Commit graph

134 commits

Author SHA1 Message Date
aszlig
ac603e208c
virtualbox: Fix runtime paths in hardening mode.
Because we have to rely on setuid wrappers on NixOS, we can't easily
hardcode the executable paths and set it 4755. So for all calls, we need
to change the runtime path executable directory to /var/setuid-wrappers/
and for verification we need to retain the executable directory.

Also note that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL
and VBoxVolInfo don't reside in directories that are commonly in PATH,
but in /usr/lib/virtualbox in most mainstream distros. But because the
names of these executables are distinctive enough to not cause
collisions with other setuid programs, I'll leave it like that and not
patch up setuid-wrappers.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 14:06:13 +01:00
Eelco Dolstra
bde9ae18cf Revert "enable bash autocomplete by default"
This reverts commit ee8e15fe76. See
discussion at ee8e15fe76.
2014-12-18 00:36:46 +01:00
aszlig
e36bec661c
nixos/virtualbox: Fix warning on enableHardening.
The warning was displayed whenever services.virtualboxHost.enable was
true, but if people were to enable hardening, they'd still get that
annoying message.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-16 11:24:55 +01:00
aszlig
d85fabd68c
nixos/virtualbox/hostonlyif: Fix writing to /root.
Creates unnecessary cruft in the root users home directory, which we
really don't need. Except the log, but therefore we now cat the log to
stderr and the private temporary directory is cleaned up afterwards.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 19:16:43 +01:00
aszlig
5d67b17901
nixos/virtualbox: Disable hardening for now.
This should display a big fat warning that people can hardly miss until
we have fixed the issues with the host-only-interfaces that persist when
hardening is enabled.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 18:53:41 +01:00
aszlig
245baeb2f6
nixos/virtualbox: Note about "vboxusers" group.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 17:52:19 +01:00
aszlig
e03e0ff42a
nixos/virtualbox: Allow to disable hardening.
Hardening mode in VirtualBox is quite restrictive and on some systems it
could make sense to disable hardening mode, especially while we still
have issues with hostonly networking and other issues[TM] we don't know
or haven't tested yet.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 17:52:18 +01:00
aszlig
0d71ec8a6e
nixos/virtualbox: Fix setuid wrappers.
We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!

Fixes #5283.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-13 07:52:19 +01:00
ambrop7@gmail.com
65393ca8d3 virtualbox: Unbreak the nixos module. 2014-12-12 00:16:33 +01:00
ambrop7@gmail.com
9fa2c35ec8 virtualbox: Allow disabling the network interface.
The current nixos module for VirtualBox unconditionally configures a vboxnet0
network interface at boot. This may be undesired, especially when the user wants
to manage network interfaces in a centralized manner.
2014-12-11 23:35:03 +01:00
Domen Kožar
ee8e15fe76 enable bash autocomplete by default 2014-12-08 12:06:02 +01:00
aszlig
3e49487c1a
virtualbox: Enable hardening by default.
VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.

The hardened.patch implements two things:

 * Set the binary directory to the setuid-wrappers dir so that
   VboxSVC calls them instead of the binaries from the store path. The
   reason behind this is because nothing in the Nix store can have the
   setuid flag.
 * Exempt /nix/store from the group permission check, because while it
   is group-writeable indeed it also has the sticky bit set (and also
   the whole store is mounted read-only on most NixOS systems), so we're
   checking on that as well.

Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so if someone should ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 19:21:46 +01:00
aszlig
14f09e01c1
nixos: Add enable option for programs/virtualbox.
We will simply rename the previous module and add a warning whenever the
module is included directly, pointing the user to the right option and
also enable it as well (in case somebody has missed the option and is
wondering why VirtualBox doesn't work anymore).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:42:22 +01:00
Eelco Dolstra
e7cd18e907 Don't set $MANPATH
The default is derived automatically from $PATH, so it's in fact
better *not* to set it.
2014-11-27 17:36:46 +01:00
Aristid Breitkreuz
2fd7e5f39d ssh-agent: use types.nullOr 2014-11-15 12:33:01 +01:00
Aristid Breitkreuz
d57110fabc ssh-agent: make key timeout optional 2014-11-15 12:13:25 +01:00
Aristid Breitkreuz
d70336f37c limit the amount of time ssh-agent keeps a key (default: 1h) 2014-11-15 12:13:25 +01:00
Brian McKenna
a6bacd4d81 Add "light" package and setuid wrapper 2014-11-09 19:45:43 -07:00
Nikolay Amiantov
1b6f0ffb6e ssmtp: add 'root' option 2014-11-05 02:47:59 +03:00
Nikolay Amiantov
292e07689a ssmtp: add types to options 2014-11-05 02:42:48 +03:00
Nathaniel Baxter
ab8ef63ff4 alsa: Add multilib plugin support via "libs" entry in asound config.
alsa: Remove unused $ALSA_PLUGIN_DIRS support.
2014-10-04 14:48:58 +02:00
Shea Levy
f5aaefbb6c More pkgs.lib -> lib fixes 2014-09-29 09:45:59 -04:00
William A. Kennington III
bab5efd237 nixos/ssh: Allow user to configure the package that provides ssh/sshd 2014-09-11 22:07:39 -07:00
Nicolas Pierron
becde6132b Replace environment.profileVariables by environment.profileRelativeEnvVars 2014-09-07 19:41:00 +02:00
Michael Fellinger
d62e848cc9 virtualbox: vboxusers may use /dev/vboxnetctl 2014-09-04 22:44:38 +02:00
Michael Raskin
a3b9bf6c87 Merge pull request #3653 from iyzsong/nixos/xfce4-mixer
nixos: don't set variables for gstreamer-0.10 (fix #3652)
2014-09-04 20:54:57 +04:00
Michael Raskin
419031bcfc Merge pull request #2644 from lethalman/pam_tally
pam: Add logFailures option for adding pam_tally to su
2014-09-02 00:58:30 +04:00
William A. Kennington III
3d037ebb94 Revert "Revert "Merge pull request #3182 from wkennington/master.ipv6""
This reverts commit ea8910652f.
2014-08-31 09:46:16 -07:00
Rob Vermaas
ea8910652f Revert "Merge pull request #3182 from wkennington/master.ipv6"
This reverts commit b23fd65854, reversing
changes made to 43654cba2c.
2014-08-31 10:58:54 +02:00
William A. Kennington III
86c0f8c549 Refactor nixos files relying on the old ipAddress / prefixLength / subnetMask attributes 2014-08-30 07:33:38 -07:00
Michael Raskin
e8badf3c3b Merge pull request #3275 from taku0/gtk-env
uim, gtk-exe-env, qt-plugin-env: Add input method modules for GTK+ and Qt
2014-08-29 01:35:38 +04:00
Michael Raskin
1fd14fa415 Merge pull request #3100 from tailhook/new-shadow
Upgrade "shadow" to 4.2.1
2014-08-29 00:42:57 +04:00
Michael Raskin
0036f4d792 Merge pull request #3047 from chrisfarms/freetds
Simple nixos module to enable configuration of freetds
2014-08-29 00:38:23 +04:00
宋文武
22541ebdaa nixos/environment: do not set GST_PLUGIN_SYSTEM_PATH 2014-08-19 09:34:52 +08:00
Vladimír Čunát
56d9b2cc8a merge #3428: nano: bump and add system-wide config 2014-08-14 23:51:29 +02:00
Luca Bruno
1a29fcae69 gdm: Add very experimental display manager 2014-08-12 11:23:42 +02:00
Paul Colomiets
fb948c4f28 Upgrade shadow package 2014-08-01 21:19:21 +03:00
Joachim Fasting
decb4266f1 nano: support system-wide nanorc
This patch does two things
1. builds nano with sysconfdir=/etc; and
2. adds an option programs.nano.nanorc
2014-08-01 18:19:03 +02:00
taku0
a0c91d66f1 uim, gtk-exe-env, qt-plugin-env: Add input method modules for GTK+ and Qt 2014-07-14 21:33:05 +09:00
Eelco Dolstra
973c9abdbe Fix info command
The "info" command has been broken on NixOS since
457fdb3842 (proving that nobody uses
info).
2014-07-08 15:19:08 +02:00
lethalman
cb86818789 Merge pull request #3079 from wmertens/patch-4
virtualbox: Fix permissions for /dev/vboxdrvu
2014-07-03 15:05:05 +02:00
Shea Levy
b3cfb9084b Get all lib functions from lib, not pkgs.lib, in modules 2014-07-02 12:28:18 -04:00
Jan Malakhovski
37c7d024ef nixos: change EDITOR and PAGER environment variables to mkDefaults
Signed-off-by: Domen Kožar <domen@dev.si>
2014-06-25 17:07:10 +02:00
wmertens
147fd1ff12 virtualbox: Fix permissions for /dev/vboxdrvu
See https://bugs.archlinux.org/task/38314 and https://www.virtualbox.org/browser/vbox/trunk/src/VBox/Installer/linux/installer-common.sh?rev=47894#L28
2014-06-25 15:52:05 +02:00
Bjørn Forsman
4def9a762f nixos: add some missing '.' in option descriptions 2014-06-24 21:25:11 +02:00
Chris Farmiloe
d39684b69b Simple nixos module to enable configuration of freetds and setup the expected environment variables 2014-06-22 14:24:54 +02:00
aszlig
3e64126344
nixos/shadow: Add an example for defaultUserShell.
Thanks to @devhell for the suggestion.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-06-19 01:51:33 +02:00
Eelco Dolstra
f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables
This makes it clearer that they're part of PAM sessions.
2014-06-13 17:57:04 +02:00
Eelco Dolstra
8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env""
This reverts commit 491c088731.
2014-06-10 13:07:10 +02:00
Eelco Dolstra
491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env"
This reverts commit 18a0cdd864.
2014-06-10 13:03:44 +02:00
Vladimír Čunát
18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Luca Bruno
1d5d7fdee2 pam: Add logFailures option for adding pam_tally to su 2014-05-14 17:54:21 +02:00
Eelco Dolstra
956f464fff Remove obsolete zsh help text 2014-04-30 11:26:39 +02:00
Eelco Dolstra
90dac235bb Remove the option ‘programs.bash.enable’
NixOS has a pervasive dependency on bash. For instance, the X11
session script sources /etc/profile to get a reasonable
environment. Thus we should not provide an option to disable bash.

