stage 1, everything but /nix and /boot
is moved to /old-root
- echo "etc/passwd" | sudo tee -a /etc/NIXOS_LUSTRATE
⇒ on next reboot, during stage 1, everything but /nix and /boot
is moved to /old-root; except /etc/passwd is copied back.
Useful for installing NixOS in place on another distro. For instance:
$ nix-env -iE '_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config manual.manpages ]'
$ sudo mkdir /etc/nixos
$ sudo `which nixos-generate-config`
… edit the configuration files in /etc/nixos using man configuration.nix
if needed
maybe add: users.extraUsers.root.initialHashedPassword = "" ?
… Build the entire NixOS system and link it to the system profile:
$ nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -A system --set
… If you were using a single user install:
$ sudo chown -R 0.0 /nix
… NixOS is about to take over
$ sudo touch /etc/NIXOS
$ sudo touch /etc/NIXOS_LUSTRATE
… Let's keep the configuration files we just created
$ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE
$ sudo mv -v /boot /boot.bak &&
sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
$ sudo reboot
… NixOS boots, Stage 1 moves all the old distro stuff in /old-root.
Closes#16730. Closes#17770. Closes#17846.
Test plan:
* Check that `fonts.fontconfig.ultimate.preset` changes things;
* Check that `fonts.fontconfig.dpi` changes things;
* Check that `fonts.fontconfig.defaultFonts.monospace` changes things;
Tested with AbiWord, mousepad and Firefox.
The fontconfig-ultimate patches are unmaintained. Since they were
not updated for newer FreeType versions, this removes them and
disables fontconfig-ultimate by default.
This removes our hardcoded presets which weren't updated for quite some time.
Infinality now has new hardcoded presets in freetype, which can be overriden if
desired with environment variables (as before). Accordingly, updated NixOS
module to set the hardcoded preset.
Additionally used a more "right" type for substitutions.
Before commit 54fa0cfe4e, the `redshift`
service was run with the environment variable `DISPLAY` set to `:0`.
Commit 54fa0cfe4e changed this to
instead use the value of the `services.xserver.display` configuration
option in the value of the `DISPLAY` variable. In so doing, no default
value was provided for the case where `services.xserver.display` is
`null`.
While the default value of `services.xserver.display` is `0`, use of
which by the `redshift` module would result in `DISPLAY` again being
set to `:0`, `services.xserver.display` may also be `null`, to which
value it is set by, e.g., the `lightdm` module.
In the case that `services.xserver.display` is `null`, with the change
made in commit 54fa0cfe4e, the `DISPLAY`
variable in the environment of the `redshift` service would be set to
`:` (a single colon), which, according to my personal experience,
would result in —
- the `redshift` service failing to start; and
- systemd repeatedly attempting to restart the `redshift` service,
looping indefinitely, while the hapless `redshift` spews error
messages into the journal.
It can be observed that the malformed value of `DISPLAY` is likely at
fault for this issue by executing the following commands in an
ordinary shell, with a suitable `redshift` executable, and the X11
display not already tinted:
- `redshift -O 2500` — This command should reduce the color
temperature of the display (making it more reddish).
- `DISPLAY=':' redshift -O 6500` — This command should raise the
color temperature back up, were it not for the `DISPLAY`
environment variable being set to `:` for it, which should cause
it to, instead, fail with several error messages.
This commit attempts to fix this issue by having the `DISPLAY`
environment variable for the `redshift` service default to its old
value of `:0` in the case that `services.xserver.display` is `null`.
I have tested this solution on NixOS, albeit without the benefit of a
system with multiple displays.
gdnc is a user process and can't be made into a NixOS module very
easily. It can still be put in the user's login script. According to the
GNUstep documentation it will be started as soon as it is needed.
- Replace hand-rolled version of nixos-install in make-disk-image by an
actual call to nixos-install
- Required a few cleanups of nixos-install
- nixos-install invokes an activation script which the hand-rolled version
in make-disk-image did not do. We remove /etc/machine-id as that's
a host-specific, impure, output of the activation script
Testing:
nix-build '<nixpkgs/nixos/release.nix>' -A tests.installer.simple passes
Also tried generating an image with:
nix-build -E 'let
pkgs = import <nixpkgs> {};
lib = pkgs.lib;
nixos = import <nixpkgs/nixos> {
configuration = {
fileSystems."/".device = "/dev/disk/by-label/nixos";
boot.loader.grub.devices = [ "/dev/sda" ];
boot.loader.grub.extraEntries = '"''"'
menuentry "Ubuntu" {
insmod ext2
search --set=root --label ubuntu
configfile /boot/grub/grub.cfg
}
'"''"';
};
};
in import <nixpkgs/nixos/lib/make-disk-image.nix> {
inherit pkgs lib;
config = nixos.config;
diskSize = 2000;
partitioned = false;
installBootLoader = false;
}'
Then installed the image:
$ sudo df if=./result/nixos.img of=/dev/sdaX bs=1M
$ sudo resize2fs /dev/disk/by-label/nixos
$ sudo mount /dev/disk/by-label/nixos /mnt
$ sudo mount --rbind /proc /mnt/proc
$ sudo mount --rbind /dev /mnt/dev
$ sudo chroot /mnt /nix/var/nix/profiles/system/bin/switch-to-configuration boot
[ … optionally do something about passwords … ]
and successfully rebooted to that image.
Was doing all this from inside a Ubuntu VM with a single user nix install.
