Merge remote-tracking branch 'upstream/master'

doc/manual/installation.xml

@@ -326,7 +326,7 @@ packages.</para>
 some reason this is not the case, just do
 
 <screen>
-$ nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable
+$ nix-channel --add http://nixos.org/channels/nixos-unstable
 </screen>
 
 You can then upgrade NixOS to the latest version in the channel by

maintainers/scripts/ec2/create-ebs-amis.py

@@ -52,7 +52,7 @@ m.run_command("mkdir -p /mnt")
 m.run_command("mount {0} /mnt".format(device))
 m.run_command("touch /mnt/.ebs")
 m.run_command("mkdir -p /mnt/etc/nixos")
-m.run_command("nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable")
+m.run_command("nix-channel --add http://nixos.org/channels/nixos-unstable")
 m.run_command("nix-channel --update")
 m.run_command("nixos-rebuild switch")
 version = m.run_command("nixos-version", capture_stdout=True).replace('"', '').rstrip()

modules/config/power-management.nix

@@ -87,7 +87,7 @@ in
       };
 
     boot.kernelModules =
-      [ "acpi_cpufreq" "cpufreq_performance" "cpufreq_powersave" "cpufreq_ondemand"
+      [ "acpi_cpufreq" "powernow-k8" "cpufreq_performance" "cpufreq_powersave" "cpufreq_ondemand"
         "cpufreq_conservative"
       ];
 

modules/config/system-path.nix

@@ -55,7 +55,7 @@ let
       pkgs.time
       pkgs.udev
       pkgs.usbutils
-      pkgs.utillinux
+      pkgs.utillinuxCurses
       extraManpages      
     ];
 

modules/config/timezone.nix

@@ -27,7 +27,7 @@ with pkgs.lib;
     environment.shellInit =
       ''
         export TZ=${config.time.timeZone}
-        export TZDIR=${pkgs.glibc}/share/zoneinfo
+        export TZDIR=${pkgs.tzdata}/share/zoneinfo
       '';
 
     environment.etc = singleton

modules/installer/cd-dvd/installation-cd-new-kernel.nix

@@ -3,6 +3,6 @@
 {
   require = [ ./installation-cd-graphical.nix ];
 
-  boot.kernelPackages = pkgs.linuxPackages_3_2;
+  boot.kernelPackages = pkgs.linuxPackages_3_7;
   boot.vesa = false;
 }

modules/installer/cd-dvd/system-tarball-fuloong2f.nix

@@ -46,9 +46,8 @@ in
 
 {
   require =
-    [ options
+    [
       ./system-tarball.nix
-      ../../hardware/network/rt73.nix
     ];
 
 
@@ -106,8 +105,8 @@ in
   boot.initrd.availableKernelModules =
     [ "vfat" "reiserfs" ];
 
-  boot.kernelPackages = pkgs.linuxPackages_2_6_35;
-  boot.kernelParams = [ "console=tty" ];
+  boot.kernelPackages = pkgs.linuxPackages_3_6;
+  boot.kernelParams = [ "console=tty1" ];
 
   boot.postBootCommands =
     ''

modules/installer/cd-dvd/system-tarball-pc-readme.txt

@@ -80,7 +80,7 @@ had booted this nixos. Run:
 *  `grep local-cmds run/current-system/init`
 
 Then you can proceed normally subscribing to a nixos channel:
-  nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable
+  nix-channel --add http://nixos.org/channels/nixos-unstable
   nix-channel --update
 
 Testing:

modules/module-list.nix

@@ -164,6 +164,7 @@
   ./services/security/fprot.nix
   ./services/security/frandom.nix
   ./services/security/tor.nix
+  ./services/security/torify.nix
   ./services/security/torsocks.nix
   ./services/system/cgroups.nix
   ./services/system/dbus.nix

modules/programs/bash/profile.sh

@@ -87,7 +87,7 @@ fi
 
 # Subscribe the root user to the NixOS channel by default.
 if [ "$USER" = root -a ! -e $HOME/.nix-channels ]; then
-    echo "http://nixos.org/releases/nixos/channels/nixos-unstable nixos" > $HOME/.nix-channels
+    echo "http://nixos.org/channels/nixos-unstable nixos" > $HOME/.nix-channels
 fi
 
