From 14483c0bf9326fda1c592da53b3df43081d3f159 Mon Sep 17 00:00:00 2001 From: Florian Friesdorf Date: Fri, 14 Dec 2012 18:24:41 +0100 Subject: [PATCH 01/23] update nixos channel path --- doc/manual/installation.xml | 2 +- maintainers/scripts/ec2/create-ebs-amis.py | 2 +- modules/installer/cd-dvd/system-tarball-pc-readme.txt | 2 +- modules/programs/bash/profile.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml index 0a69ce0ecba8..6f19cc1a0b89 100644 --- a/doc/manual/installation.xml +++ b/doc/manual/installation.xml @@ -326,7 +326,7 @@ packages. some reason this is not the case, just do -$ nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable +$ nix-channel --add http://nixos.org/channels/nixos-unstable You can then upgrade NixOS to the latest version in the channel by diff --git a/maintainers/scripts/ec2/create-ebs-amis.py b/maintainers/scripts/ec2/create-ebs-amis.py index 939bd30942dc..4dfaa9f3b129 100755 --- a/maintainers/scripts/ec2/create-ebs-amis.py +++ b/maintainers/scripts/ec2/create-ebs-amis.py @@ -52,7 +52,7 @@ m.run_command("mkdir -p /mnt") m.run_command("mount {0} /mnt".format(device)) m.run_command("touch /mnt/.ebs") m.run_command("mkdir -p /mnt/etc/nixos") -m.run_command("nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable") +m.run_command("nix-channel --add http://nixos.org/channels/nixos-unstable") m.run_command("nix-channel --update") m.run_command("nixos-rebuild switch") version = m.run_command("nixos-version", capture_stdout=True).replace('"', '').rstrip() diff --git a/modules/installer/cd-dvd/system-tarball-pc-readme.txt b/modules/installer/cd-dvd/system-tarball-pc-readme.txt index c4a0a111cd3a..8f0a8d355c6e 100644 --- a/modules/installer/cd-dvd/system-tarball-pc-readme.txt +++ b/modules/installer/cd-dvd/system-tarball-pc-readme.txt 
@@ -80,7 +80,7 @@ had booted this nixos. Run: * `grep local-cmds run/current-system/init` Then you can proceed normally subscribing to a nixos channel: - nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable + nix-channel --add http://nixos.org/channels/nixos-unstable nix-channel --update Testing: diff --git a/modules/programs/bash/profile.sh b/modules/programs/bash/profile.sh index 1eef2a9e84a8..5393a88d5ffe 100644 --- a/modules/programs/bash/profile.sh +++ b/modules/programs/bash/profile.sh @@ -87,7 +87,7 @@ fi # Subscribe the root user to the NixOS channel by default. if [ "$USER" = root -a ! -e $HOME/.nix-channels ]; then - echo "http://nixos.org/releases/nixos/channels/nixos-unstable nixos" > $HOME/.nix-channels + echo "http://nixos.org/channels/nixos-unstable nixos" > $HOME/.nix-channels fi # Create the per-user garbage collector roots directory. From 1ae44e42ed9aaa9e8b11b410855b0f87d9ca4d4b Mon Sep 17 00:00:00 2001 From: Alexander Inyukhin Date: Sat, 15 Dec 2012 22:05:32 +0400 Subject: [PATCH 02/23] Use zoneinfo from tzdata This fixes #50 --- modules/config/timezone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/config/timezone.nix b/modules/config/timezone.nix index 38c698bc21c0..e891af344cc9 100644 --- a/modules/config/timezone.nix +++ b/modules/config/timezone.nix @@ -27,7 +27,7 @@ with pkgs.lib; environment.shellInit = '' export TZ=${config.time.timeZone} - export TZDIR=${pkgs.glibc}/share/zoneinfo + export TZDIR=${pkgs.tzdata}/share/zoneinfo ''; environment.etc = singleton From cba4d20280d286cdcd8d07bb9b721978d2c6f883 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 16 Dec 2012 16:03:38 +0100 Subject: [PATCH 03/23] Setting the system utillinux to be utillinuxCurses. The live-dvd was set that way already. I think some utillinux pieces may be nicer, or have more tools. I don't know the details though. --- modules/config/system-path.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/config/system-path.nix b/modules/config/system-path.nix index 38e5f076bcfd..85b16d50406e 100644 --- a/modules/config/system-path.nix +++ b/modules/config/system-path.nix @@ -55,7 +55,7 @@ let pkgs.time pkgs.udev pkgs.usbutils - pkgs.utillinux + pkgs.utillinuxCurses extraManpages ]; From dacd7d5a580dea6f865bea6855eac7c83244c71b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 16 Dec 2012 16:05:50 +0100 Subject: [PATCH 04/23] Setting iso_new_kernel to use linux 3.7. It was using 3.2, the same kernel as the other isos. --- modules/installer/cd-dvd/installation-cd-new-kernel.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/installer/cd-dvd/installation-cd-new-kernel.nix b/modules/installer/cd-dvd/installation-cd-new-kernel.nix index c7ea5ddfb01b..2c79b68d0a43 100644 --- a/modules/installer/cd-dvd/installation-cd-new-kernel.nix +++ b/modules/installer/cd-dvd/installation-cd-new-kernel.nix @@ -3,6 +3,6 @@ { require = [ ./installation-cd-graphical.nix ]; - boot.kernelPackages = pkgs.linuxPackages_3_2; + boot.kernelPackages = pkgs.linuxPackages_3_7; boot.vesa = false; } From 3e734ba695062f0f2bdbbd209c95c56d02e143ab Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 16 Dec 2012 18:07:13 +0100 Subject: [PATCH 05/23] Qemu says 'boot=on' is deprecated, so I try a half-fix here I change the 'build-vm' to use '-boot menu=on', so a menu displays and allows choosing the 2nd hd. Otherwise, I don't know how to boot from a 2nd hd. --- modules/virtualisation/qemu-vm.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/virtualisation/qemu-vm.nix b/modules/virtualisation/qemu-vm.nix index f71e0ba51126..c30086487a74 100644 --- a/modules/virtualisation/qemu-vm.nix +++ b/modules/virtualisation/qemu-vm.nix @@ -166,6 +166,7 @@ let ${pkgs.vmTools.startSamba} # Start QEMU. + # "-boot menu=on" is there, because I don't know how to make qemu boot from 2nd hd. exec ${pkgs.qemu_kvm}/bin/qemu-kvm \ -name ${vmName} \ -m ${toString config.virtualisation.memorySize} \ @@ -174,8 +175,9 @@ let -chardev socket,id=samba,path=./samba \ -net user,vlan=0,guestfwd=tcp:10.0.2.4:445-chardev:samba''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} \ ${if cfg.useBootLoader then '' - -drive index=0,file=$NIX_DISK_IMAGE,if=virtio,cache=writeback,werror=report \ - -drive index=1,file=${bootDisk}/disk.img,if=virtio,boot=on,readonly \ + -drive index=0,id=drive1,file=$NIX_DISK_IMAGE,if=virtio,cache=writeback,werror=report \ + -drive index=1,id=drive2,file=${bootDisk}/disk.img,if=virtio,readonly \ + -boot menu=on '' else '' -drive file=$NIX_DISK_IMAGE,if=virtio,cache=writeback,werror=report \ -kernel ${config.system.build.toplevel}/kernel \ From 358239348aea0f076069fcd60e94aa0610fe777f Mon Sep 17 00:00:00 2001 
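Review bot: The added `-boot menu=on` only offers an interactive boot menu; if QEMU's default order still starts from index 0 (the mutable `$NIX_DISK_IMAGE`), an unattended build-vm run may no longer reach the boot disk at index 1 unless someone presses the menu key — worth confirming and stating in the comment. The comment introduced in the previous hunk of this file (`# "-boot menu=on" is there, because I don't know how to make qemu boot from 2nd hd.`) should describe the constraint rather than the author's uncertainty, e.g. `# per-drive boot=on is deprecated in QEMU; "-boot menu=on" lets the boot disk (index 1) be chosen interactively.` Both hunks are inside a shell script embedded in a Nix string whose start and end lie outside the hunk.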
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sun, 16 Dec 2012 21:41:47 +0100 Subject: [PATCH 06/23] making memtest grub entries work again I'm not any good at perl, and I only came up with this after many slow attempts. Any review welcome. But until this, memtest was broken, and extraPrepareConfig as well, in grub. --- modules/system/boot/loader/grub/grub.nix | 3 ++- modules/system/boot/loader/grub/install-grub.pl | 7 +++++++ modules/system/boot/loader/grub/memtest.nix | 6 +++--- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/modules/system/boot/loader/grub/grub.nix b/modules/system/boot/loader/grub/grub.nix index 0a9b374cc60c..70865c3c9338 100644 --- a/modules/system/boot/loader/grub/grub.nix +++ b/modules/system/boot/loader/grub/grub.nix @@ -13,10 +13,11 @@ let grubConfig = pkgs.writeText "grub-config.xml" (builtins.toXML { splashImage = f config.boot.loader.grub.splashImage; grub = f grub; + shell = "${pkgs.stdenv.shell}"; fullVersion = (builtins.parseDrvName config.system.build.grub.name).version; inherit (config.boot.loader.grub) version extraConfig extraPerEntryConfig extraEntries - extraEntriesBeforeNixOS configurationLimit copyKernels timeout + extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout default devices; }); diff --git a/modules/system/boot/loader/grub/install-grub.pl b/modules/system/boot/loader/grub/install-grub.pl index 5e9f3b4efdad..0140a711d727 100644 --- a/modules/system/boot/loader/grub/install-grub.pl +++ b/modules/system/boot/loader/grub/install-grub.pl @@ -30,6 +30,7 @@ sub writeFile { my $grub = get("grub"); my $grubVersion = int(get("version")); my $extraConfig = get("extraConfig"); +my $extraPrepareConfig = get("extraPrepareConfig"); my $extraPerEntryConfig = get("extraPerEntryConfig"); my $extraEntries = get("extraEntries"); my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true"; 
@@ -188,6 +189,8 @@ addEntry("NixOS - Default", $defaultConfig); $conf .= "$extraEntries\n" unless $extraEntriesBeforeNixOS; +# extraEntries could refer to @bootRoot@, which we have to substitute +$conf =~ s/\@bootRoot\@/$bootRoot/g; # Add entries for all previous generations of the system profile. $conf .= "submenu \"NixOS - Old configurations\" {\n" if $grubVersion == 2; @@ -211,6 +214,10 @@ foreach my $link (@links) { $conf .= "}\n" if $grubVersion == 2; +# Run extraPrepareConfig in sh +if ($extraPrepareConfig ne "") { + system((get("shell"), "-c", $extraPrepareConfig)); +} # Atomically update the GRUB config. my $confFile = $grubVersion == 1 ? "/boot/grub/menu.lst" : "/boot/grub/grub.cfg"; diff --git a/modules/system/boot/loader/grub/memtest.nix b/modules/system/boot/loader/grub/memtest.nix index 08eb8a1f41cb..4bd4b69101c9 100644 --- a/modules/system/boot/loader/grub/memtest.nix +++ b/modules/system/boot/loader/grub/memtest.nix @@ -22,17 +22,17 @@ in extraEntries = if config.boot.loader.grub.version == 2 then '' menuentry "${memtest86.name}" { - linux16 $bootRoot/memtest.bin + linux16 @bootRoot@/memtest.bin } '' else '' menuentry "${memtest86.name}" - linux16 $bootRoot/memtest.bin + linux16 @bootRoot@/memtest.bin ''; extraPrepareConfig = '' - cp ${memtest86}/memtest.bin /boot/memtest.bin; + ${pkgs.coreutils}/bin/cp ${memtest86}/memtest.bin /boot/memtest.bin; ''; }; } From ceedc50009874323fbea4c22be249d1f76490d71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?= Date: Sat, 22 Dec 2012 18:45:53 +0100 Subject: [PATCH 07/23] Fixing the fuloong2f system tarball --- modules/installer/cd-dvd/system-tarball-fuloong2f.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/installer/cd-dvd/system-tarball-fuloong2f.nix b/modules/installer/cd-dvd/system-tarball-fuloong2f.nix index e988647cf139..6ddaab0206b9 100644 --- a/modules/installer/cd-dvd/system-tarball-fuloong2f.nix 
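Review bot: The exit status of the `system(...)` call that runs extraPrepareConfig is discarded, so a failing prepare step (for instance the memtest.bin copy added in memtest.nix in this same patch) still lets the script continue to the "Atomically update the GRUB config" step and install a grub.cfg whose entries reference files that were never created. Since this runs as root during activation, the failure should abort before the config is replaced: `system((get("shell"), "-c", $extraPrepareConfig)) == 0 or die "extraPrepareConfig failed with status $?\n";`. The comment `# Run extraPrepareConfig in sh` could also say that the commands run as root and must succeed before the config is written.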
+++ b/modules/installer/cd-dvd/system-tarball-fuloong2f.nix @@ -46,9 +46,8 @@ in { require = - [ options + [ ./system-tarball.nix - ../../hardware/network/rt73.nix ]; @@ -106,8 +105,8 @@ in boot.initrd.availableKernelModules = [ "vfat" "reiserfs" ]; - boot.kernelPackages = pkgs.linuxPackages_2_6_35; - boot.kernelParams = [ "console=tty" ]; + boot.kernelPackages = pkgs.linuxPackages_3_6; + boot.kernelParams = [ "console=tty1" ]; boot.postBootCommands = '' From 6961f5048d69f0d512a6e61221791f10e33f3fcf Mon Sep 17 00:00:00 2001 From: Tim Dysinger Date: Mon, 31 Dec 2012 11:00:02 -1000 Subject: [PATCH 08/23] add vboxsf group (for automatic mounting of shared folders) --- modules/virtualisation/virtualbox-guest.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/virtualisation/virtualbox-guest.nix b/modules/virtualisation/virtualbox-guest.nix index 8e09d79e3a48..a204f56b2eed 100644 --- a/modules/virtualisation/virtualbox-guest.nix +++ b/modules/virtualisation/virtualbox-guest.nix @@ -38,6 +38,8 @@ if (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) then boot.extraModulePackages = [ kernel.virtualboxGuestAdditions ]; + users.extraGroups = singleton { name = "vboxsf"; }; + jobs.virtualbox = { description = "VirtualBox service"; From a3ee9aac982172966d8dae67ce9d248f0b5f2bf2 Mon Sep 17 00:00:00 2001 From: Mathijs Kwik Date: Fri, 28 Dec 2012 11:21:39 +0100 Subject: [PATCH 09/23] efi-boot-stub: enable hook for running (fixup) commands after efibootmgr run --- .../loader/efi-boot-stub/efi-boot-stub-builder.sh | 7 +++++++ .../boot/loader/efi-boot-stub/efi-boot-stub.nix | 13 ++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/modules/system/boot/loader/efi-boot-stub/efi-boot-stub-builder.sh b/modules/system/boot/loader/efi-boot-stub/efi-boot-stub-builder.sh index 3c55363a44d3..2f550c98428b 100644 --- a/modules/system/boot/loader/efi-boot-stub/efi-boot-stub-builder.sh +++ b/modules/system/boot/loader/efi-boot-stub/efi-boot-stub-builder.sh 
@@ -122,3 +122,10 @@ for fn in "@efiSysMountPoint@/efi/nixos/"*; do rm -vf -- "$fn" fi done + +# Run any extra commands users may need +if test -n "@runEfibootmgr@"; then + set +e + @postEfiBootMgrCommands@ + set -e +fi diff --git a/modules/system/boot/loader/efi-boot-stub/efi-boot-stub.nix b/modules/system/boot/loader/efi-boot-stub/efi-boot-stub.nix index 2b35aadc623d..618c8d7737af 100644 --- a/modules/system/boot/loader/efi-boot-stub/efi-boot-stub.nix +++ b/modules/system/boot/loader/efi-boot-stub/efi-boot-stub.nix @@ -8,7 +8,7 @@ let isExecutable = true; inherit (pkgs) bash; path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.glibc] ++ (pkgs.stdenv.lib.optionals config.boot.loader.efiBootStub.runEfibootmgr [pkgs.efibootmgr pkgs.module_init_tools]); - inherit (config.boot.loader.efiBootStub) efiSysMountPoint runEfibootmgr installStartupNsh efiDisk efiPartition; + inherit (config.boot.loader.efiBootStub) efiSysMountPoint runEfibootmgr installStartupNsh efiDisk efiPartition postEfiBootMgrCommands; efiShell = if config.boot.loader.efiBootStub.installShell then if pkgs.stdenv.isi686 then @@ -103,6 +103,17 @@ in ''; }; + postEfiBootMgrCommands = mkOption { + default = ""; + type = types.string; + description = '' + Shell commands to be executed immediately after efibootmgr has setup the system EFI. + Some systems do not follow the EFI specifications properly and insert extra entries. + Others will brick (fix by removing battery) on boot when it finds more than X entries. + This hook allows for running a few extra efibootmgr commands to combat these issues. + ''; + }; + }; }; }; From 4e64755b9dc49a608c964c8fef31d407d52bd3b3 Mon Sep 17 00:00:00 2001 
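Review bot: The `set +e` / `set -e` bracket around `@postEfiBootMgrCommands@` discards the outcome of the hook entirely, so a fixup that fails (the commit message says these commands exist to remove boot entries that can leave some firmware unbootable) leaves no trace in the installer output. The hook also runs whenever `@runEfibootmgr@` is set even if the option is empty, which is harmless but worth a word in the comment. Consider capturing the status of the hook and warning on failure; note that `$?` only reflects the last command of a multi-line hook, so the comment should say so.
```sh
# Run any extra commands users may need (status of the last command is reported)
if test -n "@runEfibootmgr@"; then
  set +e
  @postEfiBootMgrCommands@
  status=$?
  set -e
  if test "$status" -ne 0; then
    echo "warning: postEfiBootMgrCommands exited with status $status" >&2
  fi
fi
```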
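Review bot: The description of `postEfiBootMgrCommands` does not say under what conditions the commands run: they are substituted verbatim into the builder script, executed (presumably as root, since the builder writes the EFI system partition) right after efibootmgr, only when `runEfibootmgr` is enabled, and their failures are not checked because the builder wraps them in `set +e`. Add a sentence such as `These commands are run by the boot loader installer only when runEfibootmgr is enabled; their exit status is ignored.` Also `has setup the system EFI` should read `has set up the system EFI`.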
From: Jan Malakhovski Date: Sat, 5 Jan 2013 19:38:23 +0000 Subject: [PATCH 10/23] wacom: add USB tablet support To be honest, it's more like "be less discriminating against USB tablets". USB tablets usually get autodetected, device name is not necessary and defaulting to a serial touchscreen is a clear discrimination. Unconditionally remapping buttons is generally not a good idea either. Old defaults transformed into examples. --- modules/services/x11/hardware/wacom.nix | 54 +++++++++++++++++++------ 1 file changed, 42 insertions(+), 12 deletions(-) diff --git a/modules/services/x11/hardware/wacom.nix b/modules/services/x11/hardware/wacom.nix index 98717ce5a5bb..1ea928d9c76e 100644 --- a/modules/services/x11/hardware/wacom.nix +++ b/modules/services/x11/hardware/wacom.nix 
@@ -16,18 +16,41 @@ in enable = mkOption { default = false; - description = "Whether to enable the Wacom touchscreen/digitizer."; + description = "Whether to enable the Wacom touchscreen/digitizer/tablet."; }; device = mkOption { - default = "/dev/ttyS0"; - description = "Device to use."; + default = null; + example = "/dev/ttyS0"; + description = "Device to use. Set to null for autodetect (think USB tablet)."; }; forceDeviceType = mkOption { - default = "ISDV4"; - example = null; - description = "Some models (think touchscreen) require the device type to be specified."; + default = null; + example = "ISDV4"; + description = "Some models (think touchscreen) require the device type to be specified. Set to null for autodetect (think USB tablet)."; + }; + + stylusExtraConfig = mkOption { + default = ""; + example = '' + Option "Button1" "2" + ''; + description = "Lines to be added to Wacom_stylus InputDevice section."; + }; + + eraserExtraConfig = mkOption { + default = ""; + example = '' + Option "Button2" "3" + ''; + description = "Lines to be added to Wacom_eraser InputDevice section."; + }; + + cursorExtraConfig = mkOption { + default = ""; + example = ""; + description = "Lines to be added to Wacom_cursor InputDevice section."; }; }; @@ -44,8 +67,8 @@ in services.xserver.serverLayoutSection = '' InputDevice "Wacom_stylus" - InputDevice "Wacom_cursor" InputDevice "Wacom_eraser" + InputDevice "Wacom_cursor" ''; services.xserver.config = 
@@ -53,33 +76,40 @@ in Section "InputDevice" Driver "wacom" Identifier "Wacom_stylus" - Option "Device" "${cfg.device}" + ${optionalString (cfg.device != null) '' + Option "Device" "${cfg.device}" + ''} Option "Type" "stylus" ${optionalString (cfg.forceDeviceType != null) '' Option "ForceDevice" "${cfg.forceDeviceType}" ''} - Option "Button2" "3" + ${cfg.stylusExtraConfig} EndSection Section "InputDevice" Driver "wacom" Identifier "Wacom_eraser" - Option "Device" "${cfg.device}" + ${optionalString (cfg.device != null) '' + Option "Device" "${cfg.device}" + ''} Option "Type" "eraser" ${optionalString (cfg.forceDeviceType != null) '' Option "ForceDevice" "${cfg.forceDeviceType}" ''} - Option "Button1" "2" + ${cfg.eraserExtraConfig} EndSection Section "InputDevice" Driver "wacom" Identifier "Wacom_cursor" - Option "Device" "${cfg.device}" + ${optionalString (cfg.device != null) '' + Option "Device" "${cfg.device}" + ''} Option "Type" "cursor" ${optionalString (cfg.forceDeviceType != null) '' Option "ForceDevice" "${cfg.forceDeviceType}" ''} + ${cfg.cursorExtraConfig} EndSection ''; From 462a9f9fb05e2cb15103127c81d8266b7efb1a18 Mon Sep 17 00:00:00 2001 From: Alexander Inyukhin Date: Sat, 15 Dec 2012 15:31:32 +0400 Subject: [PATCH 11/23] Remove .conf extension from acpid config files This should fix #51 --- modules/services/hardware/acpid.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/services/hardware/acpid.nix b/modules/services/hardware/acpid.nix index 303db3816b5a..26c600092db3 100644 --- a/modules/services/hardware/acpid.nix +++ b/modules/services/hardware/acpid.nix 
@@ -8,11 +8,11 @@ let '' ensureDir $out ${ - # Generate a .conf file for each event. (You can't have + # Generate a configuration file for each event. (You can't have # multiple events in one config file...) let f = event: '' - fn=$out/${event.name}.conf + fn=$out/${event.name} echo "event=${event.event}" > $fn echo "action=${pkgs.writeScript "${event.name}.sh" event.action}" >> $fn ''; From e4d949ec8801af8662c206d08d95ff41ba640d08 Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 9 Jan 2013 22:19:58 +0100 Subject: [PATCH 12/23] xserver: Allow to add extra options to xorg config. This is especially useful if you want to supply a default XRandR configuration, where you need multiple "Monitor" sections in order to set properties for specific CRTCs (if not running in zaphod mode). Signed-off-by: aszlig --- modules/services/x11/xserver.nix | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/modules/services/x11/xserver.nix b/modules/services/x11/xserver.nix index 421f80c42bbb..bfdeef81f206 100644 --- a/modules/services/x11/xserver.nix +++ b/modules/services/x11/xserver.nix @@ -281,6 +281,25 @@ in description = "Lines to be added to every Display subsection of the Screen section."; }; + extraXorgOptions = mkOption { + default = ""; + example = '' + Section "Monitor" + Identifier "left monitor" + EndSection + + Section "Monitor" + Identifier "right monitor" + Option "RightOf" "left monitor" + EndSection + ''; + type = types.string; + description = '' + Additional options you want to append to your X server configuration + file. + ''; + }; + defaultDepth = mkOption { default = 0; example = 8; @@ -552,6 +571,8 @@ in EndSection '')} + + ${cfg.extraXorgOptions} ''; }); From 0129717b17e982d714ea93edc9d35898a27275ad Mon Sep 17 00:00:00 2001 
From: aszlig Date: Thu, 10 Jan 2013 00:31:08 +0100 Subject: [PATCH 13/23] xserver: Allow to set XRandR multi head layout. This is currently only a very simple implementation which just recurses a list of heads that get chained together to the right of the corresponding previous item of the list. If I forgot about something in the already existing configuration options, please let me know or if this commit is useless or a duplicate, feel free to revert. But by looking at implementation before this commit, I only see zaphod and/or quirky xinerama-like configuration options. Signed-off-by: aszlig --- modules/services/x11/xserver.nix | 47 ++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/modules/services/x11/xserver.nix b/modules/services/x11/xserver.nix index bfdeef81f206..d78a8787e79c 100644 --- a/modules/services/x11/xserver.nix +++ b/modules/services/x11/xserver.nix @@ -43,6 +43,36 @@ let pkgs.xorg.fontadobe75dpi ]; + # Just enumerate all heads without discarding XRandR output information. + xrandrHeads = let + mkHead = num: output: { + name = "multihead${toString num}"; + inherit output; + }; + in imap mkHead cfg.xrandrHeads; + + xrandrDeviceSection = flip concatMapStrings xrandrHeads (h: '' + Option "monitor-${h.output}" "${h.name}" + ''); + + # Here we chain every monitor from the left to right, so we have: + # m4 right of m3 right of m2 right of m1 .----.----.----.----. + # Which will end up in reverse ----------> | m1 | m2 | m3 | m4 | + # `----^----^----^----' + xrandrMonitorSections = let + mkMonitor = previous: current: previous ++ singleton { + inherit (current) name; + value = '' + Section "Monitor" + Identifier "${current.name}" + ${optionalString (previous != []) '' + Option "RightOf" "${(head previous).name}" + ''} + EndSection + ''; + }; + monitors = foldl mkMonitor [] xrandrHeads; + in concatMapStrings (getAttr "value") monitors; configFile = pkgs.stdenv.mkDerivation { name = "xserver.conf"; 
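Review bot: `mkMonitor` appends the new head with `previous ++ singleton { ... }` but reads `(head previous).name` for the `RightOf` option, which is always the first (leftmost) head, so with three or more outputs every monitor after the first is placed right of monitor 1 instead of its predecessor. The comment above it ("Which will end up in reverse") describes a prepend, which is not what the code does. The smallest fix keeps the list order and picks the last accumulated entry: `Option "RightOf" "${(last previous).name}"` (assuming `last` is available from the same lib scope that already provides `head`, `foldl` and `imap`), after which the "in reverse" remark in the comment should be dropped.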
@@ -256,6 +286,21 @@ in description = "Contents of the first Monitor section of the X server configuration file."; }; + xrandrHeads = mkOption { + default = []; + example = [ "HDMI-0" "DVI-0" ]; + type = with types; listOf string; + description = '' + Simple multiple monitor configuration, just specify a list of XRandR + outputs which will be mapped from left to right in the order of the + list. + + Be careful using this option with multiple graphic adapters or with + drivers that have poor support for XRandR, unexpected things might + happen with those. + ''; + }; + moduleSection = mkOption { default = ""; example = @@ -530,6 +575,7 @@ in Identifier "Device-${driver.name}[0]" Driver "${driver.driverName}" ${cfg.deviceSection} + ${xrandrDeviceSection} EndSection Section "Screen" @@ -572,6 +618,7 @@ in EndSection '')} + ${xrandrMonitorSections} ${cfg.extraXorgOptions} ''; From 80a381f521bae87aea47d7657d368167b0b42e91 Mon Sep 17 00:00:00 2001 From: aszlig Date: Thu, 10 Jan 2013 01:41:22 +0100 Subject: [PATCH 14/23] Revert "xserver: Allow to add extra options ... This reverts commit 1e741f1572b6793b861e2f9820015475ce339ae0 as it is unnecessary according to @edolstra, because services.xserver.config from another module will be merged into the configuration. Signed-off-by: aszlig --- modules/services/x11/xserver.nix | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/modules/services/x11/xserver.nix b/modules/services/x11/xserver.nix index d78a8787e79c..c1b14940f02a 100644 --- a/modules/services/x11/xserver.nix +++ b/modules/services/x11/xserver.nix 
@@ -326,25 +326,6 @@ in description = "Lines to be added to every Display subsection of the Screen section."; }; - extraXorgOptions = mkOption { - default = ""; - example = '' - Section "Monitor" - Identifier "left monitor" - EndSection - - Section "Monitor" - Identifier "right monitor" - Option "RightOf" "left monitor" - EndSection - ''; - type = types.string; - description = '' - Additional options you want to append to your X server configuration - file. - ''; - }; - defaultDepth = mkOption { default = 0; example = 8; @@ -619,7 +600,6 @@ in '')} ${xrandrMonitorSections} - ${cfg.extraXorgOptions} ''; }); From 8c710b4f2329448b648274cf84a61318de270bb9 Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Sun, 13 Jan 2013 11:04:26 +0200 Subject: [PATCH 15/23] LuksRoot: mitigate DMA key recovery attacks by default. --- modules/system/boot/luksroot.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix index 27c9c85eab3d..4620a34cbcb8 100644 --- a/modules/system/boot/luksroot.nix +++ b/modules/system/boot/luksroot.nix @@ -49,6 +49,18 @@ in description = "Obsolete."; }; + boot.initrd.luks.mitigateDMAAttacks = mkOption { + default = true; + description = '' + Unless enabled, encryption keys can be easily recovered by an attacker with physical + access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. + More information: http://en.wikipedia.org/wiki/DMA_attack + + This option blacklists FireWire drivers, but doesn't remove them. You can manually + load the drivers if you need to use a FireWire device, but don't forget to unload them! + ''; + }; + boot.initrd.luks.devices = mkOption { default = [ ]; example = [ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]; 
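Review bot: The option description promises protection against DMA over PCMCIA, ExpressCard, ThunderBolt and FireWire, but the implementation in the later hunk of this patch only blacklists `firewire_ohci`, `firewire_core` and `firewire_sbp2`, and a module blacklist does nothing for the other interfaces. The text should be scoped to what the code does, e.g. `This option blacklists the FireWire (IEEE 1394) drivers, which otherwise grant DMA to devices plugged into a FireWire port; it does not address DMA over PCMCIA, ExpressCard or Thunderbolt.` The implementation comment `# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested` reads as an open question and would be better phrased as a TODO naming the specific claim to verify. Note too that the option lives under `boot.initrd.luks` but sets `boot.blacklistedKernelModules` of the booted system rather than anything in the initrd, so it does not appear to cover the stage-1 environment where the passphrase is entered — worth confirming and documenting.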
@@ -123,6 +135,10 @@ in config = mkIf (luks.devices != []) { + # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested + boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks + ["firewire_ohci" "firewire_core" "firewire_sbp2"]; + # Some modules that may be needed for mounting anything ciphered boot.initrd.kernelModules = [ "aes_generic" "aes_x86_64" "dm_mod" "dm_crypt" "sha256_generic" "cbc" "cryptd" ]; From 0f11519d450ac27fb3e32cc720f45b4894994f7c Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Sun, 13 Jan 2013 12:44:16 +0200 Subject: [PATCH 16/23] LuksRoot: add more modules to load by default and let users add more or override the list. Added every module mentioned by most popular guides, benchmarks and discussions to make things just work. --- modules/system/boot/luksroot.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix index 4620a34cbcb8..a076a1be6dcb 100644 --- a/modules/system/boot/luksroot.nix +++ b/modules/system/boot/luksroot.nix @@ -61,6 +61,14 @@ in ''; }; + boot.initrd.luks.cryptoModules = mkOption { + default = [ "aes_generic" "aes_x86_64" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha256" "sha1" "sha2" ]; + description = '' + A list of cryptographic kernel modules needed to decrypt the root device(s). + The default includes all common modules. + ''; + }; + boot.initrd.luks.devices = mkOption { default = [ ]; example = [ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]; 
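Review bot: The default list for `boot.initrd.luks.cryptoModules` contains `"sha2"`, which does not appear to be the name of any Linux crypto module (the kernel ships `sha256_generic`/`sha512_generic`, with `sha256`/`sha512` as aliases), and `"sha256"` replaces the `sha256_generic` that the old list loaded by file name; whether the initrd's module loader resolves aliases or fails on an unknown name should be checked before this becomes the default. The description says `The default includes all common modules.`; it would help to add that the list is appended to `dm_mod`, `dm_crypt` and `cryptd` (see the next hunk) rather than replacing them, so overriding it cannot drop the device-mapper modules.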
@@ -140,8 +148,7 @@ in ["firewire_ohci" "firewire_core" "firewire_sbp2"]; # Some modules that may be needed for mounting anything ciphered - boot.initrd.kernelModules = [ "aes_generic" "aes_x86_64" "dm_mod" "dm_crypt" - "sha256_generic" "cbc" "cryptd" ]; + boot.initrd.kernelModules = [ "dm_mod" "dm_crypt" "cryptd" ] ++ luks.cryptoModules; # copy the cryptsetup binary and it's dependencies boot.initrd.extraUtilsCommands = '' From 6ecf2c3a2897eb3e170657a0a2b74d7f946aa846 Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Mon, 14 Jan 2013 05:12:20 +0200 Subject: [PATCH 17/23] LuksRoot: use generic aes module which loads platform-optimized modules automagically. --- modules/system/boot/luksroot.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix index a076a1be6dcb..86523c56c6f5 100644 --- a/modules/system/boot/luksroot.nix +++ b/modules/system/boot/luksroot.nix @@ -62,7 +62,7 @@ in }; boot.initrd.luks.cryptoModules = mkOption { - default = [ "aes_generic" "aes_x86_64" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha256" "sha1" "sha2" ]; + default = [ "aes" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha256" "sha1" "sha2" ]; description = '' A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules. From 4e2f9c867982c4808938aa4d8e4211a7cd019ecd Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Mon, 14 Jan 2013 06:38:11 +0200 Subject: [PATCH 18/23] TOR: replace deprecated option --- modules/services/security/tor.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/security/tor.nix b/modules/services/security/tor.nix index 6df4590b85bb..41e2b4c356ed 100644 --- a/modules/services/security/tor.nix +++ b/modules/services/security/tor.nix 
@@ -259,7 +259,7 @@ in User ${torUser} '' + optionalString cfg.client.enable '' - SocksListenAddress ${cfg.client.socksListenAddress} + SOCKSPort ${cfg.client.socksListenAddress} ${opt "SocksPolicy" cfg.client.socksPolicy} '' + optionalString cfg.relay.enable '' From 7e82b41220ceb8067c157c779e1a40f0a6d69b99 Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Mon, 14 Jan 2013 06:46:46 +0200 Subject: [PATCH 19/23] LuksRoot: fix crypto module list. This one should finally work well. --- modules/system/boot/luksroot.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix index 86523c56c6f5..a514b08a6a8d 100644 --- a/modules/system/boot/luksroot.nix +++ b/modules/system/boot/luksroot.nix @@ -62,7 +62,10 @@ in }; boot.initrd.luks.cryptoModules = mkOption { - default = [ "aes" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha256" "sha1" "sha2" ]; + default = [ "aes" "aes_generic" "aes_x86_64" "aes_i586" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha256" +"sha1" +"sha2" +]; description = '' A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules. From 0aad75fe7082dc46bba21f76fcf640f370febb35 Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Mon, 14 Jan 2013 07:37:13 +0200 Subject: [PATCH 20/23] Tor: improve circuit isolation. By default apps are isolated better, with extra port available for web browsers to keep performance as it used to be before this commit. --- modules/services/security/tor.nix | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/services/security/tor.nix b/modules/services/security/tor.nix index 41e2b4c356ed..bad6be54e891 100644 --- a/modules/services/security/tor.nix +++ b/modules/services/security/tor.nix 
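Review bot: The new default unconditionally lists both `aes_x86_64` and `aes_i586`, so on either architecture at least one of them cannot exist and the initrd module loading will have to tolerate a failed load; if `pkgs` is in scope in this module, the arch-specific entries should be selected with `optional pkgs.stdenv.isx86_64 "aes_x86_64"` and `optional pkgs.stdenv.isi686 "aes_i586"` (or left to `aes` to pull in, as the previous commit intended). The list is also broken across three lines at column 0 (`"sha1"`, `"sha2"`, `]`), which looks like a paste artifact and should be reflowed to the indentation of the surrounding option. `"sha2"` still does not look like a kernel module name, as noted on the earlier commit.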
@@ -53,6 +53,14 @@ in ''; }; + socksListenAddressFaster = mkOption { + default = "127.0.0.1:9063"; + description = '' + Same as socksListenAddress but uses weaker circuit isolation to provide + performance suitable for a web browser. + ''; + }; + socksPolicy = mkOption { default = ""; example = "accept 192.168.0.0/16, reject *"; @@ -259,7 +267,8 @@ in User ${torUser} '' + optionalString cfg.client.enable '' - SOCKSPort ${cfg.client.socksListenAddress} + SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr + SOCKSPort ${cfg.client.socksListenAddressFaster} ${opt "SocksPolicy" cfg.client.socksPolicy} '' + optionalString cfg.relay.enable '' @@ -276,7 +285,7 @@ in # Generally, this file goes in /etc/privoxy/config # # Tor listens as a SOCKS4a proxy here: - forward-socks4a / ${cfg.client.socksListenAddress} . + forward-socks4a / ${cfg.client.socksListenAddressFaster} . confdir ${privoxy}/etc logdir ${privoxyDir} # actionsfile standard # Internal purpose, recommended From 9437db0d889c356e4b92230f63c1bc24bb35f35d Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Mon, 14 Jan 2013 09:07:35 +0200 Subject: [PATCH 21/23] Power management: add support for AMD CPUs --- modules/config/power-management.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/config/power-management.nix b/modules/config/power-management.nix index c8e1a62749b8..553105e83a83 100644 --- a/modules/config/power-management.nix +++ b/modules/config/power-management.nix @@ -87,7 +87,7 @@ in }; boot.kernelModules = - [ "acpi_cpufreq" "cpufreq_performance" "cpufreq_powersave" "cpufreq_ondemand" + [ "acpi_cpufreq" "powernow-k8" "cpufreq_performance" "cpufreq_powersave" "cpufreq_ondemand" "cpufreq_conservative" ]; From 123c73caf6390c4e6e7be29bddd7633895f8c9fc Mon Sep 17 00:00:00 2001 
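Review bot: The `socksListenAddressFaster` description says only "weaker circuit isolation" without saying what is given up: per the second hunk the primary port gets `IsolateDestAddr`, so each destination address gets its own circuit, while this port uses Tor's default flags and lets streams to different destinations share a circuit, so activity on it can be correlated across destinations. Spell that out so users deciding which port to bind an application to understand the trade-off, e.g. `Same as socksListenAddress, but without IsolateDestAddr: streams to different destinations may share one circuit, which is faster but lets them be correlated.`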
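Review bot: The third hunk switches the Privoxy forward to `${cfg.client.socksListenAddressFaster}`, so every Privoxy user silently loses the `IsolateDestAddr` protection the second hunk adds to the primary port; that matches the commit message's intent for browsers, but it changes behaviour for existing configurations and deserves a comment on the `forward-socks4a` line, e.g. `# uses the less isolated port; point at socksListenAddress for per-destination circuits`. In the second hunk both `SOCKSPort` lines are emitted whenever `cfg.client.enable` is set, so the less isolated port is always open alongside the primary one; the option descriptions should say the two ports are enabled together rather than as alternatives.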
From: Evgeny Egorochkin Date: Tue, 15 Jan 2013 07:34:53 +0200 Subject: [PATCH 22/23] Torify: restore as an alternative to TorSocks due to lack of compatibility with apps like Kopete. --- modules/module-list.nix | 1 + modules/services/security/torify.nix | 69 ++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 modules/services/security/torify.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index f2811fd2f5f6..f4622c84b8cb 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -164,6 +164,7 @@ ./services/security/fprot.nix ./services/security/frandom.nix ./services/security/tor.nix + ./services/security/torify.nix ./services/security/torsocks.nix ./services/system/cgroups.nix ./services/system/dbus.nix diff --git a/modules/services/security/torify.nix b/modules/services/security/torify.nix new file mode 100644 index 000000000000..b91d7d58505c --- /dev/null +++ b/modules/services/security/torify.nix 
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+with pkgs.lib;
+let
+
+ cfg = config.services.tor;
+
+ torify = pkgs.writeTextFile {
+ name = "torify";
+ text = ''
+ #!${pkgs.stdenv.shell}
+ TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.torify.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" $@
+ '';
+ executable = true;
+ destination = "/bin/torify";
+ };
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.tor.torify = {
+
+ enable = mkOption {
+ default = cfg.client.enable;
+ description = ''
+ Whether to build torify scipt to relay application traffic via TOR.
+ '';
+ };
+
+ server = mkOption {
+ default = "localhost:9050";
+ example = "192.168.0.20";
+ description = ''
+ IP address of TOR client to use.
+ '';
+ };
+
+ config = mkOption {
+ default = "";
+ description = ''
+ Extra configuration. Contents will be added verbatim to TSocks
+ configuration file.
+ '';
+ };
+
+ };
+
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.torify.enable {
+
+ environment.systemPackages = [ torify ]; # expose it to the users
+
+ services.tor.torify.config = ''
+ server = ${toString(head (splitString ":" cfg.torify.server))}
+ server_port = ${toString(tail (splitString ":" cfg.torify.server))}
+
+ local = 127.0.0.0/255.128.0.0
+ local = 127.128.0.0/255.192.0.0
+ '';
+ };
+
+}
\ No newline at end of file
From e201da376e510ed96b3b40ac091423a1ea5b5dd4 Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Tue, 15 Jan 2013 08:59:02 +0200 Subject: [PATCH 23/23] torsocks: make 2 wrappers to torify apps with more and less circuit isolation. --- modules/services/security/torsocks.nix | 45 +++++++++++++++++--------- 1 file changed, 29 insertions(+), 16 deletions(-)
diff --git a/modules/services/security/torsocks.nix b/modules/services/security/torsocks.nix
index e56bd012d046..8c2015e37c1e 100644
--- a/modules/services/security/torsocks.nix
+++ b/modules/services/security/torsocks.nix
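Review bot: `services.tor.torify.config` is declared as the user's "Extra configuration" option, yet the implementation block assigns that same option to the generated tsocks.conf text, so a user definition collides with the module's own instead of being appended to it; build the file in a `let` helper that ends with `${cfg.torify.config}`, the way the later torsocks patch's `makeConfig` does, and leave the option to users. The wrapper passes `$@` unquoted, which re-splits arguments containing whitespace or glob characters; use `"$@"`. The `server` example `"192.168.0.20"` has no port, so `tail (splitString ":" ...)` renders an empty `server_port =` line; give the example a port like the default. As far as I know tsocks, unlike torsocks, does not intercept name resolution, so DNS lookups by the wrapped program go around Tor; the `enable` description should say so (and "scipt" is a typo for "script").
```nix
let
  cfg = config.services.tor;

  tsocksConfig = pkgs.writeText "tsocks.conf" ''
    server = ${toString (head (splitString ":" cfg.torify.server))}
    server_port = ${toString (tail (splitString ":" cfg.torify.server))}

    local = 127.0.0.0/255.128.0.0
    local = 127.128.0.0/255.192.0.0

    ${cfg.torify.config}
  '';

  torify = pkgs.writeTextFile {
    name = "torify";
    text = ''
      #!${pkgs.stdenv.shell}
      TSOCKS_CONF_FILE=${tsocksConfig} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" "$@"
    '';
    # … unchanged: executable, destination …
  };
in
# … unchanged: options …
  config = mkIf cfg.torify.enable {
    environment.systemPackages = [ torify ]; # expose it to the users
  };
```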
@@ -4,16 +4,30 @@ let
 cfg = config.services.tor;
- torsocks = pkgs.writeTextFile {
- name = "torsocks";
+ makeConfig = server: ''
+ server = ${toString(head (splitString ":" server))}
+ server_port = ${toString(tail (splitString ":" server))}
+
+ local = 127.0.0.0/255.128.0.0
+ local = 127.128.0.0/255.192.0.0
+ local = 169.254.0.0/255.255.0.0
+ local = 172.16.0.0/255.240.0.0
+ local = 192.168.0.0/255.255.0.0
+
+ ${cfg.torsocks.config}
+ '';
+ makeTorsocks = name: server: pkgs.writeTextFile {
+ name = name;
 text = ''
 #!${pkgs.stdenv.shell}
- TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" cfg.torsocks.config} LD_PRELOAD="${pkgs.torsocks}/lib/torsocks/libtorsocks.so $LD_PRELOAD" $@
+ TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (makeConfig server)} LD_PRELOAD="${pkgs.torsocks}/lib/torsocks/libtorsocks.so $LD_PRELOAD" $@
 '';
 executable = true;
- destination = "/bin/torsocks";
+ destination = "/bin/${name}";
 };
+ torsocks = makeTorsocks "torsocks" cfg.torsocks.server;
+ torsocksFaster = makeTorsocks "torsocks-faster" cfg.torsocks.serverFaster;
 in {
@@ -33,12 +47,21 @@ in
 server = mkOption {
 default = cfg.client.socksListenAddress;
- example = "192.168.0.20";
+ example = "192.168.0.20:9050";
 description = ''
 IP address of TOR client to use.
 '';
 };
+ serverFaster = mkOption {
+ default = cfg.client.socksListenAddressFaster;
+ example = "192.168.0.20:9063";
+ description = ''
+ IP address of TOR client to use for applications like web browsers which
+ need less circuit isolation to achive satisfactory performance.
+ '';
+ };
+
 config = mkOption {
 default = "";
 description = ''
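Review bot: The rewritten wrapper line still passes the command as `$@` unquoted, so arguments containing whitespace or glob characters are re-split by the shell before the program sees them; use `"$@"`. `makeConfig` derives `server_port` from `tail (splitString ":" server)`, which yields an empty value when the address carries no port; the examples now include one, but the `server`/`serverFaster` descriptions (second hunk, cut off at the end of this chunk) still say "IP address", so say `address:port` there. Since `makeConfig` appends `${cfg.torsocks.config}` to both generated files, the `config` option description should also note that the extras apply to torsocks and torsocks-faster alike.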
@@ -55,18 +78,8 @@ in
 config = mkIf cfg.torsocks.enable {
- environment.systemPackages = [ torsocks ]; # expose it to the users
+ environment.systemPackages = [ torsocks torsocksFaster ]; # expose it to the users
- services.tor.torsocks.config = ''
- server = ${toString(head (splitString ":" cfg.torsocks.server))}
- server_port = ${toString(tail (splitString ":" cfg.torsocks.server))}
-
- local = 127.0.0.0/255.128.0.0
- local = 127.128.0.0/255.192.0.0
- local = 169.254.0.0/255.255.0.0
- local = 172.16.0.0/255.240.0.0
- local = 192.168.0.0/255.255.0.0
- '';
 };
 }