- Fix --no-bootloader which didn't do what it advertised
- Hardcode nixbld GID so that systems which do not have a nixbld user
can still run nixos-install (only with --closure since they can't
build anything)
- Cleanup: get rid of NIX_CONF_DIR(=/tmp)/nix.conf and pass arguments instead
- Cleanup: don't assume that the target system has '<nixpkgs/nixos>' or
'<nixos-config>' to see if config.users.mutableUsers. Instead check if
/var/setuid-wrappers/passwd is there
Installing NixOS now works from a Ubuntu host (using --closure).
nix-build -A tests.installer.simple '<nixpkgs/nixos/release.nix>' succeeds ✓
While useless, some builds may dabble with setuid bits (e.g.,
util-linux), which breaks under grsec. In the interest of user
friendliness, we once again compromise by disabling an otherwise useful
feature ...
Closes https://github.com/NixOS/nixpkgs/issues/17501
It uses import-from-derivation, which is a bad thing, because this
causes hydra-evaluator to build Cassandra at evaluation time.
$ nix-instantiate nixos/release.nix -A tests.cassandra.i686-linux --dry-run
error: cannot read ‘/nix/store/c41blyjz6pfvk9fnvrn6miihq5w3j0l4-cassandra-2.0.16/conf/cassandra-env.sh’, since path ‘/nix/store/0j9ax4z8xhaz5lhrwl3bwj10waxs3hgy-cassandra-2.0.16.drv’ is not valid, at /home/eelco/Dev/nixpkgs/nixos/modules/services/databases/cassandra.nix:373:11
Also, the module is a mess (bad option descriptions, poor indentation,
a gazillion options where a generic "config" option would suffice, it
opens ports in the firewall, it sets vm.swappiness, ...).
- Agent now takes a full URL to the Go.CD server
- Instruct the agent to attempt restart every 30s upon failure
- Test's Accept header did not match the server's expectation
- Replace the tests' complex Awk matches with calls to `jq`
Update gocd-agent package version to 16.6.0-3590 including new sha. Modify heapSize
and maxMemory mkOption to accurately reflect their intended purpose of configuring
initial java heap sizes.
Addresses #17218 in a better way in that it doesn't create a
".git-revision" file on every nixos-rebuild, because we already have
".git" available. Even if we don't nixos-rebuild can't create the
"git-revision" file.
Tested via:
nix-build -E '(import ./nixos/tests/make-test.nix {
name = "foo";
machine = {};
testScript = "startAll; $machine->execute(\"nixos-version >&2\");";
})'
Closes: #17610
Acked-by: @bennofs
Let's first try if we can determine the Git revision from the .git
directory and if that fails, fall back to get the info from the
".git-revision" file... and after that use something generic like
"master".
This should address #17218 in better way, because we don't need to
create another redundant file in the source checkout of nixpkgs.
I'm not going to route of falling back to using .git, because after
55d881e, we already have ".git-revision" files in people's Git
repositories, which in turn means that nixos-version will report that
old file every time even if the working tree has updated.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @bennofs, Profpatsch
Reported-by: @devhell
Fixes: #17218
This reverts commit 1e534e234b.
We already should have a .git directory if it is managed via Git,
otherwise there is no way to get the Git revision if neither
.git-revision or .git is present.
But having .git-revision _and_ .git present seems very much redundant to
me.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @bennofs, @Profpatsch
Issue: #17218
The builder has this convoluted `while` loop which just replicates
`readlink -e`. I'm sure there was a reason at one point, because the
loop has been there since time immemorial. It kept getting copied
around, I suspect because nobody bothered to understand what it actually
did.
Incidentally, this fixes#17513, but I have no idea why.
From @fpletz: Keep poolConfigs option for backwards-compatibility.
The original commit 6b3f5b5a42 was previously
reverted by c7860cae1a but the issues were
resolved.
Closes#17460
Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.
Does not trigger a Chromium rebuild.
cc @cleverca22 @joachifm @jasom
The varnish tools (varnishstat, varnishlog, ...) tried to load the VSM
file from a spurious var directory in the Nix store. Fix the default so
the tools "just work" when also keeping services.varnish.stateDir at the
default.
Notes:
- The tools use $localstatedir/$HOSTNAME so I've adapted the default for
stateDir as well to contain hostName.
- Added postStop action to remove the localstatedir. There is no point
in keeping it around when varnish does not run, as it regenerates it
on startup anyway.
Fixes#7495
The name gitlab-runner clashes with a component of Gitlab CI with the
same name and only confuses people. It's now called gitlab-bundle and
a convenience-script gitlab-rake for easier invocation of rake tasks
was added. This was the primary use case of gitlab-runner.
The module will configure a Cassandra server with common options being
tweakable. Included is also a test which will spin up 3 nodes and
verify that the cluster can be formed, broken, and repaired.
In light of Emacs packaging improvements such as those mentioned
in #11503, and with the addition of a systemd service (#15807
and #16356), and considering that the wiki page is completely
out of date (#13217), it seems that some documentation is in order.
Enabling EFI runtime services provides a venue for injecting code into
the kernel.
When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services. The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).
This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.
Fixes#10101.
Adds options for tcp streaming and avahi zeroconf support (so that the
server can be easily found by clients).
There is also an option to allow anonymous clients to stream to the
server (by default pulseaudio uses a cookie mechanism, see manpage).
Instead of one package `extra-cmake-modules`, there is now `ecm` and
`ecmNoHooks`. The latter is used when one does not want to incur a Qt 5
dependency; it is also available as a top-level package
`extra-cmake-modules`.
With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network.
The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers.
Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing.
This makes the container a bit more secure, by preventing root
creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)
Revert httpConfig its old behaviour and make it mutually exclusive to
the new structured configuration. Adds appendHttpConfig to have the
ability to write custom config in the generated http block.
This reverts commit 6b3f5b5a42 because it
introduced a non-backwards compatible change in the phpfpm interface,
without really needing to. The new interface, if needed, can be re-added
alongside the old interface.