 # Create the per-user garbage collector roots directory.

modules/services/hardware/acpid.nix

@@ -8,11 +8,11 @@ let
     ''
       ensureDir $out
       ${
-        # Generate a .conf file for each event. (You can't have
+        # Generate a configuration file for each event. (You can't have
         # multiple events in one config file...)
         let f = event:
           ''
-            fn=$out/${event.name}.conf
+            fn=$out/${event.name}
             echo "event=${event.event}" > $fn
             echo "action=${pkgs.writeScript "${event.name}.sh" event.action}" >> $fn
           '';

modules/services/security/tor.nix

@@ -53,6 +53,14 @@ in
           '';
         };
 
+	socksListenAddressFaster = mkOption {
+          default = "127.0.0.1:9063";
+	  description = ''
+            Same as socksListenAddress but uses weaker circuit isolation to provide
+            performance suitable for a web browser.
+          '';
+        };
+
         socksPolicy = mkOption {
           default = "";
           example = "accept 192.168.0.0/16, reject *";
@@ -259,7 +267,8 @@ in
         User ${torUser}
       ''
       + optionalString cfg.client.enable  ''
-        SocksListenAddress ${cfg.client.socksListenAddress}
+        SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
+	SOCKSPort ${cfg.client.socksListenAddressFaster}
         ${opt "SocksPolicy" cfg.client.socksPolicy}
       ''
       + optionalString cfg.relay.enable ''
@@ -276,7 +285,7 @@ in
         # Generally, this file goes in /etc/privoxy/config
         #
         # Tor listens as a SOCKS4a proxy here:
-        forward-socks4a / ${cfg.client.socksListenAddress} .
+        forward-socks4a / ${cfg.client.socksListenAddressFaster} .
         confdir ${privoxy}/etc
         logdir ${privoxyDir}
         # actionsfile standard  # Internal purpose, recommended

modules/services/security/torify.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+with pkgs.lib;
+let
+
+  cfg = config.services.tor;
+
+  torify = pkgs.writeTextFile {
+    name = "torify";
+    text = ''
+        #!${pkgs.stdenv.shell}
+        TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.torify.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" $@
+    '';
+    executable = true;
+    destination = "/bin/torify";
+  };
+
+in
+
+{
+
+  ###### interface
+  
+  options = {
+  
+    services.tor.torify = {
+
+      enable = mkOption {
+        default = cfg.client.enable;
+        description = ''
+          Whether to build torify scipt to relay application traffic via TOR.
+        '';
+      };
+
+      server = mkOption {
+        default = "localhost:9050";
+        example = "192.168.0.20";
+        description = ''
+          IP address of TOR client to use.
+        '';
+      };
+
+      config = mkOption {
+        default = "";
+        description = ''
+          Extra configuration. Contents will be added verbatim to TSocks
+          configuration file.
+        '';
+      };
+
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.torify.enable {
+
+    environment.systemPackages = [ torify ];  # expose it to the users
+
+    services.tor.torify.config = ''
+      server = ${toString(head (splitString ":" cfg.torify.server))}
+      server_port = ${toString(tail (splitString ":" cfg.torify.server))}
+
+      local = 127.0.0.0/255.128.0.0
+      local = 127.128.0.0/255.192.0.0
+    '';
+  };
+
+}

modules/services/security/torsocks.nix

@@ -4,16 +4,30 @@ let
 
   cfg = config.services.tor;
 