Also, enabling zsh no longer sets ‘users.defaultUserShell’ to zsh, to
prevent a collision with bash's definition of the same
option. (Changing the default shell is also something that should be
left to the user.)
2014-04-29 19:00:39 +02:00
Eelco Dolstra
0e23a175de Allocate system uids/gids between 400 and 500
Previously it was between 100 and 500, but this can already collide
with the static uids/gids in misc/ids.nix.
2014-04-29 10:45:06 +02:00
Eelco Dolstra
465d6ff572 Set $LOCALE_ARCHIVE in all systemd units
This variable used to be inherited implicitly from the stage-2 script,
but systemd now clears the environment. So we need to set it
explicitly.
2014-04-18 19:04:45 +02:00
Eelco Dolstra
85fdaed9de ssh-agent: Tweaks 2014-04-18 17:37:47 +02:00
Eelco Dolstra
ffedee6ed5 Start ssh-agent as a user unit
This has some advantages:

* You get ssh-agent regardless of how you logged in. Previously it was
  only started for X11 sessions.

* All sessions of a user share the same agent. So if you added a key
  on tty1, it will also be available on tty2.

* Systemd will restart ssh-agent if it dies.

* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
  more secure than /tmp.

For bonus points, we should patch ssh-agent to support socket-based
activation...
2014-04-18 00:45:26 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Peter Simons
ad65a1e064 Revert "nixos: fix shell on conatiners"
This reverts commit c69577b7d6.
See https://github.com/NixOS/nixpkgs/pull/2198 for further details.
2014-04-11 12:07:00 +02:00
Jaka Hudoklin
c69577b7d6 nixos: fix shell on conatiners 2014-04-10 12:28:09 +02:00
William A. Kennington III
6c6d7dc11d ssh: Don't set xauth if not running xserver 2014-04-03 14:28:45 -05:00
Shea Levy
3f6a654d9c Merge branch 'zsh' of git://github.com/ttuegel/nixpkgs
zsh: don't clobber the environment of non-login shells
2014-03-15 13:11:38 -04:00
Domen Kožar
e9f3199973 add gstreamer 1.0 setup-hook and use it where appropriate 2014-02-28 02:03:07 +01:00
Shea Levy
17f88453f6 Don't complain if HOME isn't writable 2014-02-20 13:40:56 -05:00
Rickard Nilsson
03ee174032 Only add shadow to system packages if users.mutableUsers is true 2014-02-05 15:56:51 +01:00
Rickard Nilsson
eb2f44c18c Generate /etc/passwd and /etc/group at build time
This is a rather large commit that switches user/group creation from using
useradd/groupadd on activation to just generating the contents of /etc/passwd
and /etc/group, and then on activation merging the generated files with the
files that exist in the system. This makes the user activation process much
cleaner, in my opinion.