Commit 98e419c0e2 ("tt-rss service: init at 16.3")
depends on the new interface, so this commit updates the tt-rss service
to work with the old services.phpfpm.poolConfigs interface.
Update gocd-server package version to 16.6.0-3590 including new sha. Modify heapSize
and maxMemory mkOption to accurately reflect their intended purpose of configuring
initial java heap sizes.
Note: the option to configure the watchdog timeout seems to be gone
in the 2.3 series of Logstash. It complains about an unknown option
and it is not in the source anymore. I am thus removing this
configuration option to adjust the service to these changes, too.
This patch adds handling of a directory becoming a symlink in
/etc. Before this patch, the directory wasn't removed and then
symlinking failed, which caused directory not being updated at all.
The idea for the patch goes to @abbradar at
https://github.com/NixOS/nixpkgs/issues/16978#issuecomment-232921903:
> A heuristic idea for this -- a function `isStatic :: Path -> Bool`:
>
> * if path `/etc/foo` is a file, return True iff it's a symlink to `/etc/static/foo`.
> * if path is a directory, return True iff for all items in it `isStatic` is True.
>
> On any conflicts, if old path is static, it's safe to replace and/or
> delete stale. Otherwise make a backup and notify the user via a
> journal entry and console output.
The only difference here -- it will not replace user configs.
This also fixes https://github.com/NixOS/nixpkgs/issues/16978.
GoCD is an open source continuous delivery server specializing in advanced workflow
modeling and visualization. Update maintainers list to include swarren83. Update
module list to include gocd agent and server module. Update packages list to include
gocd agent and server package. Update version, revision and checksum for GoCD
release 16.5.0.
We currently only allow upstream's default of "reboot.target" due to the
way the symlinks are initialized. I made this configurable similar to the
default unit.
This moves nixos-containers into its own package so that it can be
relied upon by other packages/systems. This should make development
using dynamic containers much easier.
KDM and LightDM (at least with autologin) call the xsession-script with
two arguments: the first is the path of the xsession script itself,
while the second one are the actual arguments. The line to re-exec the
script under systemd-cat only forwarded a single argument, therefore
breaking LightDM and KDM login. This commit fixes the issue by always
forwarding all the arguments.
This reverts commit c69c76ca7e.
This patch was messed up during a rebase -- the commit title doesn't match what
it really does at all (it is actually a broken attempt to get LUKS passphrase
prompts in Plymouth).
We need to pass certain environment variables through the wrapper, but I
don't know how to do that yet. The setuid-root feature serves only to
hide kdeinit from the OOM killer, so this is not critical.
As pointed out by @danbst, the tomcat NixOS module expects packages
listed in services.tomcat.webapps to either be direct .war file paths or
have .war files inside a "webapps" directory.
Commit 4075c10a59
("jenkins: move .war file from $out to $out/lib/jenkins.war") broke
jenkins + tomcat. Fix it by moving jenkins.war to $out/webapps/.
Fixes#14137, also known as:
$ nix-shell -p jenkins
bash: source: /nix/store/ln1yw6c2v8bb2cjqfr1z5aqcssw054wa-jenkins-2.3:
cannot execute binary file
[nix-shell exited with error]
The problem is that jenkins.war is not installed inside the directory
$out, but rather _as the file_ $out. Fix it by moving the file to
$out/lib/jenkins.war.
While at it, move buildCommand so that the "meta" section is at the end
of the expression (standard style), and quote shell variables.
systemd[11376]: caddy.service: Failed at step EXEC spawning /nix/store/ghpcwj6paccc92l1gk7ykb6gf2i2w6fi-go1.6-caddy-0.8.3/bin/caddy: No such file or directory
Every period, sa1 collects and stores data.
Every 24 hours, sa2 aggregates the previous day's data in to a
report.
Timers and unit configurations were lifted from Fedora's default
units.
A disabled systemd service with a "startAt" attribute, like this:
systemd.services.foo-service = {
enable = false;
startAt = "*-*-* 05:15:00";
...
};
will cause the following errors in the system journal:
systemd[1]: foo-service.timer: Refusing to start, unit to trigger not loaded.
systemd[1]: Failed to start foo-service.timer.
Fix it by not generating the corresponding timer unit when the service
is disabled.
Previously, the value from stdenv.platform.kernelDTB was used. That
doesn't work well if both kinds (DTB and non-DTB) of generations exist
in the system profile.
The shairport-sync service currently fails to start with the error
shairport avahi_entry_group_new failed
This problem seems to have been introduced by
cdd7310a50
After some trial and error I concluded that the attached commit is a minimal
fix.
Currently NixOS creates the swapfile (with the specified size) only if
it doesn't already exist. Changing the swapfile size afterwards will not
have any effect.
This commit changes that so the swapfile will be recreated whenever
swapDevices.*.size is changed (or more precisely, whenever the actual
file size differs from the configured one), allowing both growing and
shrinking the swapfile.
The service unit has "restartIfChanged = false", so we don't have to
worry about the swapfile being in use at the time this code is run (you
have to reboot for swapfile changes).
fallocate doesn't shrink files, use truncate for that. truncate can also
be used to grow files, but it creates "holes" in the file which doesn't
work with swapfiles.
':' is currently used as separator in /boot/grub/state for the list of
devices GRUB should be installed to. The problem is that ':' itself may
appear in a device path:
/dev/disk/by-id/usb-SanDisk_Cruzer_20043512300546C0B317-0:0
With such a path, NixOS will install GRUB *every* time, because it
thinks the configuration differs from the state file (due to the wrong
list split). Fix it by using ',' as separator.