-  torsocks = pkgs.writeTextFile {
-    name = "torsocks";
+  makeConfig = server: ''
+      server = ${toString(head (splitString ":" server))}
+      server_port = ${toString(tail (splitString ":" server))}
+
+      local = 127.0.0.0/255.128.0.0
+      local = 127.128.0.0/255.192.0.0
+      local = 169.254.0.0/255.255.0.0
+      local = 172.16.0.0/255.240.0.0
+      local = 192.168.0.0/255.255.0.0
+
+      ${cfg.torsocks.config}
+    '';
+  makeTorsocks = name: server: pkgs.writeTextFile {
+    name = name;
     text = ''
         #!${pkgs.stdenv.shell}
-        TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" cfg.torsocks.config} LD_PRELOAD="${pkgs.torsocks}/lib/torsocks/libtorsocks.so $LD_PRELOAD" $@
+        TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (makeConfig server)} LD_PRELOAD="${pkgs.torsocks}/lib/torsocks/libtorsocks.so $LD_PRELOAD" $@
     '';
     executable = true;
-    destination = "/bin/torsocks";
+    destination = "/bin/${name}";
   };
 
+  torsocks = makeTorsocks "torsocks" cfg.torsocks.server;
+  torsocksFaster = makeTorsocks "torsocks-faster" cfg.torsocks.serverFaster;
 in
 
 {
@@ -33,12 +47,21 @@ in
 
       server = mkOption {
         default = cfg.client.socksListenAddress;
-        example = "192.168.0.20";
+        example = "192.168.0.20:9050";
         description = ''
           IP address of TOR client to use.
         '';
       };
 
+      serverFaster = mkOption {
+        default = cfg.client.socksListenAddressFaster;
+        example = "192.168.0.20:9063";
+        description = ''
+          IP address of TOR client to use for applications like web browsers which
+	  need less circuit isolation to achive satisfactory performance.
+        '';
+      };
+
       config = mkOption {
         default = "";
         description = ''
@@ -55,18 +78,8 @@ in
 
   config = mkIf cfg.torsocks.enable {
 
-    environment.systemPackages = [ torsocks ];  # expose it to the users
+    environment.systemPackages = [ torsocks torsocksFaster ];  # expose it to the users
 
-    services.tor.torsocks.config = ''
-      server = ${toString(head (splitString ":" cfg.torsocks.server))}
-      server_port = ${toString(tail (splitString ":" cfg.torsocks.server))}
-
-      local = 127.0.0.0/255.128.0.0
-      local = 127.128.0.0/255.192.0.0
-      local = 169.254.0.0/255.255.0.0
-      local = 172.16.0.0/255.240.0.0
-      local = 192.168.0.0/255.255.0.0
-    '';
   };
 
 }

modules/services/x11/hardware/wacom.nix

@@ -16,18 +16,41 @@ in
 
       enable = mkOption {
         default = false;
-        description = "Whether to enable the Wacom touchscreen/digitizer.";
+        description = "Whether to enable the Wacom touchscreen/digitizer/tablet.";
       };
 
       device = mkOption {
-        default = "/dev/ttyS0";
-        description = "Device to use.";
+        default = null;
+        example = "/dev/ttyS0";
+        description = "Device to use. Set to null for autodetect (think USB tablet).";
       };
 
       forceDeviceType = mkOption {
-        default = "ISDV4";
-        example = null;
-        description = "Some models (think touchscreen) require the device type to be specified.";
+        default = null;
+        example = "ISDV4";
+        description = "Some models (think touchscreen) require the device type to be specified. Set to null for autodetect (think USB tablet).";
+      };
+
+      stylusExtraConfig = mkOption {
+        default = "";
+        example = ''
+            Option "Button1" "2"
+          '';
+        description = "Lines to be added to Wacom_stylus InputDevice section.";
+      };
+
+      eraserExtraConfig = mkOption {
+        default = "";
+        example = ''
+            Option "Button2" "3"
+          '';
+        description = "Lines to be added to Wacom_eraser InputDevice section.";
+      };
+
+      cursorExtraConfig = mkOption {
+        default = "";
+        example = "";
+        description = "Lines to be added to Wacom_cursor InputDevice section.";
       };
 