The users.extraUsers.<user>.uid and users.extraGroups.<group>.gid must all be
properly defined (if <user>.createUser is true, which it is by default). My
pull request adds a lot of uids/gids to config.ids to solve this problem for
existing nixos services, but there might be configurations that break because
of this change. However, this will be discovered during the build.

Option changes introduced by this commit:

* Remove the options <user>.isSystemUser and <user>.isAlias since
they don't make sense when generating /etc/passwd statically.

* Add <group>.members as a complement to <user>.extraGroups.

* Add <user>.passwordFile for setting a user's password from an encrypted
(shadow-style) file.

* Add users.mutableUsers which is true by default. This means you can keep
managing your users as previously, by using useradd/groupadd manually. This is
accomplished by merging the generated passwd/group file with the existing files
in /etc on system activation. The merging of the files is simplistic. It just
looks at the user/group names. If a user/group exists both on the system and
in the generated files, the system entry will be kept unchanged and the
generated entries will be ignored. The merging itself is performed with the
help of vipw/vigr to properly lock the account files during edit.
If mutableUsers is set to false, the generated passwd and group files will not
be merged with the system files on activation. Instead they will simply replace
the system files, and overwrite any changes done on the running system. The
same logic holds for user passwords, if the <user>.password or
<user>.passwordFile options are used. If mutableUsers is false, passwords will
simply be replaced on activation. If true, the initial user passwords will be
set according to the configuration, but existing passwords will not be touched.

I have tested this on a couple of different systems and it seems to work fine
so far. If you think this is a good idea, please test it. This way of adding
local users has been discussed in issue #103 (and this commit solves that
issue).
2014-02-05 15:56:51 +01:00
Thomas Tuegel
6a756af3e7 zsh: don't clobber the environment of non-login shells 2014-01-31 16:53:28 -06:00
Bjørn Forsman
dc352536a8 nixos: capitalize a bunch of service descriptions
(systemd service descriptions that is, not service descriptions in "man
configuration.nix".)

Capitalizing each word in the description seems to be the accepted
standard.

Also shorten these descriptions:
 * "Munin node, the agent process" => "Munin Node"
 * "Planet Venus, an awesome ‘river of news’ feed reader" => "Planet Venus Feed Reader"
2013-11-09 20:45:50 +01:00
Eelco Dolstra
d9c13a73c2 gurobi: Remove
It's proprietary, non-redistributable software.
2013-11-05 00:07:24 +01:00
Peter Simons
87c3907c14 Merge pull request #1168 from grwlf/nixos-gnu-screen
Add GNU Screen program module
2013-11-04 08:06:59 -08:00
Sergey Mironov
8c1e14e6cc Add GNU Screen program module 2013-11-04 19:07:51 +04:00
Eelco Dolstra
eab39f9dda venus.nix: Fix broken startAt option 2013-11-02 20:43:06 +01:00
Eelco Dolstra
408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra
72ca782044 Fix an assertion set in the wrong place 2013-10-25 15:47:30 +02:00
Eelco Dolstra
373c14614b Put the NixOS channel in an option 2013-10-24 15:09:00 +02:00
Shea Levy
418fa3bb33 D'oh
Signed-off-by: Shea Levy <shea@shealevy.com>
2013-10-16 16:01:27 -04:00
Shea Levy
6171f13ed5 Add gurobi to the system packages if the configuration specifies a license
Signed-off-by: Shea Levy <shea@shealevy.com>
2013-10-16 11:26:39 -04:00
Shea Levy
715bee3a0a Add gurobi client module
Not yet tested, no license yet

Signed-off-by: Shea Levy <shea@shealevy.com>
2013-10-16 11:23:58 -04:00
Eelco Dolstra
a2c820c678 Turn security.pam.services into an attribute set
That is, you can say

  security.pam.services.sshd = { options... };

instead of

  security.pam.services = [ { name = "sshd"; options... } ];

making it easier to override PAM settings from other modules.
2013-10-15 14:47:51 +02:00
Eelco Dolstra
57ec8424e4 Drop <services> from $NIX_PATH 2013-10-13 17:35:55 +02:00
Domen Kožar
cf3e36a3b9 bash: place interactiveShellInit at the end to be able to override existing settings 2013-10-11 11:55:58 +02:00
Eelco Dolstra
31203732b3 Update the release expressions and the channel generators 2013-10-10 13:28:22 +02:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00