For existing systems with GRUB installed on multiple devices, this
change means that GRUB will be installed one extra time.
- init gnome-software for gnome3 at 3.18.3
- list gnome-software as an "optional package" for gnome3
- enable packagekit service when gnome3 is enabled
- currently pulled in from Git until the next release of PackageKit
has Nix support
- also: add in a service module to start packagekit properly
- nixos service can be enabled via services.packagekit.enable
- packagekit requires nixunstable to build properly
Fixup regression introduced in commit 1bbcd91b2e
("spacefm: sudo and gksu fixes#15758 and license update").
A missing </filename> end tag caused this:
$ nixos-rebuild build
...
options-db.xml:4402: parser error : Opening and ending tag mismatch: filename line 4401 and para
</para><para><emphasis>Type:</emphasis> boolean</para><para><emphasis>Default:</
^
options-db.xml:4406: parser error : Opening and ending tag mismatch: filename line 4401 and listitem
</filename></member></simplelist></listitem></varlistentry><varliste
^
options-db.xml:4406: parser error : Opening and ending tag mismatch: para line 4401 and varlistentry
</filename></member></simplelist></listitem></varlistentry><varliste
^
options-db.xml:28430: parser error : Opening and ending tag mismatch: listitem line 4401 and variablelist
</filename></member></simplelist></listitem></varlistentry></variablelist
^
options-db.xml:28432: parser error : Premature end of data in tag varlistentry line 4401
- RPi3 successfully gets to U-Boot, but then fails to boot the kernel
due to a missing device tree file. This should get added to the 4.8
kernel release once this patch is merged: https://lkml.org/lkml/2016/6/1/841
- RPi2 is not tested, but it should successfully boot the NixOS image.
Instead of showing this output from "nixos-rebuild switch":
warning: not applying GID change of group ‘munin’
warning: not applying UID change of user ‘ntp’
print this:
warning: not applying GID change of group ‘munin’ (95 -> 102)
warning: not applying UID change of user ‘ntp’ (3 -> 179)
This makes it possible for users to take action and fixup the UIDs/GIDs
that NixOS won't touch.
Fixes issue when upgrading from very old NixOS systems that don't have
systemd-escape in $PATH:
$ sudo nixos-rebuild switch
...
building the system configuration...
updating GRUB 2 menu...
Can't exec "systemd-escape": No such file or directory at /nix/var/nix/profiles/system/bin/switch-to-configuration line 264.
Unable to escape /!
Fixes this (line wrapped):
$ gnome-control-center
[... click on the "Color" item ...]
(gnome-control-center:3977): color-cc-panel-WARNING **: \
The name org.freedesktop.ColorManager was not provided by any .service files
With this patch applied, the above warnings are not printed and the GUI
shows some devices that can be managed (my printer and display). Without
this patch the GUI is empty (non-functional).
(cups will also complain in the journal with a similar message when
doing print jobs, without this patch.)
The docstring for the `services.dbus.packages` configuration option only
mentioned one directory, but the implementation actually looked for DBus
config files in four separate places within the target packages. This
commit updates the docstring to reflect the actual implementation
behaviour.
stripHash uses a global variable to communicate it's computation
results, but it's not necessary. You can just pipe to stdout in a
subshell. A function mostly behaves like just another command.
baseHash() also introduces a suffix-stripping capability since it's
something the users of the function tend to use.
...by adding system-config-printer to services.dbus.packages (if
services.printing.enable is true).
Without this patch, trying to add a printer will result in a little dialog
saying "Failed to add new printer" and gnome-control-center will print this to
the terminal (line wrapped):
(gnome-control-center:3546): printers-cc-panel-WARNING **: \
GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: \
The name org.fedoraproject.Config.Printing was not provided by any .service files
system-config-printer supplies the "org.fedoraproject.Config.Printing" dbus
service, thus fixing the problem.
wpa_supplicant fails to start if the wireless interfaces aren't ready yet,
so we need to add a system ordering directive here to start wpa_supplicant
after the interfaces are ready. Note that Requires= is not enough since
it does not imply ordering.
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose. That leaves no use for the grsecurity GID.
More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/resriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel. The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.
The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.
The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).
Administration of Grsecurity's role based access control system is yet
to be implemented.
We need to use wrapped modprobe, so that it finds the right
modules. Docker needs modprobe to load overlay kernel module
for example.
This fixes an an error starting docker if the booted system's kernel
version is different from the /run/current-system profile's one.
The update-resolve-conf script from the update-resolv-conf
package is very useful and should work in most of the common
cases, so this adds an option to enable it. The option is
disabled by default for backwards compatibility.
So far the module only allowed for the ccid driver, but there are a lot
of other PCSC driver modules out there, so let's add an option called
"plugins", which boils down to a store path that links together all the
paths specified.
We don't need to create stuff in /var/lib/pcsc anymore, because we
patched pcsclite to allow setting PCSCLITE_HP_DROPDIR.
Another new option is readerConfig, which is especially useful for
non-USB readers that aren't autodetected.
The systemd service now is no longer Type=forking, because we're now
passing the -f (foreground) option to pcscd.
Tested against a YubiKey 4, SCR335 and a REINER SCT USB reader.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @wkennington
This was originally removed in d4d0e449d7.
The intent was not to maintain hydra expression at two places.
Nowadays we have enough devs to maintain this despite copy/pasta.
This should encourage more people to use Hydra, which is a really
great piece of software together with Nix.
Tested a deploy using https://github.com/peti/hydra-tutorial
Since systemd version 230, it is required to have a machine-id file
prior to the startup of the container. If the file is empty, a transient
machine ID is generated by systemd-nspawn.
See systemd/systemd#3014 for more details on the matter.