     };
@@ -44,8 +67,8 @@ in
     services.xserver.serverLayoutSection =
       ''
         InputDevice "Wacom_stylus"
-        InputDevice "Wacom_cursor"
         InputDevice "Wacom_eraser"
+        InputDevice "Wacom_cursor"
       '';
 
     services.xserver.config =
@@ -53,33 +76,40 @@ in
         Section "InputDevice"
           Driver "wacom"
           Identifier "Wacom_stylus"
-          Option "Device" "${cfg.device}"
+          ${optionalString (cfg.device != null) ''
+            Option "Device" "${cfg.device}"
+          ''}
           Option "Type" "stylus"
           ${optionalString (cfg.forceDeviceType != null) ''
             Option "ForceDevice" "${cfg.forceDeviceType}"
           ''}
-          Option "Button2" "3"
+          ${cfg.stylusExtraConfig}
         EndSection
 
         Section "InputDevice"
           Driver "wacom"
           Identifier "Wacom_eraser"
-          Option "Device" "${cfg.device}"
+          ${optionalString (cfg.device != null) ''
+            Option "Device" "${cfg.device}"
+          ''}
           Option "Type" "eraser"
           ${optionalString (cfg.forceDeviceType != null) ''
             Option "ForceDevice" "${cfg.forceDeviceType}"
           ''}
-          Option "Button1" "2"
+          ${cfg.eraserExtraConfig}
         EndSection
 
         Section "InputDevice"
           Driver "wacom"
           Identifier "Wacom_cursor"
-          Option "Device" "${cfg.device}"
+          ${optionalString (cfg.device != null) ''
+            Option "Device" "${cfg.device}"
+          ''}
           Option "Type" "cursor"
           ${optionalString (cfg.forceDeviceType != null) ''
             Option "ForceDevice" "${cfg.forceDeviceType}"
           ''}
+          ${cfg.cursorExtraConfig}
         EndSection
       '';
 

modules/services/x11/xserver.nix

@@ -43,6 +43,36 @@ let
       pkgs.xorg.fontadobe75dpi
     ];
 
+  # Just enumerate all heads without discarding XRandR output information.
+  xrandrHeads = let
+    mkHead = num: output: {
+      name = "multihead${toString num}";
+      inherit output;
+    };
+  in imap mkHead cfg.xrandrHeads;
+
+  xrandrDeviceSection = flip concatMapStrings xrandrHeads (h: ''
+    Option "monitor-${h.output}" "${h.name}"
+  '');
+
+  # Here we chain every monitor from the left to right, so we have:
+  # m4 right of m3 right of m2 right of m1   .----.----.----.----.
+  # Which will end up in reverse ----------> | m1 | m2 | m3 | m4 |
+  #                                          `----^----^----^----'
+  xrandrMonitorSections = let
+    mkMonitor = previous: current: previous ++ singleton {
+      inherit (current) name;
+      value = ''
+        Section "Monitor"
+          Identifier "${current.name}"
+          ${optionalString (previous != []) ''
+          Option "RightOf" "${(head previous).name}"
+          ''}
+        EndSection
+      '';
+    };
+    monitors = foldl mkMonitor [] xrandrHeads;
+  in concatMapStrings (getAttr "value") monitors;
 
   configFile = pkgs.stdenv.mkDerivation {
     name = "xserver.conf";
@@ -256,6 +286,21 @@ in
         description = "Contents of the first Monitor section of the X server configuration file.";
       };
 
+      xrandrHeads = mkOption {
+        default = [];
+        example = [ "HDMI-0" "DVI-0" ];
+        type = with types; listOf string;
+        description = ''
+          Simple multiple monitor configuration, just specify a list of XRandR
+          outputs which will be mapped from left to right in the order of the
+          list.
+
+          Be careful using this option with multiple graphic adapters or with
+          drivers that have poor support for XRandR, unexpected things might
+          happen with those.
+        '';
+      };
+
       moduleSection = mkOption {
         default = "";
         example =
@@ -515,6 +560,7 @@ in
             Identifier "Device-${driver.name}[0]"
             Driver "${driver.driverName}"
             ${cfg.deviceSection}
+            ${xrandrDeviceSection}
           EndSection
 
