From eb0b2651b87b76db4a73dfe54e07658c9b726232 Mon Sep 17 00:00:00 2001 From: aszlig Date: Sun, 12 Aug 2012 09:12:54 +0200 Subject: [PATCH 01/23] stage-1: Add option to load keymap during bootup. As non-QWERTY keyboards don't feel so warm and cozy if they hug QWERTY LUKS password prompts, it was an honor for me to serve King Dvorak XV to fight the glorious keyboard war against... what?! Yes, I'm awake! We're fighting with loadkeys to spit out busybox binary keymaps against loadkmap (loadkeys does have a special target -b for that). And yep, I'm somewhat abusing preLVMCommands, if someone got issues with that, feel free to introduce a new substitute in stage-i-init.sh. Sent from my iPhone --- modules/system/boot/stage-1.nix | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/modules/system/boot/stage-1.nix b/modules/system/boot/stage-1.nix index 01ecd839f556..b08ff733a435 100644 --- a/modules/system/boot/stage-1.nix +++ b/modules/system/boot/stage-1.nix @@ -27,6 +27,15 @@ let "; }; + boot.initrd.loadConsoleKeyMap = mkOption { + default = false; + type = with types; bool; + description = '' + Load i18n.consoleKeyMap at boot time. This is especially useful if you + bring together a non-QWERTY keyboard with a LUKS password prompt. + ''; + }; + boot.initrd.checkJournalingFS = mkOption { default = true; type = types.bool; @@ -267,6 +276,14 @@ let ''; + # the binary keymap for busybox to load at boot + busyboxKeymap = pkgs.runCommand "boottime-keymap" + { preferLocalBuild = true; } + '' + ${pkgs.kbd}/bin/loadkeys -qb "${config.i18n.consoleKeyMap}" > $out + ''; + + # The init script of boot stage 1 (loading kernel modules for # mounting the root FS). bootStage1 = pkgs.substituteAll { 
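Review bot: The new option uses `type = with types; bool;` while the neighbouring `boot.initrd.checkJournalingFS` option in the same hunk uses `type = types.bool;`; use the latter form for consistency. The description could also tell the reader that the keymap is converted at system build time, so a name that `loadkeys` cannot resolve fails the build rather than the boot: `Load i18n.consoleKeyMap at boot time (converted with loadkeys -b at build time; an unknown map name fails the build). Useful when a non-QWERTY keyboard meets a LUKS password prompt.`. The second hunk ends inside the `bootStage1 = pkgs.substituteAll {` attribute set, which continues outside the hunk.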
@@ -281,7 +298,12 @@ let inherit (config.boot) resumeDevice devSize runSize; inherit (config.boot.initrd) checkJournalingFS - preLVMCommands postDeviceCommands postMountCommands kernelModules; + postDeviceCommands postMountCommands kernelModules; + + preLVMCommands = (optionalString config.boot.initrd.loadConsoleKeyMap '' + # load boot-time keymap before any LVM/LUKS initialization + ${extraUtils}/bin/busybox loadkmap < "${busyboxKeymap}" + '') + config.boot.initrd.preLVMCommands; fsInfo = let f = fs: [ fs.mountPoint (if fs.device != null then fs.device else "/dev/disk/by-label/${fs.label}") fs.fsType fs.options ]; From c9e05f1ed8130a2eda2a7838eebc792e9318cd44 Mon Sep 17 00:00:00 2001 From: aszlig Date: Sun, 12 Aug 2012 16:54:31 +0200 Subject: [PATCH 02/23] stage-1: Load boot-time keymap by default. This also removes the configuration option, as suggested by @edolstra. --- modules/system/boot/stage-1-init.sh | 4 ++++ modules/system/boot/stage-1.nix | 18 ++---------------- 2 files changed, 6 insertions(+), 16 deletions(-) diff --git a/modules/system/boot/stage-1-init.sh b/modules/system/boot/stage-1-init.sh index 593b9397e66b..53d528fcd560 100644 --- a/modules/system/boot/stage-1-init.sh +++ b/modules/system/boot/stage-1-init.sh @@ -147,6 +147,10 @@ modprobe scsi_wait_scan || true udevadm settle || true +# Load boot-time keymap before any LVM/LUKS initialization +@extraUtils@/bin/busybox loadkmap < "@busyboxKeymap@" + + # XXX: Use case usb->lvm will still fail, usb->luks->lvm is covered @preLVMCommands@ diff --git a/modules/system/boot/stage-1.nix b/modules/system/boot/stage-1.nix index b08ff733a435..df4e4e140351 100644 --- a/modules/system/boot/stage-1.nix +++ b/modules/system/boot/stage-1.nix 
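Review bot: `@extraUtils@/bin/busybox loadkmap < "@busyboxKeymap@"` runs unconditionally with no failure handling; if stage-1-init.sh aborts on a failed command (its error handling is not visible here) a bad keymap stops the boot before the LUKS prompt, and if it does not abort the failure is silent and the user types a passphrase under the wrong layout. A visible diagnostic is cheap either way: `@extraUtils@/bin/busybox loadkmap < "@busyboxKeymap@" || echo "warning: could not load console keymap"`. The same unguarded call was introduced in `preLVMCommands` by the stage-1.nix hunk earlier on this line; the fix belongs wherever the call ends up after this commit.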
@@ -27,15 +27,6 @@ let "; }; - boot.initrd.loadConsoleKeyMap = mkOption { - default = false; - type = with types; bool; - description = '' - Load i18n.consoleKeyMap at boot time. This is especially useful if you - bring together a non-QWERTY keyboard with a LUKS password prompt. - ''; - }; - boot.initrd.checkJournalingFS = mkOption { default = true; type = types.bool; @@ -293,17 +284,12 @@ let isExecutable = true; - inherit udevConf extraUtils modulesClosure; + inherit udevConf busyboxKeymap extraUtils modulesClosure; inherit (config.boot) resumeDevice devSize runSize; inherit (config.boot.initrd) checkJournalingFS - postDeviceCommands postMountCommands kernelModules; - - preLVMCommands = (optionalString config.boot.initrd.loadConsoleKeyMap '' - # load boot-time keymap before any LVM/LUKS initialization - ${extraUtils}/bin/busybox loadkmap < "${busyboxKeymap}" - '') + config.boot.initrd.preLVMCommands; + preLVMCommands postDeviceCommands postMountCommands kernelModules; fsInfo = let f = fs: [ fs.mountPoint (if fs.device != null then fs.device else "/dev/disk/by-label/${fs.label}") fs.fsType fs.options ]; From d12dd340b61b331653c3e166059121a51f906152 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 18 Sep 2012 17:20:46 -0400 Subject: [PATCH 03/23] firewall.nix: Respect networking.enableIPv6 = false Reported-by: Pablo Costa --- modules/services/networking/firewall.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix index 64cfcef124a8..a72ba7967737 100644 --- a/modules/services/networking/firewall.nix +++ b/modules/services/networking/firewall.nix @@ -33,7 +33,9 @@ let # Helper command to manipulate both the IPv4 and IPv6 tables. ip46tables() { iptables "$@" - ip6tables "$@" + ${optionalString config.networking.enableIPv6 '' + ip6tables "$@" + ''} } ''; From 0de3a0cff3853b4eda76f608d8ada9bd5ac6d379 Mon Sep 17 00:00:00 2001 
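Review bot: With `networking.enableIPv6 = false` the `ip46tables` helper now skips `ip6tables` entirely, so no IPv6 rules and no IPv6 default policy are installed; if the kernel still brings IPv6 up on the interfaces (whether `enableIPv6 = false` disables the stack is not visible in this hunk), IPv6 traffic is simply unfiltered. That assumption should be written down next to the helper: `# ip6tables is skipped when networking.enableIPv6 is off; this assumes no IPv6 addresses are configured at all`. The helper sits inside a Nix string whose start and end are outside the hunk.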
From: Rickard Nilsson Date: Fri, 14 Sep 2012 00:39:11 +0200 Subject: [PATCH 04/23] nscd-invalidate: Invalidate passwd and group databases also I had some problems with LDAP user lookups not working properly at boot. I found that invalidating passwd and group on the ip-up event (when nscd-invalidate starts) helped a bit. --- modules/services/system/nscd.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/services/system/nscd.nix b/modules/services/system/nscd.nix index 6f35cd30f582..ca5ac428a9dc 100644 --- a/modules/services/system/nscd.nix +++ b/modules/services/system/nscd.nix @@ -64,7 +64,12 @@ in description = "Invalidate NSCD cache"; startOn = "ip-up or config-changed"; task = true; - exec = "${pkgs.glibc}/sbin/nscd --invalidate hosts"; + path = [ pkgs.glibc ]; + exec = '' + nscd --invalidate=passwd + nscd --invalidate=group + nscd --invalidate=hosts + ''; }; }; From 1e666c10fa45bacfaa137e3810801e61c7266c3f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 20 Sep 2012 16:54:46 -0400 Subject: [PATCH 05/23] Get rid of the last use of mkThenElse --- modules/services/monitoring/nagios/default.nix | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/modules/services/monitoring/nagios/default.nix b/modules/services/monitoring/nagios/default.nix index 6d2fe3f2acec..ddb0da213276 100644 --- a/modules/services/monitoring/nagios/default.nix +++ b/modules/services/monitoring/nagios/default.nix @@ -184,12 +184,7 @@ in ''; }; - services.httpd = mkIf cfg.enableWebInterface { - extraConfig = mkThenElse { - thenPart = extraHttpdConfig; - elsePart = ""; - }; - }; + services.httpd.extraConfig = optionalString cfg.enableWebInterface extraHttpdConfig; }; From d4af6edd5e49cf69cb2eae06699b4edd74b0657c Mon Sep 17 00:00:00 2001 
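Review bot: `exec` now holds three commands on separate lines; if `jobs.*.exec` is emitted as a single upstart `exec` stanza (the job module is not visible here) only one command line is valid there and `script = ''…'';` is the stanza for a sequence, so please confirm the module accepts a multi-line `exec` before relying on it. A comment giving the reason from the commit message would also help the next reader, since invalidating passwd/group on `ip-up` is not self-explanatory: `# passwd/group lookups cached before the network came up (e.g. LDAP-backed) are stale`.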
From: Eelco Dolstra Date: Thu, 20 Sep 2012 17:51:44 -0400 Subject: [PATCH 06/23] firewall.nix: Allow specifying trusted network interfaces Trusted network interfaces (such as "lo") will accept any incoming traffic. --- modules/services/networking/firewall.nix | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix index a72ba7967737..e6ae725f85ff 100644 --- a/modules/services/networking/firewall.nix +++ b/modules/services/networking/firewall.nix @@ -98,6 +98,15 @@ in ''; }; + networking.firewall.trustedInterfaces = mkOption { + type = types.list types.string; + description = + '' + Traffic coming in from these interfaces will be accepted + unconditionally. + ''; + }; + networking.firewall.allowedTCPPorts = mkOption { default = []; example = [ 22 80 ]; @@ -155,6 +164,8 @@ in # holds). config = mkIf cfg.enable { + networking.firewall.trustedInterfaces = [ "lo" ]; + environment.systemPackages = [ pkgs.iptables ]; boot.kernelModules = [ "nf_conntrack_ftp" ]; @@ -222,8 +233,10 @@ in # The "nixos-fw" chain does the actual work. ip46tables -N nixos-fw - # Accept all traffic on the loopback interface. - ip46tables -A nixos-fw -i lo -j nixos-fw-accept + # Accept all traffic on the trusted interfaces. + ${flip concatMapStrings cfg.trustedInterfaces (iface: '' + ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept + '')} # Accept packets from established or related connections. ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept From 1da16a5ea112182ffc2d83ee6c42c1b70f96226d Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 21 Sep 2012 12:25:35 +0200 Subject: [PATCH 07/23] modules/services/mail/dovecot2.nix: log via syslog instead of writing a separate file --- modules/services/mail/dovecot2.nix | 5 ----- 1 file changed, 5 deletions(-) 
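Review bot: `networking.firewall.trustedInterfaces` declares no `default`, and the `[ "lo" ]` value is only supplied in `config` under `mkIf cfg.enable`, so the option is undefined whenever the firewall is disabled and any evaluation of `cfg.trustedInterfaces` elsewhere would error; `default = [ ];` on the declaration keeps it total while the loopback entry stays in `config`. The description should state the consequence plainly, because a trusted interface bypasses the port-based rules: `Traffic coming in from these interfaces is accepted unconditionally, bypassing allowedTCPPorts and allowedUDPPorts; every host reachable on such an interface is fully trusted.`, plus an `example = [ "lo" ];`. In the rule hunk the name is interpolated unquoted (`-i ${iface}`); the values come from configuration, but `-i "${iface}"` keeps an unusual name from breaking the script.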
diff --git a/modules/services/mail/dovecot2.nix b/modules/services/mail/dovecot2.nix index c5f5da41d317..14355f51e3db 100644 --- a/modules/services/mail/dovecot2.nix +++ b/modules/services/mail/dovecot2.nix @@ -40,13 +40,8 @@ let driver = pam args = dovecot2 } - #auth_debug = yes - #auth_verbose = yes - #debug_log_path = /tmp/dovecot2debug.log pop3_uidl_format = %08Xv%08Xu - - log_path = /var/log/dovecot2.log ''; confFile = pkgs.writeText "dovecot.conf" dovecotConf; From 155495deb2ada2eda99fa4bf809830a0b506e51d Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 21 Sep 2012 12:26:53 +0200 Subject: [PATCH 08/23] modules/services/mail/dovecot2.nix: accept plain text authentication only over secure channels when TLS is available Connects from 'localhost' are always considered secure. --- modules/services/mail/dovecot2.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/services/mail/dovecot2.nix b/modules/services/mail/dovecot2.nix index 14355f51e3db..2054b80d0b14 100644 --- a/modules/services/mail/dovecot2.nix +++ b/modules/services/mail/dovecot2.nix @@ -17,6 +17,7 @@ let ssl_cert_file = ${cfg.sslServerCert} ssl_key_file = ${cfg.sslServerKey} ssl_ca_file = ${cfg.sslCACert} + disable_plaintext_auth = yes '' else '' ssl = no disable_plaintext_auth = no From 0573c7fcae7cc06da38895ea3d7b2ca7526720f3 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 21 Sep 2012 12:28:49 +0200 Subject: [PATCH 09/23] modules/services/mail/dovecot2.nix: update syntax for SSL config options --- modules/services/mail/dovecot2.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/services/mail/dovecot2.nix b/modules/services/mail/dovecot2.nix index 2054b80d0b14..c1f21ba457f1 100644 --- a/modules/services/mail/dovecot2.nix +++ b/modules/services/mail/dovecot2.nix 
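Review bot: The `else` branch visible as context at the end of the `disable_plaintext_auth` hunk still writes `disable_plaintext_auth = no` when no certificate is configured, so without TLS plaintext credentials are accepted from remote clients, not only from localhost; that is a deliberate trade-off but nothing in the file says so. A comment on that line spares the next reader a guess: `# no TLS configured: plaintext auth is allowed from remote clients (credentials travel unencrypted)`. If the intent is local-only access without TLS, `disable_plaintext_auth = yes` in both branches is the safer default, given that localhost connections are treated as secure anyway (per the commit message). The generated string continues outside the hunk on both sides.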
@@ -14,9 +14,9 @@ let '' + (if cfg.sslServerCert!="" then '' - ssl_cert_file = ${cfg.sslServerCert} - ssl_key_file = ${cfg.sslServerKey} - ssl_ca_file = ${cfg.sslCACert} + ssl_cert = <${cfg.sslServerCert} + ssl_key = <${cfg.sslServerKey} + ssl_ca = <${cfg.sslCACert} disable_plaintext_auth = yes '' else '' ssl = no From 4476b875fc0d4b1a59b1f4ab7194fd15ae620921 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 21 Sep 2012 16:04:46 +0200 Subject: [PATCH 10/23] Add services.dovecot2.extraConfig option to configure arbitrary settings for which NixOS has no direct support. --- modules/services/mail/dovecot2.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/services/mail/dovecot2.nix b/modules/services/mail/dovecot2.nix index c1f21ba457f1..fc97e0d3ad0b 100644 --- a/modules/services/mail/dovecot2.nix +++ b/modules/services/mail/dovecot2.nix @@ -43,7 +43,7 @@ let } pop3_uidl_format = %08Xv%08Xu - ''; + '' + cfg.extraConfig; confFile = pkgs.writeText "dovecot.conf" dovecotConf; @@ -72,6 +72,12 @@ in description = "Dovecot group name."; }; + extraConfig = mkOption { + default = ""; + example = "mail_debug = yes"; + description = "Additional entries to put verbatim into Dovecot's config file."; + }; + mailLocation = mkOption { default = "maildir:/var/spool/mail/%u"; /* Same as inbox, as postfix */ example = "maildir:~/mail:INBOX=/var/spool/mail/%u"; From 600d43ba9326cee88cd2b3fedcb62cee4dd06a51 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 21 Sep 2012 11:03:07 -0400 Subject: [PATCH 11/23] Drop xfce-4.6 compatibility --- modules/services/x11/desktop-managers/xfce.nix | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/modules/services/x11/desktop-managers/xfce.nix b/modules/services/x11/desktop-managers/xfce.nix index 753bac476274..d06eb23b8e97 100644 --- a/modules/services/x11/desktop-managers/xfce.nix +++ b/modules/services/x11/desktop-managers/xfce.nix 
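Review bot: With the `<` syntax Dovecot reads `${cfg.sslServerKey}` from the given path at startup, so the key's location is now what matters: it must be readable by the dovecot process when it starts and must not be a Nix store path, since the store is world-readable. The option declarations are outside this hunk; their descriptions should say `Path to the server key. Do not point this at a file in the Nix store, which is world-readable.`.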
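Review bot: `extraConfig` is appended after every generated setting (`'' + cfg.extraConfig`), so lines in it can override what the module emitted, and the description should say so rather than only "verbatim": `Additional lines appended verbatim to the end of Dovecot's config file; they take effect after the generated settings.`. The option also declares no `type`, unlike `types.string` used elsewhere in this series; adding one keeps non-string definitions from producing a confusing merge error.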
@@ -7,8 +7,6 @@ let xcfg = config.services.xserver; cfg = xcfg.desktopManager.xfce; - isXfce48 = pkgs.xfce ? libxfce4ui; - in { @@ -45,8 +43,7 @@ in }; environment.systemPackages = - [ - pkgs.gtk # To get GTK+'s themes. + [ pkgs.gtk # To get GTK+'s themes. pkgs.hicolor_icon_theme pkgs.shared_mime_info pkgs.which # Needed by the xfce's xinitrc script. @@ -70,8 +67,6 @@ in # "utilities-terminal" and "accessories-text-editor". pkgs.gnome.gnomeicontheme pkgs.desktop_file_utils - ] - ++ optionals isXfce48 [ pkgs.xfce.libxfce4ui pkgs.xfce.garcon pkgs.xfce.thunar_volman @@ -83,15 +78,14 @@ in environment.pathsToLink = [ "/share/xfce4" "/share/themes" "/share/mime" "/share/desktop-directories" ]; - environment.shellInit = optionalString isXfce48 + environment.shellInit = '' export GIO_EXTRA_MODULES=${pkgs.xfce.gvfs}/lib/gio/modules ''; # Enable helpful DBus services. - services.hal = mkIf (!isXfce48) { enable = true; }; - services.udisks = mkIf isXfce48 { enable = true; }; - services.upower = mkIf (isXfce48 && config.powerManagement.enable) { enable = true; }; + services.udisks.enable = true; + services.upower.enable = config.powerManagement.enable; }; From b8f09be5e0ad79e552e3715565851cb5b34579e9 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Sat, 22 Sep 2012 12:51:58 +0200 Subject: [PATCH 12/23] Remove service for dovecot version 1.x. --- modules/module-list.nix | 1 - modules/services/mail/dovecot.nix | 130 ------------------------------ 2 files changed, 131 deletions(-) delete mode 100644 modules/services/mail/dovecot.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index 1d40a4145ae0..656adcf04b78 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -85,7 +85,6 @@ ./services/logging/logrotate.nix ./services/logging/logstash.nix ./services/logging/syslogd.nix - ./services/mail/dovecot.nix ./services/mail/dovecot2.nix ./services/mail/freepops.nix ./services/mail/mail.nix 
diff --git a/modules/services/mail/dovecot.nix b/modules/services/mail/dovecot.nix deleted file mode 100644 index ff41c8f43025..000000000000 --- a/modules/services/mail/dovecot.nix +++ /dev/null 
@@ -1,130 +0,0 @@ -{ config, pkgs, ... }: - -with pkgs.lib; - -let - - cfg = config.services.dovecot; - - dovecotConf = - '' - base_dir = /var/run/dovecot/ - - protocols = imap imaps pop3 pop3s - '' - + (if cfg.sslServerCert!="" then - '' - ssl_cert_file = ${cfg.sslServerCert} - ssl_key_file = ${cfg.sslServerKey} - ssl_ca_file = ${cfg.sslCACert} - '' else '' - ssl_disable = yes - disable_plaintext_auth = no - '') - - + '' - login_user = ${cfg.user} - login_chroot = no - - mail_location = maildir:/var/spool/mail/%u - - maildir_copy_with_hardlinks = yes - - auth default { - mechanisms = plain login - userdb passwd { - } - passdb pam { - } - user = root - } - auth_debug = yes - auth_verbose = yes - - pop3_uidl_format = %08Xv%08Xu - - log_path = /var/log/dovecot.log - ''; - - confFile = pkgs.writeText "dovecot.conf" dovecotConf; - -in - -{ - - ###### interface - - options = { - - services.dovecot = { - - enable = mkOption { - default = false; - description = "Whether to enable the Dovecot POP3/IMAP server."; - }; - - user = mkOption { - default = "dovecot"; - description = "Dovecot user name."; - }; - - group = mkOption { - default = "dovecot"; - description = "Dovecot group name."; - }; - - sslServerCert = mkOption { - default = ""; - description = "Server certificate"; - }; - - sslCACert = mkOption { - default = ""; - description = "CA certificate used by the server certificate."; - }; - - sslServerKey = mkOption { - default = ""; - description = "Server key."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.dovecot.enable { - - security.pam.services = [ { name = "dovecot"; } ]; - - users.extraUsers = singleton - { name = cfg.user; - uid = config.ids.uids.dovecot; - description = "Dovecot user"; - group = cfg.group; - }; - - users.extraGroups = singleton - { name = cfg.group; - gid = config.ids.gids.dovecot; - }; - - jobs.dovecot = - { description = "Dovecot IMAP/POP3 server"; - - startOn = "started networking"; - - preStart = - '' - 
${pkgs.coreutils}/bin/mkdir -p /var/run/dovecot /var/run/dovecot/login - ${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} /var/run/dovecot - ''; - - exec = "${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}"; - }; - - }; - -} From 00e19c91e59d2c3244f6f3bd6d048941e7ddafab Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Sun, 23 Sep 2012 12:21:34 +0200 Subject: [PATCH 13/23] postfix: add option 'extraMasterConf' to extend the default master.cf file --- modules/services/mail/postfix.nix | 53 +++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/modules/services/mail/postfix.nix b/modules/services/mail/postfix.nix index 3784ae3d39f6..ea887ea8e195 100644 --- a/modules/services/mail/postfix.nix +++ b/modules/services/mail/postfix.nix 
@@ -85,6 +85,45 @@ let '' + cfg.extraConfig; + masterCf = '' + # ========================================================================== + # service type private unpriv chroot wakeup maxproc command + args + # (yes) (yes) (yes) (never) (100) + # ========================================================================== + smtp inet n - n - - smtpd + #submission inet n - n - - smtpd + # -o smtpd_tls_security_level=encrypt + # -o smtpd_sasl_auth_enable=yes + # -o smtpd_client_restrictions=permit_sasl_authenticated,reject + # -o milter_macro_daemon_name=ORIGINATING + pickup fifo n - n 60 1 pickup + cleanup unix n - n - 0 cleanup + qmgr fifo n - n 300 1 qmgr + tlsmgr unix - - n 1000? 1 tlsmgr + rewrite unix - - n - - trivial-rewrite + bounce unix - - n - 0 bounce + defer unix - - n - 0 bounce + trace unix - - n - 0 bounce + verify unix - - n - 1 verify + flush unix n - n 1000? 0 flush + proxymap unix - - n - - proxymap + proxywrite unix - - n - 1 proxymap + smtp unix - - n - - smtp + relay unix - - n - - smtp + -o smtp_fallback_relay= + # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 + showq unix n - n - - showq + error unix - - n - - error + retry unix - - n - - error + discard unix - - n - - discard + local unix - n n - - local + virtual unix - n n - - virtual + lmtp unix - - n - - lmtp + anvil unix - - n - 1 anvil + scache unix - - n - 1 scache + ${cfg.extraMasterConf} + ''; + aliases = optionalString (cfg.postmasterAlias != "") '' postmaster: ${cfg.postmasterAlias} @@ -98,6 +137,7 @@ let aliasesFile = pkgs.writeText "postfix-aliases" aliases; virtualFile = pkgs.writeText "postfix-virtual" cfg.virtual; mainCfFile = pkgs.writeText "postfix-main.cf" mainCf; + masterCfFile = pkgs.writeText "postfix-master.cf" masterCf; in @@ -232,7 +272,7 @@ in extraConfig = mkOption { default = ""; description = " - Extra configuration, will be added verbatim to the configuration file. + Extra lines to be added verbatim to the main.cf configuration file. "; }; 
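Review bot: In the new `masterCf` string the `-o smtp_fallback_relay=` line belongs to the `relay` entry above it, and master.cf only treats a line as a continuation when it starts with whitespace; Nix's `''` strips the common indentation but keeps relative indentation, so that line must stay indented deeper than `relay unix …` (the collapsed view here cannot confirm it). A comment in the string protects it from a well-meant reformat: `# a line starting with whitespace continues the entry above it; keep the extra indent on the -o lines`. The hunk ends inside the `aliases` definition, which continues outside it.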
@@ -266,6 +306,12 @@ in "; }; + extraMasterConf = mkOption { + default = ""; + example = "submission inet n - n - - smtpd"; + description = "Extra lines to append to the generated master.cf file."; + }; + }; }; @@ -346,17 +392,18 @@ in ${pkgs.coreutils}/bin/chown root:root /var/spool/mail ${pkgs.coreutils}/bin/chmod a+rwxt /var/spool/mail - ln -sf ${pkgs.postfix}/share/postfix/conf/* /var/postfix/conf + ln -sf "${pkgs.postfix}/share/postfix/conf/"* /var/postfix/conf ln -sf ${aliasesFile} /var/postfix/conf/aliases ln -sf ${virtualFile} /var/postfix/conf/virtual ln -sf ${mainCfFile} /var/postfix/conf/main.cf + ln -sf ${masterCfFile} /var/postfix/conf/master.cf ${pkgs.postfix}/sbin/postalias -c /var/postfix/conf /var/postfix/conf/aliases ${pkgs.postfix}/sbin/postmap -c /var/postfix/conf /var/postfix/conf/virtual exec ${pkgs.postfix}/sbin/postfix -c /var/postfix/conf start - ''; # */ + ''; preStop = '' exec ${pkgs.postfix}/sbin/postfix -c /var/postfix/conf stop From 97c74bf05017524115e4127aa8fb27e776ed5d4a Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Sun, 23 Sep 2012 22:26:49 +0200 Subject: [PATCH 14/23] alsa.nix: initialize the sound card before restoring previously stored settings The sound card in my ThinkPad won't work unless "init" is run explicitly. --- modules/services/audio/alsa.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/services/audio/alsa.nix b/modules/services/audio/alsa.nix index d16a67948327..4d622428976a 100644 --- a/modules/services/audio/alsa.nix +++ b/modules/services/audio/alsa.nix @@ -54,8 +54,9 @@ in '' mkdir -m 0755 -p $(dirname ${soundState}) - # Restore the sound state. - ${alsaUtils}/sbin/alsactl --ignore -f ${soundState} restore + # Try to restore the sound state. + ${alsaUtils}/sbin/alsactl --ignore init || true + ${alsaUtils}/sbin/alsactl --ignore -f ${soundState} restore || true ''; postStop = From 5ee79c57228cda29883dd61fd75dc4e5c05ea7b6 Mon Sep 17 00:00:00 2001 
From: Lluis Batlle Date: Mon, 24 Sep 2012 00:14:43 +0200 Subject: [PATCH 15/23] Adding a parameter 'ttyEmergency' It specifies what mingetty will be stopped, if a bad filesystem triggers an emergency shell. That should be ttyS0 on headless systems, and in that case, nixos should stop the ttyS0 mingetty from getting in. --- modules/tasks/filesystems.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/modules/tasks/filesystems.nix b/modules/tasks/filesystems.nix index 9495cac67855..5d6e4a4a3697 100644 --- a/modules/tasks/filesystems.nix +++ b/modules/tasks/filesystems.nix @@ -156,6 +156,16 @@ in description = "Names of supported filesystem types in the initial ramdisk."; }; + boot.ttyEmergency = mkOption { + default = + if pkgs.stdenv.isArm + then "ttyS0" # presumably an embedded platform such as a plug + else "tty1"; + description = '' + The tty that will be stopped in case an emergency shell is spawned + at boot. + ''; + }; }; @@ -247,7 +257,7 @@ in status="$(status xserver || true)" [[ "$status" =~ start/ ]] && exit 0 - stop tty1 || true + stop ${config.boot.ttyEmergency} || true start --no-wait emergency-shell \ DEVICE="$DEVICE" MOUNTPOINT="$MOUNTPOINT" From bf116c78760ce2124e96920cb5ea5bcae7a4cac1 Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Mon, 24 Sep 2012 17:15:26 -0400 Subject: [PATCH 16/23] busyboxKeymap: Support unicode keymaps --- modules/system/boot/stage-1.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/system/boot/stage-1.nix b/modules/system/boot/stage-1.nix index feb4b5838393..6f82f3285b9f 100644 --- a/modules/system/boot/stage-1.nix +++ b/modules/system/boot/stage-1.nix @@ -292,7 +292,8 @@ let busyboxKeymap = pkgs.runCommand "boottime-keymap" { preferLocalBuild = true; } '' - ${pkgs.kbd}/bin/loadkeys -qb "${config.i18n.consoleKeyMap}" > $out + ${pkgs.kbd}/bin/loadkeys -qb "${config.i18n.consoleKeyMap}" > $out || + ${pkgs.kbd}/bin/loadkeys -qbu "${config.i18n.consoleKeyMap}" > $out ''; 
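Review bot: `boot.ttyEmergency` declares neither `type` nor `example`, and its description says what is stopped but not why; `type = types.string; example = "ttyS0";` and `The getty job to stop when a failed filesystem check spawns the emergency shell, so that the shell gets the console; on headless machines this is the serial console (e.g. ttyS0).` would make the option self-explanatory. The `isArm`-based default is marked "presumably" in the code itself, so users should be told to set it explicitly on serial-console systems. In the second hunk the value is interpolated unquoted into `stop ${config.boot.ttyEmergency} || true`; quoting it is cheap and the job definition continues outside the hunk.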
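Review bot: In the `busyboxKeymap` fallback, `-q` on both `loadkeys` attempts suppresses diagnostics, so a map that fails both ways produces a build failure with no hint as to why; dropping `-q` from the second attempt keeps the quiet happy path and still explains the failure: `${pkgs.kbd}/bin/loadkeys -bu "${config.i18n.consoleKeyMap}" > $out`. A one-line comment on why the unicode retry exists (`# some maps only load in unicode mode`) would also help, since the commit message is the only place that says so.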
From a7700202f2cf5973680fd86be71a435cb388ddee Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 25 Sep 2012 11:23:03 +0200 Subject: [PATCH 17/23] Rename dovecot2 module to dovecot. We no longer support more than one version. --- modules/module-list.nix | 2 +- modules/services/mail/{dovecot2.nix => dovecot.nix} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename modules/services/mail/{dovecot2.nix => dovecot.nix} (100%) diff --git a/modules/module-list.nix b/modules/module-list.nix index 656adcf04b78..e480ee9767e1 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -85,7 +85,7 @@ ./services/logging/logrotate.nix ./services/logging/logstash.nix ./services/logging/syslogd.nix - ./services/mail/dovecot2.nix + ./services/mail/dovecot.nix ./services/mail/freepops.nix ./services/mail/mail.nix ./services/mail/postfix.nix diff --git a/modules/services/mail/dovecot2.nix b/modules/services/mail/dovecot.nix similarity index 100% rename from modules/services/mail/dovecot2.nix rename to modules/services/mail/dovecot.nix From 2d6d678bb93ce4dae4289cfbdfb1cc02e7e22ba1 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 25 Sep 2012 11:24:35 +0200 Subject: [PATCH 18/23] dovecot.nix: correct bogus reference to dovecot in Nixpkgs --- modules/services/mail/dovecot.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/services/mail/dovecot.nix b/modules/services/mail/dovecot.nix index fc97e0d3ad0b..9a9acf69c51b 100644 --- a/modules/services/mail/dovecot.nix +++ b/modules/services/mail/dovecot.nix @@ -141,10 +141,10 @@ in ${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} /var/run/dovecot2 ''; - exec = "${pkgs.dovecot_2_0}/sbin/dovecot -F -c ${confFile}"; + exec = "${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}"; }; - environment.systemPackages = [ pkgs.dovecot_2_0 ]; + environment.systemPackages = [ pkgs.dovecot ]; }; From 65c1c6525b7d2a57a7204410f7b155c11afee628 Mon Sep 17 00:00:00 2001 
From: Rickard Nilsson Date: Wed, 19 Sep 2012 14:13:34 +0200 Subject: [PATCH 19/23] network-manager: Big overhaul * Add group 'networkmanager' and implement polkit configuration that allows users in this group to make persistent, system-wide changes to NetworkManager settings. * Add support for ModemManager. 3G modems should work out of the box now (it does for me...). This introduces a dependency on pkgs.modemmanager. * Write NetworkManager config file to Nix store, and let the daemon use it from there. --- modules/misc/ids.nix | 1 + .../services/networking/networkmanager.nix | 120 ++++++++++++------ 2 files changed, 79 insertions(+), 42 deletions(-) diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index ea28162686eb..ca5d2051af2e 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -126,6 +126,7 @@ in clamav = 51; fprot = 52; wwwrun = 54; + networkmanager = 56; # When adding a gid, make sure it doesn't match an existing uid. diff --git a/modules/services/networking/networkmanager.nix b/modules/services/networking/networkmanager.nix index c33bbad83b36..591f34ceee75 100644 --- a/modules/services/networking/networkmanager.nix +++ b/modules/services/networking/networkmanager.nix 
@@ -3,12 +3,47 @@ with pkgs.lib; let + cfg = config.networking.networkmanager; - stateDir = "/var/lib/NetworkManager"; + stateDirs = "/var/lib/NetworkManager /var/lib/dhclient"; -in + configFile = pkgs.writeText "NetworkManager.conf" '' + [main] + plugins=keyfile -{ + [keyfile] + ${optionalString (config.networking.hostName != "") '' + hostname=${config.networking.hostName} + ''} + + [logging] + level=WARN + ''; + + polkitConf = '' + [network-manager] + Identity=unix-group:networkmanager + Action=org.freedesktop.NetworkManager.* + ResultAny=yes + ResultInactive=no + ResultActive=yes + + [modem-manager] + Identity=unix-group:networkmanager + Action=org.freedesktop.ModemManager.* + ResultAny=yes + ResultInactive=no + ResultActive=yes + ''; + + ipUpScript = pkgs.writeScript "01nixos-ip-up" '' + #!/bin/sh + if test "$2" = "up"; then + ${pkgs.upstart}/sbin/initctl emit ip-up "IFACE=$1" + fi + ''; + +in { ###### interface 
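Review bot: `polkitConf` grants `unix-group:networkmanager` `ResultAny=yes` on the `org.freedesktop.NetworkManager.*` and `org.freedesktop.ModemManager.*` wildcards; as I read the local-authority semantics, `ResultAny` is what applies to clients outside a local console session (e.g. logged in over SSH), so together with `ResultInactive=no` a group member on an inactive VT is refused while the same user over SSH is allowed, which looks unintended. If the goal is users at the console, `ResultAny=no` matches `ResultInactive=no`; if remote members should be allowed, say so in the `enable` option description (changed in the next hunk). The wildcard covers every NetworkManager action including persistent system-wide changes, which the commit message intends but the file does not state; a comment above the block would: `# members of 'networkmanager' may perform any NetworkManager/ModemManager action, including system-wide connection changes`.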
@@ -20,61 +55,62 @@ in description = '' Whether to use NetworkManager to obtain an IP adress and other configuration for all network interfaces that are not manually - configured. + configured. If enabled, a group networkmanager + will be created. Add all users that should have permission + to change network settings to this group. ''; }; networking.networkmanager.packages = mkOption { - default = [ pkgs.networkmanager ]; - description = - '' - Packages providing NetworkManager plugins. - ''; + default = [ ]; + description = '' + Extra packages that provide NetworkManager plugins. + ''; + merge = mergeListOption; + apply = list: [ pkgs.networkmanager pkgs.modemmanager ] ++ list; }; }; ###### implementation - config = mkIf config.networking.networkmanager.enable { + config = mkIf cfg.enable { - jobs.networkmanager = - { startOn = "started network-interfaces"; - stopOn = "stopping network-interfaces"; + environment.etc = singleton { + source = ipUpScript; + target = "NetworkManager/dispatcher.d/01nixos-ip-up"; + }; - script = - '' - mkdir -m 755 -p /etc/NetworkManager - mkdir -m 700 -p /etc/NetworkManager/system-connections - mkdir -m 755 -p ${stateDir} + environment.systemPackages = cfg.packages; - if [[ ! 
-f /etc/NetworkManager/NetworkManager.conf ]]; then - cat <<-EOF > /etc/NetworkManager/NetworkManager.conf - [main] - plugins=keyfile - EOF - fi + users.extraGroups = singleton { + name = "networkmanager"; + gid = config.ids.gids.networkmanager; + }; - exec ${pkgs.networkmanager}/sbin/NetworkManager --no-daemon - ''; - }; + jobs.networkmanager = { + startOn = "started network-interfaces"; + stopOn = "stopping network-interfaces"; + + path = [ pkgs.networkmanager ]; + + preStart = '' + mkdir -m 755 -p /etc/NetworkManager + mkdir -m 700 -p /etc/NetworkManager/system-connections + mkdir -m 755 -p ${stateDirs} + ''; + + exec = "NetworkManager --config=${configFile} --no-daemon"; + }; - environment.systemPackages = config.networking.networkmanager.packages; - services.dbus.packages = config.networking.networkmanager.packages; networking.useDHCP = false; - environment.etc = [ - { - source = pkgs.writeScript "01nixos-ip-up" - '' - #!/bin/sh - if test "$2" = "up"; then - ${pkgs.upstart}/sbin/initctl emit ip-up "IFACE=$1" - fi - ''; - target = "NetworkManager/dispatcher.d/01nixos-ip-up"; - } - ]; + networking.wireless.enable = true; + + security.polkit.permissions = polkitConf; + + services.dbus.packages = cfg.packages; + + services.udev.packages = cfg.packages; }; } - From 9d83b8897bf616dd6f83b8627e5d2edd2e58f777 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Thu, 27 Sep 2012 16:50:00 +0200 Subject: [PATCH 20/23] spamassassin: drop obsolete command line options --- modules/services/mail/spamassassin.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/mail/spamassassin.nix b/modules/services/mail/spamassassin.nix index 9b387eb940f7..ecbb5dc31054 100644 --- a/modules/services/mail/spamassassin.nix +++ b/modules/services/mail/spamassassin.nix 
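Review bot: `networking.wireless.enable = true;` is now forced on whenever NetworkManager is enabled, which starts the wireless supplicant service system-wide even on machines without a wireless interface, and the `enable` option description earlier in this hunk does not mention it; either make the definition overridable by the user or document it: `If enabled, networking.wireless.enable is turned on as well.`. Likewise the `apply` on `packages` silently prepends `pkgs.networkmanager pkgs.modemmanager`, so the option's effective value never equals what the user set; one sentence in its description (`NetworkManager and ModemManager themselves are always included.`) avoids surprises. The hunk starts inside the `enable` option's description, whose beginning is outside it.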
@@ -43,7 +43,7 @@ in description = "Spam Assassin Server"; startOn = "started networking and filesystem"; environment.TZ = config.time.timeZone; - exec = "${pkgs.spamassassin}/bin/spamd -C /etc/spamassassin/init.pre --siteconfigpath=/etc/spamassassin --username=spamd --pidfile=/var/run/spamd.pid"; + exec = "${pkgs.spamassassin}/bin/spamd -D --username=spamd --pidfile=/var/run/spamd.pid"; }; }; From bcb80387265e9a3865c0dc346631690c8c4da606 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Thu, 27 Sep 2012 17:12:25 +0200 Subject: [PATCH 21/23] spamassassin: add option for running the spamd daemon in debug mode --- modules/services/mail/spamassassin.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/services/mail/spamassassin.nix b/modules/services/mail/spamassassin.nix index ecbb5dc31054..9e378ab0f20c 100644 --- a/modules/services/mail/spamassassin.nix +++ b/modules/services/mail/spamassassin.nix @@ -21,6 +21,11 @@ in description = "Whether to run the SpamAssassin daemon."; }; + debug = mkOption { + default = false; + description = "Whether to run the SpamAssassin daemon in debug mode."; + }; + }; }; @@ -43,7 +48,7 @@ in description = "Spam Assassin Server"; startOn = "started networking and filesystem"; environment.TZ = config.time.timeZone; - exec = "${pkgs.spamassassin}/bin/spamd -D --username=spamd --pidfile=/var/run/spamd.pid"; + exec = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --pidfile=/var/run/spamd.pid"; }; }; From 6f052ee62e2e7d3e905a6443369409df9fa8147b Mon Sep 17 00:00:00 2001 
From: Peter Simons Date: Fri, 28 Sep 2012 00:06:52 +0200 Subject: [PATCH 22/23] spamassassin: use virtual user home directories under /var/lib/spamassassin to avoid permission problems When spamd isn't running as 'root', it cannot access the usual ~/.spamassassin path where user-specific files normally reside. Instead, we use the path /var/lib/spamassassin- to store those home directories. --- modules/misc/ids.nix | 1 + modules/services/mail/spamassassin.nix | 18 ++++++++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index ca5d2051af2e..dbecaf802a18 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -126,6 +126,7 @@ in clamav = 51; fprot = 52; wwwrun = 54; + spamd = 55; networkmanager = 56; # When adding a gid, make sure it doesn't match an existing uid. diff --git a/modules/services/mail/spamassassin.nix b/modules/services/mail/spamassassin.nix index 9e378ab0f20c..d4dbe8ddbd04 100644 --- a/modules/services/mail/spamassassin.nix +++ b/modules/services/mail/spamassassin.nix 
@@ -38,17 +38,23 @@ in # Allow users to run 'spamc'. environment.systemPackages = [ pkgs.spamassassin ]; - users.extraUsers = singleton - { name = "spamd"; - description = "Spam Assassin Daemon"; - uid = config.ids.uids.spamd; - }; + users.extraUsers = singleton { + name = "spamd"; + description = "Spam Assassin Daemon"; + uid = config.ids.uids.spamd; + group = "spamd"; + }; + + users.extraGroups = singleton { + name = "spamd"; + gid = config.ids.gids.spamd; + }; jobs.spamd = { description = "Spam Assassin Server"; startOn = "started networking and filesystem"; environment.TZ = config.time.timeZone; - exec = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --pidfile=/var/run/spamd.pid"; + exec = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --nouser-config --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/var/run/spamd.pid"; }; }; From 1084a8e0de805229d216c928efbc457cae57eea2 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 28 Sep 2012 11:14:33 -0400 Subject: [PATCH 23/23] Add "adm" group from the systemd branch to prevent constant collisions --- modules/misc/ids.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index dbecaf802a18..f26501105b1e 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -73,7 +73,7 @@ in fprot = 52; bind = 53; wwwrun = 54; - spamd = 55; + spamd = 56; # When adding a uid, make sure it doesn't match an existing gid. @@ -126,8 +126,9 @@ in clamav = 51; fprot = 52; wwwrun = 54; - spamd = 55; - networkmanager = 56; + adm = 55; + spamd = 56; + networkmanager = 57; # When adding a gid, make sure it doesn't match an existing uid.
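Review bot: `--allow-tell` is added to the spamd command line with no option or comment; it lets every client that can reach spamd issue TELL commands (learn/report/revoke), i.e. modify the per-user Bayes data under `/var/lib/spamassassin/user-%u`, so whether that is acceptable depends on who can connect to the daemon (its listen address is not set in this hunk). Make it opt-in like `debug`, or at least mark it: `# --allow-tell lets spamc clients train/forget messages, which modifies per-user Bayes data`. Nothing in the hunk creates `/var/lib/spamassassin` or makes it writable by the new `spamd` user and group; unless that happens outside this hunk, the virtual-config-dir writes fail at runtime, so a `preStart` with `mkdir -m 0750 -p /var/lib/spamassassin` and `chown spamd:spamd /var/lib/spamassassin` would complete the change.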
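Review bot: This renumbers an already assigned uid (`spamd = 55` → `56`, visible as the removed line of the first ids.nix hunk) together with the gid introduced in the previous commit; on any system deployed with uid 55, files owned by spamd keep numeric owner 55, become unowned after the switch, and would be inherited by whatever account is later given 55. The churn is avoidable by giving `adm` the next free gid (57, the number handed to `networkmanager` here) and leaving `spamd` at 55; if 55 must be `adm` to stay compatible with the systemd branch, say so in the commit message and leave a migration hint next to the line: `# spamd moved from 55 to 56 (55 is adm on the systemd branch); chown existing spamd files on upgrade`.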