This unbreaks all of the containers-* NixOS tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
Closes: #15808
When displaying a warning about a removed Option we should always
include reasoning why it was removed and how to get the same
functionality without it.
Introduces such a description argument and patches occurences (mostly
with an empty string).
startGnuPGAgent: further notes on replacement
The primary motivation here is to get rid of builderDefs, but now the
resulting font directory is also linked into /run/current-system/sw,
which fixes#15194.
The existence of $root/var/lib/private/host-notify as a socket
prevented a bind mount:
container foo[8083]: Failed to create mount point /var/lib/containers/foo/var/lib/private/host-notify: No such device or address
This allows setting options for the same LUKS device in different
modules. For example, the auto-generated hardware-configuration.nix
can contain
boot.initrd.luks.devices.crypted.device = "/dev/disk/...";
while configuration.nix can add
boot.initrd.luks.devices.crypted.allowDiscards = true;
Also updated the examples/docs to use /disk/disk/by-uuid instead of
/dev/sda, since we shouldn't promote the use of the latter.
... rather than ~/.xsession-errors. It might make sense to make this
the default, in order to eliminate ad hoc, uncentralised, poorly
discoverable log files.
This ensures that "journalctl -u display-manager" does what you would
expect in 2016. However, the main reason is to ensure that our VM
tests show the output of the X server.
A slight problem is that with KDE user switching, messages from the
various X servers end up in the same place. However, that's an
improvement over the previous situation, where the second X server
would overwrite the /var/log/X.0.log of the first. (This was caused by
the fact that we were passing a hard-coded value for -logfile.)
For now, leave the old implementation under `man-old` attribute.
Small warning: I had a leftover ~/.nix-profile/man from an old package,
which caused man-db's man prefer it and ignore ~/.nix-profile/share/man.
The PATH->MANPATH code just selects the first match for each PATH item.
The motivation is using sudo in chroot nix builds, a somewhat
special edge case I have and pulling system path into chroot
yields to some very nasty bug like
https://github.com/NixOS/nixpkgs/issues/15581
Previously:
$ cat /var/setuid-wrappers/sudo.real
/nix/store/3sm04dzh0994r86xqxy52jjc0lqnkn65-system-path/bin/sudo
After the change:
$ cat /var/setuid-wrappers/sudo.real
/nix/store/4g9sxbzy8maxf1v217ikp69c0c3q12as-sudo-1.8.15/bin/sudo
This reverts commit c25907d072.
I think this commit broke the NixOS service for NetworkManager. At least
with this, and the two previous reverts, everything is back to normal.
(With multiple-outputs split, it would have reduced the closure size by
3 MiB.)
This reverts commit 7ac1ef05fa.
One of a few reverts needed to unbreak networkmanager NixOS service
since the multiple-output split (to save 3 MiB of closure size).
This reverts commit 2875293615.
One of a few reverts needed to unbreak networkmanager NixOS service
since the multiple-output split (to save 3 MiB of closure size).
Move Subsonic state directory from `/var/subsonic` to
`/var/lib/subsonic`, since the general convention is for each
application to put its state directory there.
Also, automatically set the home directory of the `subsonic` user to the
value of `config.services.subsonic.home`, rather than setting it to a
value hardcoded in the module. This keeps the home directory of the
`subsonic` user and the state directory for the Subsonic application in
sync.
leveraging users.users.<user>.createHome instead of a preStart script.
preStart script is still required to ensure proper creation of logging
directory.
This properly implements revert in
0729f60697.
We used to have which='type -P' alias, but really it's best to just
rely on which package, only 88K in size.
cc @edolstra
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293
This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
The list of public proxies is updated now and again and it's probably a
good idea to always work from the most recent list, rather than the one
that is shipped with the release. This can be crucial in case of
resolvers that are revealed to have gone rogue or otherwise have been
compromised.
Unfortunately, pkill doesn't distinguish between kernel and user space
processes, so we need to make sure we don't accidentally kill kernel
threads.
Normally, a kernel thread ignores all signals, but there are a few that
do. A quick grep on the kernel source tree (as of kernel 4.6.0) shows
the following source files which use allow_signal():
drivers/isdn/mISDN/l1oip_core.c
drivers/md/md.c
drivers/misc/mic/cosm/cosm_scif_server.c
drivers/misc/mic/cosm_client/cosm_scif_client.c
drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
drivers/staging/rtl8188eu/core/rtw_cmd.c
drivers/staging/rtl8712/rtl8712_cmd.c
drivers/target/iscsi/iscsi_target.c
drivers/target/iscsi/iscsi_target_login.c
drivers/target/iscsi/iscsi_target_nego.c
drivers/usb/atm/usbatm.c
drivers/usb/gadget/function/f_mass_storage.c
fs/jffs2/background.c
fs/lockd/clntlock.c
fs/lockd/svc.c
fs/nfs/nfs4state.c
fs/nfsd/nfssvc.c
While not all of these are necessarily kthreads and some functionality
may still be unimpeded, it's still quite harmful and can cause
unexpected side-effects, especially because some of these kthreads are
storage-related (which we obviously don't want to kill during bootup).
During discussion at #15226, @dezgeg suggested the following
implementation:
for pid in $(pgrep -v -f '@'); do
if [ "$(cat /proc/$pid/cmdline)" != "" ]; then
kill -9 "$pid"
fi
done
This has a few downsides:
* User space processes which use an empty string in their command line
won't be killed.
* It results in errors during bootup because some shell-related
processes are already terminated (maybe it's pgrep itself, haven't
checked).
* The @ is searched within the full command line, not just at the
beginning of the string. Of course, we already had this until now, so
it's not a problem of his implementation.