           Section "Screen"
@@ -556,6 +602,8 @@ in
 
           EndSection
         '')}
+
+        ${xrandrMonitorSections}
       '';
 
   });

modules/system/boot/loader/efi-boot-stub/efi-boot-stub-builder.sh

@@ -122,3 +122,10 @@ for fn in "@efiSysMountPoint@/efi/nixos/"*; do
         rm -vf -- "$fn"
     fi
 done
+
+# Run any extra commands users may need
+if test -n "@runEfibootmgr@"; then
+  set +e
+  @postEfiBootMgrCommands@
+  set -e
+fi

modules/system/boot/loader/efi-boot-stub/efi-boot-stub.nix

@@ -8,7 +8,7 @@ let
     isExecutable = true;
     inherit (pkgs) bash;
     path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.glibc] ++ (pkgs.stdenv.lib.optionals config.boot.loader.efiBootStub.runEfibootmgr [pkgs.efibootmgr pkgs.module_init_tools]);
-    inherit (config.boot.loader.efiBootStub) efiSysMountPoint runEfibootmgr installStartupNsh efiDisk efiPartition;
+    inherit (config.boot.loader.efiBootStub) efiSysMountPoint runEfibootmgr installStartupNsh efiDisk efiPartition postEfiBootMgrCommands;
 
     efiShell = if config.boot.loader.efiBootStub.installShell then
       if pkgs.stdenv.isi686 then
@@ -103,6 +103,17 @@ in
             '';
           };
 
+          postEfiBootMgrCommands = mkOption {
+            default = "";
+            type = types.string;
+            description = ''
+              Shell commands to be executed immediately after efibootmgr has setup the system EFI.
+              Some systems do not follow the EFI specifications properly and insert extra entries.
+              Others will brick (fix by removing battery) on boot when it finds more than X entries.
+              This hook allows for running a few extra efibootmgr commands to combat these issues.
+            '';
+          };
+
         };
       };
     };

modules/system/boot/loader/grub/grub.nix

@@ -13,10 +13,11 @@ let
   grubConfig = pkgs.writeText "grub-config.xml" (builtins.toXML
     { splashImage = f config.boot.loader.grub.splashImage;
       grub = f grub;
+      shell = "${pkgs.stdenv.shell}";
       fullVersion = (builtins.parseDrvName config.system.build.grub.name).version;
       inherit (config.boot.loader.grub)
         version extraConfig extraPerEntryConfig extraEntries
-        extraEntriesBeforeNixOS configurationLimit copyKernels timeout
+        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout
         default devices;
     });
 

modules/system/boot/loader/grub/install-grub.pl

@@ -30,6 +30,7 @@ sub writeFile {
 my $grub = get("grub");
 my $grubVersion = int(get("version"));
 my $extraConfig = get("extraConfig");
+my $extraPrepareConfig = get("extraPrepareConfig");
 my $extraPerEntryConfig = get("extraPerEntryConfig");
 my $extraEntries = get("extraEntries");
 my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
@@ -188,6 +189,8 @@ addEntry("NixOS - Default", $defaultConfig);
 
 $conf .= "$extraEntries\n" unless $extraEntriesBeforeNixOS;
 
+# extraEntries could refer to @bootRoot@, which we have to substitute
+$conf =~ s/\@bootRoot\@/$bootRoot/g;
 
 # Add entries for all previous generations of the system profile.
 $conf .= "submenu \"NixOS - Old configurations\" {\n" if $grubVersion == 2;
@@ -211,6 +214,10 @@ foreach my $link (@links) {
 
 $conf .= "}\n" if $grubVersion == 2;
 
+# Run extraPrepareConfig in sh
+if ($extraPrepareConfig ne "") {
+  system((get("shell"), "-c", $extraPrepareConfig));
+}
 
 # Atomically update the GRUB config.
 my $confFile = $grubVersion == 1 ? "/boot/grub/menu.lst" : "/boot/grub/grub.cfg";

modules/system/boot/loader/grub/memtest.nix

@@ -22,17 +22,17 @@ in
     extraEntries = if config.boot.loader.grub.version == 2 then
       ''
         menuentry "${memtest86.name}" {
-          linux16 $bootRoot/memtest.bin
+          linux16 @bootRoot@/memtest.bin
         }
       ''
       else
       ''
         menuentry "${memtest86.name}"
-          linux16 $bootRoot/memtest.bin
+          linux16 @bootRoot@/memtest.bin
       '';
     extraPrepareConfig =
       ''
-        cp ${memtest86}/memtest.bin /boot/memtest.bin;
+        ${pkgs.coreutils}/bin/cp ${memtest86}/memtest.bin /boot/memtest.bin;
       '';
   };
 }

modules/system/boot/luksroot.nix

@@ -49,6 +49,29 @@ in
       description = "Obsolete.";
     };
 
+    boot.initrd.luks.mitigateDMAAttacks = mkOption {
+      default = true;
+      description = ''
+	Unless enabled, encryption keys can be easily recovered by an attacker with physical
+	access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port.
+	More information: http://en.wikipedia.org/wiki/DMA_attack
+
+	This option blacklists FireWire drivers, but doesn't remove them. You can manually
+	load the drivers if you need to use a FireWire device, but don't forget to unload them!
+      '';
+    };
+
+    boot.initrd.luks.cryptoModules = mkOption {
+      default = [ "aes" "aes_generic" "aes_x86_64" "aes_i586" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha256" 
+"sha1" 
+"sha2" 
+];
+      description = ''
+	A list of cryptographic kernel modules needed to decrypt the root device(s).
+	The default includes all common modules.
+      '';
+    };
+
     boot.initrd.luks.devices = mkOption {
       default = [ ];
       example = [ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ];
@@ -123,9 +146,12 @@ in
 
   config = mkIf (luks.devices != []) {
 
+    # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
+    boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
+      ["firewire_ohci" "firewire_core" "firewire_sbp2"];
+
     # Some modules that may be needed for mounting anything ciphered
-    boot.initrd.kernelModules = [ "aes_generic" "aes_x86_64" "dm_mod" "dm_crypt"
-      "sha256_generic" "cbc" "cryptd" ];
+    boot.initrd.kernelModules = [ "dm_mod" "dm_crypt" "cryptd" ] ++ luks.cryptoModules; 
 
     # copy the cryptsetup binary and it's dependencies
     boot.initrd.extraUtilsCommands = ''

modules/virtualisation/qemu-vm.nix

@@ -166,6 +166,7 @@ let
       ${pkgs.vmTools.startSamba}
 
       # Start QEMU.
+      # "-boot menu=on" is there, because I don't know how to make qemu boot from 2nd hd.
       exec ${pkgs.qemu_kvm}/bin/qemu-kvm \
           -name ${vmName} \
           -m ${toString config.virtualisation.memorySize} \
@@ -174,8 +175,9 @@ let
           -chardev socket,id=samba,path=./samba \
           -net user,vlan=0,guestfwd=tcp:10.0.2.4:445-chardev:samba''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} \
           ${if cfg.useBootLoader then ''
-            -drive index=0,file=$NIX_DISK_IMAGE,if=virtio,cache=writeback,werror=report \
-            -drive index=1,file=${bootDisk}/disk.img,if=virtio,boot=on,readonly \
+            -drive index=0,id=drive1,file=$NIX_DISK_IMAGE,if=virtio,cache=writeback,werror=report \
+            -drive index=1,id=drive2,file=${bootDisk}/disk.img,if=virtio,readonly \
+            -boot menu=on
           '' else ''
             -drive file=$NIX_DISK_IMAGE,if=virtio,cache=writeback,werror=report \
             -kernel ${config.system.build.toplevel}/kernel \

modules/virtualisation/virtualbox-guest.nix

@@ -38,6 +38,8 @@ if (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) then
 
     boot.extraModulePackages = [ kernel.virtualboxGuestAdditions ];
 
+    users.extraGroups = singleton { name = "vboxsf"; };
+
     jobs.virtualbox =
       { description = "VirtualBox service";