I posted an alternative implementation which doesn't suffer from the
first point, but even that one wasn't sufficient:
for pid in $(pgrep -v -f '^@'); do
readlink "/proc/$pid/exe" &> /dev/null || continue
echo "$pid"
done | xargs kill -9
This one spawns a subshell, which would be included in the processes to
kill and actually kills itself during the process.
So what we have now is even checking whether the shell process itself is
in the list to kill and avoids killing it just to be sure.
Also, we don't spawn a subshell anymore and use /proc/$pid/exe to
distinguish between user space and kernel processes like in the comments
of the following StackOverflow answer:
http://stackoverflow.com/a/12231039
We don't need to take care of terminating processes, because what we
actually want IS to terminate the processes.
The only point where this (and any previous) approach falls short if we
have processes that act like fork bombs, because they might spawn
additional processes between the pgrep and the killing. We can only
address this with process/control groups and this still won't save us
because the root user can escape from that as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #15226
Instead of using this option, please modify the dovecot package by means of an
override. For example:
nixpkgs.config.packageOverrides = super: {
dovecot = super.dovecot.override { withPgSQL = true; };
};
Closes https://github.com/NixOS/nixpkgs/issues/14097.
* Perform HTTP HEAD request instead of full GET (lighter weight)
* Don't log output of curl to the journal (it's noise/debug)
* Use explicit http:// URL scheme
* Reduce poll interval from 10s to 2s (respond to state changes
quicker). Probably not relevant on boot (lots of services compete for
the CPU), but online service restarts/reloads should be quicker.
* Pass --fail to curl (should be more robust against false positives)
* Use 4 space indent for shell code.
The current postStart code holds Jenkins off the "started" state until
Jenkins becomes idle. But it should be enough to wait until Jenkins
start handling HTTP requests to consider it "started".
More reasons why the current approach is bad and we should remove it,
from @coreyoconnor in
https://github.com/NixOS/nixpkgs/issues/14991#issuecomment-216572571:
1. Repeatedly curling for a specific human-readable string to
determine "Active" is fragile. For instance, what happens when jenkins
is localized?
2. The time jenkins takes to initializes is variable. This (at least
used to) depend on the number of jobs and any plugin upgrades requested.
3. Jenkins can be requested to restart from the UI. Which will not
affect the status of the service. This means that the service being
"active" does not imply jenkins is initialized. Downstream services
cannot assume jenkins is initialized if the service is active. Might
as well accept that and remove the initialized test from service
startup.
Fixes#14991.
A sane backend for recent brother scanners.
Depends on the presence of etc files generated by the
nixos module of the same name.
Supports network scanner specification through the
nixos module.
The Nix store squashfs is stored inside the initrd instead of separately
(cherry picked from commit 976fd407796877b538c470d3a5253ad3e1f7bc68)
Signed-off-by: Domen Kožar <domen@dev.si>
A user noticed the example for `hosts`, took the `mode` permissions literally, and ended up with surprising behavior on their system. Updating the documentation to not reference a real config file which might have real permissions requirements.
The pre-sleep service exits if any command fails. Unloading facetimehd
without it being loaded blocks subsequent commands from running.
Note: `modprobe -r` works a bit better when unloading unused modules,
and is preferrable to `rmmod`. However, the facetimehd module does not
support suspending. In this case, it seems preferable to forcefully
unload the module. `modprobe` does not support a `--force` flag when
removing, so we are left with `rmmod`.
See:
- https://github.com/NixOS/nixpkgs/pull/14883
- https://github.com/patjak/bcwc_pcie/wiki#known-issues
Basic hardening
- Run as nobody:nogroup with a private /tmp, /home & /run/user
- Create working directory under /run (hoogle insists on writing to cwd
and otherwise returns "something went wrong" to every query)
Option tweaks
- Provide a default for the haskellPackage option
- Set text values for defaults
- Move hoogleEnv to the top-level & simplify it
This command was useful when NixOS was spread across multiple
repositories, but now it's pretty pointless (and obfuscates what
happens, i.e. "git clone git://github.com/NixOS/nixpkgs.git").
Note: I ignored the C++ libraries, but it appears we're not currently
using them. Once we do, we'll probably want to put them in a separate
output as well (to prevent non-C++ users from depending on Boost).
Need to pass `cups.out` to `systemd.packages`, lest we end up with an invalid
generated unit containing only directives set in the service module.
This patch gives us a valid cups.service unit but, vexingly, does not fix the
test failure at NixOS/nixpkgs#14748
`dbus-launch` is executed early in the script, before desktop managers
had a chance to setup the environment. If DBus activation is used,
applications launched by this may therefore lack necessary environment
variables. This patch sends the complete environment to DBus after
launching the desktop manager.
With the merge of the closure-size branch, most packages now have
multiple outputs. One of these packages is gnutls, so previously
everything that we needed was to reference "${gnutls}/bin/..." and now
we need to use "${gnutls.bin}/bin/...".
So it's not a very big issue to fix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This adds a Taskserver module along with documentation and a small
helper tool which eases managing a custom CA along with Taskserver
organisations, users and groups.
Taskserver is the server component of Taskwarrior, a TODO list
application for the command line.
The work has been started by @matthiasbeyer back in mid 2015 and I have
continued to work on it recently, so this merge contains commits from
both of us.
Thanks particularly to @nbp and @matthiasbeyer for reviewing and
suggesting improvements.
I've tested this with the new test (nixos/tests/taskserver.nix) this
branch adds and it fails because of the changes introduced by the
closure-size branch, so we need to do additional work on base of this.
Suggested by @nbp:
"Choose a better organization name in this example, such that it is less
confusing. Maybe something like my-company"
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It was failing with a `Read-only filesystem` failure due to the systemd
service option `ReadWriteDirectories` not being correctly configured.
Fixes#14132
Continuation of 79c3c16dcbb3b45c0f108550cb89ccd4fc855e3b. Systemd 229
sets the default RLIMIT_CORE to infinity, causing systems to be
littered with core dumps when systemd.coredump.enable is disabled.
This restores the 15.09 soft limit of 0 and hard limit of infinity.
This module adds support for defining a flexget service.
Due to flexget insisting on being able to write all over where it finds
its configuration file, we use a ExecStartPre hook to copy the generated
configuration file into place under the user's home. It's fairly ugly
and I'm very open to suggestions
We have already revamped the CLI subcommands in commit
e2383b84f8.
This was just an artifact that was left because of this.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The options client.allow and client.deny are gone since the commit
8b793d1916, so let's fix that.
No feature changes, only fixes the descriptions of allowedClientIDs and
disallowedClientIDs.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is the recommended way for long-running services and ensures that
Taskserver will keep running until it has been stopped manually.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Using requiredBy is a bad idea for the initialisation units, because
whenever the Taskserver service is restarted the initialisation units
get restarted as well.
Also, make sure taskserver-init.service will be ordered *before*
taskserver.service.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The Taskserver doesn't need access to the full /dev nor does it need a
shared /tmp. In addition, the initialisation services don't need network
access, so let's constrain them to the loopback device.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Apart from the options manual, this should cover the basics for setting
up a Taskserver. I am not a native speaker so this can and (probably)
should be improved, especially the wording/grammar.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Try to match the subcommands to act more like the subcommands from the
taskd binary and also add a subcommand to list groups.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
As suggested by @matthiasbeyer:
"We might add a short note that this port has to be opened in the
firewall, or is this done by the service automatically?"
This commit now adds the listenPort to
networking.firewall.allowedTCPPorts as soon as the listenHost is not
"localhost".
In addition to that, this is now also documented in the listenHost
option declaration and I have removed disabling of the firewall from the
VM test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
No changes in functionality but rather just restructuring the module
definitions to be one mkMerge, which now uses mkIf from the top-level
scope of the CA initialization service so we can better abstract
additional options we might need there.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We want to make sure that the helper tool won't work if the automatic CA
wasn't properly set up. This not only avoids race conditions if the tool
is started before the actual service is running but it also fails if
something during CA setup has failed so the user can investigate what
went wrong.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We need to explicitly make sure the CA is created before we actually
launch the main Taskserver service in order to avoid race conditions
where the preStart phase of the main service could possibly corrupt
certificates if it would be started in parallel.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is simply to add configuration lines to the generated configuration
file. The reason why I didn't went for an attribute set is that the
taskdrc file format doesn't map very well on Nix attributes, for example
the following can be set in taskdrc:
server = somestring
server.key = anotherstring
In order to use a Nix attribute set for that, it would be way too
complicated, for example if we want to represent the mentioned example
we'd have to do something like this:
{ server._top = somestring;
server.key = anotherstring;
}
Of course, this would work as well but nothing is more simple than just
appending raw strings.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
At least this should allow for some customisation of how the
certificates and keys are created. We now have two sub-namespaces within
PKI so it should be more clear which options you have to set if you want
to either manage your own CA or let the module create it automatically.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Whenever the nixos-taskserver tool was invoked manually for creating an
organisation/group/user we now add an empty file called .imperative to
the data directory.
During the preStart of the Taskserver service, we use process-json which
in turn now checks whether those .imperative files exist and if so, it
doesn't do anything with it.
This should now ensure that whenever there is a manually created user,
it doesn't get killed off by the declarative configuration in case it
shouldn't exist within that configuration.
In addition, we also add a small subtest to check whether this is
happening or not and fail if the imperatively created user got deleted
by process-json.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Now we finally can delete organisations, groups and users along with
certificate revocation. The new subtests now make sure that the client
certificate is also revoked (both when removing the whole organisation
and just a single user).
If we use the imperative way to add and delete users, we have to restart
the Taskserver in order for the CRL to be effective.
However, by using the declarative configuration we now get this for
free, because removing a user will also restart the service and thus its
client certificate will end up in the CRL.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Unfortunately we don't have a better way to check whether the reload has
been done successfully, but at least we now *can* reload it without
figuring out the exact signal to send to the process.
Note that on reload, Taskserver will not reload the CRL file. For that
to work, a full restart needs to be done.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
If we want to revoke client certificates and want the server to actually
notice the revocation, we need to have a valid certificate revocation
list.
Right now the expiration_days is set to 10 years, but that's merely to
actually get certtool to actually generate the CRL without trying to
prompt for user input.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It doesn't do much harm to make the server certificate world readable,
because even though it's not accessible anymore via the file system,
someone can still get it by simply doing a TLS handshake with the
server.
So this is solely for consistency.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We now no longer have the stupid --service-helper option, which silences
messages about already existing organisations, users or groups.
Instead of that option, we now have a new subcommand called
"process-json", which accepts a JSON file directly from the specified
NixOS module options and creates/deletes the users accordingly.
Note that this still has a two issues left to solve in this area:
* Deletion is not supported yet.
* If a user is created imperatively, the next run of process-json will
delete it once deletion is supported.
So we need to implement deletion and a way to mark organisations, users
and groups as "imperatively managed".
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The Click functions really are for the command line and should be solely
used for that.
What I have in mind is that instead of that crappy --service-helper
argument, we should really have a new subcommand that is expecting JSON
which is directly coming from the services.taskserver.organisations
module option.
That way we can decrease even more boilerplate and we can also ensure
that organisations, users and groups get properly deleted if they're
removed from the NixOS configuration.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With <olink/> support in place, we can now reference the Taskserver
section within the NixOS manual, so that users reading the manpage of
configuration.nix(5) won't miss this information.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We're now using .pki.server.* and .pki.ca.* so that it's entirely clear
what these keys/certificates are for. For example we had just .pki.key
before, which doesn't really tell very much about what it's for except
if you look at the option description.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The improvement here is just that we're adding a big <note/> here so
that users of these options are aware that whenever they're setting one
of these the certificates and keys are _not_ created automatically.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is clearly a server configuration option and has nothing to do with
certificate creation and signing, so let's move it away from the .pki
namespace.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It's not necessarily related to the PKI options, because this is also
used for setting the server address on the Taskwarrior client.
So if someone doesn't have his/her own certificates from another CA, all
options that need to be adjusted are in .pki. And if someone doesn't
want to bother with getting certificates from another CA, (s)he just
doesn't set anything in .pki.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
After moving out the PKI-unrelated options, let's name this a bit more
appropriate, so we can finally get rid of the taskserver.server thing.
This also moves taskserver.caCert to taskserver.pki.caCert, because that
clearly belongs to the PKI options.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Having an option called services.taskserver.server.host is quite
confusing because we already have "server" in the service name, so let's
first get rid of the listening options before we rename the rest of the
options in that .server attribute.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
In the comments of the pull request @nbp wrote:
"Why is it implemented in 3 different languages: Nix, Bash and C?"
And he's right, it doesn't make sense, because we were using C as a
runuser replacement and used Nix to generate the shellscript
boilerplates.
Writing this in Python gets rid of all of this and we also don't need
the boilerplate as well, because we're using Click to handle all the
command line stuff.
Note that this currently is a 1:1 implementation of what we had before.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The option is solely for debugging purposes (particularly the unit tests
of the project itself) and doesn't make sense to include it in the NixOS
module options.
If people want to use this, we might want to introduce another option so
that we can insert arbitrary configuration lines.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Commit 98d9bba introduced this option as a nullOr type and it actually
checks whether null has been set and only appends -dpi if that's the
case. So let's actually set the default to null instead of 0.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner. The module adds a static group "proc"
whose members are exempt from process information hiding.
Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.
To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.
Thanks to @abbradar for feedback and suggestions.
It's not by any means exhaustive, but we're still going to change the
implementation, so let's just use this as a starting point.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
These values match against the client IDs only, so let's rename it to
something that actually reflects that. Having client.cert in the same
namespace also could lead to confusion, because the client.cert setting
is for the *debugging* client only.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Referring to the GnuTLS documentation isn't very nice if the user has to
use a search engine to find that documentation. So let's directly link
to it.
The type was "str" before, but it's actually a colon-separated string,
so if we set options in multiple modules, the result is one concatenated
string.
I know there is types.envVar, which does the same as separatedString ":"
but I found that it could confuse the reader of the Taskserver module.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We already document that we allow special values such as "all" and
"none", but the type doesn't represent that. So let's use an enum in
conjuction with a loeOf type so that this becomes clear.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The option authzldapauthoritative had been removed in 2.4
I pushed this into 16.03 instead of master first. My fault.
(cherry picked from commit 516f47efefc44a5465266fe4d72f9136147d2caf)
Using nixos-taskserver is more verbose but less cryptic and I think it
fits the purpose better because it can't be confused to be a wrapper
around the taskdctl command from the upstream project as
nixos-taskserver shares no commonalities with it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With a cluttered up module source it's really a pain to navigate through
it, so it's a good idea to put it into another file.
No changes in functionality here, just splitting up the files and fixing
references.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Finally, this is where we declaratively set up our organisations and
users/groups, which looks like this in the system configuration:
services.taskserver.organisations.NixOS.users = [ "alice" "bob" ];
This automatically sets up "alice" and "bob" for the "NixOS"
organisation, generates the required client keys and signs it via the
CA.
However, we still need to use nixos-taskdctl export-user in order to
import these certificates on the client.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It's a helper for NixOS systems to make it easier to handle CA
certificate signing, similar to what taskd provides but comes preseeded
with the values from the system configuration.
The tool is very limited at the moment and only allows to *add*
organisations, users and groups. Deletion and suspension however is much
simpler to implement, because we don't need to handle certificate
signing.
Another limitation is that we don't take into account whether
certificates and keys are already set in the system configuration and if
they're set it will fail spectacularly.
For passing the commands to the taskd command, we're using a small C
program which does setuid() and setgid() to the Taskserver user and
group, because runuser(1) needs PAM (quite pointless if you're already
root) and su(1) doesn't allow for setting the group and setgid()s to the
default group of the user, so it even doesn't work in conjunction with
sg(1).
In summary, we now have a shiny nixos-taskdctl command, which lets us do
things like:
nixos-taskdctl add-org NixOS
nixos-taskdctl add-user NixOS alice
nixos-taskdctl export-user NixOS alice
The last command writes a series of shell commands to stdout, which then
can be imported on the client by piping it into a shell as well as doing
it for example via SSH:
ssh root@server nixos-taskdctl export-user NixOS alice | sh
Of course, in terms of security we need to improve this even further so
that we generate the private key on the client and just send a CSR to
the server so that we don't need to push any secrets over the wire.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We want to declaratively specify users and organisations, so let's add
another module option "organisations", which allows us to specify users,
groups and of course organisations.
The implementation of this is not yet done and this is just to feed the
boilerplate.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Using just the host for the common name *and* for listening on the port
is quite a bad idea if you want to listen on something like :: or an
internal IP address which is proxied/tunneled to the outside.
Hence this separates host and fqdn.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
